Menu
What's new
By:
Filters Better Search

[Release] Asuswrt-Merlin 380.65 is now available

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

With same settings i connect on 380,64_2 with BF-CBC, above 380,65 and also on 380,66 alpha 3 with openssl 2.4.1 only aes 256 possible.... (same on cipher negotiation disbabled) ....
Server side is unchanged ...

380,65 ... log

pr 5 18:38:08 openvpn[1626]: VERIFY OK: depth=1, C=NV, ST=NV, L=nVPN, O=nVpn, CN=nVpn CA, emailAddress=support@nvpn.net
Apr 5 18:38:08 openvpn[1626]: VERIFY OK: depth=0, C=NV, ST=NV, L=nVPN, O=nVpn, CN=server, emailAddress=support@nvpn.net
Apr 5 18:38:08 openvpn[1626]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Apr 5 18:38:08 openvpn[1626]: [server] Peer Connection Initiated with [AF_INET]xxx:1194
Apr 5 18:38:09 openvpn[1626]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Apr 5 18:38:14 openvpn[1626]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Apr 5 18:38:14 openvpn[1626]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route xxx,topology net30,ping 10,ping-restart 120,ifconfig xxx,peer-id 1,cipher AES-256-GCM'
Apr 5 18:38:14 openvpn[1626]: OPTIONS IMPORT: timers and/or timeouts modified
Apr 5 18:38:14 openvpn[1626]: OPTIONS IMPORT: --ifconfig/up options modified
Apr 5 18:38:14 openvpn[1626]: OPTIONS IMPORT: route options modified
Apr 5 18:38:14 openvpn[1626]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Apr 5 18:38:14 openvpn[1626]: OPTIONS IMPORT: peer-id set
Apr 5 18:38:14 openvpn[1626]: OPTIONS IMPORT: adjusting link_mtu to 1629
Apr 5 18:38:14 openvpn[1626]: OPTIONS IMPORT: data channel crypto options modified
Apr 5 18:38:14 openvpn[1626]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 5 18:38:14 openvpn[1626]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key

380,64_2

Apr 5 18:47:36 openvpn[793]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Apr 5 18:47:36 openvpn[793]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Apr 5 18:47:36 openvpn[793]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 5 18:47:36 openvpn[793]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Apr 5 18:47:36 openvpn[793]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Apr 5 18:47:36 openvpn[793]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 5 18:47:36 openvpn[793]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Apr 5 18:47:36 openvpn[793]: [server] Peer Connection Initiated with [AF_INET]xxx:1194
Apr 5 18:47:37 dnsmasq-dhcp[436]: DHCPREQUEST(br0) 192.168.1.152 9c:b7:0d:69:a3:dc
Apr 5 18:47:37 dnsmasq-dhcp[436]: DHCPACK(br0) 192.168.1.152 9c:b7:0d:69:a3:dc HP
Apr 5 18:47:38 openvpn[793]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Apr 5 18:47:38 openvpn[793]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route xx,topology net30,ping 10,ping-restart 120,ifconfig xx,peer-id 2'
Apr 5 18:47:38 openvpn[793]: OPTIONS IMPORT: timers and/or timeouts modified
Apr 5 18:47:38 openvpn[793]: OPTIONS IMPORT: --ifconfig/up options modified
Apr 5 18:47:38 openvpn[793]: OPTIONS IMPORT: route options modified
Apr 5 18:47:38 openvpn[793]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Apr 5 18:47:38 openvpn[793]: OPTIONS IMPORT: peer-id set
Apr 5 18:47:38 openvpn[793]: OPTIONS IMPORT: adjusting link_mtu to 1549
 

Attachments

  • 87u.JPG
    87u.JPG
    65.7 KB · Views: 730
Your VPN provider is seeing that you are running OpenVPN 2.4.x and pushing the cipher to the client.

380.65
Apr 5 18:38:14 openvpn[1626]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route xxx,topology net30,ping 10,ping-restart 120,ifconfig xxx,peer-id 1,cipher AES-256-GCM'

380.64_2
Apr 5 18:47:38 openvpn[793]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route xx,topology net30,ping 10,ping-restart 120,ifconfig xx,peer-id 2'

try adding

pull-filter ignore "cipher"

to your custom config

Not sure if you are also going to need to do something with the peer-id change.....

EDIT: Corrected command
 
Last edited:
push-filter ignore "cipher"

cipher in brackets ? "" ??

Options error: Unrecognized option or missing parameter(s) in config.ovpn:29: push-filter (2.3.14)
 
john9527 said:
Your VPN provider is seeing that you are running OpenVPN 2.4.x and pushing the cipher to the client.
Click to expand...
Same here: Also my VPN provider forces cipher 'AES-256-CBC' to my OpenVPN 2.4.1 client!
Code: 
Apr  5 19:22:40 openvpn[4777]: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher AES-256-CBC'
Apr  5 19:22:42 openvpn[4777]: Using peer cipher 'AES-256-CBC'
Apr  5 19:22:42 openvpn[4777]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
 
Last edited:
netguru said:
push-filter ignore "cipher"

cipher in brackets ? "" ??

Options error: Unrecognized option or missing parameter(s) in config.ovpn:29: push-filter (2.3.14)
Click to expand...
My fault....it's

pull-filter ignore "cipher"
 
Options error: Unrecognized option or missing parameter(s) in config.ovpn:29: pull-filter (2.3.14)

"cipher" ??

""?
 
You're on OpenVPN 2.3.14.....need to load up 380.65

EDIT: I verified it's accepted on OpenVPN 2.4.1
 
Disable NCP, it should disable the automatic cipher negotation, and revert to what is hardcoded in the legacy "cipher" field, unless the provider specifically does NOT support that cipher. Note for instance that BF-CBC is now deprecated as considered to be too weak.

We'd still need to see your current configuration to help you troubleshoot this.
 
"Disable NCP" , how to do this ...
"We'd still need to see your current configuration to help you troubleshoot this."
Ive posted my settings or what do you mean?

client
dev tun
auth-user-pass
proto udp
remote xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
mute-replay-warnings
verb 3
fragment 1300
mssfix 1300
reneg-sec 0
tun-mtu 1500
 
Pushed option removed by filter: 'cipher AES-256-GCM'
NICE!

BUT:
Authenticate/Decrypt packet error: packet HMAC authentication failed
???
 
netguru said:
Ive posted my settings or what do you mean?
Click to expand...
He may not have seen your screen shot attachment in your previous post. If you have a windows client, perhaps you can use the snipping tool to copy and past the screen instead. Not sure if my OpenVPN 2.4 Client/ASUS Merlin 380.65 setup guide will help you. It is TorGuard centric but has helped some PIA customers.

https://www.snbforums.com/threads/torguard-openvpn-2-4-client-setup-for-asus-merlin-380-65-380-65_2-part-i.38281/

https://www.snbforums.com/threads/torguard-openvpn-2-4-client-setup-for-asus-merlin-380-65-380-65_2-part-ii.38282/

https://www.snbforums.com/threads/torguard-openvpn-2-4-client-setup-for-asus-merlin-380-65-380-65_2-part-iii.38283/
 
Last edited:
netguru said:
.... x
"We'd still need to see your current configuration to help you troubleshoot this."
Ive posted my settings or what do you mean?
Click to expand...


Maybe re-post just the screenshot of the webui page? When you posted it before it was at the end of a very long list of log entries. Merlin must be a very busy fellow and possibly never made made it as far as the bottom of the page. I similarly only saw it by chance.
 
I admit, I missed your screen shot.....first thing to do is to change Cipher Negotiation to Disable and remove the pull-filter. Then post another syslog.
 
Apr 6 13:34:29 openvpn[856]: TLS: Initial packet from [AF_INET]xxx:1194, sid=8eff86ef 9010a66b
Apr 6 13:34:29 openvpn[856]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Apr 6 13:34:29 openvpn[856]: VERIFY OK: depth=1, C=NV, ST=NV, L=nVPN, O=nVpn, CN=nVpn CA, emailAddress=support@nvpn.net
Apr 6 13:34:29 openvpn[856]: VERIFY OK: depth=0, C=NV, ST=NV, L=nVPN, O=nVpn, CN=server, emailAddress=support@nvpn.net
Apr 6 13:34:29 openvpn[856]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Apr 6 13:34:29 openvpn[856]: [server] Peer Connection Initiated with [AF_INET]xx:1194
Apr 6 13:34:30 openvpn[856]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Apr 6 13:34:31 openvpn[856]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 1xx,topology net30,ping 10,ping-restart 120,ifconfig xxx,peer-id 1,cipher AES-256-GCM'
Apr 6 13:34:31 openvpn[856]: OPTIONS IMPORT: timers and/or timeouts modified
Apr 6 13:34:31 openvpn[856]: OPTIONS IMPORT: --ifconfig/up options modified
Apr 6 13:34:31 openvpn[856]: OPTIONS IMPORT: route options modified
Apr 6 13:34:31 openvpn[856]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Apr 6 13:34:31 openvpn[856]: OPTIONS IMPORT: peer-id set
Apr 6 13:34:31 openvpn[856]: OPTIONS IMPORT: adjusting link_mtu to 1629
Apr 6 13:34:31 openvpn[856]: OPTIONS IMPORT: data channel crypto options modified
Apr 6 13:34:31 openvpn[856]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 6 13:34:31 openvpn[856]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 6 13:34:31 openvpn[856]: TUN/TAP device tun12 opened
Apr 6 13:34:31 openvpn[856]: TUN/TAP TX queue length set to 100
Apr 6 13:34:31 openvpn[856]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Apr 6 13:34:31 openvpn[856]: /usr/sbin/ip link set dev tun12 up mtu 1500
 

Attachments

  • 87Udisabled.JPG
    87Udisabled.JPG
    60.1 KB · Views: 797
no change

pr 6 14:38:06 openvpn[2371]: TLS: Initial packet from [AF_INET]xxx:1194, sid=d7d7890c f674bce2
Apr 6 14:38:06 openvpn[2371]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Apr 6 14:38:06 openvpn[2371]: VERIFY OK: depth=1, C=NV, ST=NV, L=nVPN, O=nVpn, CN=nVpn CA, emailAddress=support@nvpn.net
Apr 6 14:38:06 openvpn[2371]: VERIFY OK: depth=0, C=NV, ST=NV, L=nVPN, O=nVpn, CN=server, emailAddress=support@nvpn.net
Apr 6 14:38:06 openvpn[2371]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Apr 6 14:38:06 openvpn[2371]: [server] Peer Connection Initiated with [AF_INET]xx:1194
Apr 6 14:38:08 openvpn[2371]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Apr 6 14:38:09 openvpn[2371]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route xx,topology net30,ping 10,ping-restart 120,ifconfig xx,peer-id 0,cipher AES-256-GCM'
Apr 6 14:38:09 openvpn[2371]: OPTIONS IMPORT: timers and/or timeouts modified
Apr 6 14:38:09 openvpn[2371]: OPTIONS IMPORT: --ifconfig/up options modified
Apr 6 14:38:09 openvpn[2371]: OPTIONS IMPORT: route options modified
Apr 6 14:38:09 openvpn[2371]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Apr 6 14:38:09 openvpn[2371]: OPTIONS IMPORT: peer-id set
Apr 6 14:38:09 openvpn[2371]: OPTIONS IMPORT: adjusting link_mtu to 1629
Apr 6 14:38:09 openvpn[2371]: OPTIONS IMPORT: data channel crypto options modified
Apr 6 14:38:09 openvpn[2371]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 6 14:38:09 openvpn[2371]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 6 14:38:09 openvpn[2371]: TUN/TAP device tun12 opened
Apr 6 14:38:09 openvpn[2371]: TUN/TAP TX queue length set to 100
Apr 6 14:38:09 openvpn[2371]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
 
The server has AES-256-GCM hardcoded in its push rather than handled through automatic negotiation. Check with your provider, you might need to use a different port or server if you wish to use a pre-2.4 cipher.

Ultimately, the cipher is decided by the provider, not by the user.

Filtering the cipher parameter might work, depending on how the server is set at their end, but once again, you cannot arbitrarily decide which cipher to use - they're the one that decide.
 
sry, but this is not correct, if i put "pull-filter ignore "cipher"" in my config, i am connecting with blowfish already, but there is no data possible, because i get the mentioned "HMAC" error ;-(
 
You must log in or register to reply here.

Similar threads

RMerlin
Release Asuswrt-Merlin 3006.102.2 is now available for Wifi 7 devices
2 3 4
Replies
62
Views
6K
RMerlin
RMerlin
RMerlin
  • Locked
Beta Asuswrt-Merlin 3006.102.2 Beta is now available for Wifi 7 devices
2 3 4
Replies
70
Views
12K
RMerlin
RMerlin
G
Using VPN Director to route only torrent traffic through VPN
Replies
9
Views
522
goldnet
G
RMerlin
  • Locked
Release Asuswrt-Merlin 3004.388.8_2 is now available
22 23 24
Replies
469
Views
59K
aitor_mtb
A
RMerlin
Release Asuswrt-Merlin 386.14 is now available for AC models
9 10 11
Replies
209
Views
32K
KGB7
K
Similar threads
Thread starter Title Forum Replies Date
D Release GNUton [Official Fork] 388.8_2 Release Asuswrt-Merlin 31
D Release GNUTON- 388.7_1 release [Official FORK] Asuswrt-Merlin 4
H Suggestion/Idea: AI scan of release threads/forum Asuswrt-Merlin 5
RMerlin Release Asuswrt-Merlin 3004.388.8_4 is now available Asuswrt-Merlin 71
RMerlin Release Asuswrt-Merlin 3006.102.2 is now available for Wifi 7 devices Asuswrt-Merlin 62
B Unable to establish VPN connection to my PiVPN (ovpn) from my Asus RT-AC86U running Asuswrt-Merlin 386.14 Asuswrt-Merlin 1
F Several Questions Re:Asuswrt-Merlin Feature Implementation Asuswrt-Merlin 2
Yota How to enable port randomization in Asuswrt-Merlin? Asuswrt-Merlin 4
RMerlin Beta Asuswrt-Merlin 3006.102.2 Beta is now available for Wifi 7 devices Asuswrt-Merlin 70
J Does Asuswrt-Merlin support AiMesh over Wifi? Asuswrt-Merlin 4

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 835 (members: 32, guests: 803)
Top