OpenVPN not working

forux

Hello!

I am working with AC66U and Merlin wrt 380.65

The OpenVPN file contains only the first of the three certificates for some reason, and when I try to connect after manually entering all the others from the router settings, I see the following error in the log:

Mar 4 18:16:00 openvpn[371]: 37.115.124.229 TLS: Initial packet from [AF_INET6]::ffff:37.115.124.229:53272, sid=dd8ef1f1 becf31eb
Mar 4 18:16:00 openvpn[371]: 37.115.124.229 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC66U, emailAddress=me@myhost.mydomain
Mar 4 18:16:00 openvpn[371]: 37.115.124.229 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Mar 4 18:16:00 openvpn[371]: 37.115.124.229 TLS_ERROR: BIO read tls_read_plaintext error
Mar 4 18:16:00 openvpn[371]: 37.115.124.229 TLS Error: TLS object -> incoming plaintext read error
Mar 4 18:16:00 openvpn[371]: 37.115.124.229 TLS Error: TLS handshake failed
Mar 4 18:16:00 openvpn[371]: 37.115.124.229 SIGUSR1[soft,tls-error] received, client-instance restarting


Also, the system time is strange: the year is 2015 instead of 2017, and there are a lot of log lines like these:

Mar 4 18:16:12 ntp: start NTP update
Mar 4 18:16:39 ntp: start NTP update
Mar 4 18:17:09 ntp: start NTP update
Mar 4 18:17:39 ntp: start NTP update
Mar 4 18:18:09 ntp: start NTP update
Mar 4 18:18:39 ntp: start NTP update
Mar 4 18:19:09 ntp: start NTP update
Mar 4 18:19:39 ntp: start NTP update
Mar 4 18:20:09 ntp: start NTP update
Mar 4 18:20:39 ntp: start NTP update
Mar 4 18:21:10 ntp: start NTP update

Everything worked up to some point; after that the time was broken and the VPN was broken. It looks like the VPN is not working because of problems with time synchronization.

Please help =)
 
Here is ovpn file:

Code:
client
dev tun
proto udp
remote 5.53.119.86 1194
float
cipher AES-128-CBC
comp-lzo adaptive
keepalive 15 60
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
[certificate data omitted]
-----END CERTIFICATE-----
</ca>
<cert>
    paste client certificate data here
</cert>
<key>
    paste client key data here
</key>
resolv-retry infinite
nobind
 
You say you manually entered all other certificates. Did you use Unix/Linux formatting in the editor you used (Notepad++ allows such formatting), or did you perhaps use Windows formatting, e.g. Notepad?

As to the other problem with the incorrect date, have you done anything to the router that might account for this? For example, did it break immediately after you updated to 380.65, can you say for sure it has worked on your new firmware? Which firmware did you update from? When did you last restore to factory default settings after flashing an update?
 
I copied all the certificates from the router settings, and a certificate was correct. I use Tunnelblick for the connection. The problem is that the router settings contain all 3 certificates/keys, but the file from the export button contains only one.

I think it was not because of an upgrade; the VPN worked on 380.65 for a week at least.

I have changed location and WAN provider, and the Wi-Fi SSID names and passwords. These are the only things that were changed.
 
You can use this guide from my site for the AC66U to set up the VPN: https://www.bolehvpn.net/asuswrt-merlin-configuration/
Usually we give our users the inline format, which makes it easier to import into various OpenVPN apps, including Tunnelblick.
Disregard all references to the ovpn in the guide, as it refers to our servers, but look closely at the settings needed to make it work with OpenVPN 2.4.
Did you export the ovpn from Tunnelblick?
Where is the original ovpn from your provider? Can you show the original ovpn? Is it in inline or standard format?

Thank you
 
The instructions are in the config file itself:

Code:
paste client certificate data here

If you are not using user-based authentication but cert-based authentication, then you need to generate these client key/certs yourself, paste them in the .ovpn file and import that modified file onto your client device.

Make sure you understand the difference between the CA, the SERVER key/certs, and the CLIENT key/certs. Webui only lets you enter the server ones. Client ones must be user-generated if you intend to use them.
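
A check for the situation discussed above, as an added example that is not part of the original posts or of the firmware: a small linter for inline-format client profiles that flags unreplaced "paste ... data here" placeholders, blocks holding the wrong PEM type, and Windows line endings. The function name, the messages and the sample profile are assumptions constructed for illustration.

```python
import re

# Inline blocks a cert-authenticated client profile needs, and the PEM label each must end with.
REQUIRED = {"ca": "CERTIFICATE", "cert": "CERTIFICATE", "key": "PRIVATE KEY"}
BLOCK_RE = re.compile(rb"<(ca|cert|key)>(.*?)</\1>", re.S)
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s+(\S.*?)\s+-----END \1-----", re.S)


def lint_ovpn(raw: bytes) -> list[str]:
    """Return findings for an inline-format client .ovpn file (hypothetical helper)."""
    findings = []
    if b"\r" in raw:
        findings.append("file: CR characters found (Windows line endings)")
    blocks = {m.group(1).decode(): m.group(2) for m in BLOCK_RE.finditer(raw)}
    for tag, label in REQUIRED.items():
        if tag not in blocks:
            findings.append(f"<{tag}>: block missing")
            continue
        text = blocks[tag].decode("ascii", "replace").strip()
        # The exported template ships with "paste client ... data here" in the client slots.
        if not text or text.lower().startswith("paste "):
            findings.append(f"<{tag}>: placeholder not replaced")
            continue
        pem = PEM_RE.search(text)
        if pem is None:
            findings.append(f"<{tag}>: no complete PEM BEGIN/END pair")
        elif not pem.group(1).endswith(label):
            findings.append(f"<{tag}>: holds a {pem.group(1)}, expected {label}")
    return findings


# Constructed sample modelled on the exported profile in this thread; PEM bodies are dummy text.
SAMPLE = (
    b"client\ndev tun\nproto udp\nremote vpn.example.net 1194\n"
    b"<ca>\n-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n</ca>\n"
    b"<cert>\n    paste client certificate data here\n</cert>\n"
    b"<key>\n-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n</key>\n"
)

if __name__ == "__main__":
    for finding in lint_ovpn(SAMPLE):
        print(finding)
```

The linter only checks the structure of the file; it does not parse the certificates, so it cannot tell a server certificate from a client one.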
 
Everything works well while the time on the router is okay; after the time becomes broken, it stops working.
It breaks once every one or two days, and I need to set the time manually.

Based on the logs, I guess the NTP server is not working, or the update from the NTP server is not working, and because of that the router time becomes broken.

I have attached the system log file.
 

See item #7 in the guide here to see if it helps with the NTP server issues https://www.snbforums.com/threads/t...r-asus-merlin-380-65-380-65_2-part-iii.38283/
 
Tried entering the IP address manually - did not work. How can I set up that fake-hwclock package?
Here are my ntp settings under Administration, Systems tab:

[Screenshot: upload_2017-4-16_15-7-34.png]


fake-hwclock is an Entware package.
Entware Installation:
You will need client software such as PuTTY on your PC to allow command line access. I use the MobaXterm client. You will also need to enable JFFS and SSH access on the router. Follow step 2 here: https://www.hqt.ro/how-to-install-new-generation-entware/

Info on Entware here:
https://github.com/RMerl/asuswrt-merlin/wiki/Entware
You will need to format a USB thumb drive as ext2, ext3, or ext4. I chose ext2 for mine. Label the partition. There is a Windows program you can download called Mini Tool partition to do this for you. While you are at it, create another partition called absolution and install AB-Solution on the router to block advertisements! If you use Mini Tool partition to do the partitioning, install AB-Solution first. There is a menu pick to install pixelserv, which is an Entware package. It will then install Entware for you and take care of all of the optimizing! Another way to format, partition and label the USB is through the Linux command line. Instructions are here: http://www.algissalys.com/how-to/format-and-partition-usb-asuswrt-routers

I had a 2 GB vendor swag USB drive. I allocated absolution as the primary partition at 500 MB and entware as the logical partition at 500MB. I have extra space left over if I need it for some future use.
 