OpenVPN client permission denied

Hello, I have just bought a GL.iNet GL-MT1300 (Beryl) router but I can’t use it to connect to my OpenVPN server.

I get these from the router logs (SSH - logread)

Sat Dec 17 23:53:20 2022 daemon.notice openvpn[25004]: OpenVPN 2.5.2 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Dec 17 23:53:20 2022 daemon.notice openvpn[25004]: library versions: OpenSSL 1.1.1n  15 Mar 2022
Sat Dec 17 23:53:20 2022 daemon.notice openvpn[25004]: Restart pause, 2 second(s)
Sat Dec 17 23:53:22 2022 daemon.warn openvpn[25004]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Dec 17 23:53:22 2022 daemon.notice openvpn[25004]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sat Dec 17 23:53:22 2022 daemon.notice openvpn[25004]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Dec 17 23:53:22 2022 daemon.notice openvpn[25004]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sat Dec 17 23:53:22 2022 daemon.notice openvpn[25004]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Dec 17 23:53:22 2022 daemon.notice openvpn[25004]: Control Channel MTU parms [ L:1623 D:1154 EF:96 EB:0 ET:0 EL:3 ]
Sat Dec 17 23:53:22 2022 daemon.notice openvpn[25004]: Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Sat Dec 17 23:53:22 2022 daemon.notice openvpn[25004]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Sat Dec 17 23:53:22 2022 daemon.notice openvpn[25004]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1603,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Sat Dec 17 23:53:22 2022 daemon.notice openvpn[25004]: TCP/UDP: Preserving recently used remote address: [AF_INET6]GLOBAL_IPV6_IP:1194
Sat Dec 17 23:53:22 2022 daemon.notice openvpn[25004]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Sat Dec 17 23:53:22 2022 daemon.notice openvpn[25004]: Attempting to establish TCP connection with [AF_INET6]GLOBAL_IPV6_IP:1194 [nonblock]
Sat Dec 17 23:53:22 2022 daemon.err openvpn[25004]: TCP: connect to [AF_INET6]GLOBAL_IPV6_IP:1194 failed: Permission denied
Sat Dec 17 23:53:22 2022 daemon.notice openvpn[25004]: SIGHUP[connection failed(soft),init_instance] received, process restarting
Sat Dec 17 23:53:22 2022 daemon.warn openvpn[25004]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Sat Dec 17 23:53:22 2022 daemon.notice openvpn[25004]: OpenVPN 2.5.2 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Dec 17 23:53:22 2022 daemon.notice openvpn[25004]: library versions: OpenSSL 1.1.1n  15 Mar 2022
Sat Dec 17 23:53:22 2022 daemon.notice openvpn[25004]: Restart pause, 2 second(s)

I have updated the firmware to the latest available version 3.215 but the error messages are the same.

The OpenVPN client configuration I send to the router is:

client
dev tun-ipv6
proto udp6
remote GLOBAL_IPV6_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
verb 4

<ca>
DATA
</ca>
<cert>
DATA
</cert>
<key>
DATA
</key>
<tls-crypt>
DATA
</tls-crypt>

The server is running OpenVPN 2.5.8 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 28 2022
library versions: OpenSSL 1.0.2u 20 Dec 2019, LZO 2.08

server config:

port 1194
proto tcp6
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
server-ipv6 fddd:1194:1194:1194::/64
push "redirect-gateway def1 ipv6 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DNS6 2001:4860:4860::8888"
push "dhcp-option DNS6 2001:4860:4860::8844"
push "block-outside-dns"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 4
log-append /var/log/openvpn.log
crl-verify crl.pem

The server doesn’t get any traffic so it shows no logs.

If I connect from my computer directly using OpenVPN Connect it works, so I am pretty sure this is some issue with the router’s OpenVPN client or related config.

Is the router able to connect to OpenVPN servers over IPv6? Is there something wrong in my configuration?

Any help would be appreciated as this is the main use case for this router, so if it doesn’t work I will have to return it.

Thanks
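Added example, not part of the thread: a small linter that cross-checks the client and server configs posted above against each other. It flags the two things a reviewer would notice in them: the client says `proto udp6` while the server listens on `proto tcp6` (UDP and TCP peers never handshake, which is consistent with the server logging nothing), and `cipher AES-256-CBC` is absent from the `--data-ciphers` list, which is exactly the DEPRECATED OPTION warning in the log. The config text is an abridged copy of the posted configs with the key material elided; the default data-cipher list is the one the warning itself quotes.

```python
"""Cross-check an OpenVPN client config against the server it targets (added example)."""
import re
import shlex

# OpenVPN 2.5 default for --data-ciphers, as quoted in the log's DEPRECATED OPTION warning.
DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]

# Constructed, abridged copies of the client and server configs from the post (secrets elided).
CLIENT_CFG = """\
client
dev tun-ipv6
proto udp6
remote GLOBAL_IPV6_IP 1194
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
<ca>
DATA
</ca>
<tls-crypt>
DATA
</tls-crypt>
"""
SERVER_CFG = """\
port 1194
proto tcp6
dev tun
auth SHA512
tls-crypt tc.key
server 10.8.0.0 255.255.255.0
server-ipv6 fddd:1194:1194:1194::/64
push "redirect-gateway def1 ipv6 bypass-dhcp"
cipher AES-256-CBC
"""


def parse_ovpn(text):
    """Map option name -> list of argument lists. Inline <tag>...</tag> blocks are
    recorded under the tag name with no arguments and their payload is skipped."""
    opts, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                                  # inside <tag> ... </tag>
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":
            continue
        tag = re.fullmatch(r"<([A-Za-z-]+)>", line)
        if tag:
            inline = tag.group(1)
            opts.setdefault(inline, []).append([])
            continue
        parts = shlex.split(line)                   # keeps push "a b c" as one argument
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def first(opts, name):
    """Arguments of the first occurrence of an option, or None if absent."""
    return opts[name][0] if name in opts else None


def transport(proto):
    """Split an OpenVPN --proto value into (transport, address family or 'any')."""
    m = re.fullmatch(r"(udp|tcp)(4|6)?(?:-client|-server)?", proto.lower())
    if not m:
        raise ValueError(f"unrecognised --proto {proto!r}")
    return m.group(1), m.group(2) or "any"


def lint_pair(client_text, server_text):
    """Return human-readable findings; an empty list means the pair is consistent."""
    c, s = parse_ovpn(client_text), parse_ovpn(server_text)
    findings = []
    cproto = (first(c, "proto") or ["udp"])[0]
    sproto = (first(s, "proto") or ["udp"])[0]
    (ct, caf), (st, saf) = transport(cproto), transport(sproto)
    if ct != st:
        findings.append(f"proto mismatch: client {cproto} is {ct.upper()}, server {sproto} "
                        f"is {st.upper()}; no handshake is possible and the server logs nothing")
    elif "any" not in (caf, saf) and caf != saf:
        findings.append(f"address-family mismatch: client {cproto} vs server {sproto}")
    remote = first(c, "remote") or []
    cport = remote[1] if len(remote) > 1 else "1194"
    sport = (first(s, "port") or ["1194"])[0]
    if cport != sport:
        findings.append(f"port mismatch: client remote port {cport}, server port {sport}")
    for side, o in (("client", c), ("server", s)):
        cipher, dc = first(o, "cipher"), first(o, "data-ciphers")
        allowed = dc[0].split(":") if dc else DEFAULT_DATA_CIPHERS
        if cipher and cipher[0] not in allowed and not first(o, "data-ciphers-fallback"):
            findings.append(f"{side}: --cipher {cipher[0]} is not in --data-ciphers "
                            f"({':'.join(allowed)}); add it or use --data-ciphers-fallback")
    wrapped = [bool(set(o) & {"tls-crypt", "tls-auth", "tls-crypt-v2"}) for o in (c, s)]
    if wrapped[0] != wrapped[1]:
        findings.append("tls-crypt/tls-auth is configured on one side only")
    return findings


if __name__ == "__main__":
    for finding in lint_pair(CLIENT_CFG, SERVER_CFG):
        print("-", finding)
```

Run against the posted configs it reports the UDP/TCP mismatch and one data-ciphers finding per side; changing the client to `proto tcp6` and adding `data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC` on both ends clears all three.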

Dumb question, but does the Beryl actually have an IPv6 address? Can you ping6 your server?

I’m not sure about IPv6 on the 3.X firmware. 4.X would be more likely, and a stock build of OpenWrt would be more likely still to support it.

It has a few link-local IPs and one global IP which is marked as "Reserved by IETF (c000::/3)" by an IPv4/IPv6 subnet calculator and addressing planner.

root@GL-MT1300:~# ifconfig
apclix0   Link encap:Ethernet  HWaddr 92:93:C4:22:C2:B8
          inet addr:192.168.1.150  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::9093:c4ff:fe22:c2b8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:99186 errors:0 dropped:0 overruns:0 frame:0
          TX packets:106963 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:26695213 (25.4 MiB)  TX bytes:39485261 (37.6 MiB)

br-guest  Link encap:Ethernet  HWaddr 6A:B4:1C:4B:0B:B6
          inet addr:192.168.9.1  Bcast:192.168.9.255  Mask:255.255.255.0
          inet6 addr: dde2:d984:fcbe:1::1/64 Scope:Global
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

br-lan    Link encap:Ethernet  HWaddr 94:83:C4:22:C2:B7
          inet addr:192.168.8.1  Bcast:192.168.8.255  Mask:255.255.255.0
          inet6 addr: fe80::9683:c4ff:fe22:c2b7/64 Scope:Link
          inet6 addr: dde2:d984:fcbe::1/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:36659 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23560 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:19441384 (18.5 MiB)  TX bytes:11537843 (11.0 MiB)

eth0      Link encap:Ethernet  HWaddr 94:83:C4:22:C2:B6
          inet6 addr: fe80::9683:c4ff:fe22:c2b6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18899 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:5885286 (5.6 MiB)
          Interrupt:23

eth0.1    Link encap:Ethernet  HWaddr 94:83:C4:22:C2:B7
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1593 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:255766 (249.7 KiB)

eth0.2    Link encap:Ethernet  HWaddr 94:83:C4:22:C2:B6
          inet6 addr: fe80::9683:c4ff:fe22:c2b6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12146 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:4146924 (3.9 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:2086 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2086 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:155199 (151.5 KiB)  TX bytes:155199 (151.5 KiB)

ra0       Link encap:Ethernet  HWaddr 94:83:C4:22:C2:B9
          inet6 addr: fe80::9683:c4ff:fe22:c2b9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:76826 errors:7309 dropped:0 overruns:0 frame:0
          TX packets:57550 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:18785456 (17.9 MiB)  TX bytes:14509438 (13.8 MiB)
          Interrupt:25

rax0      Link encap:Ethernet  HWaddr 94:83:C4:22:C2:B8
          inet6 addr: fe80::9683:c4ff:fe22:c2b8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:43779 errors:0 dropped:0 overruns:0 frame:0
          TX packets:25191 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:22531803 (21.4 MiB)  TX bytes:12159069 (11.5 MiB)

Ping6 from the router to the VPN server also returns “Permission denied”

root@GL-MT1300:~# ping6 OPENVPN_SERVER_IPV6
PING OPENVPN_SERVER_IPV6 (OPENVPN_SERVER_IPV6): 56 data bytes
ping6: sendto: Permission denied

3.215 is the latest version of the firmware that is available for download from the Upgrade page in the Web Admin. There is no option for 4.x.

I don’t understand. This router is being advertised as supporting IPv6: GL-MT1300 / Beryl - GL.iNet
That was the reason why I bought this one instead of the cheaper Mango. What kind of support is this? Or am I misconfiguring it?
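Added example, not part of the thread: a parser for the `ifconfig` output above that classifies each `inet6` address by whether it is actually Internet-routable. `ifconfig` prints `Scope:Global` for any address that is neither link-local, site-local nor loopback, so that label does not tell you the prefix is inside the IANA unicast allocation 2000::/3; the check below tests that range explicitly rather than trusting the label (or Python's `ipaddress.is_global`, which on current versions also answers True for unallocated space such as c000::/3). The sample text is a constructed, trimmed copy of the posted output.

```python
"""Classify the IPv6 addresses in ifconfig output by routability (added example)."""
import ipaddress
import re

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")   # IANA unicast allocations
ULA = ipaddress.IPv6Network("fc00::/7")              # RFC 4193, not routed on the Internet
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")

# Constructed sample, trimmed from the ifconfig output posted above.
SAMPLE_IFCONFIG = """\
apclix0   Link encap:Ethernet  HWaddr 92:93:C4:22:C2:B8
          inet addr:192.168.1.150  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::9093:c4ff:fe22:c2b8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

br-lan    Link encap:Ethernet  HWaddr 94:83:C4:22:C2:B7
          inet addr:192.168.8.1  Bcast:192.168.8.255  Mask:255.255.255.0
          inet6 addr: fe80::9683:c4ff:fe22:c2b7/64 Scope:Link
          inet6 addr: dde2:d984:fcbe::1/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
"""


def classify(addr):
    """Return one of: loopback, link-local, ula, global-unicast, reserved."""
    a = ipaddress.IPv6Address(addr)
    if a.is_loopback:
        return "loopback"
    if a in LINK_LOCAL:
        return "link-local"
    if a in ULA:
        return "ula"
    if a in GLOBAL_UNICAST:
        return "global-unicast"
    return "reserved"   # e.g. dde2::/16 lies inside IETF-reserved c000::/3


def parse_ifconfig(text):
    """Return (interface, address, prefix length, kernel scope) for every inet6 line."""
    iface, rows = None, []
    for line in text.splitlines():
        if line and not line[0].isspace():          # interface header line
            iface = line.split()[0]
        m = re.search(r"inet6 addr:\s*([0-9A-Fa-f:]+)/(\d+)\s+Scope:(\w+)", line)
        if m and iface:
            rows.append((iface, m.group(1), int(m.group(2)), m.group(3)))
    return rows


def report(text):
    """Per-address verdicts plus the addresses usable as a source towards an Internet host."""
    rows = [(i, a, p, s, classify(a)) for i, a, p, s in parse_ifconfig(text)]
    usable = [(i, a) for i, a, _, _, cls in rows if cls == "global-unicast"]
    return rows, usable


if __name__ == "__main__":
    rows, usable = report(SAMPLE_IFCONFIG)
    for iface, addr, plen, scope, cls in rows:
        print(f"{iface:<8} {addr}/{plen:<3} kernel-scope={scope:<6} class={cls}")
    print("Internet-routable source addresses:", usable or "none")
```

On the sample, the only non-link-local, non-loopback address (`dde2:d984:fcbe::1`) is classified `reserved` and the usable list is empty, so the router has no source address from which a packet to a public IPv6 host could be sent.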

I’m out of my depth in terms of IPv6 - I try to avoid it because there always seem to be these sorts of issues. That said, I think I’d try with a public IPv6 address on the router side.

There is a 4.1 beta: GL.iNet download center

And again, it’s supported in vanilla OpenWrt, which would certainly be able to deal with this issue.

Thanks for the suggestions.

I configured an ngrok tunnel today to connect to the VPN via IPv4 (the VPN server is in a network with CGNAT for IPv4, that is the reason why I need IPv6) and it worked, then just to re-check I tried again using IPv6 TCP (a config I also had tried yesterday but didn’t post here to reduce the length of the post) and it also worked 🤨. I have no idea what changed. Maybe the router needed to be restarted and some of the configurations I have done forced that?

I even tried with OpenVPN UDPv6 but, even though there was no Permission Denied error, it failed with:

MULTI: bad source address from client [CLIENT_IPV6_IP], packet dropped

Not sure why only UDP6 is failing now, but it seems that TCP6 works OK at least. I might do a few more experiments, but this is already something usable.


The 4.1 firmware is here
https://dl.gl-inet.com/?model=mt1300&type=beta

Maybe you can try.

I tried beta3 as it briefly showed up as 4.1.0 stable in the download center (probably a temporary mistake) and my openvpn configuration doesn’t work at all there.

The connection is established but I get:

ovpnclient[18488]: Recursive routing detected

in the logs and can’t access anything.

I rolled back the firmware to 3.215 where TCP configs (over IPv6 or IPv4) work.

I will wait for the stable version.