Posted: Fri May 14, 2021 8:27 Post subject: [SOLVED]WRT3200ACM OpenVpn Issue after upgrade to r46604
I have now upgraded my router to DD-WRT v3.0-r46604 std (05/09/21). Now the OpenVPN connection worked once for 1 minute and then stopped. I rebooted the router several times; under Status I sometimes briefly see client-wait, client-auth, and then the status page goes blank, no connection...
syslog:
daemon.notice openvpn[4523]: SIGTERM[soft,auth-failure] received, process exiting
event_wait : Interrupted system call (code=4)
daemon.warn openvpn[4044]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
daemon.warn openvpn[4044]: --mtu-disc is not supported on this OS
I have now tried different settings like in the VPN guide and tried the troubleshooting steps, no success...
Settings:
OpenVpn Client enabled
CVE-Mitigation: enabled
Port: 443
Tunnel Device: TUN
Tunnel Protocol: tcp
Encryption Cipher: AES-256-CBC
Hash Algo: SHA1
First Data Cipher: AES-128-GCM
Second Data Cipher: AES-256-GCM
Third Data Cipher: AES-256-CBC
User / Pass enabled
TLS Cipher: none
Compression: no
NAT: enabled
Inbound Firewall on TUN: enabled
Tunnel UDP MSS-Fix: Disabled
TLS Key Choice: TLS Auth
Adapted the settings as you recommended, and yes, the router was connected then, also shown in the GUI. The measured speed was just 200kbps...
Rebooted the router, but now it doesn't connect anymore after the reboot...
Saved and applied the VPN config several times and rebooted, it doesn't connect anymore...
cat /var/log/messages | grep openvpn
May 14 13:33:41 ddwrt daemon.notice openvpn[6640]: TCP/UDP: Closing socket
May 14 13:33:41 ddwrt daemon.notice openvpn[6640]: SIGTERM[hard,] received, process exiting
May 14 13:33:41 ddwrt user.info : openvpn : General Killswitch for OpenVPN removed in 3 using wanface br0
May 14 13:33:41 ddwrt user.info : openvpn : OpenVPN daemon (Client) starting/restarting...
May 14 13:33:41 ddwrt daemon.warn openvpn[6836]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
May 14 13:33:41 ddwrt daemon.warn openvpn[6836]: WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
May 14 13:33:41 ddwrt daemon.warn openvpn[6836]: WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
May 14 13:33:41 ddwrt daemon.notice openvpn[6836]: Current Parameter Settings:
May 14 13:33:41 ddwrt daemon.notice openvpn[6836]: config = '/tmp/openvpncl/openvpn.conf'
May 14 13:33:41 ddwrt daemon.notice openvpn[6836]: mode = 0
May 14 13:33:41 ddwrt daemon.notice openvpn[6836]: NOTE: --mute triggered...
May 14 13:33:41 ddwrt daemon.notice openvpn[6836]: 233 variation(s) on previous 3 message(s) suppressed by --mute
May 14 13:33:41 ddwrt daemon.notice openvpn[6836]: OpenVPN 2.5.2 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 9 2021
May 14 13:33:41 ddwrt daemon.notice openvpn[6836]: library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.09
May 14 13:33:41 ddwrt daemon.notice openvpn[6838]: MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
May 14 13:33:41 link daemon.warn openvpn[6838]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 14 13:33:41 link daemon.notice openvpn[6838]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
May 14 13:33:41 link daemon.notice openvpn[6838]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
May 14 13:33:41 link daemon.notice openvpn[6838]: Control Channel MTU parms [ L:1624 D:1182 EF:68 EB:0 ET:0 EL:3 ]
May 14 13:33:41 link daemon.notice openvpn[6838]: Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
May 14 13:33:41 link daemon.notice openvpn[6838]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
May 14 13:33:41 link daemon.notice openvpn[6838]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
May 14 13:33:41 link daemon.notice openvpn[6838]: TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:443
May 14 13:33:41 link daemon.notice openvpn[6838]: Socket Buffers: R=[87380->87380] S=[16384->16384]
May 14 13:33:41 link daemon.notice openvpn[6838]: Attempting to establish TCP connection with [AF_INET]x.x.x.x:443 [nonblock]
May 14 13:33:41 link daemon.notice openvpn[6838]: TCP connection established with [AF_INET]x.x.x.x:443
May 14 13:33:41 link daemon.notice openvpn[6838]: TCPv4_CLIENT link local: (not bound)
May 14 13:33:41 link daemon.notice openvpn[6838]: TCPv4_CLIENT link remote: [AF_INET]x.x.x.x:443
May 14 13:33:41 link daemon.notice openvpn[6838]: TLS: Initial packet from [AF_INET]x.x.x.x:443, sid=4422c544 4e21f960
May 14 13:33:41 link daemon.notice openvpn[6838]: VERIFY KU OK
May 14 13:33:41 link daemon.notice openvpn[6838]: NOTE: --mute triggered...
May 14 13:33:42 link daemon.notice openvpn[6838]: 5 variation(s) on previous 3 message(s) suppressed by --mute
May 14 13:33:42 link daemon.notice openvpn[6838]: [xxxx.net] Peer Connection Initiated with [AF_INET]x.x.x.x:443
May 14 13:33:44 link daemon.notice openvpn[6838]: SENT CONTROL [xxxx.net]: 'PUSH_REQUEST' (status=1)
May 14 13:33:44 link daemon.notice openvpn[6838]: AUTH: Received control message: AUTH_FAILED
May 14 13:33:44 link daemon.notice openvpn[6838]: TCP/UDP: Closing socket
May 14 13:33:44 link daemon.notice openvpn[6838]: SIGTERM[soft,auth-failure] received, process exiting
Beware, some low-end VPN providers will produce an AUTH FAIL even when using the proper username/password. This is how they manage their limited resources. The server will refuse your connection, at least temporarily, presumably due to overloading. I see this all the time w/ FastestVPN. They will sometimes also use it to kick you OFF an active connection!
As a practical matter, I have to have several servers (in the form of remote directives) specified in Additional Config so the OpenVPN client can try more than one. If you stick w/ the one server as specified in the Server IP/Name field of the OpenVPN client GUI, you'll be forced to constantly reconfigure that field in hopes of finding a reachable server.
Here's an example of my own Additional Config field w/ FastestVPN.
To make matters worse, when an AUTH FAIL occurs, it *kills* the OpenVPN client process, completely! And at that point no more attempts will be made. That's why using an OpenVPN watchdog is sometimes necessary (like the one in my signature). In combination w/ the remote-random directive, restarting the OpenVPN process by the watchdog increases the chances you'll be referencing a different server each time.
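As an added example that is not part of any post in this thread: a small log triage, in the shell the router log was grepped from, that separates the hardening warnings in the posted syslog from the actual cause of the exit. It uses the fact that OpenVPN logs "Peer Connection Initiated" once the TLS handshake has completed, so an AUTH_FAILED after that line points at the login or a server-side decision rather than at keys or ciphers. The finding labels (HARDEN, CAUSE, STATE) and function names are made up for this example; the sample lines are copied from the excerpts above.

```sh
#!/bin/sh
# Added example (not from the thread): triage an OpenVPN client syslog excerpt.

# Constructed sample: lines copied from the log excerpts posted in this thread.
sample_log() {
cat <<'EOF'
daemon.warn openvpn[4044]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
May 14 13:33:41 ddwrt daemon.warn openvpn[6836]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
May 14 13:33:41 ddwrt daemon.warn openvpn[6836]: WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
May 14 13:33:41 ddwrt daemon.warn openvpn[6836]: WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
May 14 13:33:42 link daemon.notice openvpn[6838]: [xxxx.net] Peer Connection Initiated with [AF_INET]x.x.x.x:443
May 14 13:33:44 link daemon.notice openvpn[6838]: AUTH: Received control message: AUTH_FAILED
May 14 13:33:44 link daemon.notice openvpn[6838]: SIGTERM[soft,auth-failure] received, process exiting
EOF
}

# Reads syslog lines on stdin, prints one finding per line (sorted).
# Finding labels (HARDEN/CAUSE/STATE) are names made up for this example.
triage_openvpn_log() {
    awk '
    /No server certificate verification method/ { f["HARDEN no-server-cert-verification"] = 1 }
    /--management on a TCP port WITHOUT passwords/ { f["HARDEN management-no-password"] = 1 }
    /WARNING: file .* is group or others accessible/ {
        split($0, q, "\047")            # \047 = single quote; q[2] is the path
        f["HARDEN loose-perms " q[2]] = 1
    }
    # Logged once the TLS handshake with the server has completed.
    /Peer Connection Initiated/ { tls_ok = 1 }
    # Server rejected the login; if TLS was already up, keys and ciphers were accepted.
    /AUTH: Received control message: AUTH_FAILED/ {
        f["CAUSE server-sent-AUTH_FAILED tls-handshake-completed=" (tls_ok ? "yes" : "no")] = 1
    }
    /SIGTERM\[soft,auth-failure\]/ { f["STATE client-exited-no-retry"] = 1 }
    END { for (k in f) print k }
    ' | sort
}

sample_log | triage_openvpn_log
```

On the router the same function can be fed with the command already used in the thread: cat /var/log/messages | grep openvpn | triage_openvpn_log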
Posted: Fri May 14, 2021 17:56 Post subject:
egc wrote:
2.5.2 was introduced in 45849.
I'm on 46069, and openvpn --version reports 2.5.1.
Now, after 2 days of downgrading 5 versions on my WRT3200ACM, testing every version with the provider config and the DD-WRT VPN Guide, and testing different locations and ports: the issue with the [soft,auth-failure] is on the provider side. They wrote me that the sessions of my account filled up, so that's why no connection was possible anymore!
Thanks ALL for your Tips and Help!
P.S. If someone has a step-by-step guide for installing/configuring DNS encryption / DoT (something like the VPNGuidePDF), that would be awesome :)