Solved Import an .ovpn file into RT-AX88U (Merlin 386.2.4) ...

[Leguar]

Have changed to another VPN provider. Created a new .ovpn file and tried to import it.
This new file have an extention - "tls-crypt", but it seems not to be imported. The usual
CA, CERT and Key are ok. Any hints ??

 

[Hazel]

I think the answer is in the text in the header of your first screenshot.

Furthermore: doesn’t your VPN provider provide ready-made .ovpn config files? I can just download them from the website of my VPN provider, I’ve never had to ‘create’ my own .ovpn config file.

 

[Leguar]

I think the answer is in the text in the header of your first screenshot.

Furthermore: doesn’t your VPN provider provide ready-made .ovpn config files? I can just download them from the website of my VPN provider, I’ve never had to ‘create’ my own .ovpn config file.

My bad, not to explain it very well
The .ovpn file has been created by my new VPN provider.
The first screenshot just shows nothing, whereas I thought my "tls-crypt" would have been placed there,
as shown in the "Static Key.txt".

 

[Tech9]

Did you reset the VPN client before uploading the new configuration file? Default button at the bottom of the page.

 

[Leguar]

Did you reset the VPN client before uploading the new configuration file? Default button at the bottom of the page.

Yes, but it seems that my former VPN provider was still there after the reset.
Thinking that a reset would kill data - both in CA, CERT and Key

 

[Hazel]

The first screenshot just shows nothing, whereas I thought my "tls-crypt" would have been placed there,
as shown in the "Static Key.txt".

I meant, the header says:

Only paste the content of the ----- BEGIN xxx ----- / ----- END xxx ----- block (including those two lines)

So I guess the key should be pasted without the proceeding <tls-crypt> and the ending </tls-crypt>, so like

-----BEGIN OpenVPN Static key V1-----
....
a1198ef649f1c23861a2a19f2c6b27aa
5e43be761e0c71e9c2e8d33b75af289e
....
-----END OpenVPN Static key V1-----

 

[Leguar]

I meant, the header says:



So I guess the key should be pasted without the proceeding <tls-crypt> and the ending </tls-crypt>, so like

-----BEGIN OpenVPN Static key V1-----
....
a1198ef649f1c23861a2a19f2c6b27aa
5e43be761e0c71e9c2e8d33b75af289e
....
-----END OpenVPN Static key V1-----

Yes, you're right.

I have tried to copy/paste all four certs and then save all of them, but it seem that data in the Static Key
always disapear (removed=blanks). Seems strange to me !! Maybe a bug ??

 

[Hazel]

Yes, you're right.

I have tried to copy/paste all four certs and then save all of them, but it seem that data in the Static Key
always disapear (removed=blanks). Seems strange to me !! Maybe a bug ??

Have you tried to paste the keys without the surrounding <tls-crypt> tags as the header suggests, just from ----- BEGIN xxx ----- (contents of static key / certificates with BEGIN and END tags included ----- END xxx ----- ?

Haven't heard anyone else reporting this, so a bug seems unlikely to me. When I import and .ovpn config the certificates are included, I don't have to paste them manually. They are imported with the .ovpn config (and present in the config file). Most of the time I don't even look at it, as I know they're imported with the rest of the config. Have you opened the .ovpn config with a text editor like Notepad++ and checked whether the certificates aren't already included in the config? Or else, maybe your VPN provider has a step by step guide how to configure their VPN on Asuswrt(-Merlin), like my VPN Provider has? There are also several general guides on how to configure a VPN client on Asuswrt-Merlin.

I was wondering about tls-crypt and as far as I'm aware it should be supported by the included version of OpenVPN (I read it was included in 2.4.x and if I'm not mistaking 2.5.2 is the current version) and as your VPN-provider provides these configs, they should support it too (why else include it, instead of only tls-auth).

Question for @RMerlin: is the use of tls-crypt fully supported on 386.2_4?

Otherwise, I'm out of ideas. Maybe @eibgrad can help you out, he knows an awful lot about VPNs, way more compared to my rookie knowledge.

 

[Tech9]

I have tried to copy/paste all four certs and then save all of them

I'm not following you, sorry. You have one configuration .ovpn file to import. The file you have downloaded from your new VPN provider.

 

[john9527]

I have tried to copy/paste all four certs and then save all of them,

After you hit save where you enter the certs, did you also hit 'Apply' at the bottom of the page?

 

[Leguar]

Have you tried to paste the keys without the surrounding <tls-crypt> tags as the header suggests, just from ----- BEGIN xxx ----- (contents of static key / certificates with BEGIN and END tags included ----- END xxx ----- ?

Haven't heard anyone else reporting this, so a bug seems unlikely to me. When I import and .ovpn config the certificates are included, I don't have to paste them manually. They are imported with the .ovpn config (and present in the config file). Most of the time I don't even look at it, as I know they're imported with the rest of the config. Have you opened the .ovpn config with a text editor like Notepad++ and checked whether the certificates aren't already included in the config? Or else, maybe your VPN provider has a step by step guide how to configure their VPN on Asuswrt(-Merlin), like my VPN Provider has? There are also several general guides on how to configure a VPN client on Asuswrt-Merlin.

I was wondering about tls-crypt and as far as I'm aware it should be supported by the included version of OpenVPN (I read it was included in 2.4.x and if I'm not mistaking 2.5.2 is the current version) and as your VPN-provider provides these configs, they should support it too (why else include it, instead of only tls-auth).

Question for @RMerlin: is the use of tls-crypt fully supported on 386.2_4?

Otherwise, I'm out of ideas. Maybe @eibgrad can help you out, he knows an awful lot about VPNs, way more compared to my rookie knowledge.

First I appriciate your help, thanks.
Next, my copy/paste was just a try to do something else than just import the .ovpn file, but to no avail.
It seems that the "tls-crypt" gets erased.
I have attached my .ovpn file (anonymised). All certs gets updated, except the "tld-crypt".
Btw. I have tested both Udp and Tcp scripts.

 

[Leguar]

After you hit save where you enter the certs, did you also hit 'Apply' at the bottom of the page?

Indeed YES

 

[Hazel]

So, it's just the last key in your .ovpn config that doesn't 'stick'? That one doesn't get saved?
Any clues in your system logfile why it refuses to save that tls-crypt key?

 

[Leguar]

I'm not following you, sorry. You have one configuration .ovpn file to import. The file you have downloaded from your new VPN provider.

Right. Downloaded from my VPN provider. The script includes "tld-crypt" (and CA, CERT and Key). When I import the script, the "tld-crypt" doesn't get imported. After the import I try to start VPN in the router, but the router gets stuck, with a yellow msg. "Connection ...." and never starts.

 

[Hazel]

Right. Downloaded from my VPN provider. The script includes "tld-crypt" (and CA, CERT and Key). When I import the script, the "tld-crypt" doesn't get imported. After the import I try to start VPN in the router, but the router gets stuck, with a yellow msg. "Connection ...." and never starts.

If you look in your logfiles (System Log > General Log) you will most like see a TLS authentication error, while it tries to connect, because the last key doesn't get imported, so it can't establish a secure control channel. Please post your syslog (without any private info) to a site like pastebin or an alternative so we can see if we can find clues why a. the key won't get accepted and b. your connection can't be established (which is most likely answered by a.)

 

[Leguar]

So, it's just the last key in your .ovpn config that doesn't 'stick'? That one doesn't get saved?
Any clues in your system logfile why it refuses to save that tls-crypt key?

Attached is the log file from the router (RT-AX88U) Merlin 368.2_4 ...

 

[Hazel]

This is only from the attempt to connect. Here's the error I expected:

ovpn-client1[14946]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
ovpn-client1[14946]: TLS Error: TLS handshake failed
ovpn-client1[14946]: SIGUSR1[soft,tls-error] received, process restarting
ovpn-client1[14946]: Restart pause, 5 second(s)
ovpn-client1[14946]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

which means there is a misconfiguration regarding TLS (ie. your missing key) why it can't setup a secure connection.

Is there anything in your logfile when importing this config, that helps us understand why it doesn't accept the tls-crypt static key? If you can't find it, delete the current config and re-configure it and keep an eye on your logfiles.

 

[Leguar]

This is only from the attempt to connect. Here's the error I expected:

ovpn-client1[14946]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
ovpn-client1[14946]: TLS Error: TLS handshake failed
ovpn-client1[14946]: SIGUSR1[soft,tls-error] received, process restarting
ovpn-client1[14946]: Restart pause, 5 second(s)
ovpn-client1[14946]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

which means there is a misconfiguration regarding TLS (ie. your missing key) why it can't setup a secure connection.

Is there anything in your logfile when importing this config, that helps us understand why it doesn't accept the tls-crypt static key? If you can't find it, delete the current config and re-configure it and keep an eye on your logfiles.

Ok, here are some errors. Seems that jfss2 (GC) is full. Could that be my problem ??
If so, how do I clean up the GC ?? I have nothing connected to the router, and I dont
have any scripts (as I'm concerned of) running.

 

[Leguar]

Hazel and Followers (?).
Pls. forget my older mails. After researcing here, there and everywhere, I decided to reformat my JFFS
(Administration, System, JFFS partition). After that, I could import the usual CA, CERT and User Key, BUT
also (the problem) my tls-crypt Key.

After that, a new (but more precise) problem arised. Pls. look at the log, who is anominized (hopefully)

 

[ColinTaylor]

AirVPN is pushing an IPv6 config to your router but the router doesn't support IPv6 VPNs. Does AirVPN have an IPv4 profile you can use?

P.S. You don't need to anonymize the AirVPN address as that is one of their public addresses.