OpenVPN server couldn't initialize since upgrade to 360.66 beta1

p1r473

Regular Contributor
I'm trying to set up an OpenVPN server and it couldn't initialize. I used to have it working until I upgraded the firmware to 380.66 beta 1 today.
It's not working for both #1 and #2 slots.

It's continuously showing the following message under the "Export OpenVPN configuration file" section:

Initialinzing the settings of OpenVPN server now, please wait a few minutes to let the server to setup completed before VPN clients establish the connection.

I find the following log messages:

Apr 26 12:22:39 openvpn[7114]: Options error: --up script fails with 'updown.sh': Permission denied
Apr 26 12:22:39 openvpn[7114]: Options error: Please correct this error.
Apr 26 12:22:39 openvpn[7114]: Use --help for more information.
Apr 26 12:22:39 syslog: VPN_LOG_ERROR: 1524: Starting VPN instance failed...

I've tried to reset to defaults, but it doesn't help.

Router: AC5300
Firmware: 380.66_beta1
 
Do you have any /jffs/scripts/openvpn-event script?
 
Yes, I do, I have a netflix vpn bypass script:
https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing-(manual-method)

In openvpn-event:


for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > $i
done
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING
ip route show table main | grep -Ev ^default | grep -Ev tun11\
| while read ROUTE ; do
    ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache
#All devices bypass VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

#ShieldTV uses VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.190 -j MARK --set-mark 0

#BlackPearl uses VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.69 -j MARK --set-mark 0

#Netflix bypass VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 107.20.177.0-107.20.177.255 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 107.20.154.0-107.20.154.255 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 174.129.2.0-174.129.2.255 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 75.101.139.0-75.101.139.255 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 54.243.253.0-54.243.253.255 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 50.19.210.0-50.19.210.255 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 23.23.191.0-23.23.191.255 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 54.204.2.0-54.204.2.255 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 54.204.43.0-54.204.43.255 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 54.225.192.0-54.225.192.255 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 23.21.190.0-23.21.190.255 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 107.20.151.0-107.20.151.255 -j MARK --set-mark 1

exit 1
 
Try to remove it and test if it starts. (just for test)
 
Yep, disabled the script and it works great, thanks!

I will try to temporarily disable this script while I bring my server online!
 
Okay, see my second post about the new change in the OpenVPN policy table.
 
OK, so I deleted the script, enabled the server successfully, then re-enabled the script, and now my clients can't connect to the server (says: "waiting for server reply").
Is there something I need to do to the script to get it to work with having both a client and server running simultaneously?

Isn't your 2nd post about the new change in the back end, and I don't have to do anything for it?
 
That reflects the new policy rule. (You don't have to do anything.)
I don't know how to modify your script; I'm using the built-in Policy routing function.
 
Even without the script, I don't seem to be able to connect to my OpenVPN server if I am also running an OpenVPN client.
Is there no way to run a client and server at the same time? Trying to connect to my server (even without the script!) is giving a "waiting for server reply" message.

Here are my configs:
 

Attachments: upload_2017-4-26_16-2-9.png, upload_2017-4-26_16-2-28.png
Okay, I see you use password/user only. I use a full set of certificates.
You can always go back to alpha4 build.
 
Went back to alpha4, and seem to have the same issue, where my OpenVPN server won't work if my client is connected, even without the script.
 
