I have some old TP-Link TL-WR841N/ND revision 11 routers that I really want to reuse as VPN routers and really don't need much from them; it would be crazy to throw them away. I found some older versions that include OpenVPN for this router (LEDE 17.01.6 r3979 and 17.01.7 r4030), but I'm having some issues connecting to my VPN provider with it (all config files are known good and tested on other routers, so it seems unlikely there's an issue here, but I'm getting a "Cipher aes-128-cbc not supported" message in the system logs).
I can connect fine from other newer routers using this exact same config file and using aes-128-cbc, so aes-128-cbc certainly is supported, although I've noticed it gives this in a loop even when not connected to the internet, so maybe there's a strange setting that needs changing in these old versions?
From system logs:
Fri Dec 3 21:18:16 2021 daemon.notice openvpn(VPNclient): OpenVPN 2.4.4 mips-openwrt-linux-gnu [SSL (mbed TLS)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Dec 3 21:18:16 2021 daemon.notice openvpn(VPNclient): library versions: mbed TLS 2.7.10, LZO 2.10
Fri Dec 3 21:18:16 2021 daemon.err openvpn(VPNclient): Cipher aes-128-cbc not supported
Fri Dec 3 21:18:16 2021 daemon.notice openvpn(VPNclient): Exiting due to fatal error
I followed the "OpenVPN Client for HH5A v1.1j.pdf" guide (except the steps for installing openvpn, of course, as it's already installed), which guides through step by step for LEDE 17 and seems to be well regarded as a reliable setup 'how to' across any LEDE 17 device. Everything seemed to go fine (although now that I've upgraded to 17.01.7 r4030, I've just noticed that on the final step, where I press save and apply on the OpenVPN instances page, it highlights the line with the empty box under the VPNclient3 entry (the line with the apply button on it) and states "Invalid" - not sure why, as every step has been followed and there is no mention of needing to do anything with this box).
Login info was added to userpass.txt and saved in /etc/openvpn with WinSCP along with my PIA-us-texas.ovpn PIA VPN file; the openvpn file for the 1st VPN was changed to option config '/etc/openvpn/PIA-us-texas.ovpn' and saved in /etc/config as well, of course.
Below is the shortened PIA-us-texas.ovpn file, in case there are any extra settings needed or anything specifically needs removing or changing...
client
dev tun
proto udp
remote us-texas.privacy.network 1198
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
MIIFqz...RiU (shortened)
-----END CERTIFICATE-----
</ca>
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/userpass.txt
comp-lzo no
verb 1
reneg-sec 0
Note: I removed the X509 section from this file as my other routers refused to connect with it in. I have also tried with the version below, straight from PIA (only changed the auth-user-pass line), but got the same results.
client
dev tun
proto udp
remote us-texas.privacy.network 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/userpass.txt
compress
verb 1
reneg-sec 0
<crl-verify>
-----BEGIN X509 CRL-----
MIIC...A== (shortened)
-----END X509 CRL-----
</crl-verify>
<ca>
-----BEGIN CERTIFICATE-----
MIIF...RiU (shortened)
-----END CERTIFICATE-----
</ca>
disable-occ
If this is a simple config error, I would really appreciate knowing what went wrong and what needs to be changed for this to work. I've followed everything in the guide exactly as stated, so it seems very odd; the only sections skipped were the openvpn install, as it is already installed, and the 'Modem-router Owners' section, as this device has no modem.
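
A diagnostic sketch for the "Cipher ... not supported" error above, added here as an example and not part of the original post: it compares the `cipher` and `auth` names in a profile with the names the local build prints for `openvpn --show-ciphers` and `openvpn --show-digests`, exactly as spelled, because a spelling that one build accepts can be rejected by another that matches names case-sensitively. The function names `ovpn_directive` and `check_name` are hypothetical, and the script assumes each listing line starts with the algorithm name.

```shell
#!/bin/sh
# Added example (not from the original post): check that the cipher/auth
# names in an .ovpn profile match what the local OpenVPN build lists.

# Print the first value of a directive (e.g. "cipher"), ignoring comments
# and anything inside inline blocks such as <ca>...</ca>.
ovpn_directive() {  # usage: ovpn_directive FILE KEY
    awk -v key="$2" '
        /^[ \t]*<\//             { inblock = 0; next }
        /^[ \t]*<[A-Za-z]/       { inblock = 1; next }
        inblock || /^[ \t]*[#;]/ { next }
        $1 == key                { print $2; exit }
    ' "$1"
}

# Classify NAME against a listing whose lines start with an algorithm name.
# Prints "exact", "case-only:<listed spelling>", or "missing".
check_name() {  # usage: check_name NAME LISTING_TEXT
    printf '%s\n' "$2" | awk -v want="$1" '
        $1 == want { print "exact"; found = 1; exit }
        toupper($1) == toupper(want) && !alt { alt = $1 }
        END { if (!found) print (alt ? "case-only:" alt : "missing") }
    '
}

# On the router: sh check.sh /etc/openvpn/PIA-us-texas.ovpn
if [ -n "${1:-}" ] && command -v openvpn >/dev/null 2>&1; then
    echo "cipher: $(check_name "$(ovpn_directive "$1" cipher)" "$(openvpn --show-ciphers)")"
    echo "auth:   $(check_name "$(ovpn_directive "$1" auth)" "$(openvpn --show-digests)")"
else
    # Constructed one-line listing for an offline run (not real build output).
    demo='AES-128-CBC  (128 bit key, 128 bit block)'
    echo "demo: aes-128-cbc -> $(check_name aes-128-cbc "$demo")"
fi
```

A `case-only:` result means the build lists the algorithm under a different capitalisation than the profile uses; `missing` means the build does not list it at all.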