Starting OpenVPN with TAP Client seems to crash RT-AX86U

@AndrewL733 thank you so much for the reply and for all of the info!

I'll look into the Beelink systems, but I'm doing a user-to-router VPN with a few users that just connect to the OpenVPN in the Asus Router. There were no problems when we were using the RT-AC86U, but we just upgraded to the AX version, and I only have 1 user that is not working on the new router. I also just saw that you were also using the same router I was, the PRO version of the AX. I'm wondering if the non-PRO version might not have the same issue. I might try to find one of them and return the PRO router if that fixes the issue. Or I might just set up a software-based VPN on one of the systems to get the one user working remotely again, and hopefully if they replace their laptop soon we won't have the same issue for them or anyone else in the future.

I don't have much (barely any) experience with Linux, but one of my former co-workers was telling me about the approach you're using with PCs handling the site-to-site VPN. I'll talk to him about it some more though. Can you use just one Linux PC on the internal network side and have external clients connect to it with OpenVPN or other VPN client software? Would that allow external clients to access all resources (network shares, RDP Servers, printers) just like they were inside the office? I was only able to get that to work with the Asus OpenVPN Server by using TAP; it would not work when using TUN.
 
Hey @sojomy,

I just brushed off the dust from my GT-AX11000 and updated the firmware to 3004.388.4.

As soon as I start up my VPN client peer the TAP VPN is established and unfortunately after 5-10 seconds of successful and fully working (tested) connectivity my VPN server then crashes and reboots.

If left unattended, this cycle repeats indefinitely...

Unfortunately, it seems the latest GPL that was included in this new release didn't fix the TAP VPN problem for AX class routers :(

I also tried turning off the 2.4GHz radio per your suggestion and the crashing behavior remains exactly the same.

I'll be switching back to my AC5300 until hopefully one day this is fixed.

Sorry to confirm the bad news...
 
@AndrewL733 Dang, I was really hoping you'd be able to duplicate the problem going away when the 2.4GHz radio was disabled - I figured that would help Merlin or someone at Asus fix the problem with that correlation. It is so strange that it works just fine for me when the 2.4 Radio is disabled though. I can't imagine them having anything to do with each other. But I also can't figure out why it works fine from my workstation at my office, but not from another user's laptop. I don't know what the client could be sending to the OpenVPN server that other clients are not sending, even clients with the same version of OpenVPN using the same client.ovpn file.

I'm going to check with all of my other clients to see if I can find someone else with the AX router, but I think most of them all have the AC routers now. I do have 1 client that I'm supposed to switch to the RT-AX86U next week, so when I get that set up, I'll see if it's having the same issue. If not, I'll try to have this current client laptop connect to it. If only this client's laptop causes the issue with 2 identical routers, it has to be something different about this client's system, but I don't know what it would be. Maybe I'll try to have them plug in a USB wifi adapter and connect through that to see if it has something to do with the internal wifi adapter that they're currently using.
 
I know this is an older thread. But just to add some to the story. More to confirm that there is an issue with the tap device.

I recently upgraded to the RT-AX86U Pro for the 2.5GBit WAN port (I have Bell's 1.5Gbit service now).

I went to configure SoftEtherVPN5 on the new router. Loading the tun.ko module was OK. Creating the tap device inside SoftEtherVPN was OK.

When I went to add the tap device to the br0 bridge (brctl addif br0 tap_tap0), that is when the router crashes hard. This is repeatable each time I try to add the tap device to the bridge. The router partially recovers and I can SSH back in, however, it is messed up to the point that a reboot is required (wireless comes back, WAN is connected, but Entware fails to start up).

It would seem that there is an issue with this firmware (388.8_4) on the AX86U Pro. No clues in the syslog either - just right to the mess.

Code:
Jan 10 09:38:43 softethervpn-server[32396]: Writing vpn_server.config (AutoSaveConfigSpan set to < 86400 > seconds)
Jan 10 09:38:53 wlceventd: wlceventd_proc_event(662): eth6: Disassoc D0:39:57:72:4F:E1, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3), rssi:0
Jan 10 09:38:53 wlceventd: wlceventd_proc_event(645): eth6: Deauth_ind D0:39:57:72:4F:E1, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3), rssi:0
Jan 10 09:38:57 wlceventd: wlceventd_proc_event(685): eth6: Auth D0:39:57:72:4F:E1, status: Successful (0), rssi:0
Jan 10 09:38:57 wlceventd: wlceventd_proc_event(722): eth6: Assoc D0:39:57:72:4F:E1, status: Successful (0), rssi:-48
May  5 01:05:09 kernel: klogd started: BusyBox v1.25.1 (2024-11-17 14:17:59 EST)
May  5 01:05:09 kernel: Linux version 4.19.183 (merlin@ubuntu-dev) (gcc version 9.2.0 (Buildroot 2019.11.1)) #1 SMP PREEMPT Sun Nov 17 14:19:03 EST 2024
May  5 01:05:09 kernel: random: get_random_bytes called from start_kernel+0x9c/0x454 with crng_init=0
May  5 01:05:09 kernel: Kernel command line: coherent_pool=4M cpuidle_sysfs_switch pci=pcie_bus_safe console=ttyAMA0,115200 earlycon rootwait mtdparts=brcmnand.0:2097152(loader),264241152@2097152(image),524288@266338304(crashlog) root=/dev/ubiblock0_4 ubi.mtd=image ubi.block=0,4 rootfstype=squashfs cma=0M
May  5 01:05:09 kernel: mtusize 1500

Thought I would add my 2 cents. Will have to wait until the next release from Asus to see if the issue is resolved. For now, I've had to set up SoftEtherVPN on another Linux machine and port forward to it.

Cheers all.
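
Added example (not part of the post above, and not the poster's or Asus's code): a small syslog check for the pattern that log shows, where normal entries stop and the next line is `kernel: klogd started` with no shutdown message in between. The sample lines are constructed from the excerpt above, and the clean-shutdown patterns in `CLEAN_RE` are assumptions to adjust for your firmware.

```shell
#!/bin/sh
# Locate boot boundaries in a router syslog and flag the ones that were
# not preceded by a shutdown message (i.e. a hard crash or power loss).

# Constructed sample, shortened from the log lines quoted in the thread.
sample_log() {
cat <<'EOF'
Jan 10 09:38:43 softethervpn-server[32396]: Writing vpn_server.config
Jan 10 09:38:57 wlceventd: wlceventd_proc_event(722): eth6: Assoc, status: Successful (0), rssi:-48
May  5 01:05:09 kernel: klogd started: BusyBox v1.25.1 (2024-11-17 14:17:59 EST)
May  5 01:05:09 kernel: Linux version 4.19.183 (merlin@ubuntu-dev)
EOF
}

# Usage: find_boot_boundaries [syslog-file ...]   (reads stdin if no file)
# Output, one tab-separated line per boot found after the first log line:
#   verdict  last-timestamp-before-boot  last-process-before-boot  boot-timestamp
find_boot_boundaries() {
    # CLEAN_RE: messages taken to mean an orderly shutdown (assumption).
    awk -v clean_re="${CLEAN_RE:-syslogd exiting|Restarting system}" '
    # Syslog timestamps are a fixed 15 characters: "Mmm dd hh:mm:ss".
    function ts(l) { return substr(l, 1, 15) }
    # Process tag: text after the timestamp, up to ":" or "[pid]".
    function tag(l,   r) {
        r = substr(l, 17); sub(/:.*/, "", r); sub(/\[.*/, "", r)
        return r
    }
    /kernel: klogd started/ {
        if (NR > 1) {
            verdict = clean ? "clean" : "UNCLEAN"
            printf "%s\t%s\t%s\t%s\n", verdict, prev_ts, prev_tag, ts($0)
        }
        clean = 0          # start tracking the next uptime period
    }
    $0 ~ clean_re { clean = 1 }
    { prev_ts = ts($0); prev_tag = tag($0) }
    ' "$@"
}

# Demo on the constructed sample.
sample_log | find_boot_boundaries
```

On the router, point it at the saved log file; the timestamp in the second column tells you when to correlate with whatever was being done (here, the `brctl addif`), since the log itself records nothing at the moment of the crash.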
 
> Thought I would add my 2 cents. Will have to wait until the next release from Asus to see if the issue is resolved. For now, I've had to set up SoftEtherVPN on another Linux machine and port forward to it.
>
> Cheers all.

Hi Jeffrey,

I wouldn't hold your breath about ASUS fixing this. I have spent countless hours on the phone with their top tier support folks (and also collecting logs for them) and they show no sign of understanding the problem and no inclination to make any effort to do so. Super disappointing. Also, I have to say, some of the "experts" here in this forum (see above in this same thread) have been totally dismissive of me and chalked up my issues to a "bad OpenVPN config" as if I were an idiot (I quickly proved that hypothesis totally wrong, and they never replied again).

In any event, given that several people using totally different VPN software have had issues with TAP devices on this router -- and on other ASUS AX routers -- I think it's safe to say that the Router or the AX chipset has a bug that doesn't allow the TAP driver to function properly when added to a bridge.

My solution was to build a standalone VPN server that runs on a cheap, low power, high performing x86-64 mini Linux box. I'm using a combination of WireGuard plus GreTAP which encapsulates Ethernet (layer 2) traffic over the normal WireGuard connection. It works great. I'd be curious to know how my solution compares to SoftEther? I looked at SoftEther but when I read that it was hundreds of thousands of lines of code, versus WireGuard's very lightweight design, I chose WireGuard plus GreTAP. Also, the drivers for both WireGuard and GreTAP are built into the kernel (although there isn't any GreTAP driver for ARM64 Linux, so you can't run it on Entware on the ASUS Router -- I think I tried compiling it as well and got into dependency hell).

Please have a look at my WireGuard + GreTAP solution if you so desire. My write-up was an addendum to another person's post on GitHub about how to make a Layer 2 Ethernet Bridge with WireGuard. I added a lot of important details.


Also, please note that I have run into another issue using my WireGuard + GreTAP solution. In the end, my old RT-AC68U router started to die -- it would occasionally freeze up and as I'm not at the location where this router is located for many months at a time, I couldn't count on it any more. So, I ended up buying an RT-AX86U Pro AGAIN, this time thinking "because I will be using an external VPN server, it won't matter". Much to my additional disappointment, the VPN throughput between my two locations in the USA and Europe was cut in HALF when sending the traffic through the new RT-AX86U Pro router versus through the old RT-AC68U. I have proven to ASUS support that this is the case. I can swap back and forth between the two routers and the behavior is 100% reproducible.


Once again, the ASUS top tier tech support folks have been useless. They spent a ton of time with me on the phone. I collected logs and screen videos for them. And they have completely dropped the ball and now don't even respond to my case updates any more.

My conclusion is that the ASUS AX Routers are basically crap for some things. Hopefully the new BE WIFI-7 routers have fixed these issues.
 
> Hopefully the new BE WIFI-7 routers have fixed these issues.

I am hoping that it is just my biased opinion, but I would not hold my breath. I am disappointed in the QA that Asus has been putting into their routers these days. They seem to be focused on turning out a large number of models instead of turning out quality. I agree that this is a firmware/hardware issue with the bridge. This is significant as a centerpiece part of Asus's OpenVPN does not work (using TAP instead of TUN). The tap adaptor is being created OK. Just when you add the adapter to the bridge does the router take a fit. I am more disappointed in myself for not doing what I said I was going to do for my next router - build my own.

I've been using WireGuard on Asus routers since the first kernel modules were compiled for the AC86U. Still use both WireGuard server and client on the router via my own scripts. I find I can control the environment far more granularly from the CLI. Either that or I am too old and just find the CLI easier and more flexible.

For now, I have compiled SoftEtherVPN5 on another Ubuntu machine and have put the server up there - using port forwarding from the router. I like SE5 as it nails all the bullets I was looking for (OVPN, L2TP/IPsec, RADIUS authentication).

Thanks for sharing your experience and your scripts.
 
