My router only supports AES-128-CBC, can I allow this somehow on the Beryl / GL-MT1300

shoelessone · 2022-02-28T00:27:10.210Z

Hello! I have a router (Netgear “Orbi” RBR750) and the built in VPN server appears to only support AES-128-CBC. I am fairly certain that the Beryl does not support this, based on this error message when I attempt to connect:

OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.1.0
DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

I’m wondering if I can somehow enable this feature through a configuration option somewhere in the Beryl? I’ve googled a bit but haven’t found any solution at this point. Thank you so much for your help!

p.s. If I could somehow install OpenVPN 2.4 that may solve the issue, but honestly I don’t really know. One discussion post I read on reddit (on a completely different topic but similar error) said

You need to either fall back to OpenVPN 2.4, or follow the directions in the error message and change your configuration and explicitly enable the CBC ciphers.

Almahadeus · 2022-02-28T00:36:39.983Z

Don’t know the answer to your question but if you are running VPN on your GL.iNet rather than on your Orbi then why does it have to be strictly AES-128-CBC?

shoelessone · 2022-02-28T04:38:03.511Z

The Beryl is acting as the VPN client in my situation, not the server. The server is using a version of the server that only sports AES-128-CBC it seems. Sorry if that didn’t answer your question!

alzhao · 2022-02-28T09:56:26.060Z

Maybe just try.

Isn’t it be back-compabible?

elorimer · 2022-02-28T12:48:44.250Z

shoelessone:

(Netgear “Orbi” RBR750

I don’t think the cipher is your problem, it is the route. In theory you would download the WIndows configuration from the Orbi and then import it to your Beryl and it would work. So I would do this:

Install the most recent firmware for the Orbi, which I think is around October 2021.
Change the router username/password to something really, really strong.
Set up your DDNS method.
Set up your VPN Server as TUN/UDP/their default port. Unfortunately that’s all you are offered.
Download the configuration file for Windows.
Upload it to your Beryl VPN Client.
If it doesn’t work, open the configuration file in a text editor and see that your ddns name & port is specified as the destination. If not, change it and try again. (Also, make sure it includes certificates.)
If that doesn’t work, sanitize the configuration file in a text editor and post it here.

2.4 and 2.5 have changed how the cipher negotiation works, and you are seeing notes to that effect. Normally the server and the client will advertise their preferred cipher, and if they don’t match, then they will negotiate a common cipher. Because you are using the cipher that is in the configuration file, they should match, but unless one or both is set not to negotiate a cipher it should still work. What you are seeing is a warning that the configuration file is specifying -CBC, but it isn’t in the list of ciphers that your client is prepared to negotiate. But as long as the server speaks one of those as well, it should go through.

More on cipher negotiation here: https://community.openvpn.net/openvpn/wiki/CipherNegotiation

The bigger problem is that it looks like the client is trying to get to 192.168.1.0 (which sounds like the LAN network of the Orbi) and doesn’t know how to get there, not least because there are a billion subnets out there with that stupid choice.

shoelessone · 2022-02-28T17:45:12.230Z

Thank you so so much for the thoughtful and super useful reply @elorimer <3

Your message prompted me to look a bit deeper into the VPN configuration. In the end, what worked is swapping my configuration fro dev tun to dev tun, and swapping from UDP → TCP and setting the correct port (for tunnel over tcp).

I should probably mention that my current test setup is I have my iPhone tethered to the Beryl (and the Beryl is using the “tether” internet option accordingly). I don’t know if I switch to “repeater” mode for internet if this would effect my setup (?). I’ve done a bit of reading but I’m a bit limited on time at the moment and my primary goal is not to access my home network while I’m away, but rather to have my traffic from my router appear to come from my home address.

This thread (which is old I realize) vpn - Should I use tap or tun for openvpn? - Server Fault makes me think that “tun” is OK for my purposes.

Thanks again for your help, really appreciate it!

elorimer · 2022-02-28T18:16:13.427Z

Yes, unless there is a compelling reason for TAP, always use TUN. If you want to use TAP, lie down until the mood passes.

Using the iPhone is a good way of seeing if your setup works, because your traffic unambiguously is going out to the internet one way and then coming back to your Orbi. If you take your Beryl someplace else and use the repeater (WISP) option instead, it all should work the same way.

Be aware that the speed at which you download something from the internet through your Orbi to your Beryl is going to be affected by your Orbi’s upload speed. At my house, I have a 200/40 cable connection, and at location #2 I have a 200/10 cable connection. So if I am reaching the internet through my house, I’m going to be limited by that 40.

For that reason, you may want to create a second Beryl VPN client, identical to the first, that includes pull-filter ignore redirect-gateway. If you use that second client, it should give you access to your home network, but any other traffic will go out through the Beryl’s own WAN, and not over the tunnel, because it will ignore the instruction from the server to redirect the Beryl’s gateway. So then other sites you will be limited to the 200, in my example. By having two clients, you can decide which mode you want to be in, everything over the tunnel, or only some things over the tunnel.

shoelessone · 2022-02-28T19:30:51.858Z

Yes, unless there is a compelling reason for TAP, always use TUN. If you want to use TAP, lie down until the mood passes.

loled here. Thanks :).

After a bit more testing I’m having some mixed results tethering to my phone. This was working well for a while, but at some point the network just stopped responding. I’m a bit worried that this is going to turn into a full time job trying to diagnose the issue (e.g. is it my budget cellular provider cutting me off for some reason? Is my home router / VPN server choking? etc).

I have my home IP memorized (or can dig <ddns> I suppose) so might give this a shot next time I’m at a coffee shop or something to see if I’m having better / more consistent results this way.

Thanks for the pull-filter ignore redirect-gateway info - I’ll look more into this option.

Thanks again!

elorimer · 2022-02-28T20:11:06.054Z

shoelessone:

I have my home IP memorized (or can dig <ddns> I suppose) so might give this a shot next time I’m at a coffee shop or something to see if I’m having better / more consistent results this way.

Definitely set your Orbi to have a ddns address. I think Netgear like Asus does it for free. Unless you are paying for a static address, from time to time your home IP will change. This way you never have to worry about it.