OpenVPN connected but no other device route through VPN

Hello all,

I have issues setting up a VPN with my Linksys WRT1900ACSv2 to route most of my LAN traffic through a VPN. The OpenVPN service connects successfully. Maybe some of you see the issue :frowning:

I am using dnscrypt, not sure if this might be an issue.

Thank you so much.

OpenVPN connection Log

Sun Mar 11 20:21:39 2018 daemon.warn openvpn(sample_client)[16066]: Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
Sun Mar 11 20:21:39 2018 daemon.warn openvpn(sample_client)[16066]: WARNING: Ignoring option 'dh' in tls-client mode, please only include this in your server configuration
Sun Mar 11 20:21:39 2018 daemon.notice openvpn(sample_client)[16066]: OpenVPN 2.4.4 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun Mar 11 20:21:39 2018 daemon.notice openvpn(sample_client)[16066]: library versions: OpenSSL 1.0.2n  7 Dec 2017, LZO 2.10
Sun Mar 11 20:21:39 2018 daemon.warn openvpn(sample_client)[16066]: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Sun Mar 11 20:21:39 2018 daemon.warn openvpn(sample_client)[16066]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Mar 11 20:21:39 2018 daemon.notice openvpn(sample_client)[16066]: Initializing OpenSSL support for engine 'dynamic'
Sun Mar 11 20:21:39 2018 daemon.warn openvpn(sample_client)[16066]: WARNING: Failed to stat CRL file, not (re)loading CRL.
Sun Mar 11 20:21:39 2018 daemon.notice openvpn(sample_client)[16066]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Mar 11 20:21:39 2018 daemon.notice openvpn(sample_client)[16066]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Mar 11 20:21:39 2018 daemon.notice openvpn(sample_client)[16066]: LZO compression initializing
Sun Mar 11 20:21:39 2018 daemon.notice openvpn(sample_client)[16066]: Control Channel MTU parms [ L:1622 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Sun Mar 11 20:21:39 2018 daemon.notice openvpn(sample_client)[16066]: Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Sun Mar 11 20:21:39 2018 daemon.notice openvpn(sample_client)[16066]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Sun Mar 11 20:21:39 2018 daemon.notice openvpn(sample_client)[16066]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Sun Mar 11 20:21:39 2018 daemon.notice openvpn(sample_client)[16066]: TCP/UDP: Preserving recently used remote address: [AF_INET]111.000.000.000:1194
Sun Mar 11 20:21:39 2018 daemon.notice openvpn(sample_client)[16066]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Sun Mar 11 20:21:39 2018 daemon.notice openvpn(sample_client)[16066]: UDP link local: (not bound)
Sun Mar 11 20:21:39 2018 daemon.notice openvpn(sample_client)[16066]: UDP link remote: [AF_INET]111.000.000.000:1194
Sun Mar 11 20:21:39 2018 daemon.notice openvpn(sample_client)[16066]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay

My firewall settings:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config zone
	option name 'PP'
	option output 'ACCEPT'
	option network 'tun0'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option dest 'PP'
	option src 'lan'

My OpenVPN Config:
 
config openvpn 'sample_client'
	option client '1'
	option proto 'udp'
	option nobind '1'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option compress 'lzo'
	option ca '/etc/luci-uploads/cbid.openvpn.sample_client.ca'
	option cert '/etc/luci-uploads/cbid.openvpn.sample_client.cert'
	option dev_type 'tun'
	option key '/etc/luci-uploads/cbid.openvpn.sample_client.key'
	option key_direction '1'
	option dh '/etc/easy-rsa/keys/dh1024.pem'
	option enabled '1'
	option tun_ipv6 '1'
	option port '1194'
	list remote 'someserveraddress.com'
	option persist_remote_ip '1'
	option resolv_retry '60'
	option mute_replay_warnings '1'
	option auth 'SHA512'
	option tls_auth '/etc/openvpn/tlsauth.key'
	option auth_user_pass '/etc/openvpn/userpass.txt'
	option route_delay '0'
	option redirect_gateway 'def1'
	option cipher 'AES-256-CBC'
	option tls_version_min '1.0'
	option tls_version_max '1.2'
	option tls_cipher 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA'
	option ns_cert_type 'server'
	option reneg_sec '3600'
	option crl_verify '/etc/easy-rsa/keys/crl.pem'
	option engine 'dynamic'
	option script_security '2'
	option verb '4'
	option tls_timeout '2'
	option tls_remote 'remote_x509_name'
	option remote_cert_tls 'client'
	option comp_lzo 'yes'
	option remote_random '1'
	option ping_restart '120'
	option ping '5'
	option inactive '604800'
	option key_method '2'
	option down '/usr/bin/ovpn-down'
	option tls_client '1'
	option route_gateway '192.168.1.1'
	option dev 'tun0'
	list push 'dhcp-option DNS 223.134.241.10'
	list push 'block-outside-dns'
	list push 'route 192.168.1.0 255.255.255.0'
	list push 'redirect-gateway def1'

What happens if you disable it?

Nothing. Just the same. Openvpn connects but none of my clients does... :frowning:

You might review the LEDE OpenVPN documentation and see if you've missed a step...

https://openwrt.org/docs/guide-user/services/vpn/openvpn/start

Thanks, I will try that again. I just added the OpenVPN connection log as well, but for me it looks okay... :-/

An OpenVPN client is not actually connected until the log shows "Initialization Sequence Completed" and the tun0 interface is up with an IP address provided by the server.
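
Two checks that make the point above mechanical, as an added example (not code from the thread, from OpenWrt or from OpenVPN; it assumes BusyBox sh/awk as on the router and a verb level high enough that packet opcodes appear in the log, as they do in the logs posted here): reduce the client log to one state word, and confirm the split default routes that `redirect-gateway def1` installs really point at the tun device.

```shell
#!/bin/sh
# Added example (not code from the thread or from OpenWrt/OpenVPN): reduce an
# OpenVPN client log to a single state word, and check the route table for the
# split default routes that "redirect-gateway def1" installs. Assumes BusyBox
# sh/awk as on OpenWrt and a verb level high enough to log packet opcodes.

# Read client log text on stdin, print one of:
#   completed  "Initialization Sequence Completed" seen: the tunnel is usable
#   reset      the peer accepted the TCP connection but closed it right after
#              our first packet (commonly a port/proto mismatch, or the first
#              packet being rejected, e.g. a tls-auth HMAC mismatch)
#   no-reply   we sent P_CONTROL_HARD_RESET_CLIENT_V2 and never saw the server's
#              P_CONTROL_HARD_RESET_SERVER_V2 (unreachable, or UDP dropped)
#   unknown    none of the markers above are present
ovpn_state() {
    awk '
        /Initialization Sequence Completed/ { done = 1 }
        /P_CONTROL_HARD_RESET_CLIENT_V2/    { sent = 1 }
        /P_CONTROL_HARD_RESET_SERVER_V2/    { reply = 1 }
        /Connection reset, restarting/      { reset = 1 }
        END {
            s = "unknown"
            if (sent && !reply) s = "no-reply"
            if (reset)          s = "reset"
            if (done)           s = "completed"
            print s
        }'
}

# Read "ip -4 route" output on stdin; print yes if both def1 halves go via $1.
# def1 adds 0.0.0.0/1 and 128.0.0.0/1 through the tun device, which win over
# the ISP default (/0) by prefix length without deleting it. If the client is
# "connected" but these are missing, LAN traffic still leaves via the WAN.
def1_via() {
    awk -v dev="$1" '
        $1 == "0.0.0.0/1"   && $0 ~ ("dev " dev "( |$)") { lo = 1 }
        $1 == "128.0.0.0/1" && $0 ~ ("dev " dev "( |$)") { hi = 1 }
        END { s = (lo && hi) ? "yes" : "no"; print s }'
}

# Constructed sample inputs (not captures from the thread; 192.0.2.0/24 is a
# documentation range). LOG_STALLED mirrors the shape of the posted UDP log.
LOG_STALLED='UDP link remote: [AF_INET]192.0.2.10:1194
UDP WRITE [14] to [AF_INET]192.0.2.10:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0'
LOG_RESET="$LOG_STALLED
Connection reset, restarting [0]
SIGUSR1[soft,connection-reset] received, process restarting"
LOG_OK="$LOG_STALLED
UDP READ [54] from [AF_INET]192.0.2.10:1194: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
TUN/TAP device tun0 opened
Initialization Sequence Completed"
ROUTES_VPN='default via 192.168.0.1 dev eth0
0.0.0.0/1 via 10.8.0.5 dev tun0
10.8.0.0/24 dev tun0 scope link
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.1.0/24 dev br-lan scope link'
ROUTES_NOVPN='default via 192.168.0.1 dev eth0
10.8.0.0/24 dev tun0 scope link
192.168.1.0/24 dev br-lan scope link'

# On a live router: logread -e openvpn | ovpn_state ; ip -4 route | def1_via tun0
printf 'LOG_STALLED: %s\n' "$(printf '%s\n' "$LOG_STALLED" | ovpn_state)"
printf 'LOG_RESET:   %s\n' "$(printf '%s\n' "$LOG_RESET" | ovpn_state)"
printf 'LOG_OK:      %s\n' "$(printf '%s\n' "$LOG_OK" | ovpn_state)"
printf 'def1 via tun0 (vpn routes):    %s\n' "$(printf '%s\n' "$ROUTES_VPN" | def1_via tun0)"
printf 'def1 via tun0 (no vpn routes): %s\n' "$(printf '%s\n' "$ROUTES_NOVPN" | def1_via tun0)"
```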

Good hint. I will check the openvpn settings again!

Just an FYI, you need to add to your VPN config option group 'nogroup'

Thank you for the hint. But it still does not work, output from the openvpn log (Port and Host are correct - UDP):

Mon Mar 12 18:41:01 2018 us=685467 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Mon Mar 12 18:41:01 2018 us=685528 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Mar 12 18:41:01 2018 us=685571 Re-using SSL/TLS context
Mon Mar 12 18:41:01 2018 us=685611 LZO compression initializing
Mon Mar 12 18:41:01 2018 us=685893 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Mon Mar 12 18:41:01 2018 us=717830 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 
Mon Mar 12 18:41:01 2018 us=717938 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Mon Mar 12 18:41:01 2018 us=717977 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Mon Mar 12 18:41:01 2018 us=718029 TCP/UDP: Preserving recently used remote address: [AF_INET]80.255.7.98:151
Mon Mar 12 18:41:01 2018 us=718076 Socket Buffers: R=[163840->163840] S=[163840->163840]
Mon Mar 12 18:41:01 2018 us=718151 UDP link local: (not bound)
Mon Mar 12 18:41:01 2018 us=718195 UDP link remote: [AF_INET]80.255.7.98:151
Mon Mar 12 18:41:01 2018 us=718358 UDP WRITE [14] to [AF_INET]80.255.7.98:151: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0

It wasn't about troubleshooting, but that it needs to be added, else it's a security risk.

  • The user 'nobody' / group 'nogroup' options specify that should the VPN ever be compromised, the highest privileges that can be used are those belonging to user: nobody and group: nogroup, else root permissions would be obtained.
    • It's far more preferable to also utilize a chroot for OpenVPN, which would prevent access to the root filesystem if a VPN is ever exploited, but most consumer routers lack the flash storage large enough to hold a chroot for OpenVPN (~11MB).

Please see Troubleshooting for your next post

  • Please Note: You posted your WAN IP in your log output above
    • Please post log output and code within code boxes, not quote boxes.

Okay, I tried again with:

Client:
client.ovpn
verb 7
proto tcp
Disconnect client, then reconnect

Log:

    Wed Mar 14 17:06:03 2018 us=588303 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
    Wed Mar 14 17:06:03 2018 us=588386 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Wed Mar 14 17:06:03 2018 us=588430 Re-using SSL/TLS context
    Wed Mar 14 17:06:03 2018 us=588474 LZO compression initializing
    Wed Mar 14 17:06:03 2018 us=588767 Control Channel MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
    Wed Mar 14 17:06:03 2018 us=588856 TCP/UDP: Preserving recently used remote address: [AF_INET]80.255.7.98:1142
    Wed Mar 14 17:06:03 2018 us=588904 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
    Wed Mar 14 17:06:03 2018 us=588953 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
    Wed Mar 14 17:06:03 2018 us=588988 calc_options_string_link_mtu: link-mtu 1624 -> 1604
    Wed Mar 14 17:06:03 2018 us=589045 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
    Wed Mar 14 17:06:03 2018 us=589085 calc_options_string_link_mtu: link-mtu 1624 -> 1604
    Wed Mar 14 17:06:03 2018 us=589136 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
    Wed Mar 14 17:06:03 2018 us=589172 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
    Wed Mar 14 17:06:03 2018 us=589220 TCP/UDP: Preserving recently used remote address: [AF_INET]80.255.7.98:1142
    Wed Mar 14 17:06:03 2018 us=589275 Socket Buffers: R=[87380->87380] S=[16384->16384]
    Wed Mar 14 17:06:03 2018 us=589318 Attempting to establish TCP connection with [AF_INET]80.255.7.98:1142 [nonblock]
    Wed Mar 14 17:06:04 2018 us=589497 TCP connection established with [AF_INET]80.255.7.98:1142
    Wed Mar 14 17:06:04 2018 us=589568 TCP_CLIENT link local: (not bound)
    Wed Mar 14 17:06:04 2018 us=589614 TCP_CLIENT link remote: [AF_INET]80.255.7.98:1142
    Wed Mar 14 17:06:04 2018 us=589763 TCP_CLIENT WRITE [14] to [AF_INET]80.255.7.98:1142: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
    Wed Mar 14 17:06:04 2018 us=624997 Connection reset, restarting [0]
    Wed Mar 14 17:06:04 2018 us=625119 TCP/UDP: Closing socket
    Wed Mar 14 17:06:04 2018 us=625201 SIGUSR1[soft,connection-reset] received, process restarting
    Wed Mar 14 17:06:04 2018 us=625256 Restart pause, 5 second(s)
    Wed Mar 14 17:06:09 2018 us=625360 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
    Wed Mar 14 17:06:09 2018 us=625445 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Wed Mar 14 17:06:09 2018 us=625489 Re-using SSL/TLS context
    Wed Mar 14 17:06:09 2018 us=625533 LZO compression initializing
    Wed Mar 14 17:06:09 2018 us=625832 Control Channel MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
    Wed Mar 14 17:06:09 2018 us=625924 TCP/UDP: Preserving recently used remote address: [AF_INET]80.255.7.98:1142
    Wed Mar 14 17:06:09 2018 us=625973 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
    Wed Mar 14 17:06:09 2018 us=626022 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
    Wed Mar 14 17:06:09 2018 us=626057 calc_options_string_link_mtu: link-mtu 1624 -> 1604
    Wed Mar 14 17:06:09 2018 us=626114 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
    Wed Mar 14 17:06:09 2018 us=626148 calc_options_string_link_mtu: link-mtu 1624 -> 1604
    Wed Mar 14 17:06:09 2018 us=626197 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
    Wed Mar 14 17:06:09 2018 us=626232 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
    Wed Mar 14 17:06:09 2018 us=626280 TCP/UDP: Preserving recently used remote address: [AF_INET]80.255.7.98:1142
    Wed Mar 14 17:06:09 2018 us=626334 Socket Buffers: R=[87380->87380] S=[16384->16384]
    Wed Mar 14 17:06:09 2018 us=626377 Attempting to establish TCP connection with [AF_INET]80.255.7.98:1142 [nonblock]
    Wed Mar 14 17:06:10 2018 us=626550 TCP connection established with [AF_INET]80.255.7.98:1142
    Wed Mar 14 17:06:10 2018 us=626614 TCP_CLIENT link local: (not bound)
    Wed Mar 14 17:06:10 2018 us=626658 TCP_CLIENT link remote: [AF_INET]80.255.7.98:1142
    Wed Mar 14 17:06:10 2018 us=626821 TCP_CLIENT WRITE [14] to [AF_INET]80.255.7.98:1142: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
    Wed Mar 14 17:06:10 2018 us=663103 Connection reset, restarting [0]
    Wed Mar 14 17:06:10 2018 us=663221 TCP/UDP: Closing socket
    Wed Mar 14 17:06:10 2018 us=663304 SIGUSR1[soft,connection-reset] received, process restarting
    Wed Mar 14 17:06:10 2018 us=663359 Restart pause, 5 second(s)
    Wed Mar 14 17:06:15 2018 us=663459 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
    Wed Mar 14 17:06:15 2018 us=663542 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Wed Mar 14 17:06:15 2018 us=663586 Re-using SSL/TLS context
    Wed Mar 14 17:06:15 2018 us=663626 LZO compression initializing
    Wed Mar 14 17:06:15 2018 us=663905 Control Channel MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
    Wed Mar 14 17:06:15 2018 us=663991 TCP/UDP: Preserving recently used remote address: [AF_INET]80.255.7.98:1142
    Wed Mar 14 17:06:15 2018 us=664039 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
    Wed Mar 14 17:06:15 2018 us=664087 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
    Wed Mar 14 17:06:15 2018 us=664122 calc_options_string_link_mtu: link-mtu 1624 -> 1604
    Wed Mar 14 17:06:15 2018 us=664178 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
    Wed Mar 14 17:06:15 2018 us=664213 calc_options_string_link_mtu: link-mtu 1624 -> 1604
    Wed Mar 14 17:06:15 2018 us=664262 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
    Wed Mar 14 17:06:15 2018 us=664296 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
    Wed Mar 14 17:06:15 2018 us=664344 TCP/UDP: Preserving recently used remote address: [AF_INET]80.255.7.98:1142
    Wed Mar 14 17:06:15 2018 us=664396 Socket Buffers: R=[87380->87380] S=[16384->16384]
    Wed Mar 14 17:06:15 2018 us=664438 Attempting to establish TCP connection with [AF_INET]80.255.7.98:1142 [nonblock]
    Wed Mar 14 17:06:16 2018 us=664607 TCP connection established with [AF_INET]80.255.7.98:1142
    Wed Mar 14 17:06:16 2018 us=664673 TCP_CLIENT link local: (not bound)
    Wed Mar 14 17:06:16 2018 us=664719 TCP_CLIENT link remote: [AF_INET]80.255.7.98:1142
    Wed Mar 14 17:06:16 2018 us=664861 TCP_CLIENT WRITE [14] to [AF_INET]80.255.7.98:1142: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
    Wed Mar 14 17:06:16 2018 us=712816 Connection reset, restarting [0]
    Wed Mar 14 17:06:16 2018 us=712935 TCP/UDP: Closing socket
    Wed Mar 14 17:06:16 2018 us=713015 SIGUSR1[soft,connection-reset] received, process restarting
    Wed Mar 14 17:06:16 2018 us=713070 Restart pause, 5 second(s)
    Wed Mar 14 17:06:21 2018 us=713171 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
    Wed Mar 14 17:06:21 2018 us=713256 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Wed Mar 14 17:06:21 2018 us=713298 Re-using SSL/TLS context
    Wed Mar 14 17:06:21 2018 us=713338 LZO compression initializing
    Wed Mar 14 17:06:21 2018 us=713627 Control Channel MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
    Wed Mar 14 17:06:21 2018 us=713716 TCP/UDP: Preserving recently used remote address: [AF_INET]80.255.7.98:1142
    Wed Mar 14 17:06:21 2018 us=713763 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
    Wed Mar 14 17:06:21 2018 us=713812 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
    Wed Mar 14 17:06:21 2018 us=713848 calc_options_string_link_mtu: link-mtu 1624 -> 1604
    Wed Mar 14 17:06:21 2018 us=713904 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
    Wed Mar 14 17:06:21 2018 us=713938 calc_options_string_link_mtu: link-mtu 1624 -> 1604
    Wed Mar 14 17:06:21 2018 us=713987 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
    Wed Mar 14 17:06:21 2018 us=714021 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
    Wed Mar 14 17:06:21 2018 us=714068 TCP/UDP: Preserving recently used remote address: [AF_INET]80.255.7.98:1142
    Wed Mar 14 17:06:21 2018 us=714128 Socket Buffers: R=[87380->87380] S=[16384->16384]
    Wed Mar 14 17:06:21 2018 us=714173 Attempting to establish TCP connection with [AF_INET]80.255.7.98:1142 [nonblock]
    Wed Mar 14 17:06:22 2018 us=714340 TCP connection established with [AF_INET]80.255.7.98:1142
    Wed Mar 14 17:06:22 2018 us=714406 TCP_CLIENT link local: (not bound)
    Wed Mar 14 17:06:22 2018 us=714451 TCP_CLIENT link remote: [AF_INET]80.255.7.98:1142
    Wed Mar 14 17:06:22 2018 us=714594 TCP_CLIENT WRITE [14] to [AF_INET]80.255.7.98:1142: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
    Wed Mar 14 17:06:22 2018 us=751098 Connection reset, restarting [0]
    Wed Mar 14 17:06:22 2018 us=751220 TCP/UDP: Closing socket
    Wed Mar 14 17:06:22 2018 us=751301 SIGUSR1[soft,connection-reset] received, process restarting
    Wed Mar 14 17:06:22 2018 us=751357 Restart pause, 10 second(s)
    root@swrt:/etc/init.d#

Something wrong with my firewall settings? Also please note that I'm using DS-Lite (IPv4 via AFTR gateway - no public IPv4 for my client).

Firewall settings:

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'tun0 wan wan6'

config zone
	option name 'PP'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	option network ' '
	option proto 'tcp udp'

config forwarding
	option dest 'wan'
	option src 'lan'

Please go back and follow all steps requested of you...

Sorry, you mean all steps under https://openwrt.org/docs/guide-user/services/vpn/openvpn/server.setup#troubleshooting?

Or anything else I forgot? Maybe I should start from the beginning :frowning:

I did the following too:

OpenWrt:
/etc/config/openvpn
verb 5
proto tcp
/etc/config/firewall:
Change OpenVPN rules to proto 'tcp udp'
cd /etc/init.d && ./firewall reload && ./openvpn restart

Actually, that may be the best way to go.

That's step 1.... perhaps read further down...

  • There's a reason those troubleshooting steps were added to multiple OpenVPN wikis, as it's the information required to troubleshoot, and I was sick of repeating myself in thread after thread

I did a reset to default and started again, but I'm having the same issue.

Wed Mar 14 19:50:47 2018 us=928135 Restart pause, 5 second(s)
Wed Mar 14 19:50:52 2018 us=928238 Re-using SSL/TLS context
Wed Mar 14 19:50:52 2018 us=928304 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 28 bytes
Wed Mar 14 19:50:52 2018 us=928344 LZO compression initializing
Wed Mar 14 19:50:52 2018 us=928518 Control Channel MTU parms [ L:1624 D:1182 EF:68 EB:0 ET:0 EL:3 ]
Wed Mar 14 19:50:52 2018 us=928938 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Wed Mar 14 19:50:52 2018 us=929004 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 56 bytes
Wed Mar 14 19:50:52 2018 us=929040 calc_options_string_link_mtu: link-mtu 1624 -> 1560
Wed Mar 14 19:50:52 2018 us=929096 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 56 bytes
Wed Mar 14 19:50:52 2018 us=929129 calc_options_string_link_mtu: link-mtu 1624 -> 1560
Wed Mar 14 19:50:52 2018 us=929176 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Wed Mar 14 19:50:52 2018 us=929208 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Wed Mar 14 19:50:52 2018 us=929256 TCP/UDP: Preserving recently used remote address: [AF_INET]217.114.218.18:300
Wed Mar 14 19:50:52 2018 us=929303 Socket Buffers: R=[87380->87380] S=[16384->16384]
Wed Mar 14 19:50:52 2018 us=929344 Attempting to establish TCP connection with [AF_INET]217.114.218.18:300 [nonblock]
Wed Mar 14 19:50:53 2018 us=929507 TCP connection established with [AF_INET]217.114.218.18:300
Wed Mar 14 19:50:53 2018 us=929571 TCP_CLIENT link local: (not bound)
Wed Mar 14 19:50:53 2018 us=929616 TCP_CLIENT link remote: [AF_INET]217.114.218.18:300
Wed Mar 14 19:50:53 2018 us=929717 TCP_CLIENT WRITE [42] to [AF_INET]217.114.218.18:300: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
Wed Mar 14 19:50:53 2018 us=960700 Connection reset, restarting [0]
Wed Mar 14 19:50:53 2018 us=960826 TCP/UDP: Closing socket
Wed Mar 14 19:50:53 2018 us=960916 SIGUSR1[soft,connection-reset] received, process restarting
Wed Mar 14 19:50:53 2018 us=960971 Restart pause, 10 second(s)

Still trying every possible configuration and every hint Google is throwing at me... :smiley:
Thanks again for your help guys, really appreciate it, sorry that I am not able to solve it by myself yet...

Do I need to use the OpenVPN option "local" to bind an IP? I saw someone suggesting this because of the link local error and the SIGUSR1[soft,connection-reset]

Best of luck =]

Okay, I got it working.

The missing part was to set a custom DNS under the WAN interfaces. See https://helpdesk.privateinternetaccess.com/hc/article_attachments/115018123386/02_InterfacesWANAdvanced.png

The PIA documentation is good, I just had to add some more settings for perfect privacy :slight_smile: https://helpdesk.privateinternetaccess.com/hc/en-us/articles/115005760646-Setting-up-a-Router-running-LEDE-Firmware

Thanks again for all your help and time. Sorry about that!