ASUS RT-AC68U FW update and PIA OpenVPN client
ASUS just released a new firmware, build nr. 382_18547.
This update is to patch the KRACK vulnerability and some CVEs.
With the previous FW, build 380_7378, I used the ASUS OpenVPN client to connect to PIA.
This worked like a charm.
With the new build I cannot get the VPN tunnel working.
In the router logfile there are entries about a failed authentication, although I use the same credentials and configuration files as with the previous build.
I suspect that ASUS changed something in the OpenVPN code causing this error.
I have reported this issue to ASUS; I don't know if, how and when this will be fixed.
In the meantime I rolled back to firmware 380_7378.
Those using stock ASUS firmware to connect to PIA and considering a firmware upgrade, please be prepared for some problems.
If you manage to get this to work please share your magic!
Comments
auth-nocache to your config, although many router firmwares hardcode persist-tun so this fix doesn't work. I'm not certain if ASUSWRT does, so it might be worth a try. I'm also happy to take a look at your log file if you'd like to send it my way.
I did not keep the logfile from the FW update session.
Rolling back went without hiccup, after rollback I could connect to PIA as usual.
I suspected there might be some data persistent in NVRAM, and I am not aware of an easy way to erase NVRAM. Perhaps there is a way using telnet, but I did not pursue that.
Instead my flashing sequence was: factory reset => power-cycle reboot => flash FW => factory reset => power-cycle reboot.
When I feel brave enough I can go through the procedure again just in the interest of science.
FWIW, on the SNB forum there are some reports of other issues with the 382 branch of the ASUS firmware.
There is one other guy there who reported the same issue I have; he is using another VPN service, so it is not unique to PIA connections.
You have a message with a logfile attached.
I have been able to solve this issue.
It appears that ASUS firmware branch 382 and higher limits the VPN client password length to 16 characters.
My PIA password had 20 characters which was no problem at all in firmware branch 380 but which caused an authorization error in branches 382 and 384.
According to a clarification by RMerlin this is because ASUS is now enforcing content length in nvram as a security measure against buffer overrun attacks.