GL-MT3000 OpenVPN client is starting, please wait…

Hi,

When I connect my OpenVPN client on the MT3000 to my VPN server, it gets stuck at "The client is starting, please wait..." forever. I can connect to the VPN server via my computer's OpenVPN client when connected to this MT3000 router. Here is the log:

Wed May 29 01:22:12 2024 daemon.warn ovpnclient[28499]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1420)
Wed May 29 01:22:12 2024 daemon.notice ovpnclient[28499]: TCP/UDP: Preserving recently used remote address: [AF_INET]123.123.123.123:1194
Wed May 29 01:22:12 2024 daemon.notice ovpnclient[28499]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed May 29 01:22:12 2024 daemon.notice ovpnclient[28499]: UDP link local: (not bound)
Wed May 29 01:22:12 2024 daemon.notice ovpnclient[28499]: UDP link remote: [AF_INET]123.123.123.123:1194
Wed May 29 01:22:16 2024 daemon.notice ovpnclient[28499]: Server poll timeout, restarting
Wed May 29 01:22:16 2024 daemon.notice ovpnclient[28499]: SIGHUP[soft,server_poll] received, process restarting
Wed May 29 01:22:16 2024 daemon.warn ovpnclient[28499]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Wed May 29 01:22:16 2024 daemon.notice ovpnclient[28499]: OpenVPN 2.5.3 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed May 29 01:22:16 2024 daemon.notice ovpnclient[28499]: library versions: OpenSSL 1.1.1q  5 Jul 2022, LZO 2.10
Wed May 29 01:22:16 2024 daemon.warn ovpnclient[28499]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed May 29 01:22:16 2024 daemon.notice ovpnclient[28499]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Wed May 29 01:22:16 2024 daemon.notice ovpnclient[28499]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed May 29 01:22:16 2024 daemon.notice ovpnclient[28499]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Wed May 29 01:22:16 2024 daemon.notice ovpnclient[28499]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed May 29 01:22:16 2024 daemon.warn ovpnclient[28499]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1420)
Wed May 29 01:22:16 2024 daemon.notice ovpnclient[28499]: TCP/UDP: Preserving recently used remote address: [AF_INET]123.123.123.123:1194
Wed May 29 01:22:16 2024 daemon.notice ovpnclient[28499]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed May 29 01:22:16 2024 daemon.notice ovpnclient[28499]: UDP link local: (not bound)
Wed May 29 01:22:16 2024 daemon.notice ovpnclient[28499]: UDP link remote: [AF_INET]123.123.123.123:1194

What is your ovpn server?

OpenVPN Access Server running on my own VPS, built using official openvpn-as docker.

Here is the ovpn setting:

client
server-poll-timeout 4
nobind
remote 123.123.123.123 1194 udp
remote 123.123.123.123 1194 udp
remote 123.123.123.123 443 tcp
remote 123.123.123.123 1194 udp
remote 123.123.123.123 1194 udp
remote 123.123.123.123 1194 udp
remote 123.123.123.123 1194 udp
remote 123.123.123.123 1194 udp
dev tun
dev-type tun
remote-cert-tls server
tls-version-min 1.2
reneg-sec 604800
tun-mtu 1420
auth-user-pass
verb 3
push-peer-info

Can you send me a full config with credentials via message? I will test.

Issue found.

There are multiple servers. The Windows OpenVPN client can cycle through the servers and connect to one that is available, but the router only connects to the first one.

After removing the non-working server it is OK.

The workaround to retry every remote server is to run this command:

sed -i  '/SIGHUP/d' /lib/netifd/proto/ovpnclient.sh

Then toggle OpenVPN client.

The side effect is that the UI won't report when a disconnection happens.

This is an ancient bug introduced when we optimized the reconnection of the OpenVPN client.
We'll address this issue thoroughly in firmware 4.6.
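
A way to confirm the symptom described in this thread (the client retrying one remote and never rotating to the others), as an added example that is not part of the thread or of GL.iNet's firmware. It compares the `remote` lines of a profile with the remotes a client log shows attempts on, keying on the log lines visible in the first post; treating "Initialization Sequence Completed" as the success marker, the function names, and the sample addresses (documentation ranges) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not GL.iNet or OpenVPN project code. Sample data is constructed.

# Distinct "host:port" remotes from an .ovpn profile, in file order.
config_remotes() {
    awk '$1 == "remote" && NF >= 3 { r = $2 ":" $3
         if (!(r in s)) { s[r] = 1; print r } }' "$1"
}

# Per attempted remote in a client log: "host:port <poll timeouts> <status>".
log_remotes() {
    awk '
    /(remote address|link remote): \[AF_INET/ {
        cur = $NF; sub(/^\[AF_INET6?\]/, "", cur)
        if (!(cur in seen)) { seen[cur] = 1; order[++n] = cur }
        next
    }
    /Server poll timeout/ && cur != "" { t[cur]++; next }
    /Initialization Sequence Completed/ && cur != "" { ok[cur] = 1 }
    END { for (i = 1; i <= n; i++) { r = order[i]
          print r, t[r] + 0, ((r in ok) ? "connected" : "never-connected") } }' "$1"
}

# Remotes present in the profile ($1) that the log ($2) shows no attempt on.
untried_remotes() {
    tried=$(log_remotes "$2" | cut -d' ' -f1)
    for r in $(config_remotes "$1"); do
        printf '%s\n' "$tried" | grep -qxF -- "$r" || printf '%s\n' "$r"
    done
}

# Constructed sample: the first remote is dead and the second is never tried.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/client.ovpn" <<'EOF'
client
server-poll-timeout 4
remote 192.0.2.10 1194 udp
remote 198.51.100.20 1194 udp
EOF
    cat > "$d/client.log" <<'EOF'
ovpnclient[1]: UDP link remote: [AF_INET]192.0.2.10:1194
ovpnclient[1]: Server poll timeout, restarting
ovpnclient[1]: UDP link remote: [AF_INET]192.0.2.10:1194
ovpnclient[1]: Server poll timeout, restarting
EOF
    log_remotes "$d/client.log"; untried_remotes "$d/client.ovpn" "$d/client.log"
    rm -rf "$d"
}
demo
```

A remote reported as `never-connected` with repeated timeouts, alongside profile remotes that were never attempted, matches the behaviour reported above; a failed TCP attempt may not produce the log lines this keys on.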