RV50x not connecting to OpenVPN Access Server 2.8.3

Hello, I am having a problem connecting a RV50x gateway to an OpenVPN Access Server 2.8.3. I tried multiple configurations with no luck. I disabled TLS auth to try and remove the HMAC errors, but I’m still getting these errors:

Jul 9 20:58:54 err openvpn-1[5804]: Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.3.17)

And then:

Jul 9 20:59:05 err openvpn-1[5804]: Authenticate/Decrypt packet error: packet HMAC authentication failed

Here is the configuration I’m using on the RV50x:

OpenVPN Role Client
Tunnel Mode Routing
Protocol UDP
Encryption Algorithm AES-256
Authentication Algorithm SHA 256
Compression LZO
Load Root Certificate
Root Certificate Name ca1.crt
Client Certificate Enable
Load Client Certificate
Client Certificate Name client1.crt
Load Client Certificate Key
Client Certificate Key Name client1.key
User Name
User Password
User Name/Password Retry Disable
Additional TLS Authentication Disable
Server Certificate Verification NS Cert Type
Advanced
Tunnel-MTU 1500
MSS Fix 1400
Fragment 1300
Allow Peer Dynamic IP Enable
Re-negotiation (seconds) 86400
Ping Interval (seconds) 10
Tunnel Restart (seconds) 60
NAT Enable

Attaching client and server logs.

client log 4.txt (32.9 KB)
server log 4.txt (23.4 KB)

Thank you

Hi @hussmozen,
The first issue: HMAC errors
From the server log, it is using ‘SHA1’ for HMAC authentication:

2020-07-09T16:58:34-0400 [stdout#info] [OVPN 1] OUT: “Thu Jul 9 20:58:34 2020 xxx.xxx.19.103:2823 Outgoing Data Channel: Using 160 bit message hash ‘SHA1’ for HMAC authentication”

However, the RV50 is set to Authentication Algorithm SHA 256, so it might cause the mismatch.
Please change Authentication Algorithm to SHA1 and try again.
The second issue: Unrecognized option or missing parameter. I think you should push the DNS for the server by inserting the lines below into the server.ovpn file.
For example, suppose you would like connecting clients to use an internal DNS server at 10.66.0.4 or 10.66.0.5 and a WINS server at 10.66.0.8. Add this to the OpenVPN server configuration:

push "dhcp-option DNS 10.66.0.4"
push "dhcp-option DNS 10.66.0.5"
push "dhcp-option WINS 10.66.0.8"

Tell me if you have any concerns and help tick Solution if it is helpful to you
Thanks


Hi @Vianney,
Thank you for the prompt response.

I changed the RV50 Authentication Algorithm to SHA1 and it seems the HMAC errors are gone now. But I’m getting a compression related error. So I disabled Compression on the RV50, the server was already disabled, but I’m still seeing the errors:

Server:
2020-07-10T07:44:58-0400 [stdout#info] [OVPN 1] OUT: ‘Fri Jul 10 11:44:58 2020 rv50x22_AUTOLOGIN/xxx.xxx.20.243:8988 Bad compression stub decompression header byte: 0’

Thank you.

client log 5.txt (115.4 KB) server log 5.txt (20.2 KB)

Hi @hussmozen,
Just to confirm: the OpenVPN server is working properly and the error appears when the RV50 tries to connect to the server?
Can you share the server.ovpn configuration file as well?
Thanks

Hello @Vianney

Yes, confirming that the server is working fine with a Windows workstation with no errors. Only when I connect using the RV50x I get the compression errors. I tried disabling compression on the server and the RV50x with no luck. The RV50x will not connect.

Attaching the server configuration file.

Thank you
server config.txt (2.3 KB)

Hi @hussmozen,
Are you sure compression is disabled on both client and server? The server log (https://forum.sierrawireless.com/uploads/short-url/toGoxdinN1JcrhQ0W1E2a8MJ9SF.txt ) is showing

WARNING: ‘comp-lzo’ is present in local config but missing in remote config, local=‘comp-lzo’

I think you can enable the parameter on both then try again
Thanks

Hi @Vianney,

Yes compression was disabled on server when last tests were done. I went through again and tried setting compression on on both devices and off on both devices. Attached are the logs for both tests.

rv50x log no compression.txt (27.0 KB)
server log no compression.txt (7.0 KB)

rv50x log with compression.txt (27.5 KB)
server log with compression.txt (6.8 KB)

Thank you again.

In the rv50x log no compression, I still see the warning
Jul 17 14:56:15 warning openvpn-1[1592]: WARNING: ‘comp-lzo’ is present in remote config but missing in local config, remote=‘comp-lzo’
Please make sure you reset the VPN tunnel after changing any configuration

The server log shows
2020-07-17T16:31:04+0000 [stdout#info] [OVPN 2] OUT: ‘Fri Jul 17 16:31:04 2020 xxxxxxxx_AUTOLOGIN/xxxxxxxx.138.239:12627 Bad LZO decompression header byte: 0’
2020-07-17T16:31:04+0000 [stdout#info] [OVPN 2] OUT: ‘Fri Jul 17 16:31:04 2020 xxxxxxxx_AUTOLOGIN/xxxxxxxx.138.239:12627 Bad LZO decompression header byte: 0’
2020-07-17T16:31:06+0000 [stdout#info] [OVPN 2] OUT: ‘Fri Jul 17 16:31:06 2020 xxxxxxxx_AUTOLOGIN/xxxxxxxx.138.239:12627 Bad LZO decompression header byte: 0’
When you get this entry in the connection log, it might be that the “fragment 1400”, “tun-mtu 1400” and “mssfix 1400” parameters are missing from your config file. Please add them, then try again with LZO enabled
Again, please reset the VPN tunnel after any change
Thanks
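
The log messages quoted in the posts above fall into four recognisable classes. As an added example (not part of any post in this thread, and not Sierra Wireless or OpenVPN code), this script sorts such lines into those classes; the category names and hint wording are this example's own, and the sample lines are copied from the thread.

```python
import re

# Patterns follow the log messages quoted in this thread; hints are this example's wording.
RULES = [
    ("push_option_unsupported",
     re.compile(r"Unrecognized option or missing parameter\(s\) in \[PUSH-OPTIONS\]:\d+: "
                r"(?P<opt>[\w-]+) \((?P<ver>[\d.]+)\)"),
     "server pushes '{opt}', which the logging peer (OpenVPN {ver}) does not parse"),
    ("hmac_mismatch",
     re.compile(r"packet HMAC authentication failed"),
     "compare the HMAC digest and TLS auth settings on both peers"),
    ("option_mismatch",
     re.compile(r"WARNING: ['‘](?P<opt>[\w-]+)['’] is present in (?P<side>local|remote) "
                r"config but missing in (?:local|remote) config"),
     "'{opt}' is set only on the {side} side, relative to the peer that logged it"),
    ("compression_framing",
     re.compile(r"Bad (?P<kind>LZO|compression stub) decompression header byte: (?P<byte>\d+)"),
     "peers disagree on compression framing ({kind}, header byte {byte})"),
]

def triage(lines):
    """Return {category: {"count": int, "hints": set}} for recognised log lines."""
    findings = {}
    for line in lines:
        for name, pattern, hint in RULES:
            match = pattern.search(line)
            if match:
                entry = findings.setdefault(name, {"count": 0, "hints": set()})
                entry["count"] += 1
                entry["hints"].add(hint.format(**match.groupdict()))
                break  # one category per line
    return findings

# Constructed sample: lines as quoted in the posts above (addresses already masked there).
SAMPLE = [
    "Jul 9 20:58:54 err openvpn-1[5804]: Options error: Unrecognized option or missing "
    "parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.3.17)",
    "Jul 9 20:59:05 err openvpn-1[5804]: Authenticate/Decrypt packet error: packet HMAC authentication failed",
    "WARNING: ‘comp-lzo’ is present in local config but missing in remote config, local=‘comp-lzo’",
    "Jul 17 14:56:15 warning openvpn-1[1592]: WARNING: ‘comp-lzo’ is present in remote config "
    "but missing in local config, remote=‘comp-lzo’",
    "rv50x22_AUTOLOGIN/xxx.xxx.20.243:8988 Bad compression stub decompression header byte: 0",
    "xxxxxxxx_AUTOLOGIN/xxxxxxxx.138.239:12627 Bad LZO decompression header byte: 0",
    "xxxxxxxx_AUTOLOGIN/xxxxxxxx.138.239:12627 Bad LZO decompression header byte: 0",
]

if __name__ == "__main__":
    for category, info in triage(SAMPLE).items():
        print(category, info["count"], sorted(info["hints"]))
```

Running it over the client and server logs from the same connection attempt shows whether each side reports the same option as missing, which is the comparison made by hand in the posts above.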

Hello @Vianney

I was able to make it work beautifully with the community version of OpenVPN. But no luck with the OpenVPN Access Server.

I tried the above settings you mentioned, and the RV50 worked but then my Windows clients stopped working.

Any ideas?

Thanks.

Hi @hussmozen,
It’s great to hear that the RV50 works well. It has no problem with the community version, meaning the RV50 is configured correctly. Please contact the OpenVPN Access Server administrator for further support
Please help tick Solution if the above information is useful to you
Thanks

Just an FYI, Compression LZO has been deprecated as any compression reduces the security of the link.
I’d suggest disabling it altogether.

I would like to add that our IT department said the OpenVPN version on these modems is so old and very inflexible. Hard to believe that Sierra Wireless left so few options for VPN setup.