
XR500 Custom Hybrid AWS VPN not working

walle1
Aspirant

XR500 Custom Hybrid AWS VPN not working

I can connect to my VPN with the .ovpn files generated from the AWS Debian 10 Buster Linux server with or without password (made 2 .ovpn accounts, one with pass, one without) on both a PC and Mac.

 

After pasting the .ovpn file into the XR500 Hybrid VPN custom field, with no username or password, and clicking connect, I get this error:


Wed Jul 29 16:13:06 2020 OpenVPN 2.4.3 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 16 2019
Wed Jul 29 16:13:06 2020 library versions: OpenSSL 1.0.2n 7 Dec 2017, LZO 2.06
Wed Jul 29 16:13:06 2020 ERROR: username from Auth authfile '/tmp/lua_J1lnA6' is empty
Wed Jul 29 16:13:06 2020 Exiting due to fatal error


If I use a username and password, I get this error:

Wed Jul 29 16:15:19 2020 OpenVPN 2.4.3 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 16 2019
Wed Jul 29 16:15:19 2020 library versions: OpenSSL 1.0.2n 7 Dec 2017, LZO 2.06
Wed Jul 29 16:15:19 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Jul 29 16:15:19 2020 neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Private Key Password:'. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Wed Jul 29 16:15:19 2020 Exiting due to fatal error


I've tried 2 different OpenVPN install scripts, with all default options, both give the same error as above:

curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh ; chmod +x openvpn-install.sh ; ./openvpn-install.sh

wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh

Model: XR500|Nighthawk Pro Gaming Router
Message 1 of 16
Netduma-Fraser
NetDuma Partner

Re: XR500 Custom Hybrid AWS VPN not working

Could you provide one of the ovpn files you're using please and we'll take a look.
Message 2 of 16
walle1
Aspirant

Re: XR500 Custom Hybrid AWS VPN not working

.ovpn with user and pass:

 

client
proto udp
explicit-exit-notify
remote <VPN IP> <PORT>
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_rdKGYtqAmhMbmhTW name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>

Model: XR500|Nighthawk Pro Gaming Router
Message 3 of 16
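An added example, not part of any post in this thread and not NETGEAR or Netduma code: a small Python check for the two fatal conditions the router logs above report, an encrypted inline private key with no terminal to prompt on, and an auth file whose username line is empty. The function names, finding labels and sample profile are constructed for illustration; that the router starts OpenVPN without a terminal and hands it an auth file is inferred from the log lines.

```python
import re

# Constructed sample: directives mirror the profile posted in this thread,
# the key body is a placeholder, not real key material.
SAMPLE_OVPN = """\
client
proto udp
dev tun
auth-nocache
cipher AES-128-GCM
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
PLACEHOLDER
-----END ENCRYPTED PRIVATE KEY-----
</key>
"""

# PKCS#8 encrypted header, and the legacy PEM encryption header
ENCRYPTED_MARKERS = ("BEGIN ENCRYPTED PRIVATE KEY", "Proc-Type: 4,ENCRYPTED")

def parse_ovpn(text):
    """Return (directives, inline_blocks) from an OpenVPN client profile."""
    directives, blocks, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if current:                                  # inside <tag> ... </tag>
            if line == f"</{current}>":
                current = None
            else:
                blocks[current].append(line)
        elif re.fullmatch(r"<([\w-]+)>", line):      # opening inline tag
            current = line[1:-1]
            blocks[current] = []
        elif line and line[0] not in "#;":           # skip comments
            name, *rest = line.split(None, 1)
            directives[name] = rest[0] if rest else ""
    return directives, blocks

def lint_headless(ovpn_text, auth_file_text=None):
    """List reasons a client with no terminal would exit before connecting."""
    directives, blocks = parse_ovpn(ovpn_text)
    findings = []
    key = "\n".join(blocks.get("key", []))
    if any(marker in key for marker in ENCRYPTED_MARKERS):
        if "askpass" not in directives:              # nothing can supply the passphrase
            findings.append("encrypted-key-without-askpass")
        if "auth-nocache" in directives:             # the log says this cannot be combined
            findings.append("auth-nocache-with-encrypted-key")
    if auth_file_text is not None:                   # auth file: username line, then password line
        if not auth_file_text.split("\n", 1)[0].strip():
            findings.append("empty-username-in-auth-file")
    return findings
```

Calling `lint_headless(profile_text, auth_file_text)` with the pasted profile and the username/password the GUI would write out reports which of the two log errors to expect before the router is involved.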
Netduma-Fraser
NetDuma Partner

Re: XR500 Custom Hybrid AWS VPN not working

Thank you, while I look over this do you know which OpenVPN version this will be using?
Message 4 of 16
walle1
Aspirant

Re: XR500 Custom Hybrid AWS VPN not working

OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

Model: XR500|Nighthawk Pro Gaming Router
Message 5 of 16
Netduma-Fraser
NetDuma Partner

Re: XR500 Custom Hybrid AWS VPN not working

Thank you, I think the issue is that it's trying to authenticate with the user/pass as part of the config but we don't support that. Can they provide a new config where you can input the user/pass outside the config?
Message 6 of 16
walle1
Aspirant

Re: XR500 Custom Hybrid AWS VPN not working

This is the error in Custom VPN Hybrid with no user/pass .ovpn:

Wed Jul 29 16:13:06 2020 OpenVPN 2.4.3 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 16 2019
Wed Jul 29 16:13:06 2020 library versions: OpenSSL 1.0.2n 7 Dec 2017, LZO 2.06
Wed Jul 29 16:13:06 2020 ERROR: username from Auth authfile '/tmp/lua_J1lnA6' is empty
Wed Jul 29 16:13:06 2020 Exiting due to fatal error

Message 7 of 16
walle1
Aspirant

Re: XR500 Custom Hybrid AWS VPN not working

Forum would not paste text so here are 2 images of the .ovpn with no user/pass:

 

Model: XR500|Nighthawk Pro Gaming Router
Message 8 of 16
walle1
Aspirant

Re: XR500 Custom Hybrid AWS VPN not working

 
Model: XR500|Nighthawk Pro Gaming Router
Message 9 of 16
Netduma-Fraser
NetDuma Partner

Re: XR500 Custom Hybrid AWS VPN not working

Looks like the same config but regardless could you try this please:

client
dev tun
proto udp
remote <VPN IP> <PORT>
cipher AES-128-GCM
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
remote-cert-tls server
verify-x509-name server_rdKGYtqAmhMbmhTW name
auth-user-pass

Put this entry under the rest of the file:
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
Message 10 of 16
walle1
Aspirant

Re: XR500 Custom Hybrid AWS VPN not working

Same error:

 

Mon Aug 3 15:59:05 2020 OpenVPN 2.4.3 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 16 2019
Mon Aug 3 15:59:05 2020 library versions: OpenSSL 1.0.2n 7 Dec 2017, LZO 2.06
Mon Aug 3 15:59:05 2020 ERROR: username from Auth authfile '/tmp/lua_hJ51f1' is empty
Mon Aug 3 15:59:05 2020 Exiting due to fatal error

 

If you have access to Amazon AWS, you could try using the 2 different OpenVPN install scripts in message #1

Model: XR500|Nighthawk Pro Gaming Router
Message 11 of 16
Netduma-Fraser
NetDuma Partner

Re: XR500 Custom Hybrid AWS VPN not working

I don't have easy access to this unfortunately. I can ask a dev to see if they can take a look and see if they have an idea but they are very busy at the moment.
Message 12 of 16
walle1
Aspirant

Re: XR500 Custom Hybrid AWS VPN not working

@Netduma-Fraser I set you up with an AWS login to try it out.
Any IPs/ports have been set to open in the AWS console security group, and no firewall is set up.
I sent the login details in a private message.

Model: XR500|Nighthawk Pro Gaming Router
Message 13 of 16
Netduma-Fraser
NetDuma Partner

Re: XR500 Custom Hybrid AWS VPN not working

Thanks a lot, I/we will take a look and get back to you when we can.
Message 14 of 16
walle1
Aspirant

Re: XR500 Custom Hybrid AWS VPN not working

It's been over a week, has anyone looked at this yet?

Model: XR500|Nighthawk Pro Gaming Router
Message 15 of 16
Netduma-Fraser
NetDuma Partner

Re: XR500 Custom Hybrid AWS VPN not working

We've been really busy this week but I'll try to get a dev to take a look next week if they're able to.
Message 16 of 16