XWRT on R7000 authentication failure
I have been using PIA happily on a client computer. I decided to switch routers to an R7000 and loaded XWRT. Works fine. I then tried to set up PIA as a VPN client, following Tom W.'s instructions "Setting up a router running Merlin firmware" and making sure everything was entered correctly (and I have checked it several times). When I try to use the VPN client, it goes green for a bit, then comes back saying "Authentication failure". A search on PIA for authentication failure just said to check account/password, but they are fine.
Can anyone suggest an answer? THANKS!
The log looks like this:
Feb 10 16:54:01 rc_service: httpd 483:notify_rc restart_vpnclient1
Feb 10 16:54:03 dnsmasq[5093]: read /etc/hosts - 5 addresses
Feb 10 16:54:03 dnsmasq[5093]: read /etc/hosts.dnsmasq - 1 addresses
Feb 10 16:54:03 dnsmasq-dhcp[5093]: read /etc/ethers - 1 addresses
Feb 10 16:54:03 dnsmasq[5093]: using nameserver 206.248.154.22#53
Feb 10 16:54:03 dnsmasq[5093]: using nameserver 206.248.154.170#53
Feb 10 16:54:04 openvpn[5880]: OpenVPN 2.4.3 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jan 31 2018
Feb 10 16:54:04 openvpn[5880]: library versions: OpenSSL 1.0.2n 7 Dec 2017, LZO 2.08
Feb 10 16:54:04 openvpn[5881]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Feb 10 16:54:04 openvpn[5881]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 10 16:54:04 openvpn[5881]: TCP/UDP: Preserving recently used remote address: [AF_INET]172.98.67.59:1198
Feb 10 16:54:04 openvpn[5881]: UDP link local: (not bound)
Feb 10 16:54:04 openvpn[5881]: UDP link remote: [AF_INET]172.98.67.59:1198
Feb 10 16:54:04 openvpn[5881]: [68a030da2d6504d0f8ecfa90e2d37ef9] Peer Connection Initiated with [AF_INET]172.98.67.59:1198
Feb 10 16:54:05 openvpn[5881]: auth-token received, disabling auth-nocache for the authentication token
Feb 10 16:54:05 openvpn[5881]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Feb 10 16:54:05 openvpn[5881]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Feb 10 16:54:05 openvpn[5881]: WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Feb 10 16:54:05 openvpn[5881]: TUN/TAP device tun11 opened
Feb 10 16:54:05 openvpn[5881]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Feb 10 16:54:05 openvpn[5881]: /usr/sbin/ip link set dev tun11 up mtu 1500
Feb 10 16:54:06 openvpn[5881]: /usr/sbin/ip addr add dev tun11 local 10.3.10.6 peer 10.3.10.5
Feb 10 16:54:06 openvpn[5881]: updown.sh tun11 1500 1542 10.3.10.6 10.3.10.5 init
Feb 10 16:54:06 rc_service: service 5947:notify_rc updateresolv
Feb 10 16:54:06 dnsmasq[5093]: exiting on receipt of SIGTERM
Feb 10 16:54:06 dnsmasq[5953]: started, version 2.78 cachesize 1500
Feb 10 16:54:06 dnsmasq[5953]: asynchronous logging enabled, queue limit is 5 messages
Feb 10 16:54:06 dnsmasq-dhcp[5953]: DHCP, IP range 192.168.2.100 -- 192.168.2.199, lease time 1d
Feb 10 16:54:06 dnsmasq[5953]: read /etc/hosts - 5 addresses
Feb 10 16:54:06 dnsmasq[5953]: read /etc/hosts.dnsmasq - 1 addresses
Feb 10 16:54:06 dnsmasq-dhcp[5953]: read /etc/ethers - 1 addresses
Feb 10 16:54:06 dnsmasq[5953]: using nameserver 209.222.18.222#53
Feb 10 16:54:06 dnsmasq[5953]: using nameserver 209.222.18.218#53
Feb 10 16:54:06 dnsmasq[5953]: using nameserver 206.248.154.22#53
Feb 10 16:54:06 dnsmasq[5953]: using nameserver 206.248.154.170#53
Feb 10 16:54:08 openvpn[5881]: Initialization Sequence Completed
Feb 10 16:54:16 openvpn[5881]: Authenticate/Decrypt packet error: cipher final failed
Feb 10 16:54:25 openvpn[5881]: Authenticate/Decrypt packet error: cipher final failed
Feb 10 16:54:36 openvpn[5881]: Authenticate/Decrypt packet error: cipher final failed
Feb 10 16:54:46 openvpn[5881]: Authenticate/Decrypt packet error: cipher final failed
Feb 10 16:54:56 openvpn[5881]: Authenticate/Decrypt packet error: cipher final failed
Feb 10 16:55:06 openvpn[5881]: Authenticate/Decrypt packet error: cipher final failed
Feb 10 16:55:16 openvpn[5881]: Authenticate/Decrypt packet error: cipher final failed
Feb 10 16:55:26 openvpn[5881]: Authenticate/Decrypt packet error: cipher final failed
Feb 10 16:55:36 openvpn[5881]: Authenticate/Decrypt packet error: cipher final failed
Feb 10 16:55:46 openvpn[5881]: Authenticate/Decrypt packet error: cipher final failed
Feb 10 16:55:56 openvpn[5881]: Authenticate/Decrypt packet error: cipher final failed
Feb 10 16:56:03 openvpn[5881]: Authenticate/Decrypt packet error: cipher final failed
Feb 10 16:56:05 openvpn[5881]: [68a030da2d6504d0f8ecfa90e2d37ef9] Inactivity timeout (--ping-restart), restarting
Feb 10 16:56:05 openvpn[5881]: SIGUSR1[soft,ping-restart] received, process restarting
Feb 10 16:56:10 openvpn[5881]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Feb 10 16:56:10 openvpn[5881]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 10 16:56:10 openvpn[5881]: TCP/UDP: Preserving recently used remote address: [AF_INET]172.98.67.59:1198
Feb 10 16:56:10 openvpn[5881]: UDP link local: (not bound)
Feb 10 16:56:10 openvpn[5881]: UDP link remote: [AF_INET]172.98.67.59:1198
Feb 10 16:56:10 openvpn[5881]: [68a030da2d6504d0f8ecfa90e2d37ef9] Peer Connection Initiated with [AF_INET]172.98.67.59:1198
Feb 10 16:56:16 openvpn[5881]: AUTH: Received control message: AUTH_FAILED
Feb 10 16:56:16 openvpn[5881]: vpnrouting.sh tun11 1500 1622 10.3.10.6 10.3.10.5 init
Feb 10 16:56:16 openvpn-routing: Configuring policy rules for client 1
Feb 10 16:56:16 openvpn[5881]: /usr/sbin/ip addr del dev tun11 local 10.3.10.6 peer 10.3.10.5
Feb 10 16:56:16 openvpn[5881]: updown.sh tun11 1500 1622 10.3.10.6 10.3.10.5 init
Feb 10 16:56:17 rc_service: service 6132:notify_rc updateresolv
Feb 10 16:56:17 dnsmasq[5953]: read /etc/hosts - 5 addresses
Feb 10 16:56:17 dnsmasq[5953]: read /etc/hosts.dnsmasq - 1 addresses
Feb 10 16:56:17 dnsmasq-dhcp[5953]: read /etc/ethers - 1 addresses
Feb 10 16:56:17 dnsmasq[5953]: using nameserver 206.248.154.22#53
Feb 10 16:56:17 dnsmasq[5953]: using nameserver 206.248.154.170#53
Feb 10 16:56:17 openvpn[5881]: SIGTERM[soft,auth-failure] received, process exiting
Comments
SOLUTION: ASUSWRT Merlin OpenVPN Client Settings
that largely corresponded to Tom W's advice but had some differences - those differences made it work. Sorry to have posted my question before spelunking the forums for possible answers.
pull-filter ignore "auth-token"
If you keep seeing Authenticate/Decrypt errors in your logs, it's also worth trying
mssfix 1300
to deal with any potential MTU issues.
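Added example (not part of the original thread): a small Python triage of the OpenVPN client lines in the log posted above. It reports the two security warnings the client printed and separates an AUTH_FAILED that follows a soft restart after an auth-token was pushed (the sequence in this log, and the case the pull-filter line addresses) from one with no token or restart before it. The function name `triage`, the finding strings and the condensed sample log are constructed for illustration.

```python
import re

# Constructed sample: condensed from the OpenVPN lines of the log posted above.
SAMPLE_LOG = """\
Feb 10 16:54:04 openvpn[5881]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Feb 10 16:54:05 openvpn[5881]: auth-token received, disabling auth-nocache for the authentication token
Feb 10 16:54:05 openvpn[5881]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Feb 10 16:54:16 openvpn[5881]: Authenticate/Decrypt packet error: cipher final failed
Feb 10 16:54:25 openvpn[5881]: Authenticate/Decrypt packet error: cipher final failed
Feb 10 16:56:05 openvpn[5881]: SIGUSR1[soft,ping-restart] received, process restarting
Feb 10 16:56:16 openvpn[5881]: AUTH: Received control message: AUTH_FAILED
Feb 10 16:56:17 openvpn[5881]: SIGTERM[soft,auth-failure] received, process exiting
"""

# Only openvpn[pid] syslog lines are examined; dnsmasq, rc_service etc. are skipped.
LINE = re.compile(r"^\w{3} +\d+ [\d:]{8} openvpn\[\d+\]: (?P<msg>.*)$")

def triage(log_text):
    """Return ordered, de-duplicated findings for one OpenVPN client log."""
    findings, token_seen, restarted, decrypt_errors = [], False, False, 0
    def note(tag):
        if tag not in findings:
            findings.append(tag)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if "No server certificate verification method" in msg:
            note("server certificate not verified")
        elif "INSECURE cipher with block size less than 128 bit" in msg:
            note("64-bit block cipher (SWEET32 warning)")
        elif msg.startswith("auth-token received"):
            token_seen = True      # server pushed a session token
        elif "Authenticate/Decrypt packet error" in msg:
            decrypt_errors += 1
        elif msg.startswith("SIGUSR1[soft,"):
            restarted = True       # soft restart, e.g. ping-restart
        elif "AUTH_FAILED" in msg:
            if token_seen and restarted:
                note("AUTH_FAILED after soft restart with pushed auth-token")
            else:
                note("AUTH_FAILED with no prior token or restart")
    if decrypt_errors:
        note(f"{decrypt_errors} Authenticate/Decrypt packet errors")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_LOG)))
```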