DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

OpenVPN LAN-LAN 2927lac fw 4.2.2

26 Jan 2021 16:42 #1 by krykngt
OpenVPN LAN-LAN 2927lac fw 4.2.2 was created by krykngt
I have been using various routers at home over the years to connect to the office as a home worker using OpenVPN. I recently purchased the 2927lac which fitted nicely as I live in a rural location with poor DSL service, but good 4G/LTE from EE and Vodafone.

But, when I tried to set up the OpenVPN to the office, the problems started.

First, importing the .ovpn file threw a load of problems with an odd "HTTP Content Error. Try again!!!!!!!!!!" message, which was not all that helpful. After finally getting the file to load, and sorting out the issues with the certs and keys being correct, I uncovered a few more gotchas.

  • The 2927 OpenVPN does not support BF_CBC ciphers.

  • TLS Authentication is somewhat broken. If as a dial-out from the 2927 we use tls-auth we get a warning at the server indicating that the key-direction is incorrect and tls-auth is missing from the remote config.

  • The OpenVPN "pull" option, to gather the routes from the server is also very broken. The server duly provides the routes as we can see in the server log, but no routes ever appear in the 2927 other than those explicitly specified in the LAN-LAN profile.

  • The syslog appears to be very limited in the information it gives about the OpenVPN issues and not really a lot of use in diagnosing problems.


The tls-auth issue is awkward, as the 2927 seems to simply ignore the lines in the imported ovpn file related to tls-auth other than the key itself. Turning tls-auth off on the 2927 duly fails the VPN so I must assume it is authenticating correctly. The syslog gives no hints as to what is happening, and seems to ignore the "verb 4" setting in the ovpn file.

The ciphers issue is ok for me, as I managed to get the office peeps to change the ciphers as BF_CBC is not flavour of the month at the moment. But I do think the Draytek OpenVPN should support it for those that want to use existing OpenVPN servers which have existed for some years, and which we do not have control of.

The "pull" routes failure is fairly catastrophic as it means we have to put each route into the 2927 LAN-LAN profile manually. This means each time a route changes at the office network or routes within the corporate network, the 2927 LAN-LAN config has to be changed.

The syslog problems are also an issue as it makes it very difficult to work out what is going on. It seems to be either working or broken, with very little indication of what is actually going wrong.

The issue with the syslog saying simply "2021-01-26 15:51:09 OpenVPN (VPN-0, x.x.x.x) Remote option is not matched" isn't all that helpful! I've been through every option I can think of and cannot fathom out which one(s) it is or whether they are missing, mismatched or missing from the server.

Please have a think about the next version of firmware and how this can be made more useable.
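
Added example, not part of the original post and not DrayTek's or OpenVPN's own check: when the log does not say which option differs, one approach is to diff the client .ovpn against the server config offline. The directive list in `MUST_MATCH`, the function names and both sample configs are assumptions constructed for illustration; the tls-auth rule follows the OpenVPN manual (one peer uses direction 0 and the other 1, or both omit it).

```python
import re

# Assumed subset of directives that both peers must set identically.
MUST_MATCH = ("cipher", "auth", "comp-lzo")

def parse_ovpn(text):
    """Map each directive to its argument list; inline <tag> blocks become ["inline"]."""
    opts, inline = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if inline:                          # skip key material inside <tag>...</tag>
            if line == f"</{inline}>":
                inline = None
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            inline = m.group(1)
            opts[inline] = ["inline"]
        elif line and not line.startswith(";"):
            name, *args = line.split()
            opts[name] = args
    return opts

def key_direction(opts):
    """Direction from 'tls-auth <file> <dir>' or a separate 'key-direction <dir>'."""
    if "tls-auth" not in opts:
        return "absent"
    args = opts["tls-auth"]
    if len(args) > 1 and args[1] in ("0", "1"):
        return args[1]
    kd = opts.get("key-direction", [])
    return kd[0] if kd else "bidirectional"

def compare(client_text, server_text):
    """Return a list of human-readable mismatches between the two configs."""
    c, s = parse_ovpn(client_text), parse_ovpn(server_text)
    # None means the directive is unset, so that peer falls back to its build default.
    issues = [f"{n}: client={c.get(n)} server={s.get(n)}"
              for n in MUST_MATCH if c.get(n) != s.get(n)]
    cd, sd = key_direction(c), key_direction(s)
    if not ((cd == sd and cd in ("absent", "bidirectional")) or {cd, sd} == {"0", "1"}):
        issues.append(f"tls-auth direction: client={cd} server={sd}")
    return issues

# Constructed sample configs (not taken from the thread).
SERVER = "proto udp\ncipher AES-256-CBC\nauth SHA1\ntls-auth ta.key 0\n"
CLIENT_BAD = "client\npull\ncipher BF-CBC\nauth SHA1\ntls-auth ta.key  # no direction\n"
CLIENT_OK = ("client\ncipher AES-256-CBC\nauth SHA1\nkey-direction 1\n"
             "<tls-auth>\n-----BEGIN OpenVPN Static key V1-----\n</tls-auth>\n")

if __name__ == "__main__":
    print("\n".join(compare(CLIENT_BAD, SERVER)) or "no mismatches")
```
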

19 Mar 2021 18:00 #2 by lightpathit
Replied by lightpathit on topic Re: OpenVPN LAN-LAN 2927lac fw 4.2.2
Hi krykngt,

We get the same "HTTP Content Error. Try again!!!!" message when trying to import an .ovpn file. It's great to see that your message is the one reference on the entire internet to the issue!

How were you able to import the tls-auth key? There does not seem to be any other way than with the ovpn file or do you mean that eventually it will work? I've tried about 50 times.

Thanks for any help you can give, seems nothing from DrayTek and it has been almost 2 months.


Steve

31 Mar 2021 09:44 #3 by arundalep
Replied by arundalep on topic Re: OpenVPN LAN-LAN 2927lac fw 4.2.2
I have just purchased a Vigor 2865 for use with an OpenVPN cloud tunnel. I have the newest firmware and get the same http error message most of the time but when it does import it doesn’t support TLS auth.

It seems the OpenVPN support is flakey at best.

Is there anyone from Draytek prepared to respond with a solution before I return the router?

31 Mar 2021 13:06 #4 by hornbyp
Replied by hornbyp on topic Re: OpenVPN LAN-LAN 2927lac fw 4.2.2

arundalep wrote:
Is there anyone from Draytek prepared to respond with a solution before I return the router?


Not in this user forum.

See: https://www.draytek.co.uk/support/contact-support

29 Mar 2023 22:00 #5 by arundalep
Replied by arundalep on topic Re: OpenVPN LAN-LAN 2927lac fw 4.2.2
2 years later, numerous support tickets and FW 4.4.2 finally fixed this issue! :D
