openvpn error

Hello,
I use a fiber optic contract with the provider Deutsche Glasfaser. Unfortunately, I no longer have a fixed IPv4 here.
In order to access my internal network, I installed OpenVPN on my NAS. I can also access my NAS from outside using my iPhone and the configuration file. I use a VPS and 6tunnel. I have now bought a GL.iNet GL-MT3000. The latest firmware version 4.6.4 is installed. I have uploaded my OpenVPN configuration file here. Unfortunately, I cannot establish a connection.
I am attaching my configuration file and the error log. Can anyone help me?

OpenVPN config:

dev tun
tls-client

dhcp-option DOMAIN fritz.box
remote ip 1194

# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)

#float

# If redirect-gateway is enabled, the client will redirect its
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)

redirect-gateway def1

# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.

dhcp-option DNS 192.168.178.1

pull

# If you want to connect by Server's IPv6 address, you should use
# "proto udp6" in UDP mode or "proto tcp6-client" in TCP mode
proto tcp-client

script-security 2


comp-lzo

reneg-sec 0

cipher AES-256-CBC

auth SHA512

auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
XXX
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
XXX
-----END CERTIFICATE-----

</ca>

Log

Mon Sep  9 17:29:32 2024 daemon.notice ovpnclient[15498]: Attempting to establish TCP connection with [AF_INET]ip:1194 [nonblock]
Mon Sep  9 17:29:32 2024 daemon.notice ovpnclient[15498]: TCP connection established with [AF_INET]ip:1194
Mon Sep  9 17:29:32 2024 daemon.notice ovpnclient[15498]: TCP_CLIENT link local: (not bound)
Mon Sep  9 17:29:32 2024 daemon.notice ovpnclient[15498]: TCP_CLIENT link remote: [AF_INET]ip:1194
Mon Sep  9 17:29:34 2024 daemon.notice ovpnclient[15498]: [synologyddnsname] Peer Connection Initiated with [AF_INET]ip:1194
Mon Sep  9 17:29:35 2024 daemon.notice ovpnclient[15498]: AUTH: Received control message: AUTH_FAILED
Mon Sep  9 17:29:35 2024 daemon.notice ovpnclient[15498]: SIGTERM[soft,auth-failure] received, process exiting
Mon Sep  9 17:29:40 2024 daemon.notice netifd: Interface 'ovpnclient' is now down
Mon Sep  9 17:29:40 2024 daemon.notice netifd: Interface 'ovpnclient' is setting up now
Mon Sep  9 17:29:40 2024 daemon.warn ovpnclient[15704]: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Mon Sep  9 17:29:40 2024 daemon.notice ovpnclient[15704]: OpenVPN 2.5.3 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Sep  9 17:29:40 2024 daemon.notice ovpnclient[15704]: library versions: OpenSSL 1.1.1q  5 Jul 2022, LZO 2.10
Mon Sep  9 17:29:40 2024 daemon.warn ovpnclient[15704]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Sep  9 17:29:40 2024 daemon.warn ovpnclient[15704]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Sep  9 17:29:40 2024 daemon.notice ovpnclient[15704]: TCP/UDP: Preserving recently used remote address: [AF_INET]ip:1194
Mon Sep  9 17:29:40 2024 daemon.notice ovpnclient[15704]: Attempting to establish TCP connection with [AF_INET]ip:1194 [nonblock]
Mon Sep  9 17:29:40 2024 daemon.notice ovpnclient[15704]: TCP connection established with [AF_INET]ip:1194
Mon Sep  9 17:29:40 2024 daemon.notice ovpnclient[15704]: TCP_CLIENT link local: (not bound)
Mon Sep  9 17:29:40 2024 daemon.notice ovpnclient[15704]: TCP_CLIENT link remote: [AF_INET]ip:1194
Mon Sep  9 17:29:42 2024 daemon.notice ovpnclient[15704]: [synologyddnsname] Peer Connection Initiated with [AF_INET]ip:1194

The error is due to wrong authentication. So mostly wrong username / password.

Hello,
Thanks for the quick reply. I have tried a different password without special characters. Unfortunately no success either.

Could you please remove this and test again?

Hello,
No success.
I removed redirect-gateway def1.

Tue Sep 10 16:18:31 2024 daemon.notice ovpnclient[17283]: TCP_CLIENT link local: (not bound)
Tue Sep 10 16:18:31 2024 daemon.notice ovpnclient[17283]: TCP_CLIENT link remote: [AF_INET]vps ip:1194
Tue Sep 10 16:18:33 2024 daemon.notice ovpnclient[17283]: [nas domain] Peer Connection Initiated with [AF_INET]vps ip:1194
Tue Sep 10 16:18:34 2024 daemon.notice ovpnclient[17283]: AUTH: Received control message: AUTH_FAILED
Tue Sep 10 16:18:34 2024 daemon.notice ovpnclient[17283]: SIGTERM[soft,auth-failure] received, process exiting
Tue Sep 10 16:18:39 2024 daemon.notice netifd: Interface 'ovpnclient' is now down
Tue Sep 10 16:18:39 2024 daemon.notice netifd: Interface 'ovpnclient' is setting up now
Tue Sep 10 16:18:39 2024 daemon.warn ovpnclient[17469]: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Tue Sep 10 16:18:39 2024 daemon.notice ovpnclient[17469]: OpenVPN 2.5.3 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Tue Sep 10 16:18:39 2024 daemon.notice ovpnclient[17469]: library versions: OpenSSL 1.1.1q  5 Jul 2022, LZO 2.10nas domain
Tue Sep 10 16:18:39 2024 daemon.warn ovpnclient[17469]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Sep 10 16:18:39 2024 daemon.warn ovpnclient[17469]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Sep 10 16:18:39 2024 daemon.notice ovpnclient[17469]: TCP/UDP: Preserving recently used remote address:nas domain [AF_INET]vps ip:1194
Tue Sep 10 16:18:39 2024 daemon.notice ovpnclient[17469]: Attempting to establish TCP connection with [AF_INET]vps ip:1194 [nonblock]
Tue Sep 10 16:18:39 2024 daemon.notice ovpnclient[17469]: TCP connection established with [AF_INET]vps ip:1194
Tue Sep 10 16:18:39 2024 daemon.notice ovpnclient[17469]: TCP_CLIENT link local: (not bound)
Tue Sep 10 16:18:39 2024 daemon.notice ovpnclient[17469]: TCP_CLIENT link remote: [AF_INET]vps ip:1194
Tue Sep 10 16:18:41 2024 daemon.notice ovpnclient[17469]: [nas domain] Peer Connection Initiated with [AF_INET]vps ip:1194
Tue Sep 10 16:18:42 2024 daemon.notice ovpnclient[17469]: AUTH: Received control message: AUTH_FAILED
Tue Sep 10 16:18:42 2024 daemon.notice ovpnclient[17469]: SIGTERM[soft,auth-failure] received, process exiting


Does it matter which network mode you choose?

  • Router
  • Access Point
  • Extender
  • WDS

My firewall in the Synology always blocks it too.

Hi

Could you please post the OpenVPN server logs from the NAS? We need to check whether the server received the auth info.

Now it works, but the speed is slow. I can't open any website.
If I open the OpenVPN config file directly on my phone, I can surf at a reasonable speed.

I got a connection, but no internet via vpn:

Mon Sep 23 09:30:11 2024 daemon.notice ovpnclient[12919]: net_iface_up: set ovpnclient up
Mon Sep 23 09:30:11 2024 daemon.notice ovpnclient[12919]: net_addr_v6_add: ipv6:1000/64 dev ovpnclient
Mon Sep 23 09:30:11 2024 daemon.info avahi-daemon[4073]: Leaving mDNS multicast group on interface ovpnclient.IPv6 with address fe80::8e1e:448:c082:a3f.
Mon Sep 23 09:30:11 2024 daemon.info avahi-daemon[4073]: Joining mDNS multicast group on interface ovpnclient.IPv6 with address ipv6:1000.
Mon Sep 23 09:30:11 2024 daemon.info avahi-daemon[4073]: Registering new address record for ipv6:1000 on ovpnclient.*.
Mon Sep 23 09:30:11 2024 daemon.info avahi-daemon[4073]: Withdrawing address record for fe80::8e1e:448:c082:a3f on ovpnclient.
Mon Sep 23 09:30:11 2024 daemon.notice ovpnclient[12919]: /etc/openvpn/scripts/ovpnclient-up ovpnclient 0 ovpnclient 1500 1555 10.0.0.6 10.0.0.5 init
Mon Sep 23 09:30:11 2024 user.notice ovpnclient-up: env value:route_vpn_gateway=10.0.0.5 daemon_log_redirect=0 script_type=up ifconfig_ipv6_remote=ipv6:1 proto_1=tcp-client daemon=0 SHLVL=1 foreign_option_1=dhcp-option DOMAIN fritz.box dev_type=tun route_network_1=192.168.178.0 foreign_option_2=dhcp-option DNS 192.168.178.1 remote_1=87.106.71.131 dev=ovpnclient route_network_2=10.0.0.0 foreign_option_3=dhcp-option DNS 8.8.8.8 route_network_3=10.0.0.1 X509_0_CN=synology.domain.me remote_port_1=1194 X509_1_CN=R10 X509_1_C=US X509_2_CN=ISRG Root X1 X509_2_C=US tls_digest_sha256_0=c2:7c:0d:3c:6e:a8:a8:08:2d:f1:eb:a2:b8:b3:f1:6f:71:6e:7d:c4:f3:de:df:87:71:2a:ac:ec:7f:d2:95:74 daemon_start_time=1727076609 script_context=init ifconfig_local=10.0.0.6 common_name=synology.domain.me tls_digest_sha256_1=9d:7c:3f:1a:a6:ad:2b:2e:c0:d5:cf:1e:24:6f:8d:9a:e6:cb:c9:fd:07:55:ad:37:bb:97:4b:1f:2f:b6:03:f3 tls_digest_sha256_2=96:bc:ec:06:26:49:76:f3:74:60:77:9a:cf:28:c5:a7:cf:e8:a3:c0:aa:e1:1a:8f:fc:ee:05:c
Mon Sep 23 09:30:11 2024 daemon.notice netifd: Network device 'ovpnclient' link is up
Mon Sep 23 09:30:11 2024 daemon.notice netifd: Interface 'ovpnclient' is now up
Mon Sep 23 09:30:11 2024 daemon.notice netifd: ovpnclient (12919): route: SIOCDELRT: No such process
Mon Sep 23 09:30:11 2024 daemon.notice netifd: ovpnclient (12919): route: SIOCDELRT: No such process
Mon Sep 23 09:30:11 2024 daemon.notice netifd: ovpnclient (12919): route: SIOCDELRT: No such process
Mon Sep 23 09:30:11 2024 daemon.notice netifd: ovpnclient (12919): route: SIOCDELRT: No such process
Mon Sep 23 09:30:11 2024 daemon.notice netifd: ovpnclient (12919): route: SIOCDELRT: No such process
Mon Sep 23 09:30:11 2024 daemon.notice netifd: ovpnclient (12919): route: SIOCDELRT: No such process
Mon Sep 23 09:30:11 2024 user.notice firewall: Reloading firewall due to ifup of ovpnclient (ovpnclient)
Mon Sep 23 09:30:12 2024 user.notice nat6: Firewall config="ovpnclient" zone="ovpnclient" zone_masq6="0".
Mon Sep 23 09:30:14 2024 daemon.warn ovpnclient[12919]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Sep 23 09:30:14 2024 daemon.notice ovpnclient[12919]: Initialization Sequence Completed

I changed VPN to automatic detection. Now I have an internet connection, but I cannot open my internal IP, e.g. 192.168.178.1.

Decrease the MTU number.

Using the global proxy mode.

MTU is empty. I changed to VPN policy based on destination domain or IP; now it works.

Can you remove this line as well?

Hello, at the moment I'm in Spain. My OpenVPN config works in my router, but I can't access my network at home in Germany.
If I open the OpenVPN profile in the app on my iPad, everything works and I have access to my network at home in Germany.
Does anyone have any idea what the problem is?
I don't want to install the OpenVPN app on every device so that I can access my network at home. I just want to have the OpenVPN connection opened centrally in the router so that I can access my devices at home from every device.

Is your network at home and on your travel router the same? Like both 192.168.178?

No, my home network is 192.168.178.1 and the one in Spain is 192.168.1.139.
But why does it work with the OpenVPN app on my iPad?

The OpenVPN client on a real client works differently than on some router.
Could you share the OVPN config, minus the keys and stuff?


dev tun
tls-client

dhcp-option DOMAIN fritz.box
remote ip 1194

# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)

#float

# If redirect-gateway is enabled, the client will redirect its
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)

# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.

dhcp-option DNS 192.168.178.1

pull

# If you want to connect by Server's IPv6 address, you should use
# "proto udp6" in UDP mode or "proto tcp6-client" in TCP mode
proto tcp-client

script-security 2


comp-lzo

reneg-sec 0

cipher AES-256-CBC

auth SHA512

auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
XXX
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
XXX
-----END CERTIFICATE-----

</ca>

Try without the options dhcp-option DOMAIN fritz.box and dhcp-option DNS 192.168.178.1

I tried without the options. No success.
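
Added example, not part of the original thread and not OpenVPN or GL.iNet code: a small checker that reads an .ovpn client file like the one posted above and reports the four settings the router log warns about (no server certificate verification, compression, script-security level, password cached in memory). The hostname `vpn.example.test`, the finding ids and the function names are assumptions made for this example.

```python
import re
# Directives that each enable a server-certificate verification method.
VERIFY = {"remote-cert-tls", "remote-cert-eku", "verify-x509-name",
          "tls-verify", "ns-cert-type"}

def parse_directives(text):
    """Map directive -> argument lists; skip comments and inline block bodies."""
    found, inline = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if inline:                         # inside <ca>...</ca> and similar
            inline = None if line == f"</{inline}>" else inline
            continue
        if not line or line[0] in "#;":
            continue
        if tag := re.fullmatch(r"<([a-z0-9-]+)>", line):
            inline = tag.group(1)
            continue
        name, *args = line.split()
        found.setdefault(name, []).append(args)
    return found

def audit(text):
    """Return one finding id per warning that appears in the router log."""
    d, out = parse_directives(text), []
    if VERIFY.isdisjoint(d):
        out.append("no-server-cert-verification")  # fix: remote-cert-tls server
    if "comp-lzo" in d or "compress" in d:
        out.append("compression")       # must match the server; drop on both
    level = d.get("script-security", [["1"]])[-1]
    if level and level[0].isdigit() and int(level[0]) >= 2:
        out.append("script-security")   # level 2 permits user-defined scripts
    if "auth-user-pass" in d and "auth-nocache" not in d:
        out.append("password-cached")   # fix: auth-nocache
    return out

# Constructed sample modelled on the config posted in the thread (placeholders).
SAMPLE = """\
remote vpn.example.test 1194
#float
script-security 2
comp-lzo
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
XXX
-----END CERTIFICATE-----
</ca>
"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```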