VPN Issues: Asus RT-AC87U

Posted: Fri Sep 07, 2018 8:23 pm
by hyayli
Hi folks,

I'm trying to connect to the VPN using my router (It's an Asus RT-87U).
I downloaded the profile from ovpn.sonic.net and uploaded.
Here's what I see in my logs. Any idea what's wrong?

Sep  7 19:57:58 vpnclient5[2765]: OpenVPN 2.3.2 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Jun 22 2018
Sep  7 19:57:58 vpnclient5[2765]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep  7 19:57:58 vpnclient5[2765]: Control Channel Authentication: using 'static.key' as a OpenVPN static key file
Sep  7 19:57:58 vpnclient5[2765]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep  7 19:57:58 vpnclient5[2765]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep  7 19:57:58 vpnclient5[2765]: Socket Buffers: R=[122880->200000] S=[122880->200000]
Sep  7 19:57:58 vpnclient5[2766]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sep  7 19:57:58 vpnclient5[2766]: UDPv4 link local: [undef]
Sep  7 19:57:58 vpnclient5[2766]: UDPv4 link remote: [AF_INET]209.148.113.36:1194
Sep  7 19:57:58 vpnclient5[2766]: TLS: Initial packet from [AF_INET]209.148.113.36:1194, sid=cabcb584 52e100ff
Sep  7 19:57:58 vpnclient5[2766]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sep  7 19:58:58 vpnclient5[2766]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep  7 19:58:58 vpnclient5[2766]: TLS Error: TLS handshake failed
Sep  7 19:58:58 vpnclient5[2766]: SIGUSR1[soft,tls-error] received, process restarting
Sep  7 19:58:58 vpnclient5[2766]: Restart pause, 2 second(s)

Re: VPN Issues: Asus RT-AC87U

Posted: Tue Sep 11, 2018 4:59 pm
by drew.phillips
It looks like the connection configuration that it's using is missing the "TLS Auth" key that we use in our config.

Did it have you upload the config.ovpn file into the router or did you have to transfer the settings yourself?

Some routers don't support this option as a client unfortunately, but if it gives you a place to input a "tls-auth" key, then you can pull this from the config file and enter it into the options in the router's interface.

Re: VPN Issues: Asus RT-AC87U

Posted: Tue Sep 11, 2018 5:40 pm
by hyayli
I uploaded the config file directly as I downloaded it from the site.
There is no option to input tlsauth, just username/password input is allowed.

Re: VPN Issues: Asus RT-AC87U

Posted: Wed Sep 12, 2018 6:41 am
by Guest
> I uploaded the config file directly as I downloaded it from the site.
> There is no option to input tlsauth, just username/password input is allowed.

Are you running stock Asus firmware? If so have a look at Merlin's RT-AC87U fork. Lots of options, frequently updated and well supported. If you configured your OpenVPN settings correctly you should have no issues connecting with this firmware: http://asuswrt.lostrealm.ca/

Re: VPN Issues: Asus RT-AC87U

Posted: Wed Sep 12, 2018 8:22 am
by hyayli
This was working about a year ago I’m sure.
I’m using the standard latest ASUS firmware.
Are you sure nothing changed on your end about how you produce the configuration file?

Re: VPN Issues: Asus RT-AC87U

Posted: Wed Sep 12, 2018 8:42 pm
by Guest
After looking at some Asus OpenVPN client page screenshots on the web (stock firmware), you should be able to paste Sonic's tls-auth key in the static key box after clicking the "Content modification of keys and certs" link next to Authorization mode (TLS). The key you're looking for within the ovpn file starts with -----BEGIN OpenVPN Static key V1----- and ends with -----END OpenVPN Static key V1-----. Good luck.

Re: VPN Issues: Asus RT-AC87U

Posted: Sat Sep 15, 2018 5:01 pm
by hyayli
After looking around for a while I found the configuration.

I imported the ovpn then hit the edit.
I see the following sections filled in: Certificate Authority, Client Certificate, Client Key, Static Key (Optional).
Following section is empty: Certificate Revocation List (Optional)
Per your description, tls-auth is entered correctly, when I upload the ovpn file directly.

Connection is still not successful. The logs came out the same as follows:

Sep 15 16:51:52 vpnclient5[5417]: OpenVPN 2.3.2 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Jun 22 2018
Sep 15 16:51:52 vpnclient5[5417]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 15 16:51:52 vpnclient5[5417]: Control Channel Authentication: using 'static.key' as a OpenVPN static key file
Sep 15 16:51:52 vpnclient5[5417]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 15 16:51:52 vpnclient5[5417]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 15 16:51:52 vpnclient5[5417]: Socket Buffers: R=[122880->200000] S=[122880->200000]
Sep 15 16:51:52 vpnclient5[5418]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sep 15 16:51:52 vpnclient5[5418]: UDPv4 link local: [undef]
Sep 15 16:51:52 vpnclient5[5418]: UDPv4 link remote: [AF_INET]209.148.113.36:1194
Sep 15 16:51:53 vpnclient5[5418]: TLS: Initial packet from [AF_INET]209.148.113.36:1194, sid=1bebeb4f f0281351
Sep 15 16:51:53 vpnclient5[5418]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sep 15 16:52:52 vpnclient5[5418]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 15 16:52:52 vpnclient5[5418]: TLS Error: TLS handshake failed
Sep 15 16:52:52 vpnclient5[5418]: SIGUSR1[soft,tls-error] received, process restarting
Sep 15 16:52:52 vpnclient5[5418]: Restart pause, 2 second(s)

On a second attempt I deleted the ca, cert, key and tls-auth sections in the file. I uploaded the file without keys and manually entered all sections. Still the connection cannot be established.
Output is similar:

Sep 15 16:57:54 vpnclient4[5650]: OpenVPN 2.3.2 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Jun 22 2018
Sep 15 16:57:54 vpnclient4[5650]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 15 16:57:54 vpnclient4[5650]: Control Channel Authentication: using 'static.key' as a OpenVPN static key file
Sep 15 16:57:54 vpnclient4[5650]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 15 16:57:54 vpnclient4[5650]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 15 16:57:54 vpnclient4[5650]: Socket Buffers: R=[122880->200000] S=[122880->200000]
Sep 15 16:57:54 vpnclient4[5651]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sep 15 16:57:54 vpnclient4[5651]: UDPv4 link local: [undef]
Sep 15 16:57:54 vpnclient4[5651]: UDPv4 link remote: [AF_INET]209.148.113.36:1194
Sep 15 16:57:54 vpnclient4[5651]: TLS: Initial packet from [AF_INET]209.148.113.36:1194, sid=5a4b79cf 0a9f2e8e
Sep 15 16:57:54 vpnclient4[5651]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sep 15 16:58:55 vpnclient4[5651]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 15 16:58:55 vpnclient4[5651]: TLS Error: TLS handshake failed
Sep 15 16:58:55 vpnclient4[5651]: SIGUSR1[soft,tls-error] received, process restarting
Sep 15 16:58:55 vpnclient4[5651]: Restart pause, 2 second(s)

Re: VPN Issues: Asus RT-AC87U

Posted: Sat Sep 15, 2018 9:16 pm
by Guest
Don't worry about the CRL field. Instead, try pointing your router to their beta server -- beta.vpn.sonic.net (157.131.0.36). Are you able to connect? I believe I read previously where TLS v1.0 was no longer supported on ovpn.sonic.net. If you're able to connect to the beta server then stick with that or use that Merlin firmware I mentioned... It comes with OpenVPN v2.4, NCP, etc. Looks like that stock Asus firmware is using OpenVPN v2.3.2. IIRC, v2.3.2 is limited to TLS v1.0.

Re: VPN Issues: Asus RT-AC87U

Posted: Mon Sep 17, 2018 11:03 am
by hyayli
What you're describing makes sense. Apparently TLS version negotiation starts at OpenVPN 2.3.3 and earlier versions support only TLS 1.0.
Probably Sonic disabled TLS 1.0 because of its known issues.

Bummer!
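
Added example, not part of the original thread: a small Python triage of an OpenVPN client log that separates the three cases discussed above (no reply from the server, a reply but a client too old to negotiate TLS above 1.0, a reply with some other mismatch). The function name `diagnose`, the verdict strings and the 2.3.3 threshold (taken from the post above) are assumptions of this example; the sample lines are abridged from the first log in the thread.

```python
import re

# Threshold as stated in the thread: TLS version negotiation starts at 2.3.3.
TLS_NEGOTIATION_SINCE = (2, 3, 3)
BANNER = re.compile(r"\]: OpenVPN (\d+)\.(\d+)\.(\d+)\b")
INITIAL = re.compile(r"TLS: Initial packet from \[AF_INET\]([\d.]+):(\d+)")
TIMEOUT = "TLS key negotiation failed to occur within"
TLS_AUTH = "Control Channel Authentication: using"


def diagnose(log_text):
    """Summarise one OpenVPN client connection attempt from its log lines."""
    r = {"version": None, "tls_auth": False, "server_replied": None,
         "handshake_timeout": False, "verdict": "no failure seen"}
    for line in log_text.splitlines():
        m = BANNER.search(line)
        if m:
            r["version"] = tuple(int(x) for x in m.groups())
        if TLS_AUTH in line:
            r["tls_auth"] = True          # a static (tls-auth) key was loaded
        m = INITIAL.search(line)
        if m:
            r["server_replied"] = f"{m.group(1)}:{m.group(2)}"
        if TIMEOUT in line:
            r["handshake_timeout"] = True
    if r["handshake_timeout"]:
        if r["server_replied"] is None:
            # Nothing came back at all: a transport problem, not a TLS one.
            r["verdict"] = "no reply: check address, port, protocol, firewall"
        elif r["version"] and r["version"] < TLS_NEGOTIATION_SINCE:
            # The server answered, so the path works; the client is TLS 1.0 only.
            r["verdict"] = "server reachable, client limited to TLS 1.0: upgrade client"
        else:
            r["verdict"] = "server reachable: compare tls-auth key, certs, ciphers"
    return r


# Sample input: abridged from the first log posted in this thread.
SAMPLE = """\
Sep  7 19:57:58 vpnclient5[2765]: OpenVPN 2.3.2 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] built on Jun 22 2018
Sep  7 19:57:58 vpnclient5[2765]: Control Channel Authentication: using 'static.key' as a OpenVPN static key file
Sep  7 19:57:58 vpnclient5[2766]: TLS: Initial packet from [AF_INET]209.148.113.36:1194, sid=cabcb584 52e100ff
Sep  7 19:58:58 vpnclient5[2766]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep  7 19:58:58 vpnclient5[2766]: TLS Error: TLS handshake failed
"""

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```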

Re: VPN Issues: Asus RT-AC87U

Posted: Sun Nov 25, 2018 10:10 am
by gbnilsen
I had the same issue (sonic.net ovpn worked about a year ago using the client in the Asus router but no longer does). I just flashed my RT-AC1900P to the latest Merlin firmware and got the setup to work. Here are the steps necessary:
1) import the client.ovpn file generated by sonic
2) add username/password
3) change connection type to UDP (the Merlin config file uploader/parser didn't get that option from the .ovpn file)