Own OpenVPN server connection issue

Hello,

I have a problem with setting up a connection to my own OpenVPN server. Basically it has worked fine for me for quite a long time. I can connect from my computer with no issues. I’ve set up the connection from my old router with LuCI to this server as a gateway to my home network. No problems at all.

Now I have bought a new router, a Beryl AX3000, and I can’t use my OpenVPN connection. Connection to some random VPN provider works fine, but when I use my server strange things happen.

I try to use the “OpenVPN” menu, I add my .ovpn file and there is no problem. I provide the password. Then when I start the connection I completely lose the connection with the router. I lose the IP address as if the DHCP server is gone, and I can’t connect to the router in any way, even with the static IP which I expect the router to have both in the normal state and with the IP from OpenVPN. It ended up in a factory reset of the router. Now for test purposes I use the Toggle Button: when I move it to the left everything is broken and when I move it to the right everything is back to normal.

I’ve tried to add some plugins to LuCI and connect to the server, and after connecting at least I don’t lose connection to the router, but I haven’t set up all that traffic forwarding, which I prefer to avoid as I am not very good at understanding what I am doing. :sweat_smile:

I suspect that it could have something to do with the fact that I use a TAP connection and the router, even when it understands that I want TAP, uses TUN - the one that I tested was TUN.

Config of my OpenVPN server:

askpass
port 1194
proto udp
mode server
tls-server
dev tap
ca keys/ca.crt
cert keys/cert.crt
key keys/key.key
dh keys/dh.pem
topology subnet
ifconfig 192.168.0.242 255.255.255.0
ifconfig-pool 192.168.0.244 192.168.0.248
client-to-client
keepalive 10 120
tls-auth keys/ta.key 0
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3

My client config:

askpass
client
dev tap
proto udp
remote xx.xx.xx.xx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
</key>

The log is quite long, so I put here only those things which are concerning to me:

daemon.notice ovpnclient[28366]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
daemon.notice ovpnclient[28366]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
user.warn : skip line without '=' Default
user.warn : skip line without '='
daemon.notice netifd: lan (28332): udhcpc: performing DHCP renew
daemon.notice netifd: lan (28332): udhcpc: sending discover
daemon.notice ovpnclient[28366]: TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1194
daemon.notice ovpnclient[28366]: Socket Buffers: R=[212992->212992] S=[212992->212992]

daemon.notice ovpnclient[28366]: VERIFY EKU OK
daemon.notice ovpnclient[28366]: VERIFY OK: depth=0, CN=OVPN_server
daemon.warn ovpnclient[28366]: WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'
daemon.warn ovpnclient[28366]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1589'
daemon.warn ovpnclient[28366]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
daemon.notice ovpnclient[28366]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
daemon.notice ovpnclient[28366]: [OVPN_server] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
daemon.notice ovpnclient[28366]: PUSH: Received control message: 'PUSH_REPLY,ping 10,ping-restart 120,ifconfig 192.168.0.244 255.255.255.0,peer-id 0,cipher AES-256-GCM'
daemon.notice ovpnclient[28366]: OPTIONS IMPORT: timers and/or timeouts modified

daemon.notice ovpnclient[28366]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
daemon.notice ovpnclient[28366]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
daemon.warn ovpnclient[28366]: WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address.  You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
daemon.notice ovpnclient[28366]: TUN/TAP device ovpnclient opened
daemon.notice ovpnclient[28366]: net_iface_mtu_set: mtu 1500 for ovpnclient
daemon.notice ovpnclient[28366]: net_iface_up: set ovpnclient up
daemon.notice netifd: Network device 'ovpnclient' link is up
daemon.notice ovpnclient[28366]: net_addr_ptp_v4_add: 192.168.0.244 peer 255.255.255.0 dev ovpnclient
daemon.info avahi-daemon[5320]: Joining mDNS multicast group on interface ovpnclient.IPv4 with address 192.168.0.244.
daemon.info avahi-daemon[5320]: New relevant interface ovpnclient.IPv4 for mDNS.
daemon.info avahi-daemon[5320]: Registering new address record for 192.168.0.244 on ovpnclient.IPv4.

daemon.info dnsmasq[29106]: Connected to system UBus
daemon.info dnsmasq[29106]: started, version 2.85 cachesize 150
daemon.info dnsmasq[29106]: DNS service limited to local subnets
daemon.info dnsmasq[29106]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
daemon.info dnsmasq[29106]: UBus support enabled: connected to system bus
daemon.info dnsmasq[29106]: using only locally-known addresses for domain test
daemon.info dnsmasq[29106]: using only locally-known addresses for domain onion
daemon.info dnsmasq[29106]: using only locally-known addresses for domain localhost
daemon.info dnsmasq[29106]: using only locally-known addresses for domain local
daemon.info dnsmasq[29106]: using only locally-known addresses for domain invalid
daemon.info dnsmasq[29106]: using only locally-known addresses for domain bind
daemon.info dnsmasq[29106]: using only locally-known addresses for domain lan
daemon.info dnsmasq[29106]: reading /tmp/resolv.conf.d/resolv.conf.ovpn
daemon.info dnsmasq[29106]: using only locally-known addresses for domain test
daemon.info dnsmasq[29106]: using only locally-known addresses for domain onion
daemon.info dnsmasq[29106]: using only locally-known addresses for domain localhost
daemon.info dnsmasq[29106]: using only locally-known addresses for domain local
daemon.info dnsmasq[29106]: using only locally-known addresses for domain invalid
daemon.info dnsmasq[29106]: using only locally-known addresses for domain bind
daemon.info dnsmasq[29106]: using only locally-known addresses for domain lan
daemon.info dnsmasq[29106]: using nameserver 209.244.0.3#53
daemon.info dnsmasq[29106]: using nameserver 64.6.64.6#53
daemon.info dnsmasq[29106]: read /etc/hosts - 4 addresses
daemon.info dnsmasq[29106]: read /tmp/hosts/dhcp.cfg01411c - 2 addresses
daemon.notice netifd: Interface 'ovpnclient' is now up
user.notice firewall: Reloading firewall due to ifup of ovpnclient (ovpnclient)
daemon.info dnsmasq[29106]: read /etc/hosts - 4 addresses
daemon.info dnsmasq[29106]: read /tmp/hosts/dhcp.cfg01411c - 2 addresses
daemon.info dnsmasq[29106]: read /etc/hosts - 4 addresses
daemon.info dnsmasq[29106]: read /tmp/hosts/dhcp.cfg01411c - 2 addresses
kern.warn kernel: [ 2090.807170] 7981@C13L2,Set_DisConnectAllSta_Proc() 22426: Send DeAuth (Reason=2) to xx:xx:xx:xx:xx:xx
kern.warn kernel: [ 2090.821562] 7981@C01L2,wifi_sys_disconn_act() 1002:  wdev_idx=2
kern.notice kernel: [ 2090.827867] 7981@C08L3,hw_ctrl_flow_v2_disconnt_act() 172: wdev_idx=2
kern.warn kernel: [ 2090.835295] 7981@C13L2,MacTableDeleteEntry() 1793: Del Sta:xx:xx:xx:xx:xx:xx
kern.err kernel: [ 2090.844542] 7981@C12L1,rt28xx_ap_ioctl() 893: interface is down, cmd [8be2] return!!!
daemon.notice netifd: ovpnclient (28366): Interface doesn't accept private ioctl...
daemon.notice netifd: ovpnclient (28366): set (8BE2): Network is down
daemon.notice netifd: ovpnclient (28366): Interface doesn't accept private ioctl...
daemon.notice netifd: ovpnclient (28366): set (8BE2): Network is down
kern.err kernel: [ 2090.855596] 7981@C12L1,rt28xx_ap_ioctl() 893: interface is down, cmd [8be2] return!!!
kern.info kernel: [ 2090.870965] br-lan: port 1(eth1) entered disabled state
kern.notice kernel: [ 2090.891086] 7981@C08L3,ap_peer_auth_req_at_idle_action() 717: AUTH - MBSS(2), Rcv AUTH seq#1, Alg=0, Status=0 from [wcid=1023]xx:xx:xx:xx:xx:xx
kern.debug kernel: [ 2090.904143] entrytb_aid_aquire(): found non-occupied aid:5, allocated from:4
kern.warn kernel: [ 2090.911241] 7981@C13L2,MacTableInsertEntry() 1537: New Sta:xx:xx:xx:xx:xx:xx
kern.notice kernel: [ 2090.920489] 7981@C08L3,ap_cmm_peer_assoc_req_action() 1647:  Recv Assoc from STA - xx:xx:xx:xx:xx:xx
kern.notice kernel: [ 2090.929955] 7981@C08L3,ap_cmm_peer_assoc_req_action() 2170: ReASSOC Send ReASSOC response (Status=0)...
kern.notice kernel: [ 2090.939688] 7981@C01L3,wifi_sys_conn_act() 1115: wdev idx = 2
kern.notice kernel: [ 2090.945748] 7981@C08L3,hw_ctrl_flow_v2_connt_act() 215: wdev_idx=2
kern.notice kernel: [ 2091.066726] 7981@C15L3,WPABuildPairMsg1() 5280: <=== send Msg1 of 4-way
kern.notice kernel: [ 2091.073347] 7981@C15L3,PeerPairMsg2Action() 6202: ===>Receive msg 2
kern.notice kernel: [ 2091.080091] 7981@C15L3,WPABuildPairMsg3() 5557: <=== send Msg3 of 4-way
kern.notice kernel: [ 2091.086760] 7981@C15L3,PeerPairMsg4Action() 6632: ===>Receive msg 4
kern.warn kernel: [ 2091.098314] 7981@C15L2,PeerPairMsg4Action() 6994: AP SETKEYS DONE(rax0) - AKMMap=WPA2PSK, PairwiseCipher=AES, GroupCipher=AES, wcid=2 from xx:xx:xx:xx:xx:xx
kern.warn kernel: [ 2091.098314]
kern.info kernel: [ 2091.893208] MediaTek MT7981 PHY mdio-bus:00: TX-VCM SW cal result: 0x2
kern.info kernel: [ 2091.900595] mtk_soc_eth 15100000.ethernet eth1: PHY [mdio-bus:00] driver [MediaTek MT7981 PHY]
kern.info kernel: [ 2091.909207] mtk_soc_eth 15100000.ethernet eth1: configuring for phy/gmii link mode
daemon.notice netifd: lan (28332): udhcpc: sending discover
daemon.notice ovpnclient[28366]: Initialization Sequence Completed
daemon.err ovpnclient[28366]: write to TUN/TAP : Invalid argument (code=22)

First question: Do you need to use OpenVPN?
The performance of WireGuard is much better on GL.iNet routers.
(And setup is easier as well)

Most of the time no, I don’t need OpenVPN. But when I need it, it’s good to have TAP. As far as I understand, WireGuard works like TUN.

One thing I haven’t mentioned. I use a VPS as a gateway with a public IP. I connect to the VPS, my router in the home network connects to the VPS and it creates a tunnel to my home network.

I don’t know if I can do it easily with WireGuard, but I have very little experience with that. All I have done is set up a server on my VPS and connect from the router. It was working, so that’s all I know.

Anyway I’m open to WireGuard suggestions, but I want to solve my problem with OpenVPN.

I keep seeing the question of why people are using OpenVPN when WireGuard is better.

As someone who travels full time, there are times WireGuard, for various reasons, just does not work from some remote sites. In those cases having the option of running OpenVPN over either UDP or TCP has saved me more than once. It is always good to have options.


Normally for a simple OpenVPN client tun is simpler, as it is a layer 3 protocol. I have all my OpenVPN servers set up using the tun device and I do not have any experience using the tap device. Looking at the log message:

daemon.warn ovpnclient[28366]: WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'

It looks like the AX3000 is not using the correct device. Maybe someone in GL.iNet support can answer whether the AX3000 supports the tap device.
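An added check, not from this thread or from GL.iNet, that compares a server and a client config for the options that must agree between peers (the `dev` line the warning above is about, plus `proto`, `cipher` and the `tls-auth` key direction) and pulls the same "used inconsistently" warnings out of log lines. The config excerpts and log lines are constructed from what is quoted in this thread, with key material omitted.

```python
import re
# Constructed excerpts of the thread's configs (key material omitted); "dev" is the line that differs.
SERVER_CONF = """\
proto udp
mode server
dev tap
tls-auth keys/ta.key 0
cipher AES-256-CBC
"""
CLIENT_CONF = """\
client
dev tun
proto udp
tls-auth ta.key 1
cipher AES-256-CBC
"""
# Constructed log lines in the format OpenVPN 2.x prints when peers disagree on an option.
SAMPLE_LOG = [
    "daemon.warn ovpnclient[1]: WARNING: 'dev-type' is used inconsistently, local='dev-type tun', remote='dev-type tap'",
    "daemon.warn ovpnclient[1]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'",
    "daemon.notice ovpnclient[1]: Initialization Sequence Completed",
]

def parse_ovpn(text):
    """Map option name -> argument list; inline <tag>...</tag> blocks (certs, keys) are skipped."""
    opts, in_block = {}, False
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif line and not in_block:
            name, *args = line.split()
            opts[name] = args
    return opts

def check_pair(server, client):
    """List the options that must agree between peers but do not."""
    s, c = parse_ovpn(server), parse_ovpn(client)
    bad = [f"{o}: server={s.get(o)} client={c.get(o)}" for o in ("dev", "proto", "cipher") if s.get(o) != c.get(o)]
    if s.get("tls-auth", [])[1:2] != ["0"] or c.get("tls-auth", [])[1:2] != ["1"]:  # direction: 0 server, 1 client
        bad.append("tls-auth direction: expected server 0 / client 1")
    return bad

WARN_RE = re.compile(r"'(?P<opt>[\w-]+)' is used inconsistently, local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")

def log_mismatches(lines):
    """Return {option: (local, remote)} for every 'used inconsistently' warning in the log."""
    return {m["opt"]: (m["local"], m["remote"]) for m in map(WARN_RE.search, lines) if m}
```

Run `check_pair` on the two sides before deploying a profile to a router, and `log_mismatches` over the client's syslog after the first connect; a `dev`/`dev-type` mismatch is exactly the case that produces the `write to TUN/TAP : Invalid argument` errors quoted earlier.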

Have you set a different Client IP for the Beryl compared to the old home router?

@eric
I can install (and I have tried that) the OpenVPN module for LuCI, but I am not very familiar with its configuration, so I wanted to rely on the solution provided by GL.iNet, as it already routes the whole traffic through the tunnel and I don’t mess with the firewall.
Anyway, that was my wild guess that the router shows this config as TAP but uses TUN anyway. I decided to ask as I don’t understand that.
I will make some experiments with the config today in the evening and I will give feedback on whether it is working.
Anyway, I prefer to stick with TAP for other protocols than just connecting to the internet.

@hecatae
If you mean an IP conflict, then there is no conflict at all. I tried to use well-tested .ovpn files which I previously used on my computer. And my server assigns the IP addresses for the clients, so no IP conflicts for sure.

Thank you, which firmware are you using on the Beryl AX?

I started by upgrading to the newest version.
The current firmware is 4.5.16.

I’ve also changed my server from TAP to TUN (just this single option, on both server and client) and then the connection looks fine. So can I assume some kind of bug in the software?

Just checked my VPS and I’m using TUN for ovpn.
My Beryl AX is also on 4.5.16.
I’ve also got an Opal here if you want me to test that?

With TUN it looks OK on my configuration, so the only thing I’m interested in is the TAP connection.

And to make it clear, my OpenVPN server is set up on a VPS, not on any router. The routers are just clients.