DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

OpenVPN LAN-LAN 2927lac fw 4.2.2

  • krykngt
  • Topic Author
  • Offline
  • New Member
  • New Member
More
26 Jan 2021 16:42 #98295 by krykngt
OpenVPN LAN-LAN 2927lac fw 4.2.2 was created by krykngt
I have been using various routers at home over the years to connect to the office as a home worker using OpenVPN. I recently purchased the 2927lac which fitted nicely as I live in a rural location with poor DSL service, but good 4G/LTE from EE and Vodafone.

But, when I tried to set up the OpenVPN to the office, the problems started.

First, importing the .ovpn file threw a load of problems with an odd "HTTP Content Error. Try again!!!!!!!!!!" message, which was not all that helpful. After finally getting the file to load, and sorting out the issues with the certs and keys being correct, I uncovered a few more gotchas.

  • The 2927 OpenVPN does not support BF_CBC ciphers.

  • TLS Authentication is somewhat broken. If as a dial-out from the 2927 we use tls-auth we get a warning at the server indicating that the key-direction is incorrect and tls-auth is missing from the remote config.

  • The OpenVPN "pull" option, to gather the routes from the server is also very broken. The server duly provides the routes as we can see in the server log, but no routes ever appear in the 2927 other than those explicitly specified in the LAN-LAN profile.

  • The syslog appears to be very limited in the information it gives about the OpenVPN issues and not really a lot of use in diagnosing problems


The tls-auth issue is awkward, as the 2927 seems to simply ignore the lines in the imported ovpn file related to tls-auth other than the key itself. Turning tls-auth off on the 2927 duly fails the VPN so I must assume it is authenticating correctly. The syslog gives no hints as to what is happening, and seems to ignore the "verb 4" setting in the ovpn file.

The ciphers issue is ok for me, as I managed to get the office peeps to change the ciphers as BF_CBC is not flavour of the month at the moment. But I do think the Draytek OpenVPN should support it for those that want to use exiting OpenVPN servers which have existed for some years, and which we do not have control of.

The "pull" routes failure is fairly catastrophic as it means we have to put each route into the 2927 LAN-LAN profile manually. This means each time a route changes at the office network or routes within the corporate network, the 2927 LAN-LAN config has to be changed.

The syslog problems are also an issue as it makes it very difficult to work out what is going on. It seems to be either working or broken, with very little indication of what is actually going wrong.

The issue with the syslog saying simply " 2021-01-26 15:51:09 OpenVPN (VPN-0, x.x.x.x) Remote option is not matched" isn't all that helpful! I've been through every option I can think of and cannot fathom out which one(s) it is or whether they are missing, mismatched or missing from the server.

Please have a think about the next version of firmware and how this can be made more useable.

Please Log in or Create an account to join the conversation.

More
19 Mar 2021 18:00 #98838 by lightpathit
Replied by lightpathit on topic Re: OpenVPN LAN-LAN 2927lac fw 4.2.2
Hi krykngt,

We get the same HTTP Content Error. Try again!!!!" message when trying to import an .ovpn file. It's great to see that your message is the one reference on the entire internet to the issue!

How were you able to import the tls-auth key? There does not seem to be any other way than with the ovpn file or do you mean that eventually it will work? I've tried about 50 times.

Thanks for any help you can give, seems nothing from DrayTek and it has been almost 2 months.


Steve

Please Log in or Create an account to join the conversation.

More
31 Mar 2021 09:44 #98979 by arundalep
Replied by arundalep on topic Re: OpenVPN LAN-LAN 2927lac fw 4.2.2
I have just purchased a Vigor 2865 for use with an OpenVPN cloud tunnel. I have the newest firmware and get the same http error message most of the time but when it does import it doesn’t support TLS auth.

It seems the OpenVPN support is flakey at best.

Is there anyone from Draytek prepared to respond with a solution before I return the router?

Please Log in or Create an account to join the conversation.

More
31 Mar 2021 13:06 #98985 by hornbyp
Replied by hornbyp on topic Re: OpenVPN LAN-LAN 2927lac fw 4.2.2

arundalep wrote:
Is there anyone from Draytek prepared to respond with a solution before I return the router?


Not in this user forum.

See: https://www.draytek.co.uk/support/contact-support

Please Log in or Create an account to join the conversation.

More
29 Mar 2023 22:00 #102358 by arundalep
Replied by arundalep on topic Re: OpenVPN LAN-LAN 2927lac fw 4.2.2
2 years later, numerous support tickets and FW 4.4.2 finally fixed this issue! :D

Please Log in or Create an account to join the conversation.

Moderators: ChrisSami