OpenVPN Client TLS: username/password (secret) causes: AUTH_FAILED: SIGTERM[soft,auth-failure]

GoogleCodeExporter commented 9 years ago

Firmware Version: 3.4.3.6-068

OpenVPN client connects perfectly.  However, every time wrong username/password 
is submitted (even though I have typed them 100% correctly in Padavan GUI).  I 
dont have any issues using other OpenVPN clients on other devices using same 
username/password.

Sep 26 18:42:57 openvpn-cli[883]: AUTH: Received control message: AUTH_FAILED
Sep 26 18:42:57 openvpn-cli[883]: SIGTERM[soft,auth-failure] received, process 
exiting

I tried to create my own /etc/openvpn/client/client.conf file using all correct 
settings with "auth-user-pass userpass.txt" instead of "auth-user-pass secret"; 
however, settings revert back. If I can at least use my own client.opvn (with 
all correct settings) without any interference, I think I can avoid this 
problem.

See full log below:
Sep 26 19:00:00 kernel: device tap0 entered promiscuous mode
Sep 26 19:00:00 kernel: ADDRCONF(NETDEV_UP): tap0: link is not ready
Sep 26 19:00:00 RT-N56U: starting OpenVPN client...
Sep 26 19:00:00 openvpn-cli[1368]: OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL 
(OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Sep  1 2013
Sep 26 19:00:00 openvpn-cli[1368]: WARNING: No server certificate verification 
method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sep 26 19:00:00 openvpn-cli[1368]: NOTE: the current --script-security setting 
may allow this configuration to call user-defined scripts
Sep 26 19:00:00 openvpn-cli[1368]: Socket Buffers: R=[163840->131072] 
S=[163840->131072]
Sep 26 19:00:00 openvpn-cli[1369]: nice 3 succeeded
Sep 26 19:00:00 openvpn-cli[1369]: UDPv4 link local: [undef]
Sep 26 19:00:00 openvpn-cli[1369]: UDPv4 link remote: 
[AF_INET]55.21.34.122.23:8081
Sep 26 19:00:00 openvpn-cli[1369]: TLS: Initial packet from 
[AF_INET]55.21.34.122.23:8081, sid=4afbffdd 2e05ad63
Sep 26 19:00:00 openvpn-cli[1369]: WARNING: this configuration may cache 
passwords in memory -- use the auth-nocache option to prevent this
Sep 26 19:00:00 openvpn-cli[1369]: VERIFY OK: depth=2, C=US, O=DigiCert Inc, 
OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
Sep 26 19:00:00 openvpn-cli[1369]: VERIFY OK: depth=1, C=US, O=DigiCert Inc, 
OU=www.digicert.com, CN=DigiCert High Assurance CA-3
Sep 26 19:00:00 openvpn-cli[1369]: VERIFY OK: depth=0, C=HK, ST=New York, L=New 
York, O=Network Solutions Ltd., CN=*.netsolutions.com
Sep 26 19:00:03 openvpn-cli[1369]: Data Channel Encrypt: Cipher 'AES-128-CBC' 
initialized with 128 bit key
Sep 26 19:00:03 openvpn-cli[1369]: Data Channel Encrypt: Using 160 bit message 
hash 'SHA1' for HMAC authentication
Sep 26 19:00:03 openvpn-cli[1369]: Data Channel Decrypt: Cipher 'AES-128-CBC' 
initialized with 128 bit key
Sep 26 19:00:03 openvpn-cli[1369]: Data Channel Decrypt: Using 160 bit message 
hash 'SHA1' for HMAC authentication
Sep 26 19:00:03 openvpn-cli[1369]: Control Channel: TLSv1, cipher TLSv1/SSLv3 
DHE-RSA-AES256-SHA, 4096 bit RSA
Sep 26 19:00:03 openvpn-cli[1369]: [*.networksolutions.com] Peer Connection 
Initiated with [AF_INET]55.21.34.122.23:8081
Sep 26 19:00:05 openvpn-cli[1369]: SENT CONTROL [*.networksolutions.com]: 
'PUSH_REQUEST' (status=1)
Sep 26 19:00:05 openvpn-cli[1369]: PUSH: Received control message: 
'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,ping 
5,ping-restart 15,route-gateway 10.3.14.88,redirect-gateway,ifconfig 10.3.14.88 
255.255.255.0'
Sep 26 19:00:05 openvpn-cli[1369]: OPTIONS IMPORT: timers and/or timeouts 
modified
Sep 26 19:00:05 openvpn-cli[1369]: OPTIONS IMPORT: --ifconfig/up options 
modified
Sep 26 19:00:05 openvpn-cli[1369]: OPTIONS IMPORT: route options modified
Sep 26 19:00:05 openvpn-cli[1369]: OPTIONS IMPORT: route-related options 
modified
Sep 26 19:00:05 openvpn-cli[1369]: OPTIONS IMPORT: --ip-win32 and/or 
--dhcp-option options modified
Sep 26 19:00:05 kernel: ADDRCONF(NETDEV_CHANGE): tap0: link becomes ready
Sep 26 19:00:05 openvpn-cli[1369]: TUN/TAP device tap0 opened
Sep 26 19:00:05 openvpn-cli[1369]: TUN/TAP TX queue length set to 100
Sep 26 19:00:05 openvpn-cli[1369]: do_ifconfig, tt->ipv6=0, 
tt->did_ifconfig_ipv6_setup=0
Sep 26 19:00:05 openvpn-cli[1369]: /sbin/ifconfig tap0 10.3.14.88 netmask 
255.255.255.0 mtu 1500 broadcast 10.3.14.255
Sep 26 19:00:05 kernel: br0: port 4(tap0) entered listening state
Sep 26 19:00:05 openvpn-cli[1369]: ovpnc.script tap0 1500 1590 10.3.14.88 
255.255.255.0 init
Sep 26 19:00:05 openvpn-cli[1369]: /sbin/route add -net 55.21.34.122.23 netmask 
255.255.255.255 gw 50.152.160.1
Sep 26 19:00:05 openvpn-cli[1369]: /sbin/route del -net 0.0.0.0 netmask 0.0.0.0
Sep 26 19:00:05 openvpn-cli[1369]: /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 
gw 10.3.14.88
Sep 26 19:00:05 openvpn-cli[1369]: Initialization Sequence Completed
Sep 26 19:00:20 openvpn-cli[1369]: [*.networksolutions.com] Inactivity timeout 
(--ping-restart), restarting
Sep 26 19:00:20 openvpn-cli[1369]: SIGUSR1[soft,ping-restart] received, process 
restarting
Sep 26 19:00:20 openvpn-cli[1369]: Restart pause, 2 second(s)
Sep 26 19:00:20 kernel: br0: port 4(tap0) entered learning state
Sep 26 19:00:22 openvpn-cli[1369]: WARNING: No server certificate verification 
method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sep 26 19:00:22 openvpn-cli[1369]: NOTE: the current --script-security setting 
may allow this configuration to call user-defined scripts
Sep 26 19:00:22 openvpn-cli[1369]: Socket Buffers: R=[163840->131072] 
S=[163840->131072]
Sep 26 19:00:22 openvpn-cli[1369]: UDPv4 link local: [undef]
Sep 26 19:00:22 openvpn-cli[1369]: UDPv4 link remote: 
[AF_INET]55.21.34.122.23:8081
Sep 26 19:00:22 openvpn-cli[1369]: TLS: Initial packet from 
[AF_INET]55.21.34.122.23:8081, sid=de53a98a b3b00dbf
Sep 26 19:00:23 openvpn-cli[1369]: VERIFY OK: depth=2, C=US, O=DigiCert Inc, 
OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
Sep 26 19:00:23 openvpn-cli[1369]: VERIFY OK: depth=1, C=US, O=DigiCert Inc, 
OU=www.digicert.com, CN=DigiCert High Assurance CA-3
Sep 26 19:00:23 openvpn-cli[1369]: VERIFY OK: depth=0, C=HK, ST=Hong Kong, 
L=Kwun Tong, O=OneHop Network Solutions Ltd., CN=*.networksolutions.com
Sep 26 19:00:25 openvpn-cli[1369]: Data Channel Encrypt: Cipher 'AES-128-CBC' 
initialized with 128 bit key
Sep 26 19:00:25 openvpn-cli[1369]: Data Channel Encrypt: Using 160 bit message 
hash 'SHA1' for HMAC authentication
Sep 26 19:00:25 openvpn-cli[1369]: Data Channel Decrypt: Cipher 'AES-128-CBC' 
initialized with 128 bit key
Sep 26 19:00:25 openvpn-cli[1369]: Data Channel Decrypt: Using 160 bit message 
hash 'SHA1' for HMAC authentication
Sep 26 19:00:25 openvpn-cli[1369]: Control Channel: TLSv1, cipher TLSv1/SSLv3 
DHE-RSA-AES256-SHA, 4096 bit RSA
Sep 26 19:00:25 openvpn-cli[1369]: [*.networksolutions.com] Peer Connection 
Initiated with [AF_INET]55.21.34.122.23:8081
Sep 26 19:00:27 openvpn-cli[1369]: SENT CONTROL [*.networksolutions.com]: 
'PUSH_REQUEST' (status=1)
Sep 26 19:00:27 openvpn-cli[1369]: AUTH: Received control message: AUTH_FAILED
Sep 26 19:00:27 openvpn-cli[1369]: /sbin/route del -net 55.21.34.122.23 netmask 
255.255.255.255
Sep 26 19:00:27 openvpn-cli[1369]: /sbin/route del -net 0.0.0.0 netmask 0.0.0.0
Sep 26 19:00:27 openvpn-cli[1369]: /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 
gw 50.152.160.1
Sep 26 19:00:27 openvpn-cli[1369]: Closing TUN/TAP interface
Sep 26 19:00:27 openvpn-cli[1369]: /sbin/ifconfig tap0 0.0.0.0
Sep 26 19:00:27 openvpn-cli[1369]: ovpnc.script tap0 1500 1590 10.3.14.88 
255.255.255.0 init
Sep 26 19:00:27 kernel: br0: port 4(tap0) entered disabled state
Sep 26 19:00:27 openvpn-cli[1369]: SIGTERM[soft,auth-failure] received, process 
exiting

Original issue reported on code.google.com by michael....@gmail.com on 27 Sep 2013 at 2:12

GoogleCodeExporter commented 9 years ago

Is there any kind of temporary work-around I can do until there's fix for this? 
 I tried searching on google.com about this error; but, I didn't see anything 
that could help me.

I've already tried replacing the 'secret' file with one that I made manually; 
but, that didn't help.  I also tried adding more permissions to 'secret' file, 
but that didn't help either.  I also tried specifying a different password file 
in  "/etc/openvpn/client/client.conf" other than 'secret' however, it looks 
like it's forcing me to use the 'secret' file that it creates.

Thanks for any help you can offer!

Original comment by michael....@gmail.com on 27 Sep 2013 at 3:32

GoogleCodeExporter commented 9 years ago

Please check 
1) file /etc/openvpn/client/secret (generated in run-time) contents correct your
user
password

2) comp-lzo settings must equal on server and client

Original comment by andy.pad...@gmail.com on 27 Sep 2013 at 3:54

GoogleCodeExporter commented 9 years ago

3) 'auth' and 'cipher' settings must equal on server and client site

Original comment by andy.pad...@gmail.com on 27 Sep 2013 at 3:57

GoogleCodeExporter commented 9 years ago

I dont have access to the OpenVPN server settings.  However, I have access to 
the client.ovpn file that's created specifically for me to use.  The 
client.ovpn settings provided to me are all correct; and, work perfectly when I 
use it with other OpenVPN client devices without issues; providing me with full 
Internet access.

I was able to get rid of authorization errors by disabling comp-lzo.  However, 
there is no access to the Internet after the Padavan openvpn client connects to 
openvpn server successfully.  Even Padavan GUI shows that OpenVPN client is 
"connected" (green icon).  However, there is no access to the Internet.  I 
can't ping www.google.com (or anything else) from ssh command-line.  DNS names 
are resolved (probably cached). 

Padavan System Log:
-------------------
Sep 27 09:47:01 RT-N56U: starting OpenVPN client...
Sep 27 09:47:01 openvpn-cli[6056]: OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL 
(OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Sep  1 2013
Sep 27 09:47:01 openvpn-cli[6056]: WARNING: No server certificate verification 
method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sep 27 09:47:01 openvpn-cli[6056]: NOTE: the current --script-security setting 
may allow this configuration to call user-defined scripts
Sep 27 09:47:01 openvpn-cli[6056]: Socket Buffers: R=[163840->131072] 
S=[163840->131072]
Sep 27 09:47:01 openvpn-cli[6057]: nice 3 succeeded
Sep 27 09:47:01 openvpn-cli[6057]: UDPv4 link local: [undef]
Sep 27 09:47:01 openvpn-cli[6057]: UDPv4 link remote: [AF_INET]72.123.15.39:8081
Sep 27 09:47:02 openvpn-cli[6057]: TLS: Initial packet from 
[AF_INET]72.123.15.39:8081, sid=ad46d01f 808e3fc7
Sep 27 09:47:02 openvpn-cli[6057]: WARNING: this configuration may cache 
passwords in memory -- use the auth-nocache option to prevent this
Sep 27 09:47:03 openvpn-cli[6057]: VERIFY OK: depth=2, C=US, O=DigiCert Inc, 
OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
Sep 27 09:47:03 openvpn-cli[6057]: VERIFY OK: depth=1, C=US, O=DigiCert Inc, 
OU=www.digicert.com, CN=DigiCert High Assurance CA-3
Sep 27 09:47:03 openvpn-cli[6057]: VERIFY OK: depth=0, C=US, ST=New York, L=New 
York, O=Network Solutions Ltd., CN=*.networksolutions.com
Sep 27 09:47:07 openvpn-cli[6057]: Data Channel Encrypt: Cipher 'AES-128-CBC' 
initialized with 128 bit key
Sep 27 09:47:07 openvpn-cli[6057]: Data Channel Encrypt: Using 160 bit message 
hash 'SHA1' for HMAC authentication
Sep 27 09:47:07 openvpn-cli[6057]: Data Channel Decrypt: Cipher 'AES-128-CBC' 
initialized with 128 bit key
Sep 27 09:47:07 openvpn-cli[6057]: Data Channel Decrypt: Using 160 bit message 
hash 'SHA1' for HMAC authentication
Sep 27 09:47:07 openvpn-cli[6057]: Control Channel: TLSv1, cipher TLSv1/SSLv3 
DHE-RSA-AES256-SHA, 4096 bit RSA
Sep 27 09:47:07 openvpn-cli[6057]: [*.hide.me] Peer Connection Initiated with 
[AF_INET]72.123.15.39:8081
Sep 27 09:47:09 openvpn-cli[6057]: SENT CONTROL [*.hide.me]: 'PUSH_REQUEST' 
(status=1)
Sep 27 09:47:09 openvpn-cli[6057]: PUSH: Received control message: 
'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,ping 
5,ping-restart 15,route-gateway 10.3.48.96,redirect-gateway,ifconfig 10.3.48.96 
255.255.255.0'
Sep 27 09:47:09 openvpn-cli[6057]: OPTIONS IMPORT: timers and/or timeouts 
modified
Sep 27 09:47:09 openvpn-cli[6057]: OPTIONS IMPORT: --ifconfig/up options 
modified
Sep 27 09:47:09 openvpn-cli[6057]: OPTIONS IMPORT: route options modified
Sep 27 09:47:09 openvpn-cli[6057]: OPTIONS IMPORT: route-related options 
modified
Sep 27 09:47:09 openvpn-cli[6057]: OPTIONS IMPORT: --ip-win32 and/or 
--dhcp-option options modified
Sep 27 09:47:09 kernel: ADDRCONF(NETDEV_CHANGE): tap0: link becomes ready
Sep 27 09:47:09 openvpn-cli[6057]: TUN/TAP device tap0 opened
Sep 27 09:47:09 openvpn-cli[6057]: TUN/TAP TX queue length set to 100
Sep 27 09:47:09 openvpn-cli[6057]: do_ifconfig, tt->ipv6=0, 
tt->did_ifconfig_ipv6_setup=0
Sep 27 09:47:09 openvpn-cli[6057]: /sbin/ifconfig tap0 10.3.48.96 netmask 
255.255.255.0 mtu 1500 broadcast 10.3.48.255
Sep 27 09:47:09 openvpn-cli[6057]: ovpnc.script tap0 1500 1589 10.3.48.96 
255.255.255.0 init
Sep 27 09:47:09 kernel: br0: port 4(tap0) entered listening state
Sep 27 09:47:09 openvpn-cli[6057]: /sbin/route add -net 72.123.15.39 netmask 
255.255.255.255 gw 150.12.161.1
Sep 27 09:47:09 openvpn-cli[6057]: /sbin/route del -net 0.0.0.0 netmask 0.0.0.0
Sep 27 09:47:09 openvpn-cli[6057]: /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 
gw 10.3.48.96
Sep 27 09:47:09 openvpn-cli[6057]: Initialization Sequence Completed
Sep 27 09:47:24 kernel: br0: port 4(tap0) entered learning state
Sep 27 09:47:39 kernel: br0: topology change detected, propagating
Sep 27 09:47:39 kernel: br0: port 4(tap0) entered forwarding state

Below, is contents of custom "client.ovpn" file created specifically for me 
that works perfectly on other openvpn client devices:
--------------------------------------------------------------------------------
-----
client
dev tap
proto udp
remote myvpnserver.com 8081
cipher AES-128-CBC
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca TrustedRoot.pem
verb 3
auth-user-pass userpass.txt
reneg-sec 0

Padavan: /etc/openvpn/client/client.conf:
-----------------------------------------
client
proto udp
remote myvpnserver.com 8081
resolv-retry infinite
nobind
dev tap0
ca /etc/storage/openvpn/client/ca.crt
auth-user-pass secret
persist-key
script-security 2
writepid /var/run/openvpn_cli.pid
up ovpnc.script
down ovpnc.script

### User params:
auth SHA1      # SHA1 160 bit (default)
cipher AES-128-CBC   # AES 128 bit
nice 3
verb 3
mute-replay-warnings
reneg-sec 0
persist-tun

Padavan: /etc/storage/openvpn/client/client.conf:
-------------------------------------------------
# Custom user conf file for OpenVPN client
# Please add needed params only!

### Authenticate packets with HMAC using message digest algorithm
;auth SHA1      # SHA1 160 bit (default)
;auth SHA256    # SHA256 256 bit
;auth SHA512    # SHA512 512 bit

### Encrypt packets with cipher algorithm
;cipher BF-CBC        # Blowfish 128 bit (default)
cipher AES-128-CBC   # AES 128 bit
;cipher AES-256-CBC   # AES 256 bit
;cipher DES-EDE3-CBC  # Triple-DES 192 bit
;cipher none          # No encryption

### Enable LZO compression on the VPN link
;comp-lzo

### If your server certificates with the nsCertType field set to "server"
;ns-cert-type server

### All outgoing IP traffic will be redirected over the VPN
;redirect-private def1

### Process priority level (0..19)
nice 3

### Syslog verbose level
verb 3
;mute 10
mute-replay-warnings

reneg-sec 0
persist-tun
;auth-retry nointeract

Original comment by michael....@gmail.com on 27 Sep 2013 at 5:13

GoogleCodeExporter commented 9 years ago

So, am I doing something wrong?  Or is there an problem with Padavan openVPN 
client?  I have all configuration information posted above...

Original comment by michael....@gmail.com on 27 Sep 2013 at 8:45

GoogleCodeExporter commented 9 years ago

1) Authorization now successful, because server-side used cipher AES-128-CBC and
comp-lzo is disabled

2) You needed TUN encapsulation!!!

Remote server pushed this params
'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,ping 
5,ping-restart 15,route-gateway 10.3.48.96,redirect-gateway,ifconfig 10.3.48.96 
255.255.255.0'

Your VPN IP is 10.3.48.96, TAP encapsulation (on router) used only for combine 
equal remote LAN subnets (e.g. server LAN is 192.168.1.x and client LAN is 
192.168.1.x). TAP for router and TAP for single host - it's not the same thing!

Original comment by andy.pad...@gmail.com on 28 Sep 2013 at 9:57

GoogleCodeExporter commented 9 years ago

Andy thank you so much for helping me!  I've been struggling all day trying to 
get this to work (mostly due to my inexperience).  I think what confused me was 
because I was trying to use the same openVPN client (client.ovpn) settings I 
use for my other devices (mobile phone, Windows 7 PC, etc.  I guess openvpn 
clients on routers, it's different.

I have already tried using "Encapsulation Layer: TUN - Tunnel".  Unfortunately, 
the Padavan OpenVPN client exited with a "fatal error".  It doesnt connect at 
all; apparently from an incorrect/incompatible ifconfig command??  I have no 
idea where to fix this.

Here's the log:
--------------------------------------------------------------------------------
----
Sep 28 10:21:40 RT-N56U: starting OpenVPN client...
Sep 28 10:21:40 openvpn-cli[9624]: OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL 
(OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Sep  1 2013
Sep 28 10:21:40 openvpn-cli[9624]: WARNING: No server certificate verification 
method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sep 28 10:21:40 openvpn-cli[9624]: NOTE: the current --script-security setting 
may allow this configuration to call user-defined scripts
Sep 28 10:21:40 openvpn-cli[9624]: Control Channel MTU parms [ L:1557 D:138 
EF:38 EB:0 ET:0 EL:0 ]
Sep 28 10:21:40 openvpn-cli[9624]: Socket Buffers: R=[163840->131072] 
S=[163840->131072]
Sep 28 10:21:40 openvpn-cli[9624]: Data Channel MTU parms [ L:1557 D:1450 EF:57 
EB:4 ET:0 EL:0 ]
Sep 28 10:21:40 openvpn-cli[9625]: nice 3 succeeded
Sep 28 10:21:40 openvpn-cli[9625]: UDPv4 link local: [undef]
Sep 28 10:21:40 openvpn-cli[9625]: UDPv4 link remote: 
[AF_INET]53.234.123.117:8081
Sep 28 10:21:41 openvpn-cli[9625]: TLS: Initial packet from 
[AF_INET]53.234.123.117:8081, sid=ea5c110b 7111e1fa
Sep 28 10:21:41 openvpn-cli[9625]: WARNING: this configuration may cache 
passwords in memory -- use the auth-nocache option to prevent this
Sep 28 10:21:41 openvpn-cli[9625]: VERIFY OK: depth=2, C=US, O=DigiCert Inc, 
OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
Sep 28 10:21:41 openvpn-cli[9625]: VERIFY OK: depth=1, C=US, O=DigiCert Inc, 
OU=www.digicert.com, CN=DigiCert High Assurance CA-3
Sep 28 10:21:41 openvpn-cli[9625]: VERIFY OK: depth=0, C=HK, ST=New York, L=New 
York, O=Network Solutions Ltd., CN=*.networksolutions.com
Sep 28 10:21:43 openvpn-cli[9625]: Data Channel Encrypt: Cipher 'AES-128-CBC' 
initialized with 128 bit key
Sep 28 10:21:43 openvpn-cli[9625]: Data Channel Encrypt: Using 160 bit message 
hash 'SHA1' for HMAC authentication
Sep 28 10:21:43 openvpn-cli[9625]: Data Channel Decrypt: Cipher 'AES-128-CBC' 
initialized with 128 bit key
Sep 28 10:21:43 openvpn-cli[9625]: Data Channel Decrypt: Using 160 bit message 
hash 'SHA1' for HMAC authentication
Sep 28 10:21:43 openvpn-cli[9625]: Control Channel: TLSv1, cipher TLSv1/SSLv3 
DHE-RSA-AES256-SHA, 4096 bit RSA
Sep 28 10:21:43 openvpn-cli[9625]: [*.hide.me] Peer Connection Initiated with 
[AF_INET]53.234.123.117:8081
Sep 28 10:21:45 openvpn-cli[9625]: SENT CONTROL [*.hide.me]: 'PUSH_REQUEST' 
(status=1)
Sep 28 10:21:45 openvpn-cli[9625]: PUSH: Received control message: 
'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,ping 
5,ping-restart 15,route-gateway 10.3.15.154,redirect-gateway,ifconfig 
10.3.15.154 255.255.255.0'
Sep 28 10:21:45 openvpn-cli[9625]: OPTIONS IMPORT: timers and/or timeouts 
modified
Sep 28 10:21:45 openvpn-cli[9625]: OPTIONS IMPORT: --ifconfig/up options 
modified
Sep 28 10:21:45 openvpn-cli[9625]: OPTIONS IMPORT: route options modified
Sep 28 10:21:45 openvpn-cli[9625]: OPTIONS IMPORT: route-related options 
modified
Sep 28 10:21:45 openvpn-cli[9625]: OPTIONS IMPORT: --ip-win32 and/or 
--dhcp-option options modified
Sep 28 10:21:45 openvpn-cli[9625]: WARNING: Since you are using --dev tun with 
a point-to-point topology, the second argument to --ifconfig must be an IP 
address.  You are using something (255.255.255.0) that looks more like a 
netmask. (silence this warning with --ifconfig-nowarn)
Sep 28 10:21:45 openvpn-cli[9625]: TUN/TAP device tun0 opened
Sep 28 10:21:45 openvpn-cli[9625]: TUN/TAP TX queue length set to 100
Sep 28 10:21:45 openvpn-cli[9625]: do_ifconfig, tt->ipv6=0, 
tt->did_ifconfig_ipv6_setup=0
Sep 28 10:21:45 openvpn-cli[9625]: /sbin/ifconfig tun0 10.3.15.154 pointopoint 
255.255.255.0 mtu 1500
Sep 28 10:21:45 openvpn-cli[9625]: Linux ifconfig failed: external program 
exited with error status: 1
Sep 28 10:21:45 openvpn-cli[9625]: Exiting due to fatal error
--------------------------------------------------------------------------------
-----

Original comment by michael....@gmail.com on 28 Sep 2013 at 5:39

GoogleCodeExporter commented 9 years ago

Hmmm...

Server pushed to client "point-to-point" (P2P) topology, I have not tested P2P 
(P2P is deprecated on new version OpenVPN). Tested only "Subnet" and "NET30" 
topology. 

Try to add line to config:

topology net30

And remove persist-tun (not needed for client, with persist-tun connected 
status will not work).

Original comment by andy.pad...@gmail.com on 28 Sep 2013 at 9:14

GoogleCodeExporter commented 9 years ago

I commented out persist-tun.  'topology net30' didn't make any difference in 
the system log error messages related to ifconfig.  However, when I changed it 
to 'topology subnet', it immediately connected successfully using TUN 
encapsulation!  There are no more errors in the system log.  I even got a green 
"connected" message.

However, none of my devices connected to my router have Internet access after 
the Padavan openVPN client connects. If I disconnect Padavan OpenVPN client, my 
normal, non-VPN Internet connection is restored.  These were the same exact 
symptoms I had when connecting via TAP encapsulation.  I'm not sure if it's the 
same cause or not though.

Below is my system log after padavan openvpn client connects; but no Internet 
connection:
--------------------------------------------------------------------------------
-----
Sep 28 17:44:36 RT-N56U: starting OpenVPN client...
Sep 28 17:44:36 openvpn-cli[10857]: OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL 
(OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Sep  1 2013
Sep 28 17:44:36 openvpn-cli[10857]: WARNING: No server certificate verification 
method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sep 28 17:44:36 openvpn-cli[10857]: NOTE: the current --script-security setting 
may allow this configuration to call user-defined scripts
Sep 28 17:44:36 openvpn-cli[10857]: Control Channel MTU parms [ L:1557 D:138 
EF:38 EB:0 ET:0 EL:0 ]
Sep 28 17:44:36 openvpn-cli[10857]: Socket Buffers: R=[163840->131072] 
S=[163840->131072]
Sep 28 17:44:36 openvpn-cli[10857]: Data Channel MTU parms [ L:1557 D:1450 
EF:57 EB:4 ET:0 EL:0 ]
Sep 28 17:44:36 openvpn-cli[10858]: nice 3 succeeded
Sep 28 17:44:36 openvpn-cli[10858]: UDPv4 link local: [undef]
Sep 28 17:44:36 openvpn-cli[10858]: UDPv4 link remote: 
[AF_INET]67.212.234.180:8081
Sep 28 17:44:36 openvpn-cli[10858]: TLS: Initial packet from 
[AF_INET]67.212.234.180:8081, sid=d26bdbf5 24350b4a
Sep 28 17:44:36 openvpn-cli[10858]: WARNING: this configuration may cache 
passwords in memory -- use the auth-nocache option to prevent this
Sep 28 17:44:36 openvpn-cli[10858]: VERIFY OK: depth=2, C=US, O=DigiCert Inc, 
OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
Sep 28 17:44:36 openvpn-cli[10858]: VERIFY OK: depth=1, C=US, O=DigiCert Inc, 
OU=www.digicert.com, CN=DigiCert High Assurance CA-3
Sep 28 17:44:36 openvpn-cli[10858]: VERIFY OK: depth=0, C=US, ST=New York, 
L=New York, O=Network Solutions Ltd., CN=*.networksolutions.com
Sep 28 17:44:38 openvpn-cli[10858]: Data Channel Encrypt: Cipher 'AES-128-CBC' 
initialized with 128 bit key
Sep 28 17:44:38 openvpn-cli[10858]: Data Channel Encrypt: Using 160 bit message 
hash 'SHA1' for HMAC authentication
Sep 28 17:44:38 openvpn-cli[10858]: Data Channel Decrypt: Cipher 'AES-128-CBC' 
initialized with 128 bit key
Sep 28 17:44:38 openvpn-cli[10858]: Data Channel Decrypt: Using 160 bit message 
hash 'SHA1' for HMAC authentication
Sep 28 17:44:38 openvpn-cli[10858]: Control Channel: TLSv1, cipher TLSv1/SSLv3 
DHE-RSA-AES256-SHA, 4096 bit RSA
Sep 28 17:44:38 openvpn-cli[10858]: [*.networksolutions.com] Peer Connection 
Initiated with [AF_INET]67.212.234.180:8081
Sep 28 17:44:41 openvpn-cli[10858]: SENT CONTROL [*.hide.me]: 'PUSH_REQUEST' 
(status=1)
Sep 28 17:44:41 openvpn-cli[10858]: PUSH: Received control message: 
'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,ping 
5,ping-restart 15,route-gateway 10.3.14.213,redirect-gateway,ifconfig 
10.3.14.213 255.255.255.0'
Sep 28 17:44:41 openvpn-cli[10858]: OPTIONS IMPORT: timers and/or timeouts 
modified
Sep 28 17:44:41 openvpn-cli[10858]: OPTIONS IMPORT: --ifconfig/up options 
modified
Sep 28 17:44:41 openvpn-cli[10858]: OPTIONS IMPORT: route options modified
Sep 28 17:44:41 openvpn-cli[10858]: OPTIONS IMPORT: route-related options 
modified
Sep 28 17:44:41 openvpn-cli[10858]: OPTIONS IMPORT: --ip-win32 and/or 
--dhcp-option options modified
Sep 28 17:44:41 openvpn-cli[10858]: TUN/TAP device tun0 opened
Sep 28 17:44:41 openvpn-cli[10858]: TUN/TAP TX queue length set to 100
Sep 28 17:44:41 openvpn-cli[10858]: do_ifconfig, tt->ipv6=0, 
tt->did_ifconfig_ipv6_setup=0
Sep 28 17:44:41 openvpn-cli[10858]: /sbin/ifconfig tun0 10.3.14.213 netmask 
255.255.255.0 mtu 1500 broadcast 10.3.14.255
Sep 28 17:44:41 openvpn-cli[10858]: ovpnc.script tun0 1500 1557 10.3.14.213 
255.255.255.0 init
Sep 28 17:44:41 openvpn-cli[10858]: /sbin/route add -net 67.212.234.180 netmask 
255.255.255.255 gw 77.111.160.1
Sep 28 17:44:41 openvpn-cli[10858]: /sbin/route del -net 0.0.0.0 netmask 0.0.0.0
Sep 28 17:44:41 openvpn-cli[10858]: /sbin/route add -net 0.0.0.0 netmask 
0.0.0.0 gw 10.3.14.213
Sep 28 17:44:41 openvpn-cli[10858]: Initialization Sequence Completed
--------------------------------------------------------------------------------
-----

Original comment by michael....@gmail.com on 29 Sep 2013 at 1:06

GoogleCodeExporter commented 9 years ago

Sorry to bother you again... Just a friendly reminder to please take a look at 
the above; and see why Internet doesnt work while connected to VPN using 
"topology subnet" setting and TUN encapsulation.  I dont get any errors; and, 
even get green "Connected" message in GUI; samesame exact symptom I had after 
connected to VPN using TAP encapsulation.  I'm hoping since it's connecting 
successfully without errors using TUN encapsulation, there is just a minor 
issue that I can manually fix.

Thanks again for all your help!

Original comment by michael....@gmail.com on 1 Oct 2013 at 3:09

GoogleCodeExporter commented 9 years ago

See commit 
http://code.google.com/p/rt-n56u/source/detail?r=d993004c18d5120148b99b3d5642c16
acd5e2357

Original comment by andy.pad...@gmail.com on 17 Oct 2013 at 4:42

GoogleCodeExporter commented 9 years ago

Thank you very much!!

Original comment by michael....@gmail.com on 17 Oct 2013 at 9:47

mtchang / rt-n56u

OpenVPN Client TLS: username/password (secret) causes: AUTH_FAILED: SIGTERM[soft,auth-failure] #1003