OpenVPN iOS Win10 Issues

madition

Occasional Visitor
Hi guys,

Just reinstalled my AC68U to get OpenVPN Server to work again. After the install OpenVPN was working well and traffic flowed to both LAN and WEB.
But after installing AMTM - Diversion, SkyNet and Stubby - I can no longer route any traffic to LAN or WEB.

Pretty much a newbie in this section, so looking forward to help!
Client connects perfectly but can't route anything.

Current routing table:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
213.122.222.1 * 255.255.255.255 UH 0 0 0 eth0
10.16.0.0 * 255.255.255.0 U 0 0 0 tun22
10.20.30.0 * 255.255.255.0 U 0 0 0 br0
213.122.222.0 * 255.255.248.0 U 0 0 0 eth0
10.0.0.0 * 255.0.0.0 U 0 0 0 br0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default ua-213-112-232- 0.0.0.0 UG 0 0 0 eth0

Client connected with 10.16.0.2; I can ping 10.16.0.2 from the LAN.

Current OpenVPN settings:
Authorization Mode: TLS
Username/Password Authentication: Yes
Username / Password Auth. Only: Yes
TLS control channel security: Disable
HMAC Authentication: Default
VPN Subnet / Netmask: 10.16.0.0 255.255.255.0
Advertise DNS to clients: No
Cipher Negotiation: Enable
Negotiable ciphers: AES-256-GCM
Compression: LZ4

Any ideas?
 
I'll take a stab at it.

Do the clients have a DNS added to them manually during your setup? You may want to set "Advertise DNS" to YES.

The part about Diversion etc. has me scratching my head. Did you install Stubby too?

edit: Missed your yes stubby above ...:oops:

Did you re-run the Stubby setup? I seem to recall it needing to be run again after adding a VPN.
 
Thanks for stabbing :)

I will try changing Advertise DNS to Yes.
edit: it didn't help, unfortunately

During Stubby setup it says it can't find any active OpenVPN Connections, even though I am connected with my cellphone via 4G - maybe try to drop Stubby for the dnscrypt installer?

OpenVPN runs on "server2" if that's any hint

Some screens if it helps:
OpenVPN: https://i.imgur.com/1nAok7V.png
DHCP: https://i.imgur.com/tXYkSuj.png
WAN: https://i.imgur.com/3w77FQI.png

Log from router:
Mar 5 07:46:46 ovpn-server2[964]: 94.191.130.80 TLS: Initial packet from [AF_INET6]::ffff:94.191.130.80:5749, sid=6aa6b043 b305a968
Mar 5 07:46:46 ovpn-server2[964]: 94.191.130.80 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.0.2-894
Mar 5 07:46:46 ovpn-server2[964]: 94.191.130.80 peer info: IV_VER=3.2
Mar 5 07:46:46 ovpn-server2[964]: 94.191.130.80 peer info: IV_PLAT=ios
Mar 5 07:46:46 ovpn-server2[964]: 94.191.130.80 peer info: IV_NCP=2
Mar 5 07:46:46 ovpn-server2[964]: 94.191.130.80 peer info: IV_TCPNL=1
Mar 5 07:46:46 ovpn-server2[964]: 94.191.130.80 peer info: IV_PROTO=2
Mar 5 07:46:46 ovpn-server2[964]: 94.191.130.80 peer info: IV_LZO_STUB=1
Mar 5 07:46:46 ovpn-server2[964]: 94.191.130.80 peer info: IV_COMP_STUB=1
Mar 5 07:46:46 ovpn-server2[964]: 94.191.130.80 peer info: IV_COMP_STUBv2=1
Mar 5 07:46:46 ovpn-server2[964]: 94.191.130.80 peer info: IV_BS64DL=1
Mar 5 07:46:47 ovpn-server2[964]: 94.191.130.80 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Mar 5 07:46:47 ovpn-server2[964]: 94.191.130.80 TLS: Username/Password authentication succeeded for username 'superfon' [CN SET]
Mar 5 07:46:47 ovpn-server2[964]: 94.191.130.80 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
Mar 5 07:46:47 ovpn-server2[964]: 94.191.130.80 [superfon] Peer Connection Initiated with [AF_INET6]::ffff:94.191.130.80:5749
Mar 5 07:46:47 ovpn-server2[964]: superfon/94.191.130.80 MULTI_sva: pool returned IPv4=10.16.0.2, IPv6=(Not enabled)
Mar 5 07:46:47 ovpn-server2[964]: superfon/94.191.130.80 MULTI: Learn: 10.16.0.2 -> superfon/94.191.130.80
Mar 5 07:46:47 ovpn-server2[964]: superfon/94.191.130.80 MULTI: primary virtual IP for superfon/94.191.130.80: 10.16.0.2
Mar 5 07:46:47 ovpn-server2[964]: superfon/94.191.130.80 PUSH: Received control message: 'PUSH_REQUEST'
Mar 5 07:46:47 ovpn-server2[964]: superfon/94.191.130.80 SENT CONTROL [superfon]: 'PUSH_REPLY,route 10.20.30.0 255.255.255.0 vpn_gateway 500,redirect-gateway def1,route-gateway 10.16.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.16.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Mar 5 07:46:47 ovpn-server2[964]: superfon/94.191.130.80 Data Channel: using negotiated cipher 'AES-256-GCM'
Mar 5 07:46:47 ovpn-server2[964]: superfon/94.191.130.80 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 5 07:46:47 ovpn-server2[964]: superfon/94.191.130.80 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 5 07:47:19 ovpn-server2[964]: superfon/94.191.130.80 SIGTERM[soft,remote-exit] received, client-instance exiting

And log from the client, iOS:
2019-03-05 07:46:46 Contacting [xxxxxxxxx]:1195/UDP via UDP

2019-03-05 07:46:46 EVENT: WAIT

2019-03-05 07:46:46 Connecting to [xxxxxxxxx]:1195 (xxxxxxxxx) via UDPv4

2019-03-05 07:46:46 EVENT: CONNECTING

2019-03-05 07:46:46 Tunnel Options:V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client

2019-03-05 07:46:46 Creds: Username/Password

2019-03-05 07:46:46 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 3.0.2-894
IV_VER=3.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_BS64DL=1


2019-03-05 07:46:46 VERIFY OK : depth=0
cert. version : 3
serial number : 01
issuer name : C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC68U, emailAddress=me@myhost.mydomain
subject name : C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC68U, emailAddress=me@myhost.mydomain
issued on : 2019-03-04 18:29:40
expires on : 2029-03-01 18:29:40
signed using : RSA with SHA-256
RSA key size : 1024 bits
basic constraints : CA=false
cert. type : SSL Server
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication


2019-03-05 07:46:47 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

2019-03-05 07:46:47 Session is ACTIVE

2019-03-05 07:46:47 EVENT: GET_CONFIG

2019-03-05 07:46:47 Sending PUSH_REQUEST to server...

2019-03-05 07:46:47 OPTIONS:
0 [route] [10.20.30.0] [255.255.255.0] [vpn_gateway] [500]
1 [redirect-gateway] [def1]
2 [route-gateway] [10.16.0.1]
3 [topology] [subnet]
4 [ping] [15]
5 [ping-restart] [60]
6 [ifconfig] [10.16.0.2] [255.255.255.0]
7 [peer-id] [0]
8 [cipher] [AES-256-GCM]


2019-03-05 07:46:47 PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: SHA1
compress: COMP_STUB
peer ID: 0

2019-03-05 07:46:47 EVENT: ASSIGN_IP

2019-03-05 07:46:47 NIP: preparing TUN network settings

2019-03-05 07:46:47 NIP: init TUN network settings with endpoint: xxxxxxxxx

2019-03-05 07:46:47 NIP: adding IPv4 address to network settings 10.16.0.2/255.255.255.0

2019-03-05 07:46:47 NIP: adding (included) IPv4 route 10.16.0.0/24

2019-03-05 07:46:47 NIP: adding (included) IPv4 route 10.20.30.0/24

2019-03-05 07:46:47 NIP: redirecting all IPv4 traffic to TUN interface

2019-03-05 07:46:47 NIP: adding DNS 8.8.8.8

2019-03-05 07:46:47 NIP: adding DNS 8.8.4.4

2019-03-05 07:46:47 Connected via NetworkExtensionTUN

2019-03-05 07:46:47 LZO-ASYM init swap=0 asym=1

2019-03-05 07:46:47 Comp-stub init swap=1

2019-03-05 07:46:47 EVENT: CONNECTED superfon@xxxxxxxxx:1195 (213.112.237.251) via /UDPv4 on NetworkExtensionTUN/10.16.0.2/ gw=[/]

Changed public ip for xxxxxxxxx

Thanks
 
The message from the Stubby installer only applies to OpenVPN Clients, not OpenVPN Servers. I'll check the message again to see if it requires any clarification.

If an OpenVPN client is running on the router, the firmware will populate /tmp/resolv.dnsmasq with both the WAN DNS1 and the OpenVPN DNS entries 10.9.0.1 and 10.8.0.1 during an OpenVPN up event. The addition of the VPN DNS in /tmp/resolv.dnsmasq prevents Stubby from working. I resolved the issue by creating the file /jffs/configs/resolv.dnsmasq with the value server=x.x.x.x, where x’s are the router's LAN IP address e.g. 192.168.1.1, and adding an entry in /jffs/scripts/openvpn-event to copy /jffs/configs/resolv.dnsmasq to /tmp/resolv.dnsmasq.

I put the guide listed below together last year. There have been some firmware updates over the past several months, so some of the fields may no longer be there. Updating the guide is on my to-do list.

https://x3mtek.com/openvpn-server-setup-instructions-for-asuswrt-merlin/

When it comes to debugging things like you describe, try turning off Skynet and Diversion and see if the problem persists. If so, disable or remove Stubby and test again. Then, turn Diversion on and test, followed by Skynet and another test. This helps in knowing where to start looking in more detail.
 
Hi again,

It looks like this:

bobadmin@ENDBOSS:/tmp/home/root# cat /tmp/resolv.conf
nameserver 10.20.30.1
bobadmin@ENDBOSS:/tmp/home/root# cat /tmp/resolv.dnsmasq
server=10.20.30.1
bobadmin@ENDBOSS:/tmp/home/root# cat /jffs/configs/resolv.dnsmasq
server=10.20.30.1
bobadmin@ENDBOSS:/tmp/home/root# cat /jffs/scripts/openvpn-event
copy /jffs/configs/resolv.dnsmasq /tmp/resolv.dnsmasq

/tmp/resolv.conf
/tmp/resolv.dnsmasq
/jffs/configs/resolv.dnsmasq
These 3 above were already populated, I only added the openvpn-event line

edit: when I create the openvpn-event file the OpenVPN Service cannot start and refers to the Advanced Page; once I removed the openvpn-event file the service starts, but I still cannot access LAN or WEB via OpenVPN.
 
You only need the server=x.x.x.x entry in /jffs/configs/resolv.dnsmasq and the entry to copy the value in /jffs/scripts/openvpn-event if there is an OpenVPN Client running on the router.

Best thing to do is turn off Stubby, Diversion and Skynet. Then, turn on Diversion, followed by a test. Then, do the same with Skynet and Stubby. This should help determine where the problem is. I'll do a test on my development router to see if I have any issues, as I run all three of those services along with an OpenVPN server and clients.
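
The copy step described above, written out as a complete /jffs/scripts/openvpn-event; this is an added example, not the poster's or the Stubby installer's script. It assumes OpenVPN exports `dev` and `script_type` to the script and that OpenVPN clients on the router use tun11 to tun15 (the server in this thread is tun22); `handle_event`, `is_client_dev`, `SRC` and `DST` are names made up for the example.

```shell
#!/bin/sh
# Added example for /jffs/scripts/openvpn-event (not from the thread).
# Assumptions: OpenVPN exports $dev and $script_type; router-side OpenVPN
# clients use tun11-tun15, so the server interface (tun22 here) is skipped.
# User scripts need this shebang line and the execute bit (chmod a+rx).

SRC="${SRC:-/jffs/configs/resolv.dnsmasq}"   # holds: server=<router LAN IP>
DST="${DST:-/tmp/resolv.dnsmasq}"            # file the VPN DNS entries land in

# True only for interfaces that belong to an OpenVPN client on the router.
is_client_dev() {
  case "$1" in
    tun1[1-5]) return 0 ;;
    *)         return 1 ;;
  esac
}

# After a client "up" event, put the Stubby-only upstream back.
# Prints what it did: skip, missing-source, unchanged or restored.
handle_event() {
  ev_dev="$1"; ev_type="$2"
  if ! is_client_dev "$ev_dev" || [ "$ev_type" != "up" ]; then
    echo "skip"; return 0
  fi
  if [ ! -s "$SRC" ]; then
    echo "missing-source"; return 0
  fi
  if cmp -s "$SRC" "$DST"; then
    echo "unchanged"; return 0
  fi
  cp "$SRC" "$DST" && echo "restored"   # the shell command is cp, not copy
}

result=$(handle_event "${dev:-}" "${script_type:-}")
[ "$result" = "skip" ] || logger -t openvpn-event "resolv.dnsmasq: $result" 2>/dev/null || true
```
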
 
Check the General settings in the last row below. The LAN button will prevent access to the WAN or internet for users.

upload_2019-3-5_18-12-24.png
 
I am now connected to my AC88U using the OpenVPN Server and have full access to websites. I have Stubby, Diversion and Skynet installed.

Confirmed the Stubby installer specifies OpenVPN Clients:
Code:
5 active OpenVPN Clients found
Required entry already exists in /jffs/scripts/openvpn-event
Skipping update of /jffs/scripts/openvpn-event
 
Sweet, I am in the process of another reset - when I had it working before I did set up the router first, all of the AMTM functions, and then later enabled OpenVPN. Everything worked until I changed some option in OpenVPN server. Gonna try the same way now, did you add OpenVPN server after Diversion etc?

edit: does it matter if I use server1 or server2 for OpenVPN? Read that server2 maybe can give better performance
 
I had to re-configure the Server and DDNS as I had not re-entered the configs after the last time I did a factory reset. I think the setting below may be the root cause of the issue you describe, especially since the "LAN only" setting is the default. Check the "Both" button to give VPN clients LAN and WAN access.

upload_2019-3-5_19-46-35.png
 
Yeah, BOTH is selected already, but when I'm done with the AMTM setup I will first let it stand on LAN and see if I can access my computers behind it at all, then change it to BOTH if it works
 
Clean install of Asus Merlin.
Clean install of AMTM - Diversion (enabled all options, blocking list B+ etc), SkyNet and Stubby
Setup of OpenVPN with these settings:
https://i.imgur.com/bJspXWp.png
https://i.imgur.com/mOGJ16E.png

I can't access any servers on the LAN from the client but I can ping the client from the LAN
Pinging 10.16.0.2 with 32 bytes of data:
Reply from 10.16.0.2: bytes=32 time=28ms TTL=63
Reply from 10.16.0.2: bytes=32 time=35ms TTL=63
Reply from 10.16.0.2: bytes=32 time=36ms TTL=63
Reply from 10.16.0.2: bytes=32 time=33ms TTL=63

Last time I did exactly the same and it worked.. I'm out of ideas ><
 
I think your problem might be with the compression setting. Try "LZO" or "none" or "disable". I'm not familiar with iOS, but your client is reporting comp-LZO while your screenshot is LZ4-v2.

https://community.openvpn.net/openvpn/ticket/1126
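
The comparison made in the reply above (server compression setting against what the client reports), as an added example that is not part of the thread. The two log samples are copied from the logs posted earlier on this page; the function names and the label-to-family mapping are assumptions of the example.

```shell
#!/bin/sh
# Added example: compare the compression each side of a session reports.
# SERVER_LINE and CLIENT_LINES are copied from the logs posted in this thread.

SERVER_LINE="superfon/94.191.130.80 SENT CONTROL [superfon]: 'PUSH_REPLY,route 10.20.30.0 255.255.255.0 vpn_gateway 500,redirect-gateway def1,route-gateway 10.16.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.16.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)"
CLIENT_LINES="cipher: AES-256-GCM
digest: SHA1
compress: COMP_STUB
peer ID: 0"

# Compression directive the server pushed in PUSH_REPLY, or "none".
pushed_compression() {
  opt=$(printf '%s\n' "$1" \
    | sed -n "s/.*'PUSH_REPLY,\([^']*\)'.*/\1/p" \
    | tr ',' '\n' \
    | grep -E '^(compress|comp-lzo)( |$)' \
    | head -n 1)
  printf '%s\n' "${opt:-none}"
}

# Value of the "compress:" field in the client's PROTOCOL OPTIONS block.
client_compression() {
  val=$(printf '%s\n' "$1" | sed -n 's/^compress:[[:space:]]*//p' | head -n 1)
  printf '%s\n' "${val:-unknown}"
}

# Reduce a label to a family. This mapping is an assumption of the example
# and covers only the values that appear in the thread.
family() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    *stub*)         echo stub ;;
    lz4*)           echo lz4 ;;
    lzo*|comp-lzo*) echo lzo ;;
    none|disable*)  echo none ;;
    *)              echo unknown ;;
  esac
}

# "match" when the server GUI setting and the client label agree.
compression_verdict() {
  if [ "$(family "$1")" = "$(family "$2")" ]; then echo match; else echo mismatch; fi
}

report() {  # $1 = server GUI compression setting, e.g. LZ4
  pushed=$(pushed_compression "$SERVER_LINE")
  client=$(client_compression "$CLIENT_LINES")
  echo "server=$1 pushed=$pushed client=$client -> $(compression_verdict "$1" "$client")"
}

report LZ4
```

For the logs in this thread the report shows that the server pushed no compression directive while the client settled on COMP_STUB, which does not agree with the LZ4 setting on the server.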
 
The only idea I can think of is to add the command (If 10.20.30.1 is your LAN IP)

Code:
push "route 10.20.30.0 255.255.255.0"
in the Custom Configuration section. But the firmware should be doing this when you select the LAN Only or Both button.
 
Thanks for all your help, I should have started the troubleshooting directly from a computer instead of an iOS device.. of course it works flawlessly from a computer with the above setup, I will troubleshoot the iOS device at a later time.

Thanks all!
 
I am having a similar issue with an iOS device (iPad) when connected to an OpenVPN server running on my pfSense appliance. I can connect okay on Android and Win 10 devices and have full access to the LAN and admin console. On the iPad, I can connect okay. But I can't access the admin console in a browser.
 
Yeah, I have the same problem right now, going to try some "easier" settings on server1 and see if the iOS unit wants to communicate as the desktop clients do on my server2
 
That link I posted will point you specifically to iOS problems with a working OpenVPN server linked to compression treatment. Which you don't want anyway.
 
