Android OpenVPN to ASUSWRT-Merlin OpenVPN SERVER


dominatorstang

Occasional Visitor
Tested using :
-Samsung Galaxy Note II
-RT-AC66U (Asuswrt-Merlin 3.0.0.4.372.30_2)
-RT-AC56U (Asuswrt-Merlin 3.0.0.4.372.30_2)

You will need to have already done the following before you start:
-have followed the Easy-RSA instructions for building your keys and certificates
-your Asus router flashed with Asuswrt-Merlin


Server
Open your router interface using a web browser
Click VPN Server on the left under advanced settings
Go to the OpenVPN Server Settings tab
now update your settings to match the below

Select server instance: Server1
Service state : off (leave this off until later down)
Start with WAN : Yes (this also allows automatic starting after reboot)
Interface Type : TUN
Protocol : TCP
Port : 1194
Firewall : Automatic
Authorization Mode : TLS
Extra HMAC authorization : Disabled
VPN Subnet / Netmask : 10.8.0.0 255.255.255.0

Advanced Settings
Poll Interval: 0
Push LAN to clients : Yes
Direct clients to redirect Internet traffic : No
Respond to DNS: Yes
Advertise DNS to clients: Yes
Encryption cipher : BF-CBC (default works but better to just set it)
Compression : adaptive
TLS Renegotiation Time : -1
Manage Client-Specific Options: No (you can enable this if you have multi-clients and want them to cross talk)

click apply changes.

Now click the switch at "Service state" so the server will start. Once it finishes, it should show a green "ON" at the switch to show it started fine.


Now for the android client

I did not have great success with the "official" openvpn client at first so I wrote this using "OpenVPN for android 0.5.38". A post below by "The Chief" explains using the official OpenVPN app for android and I have also confirmed it working with UDP.

Once "OpenVPN for Android 0.5.38" is downloaded you will also need to create a pkcs12 file with easy-rsa if you have not already (the android app also lets you use key files and certificates individually, but I had some quirks so I just went with the pkcs12 file).

I used the info from this site https://airvpn.org/topic/8795-pkcs12-file-generation-android-tutorial/ to create the pkcs12 file needed.

The android program is pretty easy to use: you just enter the IP address or domain name and select the pkcs12 file you created, then connect.


I originally just zipped through the android side of things for testing of my server and not to actually use it so when you go through the setup, if you find something that I missed then please let me know so I can update this post.

Thanks
 
I did not have great success with the "official" openvpn client
I was successful with official «OpenVPN Connect» android application. Samsung Galaxy Note II.
 
I was successful with official «OpenVPN Connect» android application. Samsung Galaxy Note II.

Great! Would you want to add the information you used to get the official app working so we can add it here too?

BTW, are you able to use port 445 across your OpenVPN connection to PC's on the LAN?

Thanks
 
I use the official one with no problems, I just imported the client and the cert from the phone, I use a Nexus 4.


 
Great! Would you want to add the information you used to get the official app working so we can add it here too?

BTW, are you able to use port 445 across your OpenVPN connection to PC's on the LAN?

Thanks

Start with WAN Yes

Interface Type TUN
Protocol UDP
Port: default, 1194
Firewall Automatic
Authorization Mode TLS
Extra HMAC authorization disabled
VPN Subnet / Netmask 10.8.0.0/255.255.255.0

Advanced Settings:
Poll Interval 0
Push LAN to clients Yes
Direct clients to redirect Internet traffic No
Respond to DNS No
Encryption cipher Default
Compression Adaptive
TLS Renegotiation Time -1

Manage Client-Specific Options No
------------
openvpn profile to import in android:

##############################################
# Sample client-side OpenVPN 2.0 config file #
# it has a .ovpn extension #
##############################################
client
dev tun
proto udp
remote ohmyfreakingaccount.dyndns.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.ohmyfreakingaccount.crt
cert androidclient.ohmyfreakingaccount.crt
key androidclient.ohmyfreakingaccount.key

ns-cert-type server
cipher BF-CBC
comp-lzo
verb 3
##############################################


PS: speaking of port 445, I can access samba shares on router itself, on mediaplayer (RTL1186-based Iconbit) and on my home computer (Win7 Ultimate x64) without any problem.
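
Added example, not part of the original posts: a small linter that reads a client profile like the one posted above and reports the settings that weaken it (the same choices appear in the server setup in the first post: BF-CBC, extra HMAC disabled, compression on). The finding codes, severities, the hardened profile and the host `vpn.example.net` are assumptions made for this illustration; a missing `cipher` line is treated as BF-CBC, the default for OpenVPN 2.3-era peers.

```python
import re

# Directives of the profile posted above (file names and host are the poster's).
POSTED_PROFILE = """\
client
dev tun
proto udp
remote ohmyfreakingaccount.dyndns.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.ohmyfreakingaccount.crt
cert androidclient.ohmyfreakingaccount.crt
key androidclient.ohmyfreakingaccount.key
ns-cert-type server
cipher BF-CBC
comp-lzo
verb 3
"""

# Constructed counter-example: placeholder host, key body left out on purpose.
# The server must be changed to match (cipher, tls-auth key, compression off).
HARDENED_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
remote-cert-tls server
cipher AES-256-CBC
key-direction 1
<tls-auth>
(static key goes here)
</tls-auth>
"""

BLOCK_OPEN = re.compile(r"^<([a-z0-9-]+)>$")
# CBC ciphers with a 64-bit block, the class affected by SWEET32.
BLOCK64 = {"BF-CBC", "DES-CBC", "DES-EDE-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC"}


def parse_profile(text):
    """Map directive -> list of argument lists; an inline <x> block counts as x."""
    directives, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if block:                       # skip key/cert material inside <x>...</x>
            if line == f"</{block}>":
                block = None
            continue
        if not line or line[0] in "#;":
            continue
        opened = BLOCK_OPEN.match(line)
        if opened:
            block = opened.group(1)
            directives.setdefault(block, []).append(["[inline]"])
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def lint(text):
    """Return a list of (code, severity, message) findings for a client profile."""
    d, out = parse_profile(text), []
    if not {"remote-cert-tls", "verify-x509-name", "ns-cert-type"} & d.keys():
        out.append(("NO_SERVER_CERT_CHECK", "high",
                    "any certificate from this CA, even another client's, passes as the server"))
    elif not {"remote-cert-tls", "verify-x509-name"} & d.keys():
        out.append(("NSCERT_DEPRECATED", "low",
                    "ns-cert-type relies on the legacy Netscape field; use remote-cert-tls server"))
    # Assumption: no cipher line means the OpenVPN 2.3-era default, BF-CBC.
    args = d.get("cipher", [["BF-CBC"]])[-1]
    cipher = (args[0] if args else "BF-CBC").upper()
    if cipher in BLOCK64:
        out.append(("WEAK_CIPHER_64BIT", "medium",
                    f"{cipher} has a 64-bit block (SWEET32); use an AES cipher on both ends"))
    if not {"tls-auth", "tls-crypt"} & d.keys():
        out.append(("NO_TLS_AUTH", "medium",
                    "no HMAC on the control channel; unauthenticated packets reach the TLS stack"))
    lzo = any(a[:1] != ["no"] for a in d.get("comp-lzo", []))
    comp = any(a and a[0] not in ("stub", "stub-v2", "migrate")
               for a in d.get("compress", []))
    if lzo or comp:
        out.append(("COMPRESSION", "low",
                    "compress-then-encrypt can leak plaintext (VORACLE); disable on both ends"))
    return out


def codes(text):
    """Finding codes only, in the order the checks run."""
    return [code for code, _sev, _msg in lint(text)]
```

Running `lint(POSTED_PROFILE)` lists four findings for the posted profile; the constructed hardened profile produces none.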
 
The port 445 issue is most likely related to security on your target computer. I remember a few months ago someone had a similar issue, his computer firewall didn't like the fact that the connection came from an IP in a different subnet.
 
I have verified the issue being only with my android device since I connected in using a windows xp client and port 445 was working fine. Thanks for all the help and that makes it no longer an issue for me.
 
Hi Guys...

I would really appreciate your insight with the following. I am having a lot of problems trying to make a similar configuration work and I really don't know what I'm getting wrong. For some reason the authentication is not working. In essence, the only difference I have with the configuration shared by The Chief is the encryption (I'm using AES-256-CBC), and perhaps the complexity of DH parameters. And I also know for a fact the certificate and keys are correct because the VPN does work with my other two computers (both running tunnelblick 3.4beta20 (build 3727)). My router is a RT-AC66U running 374_40_beta2, and my mobile devices are both an iPad and a Galaxy S4 google edition.

The detailed configuration is the following

Server Side:

Interface Type: TUN
Protocol: UDP
English Default: 1194
Firewall: AUTO
Authorization Mode: TLS
Username/Password Authentication: NO
Extra HMAC authorization (tls-auth): DISABLE
VPN Subnet/Netmask: 10.8.0.0/24

Advanced Settings
Poll Interval: 0
Push LAN to clients: NO
Direct clients to redirect Internet traffic: NO
Respond to DNS: NO
Encryption cipher: AES-256-CBC
Compression: ADAPTIVE
TLS Renegotiation Time -1
Manage Client-Specific Options NO

Client Side:

client
dev tun
proto udp
remote xxxxxx.asuscomm.com 1194
float
cipher AES-256-CBC
comp-lzo adaptive
keepalive 15 60
verb 4

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>

ns-cert-type server
resolv-retry infinite
nobind

This is the log from the ipad (OpenVPN 1.0.4 build 140, iOS 64-bit), which I believe is exactly the same result as the one on the S4. Below is the router's log.

2014-03-07 21:44:18 ----- OpenVPN Start (iOS 64-bit) -----
2014-03-07 21:44:18 UNUSED OPTIONS
4 [float]
7 [keepalive] [15] [60]
8 [verb] [4]
13 [resolv-retry] [infinite]
14 [nobind]

2014-03-07 21:44:18 LZO-ASYM init swap=0 asym=0
2014-03-07 21:44:18 EVENT: RESOLVE
2014-03-07 21:44:19 Contacting XX.XX.XX.XX:1194 via UDP
2014-03-07 21:44:19 EVENT: WAIT
2014-03-07 21:44:19 Connecting to XXXX.asuscomm.com:1194 (50.163.198.192) via UDPv4
2014-03-07 21:44:28 Server poll timeout, trying next remote entry...
2014-03-07 21:44:28 EVENT: RECONNECTING
2014-03-07 21:44:28 LZO-ASYM init swap=0 asym=0
2014-03-07 21:44:28 EVENT: RESOLVE
2014-03-07 21:44:28 Contacting XX.XX.XX.XX:1194 via UDP
2014-03-07 21:44:28 EVENT: WAIT
2014-03-07 21:44:28 Connecting to XXXX.asuscomm.com:1194 (50.163.198.192) via UDPv4
2014-03-07 21:44:38 Server poll timeout, trying next remote entry...
2014-03-07 21:44:38 EVENT: RECONNECTING
2014-03-07 21:44:38 LZO-ASYM init swap=0 asym=0
2014-03-07 21:44:38 EVENT: RESOLVE
2014-03-07 21:44:38 Contacting XX.XX.XX.XX:1194 via UDP
2014-03-07 21:44:38 EVENT: WAIT
2014-03-07 21:44:38 Connecting to XXXX.asuscomm.com:1194 (50.163.198.192) via UDPv4
2014-03-07 21:44:48 Server poll timeout, trying next remote entry...
2014-03-07 21:44:48 EVENT: RECONNECTING
2014-03-07 21:44:48 LZO-ASYM init swap=0 asym=0
2014-03-07 21:44:48 EVENT: RESOLVE
2014-03-07 21:44:48 Contacting XX.XX.XX.XX:1194 via UDP
2014-03-07 21:44:48 EVENT: WAIT
2014-03-07 21:44:48 Connecting to XXXX.asuscomm.com:1194 (50.163.198.192) via UDPv4
2014-03-07 21:44:58 Server poll timeout, trying next remote entry...
2014-03-07 21:44:58 EVENT: RECONNECTING
2014-03-07 21:44:58 LZO-ASYM init swap=0 asym=0
2014-03-07 21:44:58 EVENT: RESOLVE
2014-03-07 21:44:58 Contacting XX.XX.XX.XX:1194 via UDP
2014-03-07 21:44:58 EVENT: WAIT
2014-03-07 21:44:58 Connecting to XXXX.asuscomm.com:1194 (50.163.198.192) via UDPv4
2014-03-07 21:45:08 Server poll timeout, trying next remote entry...
2014-03-07 21:45:08 EVENT: RECONNECTING
2014-03-07 21:45:08 LZO-ASYM init swap=0 asym=0
2014-03-07 21:45:08 EVENT: RESOLVE
2014-03-07 21:45:08 Contacting XX.XX.XX.XX:1194 via UDP
2014-03-07 21:45:08 EVENT: WAIT
2014-03-07 21:45:08 Connecting to XXXX.asuscomm.com:1194 (50.163.198.192) via UDPv4
2014-03-07 21:45:18 EVENT: CONNECTION_TIMEOUT [ERR]
2014-03-07 21:45:18 EVENT: DISCONNECTED
2014-03-07 21:45:18 Raw stats on disconnect:
BYTES_OUT : 420
PACKETS_OUT : 30
CONNECTION_TIMEOUT : 1
N_RECONNECT : 5
2014-03-07 21:45:18 Performance stats on disconnect:
CPU usage (microseconds): 44023
Network bytes per CPU second: 9540
Tunnel bytes per CPU second: 0
2014-03-07 21:45:18 ----- OpenVPN Stop -----
2014-03-07 21:45:18 EVENT: DISCONNECT_PENDING


Mar 7 21:44:18 openvpn[1875]: 192.168.2.106:61646 TLS: Initial packet from [AF_INET]192.168.2.106:61646, sid=48fb9e47 f3988c9d
Mar 7 21:44:27 openvpn[1875]: 192.168.2.106:51990 TLS: Initial packet from [AF_INET]192.168.2.106:51990, sid=9c02b0ef aff7fbd0
Mar 7 21:44:37 openvpn[1875]: 192.168.2.106:64484 TLS: Initial packet from [AF_INET]192.168.2.106:64484, sid=ea5e91fa 393eee51
Mar 7 21:44:47 openvpn[1875]: 192.168.2.106:57437 TLS: Initial packet from [AF_INET]192.168.2.106:57437, sid=46eb101b f56f62f9
Mar 7 21:44:57 openvpn[1875]: 192.168.2.106:56440 TLS: Initial packet from [AF_INET]192.168.2.106:56440, sid=5a1f98ed e9c7976d
Mar 7 21:45:07 openvpn[1875]: 192.168.2.106:65187 TLS: Initial packet from [AF_INET]192.168.2.106:65187, sid=f7719684 3da3dfe9
Mar 7 21:45:19 openvpn[1875]: 192.168.2.106:61646 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 7 21:45:19 openvpn[1875]: 192.168.2.106:61646 TLS Error: TLS handshake failed
Mar 7 21:45:19 openvpn[1875]: 192.168.2.106:61646 SIGUSR1[soft,tls-error] received, client-instance restarting
Mar 7 21:45:27 openvpn[1875]: 192.168.2.106:51990 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 7 21:45:27 openvpn[1875]: 192.168.2.106:51990 TLS Error: TLS handshake failed
Mar 7 21:45:27 openvpn[1875]: 192.168.2.106:51990 SIGUSR1[soft,tls-error] received, client-instance restarting
Mar 7 21:45:37 openvpn[1875]: 192.168.2.106:64484 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 7 21:45:37 openvpn[1875]: 192.168.2.106:64484 TLS Error: TLS handshake failed
Mar 7 21:45:37 openvpn[1875]: 192.168.2.106:64484 SIGUSR1[soft,tls-error] received, client-instance restarting
Mar 7 21:45:47 openvpn[1875]: 192.168.2.106:57437 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 7 21:45:47 openvpn[1875]: 192.168.2.106:57437 TLS Error: TLS handshake failed
Mar 7 21:45:47 openvpn[1875]: 192.168.2.106:57437 SIGUSR1[soft,tls-error] received, client-instance restarting
Mar 7 21:45:57 openvpn[1875]: 192.168.2.106:56440 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 7 21:45:57 openvpn[1875]: 192.168.2.106:56440 TLS Error: TLS handshake failed
Mar 7 21:45:57 openvpn[1875]: 192.168.2.106:56440 SIGUSR1[soft,tls-error] received, client-instance restarting
Mar 7 21:46:07 openvpn[1875]: 192.168.2.106:65187 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 7 21:46:07 openvpn[1875]: 192.168.2.106:65187 TLS Error: TLS handshake failed
Mar 7 21:46:07 openvpn[1875]: 192.168.2.106:65187 SIGUSR1[soft,tls-error] received, client-instance restarting
Mar 7 21:48:09 kernel: ACCEPT <4>ACCEPT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1d:70:af:b5:e2:08:00 <1>SRC=96.179.248.1 DST=255.255.255.255 <1>LEN=367 TOS=0x00 PREC=0x00 TTL=255 ID=22113 PROTO=UDP <1>SPT=67 DPT=68 LEN=347
Mar 7 21:48:09 kernel: ACCEPT <4>ACCEPT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1d:70:af:b5:e2:08:00 <1>SRC=96.179.248.1 DST=255.255.255.255 <1>LEN=367 TOS=0x00 PREC=0x00 TTL=255 ID=22118 PROTO=UDP <1>SPT=67 DPT=68 LEN=347
Mar 7 21:48:15 sd-idle-2.6[247]: spinning down /dev/sda after 5 mins 30 secs
Mar 7 21:49:32 kernel: ACCEPT <4>ACCEPT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1d:70:af:b5:e2:08:00 <1>SRC=96.179.248.1 DST=255.255.255.255 <1>LEN=331 TOS=0x00 PREC=0x00 TTL=255 ID=22242 PROTO=UDP <1>SPT=67 DPT=68 LEN=311
Mar 7 21:50:44 kernel: ACCEPT <4>ACCEPT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1d:70:af:b5:e2:08:00 <1>SRC=96.179.248.1 DST=255.255.255.255 <1>LEN=367 TOS=0x00 PREC=0x00 TTL=255 ID=22341 PROTO=UDP <1>SPT=67 DPT=68 LEN=347
Mar 7 21:50:44 kernel: ACCEPT <4>ACCEPT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1d:70:af:b5:e2:08:00 <1>SRC=96.179.248.1 DST=255.255.255.255 <1>LEN=367 TOS=0x00 PREC=0x00 TTL=255 ID=22344 PROTO=UDP <1>SPT=67 DPT=68 LEN=347
Mar 7 21:52:20 kernel: ACCEPT <4>ACCEPT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1d:70:af:b5:e2:08:00 <1>SRC=96.179.248.1 DST=255.255.255.255 <1>LEN=341 TOS=0x00 PREC=0x00 TTL=255 ID=22503 PROTO=UDP <1>SPT=67 DPT=68 LEN=321
Mar 7 21:52:20 kernel: ACCEPT <4>ACCEPT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1d:70:af:b5:e2:08:00 <1>SRC=96.179.248.1 DST=255.255.255.255 <1>LEN=341 TOS=0x00 PREC=0x00 TTL=255 ID=22506 PROTO=UDP <1>SPT=67 DPT=68 LEN=321
Mar 7 21:52:58 openvpn[1875]: event_wait : Interrupted system call (code=4)
Mar 7 21:52:58 openvpn[1875]: TITLE,OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Mar 5 2014
Mar 7 21:52:58 openvpn[1875]: TIME,Fri Mar 7 21:52:58 2014,1394247178
Mar 7 21:52:58 openvpn[1875]: HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username
Mar 7 21:52:58 openvpn[1875]: HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
Mar 7 21:52:58 openvpn[1875]: GLOBAL_STATS,Max bcast/mcast queue length,0
Mar 7 21:52:58 openvpn[1875]: END
 
Something weird just happened. I recently found this thread: https://code.google.com/p/android-openvpn-settings/issues/detail?id=156

As you see in the bottom of that post, this guy says he can connect using TCP but not UDP. Just for the fun of it, I also tried connecting using TCP and... it worked. So now I am definitively and positively lost...

Again, any insight would be very welcome...

EDIT: I got positive results switching from UDP to TCP on both iOS and Android versions of OpenVPN Connect...
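
Added example, not part of the original posts: a triage script for OpenVPN server syslog lines like the router log above. It groups lines by client endpoint and separates attempts where the server received the first packet but the handshake window expired from attempts that completed; it also reports whether the peer address is RFC 1918, which tells you the attempt reached the server from a private network rather than from a public address. The first four sample lines are taken from the log above; the last two (address `203.0.113.7`, sid, common name `client1`) are constructed, and the verdict names are assumptions of this example.

```python
import ipaddress
import re

# Lines 1-4: from the router log above. Lines 5-6: constructed good session.
SAMPLE_LOG = """\
Mar 7 21:44:18 openvpn[1875]: 192.168.2.106:61646 TLS: Initial packet from [AF_INET]192.168.2.106:61646, sid=48fb9e47 f3988c9d
Mar 7 21:44:27 openvpn[1875]: 192.168.2.106:51990 TLS: Initial packet from [AF_INET]192.168.2.106:51990, sid=9c02b0ef aff7fbd0
Mar 7 21:45:19 openvpn[1875]: 192.168.2.106:61646 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 7 21:45:27 openvpn[1875]: 192.168.2.106:51990 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 7 22:10:03 openvpn[1875]: 203.0.113.7:40001 TLS: Initial packet from [AF_INET]203.0.113.7:40001, sid=00000000 00000000
Mar 7 22:10:05 openvpn[1875]: 203.0.113.7:40001 [client1] Peer Connection Initiated with [AF_INET]203.0.113.7:40001
"""

PEER_LINE = re.compile(
    r"openvpn\[\d+\]: (?P<ip>\d+(?:\.\d+){3}):(?P<port>\d+) (?P<msg>.*)$")
# Explicit list: ipaddress.is_private would also match documentation ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def triage(log_text):
    """Summarise handshake outcomes per client IP from OpenVPN server log lines."""
    sessions = {}                        # (ip, source port) -> set of events seen
    for line in log_text.splitlines():
        m = PEER_LINE.search(line)
        if not m:
            continue                     # kernel lines, status dumps, other daemons
        events = sessions.setdefault((m["ip"], int(m["port"])), set())
        msg = m["msg"]
        if msg.startswith("TLS: Initial packet from"):
            events.add("initial")        # client -> server path delivered a packet
        elif "Peer Connection Initiated" in msg:
            events.add("established")    # TLS handshake completed
        elif "TLS key negotiation failed" in msg:
            events.add("timeout")        # handshake window expired

    report = {}
    for (ip, _port), events in sessions.items():
        r = report.setdefault(ip, {"attempts": 0, "established": 0, "stalled": 0})
        r["attempts"] += 1               # each new source port is a fresh attempt
        if "established" in events:
            r["established"] += 1
        elif {"initial", "timeout"} <= events:
            r["stalled"] += 1

    for ip, r in report.items():
        addr = ipaddress.ip_address(ip)
        r["rfc1918_peer"] = any(addr in net for net in RFC1918)
        if r["established"] == r["attempts"]:
            r["verdict"] = "ok"
        elif r["stalled"] == r["attempts"]:
            # Inbound packets arrive, but no attempt ever finishes: look at the
            # server -> client direction and at what happens to later packets.
            r["verdict"] = "handshake_stalled"
        elif r["stalled"]:
            r["verdict"] = "intermittent"
        else:
            r["verdict"] = "incomplete"  # log ends before an outcome was recorded
    return report


if __name__ == "__main__":
    for ip, summary in triage(SAMPLE_LOG).items():
        print(ip, summary)
```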
 
increase the verbosity so you can see what the mtu settings are on connect. you probably need to set this
 
Hi sinshiva, thanks for your time and suggestion. It does make a lot of sense.

I have been trying to increase the verbosity on the client side but the command goes to the "unused options" list, and I didn't find anything related to it in the preferences inside OpenVPN Connect.

Do you know any other way to increase verbosity?
 
Hi sinshiva, thanks for your time and suggestion. It does make a lot of sense.

I have been trying to increase the verbosity on the client side but the command goes to the "unused options" list, and I didn't find anything related to it in the preferences inside OpenVPN Connect.

Do you know any other way to increase verbosity?

i use 'OpenVPN for Android'
 
Thanks a lot!!! It seems it is a problem with the official openVPN client only. I had to reconfigure everything manually on the client you suggested but it worked on the first try.

So this is the log I got, in case you are interested. In short, MTU is set to 1500. After lunch I'll try forcing MTU to this value on the other program, just to see what happens... Again, Thank you so much! If I don't get anywhere with this, I might start looking for another client on the iPad...


Part 1/2:
Code:
2014-03-08 13:12:42 Running on GT-I9505G (MSM8960) samsung, Android API 19, version 0.6.10, official build
2014-03-08 13:12:47 Building configuration…
2014-03-08 13:12:50 started Socket Thread
2014-03-08 13:12:50 Network Status: CONNECTED  to WIFI "xxxxx"
2014-03-08 13:12:50 P:Initializing Google Breakpad!
2014-03-08 13:12:50 Current Parameter Settings:
2014-03-08 13:12:50   config = '/data/data/de.blinkt.openvpn/cache/android.conf'
2014-03-08 13:12:50   mode = 0
2014-03-08 13:12:50   show_ciphers = DISABLED
2014-03-08 13:12:50   show_digests = DISABLED
2014-03-08 13:12:50   show_engines = DISABLED
2014-03-08 13:12:50   genkey = DISABLED
2014-03-08 13:12:50   key_pass_file = '[UNDEF]'
2014-03-08 13:12:50   show_tls_ciphers = DISABLED
2014-03-08 13:12:50   connect_retry_max = 2
2014-03-08 13:12:50 Connection profiles [0]:
2014-03-08 13:12:50   proto = udp
2014-03-08 13:12:50   local = '[UNDEF]'
2014-03-08 13:12:50   local_port = '[UNDEF]'
2014-03-08 13:12:50   remote = 'xxxxx.asuscomm.com'
2014-03-08 13:12:50   remote_port = '1194'
2014-03-08 13:12:50   remote_float = ENABLED
2014-03-08 13:12:50   bind_defined = DISABLED
2014-03-08 13:12:50   bind_local = DISABLED
2014-03-08 13:12:50   bind_ipv6_only = DISABLED
2014-03-08 13:12:50   connect_retry_seconds = 5
2014-03-08 13:12:50   connect_timeout = 10
2014-03-08 13:12:50   socks_proxy_server = '[UNDEF]'
2014-03-08 13:12:50   socks_proxy_port = '[UNDEF]'
2014-03-08 13:12:50   socks_proxy_retry = DISABLED
2014-03-08 13:12:50   tun_mtu = 1500
2014-03-08 13:12:50   tun_mtu_defined = ENABLED
2014-03-08 13:12:50   link_mtu = 1500
2014-03-08 13:12:50   link_mtu_defined = DISABLED
2014-03-08 13:12:50   tun_mtu_extra = 0
2014-03-08 13:12:50   tun_mtu_extra_defined = DISABLED
2014-03-08 13:12:50   mtu_discover_type = -1
2014-03-08 13:12:50   fragment = 0
2014-03-08 13:12:50   mssfix = 1450
2014-03-08 13:12:50   explicit_exit_notification = 0
2014-03-08 13:12:50 Connection profiles END
2014-03-08 13:12:50   remote_random = DISABLED
2014-03-08 13:12:50   ipchange = '[UNDEF]'
2014-03-08 13:12:50   dev = 'tun'
2014-03-08 13:12:50   dev_type = '[UNDEF]'
2014-03-08 13:12:50   dev_node = '[UNDEF]'
2014-03-08 13:12:50   lladdr = '[UNDEF]'
2014-03-08 13:12:50   topology = 1
2014-03-08 13:12:50   tun_ipv6 = DISABLED
2014-03-08 13:12:50   ifconfig_local = '[UNDEF]'
2014-03-08 13:12:50   ifconfig_remote_netmask = '[UNDEF]'
2014-03-08 13:12:50   ifconfig_noexec = DISABLED
2014-03-08 13:12:50   ifconfig_nowarn = DISABLED
2014-03-08 13:12:50   ifconfig_ipv6_local = '[UNDEF]'
2014-03-08 13:12:50   ifconfig_ipv6_netbits = 0
2014-03-08 13:12:50   ifconfig_ipv6_remote = '[UNDEF]'
2014-03-08 13:12:50   shaper = 0
2014-03-08 13:12:50   mtu_test = 0
2014-03-08 13:12:50   mlock = DISABLED
2014-03-08 13:12:50   keepalive_ping = 0
2014-03-08 13:12:50   keepalive_timeout = 0
2014-03-08 13:12:50   inactivity_timeout = 0
2014-03-08 13:12:50   ping_send_timeout = 0
2014-03-08 13:12:50   ping_rec_timeout = 0
2014-03-08 13:12:50   ping_rec_timeout_action = 0
2014-03-08 13:12:50   ping_timer_remote = DISABLED
2014-03-08 13:12:50   remap_sigusr1 = 0
2014-03-08 13:12:50   persist_tun = ENABLED
2014-03-08 13:12:50   persist_local_ip = DISABLED
2014-03-08 13:12:50   persist_remote_ip = DISABLED
2014-03-08 13:12:50   persist_key = DISABLED
2014-03-08 13:12:50   passtos = DISABLED
2014-03-08 13:12:50   resolve_retry_seconds = 60
2014-03-08 13:12:50   resolve_in_advance = ENABLED
2014-03-08 13:12:50   username = '[UNDEF]'
2014-03-08 13:12:50   groupname = '[UNDEF]'
2014-03-08 13:12:50   chroot_dir = '[UNDEF]'
2014-03-08 13:12:50   cd_dir = '[UNDEF]'
2014-03-08 13:12:50   writepid = '[UNDEF]'
2014-03-08 13:12:50   up_script = '[UNDEF]'
2014-03-08 13:12:50   down_script = '[UNDEF]'
2014-03-08 13:12:50   down_pre = DISABLED
2014-03-08 13:12:50   up_restart = DISABLED
2014-03-08 13:12:50   up_delay = DISABLED
2014-03-08 13:12:50   daemon = DISABLED
2014-03-08 13:12:50   inetd = 0
2014-03-08 13:12:50   log = DISABLED
2014-03-08 13:12:50   suppress_timestamps = DISABLED
2014-03-08 13:12:50   machine_readable_output = ENABLED
2014-03-08 13:12:50   nice = 0
2014-03-08 13:12:50   verbosity = 4
2014-03-08 13:12:50   mute = 0
2014-03-08 13:12:50   gremlin = 0
2014-03-08 13:12:50   status_file = '[UNDEF]'
2014-03-08 13:12:50   status_file_version = 1
2014-03-08 13:12:50   status_file_update_freq = 60
2014-03-08 13:12:50   occ = ENABLED
2014-03-08 13:12:50   rcvbuf = 65536
2014-03-08 13:12:50   sndbuf = 65536
2014-03-08 13:12:50   sockflags = 0
2014-03-08 13:12:50   fast_io = DISABLED
2014-03-08 13:12:50   comp.alg = 2
2014-03-08 13:12:50   comp.flags = 1
2014-03-08 13:12:50   route_script = '[UNDEF]'
2014-03-08 13:12:50   route_default_gateway = '[UNDEF]'
2014-03-08 13:12:50   route_default_metric = 0
2014-03-08 13:12:50   route_noexec = DISABLED
2014-03-08 13:12:50   route_delay = 0
2014-03-08 13:12:50   route_delay_window = 30
2014-03-08 13:12:50   route_delay_defined = DISABLED
2014-03-08 13:12:50   route_nopull = DISABLED
2014-03-08 13:12:50   route_gateway_via_dhcp = DISABLED
2014-03-08 13:12:50   allow_pull_fqdn = DISABLED
2014-03-08 13:12:50   route 0.0.0.0/0.0.0.0/vpn_gateway/nil
2014-03-08 13:12:50   management_addr = '/data/data/de.blinkt.openvpn/cache/mgmtsocket'
2014-03-08 13:12:50   management_port = 'unix'
2014-03-08 13:12:50   management_user_pass = '[UNDEF]'
2014-03-08 13:12:50   management_log_history_cache = 250
2014-03-08 13:12:50   management_echo_buffer_size = 100
2014-03-08 13:12:50   management_write_peer_info_file = '[UNDEF]'
2014-03-08 13:12:50   management_client_user = '[UNDEF]'
2014-03-08 13:12:50   management_client_group = '[UNDEF]'
2014-03-08 13:12:50   management_flags = 294
2014-03-08 13:12:50   shared_secret_file = '[UNDEF]'
2014-03-08 13:12:50   key_direction = 0
2014-03-08 13:12:50   ciphername_defined = ENABLED
2014-03-08 13:12:50   ciphername = 'aes-256-cbc'
2014-03-08 13:12:50   authname_defined = ENABLED
2014-03-08 13:12:50   authname = 'SHA1'
2014-03-08 13:12:50   prng_hash = 'SHA1'
2014-03-08 13:12:50   prng_nonce_secret_len = 16
2014-03-08 13:12:50   keysize = 0
2014-03-08 13:12:50   engine = DISABLED
2014-03-08 13:12:50   replay = ENABLED
2014-03-08 13:12:50   mute_replay_warnings = DISABLED
2014-03-08 13:12:50   replay_window = 64
2014-03-08 13:12:50   replay_time = 15
2014-03-08 13:12:50   packet_id_file = '[UNDEF]'
2014-03-08 13:12:50   use_iv = ENABLED
2014-03-08 13:12:50   test_crypto = DISABLED
2014-03-08 13:12:50   tls_server = DISABLED
2014-03-08 13:12:50   tls_client = ENABLED
2014-03-08 13:12:50   key_method = 2
2014-03-08 13:12:50   ca_file = '[[INLINE]]'
2014-03-08 13:12:50   ca_path = '[UNDEF]'
2014-03-08 13:12:50   dh_file = '[UNDEF]'
2014-03-08 13:12:50   cert_file = '[[INLINE]]'
2014-03-08 13:12:50   priv_key_file = '[[INLINE]]'
2014-03-08 13:12:50   pkcs12_file = '[UNDEF]'
2014-03-08 13:12:50   cipher_list = '[UNDEF]'
2014-03-08 13:12:50   tls_verify = '[UNDEF]'
2014-03-08 13:12:50   tls_export_cert = '[UNDEF]'
2014-03-08 13:12:50   verify_x509_type = 0
2014-03-08 13:12:50   verify_x509_name = '[UNDEF]'
2014-03-08 13:12:50   crl_file = '[UNDEF]'
2014-03-08 13:12:50   ns_cert_type = 0
2014-03-08 13:12:50   remote_cert_ku[i] = 160
2014-03-08 13:12:50   remote_cert_ku[i] = 136
2014-03-08 13:12:50   remote_cert_ku[i] = 0
2014-03-08 13:12:50   remote_cert_ku[i] = 0
2014-03-08 13:12:50   remote_cert_ku[i] = 0
2014-03-08 13:12:50   remote_cert_ku[i] = 0
2014-03-08 13:12:50   remote_cert_ku[i] = 0
2014-03-08 13:12:50   remote_cert_ku[i] = 0
2014-03-08 13:12:50   remote_cert_ku[i] = 0
2014-03-08 13:12:50   remote_cert_ku[i] = 0
2014-03-08 13:12:50   remote_cert_ku[i] = 0
2014-03-08 13:12:50   remote_cert_ku[i] = 0
2014-03-08 13:12:50   remote_cert_ku[i] = 0
2014-03-08 13:12:50   remote_cert_ku[i] = 0
2014-03-08 13:12:50   remote_cert_ku[i] = 0
2014-03-08 13:12:50   remote_cert_ku[i] = 0
2014-03-08 13:12:50   remote_cert_eku = 'TLS Web Server Authentication'
2014-03-08 13:12:50   ssl_flags = 0
2014-03-08 13:12:50   tls_timeout = 2
2014-03-08 13:12:50   renegotiate_bytes = 0
2014-03-08 13:12:50   renegotiate_packets = 0
2014-03-08 13:12:50   renegotiate_seconds = 3600
2014-03-08 13:12:50   handshake_window = 60
2014-03-08 13:12:50   transition_window = 3600
2014-03-08 13:12:50   single_session = DISABLED
2014-03-08 13:12:50   push_peer_info = DISABLED
2014-03-08 13:12:50   tls_exit = DISABLED
2014-03-08 13:12:50   tls_auth_file = '[UNDEF]'
2014-03-08 13:12:50   client = ENABLED
2014-03-08 13:12:50   pull = ENABLED
2014-03-08 13:12:50   auth_user_pass_file = '[UNDEF]'
 
Part 2/2:
Code:
2014-03-08 13:12:50 OpenVPN 2.4-icsopenvpn [git:icsopenvpn_70-078981e61dfdf105] android-14-armeabi-v7a [SSL (OpenSSL)] [LZO] [SNAPPY] [LZ4] [EPOLL] [MH] [IPv6] built on Mar  2 2014
2014-03-08 13:12:50 MANAGEMENT: Connected to management server at /data/data/de.blinkt.openvpn/cache/mgmtsocket
2014-03-08 13:12:50 MANAGEMENT: CMD 'hold release'
2014-03-08 13:12:50 LZO compression initializing
2014-03-08 13:12:50 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
2014-03-08 13:12:51 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:395 ET:0 EL:0 ]
2014-03-08 13:12:51 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
2014-03-08 13:12:51 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
2014-03-08 13:12:51 Local Options hash (VER=V4): '22188c5b'
2014-03-08 13:12:51 Expected Remote Options hash (VER=V4): 'a8f55717'
2014-03-08 13:12:51 TCP/UDP: Preserving recently used remote address: [AF_INET]XX.XX.XX.XX:1194 <--(PUBLIC SERVER IP)
2014-03-08 13:12:51 Socket Buffers: R=[163840->131072] S=[163840->131072]
2014-03-08 13:12:51 Protecting socket fd 4
2014-03-08 13:12:51 MANAGEMENT: CMD 'bytecount 2'
2014-03-08 13:12:51 MANAGEMENT: CMD 'state on'
2014-03-08 13:12:51 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2014-03-08 13:12:51 UDP link local: (not bound)
2014-03-08 13:12:51 UDP link remote: [AF_INET]XX.XX.XX.XX:1194 <--(PUBLIC SERVER IP)
2014-03-08 13:12:51 MANAGEMENT: >STATE:1394302371,WAIT,,,
2014-03-08 13:12:51 MANAGEMENT: >STATE:1394302371,AUTH,,,
2014-03-08 13:12:51 TLS: Initial packet from [AF_INET]XX.XX.XX.XX:1194, sid=9bff0c22 b226468f <-- (PRIVATE SERVER IP)
2014-03-08 13:12:54 VERIFY OK: depth=1, C=XX, ST=XX, L=XX, O=XX, OU=changeme, CN=CA, name=changeme, emailAddress=XX@XX.org
2014-03-08 13:12:54 Validating certificate key usage
2014-03-08 13:12:54 ++ Certificate has key usage  00a0, expects 00a0
2014-03-08 13:12:54 VERIFY KU OK
2014-03-08 13:12:54 Validating certificate extended key usage
2014-03-08 13:12:54 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2014-03-08 13:12:54 VERIFY EKU OK
2014-03-08 13:12:54 VERIFY OK: depth=0, C=XX, ST=XX, L=XX, O=XX, OU=changeme, CN=Server, name=changeme, emailAddress=XX@XX.org
2014-03-08 13:12:58 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2014-03-08 13:12:58 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2014-03-08 13:12:58 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2014-03-08 13:12:58 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2014-03-08 13:12:58 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
2014-03-08 13:12:58 [Server] Peer Connection Initiated with [AF_INET]XX.XX.XX.XX:1194 <-- (PRIVATE SERVER IP)
2014-03-08 13:12:59 MANAGEMENT: >STATE:1394302379,GET_CONFIG,,,
2014-03-08 13:13:00 SENT CONTROL [Server]: 'PUSH_REQUEST' (status=1)
2014-03-08 13:13:00 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 15,ping-restart 60,ifconfig 10.8.0.10 10.8.0.9'
2014-03-08 13:13:00 OPTIONS IMPORT: timers and/or timeouts modified
2014-03-08 13:13:00 OPTIONS IMPORT: --ifconfig/up options modified
2014-03-08 13:13:00 OPTIONS IMPORT: route options modified
2014-03-08 13:13:00 ROUTE_GATEWAY XX.XX.XX.XX/255.255.255.0 IFACE=wlan0 HWADDR=XX:XX:XX:1a:f5:85 <-- (PRIVATE SERVER IP)
2014-03-08 13:13:00 ROUTE6: default_gateway=UNDEF
2014-03-08 13:13:00 OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
2014-03-08 13:13:00 OpenVPN ROUTE: failed to parse/resolve route for host/network: ::/0
2014-03-08 13:13:00 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2014-03-08 13:13:00 MANAGEMENT: >STATE:1394302380,ASSIGN_IP,,10.8.0.10,
2014-03-08 13:13:00 MANAGEMENT: CMD 'needok 'IFCONFIG' ok'
2014-03-08 13:13:00 MANAGEMENT: >STATE:1394302380,ADD_ROUTES,,,
2014-03-08 13:13:00 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2014-03-08 13:13:00 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2014-03-08 13:13:00 MANAGEMENT: CMD 'needok 'PERSIST_TUN_ACTION' OPEN_AFTER_CLOSE'
2014-03-08 13:13:00 Opening tun interface:
2014-03-08 13:13:00 Local IPv4: 10.8.0.10/30 IPv6: null MTU: 1500
2014-03-08 13:13:00 DNS Server: , Domain: null
2014-03-08 13:13:00 Routes: 0.0.0.0/0, 10.8.0.1/32 
2014-03-08 13:13:00 Routes excluded:  
2014-03-08 13:13:00 VpnService routes installed: 0.0.0.0/0 
2014-03-08 13:13:00 No DNS servers being used. Name resolution may not work. Consider setting custom DNS Servers. Please also note that Android will keep using your proxy settings specified for your mobile/Wi-Fi connection when no DNS servers are set.
2014-03-08 13:13:01 MANAGEMENT: CMD 'needok 'OPENTUN' ok'
2014-03-08 13:13:01 Initialization Sequence Completed
2014-03-08 13:13:01 MANAGEMENT: >STATE:1394302381,CONNECTED,SUCCESS,10.8.0.10,XX.XX.XX.XX <-- (PRIVATE SERVER IP)
 
as i understand it, when either link-mtu or tun-mtu is specified, one is derived from the other. link-mtu i believe is supposed to be the same as the wan mtu however i'm not entirely confident in using link-mtu.

most people should just use tun-mtu 1400 and with fragment 1396 and mssfix with a udp vpn for the sake of simplicity
 
