Hi,Based in the UK, have a third party DSL router which provides Internet access. This is connected to our SXK30 on its WAN port. All VLANs on the Orbi Pro network can surf the Internet fine.On SXK30, needed a VPN with DDNS, so setup a no-ip account. Enabled VPN and Dynamic DNS, copied OpenVPN config setup, all VPN passthrough traffic worked through DSL router and could access the Orbi Pro admin over VPN. All good.We now have a static Internet address, so don't need no-ip and other DDNS services, so turned off Dynamic DNS in the SXK30 menu and that was when the issue started.When I downloaded the OpenVPN config files, the .ovpn file is showing 0.0.0.0 as the destination server and not the static external address of the router. Even if I change the IP address within the .ovpn file to the actual static Internet address, OpenVPN still won't connect because the key was created when the target was 0.0.0.0So the question is, how (with the Dynamic DNS off) can I tell the VPN listener on the SXK30 to create a key for the external DSL router address and not default to 0.0.0.0?TIABSG

I hsd the OpenVPN config file I had in mind ... typo, sorry

Put in the IP address you want into the remote field of the .ovpn file.

Hi,Manually adding the actual external address client.ovpn, on the remote line doesn't work.Whilst that config file correctly routes the client through to the external router and the router passes though the TAP traffic through to the Orbi Pro, the encryption key doesn't recognise that external address, so you get a yellow status, rather than the green status.When you download the VPN file set from the Orbi Pro VPN admin page (ca.crt, client.crt, client.key and client.ovpn) they all rely on the external IP address that the Orbi Pro can see at the time of the generation, which being dynamic DNS is turned off, is 0.0.0.0There needs to be an an additional option on that file generation page that says "Manually enter external Internet address that will be used : xxx.xxx.xxx.xxx".I'm thinking that maybe a workaround would be to activate Dynamic DNS, create a no-ip account with a temp hostname. Set that hostname to be the external IP address. The Orbi Pro VPN config would pull that external address from no-ip and use it when creating the encryption key. Once the correct key is made, hopefully dynamic DNS could be disabled rather than every 30 days, keeping the temp hostname alive and that with the VPN active with the correct IP in the key AND the .ovpn file, the whole system will work.

BrainSuperGlue wrote: Manually adding the actual external address client.ovpn, on the remote line doesn't work. You can enter any valid IP4 or DNS hostname there, of course. BrainSuperGlue wrote: Whilst that config file correctly routes the client through to the external router and the router passes though the TAP traffic through to the Orbi Pro, the encryption key doesn't recognise that external address, so you get a yellow status, rather than the green status. The OpenVPN client does offer a Show Log File (naming depends on the language version) along with the OpenVPN, nicely accumulated with timestamps. Post the log file (with the DNS name or IP address xxxx-ed), and we can have an eye on it. BrainSuperGlue wrote: When you download the VPN file set from the Orbi Pro VPN admin page (ca.crt, client.crt, client.key and client.ovpn) they all rely on the external IP address that the Orbi Pro can see at the time of the generation, which being dynamic DNS is turned off, is 0.0.0.0.. None of the OpenVPN certificates generated does contain any reference to the IP or th hostname - these are always the same. This isn't https. Yes, there are some or several shortcomings in this design, for example can the keys not re-generated from scratch. BrainSuperGlue wrote: There needs to be an an additional option on that file generation page that says "Manually enter external Internet address that will be used : xxx.xxx.xxx.xxx".. For the few users with static IP addresses, this would be nice.

Hi,In regards to adding IPv4 or DNS hostname in the .ovpn config, true but the issue still exists that where is some extra checking which is still seeing 0.0.0.0, even thought the external lookup is correct.With the client.log, the settings given by the Orbi Pro config show as the following warnings and deprication in the OpenVPN logging."2024-03-29 04:24:21 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.2024-03-29 04:24:21 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations."I had these when the VPN was working and pulling the external address from dynamic DNS, so these don't appear to be the issue why the handshaking isn't completing.The question remains, given in the UK, given we have to use a DSL modem which provides passthrough, how can we make the Orbi Pro automatically see what the external Internet address has been allocated to the connection.We know that the Orbi Pro mesh can route correctly to the Internet given we can do whatismyip.com on any browser on any VLAN and it will show us.Why then, when dynamic DNS is turned off, can't the Orbi Pro firmware pick up the external Internet address even though it can see it and still provides 0.0.0.0, plus how can we, even if we have to go into the command line on the Orbi Pro, manually tell it the external IP address, if it won't pick it up itself?TIABSG

SXK30 VPN : 0.0.0.0 issue when not using dynamic DNS

12 Replies

schumaku
Guru - Experienced User
Mar 28, 2024
Put in the IP address you want into the remote field of the .ovpn file.
- BrainSuperGlue
  Tutor
  Mar 29, 2024
  Hi,
  
  Manually adding the actual external address client.ovpn, on the remote line doesn't work.
  Whilst that config file correctly routes the client through to the external router and the router passes though the TAP traffic through to the Orbi Pro, the encryption key doesn't recognise that external address, so you get a yellow status, rather than the green status.
  
  When you download the VPN file set from the Orbi Pro VPN admin page (ca.crt, client.crt, client.key and client.ovpn) they all rely on the external IP address that the Orbi Pro can see at the time of the generation, which being dynamic DNS is turned off, is 0.0.0.0
  
  There needs to be an an additional option on that file generation page that says "Manually enter external Internet address that will be used : xxx.xxx.xxx.xxx".
  
  I'm thinking that maybe a workaround would be to activate Dynamic DNS, create a no-ip account with a temp hostname. Set that hostname to be the external IP address. The Orbi Pro VPN config would pull that external address from no-ip and use it when creating the encryption key.
  
  Once the correct key is made, hopefully dynamic DNS could be disabled rather than every 30 days, keeping the temp hostname alive and that with the VPN active with the correct IP in the key AND the .ovpn file, the whole system will work.
  - schumaku
    Guru - Experienced User
    Mar 29, 2024
    BrainSuperGlue wrote:
    
    Manually adding the actual external address client.ovpn, on the remote line doesn't work.
    
    You can enter any valid IP4 or DNS hostname there, of course.
    
    BrainSuperGlue wrote:
    
    Whilst that config file correctly routes the client through to the external router and the router passes though the TAP traffic through to the Orbi Pro, the encryption key doesn't recognise that external address, so you get a yellow status, rather than the green status.
    
    The OpenVPN client does offer a Show Log File (naming depends on the language version) along with the OpenVPN, nicely accumulated with timestamps.
    
    Post the log file (with the DNS name or IP address xxxx-ed), and we can have an eye on it.
    
    BrainSuperGlue wrote:
    
    When you download the VPN file set from the Orbi Pro VPN admin page (ca.crt, client.crt, client.key and client.ovpn) they all rely on the external IP address that the Orbi Pro can see at the time of the generation, which being dynamic DNS is turned off, is 0.0.0.0..
    
    None of the OpenVPN certificates generated does contain any reference to the IP or th hostname - these are always the same. This isn't https.
    
    Yes, there are some or several shortcomings in this design, for example can the keys not re-generated from scratch.
    
    BrainSuperGlue wrote:
    
    There needs to be an an additional option on that file generation page that says "Manually enter external Internet address that will be used : xxx.xxx.xxx.xxx"..
    
    For the few users with static IP addresses, this would be nice.

Forum Discussion

SXK30 VPN : 0.0.0.0 issue when not using dynamic DNS

12 Replies

Related Content

cax30 - dhcp reservation 0.0.0.0

Nighthawk RS300 Dynamic QoS Missing or Disabled - Help

WAX206 Dynamic DNS

Dynamic QoS Decreasing Speed

403 Forbidden Error with Dynamic DNS

NETGEAR Academy

ProSupport for Business