What's new

[Release] Asuswrt-Merlin 380.65 is now available

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

With same settings i connect on 380,64_2 with BF-CBC, above 380,65 and also on 380,66 alpha 3 with openssl 2.4.1 only aes 256 possible.... (same on cipher negotiation disbabled) ....
Server side is unchanged ...

380,65 ... log

pr 5 18:38:08 openvpn[1626]: VERIFY OK: depth=1, C=NV, ST=NV, L=nVPN, O=nVpn, CN=nVpn CA, emailAddress=support@nvpn.net
Apr 5 18:38:08 openvpn[1626]: VERIFY OK: depth=0, C=NV, ST=NV, L=nVPN, O=nVpn, CN=server, emailAddress=support@nvpn.net
Apr 5 18:38:08 openvpn[1626]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Apr 5 18:38:08 openvpn[1626]: [server] Peer Connection Initiated with [AF_INET]xxx:1194
Apr 5 18:38:09 openvpn[1626]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Apr 5 18:38:14 openvpn[1626]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Apr 5 18:38:14 openvpn[1626]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route xxx,topology net30,ping 10,ping-restart 120,ifconfig xxx,peer-id 1,cipher AES-256-GCM'
Apr 5 18:38:14 openvpn[1626]: OPTIONS IMPORT: timers and/or timeouts modified
Apr 5 18:38:14 openvpn[1626]: OPTIONS IMPORT: --ifconfig/up options modified
Apr 5 18:38:14 openvpn[1626]: OPTIONS IMPORT: route options modified
Apr 5 18:38:14 openvpn[1626]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Apr 5 18:38:14 openvpn[1626]: OPTIONS IMPORT: peer-id set
Apr 5 18:38:14 openvpn[1626]: OPTIONS IMPORT: adjusting link_mtu to 1629
Apr 5 18:38:14 openvpn[1626]: OPTIONS IMPORT: data channel crypto options modified
Apr 5 18:38:14 openvpn[1626]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 5 18:38:14 openvpn[1626]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key

380,64_2

Apr 5 18:47:36 openvpn[793]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Apr 5 18:47:36 openvpn[793]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Apr 5 18:47:36 openvpn[793]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 5 18:47:36 openvpn[793]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Apr 5 18:47:36 openvpn[793]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Apr 5 18:47:36 openvpn[793]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 5 18:47:36 openvpn[793]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Apr 5 18:47:36 openvpn[793]: [server] Peer Connection Initiated with [AF_INET]xxx:1194
Apr 5 18:47:37 dnsmasq-dhcp[436]: DHCPREQUEST(br0) 192.168.1.152 9c:b7:0d:69:a3:dc
Apr 5 18:47:37 dnsmasq-dhcp[436]: DHCPACK(br0) 192.168.1.152 9c:b7:0d:69:a3:dc HP
Apr 5 18:47:38 openvpn[793]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Apr 5 18:47:38 openvpn[793]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route xx,topology net30,ping 10,ping-restart 120,ifconfig xx,peer-id 2'
Apr 5 18:47:38 openvpn[793]: OPTIONS IMPORT: timers and/or timeouts modified
Apr 5 18:47:38 openvpn[793]: OPTIONS IMPORT: --ifconfig/up options modified
Apr 5 18:47:38 openvpn[793]: OPTIONS IMPORT: route options modified
Apr 5 18:47:38 openvpn[793]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Apr 5 18:47:38 openvpn[793]: OPTIONS IMPORT: peer-id set
Apr 5 18:47:38 openvpn[793]: OPTIONS IMPORT: adjusting link_mtu to 1549
 

Attachments

  • 87u.JPG
    87u.JPG
    65.7 KB · Views: 730
Your VPN provider is seeing that you are running OpenVPN 2.4.x and pushing the cipher to the client.

380.65
Apr 5 18:38:14 openvpn[1626]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route xxx,topology net30,ping 10,ping-restart 120,ifconfig xxx,peer-id 1,cipher AES-256-GCM'

380.64_2
Apr 5 18:47:38 openvpn[793]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route xx,topology net30,ping 10,ping-restart 120,ifconfig xx,peer-id 2'

try adding

pull-filter ignore "cipher"

to your custom config

Not sure if you are also going to need to do something with the peer-id change.....

EDIT: Corrected command
 
Last edited:
push-filter ignore "cipher"

cipher in brackets ? "" ??

Options error: Unrecognized option or missing parameter(s) in config.ovpn:29: push-filter (2.3.14)
 
Your VPN provider is seeing that you are running OpenVPN 2.4.x and pushing the cipher to the client.
Same here: Also my VPN provider forces cipher 'AES-256-CBC' to my OpenVPN 2.4.1 client!
Code:
Apr  5 19:22:40 openvpn[4777]: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher AES-256-CBC'
Apr  5 19:22:42 openvpn[4777]: Using peer cipher 'AES-256-CBC'
Apr  5 19:22:42 openvpn[4777]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
 
Last edited:
push-filter ignore "cipher"

cipher in brackets ? "" ??

Options error: Unrecognized option or missing parameter(s) in config.ovpn:29: push-filter (2.3.14)
My fault....it's

pull-filter ignore "cipher"
 
Options error: Unrecognized option or missing parameter(s) in config.ovpn:29: pull-filter (2.3.14)

"cipher" ??

""?
 
You're on OpenVPN 2.3.14.....need to load up 380.65

EDIT: I verified it's accepted on OpenVPN 2.4.1
 
Disable NCP, it should disable the automatic cipher negotation, and revert to what is hardcoded in the legacy "cipher" field, unless the provider specifically does NOT support that cipher. Note for instance that BF-CBC is now deprecated as considered to be too weak.

We'd still need to see your current configuration to help you troubleshoot this.
 
"Disable NCP" , how to do this ...
"We'd still need to see your current configuration to help you troubleshoot this."
Ive posted my settings or what do you mean?

client
dev tun
auth-user-pass
proto udp
remote xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
mute-replay-warnings
verb 3
fragment 1300
mssfix 1300
reneg-sec 0
tun-mtu 1500
 
Pushed option removed by filter: 'cipher AES-256-GCM'
NICE!

BUT:
Authenticate/Decrypt packet error: packet HMAC authentication failed
???
 
Ive posted my settings or what do you mean?
He may not have seen your screen shot attachment in your previous post. If you have a windows client, perhaps you can use the snipping tool to copy and past the screen instead. Not sure if my OpenVPN 2.4 Client/ASUS Merlin 380.65 setup guide will help you. It is TorGuard centric but has helped some PIA customers.

https://www.snbforums.com/threads/torguard-openvpn-2-4-client-setup-for-asus-merlin-380-65-380-65_2-part-i.38281/

https://www.snbforums.com/threads/torguard-openvpn-2-4-client-setup-for-asus-merlin-380-65-380-65_2-part-ii.38282/

https://www.snbforums.com/threads/torguard-openvpn-2-4-client-setup-for-asus-merlin-380-65-380-65_2-part-iii.38283/
 
Last edited:
.... x
"We'd still need to see your current configuration to help you troubleshoot this."
Ive posted my settings or what do you mean?


Maybe re-post just the screenshot of the webui page? When you posted it before it was at the end of a very long list of log entries. Merlin must be a very busy fellow and possibly never made made it as far as the bottom of the page. I similarly only saw it by chance.
 
I admit, I missed your screen shot.....first thing to do is to change Cipher Negotiation to Disable and remove the pull-filter. Then post another syslog.
 
Apr 6 13:34:29 openvpn[856]: TLS: Initial packet from [AF_INET]xxx:1194, sid=8eff86ef 9010a66b
Apr 6 13:34:29 openvpn[856]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Apr 6 13:34:29 openvpn[856]: VERIFY OK: depth=1, C=NV, ST=NV, L=nVPN, O=nVpn, CN=nVpn CA, emailAddress=support@nvpn.net
Apr 6 13:34:29 openvpn[856]: VERIFY OK: depth=0, C=NV, ST=NV, L=nVPN, O=nVpn, CN=server, emailAddress=support@nvpn.net
Apr 6 13:34:29 openvpn[856]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Apr 6 13:34:29 openvpn[856]: [server] Peer Connection Initiated with [AF_INET]xx:1194
Apr 6 13:34:30 openvpn[856]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Apr 6 13:34:31 openvpn[856]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 1xx,topology net30,ping 10,ping-restart 120,ifconfig xxx,peer-id 1,cipher AES-256-GCM'
Apr 6 13:34:31 openvpn[856]: OPTIONS IMPORT: timers and/or timeouts modified
Apr 6 13:34:31 openvpn[856]: OPTIONS IMPORT: --ifconfig/up options modified
Apr 6 13:34:31 openvpn[856]: OPTIONS IMPORT: route options modified
Apr 6 13:34:31 openvpn[856]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Apr 6 13:34:31 openvpn[856]: OPTIONS IMPORT: peer-id set
Apr 6 13:34:31 openvpn[856]: OPTIONS IMPORT: adjusting link_mtu to 1629
Apr 6 13:34:31 openvpn[856]: OPTIONS IMPORT: data channel crypto options modified
Apr 6 13:34:31 openvpn[856]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 6 13:34:31 openvpn[856]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 6 13:34:31 openvpn[856]: TUN/TAP device tun12 opened
Apr 6 13:34:31 openvpn[856]: TUN/TAP TX queue length set to 100
Apr 6 13:34:31 openvpn[856]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Apr 6 13:34:31 openvpn[856]: /usr/sbin/ip link set dev tun12 up mtu 1500
 

Attachments

  • 87Udisabled.JPG
    87Udisabled.JPG
    60.1 KB · Views: 798
no change

pr 6 14:38:06 openvpn[2371]: TLS: Initial packet from [AF_INET]xxx:1194, sid=d7d7890c f674bce2
Apr 6 14:38:06 openvpn[2371]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Apr 6 14:38:06 openvpn[2371]: VERIFY OK: depth=1, C=NV, ST=NV, L=nVPN, O=nVpn, CN=nVpn CA, emailAddress=support@nvpn.net
Apr 6 14:38:06 openvpn[2371]: VERIFY OK: depth=0, C=NV, ST=NV, L=nVPN, O=nVpn, CN=server, emailAddress=support@nvpn.net
Apr 6 14:38:06 openvpn[2371]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Apr 6 14:38:06 openvpn[2371]: [server] Peer Connection Initiated with [AF_INET]xx:1194
Apr 6 14:38:08 openvpn[2371]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Apr 6 14:38:09 openvpn[2371]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route xx,topology net30,ping 10,ping-restart 120,ifconfig xx,peer-id 0,cipher AES-256-GCM'
Apr 6 14:38:09 openvpn[2371]: OPTIONS IMPORT: timers and/or timeouts modified
Apr 6 14:38:09 openvpn[2371]: OPTIONS IMPORT: --ifconfig/up options modified
Apr 6 14:38:09 openvpn[2371]: OPTIONS IMPORT: route options modified
Apr 6 14:38:09 openvpn[2371]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Apr 6 14:38:09 openvpn[2371]: OPTIONS IMPORT: peer-id set
Apr 6 14:38:09 openvpn[2371]: OPTIONS IMPORT: adjusting link_mtu to 1629
Apr 6 14:38:09 openvpn[2371]: OPTIONS IMPORT: data channel crypto options modified
Apr 6 14:38:09 openvpn[2371]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 6 14:38:09 openvpn[2371]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 6 14:38:09 openvpn[2371]: TUN/TAP device tun12 opened
Apr 6 14:38:09 openvpn[2371]: TUN/TAP TX queue length set to 100
Apr 6 14:38:09 openvpn[2371]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
 
The server has AES-256-GCM hardcoded in its push rather than handled through automatic negotiation. Check with your provider, you might need to use a different port or server if you wish to use a pre-2.4 cipher.

Ultimately, the cipher is decided by the provider, not by the user.

Filtering the cipher parameter might work, depending on how the server is set at their end, but once again, you cannot arbitrarily decide which cipher to use - they're the one that decide.
 
sry, but this is not correct, if i put "pull-filter ignore "cipher"" in my config, i am connecting with blowfish already, but there is no data possible, because i get the mentioned "HMAC" error ;-(
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top