Problem Connecting to VPN with V1.0.2.49SF

6 posts / 0 new
Last post
dbkb22
dbkb22's picture
Problem Connecting to VPN with V1.0.2.49SF

I am having trouble connecting to the VPN with the latest firmware.  Same settings worked with the 47SF firmware.  I have run out of ideas with my limited knowledge.  Does anyone have any suggestions for how to fix this? 

 

root@NETGEAR-R7800:/$ /etc/init.d/openvpn-client start
PING www.google.com (74.125.136.147): 56 data bytes

--- www.google.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 15.120/15.817/16.588 ms
Please wait...
Error: OpenVPN client start failed.
/etc/rc.common: kill: 90: (25087) - No such process
root@NETGEAR-R7800:/$

LOG FILE OUTPUT
Wed Mar 14 18:33:00 2018 OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed Mar 14 18:33:00 2018 library versions: OpenSSL 1.0.2n  7 Dec 2017, LZO 2.10
Wed Mar 14 18:33:00 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Mar 14 18:33:00 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]192.200.20.20:22
Wed Mar 14 18:33:00 2018 Socket Buffers: R=[163840->786432] S=[163840->786432]
Wed Mar 14 18:33:00 2018 UDP link local: (not bound)
Wed Mar 14 18:33:00 2018 UDP link remote: [AF_INET]192.200.20.20:22
Wed Mar 14 18:33:00 2018 TLS: Initial packet from [AF_INET]192.200.20.20:22, sid=1e415fab a4c217d7
Wed Mar 14 18:33:00 2018 VERIFY X509NAME OK: CN=vpn.trust.zone
Wed Mar 14 18:33:00 2018 VERIFY OK: depth=0, CN=vpn.trust.zone
Wed Mar 14 18:33:00 2018 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Mar 14 18:33:00 2018 [vpn.trust.zone] Peer Connection Initiated with [AF_INET]192.200.20.20:22
Wed Mar 14 18:33:01 2018 SENT CONTROL [vpn.trust.zone]: 'PUSH_REQUEST' (status=1)
Wed Mar 14 18:33:06 2018 SENT CONTROL [vpn.trust.zone]: 'PUSH_REQUEST' (status=1)
Wed Mar 14 18:33:07 2018 AUTH: Received control message: AUTH_FAILED
Wed Mar 14 18:33:07 2018 SIGTERM[soft,auth-failure] received, process exiting
Error: OpenVPN client start failed.

Voxel
Voxel's picture
Try to play with your OVPN

Try to play with your OVPN file. Check this:
 

https://www.privateinternetaccess.com/forum/discussion/24305/sigterm-sof...

and this:
 

https://www.privateinternetaccess.com/forum/discussion/24089/inactivity-...

OpenVPN version is upgraded. Maybe new versioin introduces some additional restrictions. 

P.S. and check your file with credentials (username/pass).
Voxel.

dbkb22
dbkb22's picture
I have tried most/all of the

I have tried most/all of the ovpn file setting suggested in the links.  Also have confirmed username and password are correct.  Was able to connect to VPN using latest 2.4.5 windows client using the same ovpn file.  Does anyone have any other ideas?

Thanks

kamoj
kamoj's picture
Your vpn-providers server

Your vpn-providers server does not reply to your "PUSH_REQUEST"
It should answer something like:

Fri Mar 23 07:33:12 2018 SENT CONTROL [vpn.trust.zone]: 'PUSH_REQUEST' (status=1)
Fri Mar 23 07:33:12 2018 PUSH: Received control message: 'PUSH_REPLY,dhcp-option  ... cipher AES-256-GCM'
 
FW 49SF added some arguments to speed-up the openvpn-client. It might be that "trust" don't recognize or allow them:
OPT_ARGS="--fast-io --sndbuf 393216 --rcvbuf 393216 --tun-mtu 1500 --mssfix 1460"
--push "sndbuf 393216" --push "rcvbuf 393216"

Maybe you can ask "trust" about these arguments.
Or if you are able to, remove these settings from /etc/init.d/openvpn-client and try again.

You can also increase the logging of error messages by changing the "verb" setting in your .ovpn file,
eg from "verb 3" to "verb 9" and try again.

Another thing is to upload your .ovpn file here, it would make things easier to understand.

dbkb22
dbkb22's picture
Commented out the OPT_ARGS

Commented out the OPT_ARGS line, but still have the same results.  Changed the verb setting and got the following error log.  The .ovpn file follows.  Any suggestions would be appreciated.  Thanks for the help.

 

Wed Mar 28 15:39:05 2018 us=452436 OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed Mar 28 15:39:05 2018 us=452592 library versions: OpenSSL 1.0.2n  7 Dec 2017, LZO 2.10
Wed Mar 28 15:39:05 2018 us=453779 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Mar 28 15:39:05 2018 us=456747 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Wed Mar 28 15:39:05 2018 us=952904 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Wed Mar 28 15:39:05 2018 us=953061 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
Wed Mar 28 15:39:05 2018 us=953123 calc_options_string_link_mtu: link-mtu 1621 -> 1601
Wed Mar 28 15:39:05 2018 us=953217 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
Wed Mar 28 15:39:05 2018 us=953248 calc_options_string_link_mtu: link-mtu 1621 -> 1601
Wed Mar 28 15:39:05 2018 us=953342 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Wed Mar 28 15:39:05 2018 us=953404 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Wed Mar 28 15:39:05 2018 us=953498 TCP/UDP: Preserving recently used remote address: [AF_INET]192.200.20.23:22
Wed Mar 28 15:39:05 2018 us=953592 Socket Buffers: R=[163840->163840] S=[163840->163840]
Wed Mar 28 15:39:05 2018 us=953654 UDP link local: (not bound)
Wed Mar 28 15:39:05 2018 us=953717 UDP link remote: [AF_INET]192.200.20.23:22
Wed Mar 28 15:39:05 2018 us=953873  event_wait returned 1
Wed Mar 28 15:39:05 2018 us=954029 UDP WRITE [14] to [AF_INET]192.200.20.23:22: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=31c6b425 e7174d47 [ ] pid=0 DATA
Wed Mar 28 15:39:05 2018 us=954185 UDP write returned 14
Wed Mar 28 15:39:06 2018 us=4482  event_wait returned 1
Wed Mar 28 15:39:06 2018 us=4607 UDP read returned 26
Wed Mar 28 15:39:06 2018 us=4701 UDP READ [26] from [AF_INET]192.200.20.23:22: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=bf994acc d2bfc6b4 [ 0 sid=31c6b425 e7174d47 ] pid=0 DATA
Wed Mar 28 15:39:06 2018 us=4794 TLS: Initial packet from [AF_INET]192.200.20.23:22, sid=bf994acc d2bfc6b4
Wed Mar 28 15:39:06 2018 us=4919  event_wait returned 1
Wed Mar 28 15:39:06 2018 us=5013 UDP WRITE [22] to [AF_INET]192.200.20.23:22: P_ACK_V1 kid=0 sid=31c6b425 e7174d47 [ 0 sid=bf994acc d2bfc6b4 ]
Wed Mar 28 15:39:06 2018 us=5138 UDP write returned 22
Wed Mar 28 15:39:06 2018 us=5294  event_wait returned 1
Wed Mar 28 15:39:06 2018 us=5669 UDP WRITE [183] to [AF_INET]192.200.20.23:22: P_CONTROL_V1 kid=0 sid=31c6b425 e7174d47 [ ] pid=1 DATA 16030100 a4010000 a00303c3 526c0b24 4ee663e4 9ec98feb cb98107d 7e63ba5[more...]
Wed Mar 28 15:39:06 2018 us=5763 UDP write returned 183
Wed Mar 28 15:39:06 2018 us=65244  event_wait returned 1
Wed Mar 28 15:39:06 2018 us=65338 UDP read returned 1226
Wed Mar 28 15:39:06 2018 us=67119 UDP READ [1226] from [AF_INET]192.200.20.23:22: P_CONTROL_V1 kid=0 sid=bf994acc d2bfc6b4 [ 1 sid=31c6b425 e7174d47 ] pid=1 DATA 16030100 56020000 5203015a bc2799f8 d510c4e5 2dd78f7d 390364fe 7eadd1b[more
...]
Wed Mar 28 15:39:06 2018 us=68306 VERIFY X509NAME OK: CN=vpn.trust.zone
Wed Mar 28 15:39:06 2018 us=68368 VERIFY OK: depth=0, CN=vpn.trust.zone
Wed Mar 28 15:39:06 2018 us=68556  event_wait returned 1
Wed Mar 28 15:39:06 2018 us=68649 UDP WRITE [22] to [AF_INET]192.200.20.23:22: P_ACK_V1 kid=0 sid=31c6b425 e7174d47 [ 1 sid=bf994acc d2bfc6b4 ]
Wed Mar 28 15:39:06 2018 us=68774 UDP write returned 22
Wed Mar 28 15:39:06 2018 us=68868  event_wait returned 1
Wed Mar 28 15:39:06 2018 us=68931 UDP read returned 283
Wed Mar 28 15:39:06 2018 us=69399 UDP READ [283] from [AF_INET]192.200.20.23:22: P_CONTROL_V1 kid=0 sid=bf994acc d2bfc6b4 [ ] pid=2 DATA 37df0100 b493628c 255f19e4 83eb1804 cf15f2af a68d40f9 6b26cfae fd233fd[more...]
Wed Mar 28 15:39:06 2018 us=80896  event_wait returned 1
Wed Mar 28 15:39:06 2018 us=81271 UDP WRITE [224] to [AF_INET]192.200.20.23:22: P_CONTROL_V1 kid=0 sid=31c6b425 e7174d47 [ 2 sid=bf994acc d2bfc6b4 ] pid=2 DATA 16030100 86100000 8200800a debc4291 83aec323 b888bb35 8df0dc73 90f63dd[more..
.]
Wed Mar 28 15:39:06 2018 us=81396 UDP write returned 224
Wed Mar 28 15:39:06 2018 us=140627  event_wait returned 1
Wed Mar 28 15:39:06 2018 us=140689 UDP read returned 85
Wed Mar 28 15:39:06 2018 us=140877 UDP READ [85] from [AF_INET]192.200.20.23:22: P_CONTROL_V1 kid=0 sid=bf994acc d2bfc6b4 [ 2 sid=31c6b425 e7174d47 ] pid=3 DATA 14030100 01011603 010030d6 0b5c50d1 010eac30 402f7fb0 8816716a 78f8396[more.
..]
Wed Mar 28 15:39:06 2018 us=141377  event_wait returned 1
Wed Mar 28 15:39:06 2018 us=142095 UDP WRITE [468] to [AF_INET]192.200.20.23:22: P_CONTROL_V1 kid=0 sid=31c6b425 e7174d47 [ 3 sid=bf994acc d2bfc6b4 ] pid=3 DATA 17030100 2053f831 b150ee06 ecb202ae 5b44208a 4f6e635a 0b73727b 08f1fa5[more.
..]
Wed Mar 28 15:39:06 2018 us=142189 UDP write returned 468
Wed Mar 28 15:39:06 2018 us=198796  event_wait returned 1
Wed Mar 28 15:39:06 2018 us=198859 UDP read returned 292
Wed Mar 28 15:39:06 2018 us=199327 UDP READ [292] from [AF_INET]192.200.20.23:22: P_CONTROL_V1 kid=0 sid=bf994acc d2bfc6b4 [ 3 sid=31c6b425 e7174d47 ] pid=4 DATA 17030100 208465cb 3c52c147 13f62846 037ca378 f6bb93fa 67825f2f ecbaf72[more
...]
Wed Mar 28 15:39:06 2018 us=199546  event_wait returned 1
Wed Mar 28 15:39:06 2018 us=199671 UDP WRITE [22] to [AF_INET]192.200.20.23:22: P_ACK_V1 kid=0 sid=31c6b425 e7174d47 [ 4 sid=bf994acc d2bfc6b4 ]
Wed Mar 28 15:39:06 2018 us=199765 UDP write returned 22
Wed Mar 28 15:39:06 2018 us=199890 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Mar 28 15:39:06 2018 us=199983 [vpn.trust.zone] Peer Connection Initiated with [AF_INET]192.200.20.23:22
Wed Mar 28 15:39:07 2018 us=304076  event_wait returned 0
Wed Mar 28 15:39:07 2018 us=304263 SENT CONTROL [vpn.trust.zone]: 'PUSH_REQUEST' (status=1)
Wed Mar 28 15:39:07 2018 us=304357  event_wait returned 1
Wed Mar 28 15:39:07 2018 us=304576 UDP WRITE [104] to [AF_INET]192.200.20.23:22: P_CONTROL_V1 kid=0 sid=31c6b425 e7174d47 [ ] pid=4 DATA 17030100 207e47c4 38bd2a6f a89e5121 ef731645 a28f364e 8618b660 c7603cf[more...]
Wed Mar 28 15:39:07 2018 us=304701 UDP write returned 104
Wed Mar 28 15:39:07 2018 us=354185  event_wait returned 1
Wed Mar 28 15:39:07 2018 us=354279 UDP read returned 22
Wed Mar 28 15:39:07 2018 us=354373 UDP READ [22] from [AF_INET]192.200.20.23:22: P_ACK_V1 kid=0 sid=bf994acc d2bfc6b4 [ 4 sid=31c6b425 e7174d47 ]
Wed Mar 28 15:39:07 2018 us=573460  event_wait returned 1
Wed Mar 28 15:39:07 2018 us=573554 UDP read returned 104
Wed Mar 28 15:39:07 2018 us=573773 UDP READ [104] from [AF_INET]192.200.20.23:22: P_CONTROL_V1 kid=0 sid=bf994acc d2bfc6b4 [ ] pid=5 DATA 17030100 2094ec7e 45c474d8 912e363d 897cfef6 0c13e7d7 93a5026b b9843a8[more...]
Wed Mar 28 15:39:07 2018 us=573960 AUTH: Received control message: AUTH_FAILED
Wed Mar 28 15:39:07 2018 us=574335 TCP/UDP: Closing socket
Wed Mar 28 15:39:07 2018 us=574429 SIGTERM[soft,auth-failure] received, process exiting
Error: OpenVPN client start failed.

 

 

###############################################################################
# OpenVPN 2.0 Sample Configuration File
#
# !!! AUTO-GENERATED  !!!
#
# !!! YOU HAVE TO REVIEW IT BEFORE USE AND MODIFY IT AS NECESSARY !!!
#
# This configuration file is auto-generated. You might use this config file
# However, before you try it, you should review the descriptions of the file
# to determine the necessity to modify to suitable for your real environment.
# If necessary, you have to modify a little adequately on the file.
# For example, the IP address or the hostname as a destination VPN Server
# should be confirmed.
#
# Note that to use OpenVPN 2.0, you have to put the certification file of
# the destination VPN Server on the OpenVPN Client computer when you use this
# config file. Please refer the below descriptions carefully.

###############################################################################
# Specify the type of the layer of the VPN connection.
#
# To connect to the VPN Server as a "Remote-Access VPN Client PC",
#  specify 'dev tun'. (Layer-3 IP Routing Mode)
#
# To connect to the VPN Server as a bridging equipment of "Site-to-Site VPN",
#  specify 'dev tap'. (Layer-2 Ethernet Bridgine Mode)

dev tun

###############################################################################
# Specify the underlying protocol beyond the Internet.
# Note that this setting must be correspond with the listening setting on
# the VPN Server.
#
# Specify either 'proto tcp' or 'proto tcp'.

proto tcp

###############################################################################
# The destination hostname / IP address, and port number of
# the target VPN Server.
#
# You have to specify as 'remote <HOSTNAME> <PORT>'. You can also
# specify the IP address instead of the hostname.
#
# Note that the auto-generated below hostname are a "auto-detected
# IP address" of the VPN Server. You have to confirm the correctness
# beforehand.
#
# When you want to connect to the VPN Server by using TCP protocol,
# the port number of the destination TCP port should be same as one of
# the available TCP listeners on the VPN Server.
#
# When you use UDP protocol, the port number must same as the configuration
# setting of "OpenVPN Server Compatible Function" on the VPN Server.

# Note: The below hostname is came from the Dynamic DNS Client function
#       which is running on the VPN Server. If you don't want to use
#       the Dynamic DNS hostname, replace it to either IP address or
#       other domain's hostname.

remote us-ga.trust.zone 22

###############################################################################
# The HTTP/HTTPS proxy setting.
#
# Only if you have to use the Internet via a proxy, uncomment the below
# two lines and specify the proxy address and the port number.
# In the case of using proxy-authentication, refer the OpenVPN manual.

;http-proxy-retry
;http-proxy [proxy server] [proxy port]

###############################################################################
# The encryption and authentication algorithm.
#
# Default setting is good. Modify it as you prefer.
# When you specify an unsupported algorithm, the error will occur.
#
# The supported algorithms are as follows:
#  cipher: [NULL-CIPHER] NULL AES-128-CBC AES-192-CBC AES-256-CBC BF-CBC
#          CAST-CBC CAST5-CBC DES-CBC DES-EDE-CBC DES-EDE3-CBC DESX-CBC
#          RC2-40-CBC RC2-64-CBC RC2-CBC
#  auth:   SHA SHA1 MD5 MD4 RMD160 SHA256 SHA384 SHA512

cipher AES-256-CBC
auth SHA512
#auth-nocache

###############################################################################
# Other parameters necessary to connect to the VPN Server.
#
# It is not recommended to modify it unless you have a particular need.

resolv-retry infinite
nobind
persist-key
client
verb 3
auth-user-pass

verify-x509-name vpn.trust.zone name

#remote-cert-tls server
#remote-cert-ku f6

dhcp-option DNS 109.236.87.2
dhcp-option DNS 144.217.75.55

#uncomment next line if you want your OpenVPN client to ignore DNS settings pushed from VPN server
#pull-filter ignore "dhcp-option DNS "

###############################################################################
 

kamoj
kamoj's picture
Your .ovpn-file is incomplete

One important thing to get it working is:

You must add the name of the file containing your userid and password.

So change the .ovpn line:
Example:
auth-user-pass
to:

auth-user-pass trust.txt

Then you also must add the trust.txt file to the USB-stick directory openvpn-client (same place as the .ovp-file)
I have same name of .ovpn-file as authorization file to keep it simple.
In you case my files would be trust.ovpn and trust.txt

Other comments:
-If still not working login to router and run:

/hipplay/usr/bin/dos2unix  -u  /etc/openvpn/config/client/*

Then reboot the router.
 

-Your vpn-speed is probably better if you change "proto tcp" to "proto udp".

-Your .ovpn-file is incomplete, missing certificate e.g.

-Undo your other changes to openvpn-client and .ovpn after you get it working.