OpenVPN on OpenWrt: TLS Error: reading acknowledgement record from packet

I am trying to connect my (windows and apple) remote client to my home router so that I can remotely access servers and devices behind my firewall.
I have installed all of the components on both the client and server, I think that my problem is in the configuration.
I know that the certificate files are correct on both the client and server because this had been working at one point (I had to reset the router so the config and firewall files got wiped out because they weren't in the backup file list and I didn't have a copy off-router).

Results from logread on the openvpn/openwrt router:

Mon May 20 09:41:00 2019 daemon.notice openvpn(my_server)[808]: 185.245.86.12:49181 TLS: Initial packet from [AF_INET]185.245.86.12:49181, sid=46ae2e0d c9eff9ce
Mon May 20 09:41:00 2019 daemon.err openvpn(my_server)[808]: 185.245.86.12:49181 TLS Error: reading acknowledgement record from packet
Mon May 20 09:41:01 2019 daemon.err openvpn(my_server)[808]: 185.245.86.12:49181 TLS Error: reading acknowledgement record from packet
Mon May 20 09:41:06 2019 daemon.err openvpn(my_server)[808]: 185.245.86.12:49181 TLS Error: reading acknowledgement record from packet
Mon May 20 09:41:07 2019 daemon.err openvpn(my_server)[808]: 185.245.86.12:56886 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon May 20 09:41:07 2019 daemon.err openvpn(my_server)[808]: 185.245.86.12:56886 TLS Error: TLS handshake failed
Mon May 20 09:41:07 2019 daemon.notice openvpn(my_server)[808]: 185.245.86.12:56886 SIGUSR1[soft,tls-error] received, client-instance restarting

Here is my /etc/config/openvpn:

config openvpn 'my_server'
        option enable '1'
        option port '1194'
        option proto 'udp'
        option dev 'tap0'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/my-server.crt'
        option key '/etc/openvpn/my-server.key'
        option dh '/etc/openvpn/dh2048.pem'
        option ifconfig_pool_persist '/tmp/ipp.txt'
        option keepalive '10 120'
        option 'comp_lzo' 'yes'
        option persist_key '1'
        option persist_tun '1'
        option status '/tmp/openvpn-status.log'
        option verb '3'
        option server_bridge '192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.219'
        list push 'redirect-gateway def1'
        list push 'dhcp-option DNS 192.168.1.1'
        option enabled '1'

Additional /etc/config/firewall settings:

config 'rule'
        option 'target' 'ACCEPT'
        option 'dest_port' '1194'
        option 'src' 'wan'
        option 'proto' 'tcpudp'
        option 'family' 'ipv4'

Additional /etc/config/dhcp settings:

config dhcp 'lan'
        option interface 'lan'
        option ignore '0'
        option start '50'
        option limit '150'

Client (Macbook) .opvn:

  client
  dev tun
  proto udp
  fast-io
  remote someplace-really-cool.com 1194
  nobind
  persist-key
  persist-tun
  verb 3
  key-direction 1
  cipher AES-128-CBC
  auth SHA256

<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4097 (0x1001)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=London, O=WWW Ltd.
        Validity
            Not Before: Jun 22 19:57:52 2018 GMT
            Not After : Jun 19 19:57:52 2028 GMT
        Subject: CN=my-client
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: 
                Digital Signature
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
  auth-nocache
  client
  dev tun
  proto udp
  fast-io
  remote someplace-really-cool.com 1194
  remote-cert-tls server
  nobind
  persist-key
  persist-tun
  verb 3
  key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4097 (0x1001)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=London, O=WWW Ltd.
        Validity
            Not Before: Jun 22 19:57:52 2018 GMT
            Not After : Jun 19 19:57:52 2028 GMT
        Subject: CN=my-client
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: 
                Digital Signature
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>

Your server config does not contain tls-auth.

Good catch. I have now added that. My /etc/config/openvpn file now looks like:

config openvpn 'my_server'
        option port '1194'
        option proto 'udp'
        option dev 'tap0'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/my-server.crt'
        option key '/etc/openvpn/my-server.key'
        option dh '/etc/openvpn/dh2048.pem'
        option tls_auth '/etc/openvpn/tls-auth.key'
        option ifconfig_pool_persist '/tmp/ipp.txt'
        option keepalive '10 120'
        option comp_lzo 'yes'
        option persist_key '1'
        option persist_tun '1'
        option status '/tmp/openvpn-status.log'
        option verb '3'
        option server_bridge '192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.219'
        list push 'redirect-gateway def1'
        list push 'dhcp-option DNS 192.168.1.1'
        option enabled '1'
  • I have restarted ovpn on the router (and even rebooted the router for good measure!) but still no joy.
  • I watched the logs on the router via logread -f and there was no activity during a connection attempt.
  • I confirmed the IP address and port the client is attempting to connect to are correct.
  • I am able to ping the router from the client (so I think the comment "check your network connectivity" is a red herring).
  • The crypto files are the same as when it was working - I have a backup of these files... (I even have another client laptop that I haven't changed - so it must be on the server side.)

My client log looks like this:

*Tunnelblick: macOS 10.14.4; Tunnelblick 3.7.8 (build 5180)
2019-05-21 08:50:24 *Tunnelblick: Attempting connection with home using shadow copy; Set nameserver = 769; monitoring connection
2019-05-21 08:50:24 *Tunnelblick: openvpnstart start home.tblk 63105 769 0 1 0 1065264 -ptADGNWradsgnw 2.4.6-openssl-1.0.2q
2019-05-21 08:50:24 *Tunnelblick: openvpnstart log:
     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):
     
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.6-openssl-1.0.2q/openvpn
          --daemon
          --log /Library/Application Support/Tunnelblick/Logs/-SUsers-Sjrt-SLibrary-SApplication Support-STunnelblick-SConfigurations-Shome.tblk-SContents-SResources-Sconfig.ovpn.769_0_1_0_1065264.63105.openvpn.log
          --cd /Library/Application Support/Tunnelblick/Users/jrt/home.tblk/Contents/Resources
          --setenv IV_GUI_VER "net.tunnelblick.tunnelblick 5180 3.7.8 (build 5180)"
          --verb 3
          --config /Library/Application Support/Tunnelblick/Users/jrt/home.tblk/Contents/Resources/config.ovpn
          --setenv TUNNELBLICK_CONFIG_FOLDER /Library/Application Support/Tunnelblick/Users/jrt/home.tblk/Contents/Resources
          --verb 3
          --cd /Library/Application Support/Tunnelblick/Users/jrt/home.tblk/Contents/Resources
          --management 127.0.0.1 63105 /Library/Application Support/Tunnelblick/ebmehjcbmnoibdempjjcnmcgdmfpkljgjhpnjhnb.mip
          --management-query-passwords
          --management-hold
          --script-security 2
          --up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
          --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw

2019-05-21 08:50:24 *Tunnelblick: openvpnstart starting OpenVPN
2019-05-21 08:50:24 *Tunnelblick: Established communication with OpenVPN
2019-05-21 08:50:24 >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
2019-05-21 08:50:24 OpenVPN 2.4.6 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Nov 29 2018
2019-05-21 08:50:24 library versions: OpenSSL 1.0.2q  20 Nov 2018, LZO 2.10
2019-05-21 08:50:24 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:63105
2019-05-21 08:50:24 Need hold release from management interface, waiting...
2019-05-21 08:50:24 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:63105
2019-05-21 08:50:24 MANAGEMENT: CMD 'pid'
2019-05-21 08:50:24 MANAGEMENT: CMD 'auth-retry interact'
2019-05-21 08:50:24 MANAGEMENT: CMD 'state on'
2019-05-21 08:50:24 MANAGEMENT: CMD 'state'
2019-05-21 08:50:24 MANAGEMENT: CMD 'bytecount 1'
2019-05-21 08:50:24 MANAGEMENT: CMD 'hold release'
2019-05-21 08:50:24 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2019-05-21 08:50:24 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2019-05-21 08:50:24 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2019-05-21 08:50:24 MANAGEMENT: >STATE:1558443024,RESOLVE,,,,,,
2019-05-21 08:50:24 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:1194
2019-05-21 08:50:24 Socket Buffers: R=[786896->786896] S=[9216->9216]
2019-05-21 08:50:24 UDP link local: (not bound)
2019-05-21 08:50:24 UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
2019-05-21 08:50:24 MANAGEMENT: >STATE:1558443024,WAIT,,,,,,
2019-05-21 08:51:24 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2019-05-21 08:51:24 TLS Error: TLS handshake failed
2019-05-21 08:51:24 SIGUSR1[soft,tls-error] received, process restarting
2019-05-21 08:51:24 MANAGEMENT: >STATE:1558443084,RECONNECTING,tls-error,,,,,
2019-05-21 08:51:24 MANAGEMENT: CMD 'hold release'
2019-05-21 08:51:24 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2019-05-21 08:51:24 MANAGEMENT: >STATE:1558443084,RESOLVE,,,,,,
2019-05-21 08:51:24 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:1194
2019-05-21 08:51:24 Socket Buffers: R=[786896->786896] S=[9216->9216]
2019-05-21 08:51:24 UDP link local: (not bound)
2019-05-21 08:51:24 UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
2019-05-21 08:51:24 MANAGEMENT: >STATE:1558443084,WAIT,,,,,,
2019-05-21 08:51:24 MANAGEMENT: CMD 'hold release'
2019-05-21 08:52:25 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2019-05-21 08:52:25 TLS Error: TLS handshake failed
2019-05-21 08:52:25 SIGUSR1[soft,tls-error] received, process restarting
2019-05-21 08:52:25 MANAGEMENT: >STATE:1558443145,RECONNECTING,tls-error,,,,,
2019-05-21 08:52:25 MANAGEMENT: CMD 'hold release'
2019-05-21 08:52:25 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2019-05-21 08:52:25 MANAGEMENT: >STATE:1558443145,RESOLVE,,,,,,
2019-05-21 08:52:25 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:1194
2019-05-21 08:52:25 Socket Buffers: R=[786896->786896] S=[9216->9216]
2019-05-21 08:52:25 UDP link local: (not bound)
2019-05-21 08:52:25 UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
2019-05-21 08:52:25 MANAGEMENT: >STATE:1558443145,WAIT,,,,,,
2019-05-21 08:52:25 MANAGEMENT: CMD 'hold release'
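
The two logs above, read side by side, are what a practitioner would triage first. The following added example (not code from this thread, from Tunnelblick or from OpenVPN) groups the router's logread lines by client endpoint and turns the message pattern into the next thing to compare. The regular expressions, function names and verdict wording are this example's own assumptions; the sample log lines are constructed from the excerpts posted in this thread.

```python
"""Triage an OpenVPN handshake failure from server (logread) and client log excerpts.

Added example: the regexes, function names and verdict strings are this example's own
assumptions, not OpenVPN or OpenWrt APIs. Sample log lines are constructed from the thread.
"""
import re
from collections import defaultdict

# Constructed sample: server-side logread lines for instance 'my_server'
SERVER_LOG = """\
Mon May 20 09:41:00 2019 daemon.notice openvpn(my_server)[808]: 185.245.86.12:49181 TLS: Initial packet from [AF_INET]185.245.86.12:49181, sid=46ae2e0d c9eff9ce
Mon May 20 09:41:00 2019 daemon.err openvpn(my_server)[808]: 185.245.86.12:49181 TLS Error: reading acknowledgement record from packet
Mon May 20 09:41:01 2019 daemon.err openvpn(my_server)[808]: 185.245.86.12:49181 TLS Error: reading acknowledgement record from packet
Mon May 20 09:41:06 2019 daemon.err openvpn(my_server)[808]: 185.245.86.12:49181 TLS Error: reading acknowledgement record from packet
Mon May 20 09:41:07 2019 daemon.err openvpn(my_server)[808]: 185.245.86.12:56886 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon May 20 09:41:07 2019 daemon.err openvpn(my_server)[808]: 185.245.86.12:56886 TLS Error: TLS handshake failed
Mon May 20 09:41:07 2019 daemon.notice openvpn(my_server)[808]: 185.245.86.12:56886 SIGUSR1[soft,tls-error] received, client-instance restarting
"""

# Constructed sample: an instance that refused to start because of an option conflict
STARTUP_LOG = ("Tue May 21 09:46:29 2019 daemon.err openvpn(my_server)[2115]: "
               "Options error: --server-bridge directive only makes sense with --dev tap\n")

# Constructed sample: the client (Tunnelblick) side of one failed attempt
CLIENT_LOG = """\
2019-05-21 08:50:24 UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
2019-05-21 08:51:24 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2019-05-21 08:51:24 TLS Error: TLS handshake failed
2019-05-21 08:51:24 SIGUSR1[soft,tls-error] received, process restarting
"""

# Per-peer message after the "openvpn(instance)[pid]:" prefix; peer is "ip:port"
PEER_RE = re.compile(r"openvpn\([^)]+\)\[\d+\]: (?P<peer>\d+(?:\.\d+){3}:\d+) (?P<msg>.*)")
# Startup/option errors carry no peer
OPTS_RE = re.compile(r"openvpn\([^)]+\)\[\d+\]: Options error: (?P<msg>.*)")


def triage_server(text):
    """Return ({peer: counters}, [option errors]) for a logread excerpt."""
    peers = defaultdict(lambda: {"initial": 0, "bad_ack": 0, "timeout": 0, "failed": 0})
    errors = []
    for line in text.splitlines():
        m = OPTS_RE.search(line)
        if m:
            errors.append(m.group("msg"))
            continue
        m = PEER_RE.search(line)
        if not m:
            continue
        counters, msg = peers[m.group("peer")], m.group("msg")
        if msg.startswith("TLS: Initial packet"):
            counters["initial"] += 1
        elif "reading acknowledgement record" in msg:
            counters["bad_ack"] += 1
        elif "failed to occur within" in msg:
            counters["timeout"] += 1
        elif "TLS handshake failed" in msg:
            counters["failed"] += 1
    return dict(peers), errors


def client_timed_out(text):
    """True if the client log shows the 60-second key negotiation timeout."""
    return "TLS key negotiation failed to occur within" in text


def verdict(peers, errors, client_waited):
    """Map the server-side evidence to the next thing to compare."""
    if errors:
        return "instance did not start: " + errors[0]
    if any(p["bad_ack"] for p in peers.values()):
        return ("server received control packets it could not parse: "
                "compare tls-auth presence and key-direction on both sides")
    if not peers and client_waited:
        return ("no client packets reached the instance: check the public address, "
                "the port/firewall rule and that the instance is running")
    if any(p["timeout"] or p["failed"] for p in peers.values()):
        return "handshake started but never completed: compare dev, proto and compression settings"
    return "no handshake failure seen"


if __name__ == "__main__":
    peers, errors = triage_server(SERVER_LOG)
    for peer, counters in peers.items():
        print(peer, counters)
    print(verdict(peers, errors, client_timed_out(CLIENT_LOG)))
    print(verdict(*triage_server(STARTUP_LOG), client_timed_out(CLIENT_LOG)))
```

Run as a script it prints the per-peer counters and a verdict for each sample; on the router you would feed it `logread | grep openvpn` output instead of the embedded lines. The distinction it draws is between a server that never logs anything for the attempt (traffic is not arriving), one that logs an initial packet but then cannot read the acknowledgement record (the two sides frame the control channel differently, as when tls-auth is configured on one side only), and one that refuses to start on an option conflict.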

There is a mess here.

  1. tap, tun - make it tun everywhere; comp_lzo - either enable it on both sides, or remove it on both sides;
  2. key-direction, cipher, auth are specified only on the client;
  3. I don't know where proto 'tcpudp' works; leave udp only.

So remove the extra parameters from both configs, and make sure it works. See the examples from the OpenVPN distribution.

  • tun, comp_lzo, and key_direction now on server:
    option dev 'tun'
    option comp_lzo 'yes'
    option key_direction '1'
  • and on the client:

dev tun
comp_lzo
key-direction 1

You mentioned that cipher was specified in the client, but I could not find it. It is calling for a type in the server and I don't know what to use:

    option cipher 'BF-CBC'

I did find the auth section in the client, but could not figure out what value to use on the server:

option auth 'SHA1'

When I changed from:

option proto 'udp'

to:

option dev 'tun'

or even:

option dev 'tun0'

openvpn fails to start, and I get this in logread:

Tue May 21 09:46:29 2019 daemon.err openvpn(my_server)[2115]: Options error: --server-bridge directive only makes sense with --dev tap

Believe me, I have been scouring the web to solve this on my own. It was only after days of frustration that I came in desperation to the boards (and I am very grateful for your help.)

I had issues with lzo.
May I suggest following the examples in the documentation, if you need bridging?
Otherwise, routing works fine for me.


I am not necessarily hung up on bridging, but it has been my understanding that I needed vpn bridging to be on the same network with devices behind my router (so I can access them as if I were at home.)
When I am behind the router, I can access all of my devices that are either on wired or wireless lans as if they were all on the same network (bridging the 5 & 2.4 GHz wlans and lan work fine in this case.)

I am trying to follow the directions you referenced for routing, but it is not clear how the /etc/config/openvpn file is updated. I ran the scripts, they created configuration files in /etc/openvpn, but they are not suitable for the /etc/config/openvpn file.

I believe you have this snippet in your /etc/config/openvpn file

#################################################
# Sample to include a custom config file.       #
#################################################

config openvpn custom_config

        # Set to 1 to enable this instance:
        option enabled 0

        # Include OpenVPN configuration
        option config /etc/openvpn/my-vpn.conf

Rename it to your needs.

I've told you, try the simple example from the OpenVPN distribution.
The log message tells you clearly that tun is incompatible with server-bridge.

From the official OpenVPN manual:
If you are using Ethernet bridging, you must use server-bridge and dev tap instead of server and dev tun.

Following client configuration works for me:

client
dev tun
proto tcp-client
remote XXX.XXX.XXX.XXX 1194
resolv-retry infinite
;float
nobind
persist-key
persist-tun
auth SHA1
cipher BF-CBC
comp-lzo adaptive
nice 0
verb 3
mute 10
;ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1

Server configuration file:

proto tcp-server
port 1194
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
client-config-dir ccd
push "route 192.168.2.0 255.255.255.0"
auth SHA1
cipher BF-CBC
comp-lzo adaptive
push "comp-lzo adaptive"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.2.1"
ca /etc/storage/openvpn/server/ca.crt
dh /etc/storage/openvpn/server/dh1024.pem
cert /etc/storage/openvpn/server/server.crt
key /etc/storage/openvpn/server/server.key
tls-auth /etc/storage/openvpn/server/ta.key 0
persist-key
persist-tun
user nobody
group nogroup
script-security 2

### User params:
max-clients 10
client-to-client
keepalive 10 60
nice 3
verb 0
mute 10
push "dhcp-option DNS 8.8.8.8"

1 is on your client, so it should be 0 on the server.
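
A cross-check for the mismatches listed earlier in the thread (dev tap/tun, comp_lzo, cipher and auth present on one side only) and for the key-direction rule just stated (1 on the client, 0 on the server), as an added example that is not code from this thread, from OpenVPN or from OpenWrt. It assumes OpenWrt maps UCI option names to OpenVPN directives by turning underscores into hyphens (as the thread's tls_auth/tls-auth and comp_lzo/comp-lzo pairs show); the function names and the sample configs are constructed here, with key material elided.

```python
"""Cross-check an OpenVPN server config against a client .ovpn for the mismatches
discussed in this thread: dev, comp-lzo, tls-auth/key-direction, cipher, auth, proto.
Added example with its own names (parse_openvpn, parse_uci, check_pair); the sample
configs are constructed from the thread with key material elided."""
import re
import shlex

UCI_SKIP = {"enable", "enabled"}           # OpenWrt instance switches, not OpenVPN directives
PROTO_PEER = {"tcp-client": "tcp-server"}  # client proto -> server proto it pairs with


def parse_openvpn(text):
    """Native OpenVPN syntax -> {directive: [args]}; <tag> blocks become tag: ['<inline>']."""
    opts, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                      # skip key material until the closing tag
            inline = None if line == f"</{inline}>" else inline
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            inline = m.group(1)
            opts[inline] = ["<inline>"]
            continue
        parts = shlex.split(line)
        opts[parts[0]] = parts[1:]
    return opts


def parse_uci(text):
    """OpenWrt /etc/config/openvpn section -> same shape (assumes option '_' -> directive '-')."""
    opts = {}
    for raw in text.splitlines():
        parts = shlex.split(raw)
        if len(parts) >= 3 and parts[0] in ("option", "list"):
            name = parts[1].replace("_", "-")
            if name not in UCI_SKIP:
                opts[name] = " ".join(parts[2:]).split()
    return opts


def key_direction(opts):
    """Effective tls-auth direction: explicit key-direction, else the DIR in 'tls-auth FILE DIR'."""
    if "key-direction" in opts:
        return opts["key-direction"][0]
    ta = opts.get("tls-auth", [])
    return ta[1] if len(ta) >= 2 else None


def check_pair(server, client):
    """Return a list of findings; an empty list means both sides agree."""
    findings = []
    sdev = server.get("dev", ["?"])[0].rstrip("0123456789")   # tap0 -> tap
    cdev = client.get("dev", ["?"])[0].rstrip("0123456789")
    if "server-bridge" in server and sdev != "tap":
        findings.append("server-bridge only makes sense with dev tap")
    if sdev != cdev:
        findings.append(f"dev type differs: server {sdev}, client {cdev}")
    if ("comp-lzo" in server) != ("comp-lzo" in client):
        findings.append("comp-lzo set on one side only")
    if ("tls-auth" in server) != ("tls-auth" in client):
        findings.append("tls-auth set on one side only")
    elif "tls-auth" in server:
        sd, cd = key_direction(server), key_direction(client)
        if (sd, cd) != ("0", "1"):
            findings.append(f"key-direction should be 0 on server, 1 on client (got {sd}, {cd})")
    for d in ("cipher", "auth"):            # both unset (defaults) or both the same value
        sv, cv = server.get(d), client.get(d)
        if (sv is None) != (cv is None):
            findings.append(f"{d} specified on one side only")
        elif sv and sv[0].upper() != cv[0].upper():
            findings.append(f"{d} mismatch: server {sv[0]}, client {cv[0]}")
    sp, cp = server.get("proto", ["udp"])[0], client.get("proto", ["udp"])[0]
    if PROTO_PEER.get(cp, cp) != sp:
        findings.append(f"proto mismatch: server {sp}, client {cp}")
    return findings


# Constructed samples: the thread's bridged server section (abridged, UCI form) with its
# client, and a routed pair in native syntax where everything agrees on both sides
SERVER_UCI = """\
config openvpn 'my_server'
        option proto 'udp'
        option dev 'tap0'
        option tls_auth '/etc/openvpn/tls-auth.key'
        option comp_lzo 'yes'
        option server_bridge '192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.219'
        option enabled '1'
"""
CLIENT_OVPN = """\
client
dev tun
proto udp
key-direction 1
<tls-auth>
</tls-auth>
"""
SERVER_FIXED = "proto tcp-server\ndev tun\nauth SHA1\ncipher BF-CBC\ncomp-lzo adaptive\ntls-auth ta.key 0\n"
CLIENT_FIXED = ("client\ndev tun\nproto tcp-client\nauth SHA1\ncipher BF-CBC\n"
                "comp-lzo adaptive\n<tls-auth>\n</tls-auth>\nkey-direction 1\n")

if __name__ == "__main__":
    print("bridged:", check_pair(parse_uci(SERVER_UCI), parse_openvpn(CLIENT_OVPN)))
    print("routed: ", check_pair(parse_openvpn(SERVER_FIXED), parse_openvpn(CLIENT_FIXED)))
```

For the bridged pair the check reports the dev mismatch, comp-lzo on one side only and the missing server key direction (0), which are the three points the replies above raised; for the routed pair it reports nothing. Feeding it the real files (`uci export openvpn` output for the server, the .ovpn for the client) is the quick way to confirm both sides agree before looking anywhere else.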

OK... got it working FINALLY

  • Removed all of the files in the Backup File List (LuCI -> System -> Backup/Flash Firmware -> Configuration); I think there were too many conflicts, as #ulmwind suggested.
  • Completely reset the router:
    1. Unplug router from cable modem
    2. Reboot router
    3. Press & hold WPS button when light starts to blink (other light should blink very fast)
    4. Set PC IP address to manual (192.168.1.2/255.255.255.0)
    5. connect PC to LAN port
    6. ssh root@192.168.1.1 -p22
    7. firstboot -y
    8. mtd -r erase rootfs_data (router reboots)
    9. rm -r /overlay/*
    10. reboot -f
  • Reinstalled from my backup (make sure you make a backup!!!)
  • Followed the instructions from here (as suggested by #trendy)
  • Note that I did comment out the following lines in /etc/config/firewall because it looked like there was some overlap:
 # config rule
 #       option name 'Allow-OpenVPN-Inbound'
 #       option target 'ACCEPT'
 #       option src '*'
 #       option proto 'tcpudp'
 #       option dest_port '1194'
  • I did have to modify /etc/config/openwrt as follows (as suggested by #trendy):
config openvpn 'home'
        option config '/etc/openvpn/vpnserver.conf'
        option enabled '1'

I also had to change /etc/openvpn/vpnclient.ovpn because the scripts had it pointing to the server's IP address rather than the host.domain name (because I am on a DHCP connection out of my house, I wanted to make sure I can access it when my ISP changes my IP address).

remote myhost.mydomain 1194 udp

To be honest, it was ridiculously easy (once I installed a completely fresh install on the router.)

Thanks to everyone who helped.

