Anyone know what this is? I know it's QoS, but what is the problem?
It turns out that Client 2 on my AC3100 is unable to connect to an OpenVPN server on an AC68U. I can, however, connect to the AC68U using the Android OpenVPN app: I can import the server .ovpn file to my phone and it works excellently. With the same config on the router, in Client 2 or in Client 3, it screws my whole router up if I connect. Sometimes I have to manually reboot. The weird thing is that while the connection is being attempted it kills the Internet, sometimes, sometimes not. It always kills access to my router GUI. My server on the AC3100 works great. The server on the AC68U works great. I cannot connect router to router over OpenVPN.
Oh! Awesome! Thanks for this release. Have it installed on my RT-N66U B1. Seems to be working ok so far. Did not have time to do a factory reset with it being New Years. I will do that tomorrow when I am hung over and have nothing better to do.
Have you tried using one Asus router as a server and the other as a client? I'm using Client2 and Client3 on this RT-AC66_B1 for my OpenVPN tests and they both connect fine. Please post your log output.
Here are the connection logs; please find something, it's driving me crazy!!!
Dec 31 22:32:27 rc_service: httpds 398:notify_rc start_vpnclient3
Dec 31 22:32:28 ovpn-client3[6787]: OpenVPN 2.4.4 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 29 2017
Dec 31 22:32:28 ovpn-client3[6787]: library versions: OpenSSL 1.0.2n 7 Dec 2017, LZO 2.08
Dec 31 22:32:28 ovpn-client3[6788]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 31 22:32:28 ovpn-client3[6788]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 31 22:32:28 ovpn-client3[6788]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 31 22:32:28 ovpn-client3[6788]: TCP/UDP: Preserving recently used remote address: [AF_INET]70.64.208.255:1194
Dec 31 22:32:28 ovpn-client3[6788]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Dec 31 22:32:28 ovpn-client3[6788]: UDP link local: (not bound)
Dec 31 22:32:28 ovpn-client3[6788]: UDP link remote: [AF_INET]70.64.208.255:1194
Dec 31 22:32:28 ovpn-client3[6788]: TLS: Initial packet from [AF_INET]70.64.208.255:1194, sid=7979ce6f 8b363e77
Dec 31 22:32:28 ovpn-client3[6788]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Dec 31 22:32:28 ovpn-client3[6788]: VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC68U, emailAddress=me@myhost.mydomain
Dec 31 22:32:28 ovpn-client3[6788]: VERIFY KU OK
Dec 31 22:32:28 ovpn-client3[6788]: Validating certificate extended key usage
Dec 31 22:32:28 ovpn-client3[6788]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Dec 31 22:32:28 ovpn-client3[6788]: VERIFY EKU OK
Dec 31 22:32:28 ovpn-client3[6788]: VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC68U, emailAddress=me@myhost.mydomain
Dec 31 22:32:29 ovpn-client3[6788]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Dec 31 22:32:29 ovpn-client3[6788]: [RT-AC68U] Peer Connection Initiated with [AF_INET]70.64.208.255:1194
Dec 31 22:32:30 ovpn-client3[6788]: SENT CONTROL [RT-AC68U]: 'PUSH_REQUEST' (status=1)
Dec 31 22:32:30 ovpn-client3[6788]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0 vpn_gateway 500,dhcp-option DNS 192.168.1.1,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-128-GCM'
Dec 31 22:32:30 ovpn-client3[6788]: OPTIONS IMPORT: timers and/or timeouts modified
Dec 31 22:32:30 ovpn-client3[6788]: OPTIONS IMPORT: --ifconfig/up options modified
Dec 31 22:32:30 ovpn-client3[6788]: OPTIONS IMPORT: route options modified
Dec 31 22:32:30 ovpn-client3[6788]: OPTIONS IMPORT: route-related options modified
Dec 31 22:32:30 ovpn-client3[6788]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Dec 31 22:32:30 ovpn-client3[6788]: OPTIONS IMPORT: peer-id set
Dec 31 22:32:30 ovpn-client3[6788]: OPTIONS IMPORT: adjusting link_mtu to 1625
Dec 31 22:32:30 ovpn-client3[6788]: OPTIONS IMPORT: data channel crypto options modified
Dec 31 22:32:30 ovpn-client3[6788]: Data Channel: using negotiated cipher 'AES-128-GCM'
Dec 31 22:32:30 ovpn-client3[6788]: Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Dec 31 22:32:30 ovpn-client3[6788]: Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Dec 31 22:32:30 ovpn-client3[6788]: TUN/TAP device tun13 opened
Dec 31 22:32:30 ovpn-client3[6788]: TUN/TAP TX queue length set to 100
Dec 31 22:32:30 ovpn-client3[6788]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Dec 31 22:32:30 ovpn-client3[6788]: /usr/sbin/ip link set dev tun13 up mtu 1500
Dec 31 22:32:30 ovpn-client3[6788]: /usr/sbin/ip addr add dev tun13 10.8.0.2/24 broadcast 10.8.0.255
Dec 31 22:32:32 ovpn-client3[6788]: /usr/sbin/ip route add 70.64.208.255/32 via 142.165.14.254
Dec 31 22:32:32 ovpn-client3[6788]: /usr/sbin/ip route add 0.0.0.0/1 via 10.8.0.1
Dec 31 22:32:32 ovpn-client3[6788]: /usr/sbin/ip route add 128.0.0.0/1 via 10.8.0.1
Dec 31 22:32:32 ovpn-client3[6788]: /usr/sbin/ip route add 192.168.1.0/24 metric 500 via 10.8.0.1
Dec 31 22:32:32 custom_script: Running /jffs/scripts/openvpn-event (args: tun13 1500 1553 10.8.0.2 )
Dec 31 22:32:32 ovpn-client3[6788]: Initialization Sequence Completed
Cannot show you this, as when I engage the VPN it locks up the AC3100.
Have you tried using one asus router as a server and the other as client?
Strange, this worked with the latest alpha..... hmmmm.
That would be a completely different issue from the inability to use client 2/client 3 that you initially reported.
I have never done site-to-site tunnels, so I can't help you with that type of configuration, sorry.
Relax, and breathe people... This is just OpenVPN-specific, no need to start panicking as if the sky was falling.
The issue is caused by the following rule in the FORWARD chain which is blocking traffic before it can get accepted by the OVPN chain:
20 7730 DROP all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0
Hi, are you able to paste your iptables rules here?
iptables -S
I just want to see the order... thanks.
Can anyone with a working OpenVPN in 382.2 beta paste their iptables output for reference? Thx.
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ACCESS_RESTRICTION
-N FUPNP
-N INPUT_ICMP
-N NSFW
-N OVPN
-N PControls
-N PTCSRVLAN
-N PTCSRVWAN
-N SECURITY
-N default_block
-N logaccept
-N logdrop
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j logdrop
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j logdrop
-A INPUT ! -i br0 -j PTCSRVWAN
-A INPUT -i br0 -j PTCSRVLAN
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -m state --state NEW -j OVPN
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8082 -j DROP
-A INPUT -p tcp -m tcp --dport 9443 -j ACCEPT
-A INPUT -p icmp -j INPUT_ICMP
-A INPUT -j logdrop
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i br0 -o eth0 -j logdrop
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -j NSFW
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -m state --state NEW -j OVPN
-A FORWARD -i br0 -j ACCEPT
-A FUPNP -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 32400 -j ACCEPT
-A FUPNP -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 49163 -j ACCEPT
-A FUPNP -d xxx.xxx.xxx.xxx/32 -p tcp -m tcp --dport 4433 -j ACCEPT
-A FUPNP -d xxx.xxx.xxx.xxx/32 -p udp -m udp --dport 49163 -j ACCEPT
-A INPUT_ICMP -p icmp -m icmp --icmp-type 8 -j RETURN
-A INPUT_ICMP -p icmp -m icmp --icmp-type 13 -j RETURN
-A INPUT_ICMP -p icmp -j ACCEPT
-A OVPN -i tun21 -j ACCEPT
-A OVPN -i tun11 -j ACCEPT
-A PControls -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j logdrop
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j logdrop
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j logdrop
-A SECURITY -j RETURN
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -i eth0 -m set --match-set Whitelist src -j ACCEPT
-A logdrop -i eth0 -p tcp -m multiport --sports 80,443,143,993,110,995,25,465 -m state --state INVALID -j DROP
-A logdrop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A logdrop -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A logdrop -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,ACK -j ACCEPT
-A logdrop -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,ACK -j ACCEPT
-A logdrop -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST -j ACCEPT
-A logdrop -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG RST,ACK -j ACCEPT
-A logdrop -i eth0 -m state --state INVALID -j LOG --log-prefix "[BLOCKED - NEW BAN] " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -i eth0 -m state --state INVALID -j SET --add-set Skynet src
-A logdrop -j DROP
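As an added illustration (not Asuswrt-Merlin code and not posted by anyone in the thread), a tiny first-match evaluator over the FORWARD chain in the order shown in the iptables -S output above. It shows why a packet from a tunnel client bound for the LAN (tun11 -> br0) reaches the OVPN chain and is accepted, while the same client's WAN-bound packet (tun11 -> eth0) is caught by the "! -i br0 -o eth0 -j logdrop" rule before the OVPN jump is ever reached, which is the ordering problem described earlier in the thread. The reordered variant is a hypothetical to expose the ordering dependency, not the actual fix that shipped; packet fields and the logdrop chain are simplified.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    """Simplified forwarded packet: ingress/egress interface, conntrack state, DNAT flag."""
    in_if: str
    out_if: str
    state: str = "NEW"
    dnat: bool = False

# Each rule is (match predicate, target); a target that is not ACCEPT/DROP
# names a user-defined chain, which is walked and falls through on RETURN.
# FORWARD order is copied from the iptables -S output posted in the thread.
CHAINS = {
    "FORWARD": [
        (lambda p: p.state in ("RELATED", "ESTABLISHED"), "ACCEPT"),
        (lambda p: p.in_if != "br0" and p.out_if == "eth0", "logdrop"),  # ! -i br0 -o eth0
        (lambda p: p.state == "INVALID", "logdrop"),
        (lambda p: p.in_if == "br0" and p.out_if == "br0", "ACCEPT"),
        (lambda p: True, "NSFW"),
        (lambda p: p.dnat, "ACCEPT"),
        (lambda p: p.state == "NEW", "OVPN"),
        (lambda p: p.in_if == "br0", "ACCEPT"),
    ],
    "NSFW": [],  # created with -N but has no rules, so it just RETURNs
    "OVPN": [(lambda p: p.in_if == "tun21", "ACCEPT"),
             (lambda p: p.in_if == "tun11", "ACCEPT")],
    # logdrop's ICMP/TCP-flag exceptions are omitted: a plain NEW SYN ends in DROP
    "logdrop": [(lambda p: True, "DROP")],
}
TERMINAL = {"ACCEPT", "DROP"}

def verdict(pkt, chains=CHAINS, chain="FORWARD", policy="DROP"):
    """First-match walk; returns ACCEPT/DROP, or the chain policy if nothing matched."""
    for match, target in chains[chain]:
        if not match(pkt):
            continue
        if target in TERMINAL:
            return target
        sub = verdict(pkt, chains, target, policy=None)  # user chain: None means RETURN
        if sub is not None:
            return sub
    return policy

def reordered_chains():
    """Hypothetical variant (assumption, not the shipped fix): OVPN jump moved ahead of the drop."""
    fwd = list(CHAINS["FORWARD"])
    fwd.insert(1, fwd.pop(6))
    return {**CHAINS, "FORWARD": fwd}

if __name__ == "__main__":
    for p in (Pkt("tun11", "br0"), Pkt("tun11", "eth0"), Pkt("br0", "eth0")):
        print(p.in_if, "->", p.out_if, verdict(p), "/ reordered:", verdict(p, reordered_chains()))
```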
"Direct clients to redirect Internet traffic" works for you?