OpenVPN client issues


th3viper

Hi all,

I have some issues configuring the OpenVPN client on my router:
  • RT-AC87U
  • FW 384.13_8
The OpenVPN server uses cert authentication and it works with no issue when using the OpenVPN client on the PC.
Client Logs
5/29/2020, 11:28:38 AM OpenVPN core 3.git::f225fcd0 win x86_64 64-bit PT_PROXY built on Mar 19 2020 21:16:20
5/29/2020, 11:28:38 AM Frame=512/2048/512 mssfix-ctrl=1250
5/29/2020, 11:28:38 AM UNUSED OPTIONS
2 [verify-x509-name] ['xxxxxxxx'] [name]
6 [resolv-retry] [infinite]
7 [nobind]
10 [persist-key]
11 [persist-tun]
15 [log] [openvpn.log]
16 [verb] [3]
5/29/2020, 11:28:38 AM Contacting xxxx:443 via TCPv4
5/29/2020, 11:28:38 AM EVENT: RESOLVE
5/29/2020, 11:28:38 AM EVENT: WAIT
5/29/2020, 11:28:38 AM Connecting to [xxxxxxxx]:443 (xxxxxxxx) via TCPv4
5/29/2020, 11:28:38 AM Tunnel Options:V4,dev-type tun,link-mtu 1523,tun-mtu 1500,proto TCPv4_CLIENT,keydir 1,cipher AES-256-GCM,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client
5/29/2020, 11:28:38 AM Creds: UsernameEmpty/PasswordEmpty
5/29/2020, 11:28:38 AM Peer Info:
IV_GUI_VER=OCmacOS_3.1.3-713
IV_VER=3.git::f225fcd0
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_AUTO_SESS=1

5/29/2020, 11:28:38 AM EVENT: CONNECTING
5/29/2020, 11:28:38 AM VERIFY OK : depth=2
cert. version : 3
serial number : xxxxxxxx
issuer name : C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
subject name : C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
issued on : 2006-11-10 00:00:00
expires on : 2031-11-10 00:00:00
signed using : RSA with SHA1
RSA key size : 2048 bits
basic constraints : CA=true
key usage : Digital Signature, Key Cert Sign, CRL Sign

5/29/2020, 11:28:38 AM VERIFY OK : depth=1
cert. version : 3
serial number : xxxxxxxx
issuer name : C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
subject name : C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
issued on : 2013-03-08 12:00:00
expires on : 2023-03-08 12:00:00
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign

5/29/2020, 11:28:38 AM VERIFY OK : depth=0
cert. version : 3
serial number : xxxxxxxx
issuer name : C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
subject name : C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=xxxxxxxx
issued on : 2020-05-18 00:00:00
expires on : 2022-05-18 12:00:00
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false
subject alt name : xxxxxxxx
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication

5/29/2020, 11:28:39 AM SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
5/29/2020, 11:28:39 AM Session is ACTIVE
5/29/2020, 11:28:39 AM EVENT: GET_CONFIG
5/29/2020, 11:28:39 AM Sending PUSH_REQUEST to server...
5/29/2020, 11:28:39 AM OPTIONS:
0 [route] [10.198.0.0] [255.255.255.0]
1 [route-gateway] [10.198.1.33]
2 [topology] [subnet]
3 [ifconfig] [10.198.1.34] [255.255.255.240]
4 [cipher] [AES-256-GCM]

5/29/2020, 11:28:39 AM PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: SHA256
compress: NONE
peer ID: -1
5/29/2020, 11:28:39 AM CAPTURED OPTIONS:
Session Name: xxxxxxxx
Layer: OSI_LAYER_3
Remote Address: xxxxxxxx
Tunnel Addresses:
10.198.1.34/28 -> 10.198.1.33
Reroute Gateway: IPv4=0 IPv6=0 flags=[ IPv4 ]
Block IPv6: no
Add Routes:
10.198.0.0/24
Exclude Routes:
DNS Servers:
Search Domains:

5/29/2020, 11:28:39 AM EVENT: ASSIGN_IP
5/29/2020, 11:28:40 AM SetupClient: transmitting tun setup list to \\.\pipe\agent_ovpnconnect
{
"confirm_event" : "900e000000000000",
"destroy_event" : "040b000000000000",
"tun" :
{
"adapter_domain_suffix" : "",
"add_routes" :
[
{
"address" : "10.198.0.0",
"gateway" : "",
"ipv6" : false,
"metric" : -1,
"net30" : false,
"prefix_length" : 24
}
],
"block_ipv6" : false,
"layer" : 3,
"mtu" : 0,
"remote_address" :
{
"address" : "xxxxxx",
"ipv6" : false
},
"reroute_gw" :
{
"flags" : 256,
"ipv4" : false,
"ipv6" : false
},
"route_metric_default" : -1,
"session_name" : "xxxxxxxx",
"tunnel_address_index_ipv4" : 0,
"tunnel_address_index_ipv6" : -1,
"tunnel_addresses" :
[
{
"address" : "10.198.1.34",
"gateway" : "10.198.1.33",
"ipv6" : false,
"metric" : -1,
"net30" : false,
"prefix_length" : 28
}
]
}
}
POST np://[\\.\pipe\agent_ovpnconnect]/tun-setup : 200 OK
TAP ADAPTERS:
guid='{xxxxxxxx}' index=20 name='Ethernet 3'
Open TAP device "Ethernet 3" PATH="\\.\Global\{DBC7843E-2458-408F-9FBC-75CBB1D59485}.tap" SUCCEEDED
TAP-Windows Driver Version 9.23
ActionDeleteAllRoutesOnInterface iface_index=20
netsh interface ip set interface 20 metric=1
Ok.
netsh interface ip set address 20 static 10.198.1.34 255.255.255.240 gateway=10.198.1.33 store=active
netsh interface ip add route 10.198.0.0/24 20 10.198.1.33 store=active
Ok.
ipconfig /flushdns
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
TAP handle: 8410000000000000
5/29/2020, 11:28:40 AM Connected via TUN_WIN
5/29/2020, 11:28:40 AM EVENT: CONNECTED xxxxxxxx (xxxxxxxx) via /TCPv4 on TUN_WIN/10.198.1.34/ gw=[10.198.1.33/]

Used steps:
  • download .ovpn file
  • import via the interface and was informed that I need to add the client cert and key
  • save config
  • start service
Code:
May 29 11:10:47 openvpn: Resetting client (unit 2) to default settings
May 29 11:11:18 syslog: VPN_LOG_ERROR: 472: Starting OpenVPN failed...
May 29 11:11:18 kernel: Interface tap12 doesn't exist
May 29 11:11:18 kernel: Interface tun12 doesn't exist
May 29 11:11:18 dnsmasq[6750]: read /etc/hosts - 10 addresses
May 29 11:11:18 dnsmasq[6750]: using nameserver 2001:4860:4860::8844#53
May 29 11:11:18 dnsmasq[6750]: using nameserver 2001:4860:4860::8888#53
May 29 11:11:18 dnsmasq[6750]: using nameserver 8.8.8.8#53
May 29 11:11:18 dnsmasq[6750]: using nameserver 1.1.1.1#53
May 29 11:11:18 dnsmasq[6750]: using only locally-known addresses for domain xxxxx.eu

From the looks of the output it does not even reach the cert verification. It fails on the network "check".
I'm thinking that the issue is from the missing interface error... but I don't know how to deal with it.
Any ideas on how to solve it?


client
remote xxxxxxxxxxxxxxxxx 443
verify-x509-name 'xxxxxxxxxxxxxxxxx' name
remote-cert-tls server

dev tun
proto tcp
resolv-retry infinite
nobind

auth SHA256
cipher AES-256-GCM
persist-key
persist-tun

tls-timeout 30
tls-version-min 1.2
key-direction 1

log openvpn.log
verb 3

# P2S CA root certificate
<ca>
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
</ca>

# Pre Shared Key
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
xxxxxxxxxxxxxxxxx
-----END OpenVPN Static key V1-----
</tls-auth>

# P2S client certificate
# Please fill this field with a PEM formatted client certificate
# Alternatively, configure 'cert PATH_TO_CLIENT_CERT' to use input from a PEM certificate file.
<cert>
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
</cert>

# P2S client certificate private key
# Please fill this field with a PEM formatted private key of the client certificate.
# Alternatively, configure 'key PATH_TO_CLIENT_KEY' to use input from a PEM key file.
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
xxxxxxxxxxxxxxxxx
-----END ENCRYPTED PRIVATE KEY-----
</key>

Thanks
 
If you're trying to connect while within your network, it won't work.
 
Sorry, I don't really understand what you are referring to.
The server is hosted in Azure; it is not in my network.
The VPN has assigned a 10.198.1.32/28 and my home is a 10.198.10.0/21... they don't overlap.
 
Increase logging verbosity, then try connecting again.
 
I believe you are referring to the "debug".
Changed and nothing new appeared... in case I need to do anything else please let me know.

Thanks

https://imgur.com/xc8Vddp

No, I do mean log verbosity, configured right on your OpenVPN client page.



Also, post your actual settings from that page.
 
Sorry for the misunderstanding.
Thanks for the reply, I've made the changes and nothing new appeared.
I've also tried to search for the openvpn.log via SSH but did not find it.
 

Try to change "log openlog.txt" to "log /tmp/openlog.txt"
and remove:
tls-version-min 1.2

Make sure your keys are the right ones.
 
Ok... so I solved it.
Thanks for the help and pointers.

It seems that (I forgot) in the PC client I was asked for a password at first use.
I've created a pass file and added the following line:
askpass /tmp/pass.txt

Is the location OK, or will the file be removed after a router reboot?
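The root cause in this thread is a passphrase-protected client key (the `<key>` block starts with `BEGIN ENCRYPTED PRIVATE KEY`) that a headless router client cannot prompt for, fixed with an `askpass` file. The following pre-flight check is an added example, not code from the thread or from Asuswrt-Merlin: it parses an .ovpn profile's directives and inline blocks and flags the three things a practitioner would check before handing such a profile to a router: an encrypted key without `askpass`, an `askpass` file that other users can read (it holds the passphrase in clear), and an `askpass` file under `/tmp`, which on Asuswrt-Merlin routers is RAM-backed and wiped at reboot, unlike `/jffs`. The sample profile and the file mode passed to `check_profile` are constructed inputs.

```python
import re
import stat

# Matches OpenVPN inline blocks such as <ca>...</ca> and <key>...</key>.
INLINE_RE = re.compile(r"<(\w[\w-]*)>\n(.*?)\n</\1>", re.DOTALL)

def parse_ovpn(text):
    """Split an .ovpn profile into {directive: args} and {tag: inline body}."""
    blocks = {m.group(1): m.group(2) for m in INLINE_RE.finditer(text)}
    directives = {}
    for line in INLINE_RE.sub("", text).splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if line:
            name, _, args = line.partition(" ")
            directives[name] = args.strip()
    return directives, blocks

def check_profile(text, askpass_mode=None):
    """Return findings for a headless (router) client. askpass_mode is the
    st_mode of the askpass file (None = missing), passed in to stay offline."""
    directives, blocks = parse_ovpn(text)
    key = blocks.get("key", "")
    encrypted = ("ENCRYPTED PRIVATE KEY" in key        # PKCS#8 encrypted key
                 or "Proc-Type: 4,ENCRYPTED" in key)   # legacy PEM encryption
    askpass = directives.get("askpass")
    findings = []
    if encrypted and askpass is None:
        findings.append("key needs a passphrase but no askpass directive is "
                        "set: a headless client cannot prompt and fails to start")
    if askpass:
        if askpass_mode is None:
            findings.append(f"askpass file {askpass} does not exist")
        elif askpass_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{askpass} is readable by other users; it holds "
                            "the passphrase in clear, chmod 600 it")
        if askpass.startswith("/tmp/"):
            findings.append(f"{askpass} is on RAM-backed /tmp and is "
                            "lost at reboot; use persistent /jffs instead")
    return findings

# Constructed sample with the same shape as the profile in the thread.
SAMPLE = """client
remote vpn.example.invalid 443
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
PLACEHOLDER
-----END ENCRYPTED PRIVATE KEY-----
</key>
"""
```

Run it as `check_profile(open("client.ovpn").read(), os.stat("/jffs/pass.txt").st_mode)` on the router to get the same findings for a real profile.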
 
