VPN Cipher Error - can't find option it suggests

Hi, I've currently got the error:

daemon.warn openvpn(ExpressVPN)[28599]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Tue Nov 15 19:49:56 2022 daemon.err openvpn(ExpressVPN)[28599]: Cannot pre-load keyfile (/etc/openvpn/tlsauth.key)

I can't for the life of me find the option --data-ciphers; I can only find the option Ciphers.

I'm using the latest OpenWrt.

Also, because of this, is that why it cannot load the tlsauth.key?

Thanks for any help here.

Successfully set up a connection to ExpressVPN; the only problem I have now is how to route all my traffic through the VPN.

The VPN is alive, though all my traffic still goes through its normal route, not the VPN. Have I missed something? Do I need to create a relayd bridge?

Cheers for any help.

Just comment out the forwarding rule lan->wan in the firewall configuration file.

My current firewall settings; is there something wrong here?

It is a very strange configuration; where have you found it?

I followed: https://www.my-private-network.co.uk/kbhome/openwrt-lede-openvpn-setup/

Then I extracted the correct settings from the ovpn file from ExpressVPN to match the correct variables, which are different from the tutorial's; the connection was then successful, after creating separate ca.crt, key and cert files from the ovpn.

So I've got the connection; I just need to divert all traffic through the VPN interface.

I've also got other connections to my OpenWrt router which routes to other OpenWrt repeaters; that part is sound. I just need all of br-lan to go through tun0.

OK, your manual is shit with pictures, sorry; I can only help with text file configuration.

The simple question is:

I need a rule to forward all traffic, instead of going through its normal VDSL route, through the created VPN tunnel.

Do I just bridge br-lan through the VPN? If so, using relayd, what would be the rule I need?

See the /etc/config/firewall file, and search for 'forwarding'.

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'

Here is the 'default' forwarding. You should comment it out to prevent forwarding lan->wan. You should add forwarding lan->vpn.

I'll give it a try, that sounds plausible.

You should also create a zone for the tun interface.
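A worked version of the change the two replies above describe (comment out lan->wan forwarding, add a zone for the tunnel interface, forward lan into it), written as an added example in the same /etc/config/firewall syntax as the configuration posted earlier. It is not from the thread or from OpenWrt's own documentation. It assumes the OpenVPN interface is tun0, as named earlier in the thread, and that the new zone is called 'vpn'; the zone name is a free choice.

```uci
# Added example (not from the thread): /etc/config/firewall changes that
# send all LAN traffic out through the OpenVPN tunnel instead of the WAN.

# 1. The default lan -> wan forwarding is commented out, so LAN clients can
#    no longer reach the Internet directly over the WAN zone.
#config forwarding
#        option src 'lan'
#        option dest 'wan'

# 2. A zone for the tunnel interface (assumption: the OpenVPN device is
#    tun0). 'masq' NATs LAN addresses to the tunnel address so replies come
#    back through the tunnel; 'mtu_fix' clamps the TCP MSS so OpenVPN's
#    extra per-packet overhead does not break large transfers.
config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'tun0'

# 3. Forwarding from lan into the tunnel zone replaces the commented-out
#    lan -> wan forwarding.
config forwarding
        option src 'lan'
        option dest 'vpn'
```

After saving, `/etc/init.d/firewall restart` applies the new rules. Because the lan->wan forwarding is gone, LAN clients lose Internet access whenever the tunnel is down, which is the fail-closed behaviour you usually want from a VPN router rather than silently leaking traffic over the plain WAN. Note that the firewall only permits the traffic; whether packets are sent to tun0 at all is decided by the routing table, which is the point raised later in the thread.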

Make sure that OpenVPN has modified the routing table (System-->Routes, in the middle of the page). It should have installed two routes to 0.0.0.0 and 128.0.0.0 which effectively direct any request for the Internet (except one) through the VPN tunnel.
The one exception is that a connection to the VPN server itself must go through the regular WAN. OpenVPN should have installed a /32 route for it. This is how encrypted packets for every other site start their journey.

Remember that the firewall rules control what traffic will be allowed, but it is the routing table that dictates how the kernel attempts to send the packets in the first place.


I'm running ver. 22.03; do you mean Status > Routing or Network > Routing?

Current Firewall Rules:

Current IPv4 Routes

VPN is connected; I'm missing something, probably so simple it's right in front of my eyes.

I did think of bridging (LAN > ExpressVPN) using relayd and then to > WAN, though wouldn't that still use my normal IP?