chbni 3 Posted ... Hi, I have my Asus router running AsusWRT-Merlin set to automatically connect with VPN. Yesterday I manually disconnected and cannot reconnect ever since. I updated the firmware to the latest version, uploaded a brand new configuration set to the router and restarted the whole hardware. Whether I am trying to run the new, freshly generated setup or the old one, I am always getting an error with "Exiting due to fatal error". My Premium access to AirVPN is good for quite a while as well. Here is the relevant part of the sys log copied from my router: Oct 20 15:49:49 ovpn-client1[3844]: OpenVPN 2.4.7 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 31 2019 Oct 20 15:49:49 ovpn-client1[3844]: library versions: OpenSSL 1.1.1c 28 May 2019, LZO 2.08 Oct 20 15:49:49 ovpn-client1[3845]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Oct 20 15:49:49 ovpn-client1[3845]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Oct 20 15:49:49 ovpn-client1[3845]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Oct 20 15:49:49 ovpn-client1[3845]: TCP/UDP: Preserving recently used remote address: [AF_INET]184.75.223.194:443 Oct 20 15:49:49 ovpn-client1[3845]: Socket Buffers: R=[122880->122880] S=[122880->122880] Oct 20 15:49:49 ovpn-client1[3845]: UDP link local: (not bound) Oct 20 15:49:49 ovpn-client1[3845]: UDP link remote: [AF_INET]184.75.223.194:443 Oct 20 15:49:50 ovpn-client1[3845]: TLS: Initial packet from [AF_INET]184.75.223.194:443, sid=4fd25a87 fd4280d6 Oct 20 15:49:50 ovpn-client1[3845]: VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org Oct 20 15:49:50 ovpn-client1[3845]: VERIFY KU OK Oct 20 15:49:50 ovpn-client1[3845]: Validating certificate extended key usage Oct 20 15:49:50 ovpn-client1[3845]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication Oct 20 15:49:50 ovpn-client1[3845]: VERIFY EKU OK Oct 20 15:49:50 ovpn-client1[3845]: VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=Sargas, emailAddress=info@airvpn.org Oct 20 15:49:53 ovpn-client1[3845]: Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA Oct 20 15:49:53 ovpn-client1[3845]: [Sargas] Peer Connection Initiated with [AF_INET]184.75.223.194:443 Oct 20 15:49:54 ovpn-client1[3845]: SENT CONTROL [Sargas]: 'PUSH_REQUEST' (status=1) Oct 20 15:49:54 ovpn-client1[3845]: PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway ipv6 def1 bypass-dhcp,dhcp-option DNS 10.29.56.1,dhcp-option DNS6 fde6:7a:7d20:1938::1,tun-ipv6,route-gateway 10.29.56.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 fde6:7a:7d20:1938::1022/64 fde6:7a:7d20:1938::1,ifconfig 10.29.56.36 255.255.255.0,peer-id 11,cipher AES-256-GCM' Oct 20 15:49:54 ovpn-client1[3845]: OPTIONS IMPORT: timers and/or timeouts modified Oct 20 15:49:54 ovpn-client1[3845]: OPTIONS IMPORT: compression parms modified Oct 20 15:49:54 ovpn-client1[3845]: OPTIONS IMPORT: --ifconfig/up options modified Oct 20 15:49:54 ovpn-client1[3845]: OPTIONS IMPORT: route options modified Oct 20 15:49:54 ovpn-client1[3845]: OPTIONS IMPORT: route-related options modified Oct 20 15:49:54 ovpn-client1[3845]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified Oct 20 15:49:54 ovpn-client1[3845]: OPTIONS IMPORT: peer-id set Oct 20 15:49:54 ovpn-client1[3845]: OPTIONS IMPORT: adjusting link_mtu to 1625 Oct 20 15:49:54 ovpn-client1[3845]: OPTIONS IMPORT: data channel crypto options modified Oct 20 15:49:54 ovpn-client1[3845]: Data Channel: using negotiated cipher 'AES-256-GCM' Oct 20 15:49:54 ovpn-client1[3845]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Oct 20 15:49:54 ovpn-client1[3845]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Oct 20 15:49:54 ovpn-client1[3845]: GDG6: remote_host_ipv6=n/a Oct 20 15:49:54 ovpn-client1[3845]: TUN/TAP device tun11 opened Oct 20 15:49:54 ovpn-client1[3845]: TUN/TAP TX queue length set to 1000 Oct 20 15:49:54 ovpn-client1[3845]: /usr/sbin/ip link set dev tun11 up mtu 1500 Oct 20 15:49:54 ovpn-client1[3845]: /usr/sbin/ip addr add dev tun11 10.29.56.36/24 broadcast 10.29.56.255 Oct 20 15:49:54 ovpn-client1[3845]: Linux ip addr add failed: external program exited with error status: 2 Oct 20 15:49:54 ovpn-client1[3845]: Exiting due to fatal error Any advice is very much appreciated. Been using VPN for so many years now, I feel quite uncomfortable going online without... Thank you very much in advance! Quote Share this post Link to post
Air4141841 30 Posted ... Will 256gcm operate with only a control channel of 160? mine is set to 512 Quote Share this post Link to post
go558a83nk 380 Posted ... auth digest needs to be SHA1 if using entry IP 1 or 2. auth digest needs to be SHA512 if using entry IP 3 or 4 (tls-crypt config) I'd ask the merlin forum about this too. It seems the problem isn't with AirVPN but with your router creating network configuration needed for openvpn to work.https://www.snbforums.com/forums/asuswrt-merlin.42/ Quote Share this post Link to post
chbni 3 Posted ... Thanks. I am not going to pretend I understood most of it, but after reading your posts, I went to the router config, changed the setting " Legacy/fallback cipher " from "AES-256-CBC" to "default" and the router immediately connected... Oct 21 16:04:03 ovpn-client2[9021]: OpenVPN 2.4.7 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 31 2019 Oct 21 16:04:03 ovpn-client2[9021]: library versions: OpenSSL 1.1.1c 28 May 2019, LZO 2.08 Oct 21 16:04:03 ovpn-client2[9022]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Oct 21 16:04:03 ovpn-client2[9022]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Oct 21 16:04:03 ovpn-client2[9022]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Oct 21 16:04:03 ovpn-client2[9022]: TCP/UDP: Preserving recently used remote address: [AF_INET]104.254.90.250:443 Oct 21 16:04:03 ovpn-client2[9022]: Socket Buffers: R=[122880->122880] S=[122880->122880] Oct 21 16:04:03 ovpn-client2[9022]: UDP link local: (not bound) Oct 21 16:04:03 ovpn-client2[9022]: UDP link remote: [AF_INET]104.254.90.250:443 Oct 21 16:04:03 ovpn-client2[9022]: TLS: Initial packet from [AF_INET]104.254.90.250:443, sid=e040adaf 559b11b3 Oct 21 16:04:03 ovpn-client2[9022]: VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org Oct 21 16:04:03 ovpn-client2[9022]: VERIFY KU OK Oct 21 16:04:03 ovpn-client2[9022]: Validating certificate extended key usage Oct 21 16:04:03 ovpn-client2[9022]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication Oct 21 16:04:03 ovpn-client2[9022]: VERIFY EKU OK Oct 21 16:04:03 ovpn-client2[9022]: VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org Oct 21 16:04:06 ovpn-client2[9022]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1558' Oct 21 16:04:06 ovpn-client2[9022]: WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC' Oct 21 16:04:06 ovpn-client2[9022]: WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256' Oct 21 16:04:06 ovpn-client2[9022]: Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA Oct 21 16:04:06 ovpn-client2[9022]: [server] Peer Connection Initiated with [AF_INET]104.254.90.250:443 Oct 21 16:04:07 ovpn-client2[9022]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1) Oct 21 16:04:07 ovpn-client2[9022]: PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.18.24.1,route-gateway 10.18.24.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.18.24.185 255.255.255.0,peer-id 7,cipher AES-256-GCM' Oct 21 16:04:07 ovpn-client2[9022]: OPTIONS IMPORT: timers and/or timeouts modified Oct 21 16:04:07 ovpn-client2[9022]: OPTIONS IMPORT: compression parms modified Oct 21 16:04:07 ovpn-client2[9022]: OPTIONS IMPORT: --ifconfig/up options modified Oct 21 16:04:07 ovpn-client2[9022]: OPTIONS IMPORT: route options modified Oct 21 16:04:07 ovpn-client2[9022]: OPTIONS IMPORT: route-related options modified Oct 21 16:04:07 ovpn-client2[9022]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified Oct 21 16:04:07 ovpn-client2[9022]: OPTIONS IMPORT: peer-id set Oct 21 16:04:07 ovpn-client2[9022]: OPTIONS IMPORT: adjusting link_mtu to 1625 Oct 21 16:04:07 ovpn-client2[9022]: OPTIONS IMPORT: data channel crypto options modified Oct 21 16:04:07 ovpn-client2[9022]: Data Channel: using negotiated cipher 'AES-256-GCM' Oct 21 16:04:07 ovpn-client2[9022]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Oct 21 16:04:07 ovpn-client2[9022]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Oct 21 16:04:07 ovpn-client2[9022]: TUN/TAP device tun12 opened Oct 21 16:04:07 ovpn-client2[9022]: TUN/TAP TX queue length set to 1000 Oct 21 16:04:07 ovpn-client2[9022]: /usr/sbin/ip link set dev tun12 up mtu 1500 Oct 21 16:04:07 ovpn-client2[9022]: /usr/sbin/ip addr add dev tun12 10.18.24.185/24 broadcast 10.18.24.255 Oct 21 16:04:07 ovpn-client2[9022]: updown.sh tun12 1500 1553 10.18.24.185 255.255.255.0 init Oct 21 16:04:08 rc_service: service 9082:notify_rc updateresolv Oct 21 16:04:08 dnsmasq[242]: read /etc/hosts - 5 addresses Oct 21 16:04:08 dnsmasq[242]: using nameserver 10.18.24.1#53 Oct 21 16:04:08 dnsmasq[242]: using nameserver xxxxxxxx#53 for domain Local Oct 21 16:04:08 dnsmasq[242]: using nameserver xxxxxxxx#53 Oct 21 16:04:08 dnsmasq[242]: using only locally-known addresses for domain HOME Oct 21 16:04:14 ovpn-client2[9022]: /usr/sbin/ip route add 104.254.90.250/32 via xxxxxxxxx Oct 21 16:04:14 ovpn-client2[9022]: /usr/sbin/ip route add 0.0.0.0/1 via 10.18.24.1 Oct 21 16:04:14 ovpn-client2[9022]: /usr/sbin/ip route add 128.0.0.0/1 via 10.18.24.1 Oct 21 16:04:14 ovpn-client2[9022]: Initialization Sequence Completed When I then tried to find out what actually happened, disconnected and tried to connect - without changing anything at all - it failed again. Even before this weekend, the configuration was all fine. I did not change it, but now connection fails. I am certainly not an expert with VPNs, usually everything worked right out of the box. Therefore I would be very grateful if you could point me into the right direction of which settings I might have to change. I will make a post at the merlin forum as well. Quote Share this post Link to post
Tech Jedi Alex 1499 Posted ... On 10/20/2019 at 5:04 PM, chbni said: Oct 20 15:49:54 ovpn-client1[3845]: Linux ip addr add failed: external program exited with error status: 2 This indicates an error reported by the kernel. Which also means, it could have surfaced in /var/log/syslog or in the kernel's ring buffer, if applicable. Reproduce a failed connection, then try posting the contents of the following command here: grep ovpn /var/log/syslog;echo "#################################";dmesg --level=err If you get permission errors, prepend sudo in front of grep and dmesg. Please use the LOG format for this. It's in the upper left corner of the editor you write your posts in. Quote Hide Tech Jedi Alex's signature Hide all signatures NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT. LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too! Want to contact me directly? All relevant methods are on my About me page. Share this post Link to post
chbni 3 Posted ... Thanks, I tried that. Unfortunately there is not much more. I turned the verbosity level up (to 6) in the VPN section and to all in the log section of the asus router, so there is much more "noise" but from what I see nothing after the error. The --level=err was not accepted, so the whole thing got rather long but also shows the configs. I therefore uploaded the whole thing instead of pasting it, hope you do not mind. Thank you very much for looking into it. log.txt Quote Share this post Link to post
Tech Jedi Alex 1499 Posted ... Well, these two lines here tell me it's trying to set v6 routes but fails to do so: Oct 22 16:23:16 ovpn-client2[21440]: /usr/sbin/ip -6 addr add fde6:7a:7d20:1938::1022/64 dev tun12 Oct 22 16:23:16 ovpn-client2[21440]: Linux ip -6 addr add failed: external program exited with error status: 2 You could try disabling IPv6, just to see if it helps. In your original post it failed setting the IPv4 link address, here it succeeds but fails with v6. It's the only common error I see. I don't work with OpenWRT to know its little details of doing things, so maybe someone else can contribute or you come up with other ideas and experiments. Looking forward to hearing more. Quote Hide Tech Jedi Alex's signature Hide all signatures NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT. LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too! Want to contact me directly? All relevant methods are on my About me page. Share this post Link to post
chbni 3 Posted ... Thank you! You pushed me into the right direction: While I was still waiting for the activation code from the merlin board, I searched for openwrt + IPv6 + VPN and found an entry in the board of PerfectPrivacy. I hope you do not mind me linking them here. Also the website is in German but I assume that will not be an issue for you: Issues with Merlin-VPN For future reference: There are two ways to fix this: A clever user over at the board of PP suggested to add the following lines to the configuration down at the VPN section of the router: pull-filter ignore "ifconfig-ipv6" pull-filter ignore "route-ipv6" Alternatively go to the IPv6 section of the router and switch it ON to "native". I noticed #1 connecting a tad faster than #2, so I went with that. Also I do not have a clue why switching IPv6 ON to then NOT use it actually works but ...hey... as long as it does the trick? 1 apero reacted to this Quote Share this post Link to post
Tech Jedi Alex 1499 Posted ... Actually, I would've adviced it vice versa: Go with option 2 and accept the full push so that IPv6 is also routed through OpenVPN. All operating systems are preferring this over v4, so there's your tradeoff. I hope you are not mixing both options, because that will get you a huge IPv6 "leak". Quote Hide Tech Jedi Alex's signature Hide all signatures NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT. LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too! Want to contact me directly? All relevant methods are on my About me page. Share this post Link to post
chbni 3 Posted ... Thanks, I changed the settings. Everything up and running. I still have no idea why all of a sudden VPN connections failed. I had not touched the config at all. But as long as it is working now, I am fine. 1 Tech Jedi Alex reacted to this Quote Share this post Link to post