OpenVPN does not connect from behind Chinese Great Firewall

holjanger

Dear community,

thank you all for making customization for the router possible, especially Voxel and team. I am new to this and also to Linux. My motivation for this is to get the VPN client running with my provider ExpressVPN. I have Voxel's R7800-V1.0.2.54SF running, SSH enabled, and the .ovpn file in the directory /etc/openvpn/config/client. However, I am not able to get the client running with the .ovpn file provided by ExpressVPN.

Can somebody point me in the right direction?

I am wondering why the client tries to ping Google, as this is exactly the reason why I needed the VPN in the first place. I live in China and am behind the Great Firewall, which is why the ping normally shouldn't be successful. So normally this is the prompt:

When I try to start the service I get these prompts:

3 packets transmitted, 0 packets received, 100% packet loss
PING www.google.com (69.171.247.71): 56 data bytes

Is there a way to modify the script so that this ping is not attempted? Or could I use any other server instead, e.g. Bing or any other server that is not blocked by the Chinese?

However, at some point, somehow the ping was returned, but the client couldn't connect anyways.

For what it's worth, this is the log file for that time:
my_expressvpn_usa_-_san_francisco_udp.ovpn
Sat Jun  2 13:13:47 2018 WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
Sat Jun  2 13:13:47 2018 OpenVPN 2.4.6 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Jun  2 13:13:47 2018 library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.10
Sat Jun  2 13:15:15 2018 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Sat Jun  2 13:15:15 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Jun  2 13:15:15 2018 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Jun  2 13:15:15 2018 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Jun  2 13:15:15 2018 nice -20 succeeded
Sat Jun  2 13:15:15 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]173.239.198.8:1195
Sat Jun  2 13:15:15 2018 Socket Buffers: R=[163840->1048576] S=[163840->1048576]
Sat Jun  2 13:15:15 2018 UDP link local: (not bound)
Sat Jun  2 13:15:15 2018 UDP link remote: [AF_INET]173.239.198.8:1195
Sat Jun  2 13:15:15 2018 TLS: Initial packet from [AF_INET]173.239.198.8:1195, sid=3ea6560c 4105c332
Sat Jun  2 13:15:15 2018 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=[email protected]
Sat Jun  2 13:15:15 2018 VERIFY OK: nsCertType=SERVER
Sat Jun  2 13:15:15 2018 VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-2048-1a, emailAddress=[email protected]
Sat Jun  2 13:15:15 2018 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-2048-1a, emailAddress=[email protected]
Sat Jun  2 13:15:16 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sat Jun  2 13:15:16 2018 [Server-2048-1a] Peer Connection Initiated with [AF_INET]173.239.198.8:1195
Sat Jun  2 13:15:17 2018 SENT CONTROL [Server-2048-1a]: 'PUSH_REQUEST' (status=1)
Sat Jun  2 13:15:17 2018 AUTH: Received control message: AUTH_FAILED
Sat Jun  2 13:15:17 2018 SIGTERM[soft,auth-failure] received, process exiting
Error: OpenVPN client start failed.
Sat Jun  2 13:17:09 2018 WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
Sat Jun  2 13:17:09 2018 OpenVPN 2.4.6 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Jun  2 13:17:09 2018 library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.10
Sat Jun  2 13:18:20 2018 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Sat Jun  2 13:18:20 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Jun  2 13:18:20 2018 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Jun  2 13:18:20 2018 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Jun  2 13:18:20 2018 nice -20 succeeded
Sat Jun  2 13:18:20 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]191.96.36.113:1195
Sat Jun  2 13:18:20 2018 Socket Buffers: R=[163840->1048576] S=[163840->1048576]
Sat Jun  2 13:18:20 2018 UDP link local: (not bound)
Sat Jun  2 13:18:20 2018 UDP link remote: [AF_INET]191.96.36.113:1195
Sat Jun  2 13:18:20 2018 TLS: Initial packet from [AF_INET]191.96.36.113:1195, sid=582ba98c 1521e5c5
Sat Jun  2 13:18:21 2018 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=[email protected]
Sat Jun  2 13:18:21 2018 VERIFY OK: nsCertType=SERVER
Sat Jun  2 13:18:21 2018 VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-3478-0a, emailAddress=[email protected]
Sat Jun  2 13:18:21 2018 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-3478-0a, emailAddress=[email protected]
Sat Jun  2 13:18:21 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sat Jun  2 13:18:21 2018 [Server-3478-0a] Peer Connection Initiated with [AF_INET]191.96.36.113:1195
Sat Jun  2 13:18:22 2018 SENT CONTROL [Server-3478-0a]: 'PUSH_REQUEST' (status=1)
Sat Jun  2 13:18:22 2018 AUTH: Received control message: AUTH_FAILED
Sat Jun  2 13:18:22 2018 SIGTERM[soft,auth-failure] received, process exiting
Error: OpenVPN client start failed.

kamoj

Yes, you can change www.google.com to something else.
But that is not your problem.
expressvpn requires a userid and password to accept your login.

You MUST put another file (expressvpn.auth) containing userid and password in /etc/openvpn/config/client
I suggest you name the 2 files as: expressvpn.ovpn and expressvpn.auth.

See my answer to another user: https://www.myopenrouter.com/comment/43128#comment-43128

holjanger

Hi kamoj,

thanks for taking time to help me. I have the expressvpn.auth now in the file and added the path to it in the .ovpn file.

However, the script still tries to ping Google as its first action, and that is doomed as Google cannot be reached from behind the Great Firewall. So the whole thing fails as no pong is returned and the script keeps retrying the ping.

I have to break the script using ctrl+C.

This is the log file output; something seems to be amiss also, but for a NOOB this is no help.
Thu May 31 17:09:33 2018 WARNING: --keysize is DEPRECATED and will be removed in OpenV
Thu May 31 17:09:33 2018 OpenVPN 2.4.6 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ
Thu May 31 17:09:33 2018 library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.10
Thu May 31 17:09:33 2018 neither stdin nor stderr are a tty device and you have neithe
Thu May 31 17:09:33 2018 Exiting due to fatal error
Error: OpenVPN client start failed.
Fri Jun  1 19:33:03 GMT 2018 Voxel: OpenVPNclient stop run: ip route del:
default via 10.128.195.1 dev brwan
10.128.195.0/24 dev brwan  proto kernel  scope link  src 10.128.195.30
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
239.0.0.0/8 dev br0  scope link
Fri Jun  1 19:35:53 GMT 2018 Voxel: OpenVPNclient stop run: ip route del:
default via 10.128.195.1 dev brwan
10.128.195.0/24 dev brwan  proto kernel  scope link  src 10.128.195.30
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
239.0.0.0/8 dev br0  scope link

kamoj

The Google ping will stop after a number of tries, if I remember correctly. That is not your big problem.

Apparently ExpressVPN uses the parameter "keysize", which is obsolete. But it's only a warning. Don't care about that either!

One error is probably that your user and/or password can not be found.
Difficult to say because the log is corrupt/cut.
If you read my instructions you shall NOT add any path to the .auth file.

How do you edit the files?
If you are using windows, don't use notepad or word to edit the files,
since they corrupt the files for Linux,
or you need to run "dos2unix" command on the files before using them.

How do you get the files into the router? Voxel's USB method?

Another thing is that your time is not correct. May 31/June 1?
To be able to verify some "certificates" your router's time must be set.

Also this indicates that you are not running the latest Voxel FW.
What firmware are you using?
Please update your router FW.

Before you try to start the client manually, make sure it is not already started!
Give linux command to check running processes: ps -w | grep openvpn

Don't give up, you will succeed at some time!
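The points kamoj raises about the credentials file (it must exist next to the .ovpn, hold the user ID and password, and not be corrupted by a Windows editor) can be checked on the router before starting the client. The script below is an added example, not part of Voxel's firmware or kamoj's instructions; the file name and location follow the thread's layout (/etc/openvpn/config/client/expressvpn.auth) and are assumptions.

```shell
#!/bin/sh
# Added example: sanity-check the OpenVPN "auth-user-pass" credentials file
# before starting the client. Assumed path, taken from this thread's layout.
AUTH_FILE="${AUTH_FILE:-/etc/openvpn/config/client/expressvpn.auth}"

# Prints a reason and returns 1 on the first problem found; prints "ok" and
# returns 0 when the file looks usable.
check_auth_file() {
  f="$1"
  if [ ! -f "$f" ]; then
    echo "missing: $f"; return 1
  fi
  # A CR byte means CRLF line endings, i.e. the file was edited with a Windows
  # editor; this is the case kamoj's dos2unix advice covers.
  if grep -q "$(printf '\r')" "$f"; then
    echo "has CRLF line endings, run: dos2unix $f"; return 1
  fi
  # OpenVPN expects exactly two lines: username, then password.
  lines=$(grep -c . "$f")
  if [ "$lines" -ne 2 ]; then
    echo "expected 2 lines (user, password), found $lines"; return 1
  fi
  # Credentials should be readable by root only (ls columns 5-10 are the
  # group/other permission bits, portable across BusyBox and GNU ls).
  perm=$(ls -ld "$f" | cut -c5-10)
  if [ "$perm" != "------" ]; then
    echo "permissions too open, run: chmod 600 $f"; return 1
  fi
  echo ok; return 0
}

# Usage: check_auth_file "$AUTH_FILE" || exit 1
```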

holjanger

Dear Kamoj,

FW: V1.0.2.54SF
Edit/copying files: I have no way other than to use my little Raspberry Pi 3 B. So I download the files onto it and then copy them onto an Ext file system USB stick and copy them from there to the directory on the Router. Then I use vi to edit them.
Time: I didn't find any router setting in the GUI other than for the time zone. So after your hint I set the time using the date command through PuTTY; however, this only works until the next reboot. I don't know if the router cannot connect to the NTP server? A possible explanation could be that the server that is set is also outside the Chinese firewall.

you shall NOT add any path to the .auth file: This is from Voxel's readme Annex: "PS: Use full path directory filenames on any referenced files in the OVPN file"
Anyways, I have changed the file again, but to no avail. I am prompted for user and pw (see below).

Google server ping: The VPN does not start if the ping is not successful and does not stop trying either. However, it tries different servers after a while and there seems to be one that can actually be reached: "PING www.google.com (31.13.85.8): 56 data bytes" Only then does the script proceed to the actual login at ExpressVPN.

Login: Then I have to enter user and password, so for some reason it doesn't use the expressvpn.auth file.

However, the VPN connects!!

From my desktop I can now use Internet Explorer to access Google without VPN running on the desktop; however, I cannot use Firefox, which gives the following error: "Your connection is not secure Error code: SSL_ERROR_BAD_CERT_DOMAIN"

Here is the log entry:

Thu Aug 16 22:30:33 2018 WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
Thu Aug 16 22:30:33 2018 OpenVPN 2.4.6 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Aug 16 22:30:33 2018 library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.10
Thu Aug 16 22:31:22 2018 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Thu Aug 16 22:31:22 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Aug 16 22:31:22 2018 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Aug 16 22:31:22 2018 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Aug 16 22:31:22 2018 nice -20 succeeded
Thu Aug 16 22:31:22 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]173.239.198.8:1195
Thu Aug 16 22:31:22 2018 Socket Buffers: R=[163840->1048576] S=[163840->1048576]
Thu Aug 16 22:31:22 2018 UDP link local: (not bound)
Thu Aug 16 22:31:22 2018 UDP link remote: [AF_INET]173.239.198.8:1195
Thu Aug 16 22:31:22 2018 TLS: Initial packet from [AF_INET]173.239.198.8:1195, sid=120fef1e 55e727ac
Thu Aug 16 22:31:22 2018 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=[email protected]
Thu Aug 16 22:31:22 2018 VERIFY OK: nsCertType=SERVER
Thu Aug 16 22:31:22 2018 VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-2048-1a, emailAddress=[email protected]
Thu Aug 16 22:31:22 2018 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-2048-1a, emailAddress=[email protected]
Thu Aug 16 22:31:23 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu Aug 16 22:31:23 2018 [Server-2048-1a] Peer Connection Initiated with [AF_INET]173.239.198.8:1195
Thu Aug 16 22:31:24 2018 SENT CONTROL [Server-2048-1a]: 'PUSH_REQUEST' (status=1)
Thu Aug 16 22:31:24 2018 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.89.0.1,route 10.89.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.89.22.194 10.89.22.193'
Thu Aug 16 22:31:24 2018 OPTIONS IMPORT: timers and/or timeouts modified
Thu Aug 16 22:31:24 2018 OPTIONS IMPORT: --ifconfig/up options modified
Thu Aug 16 22:31:24 2018 OPTIONS IMPORT: route options modified
Thu Aug 16 22:31:24 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Aug 16 22:31:24 2018 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Aug 16 22:31:24 2018 Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Aug 16 22:31:24 2018 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Aug 16 22:31:24 2018 Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Aug 16 22:31:24 2018 TUN/TAP device tun0 opened
Thu Aug 16 22:31:24 2018 TUN/TAP TX queue length set to 1000
Thu Aug 16 22:31:24 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Aug 16 22:31:24 2018 /sbin/ifconfig tun0 10.89.22.194 pointopoint 10.89.22.193 mtu 1500
Thu Aug 16 22:31:24 2018 /etc/openvpn/ovpnclient-up.sh tun0 1500 1606 10.89.22.194 10.89.22.193 init
Thu Aug 16 22:31:26 2018 /sbin/route add -net 173.239.198.8 netmask 255.255.255.255 gw 10.128.195.1
Thu Aug 16 22:31:26 2018 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.89.22.193
Thu Aug 16 22:31:26 2018 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.89.22.193
Thu Aug 16 22:31:26 2018 /sbin/route add -net 10.89.0.1 netmask 255.255.255.255 gw 10.89.22.193
Thu Aug 16 22:31:26 2018 Initialization Sequence Completed

holjanger

Next step for me would be to try to eliminate the unnecessary Google pings, since this way a login would take between 5 and 15 mins, depending on when the right server is tried...

Also I would like to find out why IE works but Firefox and Chrome are not connecting to Google because of the SSL error.

Thanks a lot for your help until here!

holjanger

UPDATE: I have solved the ping issue by changing one line in /etc/init.d/openvpn-client

If anyone encounters similar issues, just change

CHECK_HOST=www.google.com

to

CHECK_HOST=www.bing.com

or any other server that is not blocked by the Great Firewall
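Swapping one CHECK_HOST for another still leaves the init script stuck if the new host is ever blocked as well. The function below is an added example, not Voxel's /etc/init.d/openvpn-client: it walks a list of candidate hosts with a bounded number of pings each and reports the first one that answers, so the caller can fail fast with a clear message instead of retrying for minutes. The host list, try count and ping flags are constructed defaults.

```shell
#!/bin/sh
# Added example, not part of Voxel's openvpn-client init script: replace a single
# CHECK_HOST with a bounded check over several hosts. Defaults are constructed.
CHECK_HOSTS="${CHECK_HOSTS:-www.bing.com www.google.com}"
CHECK_TRIES="${CHECK_TRIES:-3}"        # pings per host before moving on
PING_CMD="${PING_CMD:-ping -c 1 -W 2}" # BusyBox ping: one packet, 2 s wait

# Prints the first host that answers and returns 0; returns 1 when none of
# them does after CHECK_TRIES attempts each, so the script never loops forever.
find_reachable_host() {
  for host in $CHECK_HOSTS; do
    n=0
    while [ "$n" -lt "$CHECK_TRIES" ]; do
      if $PING_CMD "$host" >/dev/null 2>&1; then
        echo "$host"
        return 0
      fi
      n=$((n + 1))
    done
  done
  return 1
}

# How the init script would use it:
# if host=$(find_reachable_host); then
#   echo "Internet reachable via $host, starting OpenVPN client"
# else
#   echo "No check host answered after $CHECK_TRIES tries each" >&2
# fi
```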