Trouble connecting to OpenVPN TAP Server


#1

Hi,

I’ve just got an MT300N and I’m in the process of setting it up. Everything has been really easy to set up so far, however I can’t get it to connect to my Asus AC87U OpenVPN TAP Server. I know the server works as I can connect from my Windows and OSX clients.


Here’s the log when the device tries to connect:

Tue May 2 17:42:31 2017 daemon.notice openvpn[25302]: OpenVPN 2.3.10 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6]
Tue May 2 17:42:31 2017 daemon.notice openvpn[25302]: library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Tue May 2 17:42:31 2017 daemon.notice openvpn[25303]: UDPv4 link local: [undef]
Tue May 2 17:42:31 2017 daemon.notice openvpn[25303]: UDPv4 link remote: [AF_INET]XXX.XXX.103.152:1194
Tue May 2 17:42:31 2017 daemon.warn openvpn[25303]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue May 2 17:42:33 2017 daemon.notice openvpn[25303]: [RT-AC87U] Peer Connection Initiated with [AF_INET]XXX.XXX.103.152:1194
Tue May 2 17:42:36 2017 daemon.notice netifd: Interface 'VPN_client' is enabled
Tue May 2 17:42:36 2017 daemon.notice netifd: Network device 'tap0' link is up
Tue May 2 17:42:36 2017 daemon.notice netifd: Interface 'VPN_client' has link connectivity
Tue May 2 17:42:36 2017 daemon.notice netifd: Interface 'VPN_client' is setting up now
Tue May 2 17:42:36 2017 daemon.notice openvpn[25303]: TUN/TAP device tap0 opened
Tue May 2 17:42:36 2017 daemon.notice netifd: Interface 'VPN_client' is now up
Tue May 2 17:42:36 2017 user.notice firewall: Reloading firewall due to ifup of VPN_client (tap0)
Tue May 2 17:42:47 2017 daemon.warn openvpn[25303]: ERROR: Linux route add command failed: external program exited with error status: 1
Tue May 2 17:42:47 2017 daemon.warn openvpn[25303]: ERROR: Linux route add command failed: external program exited with error status: 1
Tue May 2 17:42:47 2017 daemon.warn openvpn[25303]: ERROR: Linux route add command failed: external program exited with error status: 1
Tue May 2 17:42:47 2017 daemon.warn openvpn[25303]: ERROR: Linux route add command failed: external program exited with error status: 1
Tue May 2 17:42:47 2017 daemon.notice openvpn[25303]: Initialization Sequence Completed
Tue May 2 17:45:33 2017 daemon.warn dnsmasq-dhcp[2005]: DHCP packet received on tap0 which has no address

Here’s the ovpn config file I’m uploading to the client router:

client
dev tap
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
proto udp
remote XXX.asuscomm.com 1194
float
comp-lzo adaptive
route-delay 10
keepalive 15 60
auth-user-pass
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
XXX
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
XXX
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
XXX
-----END PRIVATE KEY-----
</key>
resolv-retry infinite
nobind


All during this time, the status says: “OpenVPN is: connecting …”

Anybody have any ideas?


Thanks!


#2

Just a follow up… I got it working using a TUN setup but I would ideally like to figure out a TAP link as that’s what I purchased the device for. Happy to use TUN for now though!


#3

Hi, I think you’d better use TUN. The reason is that the router will act as a gateway, so it will create a firewall. Even if you use tap, it will use it as tun, so there is not too much difference.


#4

The main thing is being able to have broadcast packets sent between the two sites - will I be able to ever do this?


#5

The packets can be broadcast to the router. But how you can forward the packets on to your devices is the problem.


#6

Did you get this working? Can this device even do TAP? People are saying there is not much difference between tun/tap but you need bridging for windows file sharing and some other protocols from what I can tell no? Even confirmation of that working anywhere on here would be helpful.


#7

I don’t think it does TAP, as this is a router and it is a firewall. Your devices are not connected to your VPN server directly and they are in a different subnet.

I am not 100% sure. Maybe there is a way to do this using static routing.


#8

The device is able to do TAP, but GL’s gui will not handle it for you. TAP requires bridging interfaces, which you have to setup yourself.


#9

Thanks guys, I think static routing is the solution. I understand that TAP requires bridging interfaces in the OS normally which is why I asked… I will try some more stuff.


#10

@Groentjuh, do you think bridging LAN and tap0 works? I think this requires openvpn server to allow this, right?


#11

On the AR300M I have it working to go to my own home network. You have to think of it as a virtual network cable on both sides. If that’s right on both sides, it will work fine.

It will require both the openvpn server and openvpn client to be set up right for it to work. Looking at the config above, that could be the case, as asuscomm.com is a DDNS service for Asus routers. He is doing what I did with my AR300M: extend his actual (home) LAN to somewhere remote! I don’t see any reason an MT300M would be different from an AR300M in the area of OpenVPN.

When I find some time, I might try to help out by posting some config once I have reconfigured my AR300M for its next use-case.


#12

@Groentjuh, I will be very happy to see your configuration.


#13

My GL-AR150 works with both tap and tun connections. I connect with a pfSense OpenVPN server. I use several servers on it (1 tun with pass through only, 1 tun with pass through and LAN connect, 1 tap just to see if it worked - it does) the pfSense client wizard offers several different profile layouts. The GL AR150 imports the inline-client in the android section. I’m experimenting now with the AR-150 to see which home profile(s) I want to keep on it.

pfSense is free. If you’re motivated then load it up in a virtual machine and install an OpenVPN server. It has a wizard for it and a tun server takes only a couple of minutes to build, certificates and all. Then go to user manager and create a user with a certificate associated with the openvpn server. Then go to the client download wizard for openvpn and download an inline-other client profile and copy the format.

I won’t print one of mine again as I think of it as a security risk. Even publicizing the ports and encryption methods opens a door a little crack.



#14

An Amazon review posted 5-18-2016 claims an MT300N client was configured with tap and connected to a “home” server. But my efforts to come up with a “simplest possible” configuration revealed that a site-to-site (static key) connection cannot be done with the GUI.


#15

You may need to change the content of ovpn file in the router directly.


#16

Simplest possible VPN client (tap) (Contents of /etc/openvpn/conf.ovpn):

dev tap0
proto udp
remote SERVER-IP 1194
verb 3
# inline static key; an inline key must sit inside a <secret> block
<secret>
-----BEGIN OpenVPN Static key V1-----
xxx …
-----END OpenVPN Static key V1-----
</secret>
daemon

After enabling and applying, a tap0 interface shows up in ifconfig -a.
And the log shows:

Tue Dec 11 17:57:14 2018 daemon.notice netifd: Network device 'tap0' link is up
Tue Dec 11 17:57:14 2018 daemon.notice netifd: Interface 'VPN_client' has link connectivity
Tue Dec 11 17:57:14 2018 daemon.notice netifd: Interface 'VPN_client' is setting up now
Tue Dec 11 17:57:14 2018 daemon.notice netifd: Interface 'VPN_client' is now up
Tue Dec 11 17:57:15 2018 user.notice firewall: Reloading firewall due to ifup of VPN_client (tap0)
Tue Dec 11 17:57:16 2018 kern.info kernel: [25380.750000] br-lan: port 3(tap0) entered forwarding state

Then I issue:
brctl addif br-lan tap0

Then "brctl show" produces:
root@GL-MT300N:/etc/openvpn# brctl show
bridge name     bridge id               STP enabled     interfaces
br-lan          7fff.e4956e42d981       no              eth0.1
                                                        wlan0
                                                        tap0

But firewall must be blocking packets from the server; stats show no received packets.


#17

If the configuration is correct on the server side and you can set the client up, you have to disable the DHCP server on the client side so that all LAN clients get their IP addresses from the server side; that is bridge mode.

If you can’t receive packets, it is usually a server issue.


#18

Thx for the response. The DHCP server on the MT300N is disabled. When I use a Shibby router as the VPN client, it correctly connects to a Shibby VPN server, which also acts as a DHCP server. A device connected to the Shibby client gets its IP address from the Shibby server. Conclusion: there is a problem with the MT300N configuration. My suspicion: MT300N firewall. I completely disabled the firewall using Luci and System -> Startup. I see packets arriving at the server, but no packet getting sent from the server. But the server log does NOT include the lines:
… UV-shibby daemon.notice openvpn[20900]: Peer Connection Initiated with …
… UV-shibby daemon.notice openvpn[20900]: Initialization Sequence Completed

But after some more head scratching, I determined the problem was with compression. The Shibby server was configured for “Adaptive”; the MT300N had nothing specified for compression. When I changed the Shibby server compression to “Disabled”, tap bridging now works.

Conclusion: it is possible to get the MT300N to act as a TAP bridged client with static key. But after loading the config.ovpn file with the simplest GUI (which adds the “client” line), the “client” line must be removed (ssh to the MT300N); and then the “brctl addif br-lan tap0” must be issued. I will now double back and see if the firewall actually needed to be disabled.


#19

The original problem had nothing to do with the default firewall settings; just needed compression to be configured consistently.

I now have it configured so that the VPN client connects when the device is powered up, with no configuration fiddling required. But that required:

  • ssh access to the MT100N to make several changes (create up.sh, down.sh, and delete the client line from config.ovpn)
  • Luci interface was needed to disable DHCP on the LAN
  • Luci interface was needed to open ports in the firewall for ssh and http access from the WAN
    (not strictly needed, but simplifies access once DHCP on the LAN is disabled).

My guess is that the MT300N is the lowest cost travel router capable of acting as an OpenVPN bridge client.
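Posts #16 through #19 describe the manual steps that make the TAP client work: put tap0 into br-lan with brctl, and do it from an up.sh/down.sh pair so it happens at boot. The script below is an added example of such a pair, written here and not taken from the poster or from GL.iNet; the file names up.sh/down.sh, the bridge name br-lan and the tap0 device come from the thread, and wiring it into config.ovpn via `script-security 2`, `up` and `down` is assumed.

```shell
#!/bin/sh
# Added example: OpenVPN up/down hook that adds the TAP device to the OpenWrt
# LAN bridge (replaces the manual "brctl addif br-lan tap0" from post #16).
# Assumed config.ovpn lines (not from the thread):
#   script-security 2
#   up /etc/openvpn/up.sh
#   down /etc/openvpn/down.sh
# OpenVPN invokes the script as: up.sh <dev> <tun_mtu> <link_mtu> ... [init|restart]

BRIDGE="${BRIDGE:-br-lan}"

# Accept only plain interface names (no path separators, spaces or shell
# metacharacters): the argument comes from OpenVPN, but guarding it keeps the
# functions safe if they are later reused from another script.
valid_ifname() {
  case "$1" in
    "" | *[!A-Za-z0-9_.-]* | .* ) return 1 ;;
  esac
  [ ${#1} -le 15 ]
}

# True when $2 is already a port of bridge $1 (same view as "brctl show").
in_bridge() {
  [ -d "/sys/class/net/$1/brif/$2" ]
}

# Add the TAP device to the bridge; idempotent, so an OpenVPN "restart" is safe.
bridge_add() {
  valid_ifname "$2" || { echo "refusing odd interface name: '$2'" >&2; return 2; }
  if in_bridge "$1" "$2"; then
    echo "$2 already in $1"
    return 0
  fi
  brctl addif "$1" "$2" || return 1
  ifconfig "$2" up
}

# Remove the TAP device on shutdown so a stale port does not linger in the bridge.
bridge_del() {
  valid_ifname "$2" || return 2
  in_bridge "$1" "$2" || return 0
  brctl delif "$1" "$2"
}

# Dispatch on which name OpenVPN called us by; argument 1 is the device name.
case "${0##*/}" in
  up.sh)   [ $# -gt 0 ] && bridge_add "$BRIDGE" "$1" ;;
  down.sh) [ $# -gt 0 ] && bridge_del "$BRIDGE" "$1" ;;
esac
```

Install the file once as up.sh and symlink down.sh to it, or copy it; with the DHCP server on the LAN disabled (post #19), clients behind the router then lease addresses from the server side over the bridged tap0.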


#20

Thanks for your sharing. It is simple to set bridge mode up if we have the knowledge.