× NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
× Introducing the new Orbi 770 Series Mesh System. To learn more click here.
Orbi WiFi 7 RBE973
Reply

Re: OpenVPN not connecting

MedRedRaider
Aspirant

OpenVPN not connecting

I know there are countless posts about trying to get VPN access to an Orbi router.  I've looked all over for a solution to my issue but I still can't find it.

 

I'm trying to set up a VPN for my home network to access a NAS.  I went thru all the steps to set up OpenVPN with my Orbi router.  DDNS has been activated.  VPN access has been enabled.

 

I have downloaded the necessary files to my laptop (which will be the client) and the OpenVPN GUI software won't connect.  It gives me these same error messages, but from what I've read, it should still connect despite these warnings:

 

WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.

(I don't know how to fix this)


DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.

(I have heard this is a security limitation of the Orbi router and cannot be fixed at this time)

 

Does anyone have any insight to these issues?  I feel like I'm pretty tech savvy, but all this networking stuff is pretty new to me.  Below is my setup:

 

Starlink Gen 1 Service

Orbi RBR40 Router

Message 1 of 4
CrimpOn
Guru

Re: OpenVPN not connecting

Doesn't OpenVPN Client on the laptop produce a log file?  Would help to see that (xxx out your actual DDNS name and IP address)

 

Probably useful to double check that the Orbi is not "behind" another router.  i.e. the IP address on the Advanced Tab home screen matches the IP shown on one of the "what is my IP address" web sites.

 

Message 2 of 4
MedRedRaider
Aspirant

Re: OpenVPN not connecting

So I did actually have my Orbi router behind a starlink router, likely causing some serious problems.  I wasn't aware that on Starlink Gen 1, you could just take out their router altogether.  This has been done now.  Still having issues though.  I've gone ahead and redone the VPN and certificates and such on the client laptop.As for the log files, that's what was in my last post.  Below is the same thing with the timestamps for clarity:

 

2023-02-27 17:17:38 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2023-02-27 17:17:38 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.

Spoiler


  

 

Message 3 of 4
CrimpOn
Guru

Re: OpenVPN not connecting

Yes, when the Orbi is 'behind' another router, that first router firewall will block all connection attempts, which means

  • ports cannot be forwarded through the Orbi (because the connections never reach the Orbi)
  • certain internet gaming applications fail miserably.
  • and..... OpenVPN connections never reach the router.

Had expected more detail in the log. (Maybe it depends on which OpenVPN program is being used.  This is from an OpenVPN Connect session from last September.  (Connecting from home is a chore because I have to create a Hot Spot on the phone and connect a laptop to it. Right this minute, the laptop is involved in a <tragically failing> attempt to hack another router.)

[Sep 8, 2022, 12:28:03] OpenVPN core 3.git::d3f8b18b win x86_64 64-bit built on Mar 17 2022 11:42:02
⏎[Sep 8, 2022, 12:28:03] Frame=512/2048/512 mssfix-ctrl=1250
⏎[Sep 8, 2022, 12:28:03] UNUSED OPTIONS
3 [dev-node] [NETGEAR-VPN]
5 [resolv-retry] [infinite]
6 [nobind]
7 [persist-key]
8 [persist-tun]
14 [verb] [0]
15 [sndbuf] [393216]
16 [rcvbuf] [393216]
17 [route-method] [exe]
⏎[Sep 8, 2022, 12:28:03] EVENT: RESOLVE ⏎[Sep 8, 2022, 12:28:03] Contacting xxx.xxx.xxx.xxx:12973 via UDP
⏎[Sep 8, 2022, 12:28:03] EVENT: WAIT ⏎[Sep 8, 2022, 12:28:03] WinCommandAgent: transmitting bypass route to xxx.xxx.xxx.xxx
{
	"host" : "xxx.xxx.xxx.xxx",
	"ipv6" : false
}

⏎[Sep 8, 2022, 12:28:03] Connecting to [My-DDNS-Name]:12973 (xxx.xxx.xxx.xxx) via UDPv4
⏎[Sep 8, 2022, 12:28:03] EVENT: CONNECTING ⏎[Sep 8, 2022, 12:28:03] Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client
⏎[Sep 8, 2022, 12:28:03] Creds: UsernameEmpty/PasswordEmpty
⏎[Sep 8, 2022, 12:28:03] Peer Info:
IV_VER=3.git::d3f8b18b
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-128-CBC
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_AUTO_SESS=1
IV_GUI_VER=OCWindows_3.3.6-2752
IV_SSO=webauth,openurl,crtext

⏎[Sep 8, 2022, 12:28:04] SSL Handshake: peer certificate: CN=server, 1024 bit RSA, cipher: ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD

⏎[Sep 8, 2022, 12:28:04] Session is ACTIVE
⏎[Sep 8, 2022, 12:28:04] EVENT: GET_CONFIG ⏎[Sep 8, 2022, 12:28:04] Sending PUSH_REQUEST to server...
⏎[Sep 8, 2022, 12:28:04] OPTIONS:
0 [dhcp-option] [DNS] [192.168.1.1]
1 [route-gateway] [192.168.2.1]
2 [topology] [subnet]
3 [ping] [10]
4 [ping-restart] [120]
5 [redirect-gateway] [def1]
6 [ifconfig] [192.168.2.2] [255.255.255.0]
7 [peer-id] [0]
8 [cipher] [AES-256-GCM]

⏎[Sep 8, 2022, 12:28:04] PROTOCOL OPTIONS:
  cipher: AES-256-GCM
  digest: NONE
  key-derivation: OpenVPN PRF
  compress: LZO_STUB
  peer ID: 0
⏎[Sep 8, 2022, 12:28:04] EVENT: ASSIGN_IP ⏎[Sep 8, 2022, 12:28:04] CAPTURED OPTIONS:
Session Name: My-DDNS-Name
Layer: OSI_LAYER_3
Remote Address: xxx.xxx.xxx.xxx
Tunnel Addresses:
  192.168.2.2/24 -> 192.168.2.1
Reroute Gateway: IPv4=1 IPv6=0 flags=[ ENABLE REROUTE_GW DEF1 IPv4 ]
Block IPv6: no
Add Routes:
Exclude Routes:
DNS Servers:
  192.168.1.1
Search Domains:

⏎[Sep 8, 2022, 12:28:07] SetupClient: transmitting tun setup list to \\.\pipe\agent_ovpnconnect
{
	"allow_local_dns_resolvers" : false,
	"confirm_event" : "dc0c000000000000",
	"destroy_event" : "440e000000000000",
	"tun" : 
	{
		"adapter_domain_suffix" : "",
		"block_ipv6" : false,
		"dns_servers" : 
		[
			{
				"address" : "192.168.1.1",
				"ipv6" : false
			}
		],
		"layer" : 3,
		"mtu" : 0,
		"remote_address" : 
		{
			"address" : "xxx.xxx.xxx.xxx",
			"ipv6" : false
		},
		"reroute_gw" : 
		{
			"flags" : 275,
			"ipv4" : true,
			"ipv6" : false
		},
		"route_metric_default" : -1,
		"session_name" : "My-DDNS-Name",
		"tunnel_address_index_ipv4" : 0,
		"tunnel_address_index_ipv6" : -1,
		"tunnel_addresses" : 
		[
			{
				"address" : "192.168.2.2",
				"gateway" : "192.168.2.1",
				"ipv6" : false,
				"metric" : -1,
				"net30" : false,
				"prefix_length" : 24
			}
		]
	},
	"wintun" : false
}
POST np://[\\.\pipe\agent_ovpnconnect]/tun-setup : 200 OK
TAP ADAPTERS:
guid='{279075C7-FDB0-4C2F-8216-E2BD700F83A4}' index=6 name='Local Area Connection'
Open TAP device "Local Area Connection" PATH="\\.\Global\{279075C7-FDB0-4C2F-8216-E2BD700F83A4}.tap" SUCCEEDED
TAP-Windows Driver Version 9.24
ActionDeleteAllRoutesOnInterface iface_index=6
netsh interface ip set interface 6 metric=1
Ok.
netsh interface ip set address 6 static 192.168.2.2 255.255.255.0 gateway=192.168.2.1 store=active
netsh interface ip add route xxx.xxx.xxx.xxx/32 2 192.168.43.60 store=active
The object already exists.
netsh interface ip add route 0.0.0.0/1 6 192.168.2.1 store=active
Ok.
netsh interface ip add route 128.0.0.0/1 6 192.168.2.1 store=active
Ok.
netsh interface ip set dnsservers 6 static 192.168.1.1 register=primary validate=no
NRPT::ActionCreate names=[.] dns_servers=[192.168.1.1]
ActionWFP openvpn_app_path=C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe tap_index=6 enable=1
permit IPv4 DNS requests from OpenVPN app
permit IPv6 DNS requests from OpenVPN app
block IPv4 DNS requests from other apps
block IPv6 DNS requests from other apps
allow IPv4 traffic from TAP
allow IPv6 traffic from TAP
ipconfig /flushdns
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
TAP: ARP flush succeeded
TAP handle: 6806000000000000
⏎[Sep 8, 2022, 12:28:07] Connected via TUN_WIN
⏎[Sep 8, 2022, 12:28:07] LZO-ASYM init swap=0 asym=1
⏎[Sep 8, 2022, 12:28:07] Comp-stub init swap=0
⏎[Sep 8, 2022, 12:28:07] EVENT: CONNECTED My-DDNS-Name:12973 (xxx.xxx.xxx.xxx) via /UDPv4 on TUN_WIN/192.168.2.2/ gw=[192.168.2.1/]

 

Message 4 of 4
Top Contributors
Discussion stats
  • 3 replies
  • 1960 views
  • 0 kudos
  • 2 in conversation
Announcements

Orbi 770 Series