Help with OpenVPN client on FreshTomato

Hi, I’m running FreshTomato 2020.3 on a Netgear R7000. I have successfully configured the OpenVPN client with my provider config, which in this case is Surfshark. The VPN connects, but no matter which client device on my network I test from, the WAN IP is still my normal one, and traffic doesn’t seem to be redirecting down the VPN. I have the “redirect internet traffic” set to “all” and I’m not currently using a routing policy. I tried setting it to use the routing policy and added a single client device to test with, and again it still came back with the normal WAN IP and traffic did not seem to be redirecting across the VPN tunnel. If I go to the status tab in the VPN configuration I can see that the “TCP/UDP write bytes” counter is counting up, but all the other rows are static at zero: no TCP/UDP read bytes or anything on the TUN/TAP read or write bytes. So something isn’t quite right somewhere.

I haven’t figured out how to attach pictures in this post on the android app (if it’s even possible), I was going to attach some screenshots of my config.

Any assistance would be appreciated.

Cheers.

Assuming you followed their guide, all I can really advise is to look in your logs to see if it’s connecting successfully or if something’s going wrong with the routing. Perhaps you don’t want their last custom line, log /tmp/vpn.log, because that would redirect the log away from Tomato’s.

On the Basic tab:

Ensure that TLS control channel security is set to Outgoing Auth (1).

Edit: And that Auth digest is set to SHA512.

On the Advanced tab, ensure that:

  • Cipher Negotiation is set to Disabled.
  • Legacy/fallback cipher is set to AES-256-CBC.
  • Compression is set to Disabled.
  • Verify server certificate is checked.

I believe for Surfshark you would need to copy and paste their authentication key from the website.

Upon checking the logs, the following TLS handshake error is present, but I cannot work out what incorrect configuration there might be:

Jul 30 08:43:22 unknown daemon.err openvpn[28533]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jul 30 08:43:22 unknown daemon.err openvpn[28533]: TLS Error: TLS handshake failed
Jul 30 08:43:22 unknown daemon.notice openvpn[28533]: SIGUSR1[soft,tls-error] received, process restarting
Jul 30 08:43:22 unknown daemon.notice openvpn[28533]: Restart pause, 5 second(s)
Jul 30 08:43:27 unknown daemon.warn openvpn[28533]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
Jul 30 08:43:27 unknown daemon.warn openvpn[28533]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jul 30 08:43:27 unknown daemon.warn openvpn[28533]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 30 08:43:27 unknown daemon.notice openvpn[28533]: TCP/UDP: Preserving recently used remote address: [AF_INET]5.226.139.225:1194
Jul 30 08:43:27 unknown daemon.notice openvpn[28533]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Jul 30 08:43:27 unknown daemon.notice openvpn[28533]: UDP link local: (not bound)
Jul 30 08:43:27 unknown daemon.notice openvpn[28533]: UDP link remote: [AF_INET]5.226.139.225:1194
Jul 30 08:44:27 unknown daemon.err openvpn[28533]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jul 30 08:44:27 unknown daemon.err openvpn[28533]: TLS Error: TLS handshake failed
Jul 30 08:44:27 unknown daemon.notice openvpn[28533]: SIGUSR1[soft,tls-error] received, process restarting
Jul 30 08:44:27 unknown daemon.notice openvpn[28533]: Restart pause, 5 second(s)
Jul 30 08:44:32 unknown daemon.warn openvpn[28533]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
Jul 30 08:44:32 unknown daemon.warn openvpn[28533]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jul 30 08:44:32 unknown daemon.warn openvpn[28533]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 30 08:44:32 unknown daemon.notice openvpn[28533]: TCP/UDP: Preserving recently used remote address: [AF_INET]185.125.207.177:1194
Jul 30 08:44:32 unknown daemon.notice openvpn[28533]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Jul 30 08:44:32 unknown daemon.notice openvpn[28533]: UDP link local: (not bound)
Jul 30 08:44:32 unknown daemon.notice openvpn[28533]: UDP link remote: [AF_INET]185.125.207.177:1194
Jul 30 08:44:53 unknown daemon.err openvpn[28533]: event_wait : Interrupted system call (code=4)
Jul 30 08:44:53 unknown daemon.notice openvpn[28533]: OpenVPN STATISTICS
Jul 30 08:44:53 unknown daemon.notice openvpn[28533]: Updated,Thu Jul 30 08:44:53 2020
Jul 30 08:44:53 unknown daemon.notice openvpn[28533]: TUN/TAP read bytes,0
Jul 30 08:44:53 unknown daemon.notice openvpn[28533]: TUN/TAP write bytes,0
Jul 30 08:44:53 unknown daemon.notice openvpn[28533]: TCP/UDP read bytes,0
Jul 30 08:44:53 unknown daemon.notice openvpn[28533]: TCP/UDP write bytes,168
Jul 30 08:44:53 unknown daemon.notice openvpn[28533]: Auth read bytes,0
Jul 30 08:44:53 unknown daemon.notice openvpn[28533]: END
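The pattern in the log above (bytes written, nothing read, TUN/TAP counters at zero, repeated "TLS handshake failed", and the warning that no server certificate verification is enabled) can be picked out mechanically. The POSIX shell snippet below is an added example, not code from this thread or from FreshTomato; it embeds a subset of the log lines posted above as its sample input, and the function names are my own.

```shell
#!/bin/sh
# Sample input: a subset of the router log lines posted in this thread.
SAMPLE_LOG='Jul 30 08:43:22 unknown daemon.err openvpn[28533]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jul 30 08:43:22 unknown daemon.err openvpn[28533]: TLS Error: TLS handshake failed
Jul 30 08:43:27 unknown daemon.warn openvpn[28533]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jul 30 08:44:27 unknown daemon.err openvpn[28533]: TLS Error: TLS handshake failed
Jul 30 08:44:53 unknown daemon.notice openvpn[28533]: TUN/TAP read bytes,0
Jul 30 08:44:53 unknown daemon.notice openvpn[28533]: TUN/TAP write bytes,0
Jul 30 08:44:53 unknown daemon.notice openvpn[28533]: TCP/UDP read bytes,0
Jul 30 08:44:53 unknown daemon.notice openvpn[28533]: TCP/UDP write bytes,168'

# Number of failed TLS handshakes in the log text given on stdin.
# grep -c exits 1 when the count is 0, so "|| true" keeps the count printable.
count_tls_failures() {
    grep -c 'TLS Error: TLS handshake failed' || true
}

# Prints "yes" when OpenVPN warned that server certificate verification is off
# (i.e. remote-cert-tls / "Verify server certificate" is not in effect), else "no".
server_cert_unverified() {
    if grep -q 'No server certificate verification method has been enabled'; then
        echo yes
    else
        echo no
    fi
}

# Extracts one counter from the OpenVPN STATISTICS block on stdin.
# $1 is the counter name, e.g. "TCP/UDP read bytes"; "|" is used as the sed
# delimiter because the names contain "/".
stat_counter() {
    sed -n "s|.*$1,\([0-9]*\)$|\1|p" | tail -n 1
}

# One-line verdict: a client that only ever sends handshake packets shows
# TCP/UDP write bytes > 0 while read and TUN/TAP counters stay at 0.
tunnel_verdict() {
    log=$(cat)
    rx=$(printf '%s\n' "$log" | stat_counter 'TCP/UDP read bytes')
    tx=$(printf '%s\n' "$log" | stat_counter 'TCP/UDP write bytes')
    tun_rx=$(printf '%s\n' "$log" | stat_counter 'TUN/TAP read bytes')
    fails=$(printf '%s\n' "$log" | count_tls_failures)
    if [ "$fails" -gt 0 ] && [ "${rx:-0}" -eq 0 ] && [ "${tx:-0}" -gt 0 ]; then
        echo "handshake-failing: sent ${tx} bytes, received 0; TLS handshake failed ${fails} time(s)"
    elif [ "${tun_rx:-0}" -gt 0 ]; then
        echo "tunnel-carrying-traffic"
    else
        echo "unknown"
    fi
}

# Stand-alone run over the sample; on a router you would pipe the syslog in instead.
printf '%s\n' "$SAMPLE_LOG" | tunnel_verdict
printf 'server certificate unverified: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | server_cert_unverified)"
```

The verdict only tells you the client never completed a handshake; which setting is wrong still has to be read off the profile, but a "handshake-failing" result with the certificate-verification warning present is a strong hint that the TLS auth key and server-verification settings are the place to look.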


Yes, I did follow their guide. I did consider that line; I am going to take a look at the logs today.

Made the suggested changes to the Basic and Advanced config, saved and attempted to start the client. It doesn’t appear to start the service, and upon looking at the log file nothing is written, so it’s almost like those changes cause it to not be able to even start the client to the point where it writes out to the log file. When I check the “Verify server certificate” box it adds a “common name” text field, which I’m not sure is mandatory or not.

I also tested importing the .ovpn file directly into an OpenVPN client on Windows and it worked fine. I really wish Tomato had the functionality to import a .ovpn profile instead of having to set up all the options individually. I noticed some inconsistencies between their instructions and the .ovpn file as well. For example, the “remote” is set to random in the file, but in the instructions they tell you to set it to the address of the server you are connecting to, in this case uk-lon.prod.surfshark.com.

I’m sure I did paste everything in but I will double check today.

Hi. I just checked and I have indeed copied the key and the CA cert into the corresponding places in the “Keys” section.

I’m not sure what you mean?

Seeing surfshark’s client vpn config would help. Perhaps you could download and post one of the configs from step #2 in this other OpenVPN guide. And you could omit the certificates; the single-line options are most helpful.

Oh yeah, put “server” in the common name field.

They actually have a specific Tomato guide here, which is what I was following. Below is the config from the client config file which you are instructed to download from Surfshark during the setup. I chose London as it’s my closest location and I chose UDP because… overheads.

dev tun
proto udp
remote uk-lon.prod.surfshark.com 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0

remote-cert-tls server

auth-user-pass

#comp-lzo
verb 3
pull
fast-io
cipher AES-256-CBC

auth SHA512

<ca>
-----BEGIN CERTIFICATE-----
CA cert redacted (although not really necessary)
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
Static key redacted
-----END OpenVPN Static key V1-----
</tls-auth>
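To see how the profile above maps onto the FreshTomato client settings listed earlier in the thread, here is an added shell example; it is not code from this thread, from Surfshark or from FreshTomato. It reads a .ovpn profile from stdin and prints the equivalent GUI values: a tls-auth block with key-direction 1 corresponds to TLS control channel security “Outgoing Auth (1)”, `auth` to the Auth digest, `cipher` to the legacy/fallback cipher, the commented-out comp-lzo to Compression disabled, and `remote-cert-tls server` to Verify server certificate with common name “server”. The sample profile is the set of single-line options posted above with the certificate and static-key bodies replaced by a REDACTED stand-in; the function names and the label used for a tls-crypt profile are my own assumptions.

```shell
#!/bin/sh
# Sample input: the single-line options from the profile posted above; the
# <ca> and <tls-auth> bodies are replaced by a constructed REDACTED line.
SAMPLE_OVPN='dev tun
proto udp
remote uk-lon.prod.surfshark.com 1194
resolv-retry infinite
remote-random
nobind
persist-key
persist-tun
ping 15
ping-restart 0
reneg-sec 0
remote-cert-tls server
auth-user-pass
#comp-lzo
verb 3
pull
cipher AES-256-CBC
auth SHA512
<ca>
REDACTED
</ca>
key-direction 1
<tls-auth>
REDACTED
</tls-auth>'

# Value of a single-line option ("cipher", "auth", "remote", ...) from the
# profile on stdin. Commented-out lines such as "#comp-lzo" never match
# because their first field starts with "#". Prints nothing when absent.
ovpn_opt() {
    awk -v opt="$1" '$1 == opt { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Exit 0 if the option or inline tag (e.g. "<tls-auth>") is present uncommented.
ovpn_has() {
    awk -v opt="$1" '$1 == opt { found = 1 } END { exit !found }'
}

# Map the profile on stdin to the FreshTomato client settings discussed in the
# thread, printed as key=value lines so they can be compared with the GUI.
tomato_settings() {
    cfg=$(cat)
    cipher=$(printf '%s\n' "$cfg" | ovpn_opt cipher)
    digest=$(printf '%s\n' "$cfg" | ovpn_opt auth)
    keydir=$(printf '%s\n' "$cfg" | ovpn_opt key-direction)
    set -- $(printf '%s\n' "$cfg" | ovpn_opt remote)   # host [port]
    if printf '%s\n' "$cfg" | ovpn_has '<tls-auth>'; then
        case "$keydir" in
            1) tls="Outgoing Auth (1)" ;;
            0) tls="Incoming Auth (0)" ;;
            *) tls="tls-auth without key-direction (bidirectional)" ;;
        esac
    elif printf '%s\n' "$cfg" | ovpn_has '<tls-crypt>'; then
        tls="tls-crypt (assumed label: Encrypt Channel)"
    else
        tls="Disabled"
    fi
    if printf '%s\n' "$cfg" | ovpn_has comp-lzo || printf '%s\n' "$cfg" | ovpn_has compress; then
        comp="enabled in profile, check method"
    else
        comp="Disabled"
    fi
    if [ "$(printf '%s\n' "$cfg" | ovpn_opt remote-cert-tls)" = server ]; then
        verify=checked; cn=server
    else
        verify=unchecked; cn=""
    fi
    printf 'server=%s\nport=%s\n' "$1" "${2:-1194}"
    printf 'tls_control_channel=%s\n' "$tls"
    printf 'auth_digest=%s\n' "$digest"
    printf 'legacy_cipher=%s\n' "$cipher"
    printf 'compression=%s\n' "$comp"
    printf 'verify_server_certificate=%s\n' "$verify"
    printf 'common_name=%s\n' "$cn"
}

# Pick one key out of tomato_settings output on stdin, e.g. `setting auth_digest`.
setting() {
    sed -n "s/^$1=//p"
}

# Stand-alone run; on the router you could instead feed it the profile you downloaded.
printf '%s\n' "$SAMPLE_OVPN" | tomato_settings
```

Running it against the profile above gives `tls_control_channel=Outgoing Auth (1)`, `auth_digest=SHA512`, `legacy_cipher=AES-256-CBC`, `compression=Disabled`, `verify_server_certificate=checked` and `common_name=server`, which is exactly the set of settings the earlier reply asked for. Cipher negotiation is a GUI-only choice that the profile does not express, so it is not printed.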

Doing that, with your other suggested changes, has worked. You are right, they must have an out-of-date guide, and I must admit my knowledge is limited when it comes to spotting discrepancies in TLS auth stuff. Thank you so much for your help. I will take some screenshots of the config so that I can re-do it next time after an upgrade etc.

I wonder if their guide is out of date somehow for FreshTomato. I thought seeing the raw OpenVPN config might hint at what setting to change.


You’re totally right that being able to paste in a config would be easier sometimes.

What’s helpful (to me) is you can view the config that Tomato generates (when you click Start), in Tools / System Commands:

cat /etc/openvpn/client1/config.ovpn

Ah, I was looking for this earlier! I was wondering if I could simply copy the profile that they give you into this location and simply give it the correct name, kind of like a manual “import” without using a GUI button. But I wasn’t sure of the location and I was working at the time, so I didn’t have time to Google around. Thanks so much, man!