IP Vanish OpenVPN connection issue

Model Xiaomi Redmi Router AX6000 (stock layout)
Firmware OpenWrt SNAPSHOT r23530-0e83b5e6cc / LuCI Master git-23.158.78004-23a246e
Kernel 5.15.120

Wed Jul 12 09:00:00 2023 daemon.notice openvpn(iada01ipvanishcom)[16131]: Exiting due to fatal error
Wed Jul 12 09:00:03 2023 kern.err kernel: [35839.165605] mt798x-wmac 18000000.wifi: Message 00005aed (seq 2) timeout
Wed Jul 12 09:00:05 2023 daemon.warn openvpn(iada01ipvanishcom)[16137]: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Wed Jul 12 09:00:05 2023 daemon.warn openvpn(iada01ipvanishcom)[16137]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Wed Jul 12 09:00:05 2023 daemon.warn openvpn(iada01ipvanishcom)[16137]: WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
Wed Jul 12 09:00:05 2023 daemon.notice openvpn(iada01ipvanishcom)[16137]: OpenVPN 2.5.8 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed Jul 12 09:00:05 2023 daemon.notice openvpn(iada01ipvanishcom)[16137]: library versions: OpenSSL 3.0.9 30 May 2023, LZO 2.10
Wed Jul 12 09:00:05 2023 daemon.err openvpn(iada01ipvanishcom)[16137]: neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Auth Username:'. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.

Remove Keysize from the openvpn config.

Furthermore, remove compression (comp-lzo etc.) and auth-nocache, but add username & password in the appropriate box.

If it does not work, post the config file you used.

I removed it but unfortunately it didn't work.
Here is the original configuration file:

client
dev tun
proto udp
remote iad-a01.ipvanish.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
ca ca.ipvanish.com.crt
verify-x509-name iad-a01.ipvanish.com name
auth-user-pass
comp-lzo
verb 3
auth SHA256
cipher AES-256-CBC
keysize 256
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA

As said, remove keysize 256

If you want to make your OVPN client by importing the config file then you have to use your CA file inline.

So grab your IPVanish CA file (ca.ipvanish.com.crt) and with a text editor:
remove the line ca.ipvanish.com.crt
and add in the conf file:

[PLACE content of ca.ipvanish.com.crt]

So it will look something like:

<ca>
-----BEGIN CERTIFICATE-----
BLABLABLA
-----END CERTIFICATE-----
</ca>

Alternatively you can store the file somewhere and set the path/filename with
ca /path/filename

Add username and password in the password box on separate lines e.g.:

username
password

The header of the box will show you where the auth-user-pass is stored, see:

Grab this path and file name and add it like:
auth-user-pass /etc/openvpn/proton1.auth

If you get a connection but no traffic remove comp-lzo

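A pre-flight check for the options discussed so far, as an added example that is not part of any post in this thread: it flags `keysize`, compression, `auth-nocache`, a bare `auth-user-pass`, a relative `ca` path, and a `cipher` missing from `data-ciphers`. The function names `lint_ovpn` and `thread_config` are hypothetical, and the default `data-ciphers` list is taken from the OpenVPN 2.5.8 log message above.

```shell
#!/bin/sh
# Added example (not from the thread): lint an OpenVPN 2.5 client config for
# the options the log above complains about. Prints one finding per line and
# returns non-zero if there is any finding.
lint_ovpn() {
    awk '
    function out(msg) { print msg; n++ }
    /^[ \t]*([#;]|$)/     { next }                 # comments, blank lines
    /^[ \t]*<\/[a-z-]+>/  { inblock = 0; next }    # end of inline block
    /^[ \t]*<[a-z-]+>/    { inblock = 1; next }    # <ca>, <cert>, ... start
    inblock               { next }                 # skip PEM payload
    $1 == "keysize"       { out("keysize: deprecated, removed in OpenVPN 2.6; delete it") }
    $1 == "comp-lzo" || $1 == "compress" { out($1 ": compression enabled; delete it") }
    $1 == "auth-nocache"  { out("auth-nocache: not usable by a daemon that cannot re-prompt; delete it") }
    $1 == "auth-user-pass" && NF < 2 { out("auth-user-pass: no file given; a daemon cannot prompt for credentials") }
    $1 == "ca" && $2 !~ /^\// { out("ca: relative path " $2 "; use an absolute path or an inline <ca> block") }
    $1 == "cipher"        { cipher = $2 }
    $1 == "data-ciphers"  { dc = $2 }
    $1 == "data-ciphers-fallback" { fb = $2 }
    END {
        # Default negotiation list reported by OpenVPN 2.5.8 in the log above.
        if (dc == "") dc = "AES-256-GCM:AES-128-GCM"
        if (cipher != "" && fb == "" && index(":" dc ":", ":" cipher ":") == 0)
            out("cipher: " cipher " not in data-ciphers; use data-ciphers-fallback " cipher)
        exit (n > 0)
    }' "$1"
}

# Abridged copy of the config originally posted in the thread, as sample input.
thread_config() {
    cat <<'EOF'
client
dev tun
proto udp
remote iad-a01.ipvanish.com 443
ca ca.ipvanish.com.crt
auth-user-pass
comp-lzo
auth SHA256
cipher AES-256-CBC
keysize 256
EOF
}

if [ $# -gt 0 ]; then lint_ovpn "$1"; fi
```

Run it as `sh lint.sh /etc/openvpn/client.ovpn` (the script name and path are placeholders) before importing the file into LuCI.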

It currently looks like this:

client
dev tun
proto udp
remote iad-a01.ipvanish.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
ca /etc/openvpn/ca.ipvanish.com.crt
verify-x509-name iad-a01.ipvanish.com name
auth-user-pass /etc/openvpn/ipvanish.auth
verb 3
auth SHA256
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA

Connected but no internet access.
I removed first the "keysize 256" and then the "comp-lzo" lines.
Connected but no internet.

Have you rebooted the router?

What does the log show?

Run traceroute (for Windows, tracert) to 8.8.8.8 to see if it goes anywhere.

Edit: Have you added the interface to the WAN zone?


Of course, I restart it after every major modification.

Log: https://pastebin.com/gRJqPTcJ

Will look at it later but at least you have to turn on MASQUERADING on the tun0 zone!

Looks like an old log?
No connection whatsoever.

I turned it on, nothing changed.

Sure, that is no problem and can be done with Policy Based Routing; I am using it myself.

See:

When you simply want to route all Internet usage to a commercial VPN service, don't use policy routing and, at least initially, place the VPN tunnel into the existing wan zone (which already has masquerade).
