[Help] Problems setting up OpenVPN

[Thookie]

Hello together,

I have a RT-AC68U running Merlin 386.14 and am trying to set up an OpenVPN Client with the config file that was provided to me by my VPN provider (Mullvad, https://mullvad.net/de/account/openvpn-config?platform=linux). After importing the config file (see below), adding username & password and adding the Keys and Certificates the VPN won't start because of an error (see log below). I am sadly not that knowledgeable about VPNs so I was hoping someone could help me solve the issue.

Log (removed some IPs because I am not sure wich might be mine):

Oct 16 21:02:07 rc_service: httpd 452:notify_rc start_vpnclient1
Oct 16 21:02:08 ovpn-client1[18966]: OpenVPN 2.6.10 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Oct 16 21:02:08 ovpn-client1[18966]: library versions: OpenSSL 1.1.1w  11 Sep 2023, LZO 2.08
Oct 16 21:02:08 ovpn-client1[18967]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 16 21:02:08 ovpn-client1[18967]: TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1195
Oct 16 21:02:08 ovpn-client1[18967]: Socket Buffers: R=[122880->245760] S=[122880->245760]
Oct 16 21:02:08 ovpn-client1[18967]: UDPv4 link local: (not bound)
Oct 16 21:02:08 ovpn-client1[18967]: UDPv4 link remote: [AF_INET]XXX.XXX.XXX.XXX:1195
Oct 16 21:02:08 ovpn-client1[18967]: TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:1195, sid=36ef92c6 a69fc06b
Oct 16 21:02:08 ovpn-client1[18967]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Oct 16 21:02:09 ovpn-client1[18967]: VERIFY OK: depth=2, C=SE, ST=Gotaland, L=Gothenburg, O=Amagicom AB, OU=Mullvad, CN=Mullvad Root CA v2, emailAddress=security@mullvad.net
Oct 16 21:02:09 ovpn-client1[18967]: VERIFY OK: depth=1, C=SE, ST=Gotaland, O=Amagicom AB, OU=Mullvad, CN=Mullvad Intermediate CA v7, emailAddress=security@mullvad.net
Oct 16 21:02:09 ovpn-client1[18967]: VERIFY KU OK
Oct 16 21:02:09 ovpn-client1[18967]: Validating certificate extended key usage
Oct 16 21:02:09 ovpn-client1[18967]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Oct 16 21:02:09 ovpn-client1[18967]: VERIFY EKU OK
Oct 16 21:02:09 ovpn-client1[18967]: VERIFY OK: depth=0, C=SE, ST=Gotaland, O=Amagicom AB, OU=Mullvad, CN=de-fra-ovpn-004.mullvad.net, emailAddress=security@mullvad.net
Oct 16 21:02:09 ovpn-client1[18967]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 4096 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
Oct 16 21:02:09 ovpn-client1[18967]: [de-fra-ovpn-004.mullvad.net] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1195
Oct 16 21:02:09 ovpn-client1[18967]: TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Oct 16 21:02:09 ovpn-client1[18967]: TLS: tls_multi_process: initial untrusted session promoted to trusted
Oct 16 21:02:10 ovpn-client1[18967]: SENT CONTROL [de-fra-ovpn-004.mullvad.net]: 'PUSH_REQUEST' (status=1)
Oct 16 21:02:10 ovpn-client1[18967]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.9.0.1,redirect-gateway def1 bypass-dhcp,route-ipv6 0000::/2,route-ipv6 4000::/2,route-ipv6 8000::/2,route-ipv6 C000::/2,route-gateway 10.9.0.1,topology subnet,socket-flags TCP_NODELAY,ifconfig-ipv6 fdda:d0d0:cafe:1195::1007/64 fdda:d0d0:cafe:1195::,ifconfig 10.9.0.9 255.255.0.0,peer-id 7,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'
Oct 16 21:02:10 ovpn-client1[18967]: OPTIONS IMPORT: --socket-flags option modified
Oct 16 21:02:10 ovpn-client1[18967]: NOTE: setsockopt TCP_NODELAY=1 failed
Oct 16 21:02:10 ovpn-client1[18967]: OPTIONS IMPORT: --ifconfig/up options modified
Oct 16 21:02:10 ovpn-client1[18967]: OPTIONS IMPORT: route options modified
Oct 16 21:02:10 ovpn-client1[18967]: OPTIONS IMPORT: route-related options modified
Oct 16 21:02:10 ovpn-client1[18967]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Oct 16 21:02:10 ovpn-client1[18967]: OPTIONS IMPORT: tun-mtu set to 1500
Oct 16 21:02:10 ovpn-client1[18967]: GDG6: remote_host_ipv6=n/a
Oct 16 21:02:10 ovpn-client1[18967]: net_route_v6_best_gw query: dst ::
Oct 16 21:02:10 ovpn-client1[18967]: net_route_v6_best_gw result: via :: dev lo
Oct 16 21:02:10 ovpn-client1[18967]: TUN/TAP device tun11 opened
Oct 16 21:02:10 ovpn-client1[18967]: TUN/TAP TX queue length set to 1000
Oct 16 21:02:10 ovpn-client1[18967]: /usr/sbin/ip link set dev tun11 up mtu 1500
Oct 16 21:02:10 ovpn-client1[18967]: /usr/sbin/ip link set dev tun11 up
Oct 16 21:02:10 ovpn-client1[18967]: /usr/sbin/ip addr add dev tun11 10.9.0.9/16
Oct 16 21:02:10 ovpn-client1[18967]: Linux ip addr add failed: external program exited with error status: 2
Oct 16 21:02:10 ovpn-client1[18967]: Exiting due to fatal error

config:

client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
remote-cert-tls server
ping 10
ping-restart 60
sndbuf 524288
rcvbuf 524288
cipher AES-256-GCM
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
proto udp
auth-user-pass mullvad_userpass.txt
ca mullvad_ca.crt
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
fast-io
remote-random
remote 146.70.117.66 1195 # de-fra-ovpn-101
remote 185.213.155.70 1195 # de-fra-ovpn-005
remote 185.213.155.66 1195 # de-fra-ovpn-001
remote 185.213.155.68 1195 # de-fra-ovpn-003
remote 193.32.248.72 1195 # de-ber-ovpn-001
remote 185.213.155.67 1195 # de-fra-ovpn-002
remote 146.70.117.98 1195 # de-fra-ovpn-102
remote 185.213.155.69 1195 # de-fra-ovpn-004

Best regards
Thore

 

[eibgrad]

Not sure if by "config" that's what ended up in the custom config field, or an actual dump of the underlying config file.

If the import placed anything in the custom config field, remove it and try again. If that works, then try adding back the remote-random and remote directives to custom config. If that works, leave it as it is.

 

[Thookie]

config is the config file that Mullvad provided. tryed to remove everything in custom config then the Error changes but it still does not work.

new Error:

Oct 16 23:23:33 ovpn-client1[31643]: Linux ip -6 addr add failed: external program exited with error status: 2
Oct 16 23:23:33 ovpn-client1[31643]: Exiting due to fatal error

also there was an up script provided by Mullvad but i found no way to upload it, maybe this is needed for the connection to work?

content of up script:

#!/bin/bash
#
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood and Chris Hanson.
# Licensed under the GNU GPL.  See /usr/share/common-licenses/GPL.
#
# Example envs set from openvpn:
#
#     foreign_option_1='dhcp-option DNS 193.43.27.132'
#     foreign_option_2='dhcp-option DNS 193.43.27.133'
#     foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
#

[ -x /sbin/resolvconf ] || exit 0
[ "$script_type" ] || exit 0
[ "$dev" ] || exit 0

split_into_parts()
{
    part1="$1"
    part2="$2"
    part3="$3"
}

case "$script_type" in
  up)
    NMSRVRS=""
    SRCHS=""
    for optionvarname in ${!foreign_option_*} ; do
        option="${!optionvarname}"
        echo "$option"
        split_into_parts $option
        if [ "$part1" = "dhcp-option" ] ; then
            if [ "$part2" = "DNS" ] ; then
                NMSRVRS="${NMSRVRS:+$NMSRVRS }$part3"
            elif [ "$part2" = "DOMAIN" ] ; then
                SRCHS="${SRCHS:+$SRCHS }$part3"
            fi
        fi
    done
    R=""
    [ "$SRCHS" ] && R="search $SRCHS
"
    for NS in $NMSRVRS ; do
            R="${R}nameserver $NS
"
    done
    echo -n "$R" | /sbin/resolvconf -a "${dev}.openvpn"
    ;;
  down)
    /sbin/resolvconf -d "${dev}.openvpn"
    ;;
esac

 

[eibgrad]

Well that's a slightly different error message than before (unless you edited it). That appears to be an attempt to add an IPv6 address. Try adding the following to the custom config field.

pull-filter ignore ifconfig-ipv6
pull-filter ignore route-ipv6
block-ipv6

 

[eibgrad]

You do NOT want to use their up/down script(s). The router already manages the DNS configuration w/ its own scripts. That's why the GUI has the "Accept DNS configuration" setting.

 

[Thookie]

VPN does turn on now after adding the noipv6 stuff, but it seems like my clients are still not using it. Do I need to configure that it should be used somewhere?

 

[eibgrad]

If you have "Redirect internet traffic through tunnel" set to NO (which iirc, is the default), nothing will happen. You either have to use Yes(all) or the VPN Director (and some rules).

 

[Thookie]

Ah I see, weird that it is off by default but now everything works. Thank you so much for your help