Hi @stevets42 

Thanks for posting in our business forum.

1. Recommend you remove

stevets42 wrote

Hello,

I'm running:

• Software Controller (version 5.13.23)
• ER605 V2.0 router (firmware version 2.2.3 Build 20231201 Rel.32918)

Issue

I can't get my router to connect to a vpn server and I can't figure out whats wrong with my config.

Unfortunately, I'm not able to access any logs or receive any feedback regarding this issue. This is the second time in as many days, since setting up the system, that I've encountered challenges with tasks that I expected would be straightforward for a business solution like Omada. The intent was for Omada to simplify network management, but instead, it has been consuming a significant amount of my time, including my weekends. My apologies for the tone of frustration, but this situation has been quite challenging.

Config

Purpose: Client-to-Site VPN
VPN Type: VPN Client - OpenVPN
Mode: Certificate+Account
Local Network Type:  Network
Local Networks: All
WAN: WAN
Configuration:

client
dev tun
proto udp
remote ... 1194
remote-cert-tls server
nobind
mssfix
reneg-sec 432000
resolv-retry infinite
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
tun-mtu 1440
fragment 1400
comp-lzo yes
tls-version-min 1.0
cipher bf-cbc
verb 1
auth-user-pass

Set this string as comp-lzo and save and test. If this does not work, ask your VPN provider what kind of encryption they offer.

For example, encryption AES-CBC might not be supported. See the search result from the related threads on the forum.

Hi @stevets42 

Thanks for posting in our business forum.

stevets42 wrote

  @Clive_A Thanks for the quick response.

 

Testing on my lokal computer.

Just comp-lzo works.

 

Tried cipher AES-128-CBC

Mon Jan 29 08:08:09 2024 WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'

 

Tried no cipher at all and let them figure out the best cipher.

Works local, but not the er605 i guess.

 

I there a way to access the logs or run openvpn through ssh directly on the er605 in controller mode to at least see what the problem is i'm trying to fix here?

 

I read GCM is not supported.

BF-CBC seems not to work.

 

Do you know which ciphers are supported?

 

AES-128-CBC?

AES-256-CBC?

DES-EDE3-CBC?
CAMELLIA-128-CBC?

CAMELLIA-256-CBC?

So, if your service provider supports the compatible mode, get a file from the compatible mode.

AFAIK, our built-in OVPN version is not the latest one. Some encryption might not be compatible.

I think AES-CBC and others if they are very new and the latest gen of encryption, they don't work on the old(version of) OVPN client.

Hi @stevets42 

Thanks for posting in our business forum.

stevets42 wrote

@Clive_A

 

Hello,

 

I wanted to provide an update and extend a partial apology. In hindsight, a debug log would have been immensely helpful in diagnosing the problem.

Although I had tested the configuration locally, I overlooked a crucial detail: the local setup used "tls-auth fipTA.key 1".

What I missed in my initial setup was the key-direction 1 parameter.

 

After including this, the connection is now visible in Insight.

 

I want to express my gratitude for the swift support offered.

It has been a learning experience, and I appreciate the assistance. Thank you!

 

Best regards,

Steve

Very happy to know that.

Can you share the full config again? That might be helpful for others who run into the same issue in future.