OpenVPN Service

Advanced feature discussion, beta programs and unsupported "Labs" features.
140 posts Page 12 of 14
by ankh » Thu Aug 23, 2018 8:35 am
I downloaded and installed a fresh copy of the Mac client and now get connected to the VPN properly. Appears to be the same version as before but hey, it works.
Did that per suggestion from Support after I asked them again.


I still see just three 'wait' spinners with either Firefox or Safari if I click the "Connect" button on the page https://ovpn.sonic.net/?src=connect

EDIT: as of 4/11/2019, the problem went away. I'm reviving an older Mac after the 2011 MBP's graphics failed as they do. Went through the whole setup, downloaded the latest application version, so far all good.
by timyu94 » Mon Oct 29, 2018 6:13 pm
I've been using OVPN for a whole-home VPN connection via a pfSense server and upgraded to 75 mbps IPBB a bit over a month ago. For the 45 mbps IPBB service the connection to Sonic's OVPN server was pretty much maxed out at all times at line speed. With the upgrade to IPBB75 it seems the connection maxes out around 50-60 mbps hardwired, whereas with it off the connection is 75-80 mbps.

I was wondering if this is a limitation on Sonic's VPN side, which may be optimized for the previous top FTTN tier of 50 mbps. If so, is there any possibility that the connection can be enhanced so that a VPN connected to it can run at line speed on the new IPBB 75 tier?

For reference, my pfSense build is on a Chinese Qotom mini PC running an AES-NI enabled Intel i3-5015U with 2 GB RAM. Should be enough for 300-400 mbps of OVPN throughput.
by nhcuccia » Wed Dec 05, 2018 2:42 pm
I'm currently running the OpenVPN client on an Asus RT-AC3100 wifi router, running the most recent Asus firmware version (not ASUSWRT-Merlin). When I tried using the client.ovpn from ovpn.sonic.net (using 'username' and not 'username@sonic.net' as my login), the logs on my wifi router indicated that the TLS handshake was failing. After that, I obtained a client.ovpn from the beta.vpn.sonic.net using the same credentials; with this file, the connection was successful, and I'm currently happy.

My main question: What are the differences between the two services that may result in the behavior that I've observed? I've seen discussion of username vs. username@sonic.net and TLSv1.0 vs. TLSv1.2, but was wondering whether or not there were other differences that might result in such behavior.
by mike.ely » Wed Dec 05, 2018 3:15 pm
nhcuccia wrote:
What are the differences between the two services that may result in the behavior that I've observed? I've seen discussion of username vs. username@sonic.net and TLSv1.0 vs. TLSv1.2, but was wondering whether or not there were other differences that might result in such behavior.

The symptoms you are seeing combined with the fact that you are successful logging in to beta.vpn suggests that your router is only supporting TLS1.0. The fact that I see the following in the logs from your IP confirms it:

Code:

OpenSSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol'

At this point your solutions would be, in no particular order:
  • Convince Asus to update their firmware.
  • Update your router to a third-party firmware that does support TLS 1.2
  • Use beta.vpn, which means you'll have to tolerate things going 'bump' unpredictably (it is "beta" after all), not to mention living with the knowledge that you are using a TLS version that's badly broken - check your favourite search engine for "tls 1.0 vulnerabilities" if you want more information.
I'm a little surprised that Asus continues to ship such an out of date VPN client, especially on their higher-end routers. But unfortunately that is exactly what appears to be the case here.
Sonic Operations
by nhcuccia » Wed Dec 05, 2018 4:07 pm
Thanks. I can live with Beta. Will see what I can find over at Asus. Along those lines, when I was using Asuswrt-Merlin (the third-party firmware for this device), I had no problem with using prod. I only encountered issues when I reverted back to the Asus-supplied firmware in order to take advantage of other functionality not in Merlin.
by ankh » Thu Apr 11, 2019 12:52 pm
New error message from Tunnelblick:

Warning: This VPN may not connect in the future.

The OpenVPN configuration file for 'client' contains these OpenVPN options:

• 'ns-cert-type' was deprecated in OpenVPN 2.4 and removed in OpenVPN 2.5

• 'comp-lzo' was deprecated in OpenVPN 2.4 and has been or will be removed in a later version


You should update the configuration so it can be used with modern versions of OpenVPN.

Tunnelblick will use OpenVPN 2.4.7 - OpenSSL v1.0.2r to connect this configuration.

However, you will not be able to connect to this VPN with future versions of Tunnelblick that do not include a version of OpenVPN that accepts the options.
by drew.phillips » Thu Apr 18, 2019 11:08 am
ankh wrote:
New error message from Tunnelblick:

Warning: This VPN may not connect in the future.

The OpenVPN configuration file for 'client' contains these OpenVPN options:

• 'ns-cert-type' was deprecated in OpenVPN 2.4 and removed in OpenVPN 2.5

• 'comp-lzo' was deprecated in OpenVPN 2.4 and has been or will be removed in a later version


You should update the configuration so it can be used with modern versions of OpenVPN.

Tunnelblick will use OpenVPN 2.4.7 - OpenSSL v1.0.2r to connect this configuration.

However, you will not be able to connect to this VPN with future versions of Tunnelblick that do not include a version of OpenVPN that accepts the options.


As far as I know there is still no OpenVPN client/server 2.5 release within sight. As of now, 2.4.7 is the latest version and there's a lot of work to be done for 2.5. When it does come out our configs will likely change and clients should be updated with newer versions.

Since it will be significant enough of a release to require config changes, we'll keep the previous version running for a while and put the new version on beta and give sufficient warning since changing these options will prevent clients with older configurations from connecting.

TL;DR - totally safe to ignore these warnings for now.
Drew Phillips
Programmer / System Operations, Sonic.net
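The Tunnelblick warning above, and the DD-WRT log further down this thread, name three options (ns-cert-type, comp-lzo, keysize) that OpenVPN has deprecated. The checker below is an added example, not Sonic's or Tunnelblick's code: it lints a client config for exactly those options and reports what each warning means, without rewriting the file, since, as Drew notes, the server side has to change first. The sample config is constructed and stands in for client.ovpn.

```python
"""Lint an OpenVPN client config for the deprecated options named in this
thread: ns-cert-type, comp-lzo and keysize. Added example (not Sonic's
tooling); SAMPLE_OVPN is a constructed stand-in for client.ovpn."""
import re

# Replacing ns-cert-type with remote-cert-tls only works if the server
# certificate carries the serverAuth EKU, so this reports and does not
# rewrite the file.
DEPRECATED = {
    "ns-cert-type": "deprecated in 2.4, removed in 2.5; successor is remote-cert-tls",
    "comp-lzo": "deprecated in 2.4; keep it until the server side drops it",
    "keysize": "deprecated; to be removed in OpenVPN 2.6",
}

# 'keysize 999' sits inside the <ca> block and must NOT be reported.
SAMPLE_OVPN = """\
client
remote ovpn.sonic.net 1194
ns-cert-type server
comp-lzo
keysize 256
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
keysize 999
-----END CERTIFICATE-----
</ca>
"""

def lint_ovpn(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, option, meaning) for each deprecated option; inline
    <ca>/<cert>/<key>/<tls-auth> bodies are skipped so PEM text is never
    read as an option line."""
    findings, in_block = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if in_block:                          # inside <tag> ... </tag>
            if line == f"</{in_block}>":
                in_block = None
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            in_block = m.group(1)
            continue
        if not line or line[0] in "#;":       # blank or comment line
            continue
        opt = line.split()[0]
        if opt in DEPRECATED:
            findings.append((n, opt, DEPRECATED[opt]))
    return findings
```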
by ark » Wed Jun 12, 2019 8:07 am
I'm trying to set up LAN wide VPN using DD-WRT on a Netgear R6400v2. I got it from Flashrouters.com and upgraded the VPN to the latest version Firmware: DD-WRT v3.0-r37305 std (10/10/18).

I followed the instructions at https://www.expressvpn.com/support/vpn- ... h-openvpn/ using the client.ovpn file I got when I installed OpenVPN from openvpn.sonic.net. I just tested that my OpenVPN configuration works. But I can't get the VPN to work on my Netgear router connected to a Comcast modem.

On the Netgear router, I get this message:

State
Client: RECONNECTING tls-error Local Address:
Remote Address:

Status
VPN Client Stats
TUN/TAP read bytes 0
TUN/TAP write bytes 0
TCP/UDP read bytes 0
TCP/UDP write bytes 0
Auth read bytes 0

Log
Clientlog:
19691231 16:04:01 W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
19691231 16:04:01 W WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
19691231 16:04:01 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
19691231 16:04:01 W WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
19691231 16:04:01 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
19691231 16:04:01 I OpenVPN 2.4.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 10 2018
19691231 16:04:01 I library versions: OpenSSL 1.1.1 11 Sep 2018 LZO 2.09
19691231 16:04:01 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
19691231 16:04:01 W WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
19691231 16:04:01 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19691231 16:04:01 W WARNING: Your certificate is not yet valid!
19691231 16:04:01 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
19691231 16:04:01 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
19691231 16:04:01 I TCP/UDP: Preserving recently used remote address: [AF_INET]209.148.113.36:1194
19691231 16:04:01 Socket Buffers: R=[180224->180224] S=[180224->180224]
19691231 16:04:01 I UDPv4 link local: (not bound)
19691231 16:04:01 I UDPv4 link remote: [AF_INET]209.148.113.36:1194
19691231 16:04:01 TLS: Initial packet from [AF_INET]209.148.113.36:1194 sid=64ed9ae9 cdba13a4
19691231 16:04:01 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
19691231 16:04:01 N VERIFY ERROR: depth=1 error=certificate is not yet valid: CN=OpenVPN CA
19691231 16:04:01 N OpenSSL: error:1416F086:lib(20):func(367):reason(134)
19691231 16:04:01 N TLS_ERROR: BIO read tls_read_plaintext error
19691231 16:04:01 NOTE: --mute triggered...
19691231 16:04:01 2 variation(s) on previous 3 message(s) suppressed by --mute
19691231 16:04:01 I SIGUSR1[soft tls-error] received process restarting
19691231 16:04:01 Restart pause 5 second(s)
19691231 16:04:06 W WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
19691231 16:04:06 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
19691231 16:04:06 I TCP/UDP: Preserving recently used remote address: [AF_INET]209.148.113.36:1194
19691231 16:04:06 Socket Buffers: R=[180224->180224] S=[180224->180224]
19691231 16:04:06 I UDPv4 link local: (not bound)
19691231 16:04:06 I UDPv4 link remote: [AF_INET]209.148.113.36:1194
19691231 16:04:06 TLS: Initial packet from [AF_INET]209.148.113.36:1194 sid=5935df11 7790bdc1
19691231 16:04:06 N VERIFY ERROR: depth=1 error=certificate is not yet valid: CN=OpenVPN CA
19691231 16:04:06 N OpenSSL: error:1416F086:lib(20):func(367):reason(134)
19691231 16:04:06 N TLS_ERROR: BIO read tls_read_plaintext error
19691231 16:04:06 NOTE: --mute triggered...
19691231 16:04:06 2 variation(s) on previous 3 message(s) suppressed by --mute
19691231 16:04:06 I SIGUSR1[soft tls-error] received process restarting
19691231 16:04:06 Restart pause 5 second(s)
19691231 16:04:10 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
19691231 16:04:10 D MANAGEMENT: CMD 'state'
19691231 16:04:10 MANAGEMENT: Client disconnected
19691231 16:04:10 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
19691231 16:04:10 D MANAGEMENT: CMD 'state'
19691231 16:04:10 MANAGEMENT: Client disconnected
19691231 16:04:10 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
19691231 16:04:10 D MANAGEMENT: CMD 'state'
19691231 16:04:10 MANAGEMENT: Client disconnected
19691231 16:04:10 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
19691231 16:04:10 D MANAGEMENT: CMD 'status 2'
19691231 16:04:10 MANAGEMENT: Client disconnected
19691231 16:04:10 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
19691231 16:04:10 D MANAGEMENT: CMD 'log 500'
19691231 16:00:00


Help

On Services->VPN, I've entered:

OpenVPN Client

Start OpenVPN Client Enable
Server IP/Name ovpn.sonic.net
Port 1194
Tunnel Device TUN
Tunnel Protocol UDP
Encryption Cipher AES-128 CBC
Hash Algorithm SHA1
User Pass Authentication Enable
Username ark
Password (I filled it in)
Advanced Options Enable
TLS Cipher None
LZO Compression Yes
NAT Enable
Firewall Protection Enable
IP Address blank
Subnet Mask blank
Tunnel MTU setting 1500
Tunnel UDP Fragment blank
Tunnel UDP MSS-Fix Disable
nsCertType verification checked
TLS Auth Key
filled in from client.ovpn file
Additional Config
persist-key
persist-tun
fragment 1300
mssfix 1450
keysize 256
Policy Based Routing
blank
PKCS12 Key
blank
Static Key
blank
CA Cert
filled in from client.ovpn file
Public Key Cert
filled in from client.ovpn file
Private Client Key
filled in from client.ovpn file

Please let me know what I am doing wrong and how to fix it.
by drew.phillips » Wed Jun 12, 2019 9:00 am
ark wrote:
I'm trying to set up LAN wide VPN using DD-WRT on a Netgear R6400v2. I got it from Flashrouters.com and upgraded the VPN to the latest version Firmware: DD-WRT v3.0-r37305 std (10/10/18).

I followed the instructions at https://www.expressvpn.com/support/vpn- ... h-openvpn/ using the client.ovpn file I got when I installed OpenVPN from openvpn.sonic.net. I just tested that my OpenVPN configuration works. But I can't get the VPN to work on my Netgear router connected to a Comcast modem.

On the Netgear router, I get this message:

State
Client: RECONNECTING tls-error Local Address:
Remote Address:

Status
VPN Client Stats
TUN/TAP read bytes 0
TUN/TAP write bytes 0
TCP/UDP read bytes 0
TCP/UDP write bytes 0
Auth read bytes 0


Hi ark,

Thanks for the detailed logs. Based on the logs, it looks like the router's system clock hasn't been set or synced with a time server (everything is logged as 1969-12-31 16:04:01). If you try setting the time to something closer to "now", does that fix the issue?
Drew Phillips
Programmer / System Operations, Sonic.net
by ark » Thu Jun 13, 2019 10:28 pm
Thanks, Drew. I still can't seem to get it to work.

I tried changing the host to opvn.sonic.net and get this error message sequence, as expected.

Client: RECONNECTING init_instance Local Address:
Remote Address:

Status
VPN Client Stats
TUN/TAP read bytes 0
TUN/TAP write bytes 0
TCP/UDP read bytes 0
TCP/UDP write bytes 0
Auth read bytes 0

Log
Clientlog:
20190613 22:22:49 W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
20190613 22:22:49 W WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
20190613 22:22:49 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
20190613 22:22:49 W WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
20190613 22:22:49 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
20190613 22:22:49 I OpenVPN 2.4.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 10 2018
20190613 22:22:49 I library versions: OpenSSL 1.1.1 11 Sep 2018 LZO 2.09
20190613 22:22:49 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20190613 22:22:49 W WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
20190613 22:22:49 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20190613 22:22:49 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
20190613 22:22:49 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
20190613 22:22:49 N RESOLVE: Cannot resolve host address: opvn.sonic.net:1194 (Name does not resolve)
20190613 22:22:49 N RESOLVE: Cannot resolve host address: opvn.sonic.net:1194 (Name does not resolve)
20190613 22:22:49 W Could not determine IPv4/IPv6 protocol
20190613 22:22:49 I SIGUSR1[soft init_instance] received process restarting
20190613 22:22:49 Restart pause 5 second(s)
20190613 22:22:54 W WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
20190613 22:22:54 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20190613 22:22:54 N RESOLVE: Cannot resolve host address: opvn.sonic.net:1194 (Name does not resolve)
20190613 22:22:54 N RESOLVE: Cannot resolve host address: opvn.sonic.net:1194 (Name does not resolve)
20190613 22:22:54 W Could not determine IPv4/IPv6 protocol
20190613 22:22:54 I SIGUSR1[soft init_instance] received process restarting
20190613 22:22:54 Restart pause 5 second(s)
20190613 22:22:58 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190613 22:22:58 D MANAGEMENT: CMD 'state'
20190613 22:22:58 MANAGEMENT: Client disconnected
20190613 22:22:58 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190613 22:22:58 D MANAGEMENT: CMD 'state'
20190613 22:22:58 MANAGEMENT: Client disconnected
20190613 22:22:58 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190613 22:22:58 D MANAGEMENT: CMD 'state'
20190613 22:22:58 MANAGEMENT: Client disconnected
20190613 22:22:58 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190613 22:22:58 D MANAGEMENT: CMD 'status 2'
20190613 22:22:58 MANAGEMENT: Client disconnected
20190613 22:22:58 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190613 22:22:58 D MANAGEMENT: CMD 'log 500'
19691231 16:00:00

But when I change the address back to ovpn.sonic.net, I get this:

Client: Local Address:
Remote Address:

Status
VPN Client Stats

Log
Clientlog:

The upper right shows the following:

Firmware: DD-WRT v3.0-r37305 std (10/10/18)
Time: 22:27:16 up 8:39, load average: 0.05, 0.03, 0.00
WAN IP: 73.162.21.232

I tried rebooting the router, but it doesn't help.
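Three distinct failures were diagnosed from logs in this thread: mike.ely's TLS 1.0-only router (the SSL23_GET_CLIENT_HELLO error seen on the server), Drew's unset-clock diagnosis (every line stamped 1969-12-31 plus "certificate is not yet valid"), and the unresolvable hostname in ark's last log. The triage function below is an added example, not Sonic's tooling; the sample excerpts are quoted from the logs posted above.

```python
"""Triage OpenVPN log excerpts for the three root causes diagnosed in this
thread: a TLS 1.0-only client (server-side OpenSSL error), an unset router
clock, and an unresolvable hostname. Added example, not Sonic's tooling;
the sample excerpts are quoted from the logs posted in the thread."""
import re

EPOCH_DAY = "19691231"   # DD-WRT stamps this date when the clock was never set

# (pattern, verdict, what to check); first match wins
RULES = [
    (r"certificate is not yet valid", "clock",
     "client clock predates the CA certificate's notBefore; sync NTP first"),
    (r"SSL23_GET_CLIENT_HELLO:unknown protocol", "tls-version",
     "client offered only TLS 1.0 and the server requires 1.2; update firmware"),
    (r"RESOLVE: Cannot resolve host address: (\S+)", "dns",
     "hostname does not resolve; check spelling (ovpn vs opvn) and DNS"),
]

def triage(log: str) -> dict:
    """Return {'verdict', 'detail', 'evidence'} for the first rule that
    matches; the clock verdict is strengthened when every timestamp is
    1969-12-31, which means the router never synced its clock."""
    stamps = {l.split()[0] for l in log.splitlines() if l[:8].isdigit()}
    for pattern, verdict, detail in RULES:
        m = re.search(pattern, log)
        if m:
            if verdict == "clock" and stamps == {EPOCH_DAY}:
                detail += " (every timestamp is 1969-12-31: clock never set)"
            return {"verdict": verdict, "detail": detail, "evidence": m.group(0)}
    return {"verdict": "unknown", "detail": "no known signature", "evidence": ""}

CLOCK_LOG = """\
19691231 16:04:01 W WARNING: Your certificate is not yet valid!
19691231 16:04:01 N VERIFY ERROR: depth=1 error=certificate is not yet valid: CN=OpenVPN CA
19691231 16:04:01 N TLS_ERROR: BIO read tls_read_plaintext error
"""
DNS_LOG = """\
20190613 22:22:49 N RESOLVE: Cannot resolve host address: opvn.sonic.net:1194 (Name does not resolve)
20190613 22:22:49 W Could not determine IPv4/IPv6 protocol
"""
SERVER_LOG = "OpenSSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol\n"

if __name__ == "__main__":
    for name, excerpt in (("clock", CLOCK_LOG), ("dns", DNS_LOG), ("server", SERVER_LOG)):
        print(name, "->", triage(excerpt))
```

An empty log, like the one ark saw after switching back to ovpn.sonic.net, yields the "unknown" verdict, which is itself a signal that the client never started.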