User26401

ANSWERED Can't connect to any VPN servers after Chow went down


Hi,

I had connectivity issues this morning then saw Chow was down, so tried connecting to a working GB server (Betelgeuse, 217.138.195.26).

Now it just tries to connect then fails (tried a few other servers too)

Here's the log, ISP is Plusnet and works fine outside VPN

May 30 13:22:55 rc_service: httpd 1934:notify_rc stop_vpnclient1
May 30 13:22:55 ovpn-client1[25169]: event_wait : Interrupted system call (code=4)
May 30 13:22:55 ovpn-client1[25169]: SIGTERM received, sending exit notification to peer
May 30 13:23:00 ovpn-client1[25169]: SIGTERM[soft,exit-with-notification] received, process exiting
May 30 13:23:00 openvpn-routing: Clearing routing table for VPN client 1
May 30 13:23:10 rc_service: httpd 1934:notify_rc start_vpnclient1
May 30 13:23:10 ovpn-client1[28486]: OpenVPN 2.5.5 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Mar  2 2022
May 30 13:23:10 ovpn-client1[28486]: library versions: OpenSSL 1.1.1m  14 Dec 2021, LZO 2.08
May 30 13:23:10 ovpn-client1[28487]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 30 13:23:10 ovpn-client1[28487]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
May 30 13:23:10 ovpn-client1[28487]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
May 30 13:23:10 ovpn-client1[28487]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
May 30 13:23:10 ovpn-client1[28487]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
May 30 13:23:10 ovpn-client1[28487]: TCP/UDP: Preserving recently used remote address: [AF_INET]217.138.195.26:443
May 30 13:23:10 ovpn-client1[28487]: Socket Buffers: R=[524288->524288] S=[524288->524288]
May 30 13:23:10 ovpn-client1[28487]: UDP link local: (not bound)
May 30 13:23:10 ovpn-client1[28487]: UDP link remote: [AF_INET]217.138.195.26:443
May 30 13:24:10 ovpn-client1[28487]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
May 30 13:24:10 ovpn-client1[28487]: TLS Error: TLS handshake failed
May 30 13:24:10 ovpn-client1[28487]: SIGUSR1[soft,tls-error] received, process restarting
May 30 13:24:10 ovpn-client1[28487]: Restart pause, 5 second(s)
May 30 13:24:15 ovpn-client1[28487]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 30 13:24:15 ovpn-client1[28487]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
May 30 13:24:15 ovpn-client1[28487]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
May 30 13:24:15 ovpn-client1[28487]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
May 30 13:24:15 ovpn-client1[28487]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
May 30 13:24:15 ovpn-client1[28487]: TCP/UDP: Preserving recently used remote address: [AF_INET]217.138.195.26:443
May 30 13:24:15 ovpn-client1[28487]: Socket Buffers: R=[524288->524288] S=[524288->524288]
May 30 13:24:15 ovpn-client1[28487]: UDP link local: (not bound)
May 30 13:24:15 ovpn-client1[28487]: UDP link remote: [AF_INET]217.138.195.26:443

I'm not aware of any changed configuration, I have this in custom configuration

resolv-retry infinite
auth-nocache
route-delay 5
explicit-exit-notify 5
remote-cert-tls server
data-ciphers-fallback AES-256-CBC

Router is ASUS AC-86U with Asuswrt-Merlin (updated about 3 months ago)

Cheers!
 


Hello!

You're trying to connect to an entry-IP address 1 (217.138.195.26), which supports TLS Auth. If you're trying the connection through a key for TLS Crypt you would get that error.

TLS Auth and TLS Crypt are different and mutually incompatible OpenVPN ways to negotiate the Control Channel. Hence we use different keys and different IP addresses for each "mode". The Configuration Generator, by default, generates TLS Crypt keys and entry-IP address 3, which supports TLS Crypt. Can you please check?

Note that if you turn on the "Advanced" switch, you will be able to see all the available connection modes on the Configuration Generator.

Kind regards
 


Thanks for the quick response,

I got the 217.138.195.26 IP from doing this:

C:\Windows\System32>nslookup betelgeuse.airservers.org dns1.airvpn.org
arpa    nameserver = m.ns.arpa
arpa    nameserver = f.ns.arpa
arpa    nameserver = b.ns.arpa
arpa    nameserver = c.ns.arpa
arpa    nameserver = a.ns.arpa
arpa    nameserver = i.ns.arpa
arpa    nameserver = e.ns.arpa
arpa    nameserver = l.ns.arpa
arpa    nameserver = g.ns.arpa
arpa    nameserver = d.ns.arpa
arpa    nameserver = k.ns.arpa
arpa    nameserver = h.ns.arpa
m.ns.arpa       internet address = 202.12.27.33
l.ns.arpa       internet address = 199.7.83.42
k.ns.arpa       internet address = 193.0.14.129
i.ns.arpa       internet address = 192.36.148.17
h.ns.arpa       internet address = 198.97.190.53
g.ns.arpa       internet address = 192.112.36.4
f.ns.arpa       internet address = 192.5.5.241
e.ns.arpa       internet address = 192.203.230.10
d.ns.arpa       internet address = 199.7.91.13
c.ns.arpa       internet address = 192.33.4.12
b.ns.arpa       internet address = 170.247.170.2
a.ns.arpa       internet address = 198.41.0.4
m.ns.arpa       AAAA IPv6 address = 2001:dc3::35
l.ns.arpa       AAAA IPv6 address = 2001:500:9f::42
Server:  UnKnown
Address:  54.225.156.17

Name:    betelgeuse.airservers.org
Address:  217.138.195.26

Which I then pasted into the IP in the router (in the past I'm sure I've done this, but when the VPN connects it will have an IP address "near" the one I typed in).

I generated an .ovpn file for betelgeuse thus (redacted)
 
# --------------------------------------------------------
# Air VPN | https://airvpn.org | Thursday 30th of May 2024 02:31:50 PM
# OpenVPN Client Configuration
# AirVPN_GB-London_Betelgeuse_UDP-443-Entry3
# --------------------------------------------------------

client
dev tun
remote 217.138.195.29 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
verb 3
explicit-exit-notify 5
rcvbuf 262144
sndbuf 262144
push-peer-info
setenv UV_IPV6 yes
remote-cert-tls server
comp-lzo no
data-ciphers AES-256-GCM:AES-256-CBC:AES-192-GCM:AES-192-CBC:AES-128-GCM:AES-128-CBC
data-ciphers-fallback AES-256-CBC
proto udp
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----
foo
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
foo
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
foo
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
bar
-----END OpenVPN Static key V1-----
</tls-crypt>

But when I try to connect, router goes "Applying 10.. 20.." etc. then just shows error:
 

May 30 15:42:33 rc_service: httpd 1934:notify_rc start_vpnclient1
May 30 15:42:33 ovpn-client1[17020]: OpenVPN 2.5.5 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Mar  2 2022
May 30 15:42:33 ovpn-client1[17020]: library versions: OpenSSL 1.1.1m  14 Dec 2021, LZO 2.08
May 30 15:42:33 ovpn-client1[17021]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 30 15:42:33 ovpn-client1[17021]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
May 30 15:42:33 ovpn-client1[17021]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
May 30 15:42:33 ovpn-client1[17021]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
May 30 15:42:33 ovpn-client1[17021]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
May 30 15:42:33 ovpn-client1[17021]: TCP/UDP: Preserving recently used remote address: [AF_INET]217.138.195.29:443
May 30 15:42:33 ovpn-client1[17021]: Socket Buffers: R=[524288->524288] S=[524288->524288]
May 30 15:42:33 ovpn-client1[17021]: UDP link local: (not bound)
May 30 15:42:33 ovpn-client1[17021]: UDP link remote: [AF_INET]217.138.195.29:443
May 30 15:42:33 ovpn-client1[17021]: TLS: Initial packet from [AF_INET]217.138.195.29:443, sid=c6a53759 d89e34df
May 30 15:42:33 ovpn-client1[17021]: VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
May 30 15:42:33 ovpn-client1[17021]: VERIFY KU OK
May 30 15:42:33 ovpn-client1[17021]: Validating certificate extended key usage
May 30 15:42:33 ovpn-client1[17021]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
May 30 15:42:33 ovpn-client1[17021]: VERIFY EKU OK
May 30 15:42:33 ovpn-client1[17021]: VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=Betelgeuse, emailAddress=info@airvpn.org
May 30 15:42:34 ovpn-client1[17021]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 4096 bit RSA, signature: RSA-SHA512
May 30 15:42:34 ovpn-client1[17021]: [Betelgeuse] Peer Connection Initiated with [AF_INET]217.138.195.29:443
May 30 15:42:34 ovpn-client1[17021]: PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway ipv6 def1 bypass-dhcp,dhcp-option DNS 10.11.214.1,dhcp-option DNS6 fde6:7a:7d20:7d6::1,tun-ipv6,route-gateway 10.11.214.1,topology subnet,ping 10,ping-restart 60,ifconfig-ipv6 fde6:7a:7d20:7d6::1026/64 fde6:7a:7d20:7d6::1,ifconfig 10.11.214.40 255.255.255.0,peer-id 3,cipher AES-256-GCM'
May 30 15:42:34 ovpn-client1[17021]: OPTIONS IMPORT: timers and/or timeouts modified
May 30 15:42:34 ovpn-client1[17021]: OPTIONS IMPORT: compression parms modified
May 30 15:42:34 ovpn-client1[17021]: OPTIONS IMPORT: --ifconfig/up options modified
May 30 15:42:34 ovpn-client1[17021]: OPTIONS IMPORT: route options modified
May 30 15:42:34 ovpn-client1[17021]: OPTIONS IMPORT: route-related options modified
May 30 15:42:34 ovpn-client1[17021]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
May 30 15:42:34 ovpn-client1[17021]: OPTIONS IMPORT: peer-id set
May 30 15:42:34 ovpn-client1[17021]: OPTIONS IMPORT: adjusting link_mtu to 1625
May 30 15:42:34 ovpn-client1[17021]: OPTIONS IMPORT: data channel crypto options modified
May 30 15:42:34 ovpn-client1[17021]: Data Channel: using negotiated cipher 'AES-256-GCM'
May 30 15:42:34 ovpn-client1[17021]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
May 30 15:42:34 ovpn-client1[17021]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
May 30 15:42:34 ovpn-client1[17021]: GDG6: remote_host_ipv6=n/a
May 30 15:42:34 ovpn-client1[17021]: net_route_v6_best_gw query: dst ::
May 30 15:42:34 ovpn-client1[17021]: net_route_v6_best_gw result: via :: dev lo
May 30 15:42:34 ovpn-client1[17021]: TUN/TAP device tun11 opened
May 30 15:42:34 ovpn-client1[17021]: TUN/TAP TX queue length set to 1000
May 30 15:42:34 ovpn-client1[17021]: /usr/sbin/ip link set dev tun11 up mtu 1500
May 30 15:42:34 ovpn-client1[17021]: /usr/sbin/ip link set dev tun11 up
May 30 15:42:34 ovpn-client1[17021]: /usr/sbin/ip addr add dev tun11 10.11.214.40/24
May 30 15:42:34 ovpn-client1[17021]: Linux ip addr add failed: external program exited with error status: 2
May 30 15:42:34 ovpn-client1[17021]: Exiting due to fatal error




Any ideas? :)
 

2 minutes ago, User26401 said:

Any ideas? :)


Hello!

Yes, our suspicion was correct: as you can see, the IP address in the file generated by the CG is different from the one you used previously. Server domain names resolve only into entry-IP address 1; we do not have domain names for other entry-IP addresses. You can query the API or use the CG to see all the entry-IP addresses of the servers. Now the TLS key mismatch problem is solved.

The new problem:
May 30 15:42:34 ovpn-client1[17021]: /usr/sbin/ip addr add dev tun11 10.11.214.40/24
May 30 15:42:34 ovpn-client1[17021]: Linux ip addr add failed: external program exited with error status: 2
Something goes wrong when the tun11 virtual network interface is configured. According to the current man, the syntax does not seem correct:
ip addr { add | del } IFADDR dev STRING 
but we see it's an old usage which should be just fine. If the problem persists, try to upgrade the firmware if a new version is available. If you have WireGuard available in your firmware you can also test it and check what happens.

Kind regards
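
A log triage check for the two failures diagnosed in this thread, as an added example that is not part of the original posts or of AirVPN's tooling. The address-to-mode table uses only the two Betelgeuse addresses and modes stated above; the function names and the shortened log excerpts are constructed for illustration.

```python
import re

# Entry addresses and their control-channel mode, as stated in this thread
# for Betelgeuse (entry-IP 1 = TLS Auth, entry-IP 3 = TLS Crypt).
ENTRY_MODE = {"217.138.195.26": "tls-auth", "217.138.195.29": "tls-crypt"}

def client_mode(log):
    """Infer the client's control-channel mode from OpenVPN 2.5 log lines."""
    if "Control Channel Encryption:" in log:
        return "tls-crypt"   # tls-crypt encrypts and authenticates the channel
    if "Control Channel Authentication:" in log:
        return "tls-auth"    # tls-auth only adds an HMAC
    return None              # not logged at this version or verbosity

def triage(log):
    """Return a list of findings for one connection attempt."""
    findings = []
    remotes = re.findall(r"link remote: \[AF_INET\]([\d.]+):\d+", log)
    remote = remotes[-1] if remotes else None
    mode, expected = client_mode(log), ENTRY_MODE.get(remote)
    if mode and expected and mode != expected:
        findings.append(f"mode-mismatch: client uses {mode}, {remote} expects {expected}")
    if "TLS key negotiation failed" in log and "TLS: Initial packet from" not in log:
        findings.append("no-server-reply: handshake timed out without any packet from the server")
    if "ip addr add failed" in log:
        findings.append("tun-config-failed: tunnel negotiated, interface address not applied")
    if "Initialization Sequence Completed" in log:
        findings.append("connected")
    return findings

# Constructed samples: shortened excerpts of the first and second logs above.
FIRST = """\
ovpn-client1[28487]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
ovpn-client1[28487]: UDP link remote: [AF_INET]217.138.195.26:443
ovpn-client1[28487]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""
SECOND = """\
ovpn-client1[17021]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
ovpn-client1[17021]: UDP link remote: [AF_INET]217.138.195.29:443
ovpn-client1[17021]: TLS: Initial packet from [AF_INET]217.138.195.29:443, sid=c6a53759 d89e34df
ovpn-client1[17021]: Linux ip addr add failed: external program exited with error status: 2
"""

if __name__ == "__main__":
    for name, log in (("first attempt", FIRST), ("second attempt", SECOND)):
        print(name, triage(log))
```
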
 


OK, got it working again. I think it was to do with the OpenVPN version: I had v2.55, worked, something went wrong, updated .ovpn file but that defaulted to v2.6, failed, upgraded router firmware, re-applied a new .ovpn file.

If it helps anyone else:

In the config generator:

set IP layer exit and enter to IPv4 only
set OpenVPN profile to 2.5

Custom Config (set by ovpn file not me) says:

resolv-retry infinite
auth-nocache
explicit-exit-notify 5
remote-cert-tls server
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-256-CBC:AES-192-GCM:AES-192-CBC:AES-128-GCM:AES-128-CBC
data-ciphers-fallback AES-256-CBC

Log is now:

 

May 30 18:35:35 rc_service: httpd 1060:notify_rc restart_vpnclient1
May 30 18:35:35 openvpn-routing: Clearing routing table for VPN client 1
May 30 18:35:35 lldpd[1145]: removal request for address of 10.11.214.40%21, but no knowledge of it
May 30 18:35:35 ovpn-client1[14222]: OpenVPN 2.6.10 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
May 30 18:35:35 ovpn-client1[14222]: library versions: OpenSSL 1.1.1w  11 Sep 2023, LZO 2.08
May 30 18:35:35 ovpn-client1[14223]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 30 18:35:35 ovpn-client1[14223]: TCP/UDP: Preserving recently used remote address: [AF_INET]217.138.195.29:443
May 30 18:35:35 ovpn-client1[14223]: Socket Buffers: R=[524288->524288] S=[524288->524288]
May 30 18:35:35 ovpn-client1[14223]: UDPv4 link local: (not bound)
May 30 18:35:35 ovpn-client1[14223]: UDPv4 link remote: [AF_INET]217.138.195.29:443
May 30 18:35:35 ovpn-client1[14223]: TLS: Initial packet from [AF_INET]217.138.195.29:443, sid=750e050b fb8431b9
May 30 18:35:35 ovpn-client1[14223]: VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
May 30 18:35:35 ovpn-client1[14223]: VERIFY KU OK
May 30 18:35:35 ovpn-client1[14223]: Validating certificate extended key usage
May 30 18:35:35 ovpn-client1[14223]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
May 30 18:35:35 ovpn-client1[14223]: VERIFY EKU OK
May 30 18:35:35 ovpn-client1[14223]: VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=Betelgeuse, emailAddress=info@airvpn.org
May 30 18:35:35 ovpn-client1[14223]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 4096 bits RSA, signature: RSA-SHA512, peer temporary key: 253 bits X25519
May 30 18:35:35 ovpn-client1[14223]: [Betelgeuse] Peer Connection Initiated with [AF_INET]217.138.195.29:443
May 30 18:35:35 ovpn-client1[14223]: TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
May 30 18:35:35 ovpn-client1[14223]: TLS: tls_multi_process: initial untrusted session promoted to trusted
May 30 18:35:36 ovpn-client1[14223]: SENT CONTROL [Betelgeuse]: 'PUSH_REQUEST' (status=1)
May 30 18:35:36 ovpn-client1[14223]: PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway  def1 bypass-dhcp,dhcp-option DNS 10.11.214.1,route-gateway 10.11.214.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.11.214.40 255.255.255.0,peer-id 3,cipher CHACHA20-POLY1305'
May 30 18:35:36 ovpn-client1[14223]: OPTIONS IMPORT: --ifconfig/up options modified
May 30 18:35:36 ovpn-client1[14223]: OPTIONS IMPORT: route options modified
May 30 18:35:36 ovpn-client1[14223]: OPTIONS IMPORT: route-related options modified
May 30 18:35:36 ovpn-client1[14223]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
May 30 18:35:36 ovpn-client1[14223]: TUN/TAP device tun11 opened
May 30 18:35:36 ovpn-client1[14223]: TUN/TAP TX queue length set to 1000
May 30 18:35:36 ovpn-client1[14223]: /usr/sbin/ip link set dev tun11 up mtu 1500
May 30 18:35:36 ovpn-client1[14223]: /usr/sbin/ip link set dev tun11 up
May 30 18:35:36 ovpn-client1[14223]: /usr/sbin/ip addr add dev tun11 10.11.214.40/24
May 30 18:35:36 ovpn-client1[14223]: ovpn-up 1 client tun11 1500 0 10.11.214.40 255.255.255.0 init
May 30 18:35:36 openvpn-routing: Setting client 1 routing table's default route through the tunnel
May 30 18:35:36 openvpn-routing: Routing foo from bar to any through main
May 30 18:35:36 openvpn-routing: Routing foo from bar to any through main
May 30 18:35:36 openvpn-routing: Routing  from bar to any through ovpnc1
May 30 18:35:36 openvpn-routing: Routing All Devices from 192.168.1.0/24 to any through ovpnc1
May 30 18:35:36 dnsmasq[1633]: read /etc/hosts - 22 names
May 30 18:35:36 dnsmasq[1633]: using nameserver 10.11.214.1#53
May 30 18:35:36 dnsmasq[1633]: using nameserver 212.159.6.9#53
May 30 18:35:36 dnsmasq[1633]: using nameserver 212.159.13.49#53
May 30 18:35:36 dnsmasq[1633]: using nameserver 10.11.214.1#53
May 30 18:35:36 dnsmasq[1633]: using nameserver 212.159.6.9#53
May 30 18:35:36 dnsmasq[1633]: using nameserver 212.159.13.49#53
May 30 18:35:36 ovpn-client1[14223]: Data Channel: cipher 'CHACHA20-POLY1305', peer-id: 3, compression: 'stub'
May 30 18:35:36 ovpn-client1[14223]: Timers: ping 10, ping-restart 60
May 30 18:35:36 ovpn-client1[14223]: Protocol options: explicit-exit-notify 5
May 30 18:35:38 ovpn-client1[14223]: Initialization Sequence Completed
May 30 18:39:10 kernel: nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.
