URGENT HELP - Problem with RUT 241 connecting to OpenVPN server after fw upgrade

Dear Members,

We have just upgraded to the latest FW on our RUT 241 and now we cannot connect to our OpenVPN AS using the config file.

Any suggestions much appreciated.

Please see the logs below:

Thu Aug 29 13:03:21 2024 daemon.err openvpn(VPN)[27213]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.6.9)
Thu Aug 29 13:03:21 2024 daemon.err openvpn(VPN)[27213]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.6.9)
Thu Aug 29 13:03:21 2024 daemon.err openvpn(VPN)[27213]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.6.9)
Thu Aug 29 13:03:21 2024 daemon.warn openvpn(VPN)[27213]: WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
Thu Aug 29 13:03:21 2024 daemon.warn openvpn(VPN)[27213]: WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
Thu Aug 29 13:03:21 2024 daemon.err openvpn(VPN)[27213]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:21: register-dns (2.6.9)
Thu Aug 29 13:03:21 2024 daemon.notice openvpn(VPN)[27213]: OPTIONS IMPORT: --ifconfig/up options modified
Thu Aug 29 13:03:21 2024 daemon.notice openvpn(VPN)[27213]: OPTIONS IMPORT: route options modified
Thu Aug 29 13:03:21 2024 daemon.notice openvpn(VPN)[27213]: OPTIONS IMPORT: route-related options modified
Thu Aug 29 13:03:21 2024 daemon.notice openvpn(VPN)[27213]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Aug 29 13:03:21 2024 daemon.notice openvpn(VPN)[27213]: OPTIONS IMPORT: tun-mtu set to 1500
Thu Aug 29 13:03:21 2024 daemon.notice openvpn(VPN)[27213]: net_route_v4_best_gw query: dst 0.0.0.0
Thu Aug 29 13:03:21 2024 daemon.notice openvpn(VPN)[27213]: net_route_v4_best_gw result: via 0.0.0.0 dev qmimux0
Thu Aug 29 13:03:21 2024 daemon.notice openvpn(VPN)[27213]: net_iface_new: add tun_c_VPN type ovpn-dco
Thu Aug 29 13:03:21 2024 daemon.notice openvpn(VPN)[27213]: DCO device tun_c_VPN opened
Thu Aug 29 13:03:21 2024 daemon.notice openvpn(VPN)[27213]: net_iface_mtu_set: mtu 1500 for tun_c_VPN
Thu Aug 29 13:03:21 2024 daemon.notice openvpn(VPN)[27213]: net_iface_up: set tun_c_VPN up
Thu Aug 29 13:03:21 2024 daemon.notice openvpn(VPN)[27213]: net_addr_v4_add: 10.2.9.10/16 dev tun_c_VPN
Thu Aug 29 13:03:21 2024 daemon.notice openvpn(VPN)[27213]: /etc/openvpn/updown.sh tun_c_VPN 1500 0 10.2.9.10 255.255.0.0 init
Thu Aug 29 13:03:24 2024 daemon.notice openvpn(VPN)[27213]: dco_new_key: netlink reports object not found, ovpn-dco unloaded?
Thu Aug 29 13:03:24 2024 daemon.notice openvpn(VPN)[27213]: dco_new_key: failed to send netlink message: No such file or directory (-2)
Thu Aug 29 13:03:24 2024 daemon.err openvpn(VPN)[27213]: Impossible to install key material in DCO: No such file or directory
Thu Aug 29 13:03:24 2024 daemon.notice openvpn(VPN)[27213]: Exiting due to fatal error
Thu Aug 29 13:03:24 2024 daemon.notice openvpn(VPN)[27213]: Closing DCO interface
Thu Aug 29 13:03:24 2024 daemon.notice openvpn(VPN)[27213]: net_addr_v4_del: 10.2.9.10 dev tun_c_VPN
Thu Aug 29 13:03:24 2024 daemon.notice openvpn(VPN)[27213]: net_iface_del: delete tun_c_VPN
Thu Aug 29 13:03:24 2024 daemon.notice openvpn(VPN)[27213]: /etc/openvpn/updown.sh tun_c_VPN 1500 0 10.2.9.10 255.255.0.0 init
Thu Aug 29 13:03:30 2024 daemon.warn openvpn(VPN)[27579]: DEPRECATED OPTION: --cipher set to ‘AES-256-CBC’ but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
Thu Aug 29 13:03:30 2024 daemon.notice openvpn(VPN)[27579]: OpenVPN 2.6.9 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
Thu Aug 29 13:03:30 2024 daemon.notice openvpn(VPN)[27579]: library versions: OpenSSL 3.0.14 4 Jun 2024, LZO 2.10
Thu Aug 29 13:03:30 2024 daemon.notice openvpn(VPN)[27579]: DCO version: N/A
Thu Aug 29 13:03:30 2024 daemon.warn openvpn(VPN)[27579]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

Hello

I’m not sure how it worked for you previously, but I cannot find any of these push options in the documentation: dhcp-pre-release; dhcp-renew; dhcp-release; register-dns.

These options might have been introduced through custom scripts or configurations in a specific environment, rather than being standard OpenVPN push options. In some cases, custom solutions are built around OpenVPN to handle DHCP-related tasks.

Anyway, I think push options shouldn’t be the main issue.

But this error looks concerning:

“Thu Aug 29 13:03:24 2024 daemon.err openvpn(VPN)[27213]: Impossible to install key material in DCO: No such file or directory”

DCO is a feature in OpenVPN that offloads data channel processing to the kernel, which can improve performance. It requires specific kernel support and modules to function.

“Impossible to install key material”: This means OpenVPN tried to load the necessary encryption keys into the DCO module but failed.

“No such file or directory”: This suggests that the necessary DCO support files or kernel modules are missing or not properly installed on your system.

Issue: The OpenVPN configuration might be referencing or enabling DCO when it’s not supported on the system.

Why It’s Relevant: If the configuration file was automatically updated during the firmware upgrade to include DCO, or if the new OpenVPN version has DCO enabled by default, and the system doesn’t support it, this error would be thrown.

Solution: Check the OpenVPN configuration file and explicitly disable DCO by adding the line “dco no” to the OpenVPN configuration file. This will prevent OpenVPN from attempting to use a feature that the system doesn’t support.

Additionally, depending on when you last updated your firmware, it’s worth noting that the firmware version released on July 18, 2024, includes an update to OpenVPN version 2.6.9. If your firmware was older than version 07.08 before this update, the recent firmware upgrade may have introduced this new version of OpenVPN. There could be compatibility issues if your server is running an older version of OpenVPN.

To assist with troubleshooting this issue effectively, we would appreciate it if you could provide us with some key files and information. I’ll send you instructions on how to share these details with us privately through Hubspot:

  • Could you please send us your OpenVPN configuration file, excluding any sensitive information?
  • Could you also send us the troubleshooting file from your RUT241 router?
  • Additionally, could you provide more details about the server configuration? Is the server another one of our RUT devices, or is it something else?

Providing this information will greatly aid us in investigating the issue further.

Kind regards,

Hi LukasV,

The DCO option has already been disabled.

It seems we needed to add AES 128 ciphers, and then it connected fine.
The issue seems to be related to the cipher.

Hello once again,

It looks like the issue was indeed related to the ciphers. Good to hear that adding AES 128 ciphers fixed the problem and that everything is working fine now. If anything else comes up, feel free to reach out!

Kind regards,
Lukas
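
An added example, not part of any post above and not Teltonika's or OpenVPN's own code: a small Python triage of the client log from the first post, separating the three findings the thread discusses (skipped push options, the fatal DCO key-install failure, and the --cipher / --data-ciphers mismatch). The function name triage and the report keys are hypothetical; the four sample lines are copied from the log above.

```python
import re

# Four lines copied from the log in the first post of this thread.
SAMPLE_LOG = """\
Thu Aug 29 13:03:21 2024 daemon.err openvpn(VPN)[27213]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.6.9)
Thu Aug 29 13:03:21 2024 daemon.err openvpn(VPN)[27213]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:21: register-dns (2.6.9)
Thu Aug 29 13:03:24 2024 daemon.err openvpn(VPN)[27213]: Impossible to install key material in DCO: No such file or directory
Thu Aug 29 13:03:30 2024 daemon.warn openvpn(VPN)[27579]: DEPRECATED OPTION: --cipher set to ‘AES-256-CBC’ but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
"""

PREFIX = re.compile(r"openvpn\((?P<inst>[^)]*)\)\[(?P<pid>\d+)\]: (?P<msg>.*)")
PUSH = re.compile(r"in \[PUSH-OPTIONS\]:\d+: (\S+)")
# \W? tolerates ASCII or typographic quotes around the cipher name.
CIPHER = re.compile(r"--cipher set to \W?([\w-]+)\W? but missing in --data-ciphers \(([^)]*)\)")


def triage(log_text):
    """Sort OpenVPN client syslog lines into the three findings from the thread."""
    report = {"ignored_push": [], "dco_fatal_pids": [], "cipher": None}
    for line in log_text.splitlines():
        m = PREFIX.search(line)
        if not m:
            continue  # not an openvpn syslog line
        pid, msg = int(m["pid"]), m["msg"]
        push = PUSH.search(msg)
        cipher = CIPHER.search(msg)
        if push and push.group(1) not in report["ignored_push"]:
            # Pushed option this client build does not recognise.
            report["ignored_push"].append(push.group(1))
        elif "install key material in DCO" in msg and pid not in report["dco_fatal_pids"]:
            # Data-channel keys could not be loaded into the kernel offload module.
            report["dco_fatal_pids"].append(pid)
        elif cipher:
            offered = cipher.group(2).split(":")
            report["cipher"] = {
                "pid": pid,
                "configured": cipher.group(1),
                "offered": offered,
                "configured_is_offered": cipher.group(1) in offered,
            }
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The differing PIDs in the report show that the DCO failure and the cipher warning come from two separate client processes, the second one started after the first exited.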