berkscanuck
New Around Here
I'm having a serious amount of issues getting the Merlin OpenVPN client to work properly with my VPN provider. I'm at the end of my abilities to try and debug, and am hoping I can get some help from someone much smarter than me! The threads here have been a big help getting me this far.
My VPN provider is StreamVia (www.streamvia.com). I have successfully gotten StreamVia working with Tunnelblick on a number of Macs with no issue, so I know OpenVPN works fine. This includes Macs sitting under the RT-AC66U. The RT-AC66U has another router/DSL-Modem between it and the Internet. The RT-AC66U has a LAN address of 10.0.0.1. Its gateway (the router/DSL-Modem) is 192.168.1.1.
The RT-AC66U has its Firewall on (left default settings), and the DNS servers are 8.8.8.8, and 8.8.4.4.
The OpenVPN config file for StreamVia for Tunnelblick that I use on the Macs that I have been basing my Merlin config on is here:
client
auth-user-pass
dev tun
proto udp
tun-mtu 1500
tun-mtu-extra 32
mssfix 1400
fragment 1400
remote site1.uk.streamvia.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca streamvia-ca.crt
tls-auth streamvia-ta.key 1
comp-lzo
verb 3
I've also been reverse engineering the setup script that StreamVia provides for DD-WRT. The relevant parts of this script are here:
mkdir /tmp/streamvia
cat > /tmp/streamvia/streamvia-pass.txt << MARK1
USERNAME
PASSWORD
MARK1
chmod 0600 /tmp/streamvia/streamvia-pass.txt
cat > /tmp/streamvia/streamvia.conf << MARK2
client
auth-user-pass streamvia-pass.txt
dev tun
proto udp
tun-mtu 1500
tun-mtu-extra 32
mssfix 1400
fragment 1400
remote SERVER_NAME
port 1194
resolv-retry infinite
nobind
route-delay 2
persist-key
persist-tun
ca /tmp/streamvia/ca.crt
tls-auth /tmp/streamvia/ta.key 1
comp-lzo
verb 3
MARK2
cat > /tmp/streamvia/ca.crt << MARK3
-----BEGIN CERTIFICATE-----
<CERTIFICATE SNIPPED>
-----END CERTIFICATE-----
MARK3
cat > /tmp/streamvia/ta.key << MARK4
-----BEGIN OpenVPN Static key V1-----
<Static Key SNIPPED>
-----END OpenVPN Static key V1-----
MARK4
cat > /tmp/streamvia/streamviadaemon << MARK5
#!/bin/sh
while :
do
date >> /tmp/streamvia/streamvia.log
sleep 60
NOPROCS=\`ps w | grep openvpn | grep -v grep | wc -l\`
if [ \$NOPROCS -eq 0 ]
then
echo "openvpn not running, i will start it" >> /tmp/streamvia/streamvia.log
openvpn --config streamvia.conf --daemon
else
echo "openvpn running fine, sleeping" >> /tmp/streamvia/streamvia.log
fi
done
MARK5
chmod a+x /tmp/streamvia/streamviadaemon
cd /tmp/streamvia
sleep 5
/tmp/streamvia/streamviadaemon &
exit 0
###########################################################
#
# The End
#
###########################################################
Based on all of this, I came up with the following config in the Merlin OpenVPN Client Settings for Client1:
Start with WAN: No
Interface Type: TUN
Protocol: UDP
Server Address and Port: site1.uk.streamvia.com 1194
Firewall: Automatic
Authorization Mode: TLS
Username/Password Authentication: Yes
Username: <my username>
Password: <my password>
Username Auth Only: No
Extra HMAC authorization: Outgoing
Create NAT on Tunnel: No (although I get same results when I try Yes)
Poll Interval: 0
Redirect Internet Traffic: No (although I get same results when I try Yes)
Accept DNS Configuration: Disabled (I have tried other values too)
Encryption Cipher: Default
Compression: Disabled
TLS Renegotiation Time: -1
Connection Retry: -1
Verify Server Certificate: No
Custom Configuration:
mssfix 1400
fragment 1400
comp-lzo
verb 6
resolv-retry infinite
nobind
persist-key
persist-tun
I have also populated the Static Key and the Certificate Authority on the OpenVPN Keys for Client1.
I had significant issues getting the VPN to authenticate, and was only able to do so by setting Extra HMAC authorization to Outgoing. Any other value and the VPN would not authenticate. I don't think Outgoing is correct, and perhaps this is the cause of some of my other issues? But it's the only value where authentication works!
Once I get the VPN established, no matter what I set "Create NAT on Tunnel" to or "Redirect Internet Traffic" to, I have the same result: all hosts connected to the RT-AC66U have no Internet connectivity - but the VPN tunnel is up. I have tried all 4 permutations for these 2 variables. I notice that traffic is passing, except for the pre-compress bytes and post-compress bytes, which makes me think that nothing is being sent into the tunnel?
Mar 29 18:43:09 openvpn[1347]: TUN/TAP read bytes,9614
Mar 29 18:43:09 openvpn[1347]: TUN/TAP write bytes,776
Mar 29 18:43:09 openvpn[1347]: TCP/UDP read bytes,5951
Mar 29 18:43:09 openvpn[1347]: TCP/UDP write bytes,13252
Mar 29 18:43:09 openvpn[1347]: Auth read bytes,776
Mar 29 18:43:09 openvpn[1347]: pre-compress bytes,0
Mar 29 18:43:09 openvpn[1347]: post-compress bytes,0
Any help would be appreciated, this is driving me crazy. I have been at this for a while, and tried everything I can think of. I will post the log in a followup to this post.
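Added example (not from the post, nor from Merlin or StreamVia): a small Python checker that parses the OpenVPN byte counters quoted above and the tls-auth key-direction argument from the provider config, and reports what the counters imply about where traffic is and is not flowing. The config excerpt is constructed from the post, and the mapping of the key-direction argument to the Merlin UI labels is an assumption.

```python
import re
# Counter lines quoted in the post above (OpenVPN's per-connection byte statistics).
STATS_LOG = """\
Mar 29 18:43:09 openvpn[1347]: TUN/TAP read bytes,9614
Mar 29 18:43:09 openvpn[1347]: TUN/TAP write bytes,776
Mar 29 18:43:09 openvpn[1347]: TCP/UDP read bytes,5951
Mar 29 18:43:09 openvpn[1347]: TCP/UDP write bytes,13252
Mar 29 18:43:09 openvpn[1347]: Auth read bytes,776
Mar 29 18:43:09 openvpn[1347]: pre-compress bytes,0
Mar 29 18:43:09 openvpn[1347]: post-compress bytes,0
"""
# Constructed excerpt of the provider's client config lines shown in the post.
CLIENT_CONF = "client\ndev tun\nproto udp\ntls-auth streamvia-ta.key 1\ncomp-lzo\n"
# Assumed mapping of the tls-auth key-direction argument to the Merlin UI labels.
MERLIN_HMAC_LABEL = {None: "Bi-directional", 0: "Incoming (0)", 1: "Outgoing (1)"}
STAT_RE = re.compile(r"openvpn\[\d+\]: ([A-Za-z/ -]+? bytes),(\d+)$")

def parse_stats(log: str) -> dict:
    """Map each counter name (e.g. 'TUN/TAP read bytes') to its integer value."""
    stats = {}
    for line in log.splitlines():
        m = STAT_RE.search(line.strip())
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats

def tls_auth_direction(conf: str):
    """Return the key-direction argument of the tls-auth directive (None if absent)."""
    for line in conf.splitlines():
        parts = line.split()
        if parts and parts[0] == "tls-auth":
            return int(parts[2]) if len(parts) > 2 else None
    return None

def diagnose(stats: dict) -> list:
    """'TUN/TAP read' is what OpenVPN pulled off the tun device (LAN traffic entering
    the tunnel); 'TUN/TAP write' is what it handed back to the LAN after decryption."""
    findings = []
    tun_in, tun_out = stats.get("TUN/TAP read bytes", 0), stats.get("TUN/TAP write bytes", 0)
    if tun_in == 0:
        findings.append("nothing enters the tunnel: check routing/NAT onto the tun interface")
    elif tun_out < tun_in // 4:
        findings.append("traffic enters the tunnel but little comes back: check the return path/NAT")
    if tun_in and stats.get("pre-compress bytes", 0) == 0:
        findings.append("compress counters are zero: check whether comp-lzo is active (UI vs custom config)")
    return findings

if __name__ == "__main__":
    print("tls-auth direction ->", MERLIN_HMAC_LABEL[tls_auth_direction(CLIENT_CONF)])
    for f in diagnose(parse_stats(STATS_LOG)):
        print("-", f)
```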