ER605 V2.0 - OpenVPN Client Issue

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2024-01-28 16:40:28 - last edited 2024-01-29 09:39:39
Tags: #VPN #OpenVPN
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.2.3 Build 20231201 Rel.32918

Hello,


I'm running:

  • Software Controller (version 5.13.23)
  • ER605 V2.0 router (firmware version 2.2.3 Build 20231201 Rel.32918)


Issue

I can't get my router to connect to a VPN server and I can't figure out what's wrong with my config.

Unfortunately, I'm not able to access any logs or receive any feedback regarding this issue. This is the second time in as many days, since setting up the system, that I've encountered challenges with tasks that I expected would be straightforward for a business solution like Omada. The intent was for Omada to simplify network management, but instead, it has been consuming a significant amount of my time, including my weekends. My apologies for the tone of frustration, but this situation has been quite challenging.


Config

Purpose: Client-to-Site VPN
VPN Type: VPN Client - OpenVPN
Mode: Certificate+Account
Local Network Type:  Network
Local Networks: All
WAN: WAN
Configuration:


client
dev tun
proto udp
remote ... 1194
remote-cert-tls server
nobind
mssfix
reneg-sec 432000
resolv-retry infinite
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
tun-mtu 1440
fragment 1400
comp-lzo yes
tls-version-min 1.0
cipher bf-cbc
verb 1
auth-user-pass


The config is of course tested locally without any problems.

I do not have detailed knowledge about the OpenVPN server as I am using a service provider with PORT-VPN.

However, I could reach out to them for any specific information that might be required to resolve this issue.


Thank you for your assistance and looking forward to any advice from the community.

Steve

#1
Re:ER605 V2.0 - OpenVPN Client Issue
2024-01-29 06:10:16

Hi @stevets42 

Thanks for posting in our business forum.

1. Recommend you remove

stevets42 wrote

Hello,


I'm running:

  • Software Controller (version 5.13.23)
  • ER605 V2.0 router (firmware version 2.2.3 Build 20231201 Rel.32918)


Issue

I can't get my router to connect to a VPN server and I can't figure out what's wrong with my config.

Unfortunately, I'm not able to access any logs or receive any feedback regarding this issue. This is the second time in as many days, since setting up the system, that I've encountered challenges with tasks that I expected would be straightforward for a business solution like Omada. The intent was for Omada to simplify network management, but instead, it has been consuming a significant amount of my time, including my weekends. My apologies for the tone of frustration, but this situation has been quite challenging.


Config

Purpose: Client-to-Site VPN
VPN Type: VPN Client - OpenVPN
Mode: Certificate+Account
Local Network Type:  Network
Local Networks: All
WAN: WAN
Configuration:


client
dev tun
proto udp
remote ... 1194
remote-cert-tls server
nobind
mssfix
reneg-sec 432000
resolv-retry infinite
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
tun-mtu 1440
fragment 1400
comp-lzo yes
tls-version-min 1.0
cipher bf-cbc
verb 1
auth-user-pass

Set this string as comp-lzo and save and test. If this does not work, ask your VPN provider what kind of encryption they offer.

For example, encryption AES-CBC might not be supported. See the search result from the related threads on the forum.

Best Regards!
#2
Re:ER605 V2.0 - OpenVPN Client Issue
2024-01-29 07:28:12

@Clive_A Thanks for the quick response.

Testing on my local computer.

Just comp-lzo works.

Tried cipher AES-128-CBC

Mon Jan 29 08:08:09 2024 WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'

Tried no cipher at all and let them figure out the best cipher.

Works locally, but not on the ER605, I guess.

Is there a way to access the logs or run openvpn through ssh directly on the ER605 in controller mode to at least see what the problem is I'm trying to fix here?

I read GCM is not supported.

BF-CBC seems not to work.

Do you know which ciphers are supported?

AES-128-CBC?
AES-256-CBC?
DES-EDE3-CBC?
CAMELLIA-128-CBC?
CAMELLIA-256-CBC?

#3
Re:ER605 V2.0 - OpenVPN Client Issue
2024-01-29 07:32:06

Hi @stevets42 

Thanks for posting in our business forum.

So, if your service provider supports the compatible mode, get a file from the compatible mode.

AFAIK, our built-in OVPN version is not the latest one. Some encryption might not be compatible.

I think AES-CBC and others, if they are very new and the latest generation of encryption, don't work on the old (version of the) OVPN client.

Best Regards!
#4
Re:ER605 V2.0 - OpenVPN Client Issue-Solution
2024-01-29 09:25:15 - last edited 2024-01-29 09:39:39

@Clive_A

Hello,

I wanted to provide an update and extend a partial apology. In hindsight, a debug log would have been immensely helpful in diagnosing the problem.

Although I had tested the configuration locally, I overlooked a crucial detail: the local setup used "tls-auth fipTA.key 1".

What I missed in my initial setup was the key-direction 1 parameter.

After including this, the connection is now visible in Insight.

I want to express my gratitude for the swift support offered.

It has been a learning experience, and I appreciate the assistance. Thank you!

Best regards,

Steve

Recommended Solution
#5
Re:ER605 V2.0 - OpenVPN Client Issue
2024-01-29 09:40:58

Hi @stevets42 

Thanks for posting in our business forum.

Very happy to know that.

Can you share the full config again? That might be helpful for others who run into the same issue in future.

Best Regards!
#6
Re:ER605 V2.0 - OpenVPN Client Issue
2024-01-31 16:24:48

Final config:

 

client
dev tun
proto udp
remote ... 1194
remote-cert-tls server
nobind
mssfix
reneg-sec 432000
resolv-retry infinite
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
tun-mtu 1440
fragment 1400
comp-lzo
tls-version-min 1.0
cipher bf-cbc
verb 1
auth-user-pass


#7
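The mistake found in this thread can be checked before a profile is uploaded to the router: an inline <tls-auth> block has no place for the direction argument that the file form "tls-auth fipTA.key 1" carries, so it needs a separate key-direction line. The following is an added example, not part of the original thread or of any TP-Link or OpenVPN tooling; the function names parse_profile and tls_auth_direction are hypothetical, and the sample profiles are constructed from the configs posted above.

```python
import re

# Constructed sample profiles modelled on the configs posted in this thread
# (key body elided, as in the thread).
BROKEN = """client
dev tun
proto udp
remote-cert-tls server
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
cipher bf-cbc
auth-user-pass
"""
FIXED = BROKEN.replace("<tls-auth>", "key-direction 1\n<tls-auth>", 1)
FILE_FORM = "client\ntls-auth fipTA.key 1\n"


def parse_profile(text):
    """Split an .ovpn profile into (directives, inline_blocks)."""
    directives, inline, tag = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if tag is not None:                       # inside <tag> ... </tag>
            if line == f"</{tag}>":
                tag = None
            else:
                inline[tag].append(line)
            continue
        m = re.fullmatch(r"<([A-Za-z0-9-]+)>", line)
        if m:
            tag = m.group(1)
            inline[tag] = []
        elif line and not line.startswith(("#", ";")):
            directives.append(line.split())
    return directives, inline


def tls_auth_direction(text):
    """Return the tls-auth key direction as a string, 'unset' when a key is
    present without a direction, or None when tls-auth is not used."""
    directives, inline = parse_profile(text)
    opts = {d[0]: d[1:] for d in directives}
    file_args = opts.get("tls-auth", [])
    if "tls-auth" not in inline and not file_args:
        return None
    if opts.get("key-direction"):                 # explicit key-direction line
        return opts["key-direction"][0]
    if len(file_args) >= 2:                       # "tls-auth <file> <direction>"
        return file_args[1]
    return "unset"
```

A result of 'unset' means OpenVPN will use the static key in both directions, which does not match a peer configured with a direction, so the handshake packets fail HMAC verification and the tunnel never comes up.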