Help with StrongVPN configuration

[CrazyCanuck]

Thanks, CrazyCanuck. Glad to know StrongVPN can be made to work. But, I've decided to try ExpressVPN, which supports Asus directly, with no extra work. I've enough work sorting how to restrict tunneling to a separate SSID. The links here are useful, but it entails more fiddling than I've done with that stuff.

Not really, it's only a few things you have to do manually. The certicates and custom config sections can be left alone. It only takes about 2 minutes to manually configure out the rest. Anyways if someone's interested there's the information.

 

[Chinquapin]

Thanks. OK. So, I'm interested, but my ignorance about this is significant. So...care to walk me through this? The script Merlin provides appears to fit my intended us, and can be used as-is. I'm just not sure what to do with it or where to put it or how. Two minutes sounds quick, and I'm sure once I know what to do, it will be that quick.

https://github.com/RMerl/asuswrt-me...or-VPN-and-SSID-for-Regular-ISP-using-OpenVPN.

 

[Lee Banwell]

Not really, it's only a few things you have to do manually. The certicates and custom config sections can be left alone. It only takes about 2 minutes to manually configure out the rest. Anyways if someone's interested there's the information.

Any chance you can give some pics of your routers settings? passwords blurred OFC!

Been try for a while now and cant figure it out. The service goes up but I get -

Mar 11 13:22:37 openvpn[1837]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 11 13:22:37 openvpn[1837]: TLS Error: TLS handshake failed
Mar 11 13:22:37 openvpn[1837]: TCP/UDP: Closing socket
Mar 11 13:22:37 openvpn[1837]: SIGUSR1[soft,tls-error] received, process restarting
Mar 11 13:22:37 openvpn[1837]: Restart pause, 2 second(s)

I've tried it with Firewall off and matched router time to server time but nothing works.

 

[octopus]

TLS Error: TLS handshake failed: is you havent set Extra HMAC authorization (tls-auth) direction right or static key dont match. must be same at both sides, server-client. Server and client dont have any connection.

 

[Lee Banwell]

Thanks for the pointer but that doesn't seem to be it.

The tomato setup referred to earlier in the thread uses 4 keys and suggests that they are included in ovpn file from Strongvpn. Well my OVPN file only contains 2 keys a static key and ca cert. I've tried two different servers and both only supply 2 keys.

 

[octopus]

Client cert and client key is downloading first time you connect to Strong Vpn and saves in config-directory with ca and static key.
Make sure you have set static key direction right, usually on client side to 1.

This indicates error in TLS handling, key or direction. TLS Error: TLS handshake failed

 

[BigDaddy5]

So since this thread is referenced in a few other sites as a how-to, I thought I'd write a clear answer to this question. To figure out how to get StrongVPN's OpenVPN service working, I flashed to tomato, did their auto setup, then went back to Merlin and copied everything StrongVPN automatically setup. Here's what I did:

1) download the .ovpn file and save it somewhere. We'll open it to copy the server key and certificate later.
2) go into your Merlin router GUI, go to VPN, OpenVPN Client.
3) import the .ovpn file
4) verify the settings, I had to make some changes:

Basic Settings:
Stats with WAN: Yes
Interface type: TUN
Protocol: UDP (you can change this if you changed it on StrongVPN. I'd stick with UDP, but iOS doesn't like the UDP .ovpn file so if you changed it for some reason, change your setting to TCP. Default StrongVPN is UDP)
Server Address and Port: should be automatically set
Firewall: automatic
Authorization mode: TLS
Username/Password Authentication: Yes
Copy your username/Pass from StrongVPN Website
Username / Password Auth. Only: No
Extra HMAC authorization: Outgoing (1)
Auth digest: MD5
Create NAT on tunnel: Yes

Advanced Settings:
Global Log verbosity: 4
Poll Interval: 0
Accept DNS Configuration: Exclusive
Encryption cipher: AES 256 CBC (this is the default, change it if you've changed it in StrongVPN)
Compression: Adaptive
TLS Renegotiation Time: 0
Connection Retry: 30
Verify Server Certificate: No
Redirect Internet traffic: All Traffic

5) now open up the .ovpn file in a reader, notepad, etc. we need to verify some info.
Under "advanced Settings" there's a spot for "Custom Configuration". You can delete almost everything there except for:

fragment 1390
hand-window 30
tun-mtu 1500

Confirm those values with your .ovpn file, or just leave whatever you have in the custom configuration.

Add the following two lines to the custom configuration too:
persist-key
ns-cert-type server

6) In Basic Settings, click "Content modification of Keys & Certificates" next to "Authorization Mode"

This brings up a bunch of boxes, but we only need to worry about "Static Key" and "Certificate Authority"

In your .ovpn, copy (no quotes, only for emphasis):

"-----BEGIN OpenVPN Static key V1-----
Bunch of values
-----END OpenVPN Static key V1----"

Paste that in Static Key

Then copy:
"-----BEGIN CERTIFICATE-----
Random Crap
-----END CERTIFICATE-----"

Paste that in Certificate Authority.

7). Apply Settings, and turn on the VPN. This should fix the issues with TLS errors and Client Key authentication errors. I got both as I was playing and is what I have now and it works for me.

Good Luck!