TLS Error setting up OpenVPN on DD-WRT
I've now spent several days troubleshooting, mining the DD-WRT, PIA, and OpenVPN forums. I believe I have the 90% solution, but I can't get past the following OpenVPN errors:
Client will work when started from the computer, so it's not a provider delay/filtering problem. [Note: I disconnect the client before rebooting / testing the router VPN. When it fails, I connect the client & confirm it works.]
Troubleshooting already attempted:
- Fixed NTP time settings
- Tried using Link-3 DNS servers as Static DNS
- Changed VPN server to IP address to prevent DNS-lookup delays
- Troubleshot / verified that password.txt is now being created correctly
- MTU shifted to 1500 from 1400 based on recommendation in DD-WRT OpenVPN status log
Firmware: DD-WRT v24-sp2 (01/10/14) std build 23320
UDP port 1194 on 50.97.94.46 works via the client (Texas)
CURRENT CONFIGURATION SCREENSHOTS: https://imgur.com/a/bBnc5#0
Additional Config (Services-VPN)
auth-user-pass /tmp/password.txt
persist-key
persist-tun
tls-client
remote-cert-tls server
CA Cert (Services-VPN)
Startup Commands (Admin-Commands)
echo username > /tmp/password.txt
echo password >> /tmp/password.txt
/usr/bin/killall openvpn
/usr/sbin/openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --down-pre /tmp/openvpnc/route-down.sh --daemon
{Note: text wrapping fails here, but "/usr/sbin ... --daemon" is all entered as one command line.}
OpenVPN Status log:
20141012 23:47:50 Socket Buffers: R=[163840->131072] S=[163840->131072]
20141012 23:47:50 I UDPv4 link local: [undef]
20141012 23:47:50 I UDPv4 link remote: [AF_INET]50.97.94.46:1194
20141012 23:48:51 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20141012 23:48:51 N TLS Error: TLS handshake failed
20141012 23:48:51 I SIGUSR1[soft tls-error] received process restarting
20141012 23:48:51 Restart pause 2 second(s)
20141012 23:48:53 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20141012 23:48:53 Socket Buffers: R=[163840->131072] S=[163840->131072]
20141012 23:48:53 I UDPv4 link local: [undef]
20141012 23:48:53 I UDPv4 link remote: [AF_INET]50.97.94.46:1194
20141012 23:49:53 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20141012 23:49:53 N TLS Error: TLS handshake failed
20141012 23:49:53 I SIGUSR1[soft tls-error] received process restarting
20141012 23:49:53 Restart pause 2 second(s)
20141012 23:49:55 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20141012 23:49:55 Socket Buffers: R=[163840->131072] S=[163840->131072]
20141012 23:49:55 I UDPv4 link local: [undef]
20141012 23:49:55 I UDPv4 link remote: [AF_INET]50.97.94.46:1194
20141012 23:50:24 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20141012 23:50:24 D MANAGEMENT: CMD 'state'
20141012 23:50:24 MANAGEMENT: Client disconnected
20141012 23:50:24 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20141012 23:50:24 D MANAGEMENT: CMD 'state'
20141012 23:50:24 MANAGEMENT: Client disconnected
20141012 23:50:24 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20141012 23:50:24 D MANAGEMENT: CMD 'state'
20141012 23:50:24 MANAGEMENT: Client disconnected
20141012 23:50:24 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20141012 23:50:24 D MANAGEMENT: CMD 'log 500'
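Added example, not from the thread or from DD-WRT: a small POSIX shell classifier that reads a status log like the one above and reports how far the attempt got, keyed on OpenVPN's own log messages; the AUTH_FAILED sample is constructed for contrast.

```shell
#!/bin/sh
# Added example, not from the thread: read an OpenVPN status log and report how
# far the connection attempt got, keyed on OpenVPN's own messages. The thread's
# log stops at "TLS key negotiation failed to occur within 60 seconds", i.e. the
# TLS handshake never completed in the hand-window; the username/password are
# only sent inside the finished TLS channel, so the server never saw them.

stage_rank() {   # map one log line to how far the handshake got (higher = further)
    case "$1" in
        *"Initialization Sequence Completed"*)   echo 4 ;;   # tunnel is up
        *"AUTH_FAILED"*)                          echo 3 ;;   # TLS done, credentials refused
        *"TLS key negotiation failed to occur"*)  echo 2 ;;   # TLS started, never completed
        *"link remote:"*)                         echo 1 ;;   # UDP socket opened to the server
        *)                                        echo 0 ;;
    esac
}

ovpn_stage() {   # ovpn_stage LOGFILE -> prints the furthest stage reached anywhere in the log
    best=0
    while IFS= read -r line; do
        r=$(stage_rank "$line")
        if [ "$r" -gt "$best" ]; then best=$r; fi
    done < "$1"
    case "$best" in
        4) echo connected ;;
        3) echo auth-rejected ;;
        2) echo tls-no-reply ;;
        1) echo socket-only ;;
        *) echo no-attempt ;;
    esac
}

# Constructed sample 1: lines taken from the thread's status log
THREAD_LOG=$(mktemp)
cat > "$THREAD_LOG" <<'EOF'
20141012 23:47:50 I UDPv4 link remote: [AF_INET]50.97.94.46:1194
20141012 23:48:51 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20141012 23:48:51 N TLS Error: TLS handshake failed
20141012 23:48:51 I SIGUSR1[soft tls-error] received process restarting
EOF
# Constructed sample 2: what a wrong password looks like once TLS itself works
AUTH_LOG=$(mktemp)
cat > "$AUTH_LOG" <<'EOF'
20141012 23:47:50 I UDPv4 link remote: [AF_INET]50.97.94.46:1194
20141012 23:47:52 N AUTH: Received control message: AUTH_FAILED
EOF
echo "thread log: $(ovpn_stage "$THREAD_LOG")"   # tls-no-reply
echo "auth log:   $(ovpn_stage "$AUTH_LOG")"     # auth-rejected
```

A result of tls-no-reply on the router's log, while the same credentials give connected from the computer, puts the problem before authentication: the server's handshake packets are not getting back to the router.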
Comments
1 - the password formatting is incorrect
2 - an error is preventing the system from reaching the password verification stage.
Test: changing to an invalid password
Result: errors remain the same on OpenVPN status page
I've seen the password.txt instructions 3 ways now:
1: echo username >> /tmp/password.txt
2: echo username > /tmp/password.txt
3: echo "username" > /tmp/password.txt
When I execute cat /tmp/password.txt, each of the three methods appears to generate the same output:
username
password
I have also verified that the username and password are correct, by copy/pasting the cat /tmp/password.txt results into my OSX PIA client, which then connects and works properly.
I did notice that even though the setup instructions state to use Blowfish, the client is using AES-128, so I attempted shifting that independently; still no change in status log.
Checking the DD-WRT Wiki, I can't find anywhere that specifies exactly what the formatting should be - most of it is dedicated to creating servers. Double-checking with other service providers yields the commands above... still stumped. I did also note that a few of the commands listed in the instructions are not only default, but CAN'T be changed using the DD-WRT GUI, so I may try removing them tomorrow.
Can anyone point me towards a resource that describes the basic algorithm DD-WRT is executing here? Trying to figure out exactly what step it's hanging on.
Can anyone else vouch for the correct format of the password file? It's passed to the auth-user-pass OpenVPN command, but I haven't found explicit formatting in my searches.
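Added example, not from the thread or from DD-WRT: a POSIX shell check for the two-line auth-user-pass file format asked about above, with a writer that creates the file the way the three echo variants intend, plus a permissions check since the file holds a plaintext password. The demo file names under a temporary directory are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: check (and correctly write) the file
# given to --auth-user-pass. OpenVPN reads line 1 as the username and line 2
# as the password, so an extra line, a CR or a trailing space silently becomes
# part of the credential; and since the file holds a plaintext password it
# should be readable only by its owner.

write_authfile() {   # write_authfile FILE USER PASS
    ( umask 077; printf '%s\n%s\n' "$2" "$3" > "$1" )
}

check_authfile() {   # prints "ok" or the first problem found; returns 1 on a problem
    f="$1"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    n=$(wc -l < "$f" | tr -d ' ')
    # ">>" on every boot, or a file with no final newline, both land here
    [ "$n" -eq 2 ] || { echo "expected 2 lines, found $n"; return 1; }
    if grep -q '[[:space:]]$' "$f"; then
        echo "CR or trailing whitespace on a credential line"; return 1
    fi
    [ -n "$(sed -n 1p "$f")" ] && [ -n "$(sed -n 2p "$f")" ] ||
        { echo "empty username or password"; return 1; }
    case "$(ls -l "$f" | cut -c1-10)" in
        -rw-------) ;;
        *) echo "permissions too open, want 0600"; return 1 ;;
    esac
    echo ok
}

# Constructed demo files in a throwaway directory, not the router's /tmp/password.txt
demo=$(mktemp -d)
write_authfile "$demo/good.txt" username password
printf 'username\r\npassword\r\n' > "$demo/crlf.txt"   # Windows line endings
printf 'username\npassword\n\n'   > "$demo/extra.txt"  # stray blank third line
for f in good crlf extra; do
    echo "$f.txt: $(check_authfile "$demo/$f.txt")"
done
```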
I don't know what else to say on this. I never used dd-wrt for openvpn but have used tomato and now merlin asus.
I've replaced the ISP-provided DSL modem with a Bridge modem, removing any configuration issues on the modem. I've upgraded DD-WRT to build 24461.
Still no success. Anyone have suggestions?
Issue I found is the OpenVPN client software on the DD-WRT keeps the tunnel up even though the tunnel has obviously died. Can see incrementing drops / TX counters under ifconfig tun1 and no increments under RX. Tried multiple openvpn configuration flags (keepalive 10 60, ping-restart 8.8.8.8 and removing both persist-key / persist-tun), all of which did nothing. Found someone who killed the openvpn process, which killed the tunnel interface. So the easy way to make it happen is a script to ping and restart the openvpn service. Used someone else's script, scheduled with cron to run every minute. Think it is fixed now.
#################################
#!/bin/bash
# Run from cron every minute: if five pings to 8.8.8.8 get no reply,
# assume the tunnel is dead and bounce the DD-WRT openvpn service.
if ping -c 5 8.8.8.8 < /dev/null
then
    : # colon is a null command and is required (an empty then-branch is a syntax error)
else
    stopservice openvpn ; startservice openvpn
fi