Netgear R8000 and OpenVPN

Hi to all, I have a big problem: for days I've been trying to configure the router with NordVPN (I've already done it on a Raspberry Pi 3 and on a WR841ND). It works when I restart the OpenVPN service, but only for a few seconds!

I tried 4 different versions:
-openwrt-15.05.1-bcm53xx-netgear-r8000-squashfs.chk (VPN doesn't start)
-lede-17.01.2-bcm53xx-netgear-r8000-squashfs.chk
-lede-17.01.3-bcm53xx-netgear-r8000-squashfs.chk
-lede-17.01.4-bcm53xx-netgear-r8000-squashfs.chk
On all versions I can connect to the VPN, but after a few seconds the connection gets stuck! Every time I restart the service it works for a few seconds!

WHAT I DO (SOURCE: https://nordvpn.com/it/tutorials/openwrt/openvpn/)
On the fresh firmware I do:

opkg update
opkg install openvpn-openssl
opkg install ip-full
opkg install luci-app-openvpn
/etc/init.d/openvpn enable

uci set openvpn.nordvpn=openvpn
uci set openvpn.nordvpn.enabled='1'
uci set openvpn.nordvpn.config='/etc/openvpn/it14.nordvpn.com.udp1194.ovpn'
uci commit openvpn

uci set network.nordvpntun=interface
uci set network.nordvpntun.proto='none'
uci set network.nordvpntun.ifname='tun0'
uci commit network

uci add firewall zone
uci set firewall.@zone[-1].name='vpnfirewall'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].mtu_fix='1'
uci add_list firewall.@zone[-1].network='nordvpntun'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='vpnfirewall'
uci commit firewall

uci set network.wan.peerdns='0'
uci del network.wan.dns
uci add_list network.wan.dns='162.242.211.137'
uci add_list network.wan.dns='78.46.223.24'
uci commit

After that I put the ovpn file in the openvpn folder and reboot the router!
I tried some servers (ovpn files), always with the same results.
Can someone help me?? Thanks a lot

Any hints in the logs?

This is my log: https://pastebin.com/syxiALYD

Can anyone help me?

What about your NordVPN username and password file? I don't see it being created during your fresh install.

I put it in the openvpn folder with the ovpn file! (The connection is established, but only for a few seconds)
Now I installed dd-wrt and I get the same error, but the log is more detailed:

Client log:
20171027 16:12:24 W WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
20171027 16:12:24 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
20171027 16:12:24 I OpenVPN 2.4.2 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jun 11 2017
20171027 16:12:24 I library versions: OpenSSL 1.0.2k 26 Jan 2017 LZO 2.09
20171027 16:12:24 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20171027 16:12:24 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20171027 16:12:24 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
20171027 16:12:24 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
20171027 16:12:24 I TCP/UDP: Preserving recently used remote address: [AF_INET]185.94.193.179:1194
20171027 16:12:24 Socket Buffers: R=[180224->180224] S=[180224->180224]
20171027 16:12:24 I UDPv4 link local: (not bound)
20171027 16:12:24 I UDPv4 link remote: [AF_INET]185.94.193.179:1194
20171027 16:12:24 TLS: Initial packet from [AF_INET]185.94.193.179:1194 sid=4f998d3c 0273c2dc
20171027 16:12:24 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
20171027 16:12:24 VERIFY OK: depth=1 C=PA ST=PA L=Panama O=NordVPN OU=NordVPN CN=it9.nordvpn.com name=NordVPN emailAddress=cert@nordvpn.com
20171027 16:12:24 VERIFY KU OK
20171027 16:12:24 Validating certificate extended key usage
20171027 16:12:24 NOTE: --mute triggered...
20171027 16:12:24 4 variation(s) on previous 3 message(s) suppressed by --mute
20171027 16:12:24 I [it9.nordvpn.com] Peer Connection Initiated with [AF_INET]185.94.193.179:1194
20171027 16:12:25 SENT CONTROL [it9.nordvpn.com]: 'PUSH_REQUEST' (status=1)
20171027 16:12:25 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 sndbuf 524288 rcvbuf 524288 dhcp-option DNS 78.46.223.24 dhcp-option DNS 162.242.211.137 route-gateway 10.8.8.1 topology subnet ping 60 ping-restart 180 ifconfig 10.8.8.22 255.255.255.0 peer-id 17 cipher AES-256-GCM'
20171027 16:12:25 OPTIONS IMPORT: timers and/or timeouts modified
20171027 16:12:25 NOTE: --mute triggered...
20171027 16:12:25 1 variation(s) on previous 3 message(s) suppressed by --mute
20171027 16:12:25 Socket Buffers: R=[180224->360448] S=[180224->360448]
20171027 16:12:25 OPTIONS IMPORT: --ifconfig/up options modified
20171027 16:12:25 OPTIONS IMPORT: route options modified
20171027 16:12:25 OPTIONS IMPORT: route-related options modified
20171027 16:12:25 NOTE: --mute triggered...
20171027 16:12:25 4 variation(s) on previous 3 message(s) suppressed by --mute
20171027 16:12:25 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
20171027 16:12:25 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
20171027 16:12:25 I TUN/TAP device tun1 opened
20171027 16:12:25 TUN/TAP TX queue length set to 100
20171027 16:12:25 D do_ifconfig tt->did_ifconfig_ipv6_setup=0
20171027 16:12:25 I /sbin/ifconfig tun1 10.8.8.22 netmask 255.255.255.0 mtu 1500 broadcast 10.8.8.255
20171027 16:12:25 /sbin/route add -net 185.94.193.179 netmask 255.255.255.255 gw 192.168.178.1
20171027 16:12:25 W ERROR: Linux route add command failed: external program exited with error status: 1
20171027 16:12:25 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.8.1
20171027 16:12:25 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.8.1
20171027 16:12:28 I Initialization Sequence Completed
20171027 16:12:28 N write UDPv4: Message too large (code=90)
20171027 16:12:28 N write UDPv4: Message too large (code=90)
20171027 16:12:28 N write UDPv4: Message too large (code=90)
20171027 16:12:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20171027 16:12:32 D MANAGEMENT: CMD 'state'
20171027 16:12:32 MANAGEMENT: Client disconnected
20171027 16:12:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20171027 16:12:32 D MANAGEMENT: CMD 'state'
20171027 16:12:32 MANAGEMENT: Client disconnected
20171027 16:12:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20171027 16:12:32 D MANAGEMENT: CMD 'state'
20171027 16:12:32 MANAGEMENT: Client disconnected
20171027 16:12:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20171027 16:12:32 D MANAGEMENT: CMD 'status 2'
20171027 16:12:32 MANAGEMENT: Client disconnected
20171027 16:12:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20171027 16:12:32 D MANAGEMENT: CMD 'log 500'
19700101 01:00:00
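A small triage script for the dd-wrt client log above, added here as an example (not code from the thread, OpenWrt or dd-wrt): it parses the timestamp/level/message format and maps the lines that matter for security and stability (world-readable key and credential files, password cached in memory, failed host route to the endpoint, EMSGSIZE writes) to a remediation. The sample lines are copied from the post; the rule names and advice strings are my own.

```python
import re

# Excerpt of the dd-wrt client log quoted above (constructed subset, lines copied as posted).
SAMPLE_LOG = """\
20171027 16:12:24 W WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
20171027 16:12:24 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
20171027 16:12:24 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
20171027 16:12:25 W ERROR: Linux route add command failed: external program exited with error status: 1
20171027 16:12:28 I Initialization Sequence Completed
20171027 16:12:28 N write UDPv4: Message too large (code=90)
20171027 16:12:28 N write UDPv4: Message too large (code=90)
"""

# dd-wrt line format: YYYYMMDD HH:MM:SS [level letter] message (the level letter is optional).
LINE_RE = re.compile(r"^(\d{8}) (\d{2}:\d{2}:\d{2}) (?:([A-Z]) )?(.*)$")

# (regex, finding id, remediation); {0} is filled from the regex's capture group.
RULES = [
    (re.compile(r"WARNING: file '([^']+)' is group or others accessible"), "secret-file-perms",
     "chmod 600 {0}: keys and credentials must be readable by the owner only"),
    (re.compile(r"may cache passwords in memory"), "password-cached",
     "add 'auth-nocache' so the password is not kept in process memory"),
    (re.compile(r"ERROR: Linux route add command failed"), "route-add-failed",
     "host route to the VPN endpoint via the WAN gateway failed; verify it exists, because "
     "without it redirect-gateway def1 sends the endpoint's own packets into the tunnel"),
    (re.compile(r"write UDPv4: Message too large"), "emsgsize",
     "packets exceed the path MTU; lower tun-mtu/mssfix or add 'fragment'"),
]

def parse(log):
    """Yield (timestamp, level, message) for each well-formed line; other lines are skipped."""
    for raw in log.splitlines():
        if m := LINE_RE.match(raw):
            yield f"{m.group(1)} {m.group(2)}", m.group(3) or "-", m.group(4)

def triage(log):
    """Return {'connected': bool, 'findings': {id: {'count', 'first', 'advice'}}}."""
    report = {"connected": False, "findings": {}}
    for ts, _level, msg in parse(log):
        if msg == "Initialization Sequence Completed":
            report["connected"] = True       # tunnel negotiated; later errors are post-connect
        for pat, fid, advice in RULES:
            if m := pat.search(msg):
                entry = report["findings"].setdefault(fid, {"count": 0, "first": ts, "advice": []})
                entry["count"] += 1
                text = advice.format(*m.groups())
                if text not in entry["advice"]:   # one advice line per distinct file/message
                    entry["advice"].append(text)
    return report
```

Run `triage(open("/tmp/openvpncl/openvpn.log").read())` (path assumed) on a live log to get the same report for your own router.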

Have you tried the .ovpn file using a stand-alone client? Also, post the .ovpn file here so we can check for issues.

It works on the Raspberry Pi and WR841ND and also on this Netgear, but only for a few seconds! (every server that I tried and every firmware that I tried!)
Now I'm trying Tomato, but I cannot really connect to the VPN
(I cut the ca and tls)

client
dev tun
proto tcp
remote 185.94.193.179 443
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0

remote-cert-tls server

#mute 10000
auth-user-pass

comp-lzo
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>

You need a filename after auth-user-pass in the format auth-user-pass "/etc/openvpn/userpass.txt" or whatever your username and password file is called.

Yes, I have just set up the file correctly

So, it's working now?

No, I had set it up before! The connection to the VPN is established, but after a few seconds the connection gets stuck! If I restart the openvpn service the connection works again, but only for a few seconds!
That is the problem!

You say you have the .ovpn file setup correctly, but what you posted was not setup correctly. Please post the actual contents of the file you are using!

Also, have you tried connecting (using the same .ovpn file) with a stand-alone Windows, Mac or Linux client to confirm the problem is not with NordVPN?

I just signed up for a 3-day trial NordVPN account and downloaded their .ovpn files. I tried 6 different servers in the US and Canada, using the Windows OpenVPN client. I could connect, but no traffic would pass through the tunnel. I then tried my usual VPN provider, AirVPN and had no problem. Seems like a NordVPN issue to me.

Don't worry, I know!

auth-user-pass filename

NordVPN works correctly for me with iPhone, Raspberry Pi and Windows!
I have a problem only with the Netgear R8000

So I just connected to NordVPN using my iPad and using THEIR Windows client. However, using the standard OpenVPN Windows client, I can connect but can't pass traffic through any of their servers. Something is wrong with their .ovpn file configs!

Try for yourself by installing the standard OpenVPN Windows client, and then connect using the same config you're trying to use on your router:

https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.4-I601.exe

It appears you need to manually specify your DNS servers, either using NordVPN's DNS, Google DNS or OpenDNS. I had to do this with both Windows and LEDE to get a NordVPN OpenVPN instance running.

Go to Network - Interfaces - LAN - Edit - DHCP Server - Advanced Settings - DHCP-Options and add 6,8.8.8.8,8.8.4.4 in the LuCI GUI. Reboot and start your client instance.

https://s20.postimg.org/4i4zhwyh9/screenshot_14.png

I don't know how and I don't know why, but now it works correctly O_o. I didn't do anything different.

Something on the NordVPN end I think. As I said in one of my previous posts, I was seeing the same with any client using an ovpn configuration yesterday. Their packaged iOS and Windows clients worked fine. Ultimately, the work-around was to manually specify DNS servers in LEDE. Their "pushed" servers weren't resolving DNS through the tunnel.