OpenVPN client and TP-Link Archer C6U v1

Hi, everyone.

I'm experiencing a problem trying to set up the OpenVPN client to connect to my second, similar router (running the manufacturer firmware), where I have the OpenVPN server up and running.

Firmware version:
OpenWrt 22.03.5 r20134-5f15225c1e / LuCI openwrt-22.03 branch git-23.093.57104-ce20b4a

Installed packages:
openvpn-openssl 2.5.7-3
luci-app-openvpn git-23.093.42303-4b07c72

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'xxxx:89c8:ad27::/48'

# br-lan bridges the four switch ports; the lan interface below sits on it
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        # NOTE(review): a dns list on the static lan interface is unusual
        # (the reply below calls it out). 10.8.0.1 is presumably the VPN
        # server's tunnel address and is only reachable while tun0 is up;
        # the public resolvers are queried outside the tunnel — confirm that
        # is the intended DNS path.
        list dns '1.1.1.1'
        list dns '8.8.8.8'
        list dns '10.8.0.1'
        list dns '1.0.0.1'
        option delegate '0'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

# tun0 is created by OpenVPN itself (log: "TUN/TAP device tun0 opened");
# proto 'none' only makes it known to netifd so the firewall can place it
# in the 'vpn' zone.
# NOTE(review): the OpenVPN log shows only net_iface_mtu_set, net_iface_up
# and net_addr_ptp_v4_add for tun0 and no route being added, so nothing
# sends LAN traffic into the tunnel unless the server pushes
# redirect-gateway/route or a route is configured here — verify this first.
config interface 'vpn0'
        option proto 'none'
        option device 'tun0'
root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# wan: no unsolicited input, NAT for traffic leaving via wan
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# NOTE(review): the two rules below forward IPsec (ESP and UDP/500) from
# wan into lan. Nothing on this page uses IPsec; an OpenVPN *client* needs
# no inbound rule at all, so these appear to be leftovers — remove them
# unless an IPsec peer on the LAN is intended.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# vpn zone: holds tun0 (interface vpn0). masq is what lets LAN hosts leave
# through the tunnel with the tunnel address as source.
# NOTE(review): input 'ACCEPT' lets the far side of the tunnel (the server
# and, if the server allows client-to-client, other clients) reach this
# router's own services such as SSH and LuCI. 'REJECT', as on wan, is the
# conservative choice unless the router must be managed over the VPN.
config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'vpn0'

# lan -> vpn only; there is deliberately no vpn -> lan forwarding, so the
# remote side cannot initiate connections to LAN hosts.
config forwarding
        option src 'lan'
        option dest 'vpn'

OpenVPN log

root@OpenWrt:~# logread -e openvpn; netstat -l -n -p | grep -e openvpn
Sat Jun  3 18:05:52 2023 daemon.warn openvpn(Balticom)[2037]: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Sat Jun  3 18:05:52 2023 daemon.warn openvpn(Balticom)[2037]: DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
Sat Jun  3 18:05:52 2023 daemon.notice openvpn(Balticom)[2037]: OpenVPN 2.5.7 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Jun  3 18:05:52 2023 daemon.notice openvpn(Balticom)[2037]: library versions: OpenSSL 1.1.1t  7 Feb 2023, LZO 2.10
Sat Jun  3 18:05:52 2023 daemon.warn openvpn(Balticom)[2037]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Jun  3 18:05:53 2023 daemon.notice openvpn(Balticom)[2037]: TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1194
Sat Jun  3 18:05:53 2023 daemon.notice openvpn(Balticom)[2037]: UDP link local: (not bound)
Sat Jun  3 18:05:53 2023 daemon.notice openvpn(Balticom)[2037]: UDP link remote: [AF_INET]xx.xx.xx.xx:1194
Sat Jun  3 18:05:53 2023 daemon.notice openvpn(Balticom)[2037]: Network unreachable, restarting
Sat Jun  3 18:05:53 2023 daemon.notice openvpn(Balticom)[2037]: SIGUSR1[soft,network-unreachable] received, process restarting
Sat Jun  3 18:42:24 2023 daemon.warn openvpn(Balticom)[2037]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Jun  3 18:42:24 2023 daemon.notice openvpn(Balticom)[2037]: TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1194
Sat Jun  3 18:42:24 2023 daemon.notice openvpn(Balticom)[2037]: UDP link local: (not bound)
Sat Jun  3 18:42:24 2023 daemon.notice openvpn(Balticom)[2037]: UDP link remote: [AF_INET]xx.xx.xx.xx:1194
Sat Jun  3 18:42:24 2023 daemon.notice openvpn(Balticom)[2037]: [server] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
Sat Jun  3 18:42:25 2023 daemon.notice openvpn(Balticom)[2037]: TUN/TAP device tun0 opened
Sat Jun  3 18:42:25 2023 daemon.notice openvpn(Balticom)[2037]: net_iface_mtu_set: mtu 1500 for tun0
Sat Jun  3 18:42:25 2023 daemon.notice openvpn(Balticom)[2037]: net_iface_up: set tun0 up
Sat Jun  3 18:42:25 2023 daemon.notice openvpn(Balticom)[2037]: net_addr_ptp_v4_add: 10.8.0.10 peer 10.8.0.9 dev tun0
Sat Jun  3 18:42:25 2023 daemon.notice openvpn(Balticom)[2037]: /usr/libexec/openvpn-hotplug up Balticom tun0 1500 1553 10.8.0.10 10.8.0.9 init
Sat Jun  3 18:42:25 2023 daemon.notice openvpn(Balticom)[2037]: Initialization Sequence Completed
udp        0  84480 0.0.0.0:44364           0.0.0.0:*                           2037/openvpn

From my second router, I can see that the connection is established. Due to some tunneling or firewall rules, my LAN and Wi-Fi devices do not have an internet connection.

Also, after some time the OpenVPN connection is lost with this error:

Sat Jun  3 18:09:13 2023 daemon.notice openvpn(Balticom)[2037]: [server] Inactivity timeout (--ping-restart), restarting
Sat Jun  3 18:09:13 2023 daemon.notice openvpn(Balticom)[2037]: SIGUSR1[soft,ping-restart] received, process restarting
Sat Jun  3 18:09:18 2023 daemon.warn openvpn(Balticom)[2037]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Jun  3 18:09:18 2023 daemon.notice openvpn(Balticom)[2037]: TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1194
Sat Jun  3 18:09:18 2023 daemon.notice openvpn(Balticom)[2037]: UDP link local: (not bound)
Sat Jun  3 18:09:18 2023 daemon.notice openvpn(Balticom)[2037]: UDP link remote: [AF_INET]xx.xx.xx.xx:1194
Sat Jun  3 18:10:18 2023 daemon.err openvpn(Balticom)[2037]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jun  3 18:10:18 2023 daemon.err openvpn(Balticom)[2037]: TLS Error: TLS handshake failed
Sat Jun  3 18:10:18 2023 daemon.notice openvpn(Balticom)[2037]: SIGUSR1[soft,tls-error] received, process restarting
Sat Jun  3 18:10:23 2023 daemon.warn openvpn(Balticom)[2037]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Jun  3 18:10:23 2023 daemon.notice openvpn(Balticom)[2037]: TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1194
Sat Jun  3 18:10:23 2023 daemon.notice openvpn(Balticom)[2037]: UDP link local: (not bound)
Sat Jun  3 18:10:23 2023 daemon.notice openvpn(Balticom)[2037]: UDP link remote: [AF_INET]xx.xx.xx.xx:1194
Sat Jun  3 18:11:23 2023 daemon.err openvpn(Balticom)[2037]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jun  3 18:11:23 2023 daemon.err openvpn(Balticom)[2037]: TLS Error: TLS handshake failed
Sat Jun  3 18:11:23 2023 daemon.notice openvpn(Balticom)[2037]: SIGUSR1[soft,tls-error] received, process restarting

The OpenVPN config is loaded from a .ovpn file. The same config is used on an Android phone and on Windows with the OpenVPN client, without any issue there.

I've read all available guides on how to configure OpenWrt and the OpenVPN client, and watched and tried everything that can be found on YouTube.
I even tried older firmware versions, with the same issue. I was able to see the VPN connection from the other side (the OpenVPN server), but LAN and Wi-Fi devices do not have an internet connection.

Could someone perhaps share a ready OpenWrt build with all packages, where tunneling and the firewall are already set up, so that I only need to upload my .ovpn file? Please :slight_smile:

There is no more strength to fight this router. :melting_face: :face_with_spiral_eyes:

Here is an example of a pair of working OpenVPN configurations, first the server (a Raspberry Pi running Raspbian), then the client (a laptop running Windows). I know they're working; I tested them just before scribbling this reply. Feel free to adapt them for peer-to-peer scenarios.

For what it's worth, I much prefer WireGuard; it's so much easier to configure than OpenVPN, and it's faster in use as well.

Some of the directives might be obsolete, due both to changes in the OpenVPN code as each version is released and my inability to update anything in a timely manner.

Server:

# OpenVPN / Routed / TUN / UDP
# Server side of a routed (TUN) UDP tunnel on 1194. Clients are admitted
# by certificate only if they also have a file in client-config-dir, and
# are pushed a full-tunnel default route plus a DNS server.

# Listen only on this address
local                   192.168.xxx.xxx

# Protocol
dev-type                tun
dev                     tun_udp
proto                   udp
port                    1194
# subnet topology: all clients share one /24. (The OP's log shows a
# point-to-point pair 10.8.0.10 <-> 10.8.0.9 instead, i.e. that server
# is not using subnet topology.)
topology                subnet

# Routing
server                  192.168.yyy.yyy 255.255.255.0
ifconfig-pool-persist   /etc/openvpn/client/ipp.txt
# NOTE(review): "route 0.0.0.0 0.0.0.0" and "redirect-gateway def1" both
# send the client's default route into the tunnel; def1 alone is the usual
# form — confirm the explicit route is still needed.
push                    "route 0.0.0.0 0.0.0.0"
push                    "redirect-gateway def1 bypass-dhcp"
push                    "dhcp-option DNS 192.168.xxx.xxx"

# Client configs
# ccd-exclusive: a client without a file in client-config-dir is refused,
# so revoking access is a matter of removing that file.
ccd-exclusive
client-config-dir       /etc/openvpn/client
max-clients             10
# client-to-client: connected clients can reach each other via the server;
# omit this if clients should only see the server-side network.
client-to-client

# Encryption
ca                      /etc/openvpn/server/certs/CA_Chain.crt
cert                    /etc/openvpn/server/certs/Server.crt
key                     /etc/openvpn/server/certs/Server.pem
dh                      /etc/openvpn/server/certs/dh4096.pem
# tls-auth HMAC-signs control-channel packets, so unauthenticated UDP
# packets are dropped before any TLS work. key-direction 0 repeats the
# "0" already given on the tls-auth line.
tls-auth                /etc/openvpn/server/certs/ta.key 0
key-direction           0
# NOTE(review): OpenVPN 2.5+ negotiates the data-channel cipher from
# --data-ciphers and warns when --cipher is not in that list (the OP's log
# shows that warning). AES-256-GCM is in the 2.5 default list, so this still
# works; newer deployments should set data-ciphers explicitly.
cipher                  AES-256-GCM
auth                    SHA512
tls-server
tls-version-min         1.2
# Pins a single TLS 1.2 suite. An ECDSA server certificate cannot match this
# RSA suite, and TLS 1.3 suites are controlled by a separate directive.
tls-cipher              TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
# re-key the data channel every 30 min or 64 MB, whichever comes first
reneg-sec               1800
reneg-bytes             64000000
# require the client certificate to carry client EKU/keyUsage, and reject
# connections that present no certificate at all
remote-cert-tls         client
verify-client-cert      require

# Logging
# log-append            /tmp/openvpn-udp.log
status                  /tmp/openvpn-udp-status.log
mute                    5
# verb 6 is debug-level output; 3 or 4 is usual once things work
verb                    6

# Connection
keepalive               10 120
# NOTE(review): OpenVPN itself warns that compression has been used to
# break encryption (the OP's log shows that warning on the client side);
# leaving compress out entirely is the safer default on modern links.
compress                lz4-v2
push                    "compress lz4-v2"
script-security         1

# Connection reliability
# persist-key/persist-tun keep the key material and tun device across
# SIGUSR1 restarts; required once privileges are dropped below.
persist-key
persist-tun
explicit-exit-notify    1

# Permissions
# drop root after the tun device and keys are set up
user nobody
group nogroup

Client:

# OpenVPN / Routed / TUN / UDP
# Client side of the routed UDP tunnel above (Windows laptop). The
# encryption section mirrors the server's settings exactly, as it must.

# Client configuration file
client

# Protocol
dev				tun
proto			udp
topology		subnet
remote			xxx.xxx.xxx.xxx 1194
resolv-retry	infinite
nobind
# script-security 2 is only needed to run the up/down scripts, which are
# commented out below; 1 is sufficient as shown.
script-security	2
# up			/etc/openvpn/update-resolv-conf
# down			/etc/openvpn/update-resolv-conf
# Windows-specific: keeps DNS queries from leaking past the tunnel. Other
# platforms do not implement it — leave it out on an OpenWrt client.
block-outside-dns

# Encryption
ca					CA_Chain.crt
cert				Laptop.crt
key					Laptop.pem
# key-direction 1 repeats the "1" already given on the tls-auth line
tls-auth			ta.key 1
key-direction		1
cipher				AES-256-GCM
auth				SHA512
tls-client
tls-version-min		1.2
tls-cipher			TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
reneg-sec			1800
reneg-bytes			64000000
# require the server certificate to carry server EKU/keyUsage, so a leaked
# client certificate cannot be used to impersonate the server
remote-cert-tls		server
# NOTE(review): verify-client-cert is a server-side directive and has no
# meaning in client mode — confirm your OpenVPN version does not reject it.
verify-client-cert	require


# Authentication
# username/password in addition to the certificate; auth-nocache keeps the
# password out of memory after use
auth-user-pass
auth-nocache

# Connection
keepalive		10 120
# see the compression note on the server side
compress		lz4-v2

# Connection reliability
persist-key
persist-tun

# Permissions
# user nobody
# group nogroup

In addition, I note that your firewall configuration does not appear to permit 1194/udp inbound; is this intentional?

dns for lan looks VERY strange.