Hello,
I have a problem with setting up a connection to my own OpenVPN server. Basically it has worked fine for me for quite a long time. I can connect from my computer with no issues. I’ve set up the connection from my old router with LuCI to this server as a gateway to my home network. No problems at all.
Now I have bought a new router, the Beryl AX3000, and I can’t use my OpenVPN connection. A connection to some random VPN provider works fine, but when I use my server strange things happen.
I try to use the “OpenVPN” menu, I add my .ovpn file and there is no problem. I provide the password. Then when I start the connection I completely lose the connection to the router. I lose my IP address as if the DHCP server is gone, and I can’t connect to the router in any way, even with a static IP, which I expect to work for the router both in its normal state and with the IP from OpenVPN. It ended up in a factory reset of the router. Now for test purposes I use the toggle button: when I move it to the left everything is broken and when I move it to the right everything is back to normal.
I’ve tried adding some plugins to LuCI and connecting to the server; after connecting, at least I don’t lose the connection to the router, but I haven’t set up all that traffic forwarding, which I prefer to avoid as I am not very good at understanding what I am doing.
I suspect that it could have something to do with the fact that I use a TAP connection and the router, even when it understands that I want TAP, uses TUN - the one which I tested was TUN.
Config of my OpenVPN server:
askpass
port 1194
proto udp
mode server
tls-server
dev tap
ca keys/ca.crt
cert keys/cert.crt
key keys/key.key
dh keys/dh.pem
topology subnet
ifconfig 192.168.0.242 255.255.255.0
ifconfig-pool 192.168.0.244 192.168.0.248
client-to-client
keepalive 10 120
tls-auth keys/ta.key 0
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
My client config:
askpass
client
dev tap
proto udp
remote xx.xx.xx.xx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
</key>
The log is quite long, so I put here only the things which concern me:
daemon.notice ovpnclient[28366]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
daemon.notice ovpnclient[28366]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
user.warn : skip line without '=' Default
user.warn : skip line without '='
daemon.notice netifd: lan (28332): udhcpc: performing DHCP renew
daemon.notice netifd: lan (28332): udhcpc: sending discover
daemon.notice ovpnclient[28366]: TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1194
daemon.notice ovpnclient[28366]: Socket Buffers: R=[212992->212992] S=[212992->212992]
daemon.notice ovpnclient[28366]: VERIFY EKU OK
daemon.notice ovpnclient[28366]: VERIFY OK: depth=0, CN=OVPN_server
daemon.warn ovpnclient[28366]: WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'
daemon.warn ovpnclient[28366]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1589'
daemon.warn ovpnclient[28366]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
daemon.notice ovpnclient[28366]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
daemon.notice ovpnclient[28366]: [OVPN_server] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
daemon.notice ovpnclient[28366]: PUSH: Received control message: 'PUSH_REPLY,ping 10,ping-restart 120,ifconfig 192.168.0.244 255.255.255.0,peer-id 0,cipher AES-256-GCM'
daemon.notice ovpnclient[28366]: OPTIONS IMPORT: timers and/or timeouts modified
daemon.notice ovpnclient[28366]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
daemon.notice ovpnclient[28366]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
daemon.warn ovpnclient[28366]: WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address. You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
daemon.notice ovpnclient[28366]: TUN/TAP device ovpnclient opened
daemon.notice ovpnclient[28366]: net_iface_mtu_set: mtu 1500 for ovpnclient
daemon.notice ovpnclient[28366]: net_iface_up: set ovpnclient up
daemon.notice netifd: Network device 'ovpnclient' link is up
daemon.notice ovpnclient[28366]: net_addr_ptp_v4_add: 192.168.0.244 peer 255.255.255.0 dev ovpnclient
daemon.info avahi-daemon[5320]: Joining mDNS multicast group on interface ovpnclient.IPv4 with address 192.168.0.244.
daemon.info avahi-daemon[5320]: New relevant interface ovpnclient.IPv4 for mDNS.
daemon.info avahi-daemon[5320]: Registering new address record for 192.168.0.244 on ovpnclient.IPv4.
daemon.info dnsmasq[29106]: Connected to system UBus
daemon.info dnsmasq[29106]: started, version 2.85 cachesize 150
daemon.info dnsmasq[29106]: DNS service limited to local subnets
daemon.info dnsmasq[29106]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
daemon.info dnsmasq[29106]: UBus support enabled: connected to system bus
daemon.info dnsmasq[29106]: using only locally-known addresses for domain test
daemon.info dnsmasq[29106]: using only locally-known addresses for domain onion
daemon.info dnsmasq[29106]: using only locally-known addresses for domain localhost
daemon.info dnsmasq[29106]: using only locally-known addresses for domain local
daemon.info dnsmasq[29106]: using only locally-known addresses for domain invalid
daemon.info dnsmasq[29106]: using only locally-known addresses for domain bind
daemon.info dnsmasq[29106]: using only locally-known addresses for domain lan
daemon.info dnsmasq[29106]: reading /tmp/resolv.conf.d/resolv.conf.ovpn
daemon.info dnsmasq[29106]: using only locally-known addresses for domain test
daemon.info dnsmasq[29106]: using only locally-known addresses for domain onion
daemon.info dnsmasq[29106]: using only locally-known addresses for domain localhost
daemon.info dnsmasq[29106]: using only locally-known addresses for domain local
daemon.info dnsmasq[29106]: using only locally-known addresses for domain invalid
daemon.info dnsmasq[29106]: using only locally-known addresses for domain bind
daemon.info dnsmasq[29106]: using only locally-known addresses for domain lan
daemon.info dnsmasq[29106]: using nameserver 209.244.0.3#53
daemon.info dnsmasq[29106]: using nameserver 64.6.64.6#53
daemon.info dnsmasq[29106]: read /etc/hosts - 4 addresses
daemon.info dnsmasq[29106]: read /tmp/hosts/dhcp.cfg01411c - 2 addresses
daemon.notice netifd: Interface 'ovpnclient' is now up
user.notice firewall: Reloading firewall due to ifup of ovpnclient (ovpnclient)
daemon.info dnsmasq[29106]: read /etc/hosts - 4 addresses
daemon.info dnsmasq[29106]: read /tmp/hosts/dhcp.cfg01411c - 2 addresses
daemon.info dnsmasq[29106]: read /etc/hosts - 4 addresses
daemon.info dnsmasq[29106]: read /tmp/hosts/dhcp.cfg01411c - 2 addresses
kern.warn kernel: [ 2090.807170] 7981@C13L2,Set_DisConnectAllSta_Proc() 22426: Send DeAuth (Reason=2) to xx:xx:xx:xx:xx:xx
kern.warn kernel: [ 2090.821562] 7981@C01L2,wifi_sys_disconn_act() 1002: wdev_idx=2
kern.notice kernel: [ 2090.827867] 7981@C08L3,hw_ctrl_flow_v2_disconnt_act() 172: wdev_idx=2
kern.warn kernel: [ 2090.835295] 7981@C13L2,MacTableDeleteEntry() 1793: Del Sta:xx:xx:xx:xx:xx:xx
kern.err kernel: [ 2090.844542] 7981@C12L1,rt28xx_ap_ioctl() 893: interface is down, cmd [8be2] return!!!
daemon.notice netifd: ovpnclient (28366): Interface doesn't accept private ioctl...
daemon.notice netifd: ovpnclient (28366): set (8BE2): Network is down
daemon.notice netifd: ovpnclient (28366): Interface doesn't accept private ioctl...
daemon.notice netifd: ovpnclient (28366): set (8BE2): Network is down
kern.err kernel: [ 2090.855596] 7981@C12L1,rt28xx_ap_ioctl() 893: interface is down, cmd [8be2] return!!!
kern.info kernel: [ 2090.870965] br-lan: port 1(eth1) entered disabled state
kern.notice kernel: [ 2090.891086] 7981@C08L3,ap_peer_auth_req_at_idle_action() 717: AUTH - MBSS(2), Rcv AUTH seq#1, Alg=0, Status=0 from [wcid=1023]xx:xx:xx:xx:xx:xx
kern.debug kernel: [ 2090.904143] entrytb_aid_aquire(): found non-occupied aid:5, allocated from:4
kern.warn kernel: [ 2090.911241] 7981@C13L2,MacTableInsertEntry() 1537: New Sta:xx:xx:xx:xx:xx:xx
kern.notice kernel: [ 2090.920489] 7981@C08L3,ap_cmm_peer_assoc_req_action() 1647: Recv Assoc from STA - xx:xx:xx:xx:xx:xx
kern.notice kernel: [ 2090.929955] 7981@C08L3,ap_cmm_peer_assoc_req_action() 2170: ReASSOC Send ReASSOC response (Status=0)...
kern.notice kernel: [ 2090.939688] 7981@C01L3,wifi_sys_conn_act() 1115: wdev idx = 2
kern.notice kernel: [ 2090.945748] 7981@C08L3,hw_ctrl_flow_v2_connt_act() 215: wdev_idx=2
kern.notice kernel: [ 2091.066726] 7981@C15L3,WPABuildPairMsg1() 5280: <=== send Msg1 of 4-way
kern.notice kernel: [ 2091.073347] 7981@C15L3,PeerPairMsg2Action() 6202: ===>Receive msg 2
kern.notice kernel: [ 2091.080091] 7981@C15L3,WPABuildPairMsg3() 5557: <=== send Msg3 of 4-way
kern.notice kernel: [ 2091.086760] 7981@C15L3,PeerPairMsg4Action() 6632: ===>Receive msg 4
kern.warn kernel: [ 2091.098314] 7981@C15L2,PeerPairMsg4Action() 6994: AP SETKEYS DONE(rax0) - AKMMap=WPA2PSK, PairwiseCipher=AES, GroupCipher=AES, wcid=2 from xx:xx:xx:xx:xx:xx
kern.warn kernel: [ 2091.098314]
kern.info kernel: [ 2091.893208] MediaTek MT7981 PHY mdio-bus:00: TX-VCM SW cal result: 0x2
kern.info kernel: [ 2091.900595] mtk_soc_eth 15100000.ethernet eth1: PHY [mdio-bus:00] driver [MediaTek MT7981 PHY]
kern.info kernel: [ 2091.909207] mtk_soc_eth 15100000.ethernet eth1: configuring for phy/gmii link mode
daemon.notice netifd: lan (28332): udhcpc: sending discover
daemon.notice ovpnclient[28366]: Initialization Sequence Completed
daemon.err ovpnclient[28366]: write to TUN/TAP : Invalid argument (code=22)
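As an added example (not from the poster or GL.iNet), this script correlates the client config with the log excerpts above: it pulls the negotiated `dev-type` mismatch out of OpenVPN's "used inconsistently" warnings, flags the point-to-point `ifconfig` call whose peer argument is really a netmask, and counts the `write to TUN/TAP` EINVAL errors that follow, so the TAP-vs-TUN problem can be confirmed from the log rather than guessed. The config and log lines are constructed excerpts of what the post shows; the function names are mine.

```python
import re
from ipaddress import IPv4Address

# Constructed sample: excerpts of the client config and the ovpnclient log from the post.
CLIENT_CONFIG = "client\ndev tap\nproto udp\nremote xx.xx.xx.xx 1194\n"
LOG_LINES = [
    "daemon.warn ovpnclient[28366]: WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'",
    "daemon.notice ovpnclient[28366]: net_addr_ptp_v4_add: 192.168.0.244 peer 255.255.255.0 dev ovpnclient",
    "daemon.notice ovpnclient[28366]: Initialization Sequence Completed",
    "daemon.err ovpnclient[28366]: write to TUN/TAP : Invalid argument (code=22)",
    "daemon.err ovpnclient[28366]: write to TUN/TAP : Invalid argument (code=22)",
]

INCONSISTENT = re.compile(r"WARNING: '([\w-]+)' is used inconsistently, local='[\w-]+ (\S+)', remote='[\w-]+ (\S+)'")
PTP_ADD = re.compile(r"net_addr_ptp_v4_add: (\S+) peer (\S+) dev")

def is_netmask(addr):
    """True if addr is a contiguous netmask (e.g. 255.255.255.0) rather than a host address."""
    inverted = ~int(IPv4Address(addr)) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0

def configured_dev(config_text):
    """Return the 'dev' value from an OpenVPN config (None if absent)."""
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "dev":
            return parts[1]
    return None

def analyze(config_text, log_lines):
    """Correlate the config with OpenVPN log lines and return a dict of findings."""
    findings = {"configured_dev": configured_dev(config_text), "mismatches": {},
                "peer_is_netmask": False, "tun_write_errors": 0}
    for line in log_lines:
        m = INCONSISTENT.search(line)
        if m:  # option negotiated differently on each side, e.g. dev-type tun vs tap
            findings["mismatches"][m.group(1)] = (m.group(2), m.group(3))
        m = PTP_ADD.search(line)
        if m and is_netmask(m.group(2)):  # TUN point-to-point peer set to a netmask
            findings["peer_is_netmask"] = True
        if "write to TUN/TAP : Invalid argument" in line:
            findings["tun_write_errors"] += 1
    local, remote = findings["mismatches"].get("dev-type", (None, None))
    if local and local != remote:
        findings["verdict"] = (f"config asks for dev {findings['configured_dev']} but the client brought up dev "
                               f"{local} while the server uses dev {remote}; {findings['tun_write_errors']} TUN/TAP write errors followed")
    else:
        findings["verdict"] = "no dev-type mismatch found"
    return findings
```

Run it against the full log (one line per list entry) to see the verdict; a `dev-type` mismatch with the write errors counted is the TAP/TUN problem the post suspects.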