VPN Issues: Asus RT-AC87U

by hyayli » Fri Sep 07, 2018 8:23 pm
Hi folks,

I'm trying to connect to the VPN using my router (it's an Asus RT-87U).
I downloaded the profile from ovpn.sonic.net and uploaded.
Here's what I see in my logs. Any idea what's wrong?

Sep  7 19:57:58 vpnclient5[2765]: OpenVPN 2.3.2 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Jun 22 2018
Sep  7 19:57:58 vpnclient5[2765]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep  7 19:57:58 vpnclient5[2765]: Control Channel Authentication: using 'static.key' as a OpenVPN static key file
Sep  7 19:57:58 vpnclient5[2765]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep  7 19:57:58 vpnclient5[2765]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep  7 19:57:58 vpnclient5[2765]: Socket Buffers: R=[122880->200000] S=[122880->200000]
Sep  7 19:57:58 vpnclient5[2766]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sep  7 19:57:58 vpnclient5[2766]: UDPv4 link local: [undef]
Sep  7 19:57:58 vpnclient5[2766]: UDPv4 link remote: [AF_INET]209.148.113.36:1194
Sep  7 19:57:58 vpnclient5[2766]: TLS: Initial packet from [AF_INET]209.148.113.36:1194, sid=cabcb584 52e100ff
Sep  7 19:57:58 vpnclient5[2766]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sep  7 19:58:58 vpnclient5[2766]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep  7 19:58:58 vpnclient5[2766]: TLS Error: TLS handshake failed
Sep  7 19:58:58 vpnclient5[2766]: SIGUSR1[soft,tls-error] received, process restarting
Sep  7 19:58:58 vpnclient5[2766]: Restart pause, 2 second(s)
by drew.phillips » Tue Sep 11, 2018 4:59 pm
It looks like the connection configuration that it's using is missing the "TLS Auth" key that we use in our config.

Did it have you upload the config.ovpn file into the router or did you have to transfer the settings yourself?

Some routers don't support this option as a client unfortunately, but if it gives you a place to input a "tls-auth" key, then you can pull this from the config file and enter it into the options in the router's interface.
Drew Phillips
Programmer / System Operations, Sonic.net
by hyayli » Tue Sep 11, 2018 5:40 pm
I uploaded the config file directly as I downloaded it from the site.
There is no option to input tls-auth; only username and password input is allowed.
by Guest » Wed Sep 12, 2018 6:41 am
> I uploaded the config file directly as I downloaded it from the site.
> There is no option to input tls-auth; only username and password input is allowed.

Are you running stock Asus firmware? If so have a look at Merlin's RT-AC87U fork. Lots of options, frequently updated and well supported. If you configured your OpenVPN settings correctly you should have no issues connecting with this firmware: http://asuswrt.lostrealm.ca/
by hyayli » Wed Sep 12, 2018 8:22 am
This was working about a year ago I’m sure.
I’m using the standard latest ASUS firmware.
Are you sure nothing changed on your end about how you produce the configuration file?
by Guest » Wed Sep 12, 2018 8:42 pm
After looking at some Asus OpenVPN client page screenshots on the web (stock firmware), you should be able to paste Sonic's tls-auth key in the static key box after clicking the "Content modification of keys and certs" link next to Authorization mode (TLS). The key you're looking for within the ovpn file starts with -----BEGIN OpenVPN Static key V1----- and ends with -----END OpenVPN Static key V1-----. Good luck.
by hyayli » Sat Sep 15, 2018 5:01 pm
After looking around for a while I found the configuration.

I imported the ovpn then hit the edit.
I see the following sections filled in: Certificate Authority, Client Certificate, Client Key, Static Key (Optional).
Following section is empty: Certificate Revocation List (Optional)
Per your description, tls-auth is entered correctly, when I upload the ovpn file directly.

Connection is still not successful. The logs came out the same as follows:


Sep 15 16:51:52 vpnclient5[5417]: OpenVPN 2.3.2 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Jun 22 2018
Sep 15 16:51:52 vpnclient5[5417]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 15 16:51:52 vpnclient5[5417]: Control Channel Authentication: using 'static.key' as a OpenVPN static key file
Sep 15 16:51:52 vpnclient5[5417]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 15 16:51:52 vpnclient5[5417]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 15 16:51:52 vpnclient5[5417]: Socket Buffers: R=[122880->200000] S=[122880->200000]
Sep 15 16:51:52 vpnclient5[5418]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sep 15 16:51:52 vpnclient5[5418]: UDPv4 link local: [undef]
Sep 15 16:51:52 vpnclient5[5418]: UDPv4 link remote: [AF_INET]209.148.113.36:1194
Sep 15 16:51:53 vpnclient5[5418]: TLS: Initial packet from [AF_INET]209.148.113.36:1194, sid=1bebeb4f f0281351
Sep 15 16:51:53 vpnclient5[5418]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sep 15 16:52:52 vpnclient5[5418]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 15 16:52:52 vpnclient5[5418]: TLS Error: TLS handshake failed
Sep 15 16:52:52 vpnclient5[5418]: SIGUSR1[soft,tls-error] received, process restarting
Sep 15 16:52:52 vpnclient5[5418]: Restart pause, 2 second(s)


On a second attempt I deleted the ca, cert, key and tls-auth sections in the file. I uploaded the file without keys and manually entered all sections. Still the connection cannot be established.
Output is similar:

Sep 15 16:57:54 vpnclient4[5650]: OpenVPN 2.3.2 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Jun 22 2018
Sep 15 16:57:54 vpnclient4[5650]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 15 16:57:54 vpnclient4[5650]: Control Channel Authentication: using 'static.key' as a OpenVPN static key file
Sep 15 16:57:54 vpnclient4[5650]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 15 16:57:54 vpnclient4[5650]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 15 16:57:54 vpnclient4[5650]: Socket Buffers: R=[122880->200000] S=[122880->200000]
Sep 15 16:57:54 vpnclient4[5651]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sep 15 16:57:54 vpnclient4[5651]: UDPv4 link local: [undef]
Sep 15 16:57:54 vpnclient4[5651]: UDPv4 link remote: [AF_INET]209.148.113.36:1194
Sep 15 16:57:54 vpnclient4[5651]: TLS: Initial packet from [AF_INET]209.148.113.36:1194, sid=5a4b79cf 0a9f2e8e
Sep 15 16:57:54 vpnclient4[5651]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sep 15 16:58:55 vpnclient4[5651]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 15 16:58:55 vpnclient4[5651]: TLS Error: TLS handshake failed
Sep 15 16:58:55 vpnclient4[5651]: SIGUSR1[soft,tls-error] received, process restarting
Sep 15 16:58:55 vpnclient4[5651]: Restart pause, 2 second(s)
by Guest » Sat Sep 15, 2018 9:16 pm
Don't worry about the CRL field. Instead, try pointing your router to their beta server -- beta.vpn.sonic.net (157.131.0.36). Are you able to connect? I believe I read previously where TLS v1.0 was no longer supported on ovpn.sonic.net. If you're able to connect to the beta server then stick with that or use that Merlin firmware I mentioned... It comes with OpenVPN v2.4, NCP, etc. Looks like that stock Asus firmware is using OpenVPN v2.3.2. IIRC, v2.3.2 is limited to TLS v1.0.
by hyayli » Mon Sep 17, 2018 11:03 am
What you're describing makes sense. Apparently TLS version negotiation starts at OpenVPN 2.3.3 and earlier versions support only TLS 1.0.
Probably Sonic disabled TLS 1.0 because of its known issues.

Bummer!
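
Added example (not part of the original thread and not Sonic's or Asus's code): a small triage of the OpenVPN client log posted above, which separates the three causes discussed in the thread: no reply from the server, no tls-auth key loaded, and a client older than 2.3.3. The sample log is abridged from the posted lines, and the 2.3.3 cutoff is taken from the thread's conclusion; the function name and the finding strings are assumptions made for the example.

```python
import re

# Constructed sample: lines abridged from the router log posted in this thread.
SAMPLE_LOG = """\
Sep 15 16:51:52 vpnclient5[5417]: OpenVPN 2.3.2 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Jun 22 2018
Sep 15 16:51:52 vpnclient5[5417]: Control Channel Authentication: using 'static.key' as a OpenVPN static key file
Sep 15 16:51:53 vpnclient5[5418]: TLS: Initial packet from [AF_INET]209.148.113.36:1194, sid=1bebeb4f f0281351
Sep 15 16:52:52 vpnclient5[5418]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 15 16:52:52 vpnclient5[5418]: TLS Error: TLS handshake failed
"""

# First release with TLS version negotiation, as stated in the thread (assumption).
FIRST_NEGOTIATING = (2, 3, 3)


def triage(log_text):
    """Return (evidence dict, list of findings) for an OpenVPN client log."""
    ev = {"version": None, "tls_auth_key": False,
          "server_replied": False, "handshake_timeout": False}
    for line in log_text.splitlines():
        msg = line.split("]: ", 1)[-1]  # drop the syslog "host proc[pid]: " prefix
        m = re.match(r"OpenVPN (\d+)\.(\d+)\.(\d+)", msg)
        if m:
            ev["version"] = tuple(int(x) for x in m.groups())
        elif msg.startswith("Control Channel Authentication: using"):
            ev["tls_auth_key"] = True       # a tls-auth static key was loaded
        elif msg.startswith("TLS: Initial packet from"):
            ev["server_replied"] = True     # the server answered at least once
        elif "TLS key negotiation failed" in msg:
            ev["handshake_timeout"] = True
    findings = []
    if ev["handshake_timeout"]:
        if not ev["server_replied"]:
            findings.append("no reply from server: check reachability/firewall")
        if not ev["tls_auth_key"]:
            findings.append("no tls-auth key loaded: check the Static Key field")
        if ev["version"] and ev["version"] < FIRST_NEGOTIATING:
            findings.append("client older than 2.3.3: TLS 1.0 only, server may refuse it")
    return ev, findings


if __name__ == "__main__":
    evidence, findings = triage(SAMPLE_LOG)
    print(evidence)
    for finding in findings:
        print("-", finding)
```

On the posted log the tls-auth key is loaded and the server's initial packet arrives, so the only remaining finding is the client version.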