Hello,

until yesterday my OpenVPN connection via AirVPN was working without any problems. I am connecting through my router.
Current router firmware: FreshTomato 2022.3, but I also tried with 2024.1
I tried the "config generator" generating a new ovpn file and entered all the keys into the respective fields but I still cannot connect. I tried connecting with Eddie and it worked. 
Enclosed you will find my OpenVPN client settings in FreshTomato.
What am I doing wrong?

Share this post


Link to post

hi,
I read the post you mentioned, but unfortunately I don't get a connection.
This is what I have done so far:

  • generated a new .ovpn file
  • replaced all four keys/certificates from new .ovpn file

This is my log file:

Apr  9 19:31:52 unknown daemon.notice openvpn-client1[14087]: SIGTERM[hard,init_instance] received, process exiting
Apr  9 19:38:54 unknown daemon.warn openvpn-client1[31103]: --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Apr  9 19:38:54 unknown daemon.notice openvpn-client1[31103]: OpenVPN 2.5.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Apr  9 19:38:54 unknown daemon.notice openvpn-client1[31103]: library versions: OpenSSL 1.1.1o  3 May 2022, LZO 2.10
Apr  9 19:38:54 unknown daemon.warn openvpn-client1[31104]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr  9 19:38:54 unknown daemon.notice openvpn-client1[31104]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr  9 19:38:54 unknown daemon.notice openvpn-client1[31104]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr  9 19:38:54 unknown daemon.notice openvpn-client1[31104]: TCP/UDP: Preserving recently used remote address: [AF_INET]195.206.105.229:443
Apr  9 19:38:54 unknown daemon.notice openvpn-client1[31104]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Apr  9 19:38:54 unknown daemon.notice openvpn-client1[31104]: UDP link local: (not bound)
Apr  9 19:38:54 unknown daemon.notice openvpn-client1[31104]: UDP link remote: [AF_INET]195.206.105.229:443
Apr  9 19:39:55 unknown daemon.notice openvpn-client1[31104]: [UNDEF] Inactivity timeout (--ping-restart), restarting
Apr  9 19:39:55 unknown daemon.notice openvpn-client1[31104]: SIGUSR1[soft,ping-restart] received, process restarting
Apr  9 19:39:55 unknown daemon.notice openvpn-client1[31104]: Restart pause, 5 second(s)
Apr  9 19:40:00 unknown daemon.warn openvpn-client1[31104]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr  9 19:40:00 unknown daemon.notice openvpn-client1[31104]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr  9 19:40:00 unknown daemon.notice openvpn-client1[31104]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr  9 19:40:00 unknown daemon.notice openvpn-client1[31104]: TCP/UDP: Preserving recently used remote address: [AF_INET]195.206.105.229:443
Apr  9 19:40:00 unknown daemon.notice openvpn-client1[31104]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Apr  9 19:40:00 unknown daemon.notice openvpn-client1[31104]: UDP link local: (not bound)
Apr  9 19:40:00 unknown daemon.notice openvpn-client1[31104]: UDP link remote: [AF_INET]195.206.105.229:443
Apr  9 19:41:01 unknown daemon.notice openvpn-client1[31104]: [UNDEF] Inactivity timeout (--ping-restart), restarting
Apr  9 19:41:01 unknown daemon.notice openvpn-client1[31104]: SIGUSR1[soft,ping-restart] received, process restarting
Apr  9 19:41:01 unknown daemon.notice openvpn-client1[31104]: Restart pause, 5 second(s)
Apr  9 19:41:06 unknown daemon.warn openvpn-client1[31104]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr  9 19:41:06 unknown daemon.notice openvpn-client1[31104]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr  9 19:41:06 unknown daemon.notice openvpn-client1[31104]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr  9 19:41:06 unknown daemon.notice openvpn-client1[31104]: TCP/UDP: Preserving recently used remote address: [AF_INET]195.206.105.229:443
Apr  9 19:41:06 unknown daemon.notice openvpn-client1[31104]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Apr  9 19:41:06 unknown daemon.notice openvpn-client1[31104]: UDP link local: (not bound)
Apr  9 19:41:06 unknown daemon.notice openvpn-client1[31104]: UDP link remote: [AF_INET]195.206.105.229:443

Share this post


Link to post
@sdjh4dfgez7

Hello!

We see at least one critical error at the moment, "Compression" combo box must be set to "Adaptive", otherwise your "comp-lzo no" directive (which is correct and must not be deleted) will cause a fatal conflict with the "Disabled" setting. Let us know what happens when "Compression" is set to "Adaptive". Note: if "Adaptive" is not available, set it to "Enabled" (then comp-lzo no will disable it during the negotiation).

Also, please check "Verify certificate" and change data-ciphers to AES-256-GCM or CHACHA20-POLY1305.

Kind regards
 

Share this post


Link to post

Hello,
thanks. Now it works again.

But the How-to post "Using AirVPN with Tomato" does not work anymore with the settings shown there. Can you please update it?
Thanks and br

Share this post


Link to post

Hi, I have been using AirVPN on FreshTomato for many years. Maybe 2-3 days ago, I started having a problem too. I tried fiddling with config to see if it would go but not sure if I messed anything up by doing so. Any ideas? Here is my log

Apr 10 01:19:00	daemon	warn	openvpn-client1[14946]	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 10 01:19:00	daemon	notice	openvpn-client1[14946]	TCP/UDP: Preserving recently used remote address: [AF_INET]198.54.134.254:443
Apr 10 01:19:00	daemon	notice	openvpn-client1[14946]	Socket Buffers: R=[122880->245760] S=[122880->245760]
Apr 10 01:19:00	daemon	notice	openvpn-client1[14946]	UDPv4 link local: (not bound)
Apr 10 01:19:00	daemon	notice	openvpn-client1[14946]	UDPv4 link remote: [AF_INET]198.54.134.254:443
Apr 10 01:20:00	daemon	notice	openvpn-client1[14946]	[UNDEF] Inactivity timeout (--ping-restart), restarting
Apr 10 01:20:00	daemon	notice	openvpn-client1[14946]	SIGUSR1[soft,ping-restart] received, process restarting
Apr 10 01:20:00	daemon	notice	openvpn-client1[14946]	Restart pause, 32 second(s)
Apr 10 01:20:32	daemon	warn	openvpn-client1[14946]	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 10 01:20:32	daemon	notice	openvpn-client1[14946]	TCP/UDP: Preserving recently used remote address: [AF_INET]198.54.134.254:443
Apr 10 01:20:32	daemon	notice	openvpn-client1[14946]	Socket Buffers: R=[122880->245760] S=[122880->245760]
Apr 10 01:20:32	daemon	notice	openvpn-client1[14946]	UDPv4 link local: (not bound)
Apr 10 01:20:32	daemon	notice	openvpn-client1[14946]	UDPv4 link remote: [AF_INET]198.54.134.254:443

Share this post


Link to post
4 hours ago, sdjh4dfgez7 said:

Hello,
thanks. Now it works again.

But the How-to post "Using AirVPN with Tomato" does not work anymore with the settings shown there. Can you please update it?
Thanks and br

Would you mind sharing your config? It seems we have the same or similar problem. Also useful for the How-to post.

Share this post


Link to post
26 minutes ago, eltznth said:
4 hours ago, sdjh4dfgez7 said:

Hello,
thanks. Now it works again.

But the How-to post "Using AirVPN with Tomato" does not work anymore with the settings shown there. Can you please update it?
Thanks and br

Would you mind sharing your config? It seems we have the same or similar problem. Also useful for the How-to post.

You can see it in the initial post. The corrections required are listed in our reply (the message set as "best answer" by the OP). If you still experience problems please post your configuration, similarly to what OP did.

Kind regards
 

Share this post


Link to post
3 hours ago, Staff said:

You can see it in the initial post. The corrections required are listed in our reply (the message set as "best answer" by the OP). If you still experience problems please post your configuration, similarly to what OP did.

Kind regards
 

Share this post


Link to post

Hello!

We're not 100% sure, but the "Compression" combo box set to "LZO" could create a problem with "comp-lzo no" directive. Which options do you have available in the "Compression" combo box? If available, please try with "Adaptive" and do not touch "comp-lzo no".
Also check "Verify server certificate".

198.54.134.254 is an entry-IP address #3 where OpenVPN accepts TLS Crypt only. Please double-check that you have (in the proper static key field) pasted the TLS Crypt key (tls-crypt.key). Last but not least, which options do you have in "TLS Control channel security" combo box?

Kind regards


Share this post


Link to post

I am not sure, maybe the TLS Crypt thing for the entry IP is the reason for the troubles. I was connecting to a different server before and it stopped working so I was trying different servers. But it would be great to get TLS Crypt working and then I can use any server. The static key is from the <tls-crypt> part of the config file.


Share this post


Link to post
@eltznth

Hello!

Yes, TLS Crypt seems fully supported.
  • Set the "TLS Control Channel security" combo box to "Encrypt channel"
  • Set the "Compression" combo box to "LZO Adaptive"
  • Check "Verify certificate"
  • Do not enable server certificate verification by name, leave the "Verify server certificate" combo box to "No".
Kind regards
 

Share this post


Link to post

Strangely, this morning, I found the VPN service stopped. After attempting to start the service, it stops shortly afterwards with the following in the log:

Apr 18 08:20:33	daemon	warn	openvpn-client1[26958]	WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Apr 18 08:20:33	daemon	notice	openvpn-client1[26958]	OpenVPN 2.6.1 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Apr 18 08:20:33	daemon	notice	openvpn-client1[26958]	library versions: OpenSSL 1.1.1t 7 Feb 2023, LZO 2.10
Apr 18 08:20:33	daemon	warn	openvpn-client1[26959]	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 18 08:20:33	daemon	notice	openvpn-client1[26959]	TCP/UDP: Preserving recently used remote address: [AF_INET]198.54.134.254:443
Apr 18 08:20:33	daemon	notice	openvpn-client1[26959]	Socket Buffers: R=[122880->245760] S=[122880->245760]
Apr 18 08:20:33	daemon	notice	openvpn-client1[26959]	UDPv4 link local: (not bound)
Apr 18 08:20:33	daemon	notice	openvpn-client1[26959]	UDPv4 link remote: [AF_INET]198.54.134.254:443
Apr 18 08:20:33	daemon	notice	openvpn-client1[26959]	TLS: Initial packet from [AF_INET]198.54.134.254:443, sid=cfd1ca2d c3bb9100
Apr 18 08:20:33	daemon	notice	openvpn-client1[26959]	VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Apr 18 08:20:33	daemon	notice	openvpn-client1[26959]	VERIFY KU OK
Apr 18 08:20:33	daemon	notice	openvpn-client1[26959]	Validating certificate extended key usage
Apr 18 08:20:33	daemon	notice	openvpn-client1[26959]	++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Apr 18 08:20:33	daemon	notice	openvpn-client1[26959]	VERIFY EKU OK
Apr 18 08:20:33	daemon	notice	openvpn-client1[26959]	VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=Bunda, emailAddress=info@airvpn.org
Apr 18 08:20:34	daemon	notice	openvpn-client1[26959]	Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 4096 bit RSA, signature: RSA-SHA512
Apr 18 08:20:34	daemon	notice	openvpn-client1[26959]	[Bunda] Peer Connection Initiated with [AF_INET]198.54.134.254:443
Apr 18 08:20:34	daemon	notice	openvpn-client1[26959]	TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Apr 18 08:20:34	daemon	notice	openvpn-client1[26959]	TLS: tls_multi_process: initial untrusted session promoted to trusted
Apr 18 08:20:35	daemon	notice	openvpn-client1[26959]	SENT CONTROL [Bunda]: 'PUSH_REQUEST' (status=1)
Apr 18 08:20:35	daemon	notice	openvpn-client1[26959]	AUTH: Received control message: AUTH_FAILED
Apr 18 08:20:35	daemon	notice	openvpn-client1[26959]	SIGTERM[soft,auth-failure] received, process exiting
I tried rebooting before posting this.

Update: My client area had this to say about the server I was trying to connect to: Device xyz last attempt failed: Server 'Bunda' is temporarily closed. Reason: High packet loss (2024-04-18 08:40:03)
Changed to a different server and things seem good again!

Edited ... by outer ordeals

Share this post


Link to post
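
The logs in this thread show two different failures: attempts that end in "[UNDEF] Inactivity timeout (--ping-restart)" without any "TLS: Initial packet" (the server never answered, which is where the control channel key type and compression settings matter), and an attempt that completes TLS and is then refused with AUTH_FAILED. The following triage script is an added example, not part of any post above; the verdict labels and the sample lines (documentation IP addresses) are constructed for illustration.

```python
import re

# Constructed sample in the two log layouts seen in this thread
# (syslog file and tab-separated web log view); IPs are documentation addresses.
SAMPLE = (
    "Apr  9 19:38:54 unknown daemon.notice openvpn-client1[31104]: Outgoing Control "
    "Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication\n"
    "Apr  9 19:38:54 unknown daemon.notice openvpn-client1[31104]: UDP link remote: [AF_INET]192.0.2.10:443\n"
    "Apr  9 19:39:55 unknown daemon.notice openvpn-client1[31104]: [UNDEF] Inactivity timeout (--ping-restart), restarting\n"
    "Apr 18 08:20:33\tdaemon\tnotice\topenvpn-client1[26959]\tUDPv4 link remote: [AF_INET]192.0.2.20:443\n"
    "Apr 18 08:20:33\tdaemon\tnotice\topenvpn-client1[26959]\tTLS: Initial packet from [AF_INET]192.0.2.20:443, sid=00000000 00000000\n"
    "Apr 18 08:20:35\tdaemon\tnotice\topenvpn-client1[26959]\tAUTH: Received control message: AUTH_FAILED\n"
)

MSG = re.compile(r"openvpn-client\d+\[\d+\]:?\s+(.*)")   # message part, either layout
REMOTE = re.compile(r"link remote: \[AF_INET6?\](\S+)")  # start of one attempt

def triage(log_text):
    """Return one dict per connection attempt: remote, control mode, verdict."""
    attempts, mode = [], "unknown"
    for line in log_text.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        msg = m.group(1)
        cur = attempts[-1] if attempts else None
        if "Control Channel Authentication" in msg:
            mode = "tls-auth"        # HMAC-signed control packets (TLS Auth key)
        elif "Control Channel Encryption" in msg:
            mode = "tls-crypt"       # encrypted control packets (TLS Crypt key)
        elif (r := REMOTE.search(msg)):
            attempts.append({"remote": r.group(1), "mode": mode,
                             "replied": False, "verdict": "incomplete"})
            mode = "unknown"         # mode lines are logged again on each restart
        elif cur is None:
            continue
        elif "TLS: Initial packet from" in msg:
            cur["replied"] = True    # server accepted our first control packet
        elif "AUTH_FAILED" in msg:
            cur["verdict"] = "rejected-after-tls"
        elif "Inactivity timeout (--ping-restart)" in msg and not cur["replied"]:
            cur["verdict"] = "no-server-reply"
    return attempts

if __name__ == "__main__":
    for a in triage(SAMPLE):
        print(a["remote"], a["mode"], a["verdict"])
```

A "no-server-reply" verdict points at client settings such as the ones Staff lists (key type for the chosen entry IP, compression, ciphers), while "rejected-after-tls" means the keys and certificates were accepted and the refusal came from the server side, as in the last post.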
