OpenVPN Enable
Start Type WAN Up
Config as Server Daemon
Server mode Router (TUN)
Network 192.168.99.0
Netmask
Port 1194
Tunnel Protocol UDP
Encryption Cipher AES-256 CBC
Hash Algorithm SHA1
Advanced Options Enable
TLS Cipher None
LZO Compression Adaptive
Redirect default Gateway Enable
Allow Client to Client Enable
Allow duplicate cn Enable
Tunnel MTU setting 1500
Tunnel UDP Fragment [Blank]
Tunnel UDP MSS-Fix Disable
Certificates & Keys entered:
• Public server cert
• CA cert
• Private server key
• DH pem
Here's the server log:
Oct 9 20:02:47 MyDDWRTRouter daemon.notice openvpn[12300]: 82.132.185.250 TLS: Initial packet from [AF_INET6]::ffff:82.132.185.250:28082, sid=dedf97e1 56105315
Oct 9 20:02:49 MyDDWRTRouter daemon.notice openvpn[12300]: 82.132.185.250 VERIFY OK: depth=1, C=UK, ST=England, L=London, O=OpenVPN, CN=OpenVPN-CA, name=xxx, emailAddress=xxx@gmail.com
Oct 9 20:02:49 MyDDWRTRouter daemon.notice openvpn[12300]: 82.132.185.250 VERIFY OK: depth=0, C=UK, ST=England, L=London, O=OpenVPN, CN=client1, name=xxx, emailAddress=xxx@gmail.com
Oct 9 20:02:49 MyDDWRTRouter daemon.notice openvpn[12300]: 82.132.185.250 peer info: IV_VER=2.4.6
Oct 9 20:02:49 MyDDWRTRouter daemon.notice openvpn[12300]: 82.132.185.250 peer info: IV_PLAT=win
Oct 9 20:02:49 MyDDWRTRouter daemon.notice openvpn[12300]: 82.132.185.250 peer info: IV_PROTO=2
Oct 9 20:02:49 MyDDWRTRouter daemon.notice openvpn[12300]: 82.132.185.250 peer info: IV_NCP=2
Oct 9 20:02:49 MyDDWRTRouter daemon.notice openvpn[12300]: 82.132.185.250 peer info: IV_LZ4=1
Oct 9 20:02:49 MyDDWRTRouter daemon.notice openvpn[12300]: 82.132.185.250 peer info: IV_LZ4v2=1
Oct 9 20:02:49 MyDDWRTRouter daemon.notice openvpn[12300]: 82.132.185.250 peer info: IV_LZO=1
Oct 9 20:02:49 MyDDWRTRouter daemon.notice openvpn[12300]: 82.132.185.250 peer info: IV_COMP_STUB=1
Oct 9 20:02:49 MyDDWRTRouter daemon.notice openvpn[12300]: 82.132.185.250 peer info: IV_COMP_STUBv2=1
Oct 9 20:02:49 MyDDWRTRouter daemon.notice openvpn[12300]: 82.132.185.250 peer info: IV_TCPNL=1
Oct 9 20:02:49 MyDDWRTRouter daemon.notice openvpn[12300]: 82.132.185.250 peer info: IV_GUI_VER=OpenVPN_GUI_11
Oct 9 20:02:49 MyDDWRTRouter daemon.notice openvpn[12300]: 82.132.185.250 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Oct 9 20:02:49 MyDDWRTRouter daemon.notice openvpn[12300]: 82.132.185.250 [client1] Peer Connection Initiated with [AF_INET6]::ffff:82.132.185.250:28082
Oct 9 20:02:49 MyDDWRTRouter daemon.notice openvpn[12300]: client1/82.132.185.250 MULTI_sva: pool returned IPv4=192.168.99.2, IPv6=(Not enabled)
Oct 9 20:02:49 MyDDWRTRouter daemon.warn openvpn[12300]: client1/82.132.185.250 WARNING: Failed running command (--client-connect): external program exited with error status: 2
Oct 9 20:02:50 MyDDWRTRouter daemon.notice openvpn[12300]: client1/82.132.185.250 PUSH: Received control message: 'PUSH_REQUEST'
Oct 9 20:02:50 MyDDWRTRouter daemon.notice openvpn[12300]: client1/82.132.185.250 Delayed exit in 5 seconds
Oct 9 20:02:50 MyDDWRTRouter daemon.notice openvpn[12300]: client1/82.132.185.250 SENT CONTROL [client1]: 'AUTH_FAILED' (status=1)
And the corresponding client log:
Tue Oct 09 20:02:47 2018 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Tue Oct 09 20:02:47 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Oct 09 20:02:47 2018 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Enter Management Password:
Tue Oct 09 20:02:47 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Oct 09 20:02:47 2018 Need hold release from management interface, waiting...
Tue Oct 09 20:02:48 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Oct 09 20:02:48 2018 MANAGEMENT: CMD 'state on'
Tue Oct 09 20:02:48 2018 MANAGEMENT: CMD 'log all on'
Tue Oct 09 20:02:48 2018 MANAGEMENT: CMD 'echo all on'
Tue Oct 09 20:02:48 2018 MANAGEMENT: CMD 'bytecount 5'
Tue Oct 09 20:02:48 2018 MANAGEMENT: CMD 'hold off'
Tue Oct 09 20:02:48 2018 MANAGEMENT: CMD 'hold release'
Tue Oct 09 20:02:48 2018 MANAGEMENT: >STATE:1539111768,RESOLVE,,,,,,
Tue Oct 09 20:02:48 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]5.67.20.85:1194
Tue Oct 09 20:02:48 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Oct 09 20:02:48 2018 UDP link local: (not bound)
Tue Oct 09 20:02:48 2018 UDP link remote: [AF_INET]5.67.20.85:1194
Tue Oct 09 20:02:48 2018 MANAGEMENT: >STATE:1539111768,WAIT,,,,,,
Tue Oct 09 20:02:48 2018 MANAGEMENT: >STATE:1539111768,AUTH,,,,,,
Tue Oct 09 20:02:48 2018 TLS: Initial packet from [AF_INET]5.67.20.85:1194, sid=ff47e8dc d5269164
Tue Oct 09 20:02:49 2018 VERIFY OK: depth=1, C=UK, ST=England, L=London, O=OpenVPN, CN=OpenVPN-CA, name=xxx, emailAddress=xxx@gmail.com
Tue Oct 09 20:02:49 2018 VERIFY KU OK
Tue Oct 09 20:02:49 2018 Validating certificate extended key usage
Tue Oct 09 20:02:49 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Oct 09 20:02:49 2018 VERIFY EKU OK
Tue Oct 09 20:02:49 2018 VERIFY OK: depth=0, C=UK, ST=England, L=London, O=OpenVPN, CN=server, name=xxx, emailAddress=xxx@gmail.com
Tue Oct 09 20:02:50 2018 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Tue Oct 09 20:02:50 2018 [server] Peer Connection Initiated with [AF_INET]5.67.20.85:1194
Tue Oct 09 20:02:51 2018 MANAGEMENT: >STATE:1539111771,GET_CONFIG,,,,,,
Tue Oct 09 20:02:51 2018 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Oct 09 20:02:51 2018 AUTH: Received control message: AUTH_FAILED
Tue Oct 09 20:02:51 2018 SIGUSR1[soft,auth-failure] received, process restarting
Tue Oct 09 20:02:51 2018 MANAGEMENT: >STATE:1539111771,RECONNECTING,auth-failure,,,,,
Tue Oct 09 20:02:51 2018 Restart pause, 5 second(s)
As I'm running the Server GUI I'm not entirely sure where to put the [client-cert-not-required] - would it be in the additional config or the client connect script?
The DD-WRT router runs my main LAN and sits behind my ISP gateway router which connects via DMZ pass through. The WAN IP of the DD-WRT router points to the DMZ of the gateway router. I'm not sure if I'm missing a firewall command to NAT the DD-WRT to ISP router WAN IP (I mentioned this in a previous post).
I have tried to run the OpenVPN connection with both firewalls turned off and still get the same error.
As a note I also run some other IPSEC VPNs to connect to work servers (the clients sit on my LAN / DD-WRT router to run and I've never had any issues).
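An added example, not part of the original post and not DD-WRT code: a small triage script for the server log above. The point it makes is that the certificate chain verified fine (VERIFY OK at depth 1 and depth 0), so the AUTH_FAILED sent to the client is not a certificate problem; OpenVPN rejects a client with AUTH_FAILED whenever a --client-connect hook exits non-zero, and the "Failed running command (--client-connect): ... error status: 2" warning is that hook failing. The sample log lines are constructed to mirror the thread's lines, plus a second, invented client (203.0.113.7, CN=client2) that connects cleanly so the two outcomes can be compared.

```python
"""Triage OpenVPN server syslog lines: per peer, did the cert chain verify,
did a hook script fail, and what really caused an AUTH_FAILED?"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# DD-WRT / syslog line shape: "Oct 9 20:02:49 host daemon.notice openvpn[pid]: peer msg"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ daemon\.(?P<level>\w+) "
    r"openvpn\[(?P<pid>\d+)\]: (?P<peer>\S+) (?P<msg>.*)$"
)
VERIFY_RE = re.compile(r"VERIFY OK: depth=(?P<depth>\d+), .*?CN=(?P<cn>[^,]+)")
HOOK_FAIL_RE = re.compile(
    r"Failed running command \((?P<hook>--[\w-]+)\): .*?exited with error status: (?P<status>\d+)"
)
AUTH_FAILED_RE = re.compile(r"SENT CONTROL \[[^\]]*\]: 'AUTH_FAILED'")
PUSH_REPLY_RE = re.compile(r"SENT CONTROL \[[^\]]*\]: 'PUSH_REPLY")


@dataclass
class Session:
    ip: str
    cn: str = ""
    verified_depths: Set[int] = field(default_factory=set)
    control_channel: str = ""
    hook_failures: List[Tuple[str, int]] = field(default_factory=list)
    auth_failed: bool = False
    push_reply: bool = False

    def cause(self) -> str:
        """Short verdict for this peer."""
        if self.auth_failed and self.hook_failures:
            return "hook-failure"        # script rejected the client, certs were fine
        if self.auth_failed and 0 not in self.verified_depths:
            return "cert-verify"         # client cert never verified
        if self.auth_failed:
            return "auth-script"         # auth-user-pass-verify / tls-verify style rejection
        if self.push_reply:
            return "connected"
        return "incomplete"

    def explain(self) -> str:
        if self.cause() == "hook-failure":
            hook, status = self.hook_failures[-1]
            return (f"{self.ip} CN={self.cn}: chain verified at depths {sorted(self.verified_depths)}, "
                    f"but the {hook} hook exited {status}; fix or remove that script")
        return f"{self.ip} CN={self.cn}: {self.cause()}"


def parse_log(text: str) -> Dict[str, Session]:
    """Group log lines by peer IP ('client1/1.2.3.4' and '1.2.3.4' are the same peer)."""
    sessions: Dict[str, Session] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip = m["peer"].split("/")[-1]
        s = sessions.setdefault(ip, Session(ip=ip))
        msg = m["msg"]
        if v := VERIFY_RE.search(msg):
            s.verified_depths.add(int(v["depth"]))
            if v["depth"] == "0":
                s.cn = v["cn"]
        elif h := HOOK_FAIL_RE.search(msg):
            s.hook_failures.append((h["hook"], int(h["status"])))
        elif "Control Channel: " in msg:
            s.control_channel = msg.split("Control Channel: ", 1)[1]
        elif AUTH_FAILED_RE.search(msg):
            s.auth_failed = True
        elif PUSH_REPLY_RE.search(msg):
            s.push_reply = True
    return sessions


def triage(text: str) -> Dict[str, str]:
    return {ip: s.cause() for ip, s in parse_log(text).items()}


# Constructed sample: the thread's lines for client1, plus an invented client2 that succeeds.
SAMPLE_LOG = """\
Oct 9 20:02:47 MyDDWRTRouter daemon.notice openvpn[12300]: 82.132.185.250 TLS: Initial packet from [AF_INET6]::ffff:82.132.185.250:28082, sid=dedf97e1 56105315
Oct 9 20:02:49 MyDDWRTRouter daemon.notice openvpn[12300]: 82.132.185.250 VERIFY OK: depth=1, C=UK, ST=England, L=London, O=OpenVPN, CN=OpenVPN-CA, name=xxx, emailAddress=xxx@gmail.com
Oct 9 20:02:49 MyDDWRTRouter daemon.notice openvpn[12300]: 82.132.185.250 VERIFY OK: depth=0, C=UK, ST=England, L=London, O=OpenVPN, CN=client1, name=xxx, emailAddress=xxx@gmail.com
Oct 9 20:02:49 MyDDWRTRouter daemon.notice openvpn[12300]: 82.132.185.250 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Oct 9 20:02:49 MyDDWRTRouter daemon.notice openvpn[12300]: 82.132.185.250 [client1] Peer Connection Initiated with [AF_INET6]::ffff:82.132.185.250:28082
Oct 9 20:02:49 MyDDWRTRouter daemon.notice openvpn[12300]: client1/82.132.185.250 MULTI_sva: pool returned IPv4=192.168.99.2, IPv6=(Not enabled)
Oct 9 20:02:49 MyDDWRTRouter daemon.warn openvpn[12300]: client1/82.132.185.250 WARNING: Failed running command (--client-connect): external program exited with error status: 2
Oct 9 20:02:50 MyDDWRTRouter daemon.notice openvpn[12300]: client1/82.132.185.250 PUSH: Received control message: 'PUSH_REQUEST'
Oct 9 20:02:50 MyDDWRTRouter daemon.notice openvpn[12300]: client1/82.132.185.250 Delayed exit in 5 seconds
Oct 9 20:02:50 MyDDWRTRouter daemon.notice openvpn[12300]: client1/82.132.185.250 SENT CONTROL [client1]: 'AUTH_FAILED' (status=1)
Oct 9 20:05:01 MyDDWRTRouter daemon.notice openvpn[12300]: 203.0.113.7 VERIFY OK: depth=1, C=UK, ST=England, L=London, O=OpenVPN, CN=OpenVPN-CA
Oct 9 20:05:01 MyDDWRTRouter daemon.notice openvpn[12300]: 203.0.113.7 VERIFY OK: depth=0, C=UK, ST=England, L=London, O=OpenVPN, CN=client2
Oct 9 20:05:01 MyDDWRTRouter daemon.notice openvpn[12300]: 203.0.113.7 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Oct 9 20:05:02 MyDDWRTRouter daemon.notice openvpn[12300]: client2/203.0.113.7 SENT CONTROL [client2]: 'PUSH_REPLY,redirect-gateway def1,ifconfig 192.168.99.3 255.255.255.0' (status=1)
"""

if __name__ == "__main__":
    for s in parse_log(SAMPLE_LOG).values():
        print(s.explain())
```

Run it against a real DD-WRT syslog (`cat /var/log/messages | grep openvpn`) to separate "certs are wrong" from "a hook script on the router is failing"; the two produce the same AUTH_FAILED on the client side and are only distinguishable in the server log.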
Posted: Wed Oct 10, 2018 9:59
You should not use client-cert-not-required, but you do not.
Besides the NAT rule you do not need any firewall rule, the VPN GUI will open up the firewall for the appropriate port
Having another VPN client running can be a problem, because you are connecting over the WAN interface and if the traffic goes out via the VPN client you have a no go.
The best thing to do in these cases is to reset to defaults, set up the router with only basic settings, and then the OpenVPN server.
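An added example, not from the thread and not DD-WRT's own code: a lint over the GUI settings transcribed from the opening post, with a hardened server.conf rendered beside them. The GUI-to-directive mapping is an assumption (DD-WRT writes its own config file from those fields); the netmask value, which the post does not show, is assumed to be 255.255.255.0; and ca.crt, server.crt, server.key, dh.pem and ta.key are placeholder file names for the PEM blobs pasted into the GUI. Every directive used is a standard OpenVPN 2.4 option. The findings it raises are the ones a reviewer would raise on that config: SHA1 HMAC, a CBC cipher, LZO compression, duplicate-cn, and no tls-auth/tls-crypt key.

```python
"""Lint an OpenVPN server config for weak settings and emit a hardened copy."""
from typing import Dict, List, Tuple

# The opening post's GUI settings as OpenVPN directives (mapping assumed).
POSTED_SETTINGS: Dict[str, str] = {
    "dev": "tun",
    "server": "192.168.99.0 255.255.255.0",   # netmask not shown in the post; assumed
    "port": "1194",
    "proto": "udp",
    "cipher": "AES-256-CBC",
    "auth": "SHA1",
    "comp-lzo": "adaptive",
    "client-to-client": "",
    "duplicate-cn": "",
    "tun-mtu": "1500",
    "ca": "ca.crt",          # placeholder names for the pasted PEM blobs
    "cert": "server.crt",
    "key": "server.key",
    "dh": "dh.pem",
}
POSTED_PUSH: List[str] = ['push "redirect-gateway def1"']   # "Redirect default Gateway: Enable"

Finding = Tuple[str, str]   # (directive, why it matters)


def lint(conf: Dict[str, str]) -> List[Finding]:
    """Return the weak or missing directives in a parsed server config."""
    f: List[Finding] = []
    if conf.get("auth", "SHA1").upper() == "SHA1":            # SHA1 is OpenVPN's default
        f.append(("auth", "SHA1 HMAC on the data channel and on tls-auth/tls-crypt; use SHA256"))
    if conf.get("cipher", "BF-CBC").upper().endswith("-CBC"):  # BF-CBC is the 2.4 default
        f.append(("cipher", "CBC plus separate HMAC; prefer AEAD (AES-256-GCM) and let NCP negotiate it"))
    if conf.get("comp-lzo", "no") != "no" or "compress" in conf:
        f.append(("comp-lzo", "compression before encryption leaks plaintext through packet sizes; disable it"))
    if "duplicate-cn" in conf:
        f.append(("duplicate-cn", "one cert shared by many devices defeats per-client revocation; issue one cert per client"))
    if "tls-auth" not in conf and "tls-crypt" not in conf:
        f.append(("tls-crypt", "no control-channel HMAC key, so any internet host can talk to the TLS stack; add a tls-crypt key"))
    if "tls-version-min" not in conf:
        f.append(("tls-version-min", "no TLS floor; set tls-version-min 1.2"))
    if conf.get("remote-cert-tls") != "client":
        f.append(("remote-cert-tls", "server does not require the clientAuth EKU, so a leaked server cert could connect as a client"))
    return f


def harden(conf: Dict[str, str], push: List[str]) -> str:
    """Apply the fixes for every lint() finding and render a server.conf."""
    h = dict(conf)
    h["auth"] = "SHA256"
    h["cipher"] = "AES-256-GCM"                    # fallback for clients without NCP
    h["ncp-ciphers"] = "AES-256-GCM:AES-128-GCM"   # called data-ciphers in OpenVPN 2.5+
    h.pop("comp-lzo", None)
    h.pop("duplicate-cn", None)
    h["tls-crypt"] = "ta.key"                      # openvpn --genkey --secret ta.key; tls-auth on pre-2.4 builds
    h["tls-version-min"] = "1.2"
    h["remote-cert-tls"] = "client"                # client certs need the clientAuth EKU (easy-rsa sets it)
    lines = [f"{k} {v}".rstrip() for k, v in h.items()] + list(push)
    return "\n".join(lines) + "\n"


def parse_conf(text: str) -> Dict[str, str]:
    """Minimal server.conf reader: one directive per line, push lines ignored."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("push "):
            continue
        key, _, value = line.partition(" ")
        conf[key] = value.strip()
    return conf


if __name__ == "__main__":
    for directive, why in lint(POSTED_SETTINGS):
        print(f"{directive:16} {why}")
    print("\n# hardened server.conf\n" + harden(POSTED_SETTINGS, POSTED_PUSH))
```

The round trip `lint(parse_conf(harden(...)))` coming back empty is the check that the hardened file actually addresses each finding. Note that `auth` still matters with AES-GCM: the AEAD cipher ignores it on the data channel, but the tls-crypt/tls-auth HMAC on the control channel uses it.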
I was hoping that the GUI would handle opening the right outbound ports, but wasn't 100% sure. You mention "besides the NAT rule" - can I just check: the only firewall command I have set myself is the one you advised previously - is that the only NAT rule you are referring to and therefore I don't need to add any others?
I won't be using OpenVPN at the same time as other VPNs as I only want to use it to get remote access to my home WAN / LAN - and the other VPNs are only used when I'm already on the LAN at home.
The OpenVPN status page has unfortunately never been anything but blank through all my testing and I've been keeping a watchful eye on it...
Although I had already reset the router to factory defaults before I posted for help, I did reconfigure my current standard config before configuring the OpenVPN server, so I'll do as you suggest: reset, keep it bare bones and try OpenVPN first before anything else.
One final request for advice: I note that there is a newer firmware release for my router (only a few weeks later). Should I install this as well in conjunction with the reset, or should I just focus on what I have and not inject any further change until I get OpenVPN working? Just wondering if there may be a problem with my current firmware... although I can't see any related bugs posted.
Just wanted to update my final conclusions. Unfortunately I just couldn't get past the AUTH_FAILED error and believe the problem lies with my OpenVPN server not starting up regardless of resetting and upgrading the firmware, re-generating certificates and stripping back to very basic VPN configuration. On the server logs I just get OpenVPN "Failed running command (--route-up)" no matter what combination is used.
I'll have to admit defeat this time, and as I've got an ageing router that's past its best, this is the best excuse for me to upgrade!
Thanks to everyone for pitching in with useful responses, and in particular egc for providing a lot of time and helpful support. It really is a great forum for advice... keep up the good work.
Just wanted to conclude this topic by stating that I purchased a new router (Linksys WRT3200ACM) flashed it with build 37305 and OpenVPN works perfectly using exactly the same settings, certificates, keys as I was using with the Netgear WNDR4000. So it was definitely a problem with the router, not the certs or configuration.
Hopefully this will help any others with the same problems I had!