OpenVPN Client connectivity WAIT NordVPN

**Snake**
DD-WRT Novice


Joined: 19 Nov 2010
Posts: 8

Posted: Mon Aug 20, 2018 1:06    Post subject: OpenVPN Client connectivity WAIT NordVPN
Hello guys!
I'm on a DD-WRT v3.0-r36527 vpn but I've got a problem with NordVPN.

This is my configuration...

[screenshot]

This is my status...

[screenshot]

...and this is the /tmp/log...

Code:
Mon Aug 20 02:58:40 2018 us=874655 WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
Mon Aug 20 02:58:40 2018 us=876393 WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
Mon Aug 20 02:58:40 2018 us=876943 WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
Mon Aug 20 02:58:40 2018 us=877679 Current Parameter Settings:
Mon Aug 20 02:58:40 2018 us=878087   config = '/tmp/openvpncl/openvpn.conf'
Mon Aug 20 02:58:40 2018 us=878473   mode = 0
Mon Aug 20 02:58:40 2018 us=878841 NOTE: --mute triggered...
Mon Aug 20 02:58:40 2018 us=879573 225 variation(s) on previous 3 message(s) suppressed by --mute
Mon Aug 20 02:58:40 2018 us=879999 OpenVPN 2.4.6 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug  9 2018
Mon Aug 20 02:58:40 2018 us=880631 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.09
Mon Aug 20 02:58:40 2018 us=892457 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
Mon Aug 20 02:58:40 2018 us=906551 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Aug 20 02:58:40 2018 us=928975 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Aug 20 02:58:40 2018 us=930263 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Aug 20 02:58:40 2018 us=931323 LZO compression initializing
Mon Aug 20 02:58:40 2018 us=939707 Control Channel MTU parms [ L:1654 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Mon Aug 20 02:58:40 2018 us=941828 Data Channel MTU parms [ L:1654 D:1450 EF:122 EB:411 ET:32 EL:3 ]
Mon Aug 20 02:58:40 2018 us=944043 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1634,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Mon Aug 20 02:58:40 2018 us=944543 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1634,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Mon Aug 20 02:58:40 2018 us=945283 TCP/UDP: Preserving recently used remote address: [AF_INET]176.53.23.254:1194
Mon Aug 20 02:58:40 2018 us=946101 Socket Buffers: R=[32767->32767] S=[32767->32767]
Mon Aug 20 02:58:40 2018 us=946572 UDPv4 link local: (not bound)
Mon Aug 20 02:58:40 2018 us=947151 UDPv4 link remote: [AF_INET]176.53.23.254:1194
WWWW
WMon Aug 20 02:59:40 2018 us=286168 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Aug 20 02:59:40 2018 us=286618 TLS Error: TLS handshake failed
Mon Aug 20 02:59:40 2018 us=291693 TCP/UDP: Closing socket
Mon Aug 20 02:59:40 2018 us=292389 SIGUSR1[soft,tls-error] received, process restarting


There is a TLS handshake failure. Any suggestion?

Thanks
**Snake**
DD-WRT Novice


Joined: 19 Nov 2010
Posts: 8

Posted: Mon Aug 20, 2018 8:44    Post subject:
I found this video where, in the CA section, it also inserts <ca> tags...

Code:
https://www.youtube.com/watch?v=CyUL869qFIE&t=411s


Maybe that is the problem?

Another question.
I use the router behind a modem.
The modem uses the 192.168.1.x IP class and I've set the router to have internal IP 10.0.0.1...

WAN Setup
-------------
Automatic Config - DHCP (the modem assigns the IP 192.168.1.40 to my DD-WRT)

Network Setup
------------
IP: 10.0.0.1
DHCP server active

Is it correct?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12884
Location: Netherlands

Posted: Mon Aug 20, 2018 10:52    Post subject:
Nord VPN's instructions are pretty straightforward: https://www.youtube.com/watch?v=CyUL869qFIE&t=411s

Some older servers use SHA1 as the hash algorithm.

You can try another server; just use its name. Note that every server has its own certificates, so if you change servers you must change certificates.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
**Snake**
DD-WRT Novice


Joined: 19 Nov 2010
Posts: 8

Posted: Mon Aug 20, 2018 11:40    Post subject:
Sure... Every server has its own certificate... I know.
I will try with SHA1 and other servers.
Thanks
**Snake**
DD-WRT Novice


Joined: 19 Nov 2010
Posts: 8

Posted: Mon Aug 20, 2018 17:47    Post subject:
Same error on another server.
I tested before with Tunnelblick on macOS and it worked.
Tested with DD-WRT (changed CA and TLS cert)... this is the log tail:

Code:
Mon Aug 20 19:44:32 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Aug 20 19:44:32 2018 TLS Error: TLS handshake failed
Mon Aug 20 19:44:32 2018 SIGUSR1[soft,tls-error] received, process restarting
Mon Aug 20 19:44:32 2018 Restart pause, 5 second(s)
**Snake**
DD-WRT Novice


Joined: 19 Nov 2010
Posts: 8

Posted: Mon Aug 20, 2018 18:28    Post subject:
Ok... solved.
It was SHA1 and not SHA256.

Thanks
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1447
Location: Appalachian mountains, USA

Posted: Thu Nov 29, 2018 16:28    Post subject:
I also use NordVPN with dd-wrt, and if I recall correctly, NordVPN US servers numbered below 538 are the ones that use SHA-1.

I've had great results picking servers to use this way:

1. Use the NordVPN app on some device to connect to a server in the geographic region where you want to pick a server for dd-wrt.

2. While connected via that region, visit https://nordvpn.com/servers/ and click "Recommended Server".

3. Click "Show advanced options" (fine print under "Adjust Server Preferences")

4. Click "Select Security Protocol" and choose "OpenVPN UDP". This may (or may not) change their recommended server listed.

5. Choose their recommended server for use in dd-wrt.

Going to the trouble of getting their recommendation specific to OpenVPN/UDP this way has gotten me some fast, lightly loaded servers. I can generally use one for weeks to months without issues.

Also note when you unzip their *ca.crt and *_tls.key files that all of those with file sizes of 1809 bytes for the ca cert and 602 bytes for the tls key actually use the same ca certs and tls keys. I did the diffs to prove it. So once you set up your dd-wrt OpenVPN client to use one of these, changing to another is trivial: just change the name of the server.

I considered using an IP address like you did rather than a server name, but personally I don't want to be using an obsolete IP if they make a change. Who knows what it might connect to.

If you're nervous about an exposed DNS search for the NordVPN server, there's always dnscrypt. Note that in our dnscrypt-resolvers.csv file the DNSSEC-capable servers that do not log all appear currently (as of release 37736) to be lone-programmer operations (I visited their websites yesterday, as it happens, to check them out) except for one: ipredator is a vpn provider in Sweden that makes their dns server available to the public (https://www.ipredator.se/page/services#service_dns). (There was one other server, in Germany, that actually might have had an organization behind it, but their website was nonfunctional, which I took as a red flag.) My logs suggest that the public ipredator DNS server IP forwards to the internal server that their vpn customers get.

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
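Two things in this thread lend themselves to a quick script check before touching the router: Snake's handshake failure came down to the router's `auth` digest (SHA512) not matching the server's (SHA1), and SurprisedItWorks notes that many NordVPN profiles ship identical CA and tls-auth material, so only the server name needs to change. The following is an added example, not code from the thread, DD-WRT or NordVPN: it parses a NordVPN-style `.ovpn` profile (constructed sample with placeholder hostnames and PEM bodies), reports the directives that disagree with the router-side settings seen in the thread's "Local Options String", and fingerprints the inline `<ca>`/`<tls-auth>` blocks of two profiles to tell whether they share key material.

```python
"""Check NordVPN-style .ovpn profiles against DD-WRT OpenVPN client settings.
Added example, not from the thread or DD-WRT; the profiles are constructed samples."""
import hashlib
import re

PROFILE_SHA1 = """\
proto udp
remote us000.nordvpn.com 1194
cipher AES-256-CBC
auth SHA1
key-direction 1
<ca>
PLACEHOLDER-CA-PEM
</ca>
<tls-auth>
PLACEHOLDER-TLS-KEY-PEM
</tls-auth>
"""
# Second constructed profile: same CA/key material, SHA512 control-channel HMAC.
PROFILE_SHA512 = PROFILE_SHA1.replace("auth SHA1", "auth SHA512").replace("us000", "us999")
# What the thread's router advertised in its "Local Options String".
ROUTER = {"proto": "udp", "cipher": "AES-256-CBC", "auth": "SHA512", "key-direction": "1"}

def parse_ovpn(text):
    """Split a profile into {directive: args} and {inline tag: PEM body}."""
    blocks = {tag: body.strip() for tag, body in re.findall(r"<([\w-]+)>(.*?)</\1>", text, re.S)}
    plain = re.sub(r"<([\w-]+)>.*?</\1>", "", text, flags=re.S)
    directives = {}
    for line in plain.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            name, *args = line.split()
            directives[name] = args
    return directives, blocks

def mismatches(router, profile_text):
    """Router settings that must match the server profile but do not: name -> (router, profile)."""
    directives, _ = parse_ovpn(profile_text)
    bad = {}
    for name in ("proto", "cipher", "auth", "key-direction"):
        want = " ".join(directives.get(name, []))
        if want and router.get(name, "").lower() != want.lower():
            bad[name] = (router.get(name, ""), want)
    return bad

def shared_material(profile_a, profile_b):
    """True when both profiles embed identical <ca> and <tls-auth> blocks (compared by SHA-256)."""
    _, a = parse_ovpn(profile_a)
    _, b = parse_ovpn(profile_b)
    digest = lambda s: hashlib.sha256(s.encode()).hexdigest()
    return all(digest(a.get(t, "")) == digest(b.get(t, "")) for t in ("ca", "tls-auth"))
```

Against the SHA1 profile the only reported mismatch is `auth` (router SHA512 vs server SHA1), which is exactly the symptom in the thread: the handshake times out because the control-channel HMAC never verifies.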