I've been trying to set up OpenVPN in client mode on my EA4500 router. When I first tried it a couple of weeks ago I couldn't make it work and gave up. Today I took the opportunity of upgrading to the latest release candidate 21.02.0-rc4 to reset the router to factory defaults and then set up the OpenVPN client on a "clean" router.
After the factory reset I configured the Wi-Fi radios (SSIDs and security) and installed the packages "openvpn-openssl" and "luci-app-openvpn".
Then I followed the procedure for configuring the OpenVPN client. I actually tried procedures from three different places (including the one on openwrt.org), but can't get it to work properly with any of them.
I am using a *.ovpn file that I exported from my VPN server router to configure the client.
The OpenVPN client itself appears to connect fine and I can ping the home router and the devices in my home network, as well as ping websites on the Internet through the VPN connection, like "ping www.speedtest.net".
However, I am unable to open the configuration web pages of the devices in my home network (e.g. router, Wi-Fi power switches), and about 2 out of 3 websites on the Internet will not open either (for example, wikipedia.org, google.com and youtube.com work very well, while many others, including speedtest.net and openwrt.org, won't open at all). The situation is similar on my smartphone, where a few apps work fine (e.g. Google Maps, YouTube), while many others appear to be unable to connect to the Internet.
What could be causing these problems?
Does anyone have a setup procedure that is proven to be working if it's just followed step by step?
I understand the solution is "Remove compression and mssfix for a start.", however there is no mention of how this is to be implemented.
The router the OpenVPN server is running on is a TP-Link with stock firmware that is very likely based on OpenWrt.
Below is the content of the 'openvpn' configuration file of the EA4500 that runs the client, and also the settings section from within the *.ovpn config file.
I previously tried to replace "comp-lzo adaptive" with "comp-lzo no", but at the time it didn't appear to make any difference.
Do I maybe need to put something other than "no" there?
Where and how do I set "mssfix" to none?
/etc/config/openvpn of the EA4500 (client)
config openvpn 'custom_config'
	option config '/etc/openvpn/my-vpn.conf'

config openvpn 'sample_server'
	option port '1194'
	option proto 'udp'
	option dev 'tun'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option dh '/etc/openvpn/dh2048.pem'
	option server '10.8.0.0 255.255.255.0'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option keepalive '10 120'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option status '/tmp/openvpn-status.log'
	option verb '3'

config openvpn 'sample_client'
	option client '1'
	option dev 'tun'
	option proto 'udp'
	list remote 'my_server_1 1194'
	option resolv_retry 'infinite'
	option nobind '1'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/client.crt'
	option key '/etc/openvpn/client.key'
	option verb '3'

config openvpn 'OPENVPN_1'
	option config '/etc/openvpn/OPENVPN_1.ovpn'
	option enabled '1'
OPENVPN_1.ovpn settings section
client
dev tun
proto udp
float
nobind
cipher AES-128-CBC
comp-lzo adaptive
resolv-retry infinite
remote-cert-tls server
persist-key
persist-tun
remote 192.168.6.50 1194
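The post above asks where the compression and mssfix directives go in the client profile. The following is an added example (not code from the thread or from the OpenVPN project) that rewrites an .ovpn profile on OpenWrt's busybox shell: it drops every compression directive outright rather than setting it to "no", because OpenVPN's compression is both the cause of the TUN/TAP EINVAL seen later in the thread when the two ends disagree, and the vector for the VORACLE attack, for which the OpenVPN project deprecated it. It then appends one explicit mssfix value. The value 1400 is an assumed starting point, not a measured path MTU, and mssfix 0 is what disables the clamp entirely. The sample profile embedded in the script is the one posted above.

```shell
#!/bin/sh
# Added example, not from the thread: sanitize an OpenVPN client profile.
# Assumes busybox sh/awk as found on OpenWrt; works with GNU tools too.

# sanitize_ovpn [mss]   (profile on stdin, sanitized profile on stdout)
# Removes comp-lzo / compress / comp-noadapt and any existing mssfix line,
# then appends a single "mssfix <mss>" (default 1400, an assumed value;
# "mssfix 0" disables MSS clamping altogether).
sanitize_ovpn() {
    mss="${1:-1400}"
    awk -v mss="$mss" '
        # compression directives: drop them (the server must match)
        /^[[:space:]]*(comp-lzo|compress|comp-noadapt)([[:space:]]|$)/ { next }
        # drop any existing mssfix so the appended one is authoritative
        /^[[:space:]]*mssfix([[:space:]]|$)/ { next }
        { print }
        END { print "mssfix " mss }
    '
}

# has_compression   (profile on stdin) -> exit 0 if any compression
# directive is present, 1 otherwise. Use it to audit profiles before use.
has_compression() {
    grep -q -E '^[[:space:]]*(comp-lzo|compress|comp-noadapt)([[:space:]]|$)'
}

# Constructed sample input: the client profile posted in the thread.
SAMPLE_OVPN='client
dev tun
proto udp
float
nobind
cipher AES-128-CBC
comp-lzo adaptive
resolv-retry infinite
remote-cert-tls server
persist-key
persist-tun
remote 192.168.6.50 1194'

# Stand-alone run: show the sanitized profile.
if [ "${0##*/}" != "sh" ]; then
    printf '%s\n' "$SAMPLE_OVPN" | sanitize_ovpn 1400
fi
```

On the router this would be `sanitize_ovpn 1400 < /etc/openvpn/OPENVPN_1.ovpn > /etc/openvpn/OPENVPN_1.new` followed by a restart of the openvpn service. The caveat this thread illustrates: if the server still runs with `comp-lzo yes` it keeps sending LZO-framed packets, and a client that no longer expects them writes garbage to the TUN device, which is exactly the "write to TUN/TAP : Invalid argument (code=22)" error reported further down. Compression has to go on both ends.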
After I comment out that line on the OpenVPN client (or delete the whole line completely) and then restart openvpn I can't open any websites at all and also can't ping any server or device through the VPN. Furthermore, in OpenWrt's System Log I see the line "daemon.err openvpn(OPENVPN_1)[4242]: write to TUN/TAP : Invalid argument (code=22)" being added every 10 seconds.
If I reactivate the comp-lzo line and restart openvpn, then it works again as described in my original post and that error doesn't get added to the System Log every 10 seconds.
By the way, I believe the TP-Link router that acts as the VPN Server is running a variant of OpenVPN 2.3.
I wish I could, but this is not possible.
The OpenVPN server is running on an Archer AX50 router. Its configuration GUI only allows modifying a few basic options (protocol udp or tcp, port number, access local or internet). There is no newer firmware available from TP-Link, and neither is there a third-party firmware I could flash.
Disable/remove compression for both client and server and try to play with MTU/MSS.
I'm afraid that upgrading to OpenVPN 2.5 involves some compatibility breaking changes.
Perhaps it would be best to keep the VPN versions in sync and reconsider your upgrade strategy.
Can you see server logs? Does the server allow TAP? Why are you needing TAP? TAP should only be used for single endpoints (road warriors) not site to site.
Ok, thanks, I understand. I didn't know that openvpn-openssl version 2.5 wouldn't be able to cope with an older OpenVPN server version. I have always nicely connected to that AX50 router's OpenVPN server using various versions of the OpenVPN Connect Windows client software and Android app from openvpn.net, including the very latest versions of them.
In the end, disabling LZO compression on the VPN server router is the solution to the problem and the sole change that was required in this case (I edited the option "comp_lzo yes" in /etc/config/openvpn to "comp_lzo no").
Nothing else needed to be modified on either side.
However, this modification was only possible after installing an unofficial and unreleased test version of the stock firmware that differs from the release firmware in that it allows getting to the command line of the router's Linux system.
So, anyone whose OpenVPN server runs on a device with stock firmware that has been locked down by the manufacturer or anyone who doesn't own the equipment that is running the OpenVPN server and thus can't modify the compression setting would be pretty much out of luck here.
Besides, most of those users likely do not know which version of OpenVPN that equipment is running, because such information is normally nowhere to be found in the documentation of retail products. Hence, if told to keep their version of the OpenWrt OpenVPN client "in sync" with that of the OpenVPN server, then they might end up clueless.