Beryl AX OpenVPN client is unable to connect

Hello GL iNet Support,

My new router is unable to establish an OpenVPN connection to my home OpenVPN server. The same client config works on an Android phone and a Raspberry Pi.

Log:

Wed Aug 7 21:06:23 2024 daemon.notice netifd: Interface 'ovpnclient' is setting up now
Wed Aug 7 21:06:24 2024 daemon.notice ovpnclient[2557]: OpenVPN 2.5.3 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed Aug 7 21:06:24 2024 daemon.notice ovpnclient[2557]: library versions: OpenSSL 1.1.1q 5 Jul 2022, LZO 2.10
Wed Aug 7 21:06:24 2024 daemon.warn ovpnclient[2557]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Aug 7 21:06:24 2024 daemon.warn ovpnclient[2557]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed Aug 7 21:06:24 2024 daemon.notice ovpnclient[2557]: UDPv4 link local (bound): [AF_INET][undef]:0
Wed Aug 7 21:06:24 2024 daemon.notice ovpnclient[2557]: UDPv4 link remote: [AF_UNSPEC]

Config (certs and keys are skipped):

dev tun
persist-tun
persist-key
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-GCM
auth SHA3-512
tls-client
client
resolv-retry infinite
remote abc.xyz 1234 udp4
lport 0
verify-x509-name "abc.xyz" name
auth-user-pass
remote-cert-tls server
explicit-exit-notify

May I know what the network topology of the Home OpenVPN Server -> Beryl AX is?

Is it: Home OVPN server <-> ISP Modem <-> Internet <-> another ISP modem/cellular hotspot/etc. <-> Beryl AX OVPN Client?

Or: the home server and Beryl AX under the SAME LAN?

Hello Bruce,

It is the first option, with the Internet in between sites. The ISP modem in front of the OVPN server is transparent - the OVPN server (pfSense) has a public IP on its WAN interface.

Side note: I managed to make the WireGuard tunnel work between these devices after a Beryl firmware reset. This reset didn't help with OVPN.

The WG tunnel works? So please try to check if the ISP is blocking the OVPN traffic. For example, change the port: use 51820 in the OVPN, or others.

I can connect to my OVPN from other devices from the same remote network - this is not a FW issue. In the Beryl's log, there is not even a record of the server name and its IP.
Also, on the server, I do not even see attempts to connect from my Beryl :frowning_face:

Try removing the two lines and test.

Hi Alzhao,

Same result - OVPN client doesn't connect.

Sat Aug 10 17:11:40 2024 daemon.info glc: (ovpnclient.c:1659) ===>cmd = cp -a '/tmp/etc/openvpn/profiles/99838/cert' '/tmp/etc/openvpn/profiles/99838/auth' '/etc/openvpn/profiles/99838'
Sat Aug 10 17:11:46 2024 daemon.notice netifd: Interface 'ovpnclient' is setting up now
Sat Aug 10 17:11:46 2024 daemon.notice ovpnclient[20150]: OpenVPN 2.5.3 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Aug 10 17:11:46 2024 daemon.notice ovpnclient[20150]: library versions: OpenSSL 1.1.1q 5 Jul 2022, LZO 2.10
Sat Aug 10 17:11:46 2024 daemon.warn ovpnclient[20150]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Aug 10 17:11:46 2024 daemon.warn ovpnclient[20150]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Aug 10 17:11:46 2024 daemon.notice ovpnclient[20150]: UDPv4 link local (bound): [AF_INET][undef]:1194
Sat Aug 10 17:11:46 2024 daemon.notice ovpnclient[20150]: UDPv4 link remote: [AF_UNSPEC]
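
The observation made in the posts above, that the router's log never records the server's address, can be checked mechanically. The following is an added example, not part of the thread or of the router firmware: it classifies how far an ovpnclient process got, using log lines copied from the post above. The function name triage, the stage names and the contrast log (documentation address 203.0.113.10) are constructed for illustration.

```python
import re

# Log lines copied from the post above.
SAMPLE_LOG = """\
Sat Aug 10 17:11:46 2024 daemon.notice netifd: Interface 'ovpnclient' is setting up now
Sat Aug 10 17:11:46 2024 daemon.notice ovpnclient[20150]: OpenVPN 2.5.3 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Aug 10 17:11:46 2024 daemon.warn ovpnclient[20150]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Aug 10 17:11:46 2024 daemon.notice ovpnclient[20150]: UDPv4 link local (bound): [AF_INET][undef]:1194
Sat Aug 10 17:11:46 2024 daemon.notice ovpnclient[20150]: UDPv4 link remote: [AF_UNSPEC]
"""

# Constructed contrast (not from the thread): a client that has a peer address.
CONSTRUCTED_OK = SAMPLE_LOG.replace("[AF_UNSPEC]", "[AF_INET]203.0.113.10:1234") + (
    "Sat Aug 10 17:11:47 2024 daemon.notice ovpnclient[20150]: "
    "TLS: Initial packet from [AF_INET]203.0.113.10:1234, sid=0a1b2c3d 4e5f6a7b\n"
    "Sat Aug 10 17:11:49 2024 daemon.notice ovpnclient[20150]: "
    "Initialization Sequence Completed\n")

STAGES = ["no client output", "process started", "socket open, remote address unset",
          "remote address set", "TLS handshake started", "tunnel up"]
LINE = re.compile(r"\bovpnclient\[(\d+)\]: (.*)$")
REMOTE = re.compile(r"link remote: \[(AF_\w+)\](\S*)")

def triage(log_text):
    """Report how far the most recent ovpnclient process got, judging by its log."""
    result = {"pid": None, "stage": 0, "remote": None, "warnings": []}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # netifd, glc and other daemons are ignored
        pid, msg = m.groups()
        if pid != result["pid"]:  # a new PID means a restart: begin again
            result = {"pid": pid, "stage": 1, "remote": None, "warnings": []}
        if "daemon.warn" in line:
            result["warnings"].append(msg)
        r = REMOTE.search(msg)
        if r:
            _, addr = r.groups()  # addr is empty for [AF_UNSPEC]
            result["remote"] = addr or None
            result["stage"] = max(result["stage"], 3 if addr else 2)
        elif msg.startswith("TLS: Initial packet from"):
            result["stage"] = max(result["stage"], 4)
        elif "Initialization Sequence Completed" in msg:
            result["stage"] = 5
    result["stage_name"] = STAGES[result["stage"]]
    return result

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
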

Could you try to remove the udp4 entry here?

Maybe you can send me a complete config file and credentials to test.

How can I do this securely?

Sending it to me via private message is OK.