ANSWERED Router: Connection fails with "Exiting due to fatal error"

[chbni 2]

Hi,

I have my Asus router running AsusWRT-Merlin set to automatically connect with VPN. Yesterday I manually disconnected and cannot reconnect ever since. I updated the firmware to the latest version, uploaded a brand new configuration set to the router and restarted the whole hardware. Whether I am trying to run the new, freshly generated setup or the old one, I am always getting an error with "Exiting due to fatal error". My Premium access to AirVPN is good for quite a while as well.
Here is the relevant part of the sys log copied from my router:

Oct 20 15:49:49 ovpn-client1[3844]: OpenVPN 2.4.7 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 31 2019
Oct 20 15:49:49 ovpn-client1[3844]: library versions: OpenSSL 1.1.1c  28 May 2019, LZO 2.08
Oct 20 15:49:49 ovpn-client1[3845]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 20 15:49:49 ovpn-client1[3845]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 20 15:49:49 ovpn-client1[3845]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 20 15:49:49 ovpn-client1[3845]: TCP/UDP: Preserving recently used remote address: [AF_INET]184.75.223.194:443
Oct 20 15:49:49 ovpn-client1[3845]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Oct 20 15:49:49 ovpn-client1[3845]: UDP link local: (not bound)
Oct 20 15:49:49 ovpn-client1[3845]: UDP link remote: [AF_INET]184.75.223.194:443
Oct 20 15:49:50 ovpn-client1[3845]: TLS: Initial packet from [AF_INET]184.75.223.194:443, sid=4fd25a87 fd4280d6
Oct 20 15:49:50 ovpn-client1[3845]: VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Oct 20 15:49:50 ovpn-client1[3845]: VERIFY KU OK
Oct 20 15:49:50 ovpn-client1[3845]: Validating certificate extended key usage
Oct 20 15:49:50 ovpn-client1[3845]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Oct 20 15:49:50 ovpn-client1[3845]: VERIFY EKU OK
Oct 20 15:49:50 ovpn-client1[3845]: VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=Sargas, emailAddress=info@airvpn.org
Oct 20 15:49:53 ovpn-client1[3845]: Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Oct 20 15:49:53 ovpn-client1[3845]: [Sargas] Peer Connection Initiated with [AF_INET]184.75.223.194:443
Oct 20 15:49:54 ovpn-client1[3845]: SENT CONTROL [Sargas]: 'PUSH_REQUEST' (status=1)
Oct 20 15:49:54 ovpn-client1[3845]: PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway ipv6 def1 bypass-dhcp,dhcp-option DNS 10.29.56.1,dhcp-option DNS6 fde6:7a:7d20:1938::1,tun-ipv6,route-gateway 10.29.56.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 fde6:7a:7d20:1938::1022/64 fde6:7a:7d20:1938::1,ifconfig 10.29.56.36 255.255.255.0,peer-id 11,cipher AES-256-GCM'
Oct 20 15:49:54 ovpn-client1[3845]: OPTIONS IMPORT: timers and/or timeouts modified
Oct 20 15:49:54 ovpn-client1[3845]: OPTIONS IMPORT: compression parms modified
Oct 20 15:49:54 ovpn-client1[3845]: OPTIONS IMPORT: --ifconfig/up options modified
Oct 20 15:49:54 ovpn-client1[3845]: OPTIONS IMPORT: route options modified
Oct 20 15:49:54 ovpn-client1[3845]: OPTIONS IMPORT: route-related options modified
Oct 20 15:49:54 ovpn-client1[3845]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Oct 20 15:49:54 ovpn-client1[3845]: OPTIONS IMPORT: peer-id set
Oct 20 15:49:54 ovpn-client1[3845]: OPTIONS IMPORT: adjusting link_mtu to 1625
Oct 20 15:49:54 ovpn-client1[3845]: OPTIONS IMPORT: data channel crypto options modified
Oct 20 15:49:54 ovpn-client1[3845]: Data Channel: using negotiated cipher 'AES-256-GCM'
Oct 20 15:49:54 ovpn-client1[3845]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 20 15:49:54 ovpn-client1[3845]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 20 15:49:54 ovpn-client1[3845]: GDG6: remote_host_ipv6=n/a
Oct 20 15:49:54 ovpn-client1[3845]: TUN/TAP device tun11 opened
Oct 20 15:49:54 ovpn-client1[3845]: TUN/TAP TX queue length set to 1000
Oct 20 15:49:54 ovpn-client1[3845]: /usr/sbin/ip link set dev tun11 up mtu 1500
Oct 20 15:49:54 ovpn-client1[3845]: /usr/sbin/ip addr add dev tun11 10.29.56.36/24 broadcast 10.29.56.255
Oct 20 15:49:54 ovpn-client1[3845]: Linux ip addr add failed: external program exited with error status: 2
Oct 20 15:49:54 ovpn-client1[3845]: Exiting due to fatal error

Any advice is very much appreciated. Been using VPN for so many years now, I feel quite uncomfortable going online without...

Thank you very much in advance!

[Air4141841 23]

Will 256gcm operate with only a control channel of 160?

mine is set to 512 

[go558a83nk 352]

auth digest needs to be SHA1 if using entry IP 1 or 2.
auth digest needs to be SHA512 if using entry IP 3 or 4 (tls-crypt config)

I'd ask the merlin forum about this too.  It seems the problem isn't with AirVPN but with your router creating network configuration needed for openvpn to work.
https://www.snbforums.com/forums/asuswrt-merlin.42/

[chbni 2]

Thanks.
I am not going to pretend I understood most of it, but after reading your posts, I went to the router config, changed the setting " Legacy/fallback cipher " from "AES-256-CBC" to "default" and the router immediately connected...
 

Oct 21 16:04:03 ovpn-client2[9021]: OpenVPN 2.4.7 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 31 2019
Oct 21 16:04:03 ovpn-client2[9021]: library versions: OpenSSL 1.1.1c  28 May 2019, LZO 2.08
Oct 21 16:04:03 ovpn-client2[9022]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 21 16:04:03 ovpn-client2[9022]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 21 16:04:03 ovpn-client2[9022]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 21 16:04:03 ovpn-client2[9022]: TCP/UDP: Preserving recently used remote address: [AF_INET]104.254.90.250:443
Oct 21 16:04:03 ovpn-client2[9022]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Oct 21 16:04:03 ovpn-client2[9022]: UDP link local: (not bound)
Oct 21 16:04:03 ovpn-client2[9022]: UDP link remote: [AF_INET]104.254.90.250:443
Oct 21 16:04:03 ovpn-client2[9022]: TLS: Initial packet from [AF_INET]104.254.90.250:443, sid=e040adaf 559b11b3
Oct 21 16:04:03 ovpn-client2[9022]: VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Oct 21 16:04:03 ovpn-client2[9022]: VERIFY KU OK
Oct 21 16:04:03 ovpn-client2[9022]: Validating certificate extended key usage
Oct 21 16:04:03 ovpn-client2[9022]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Oct 21 16:04:03 ovpn-client2[9022]: VERIFY EKU OK
Oct 21 16:04:03 ovpn-client2[9022]: VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
Oct 21 16:04:06 ovpn-client2[9022]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1558'
Oct 21 16:04:06 ovpn-client2[9022]: WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
Oct 21 16:04:06 ovpn-client2[9022]: WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
Oct 21 16:04:06 ovpn-client2[9022]: Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Oct 21 16:04:06 ovpn-client2[9022]: [server] Peer Connection Initiated with [AF_INET]104.254.90.250:443
Oct 21 16:04:07 ovpn-client2[9022]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Oct 21 16:04:07 ovpn-client2[9022]: PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway  def1 bypass-dhcp,dhcp-option DNS 10.18.24.1,route-gateway 10.18.24.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.18.24.185 255.255.255.0,peer-id 7,cipher AES-256-GCM'
Oct 21 16:04:07 ovpn-client2[9022]: OPTIONS IMPORT: timers and/or timeouts modified
Oct 21 16:04:07 ovpn-client2[9022]: OPTIONS IMPORT: compression parms modified
Oct 21 16:04:07 ovpn-client2[9022]: OPTIONS IMPORT: --ifconfig/up options modified
Oct 21 16:04:07 ovpn-client2[9022]: OPTIONS IMPORT: route options modified
Oct 21 16:04:07 ovpn-client2[9022]: OPTIONS IMPORT: route-related options modified
Oct 21 16:04:07 ovpn-client2[9022]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Oct 21 16:04:07 ovpn-client2[9022]: OPTIONS IMPORT: peer-id set
Oct 21 16:04:07 ovpn-client2[9022]: OPTIONS IMPORT: adjusting link_mtu to 1625
Oct 21 16:04:07 ovpn-client2[9022]: OPTIONS IMPORT: data channel crypto options modified
Oct 21 16:04:07 ovpn-client2[9022]: Data Channel: using negotiated cipher 'AES-256-GCM'
Oct 21 16:04:07 ovpn-client2[9022]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 21 16:04:07 ovpn-client2[9022]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 21 16:04:07 ovpn-client2[9022]: TUN/TAP device tun12 opened
Oct 21 16:04:07 ovpn-client2[9022]: TUN/TAP TX queue length set to 1000
Oct 21 16:04:07 ovpn-client2[9022]: /usr/sbin/ip link set dev tun12 up mtu 1500
Oct 21 16:04:07 ovpn-client2[9022]: /usr/sbin/ip addr add dev tun12 10.18.24.185/24 broadcast 10.18.24.255
Oct 21 16:04:07 ovpn-client2[9022]: updown.sh tun12 1500 1553 10.18.24.185 255.255.255.0 init
Oct 21 16:04:08 rc_service: service 9082:notify_rc updateresolv
Oct 21 16:04:08 dnsmasq[242]: read /etc/hosts - 5 addresses
Oct 21 16:04:08 dnsmasq[242]: using nameserver 10.18.24.1#53
Oct 21 16:04:08 dnsmasq[242]: using nameserver xxxxxxxx#53 for domain Local 
Oct 21 16:04:08 dnsmasq[242]: using nameserver xxxxxxxx#53
Oct 21 16:04:08 dnsmasq[242]: using only locally-known addresses for domain HOME
Oct 21 16:04:14 ovpn-client2[9022]: /usr/sbin/ip route add 104.254.90.250/32 via xxxxxxxxx
Oct 21 16:04:14 ovpn-client2[9022]: /usr/sbin/ip route add 0.0.0.0/1 via 10.18.24.1
Oct 21 16:04:14 ovpn-client2[9022]: /usr/sbin/ip route add 128.0.0.0/1 via 10.18.24.1
Oct 21 16:04:14 ovpn-client2[9022]: Initialization Sequence Completed

When I then tried to find out what actually happened, disconnected and tried to connect - without changing anything at all - it failed again. Even before this weekend, the configuration was all fine. I did not change it, but now connection fails.

I am certainly not an expert with VPNs, usually everything worked right out of the box. Therefore I would be very grateful if you could point me into the right direction of which settings I might have to change. I will make a post at the merlin forum as well.

[OpenSourcerer 1359]

On 10/20/2019 at 5:04 PM, chbni said:

Oct 20 15:49:54 ovpn-client1[3845]: Linux ip addr add failed: external program exited with error status: 2

This indicates an error reported by the kernel. Which also means, it could have surfaced in /var/log/syslog or in the kernel's ring buffer, if applicable. Reproduce a failed connection, then try posting the contents of the following command here:

grep ovpn /var/log/syslog;echo "#################################";dmesg --level=err

If you get permission errors, prepend sudo in front of grep and dmesg.

Please use the LOG format for this. It's in the upper left corner of the editor you write your posts in.

[chbni 2]

Thanks, I tried that. Unfortunately there is not much more.
I turned the verbosity level up (to 6) in the VPN section and to all in the log section of the asus router, so there is much more "noise" but from what I see nothing after the error.
The --level=err was not accepted, so the whole thing got rather long but also shows the configs.
I therefore uploaded the whole thing instead of pasting it, hope you do not mind.

Thank you very much for looking into it.

log.txt

[OpenSourcerer 1359]

Well, these two lines here tell me it's trying to set v6 routes but fails to do so:

Oct 22 16:23:16 ovpn-client2[21440]: /usr/sbin/ip -6 addr add fde6:7a:7d20:1938::1022/64 dev tun12
Oct 22 16:23:16 ovpn-client2[21440]: Linux ip -6 addr add failed: external program exited with error status: 2

You could try disabling IPv6, just to see if it helps. In your original post it failed setting the IPv4 link address, here it succeeds but fails with v6. It's the only common error I see. I don't work with OpenWRT to know its little details of doing things, so maybe someone else can contribute or you come up with other ideas and experiments. Looking forward to hearing more.

[chbni 2]

Thank you! You pushed me into the right direction:
While I was still waiting for the activation code from the merlin board, I searched for openwrt + IPv6 + VPN and found an entry in the board of PerfectPrivacy. I hope you do not mind me linking them here. Also the website is in German but I assume that will not be an issue for you: Issues with Merlin-VPN

For future reference: There are two ways to fix this:

1. A clever user over at the board of PP suggested to add the following lines to the configuration down at the VPN section of the router:

   pull-filter ignore "ifconfig-ipv6"
   pull-filter ignore "route-ipv6"

2. Alternatively go to the IPv6 section of the router and switch it ON to "native".
    

I noticed #1 connecting a tad faster than #2, so I went with that. Also I do not have a clue why switching IPv6 ON to then NOT use it actually works but ...hey... as long as it does the trick?
 

[OpenSourcerer 1359]

Actually, I would've adviced it vice versa: Go with option 2 and accept the full push so that IPv6 is also routed through OpenVPN. All operating systems are preferring this over v4, so there's your tradeoff.
I hope you are not mixing both options, because that will get you a huge IPv6 "leak".

[chbni 2]

Thanks, I changed the settings.
Everything up and running. I still have no idea why all of a sudden VPN connections failed. I had not touched the config at all. But as long as it is working now, I am fine.