JW0914 wrote:

gaga wrote:

In my Android openvpn.ovpn file I had to remove

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
 
-----END OpenVPN Static key V1-----
</tls-auth>

and replace it with

tls-auth ta.key 1

When you pasted your ta.key in the xml layout, was there a blank line between the key and the lines BEGIN or END?  It would have either been that or you maybe missed a character when you copied it over.  (I hope that doesn't come across as arrogant, as it's not my intent). 

• The reason why it would have had to be either/or is OpenVPN for Android applies the ovpn config in xml format, not in the format it's written as in the config file. You can view the ovpn config in the way it's actually applied by selecting the edit [pencil] icon, and scrolling all the way to right, until you reach the last tab.  It applies the ca.crt, client.key, client.crt, and ta.key in xml format.

• Because of this, the only reason the xml code within the ovpn config couldn't work would have to be user error.

In reference to the key direction (i.e. the 1 after ta.key), when configuring with the ta.key in xml format, the value key-direction 1 is what specifies the 1.  If that isn't included when you configure an ovpn with the ta.key in xml format, it'll fail.  (The server and client configs are literally the exact same ones I use, and the only differences between the ones in the wiki and the ones I use are the subnets, port numbers, and certificate names.)

Uhm, ok, I did this probably ten times or more so far. I didn't pay too much attention to the copying process. After reading your post, I did. Now, it works, of course.

What happened? Well, there is a blank after each line including the last line. I never copied the last blank from the last line...

Feeling stupid right now.

lol glad you figured out where the issue was =]

Also, when it comes to firewalls, especially and even more so on routers, an SPI firewall with a default drop policy is the way to go.  It's a bit more hands on for the end user, as that means manually configuring things like Plug N Play, as port 1900 will be auto blocked, but a default deny policy is the #1 guarantee you have against intrusion. 

It's extremely important a default deny approach is taken with routers because they're literally the front door to your home, and once access is gained, physical access to your devices is granted.  To provide a real world example, while not typical it does demonstrate why it's necessary.... A friend of mine owns an auto customization shop and utilizes ~5 devices connected to a router running DD-WRT, and is serviced via Charter Spectrum Business.  About 2 months ago, I was creating a vlan for a guest network for his customers when I saw firewall logging wasn't enabled (it's disabled by default on DD-WRT for some reason).  So I enabled it and checked it about an hour later and there were hundreds of inbound connection attempts that were coming from China and Hong Kong.  DD-WRT doesn't include the greatest of firewall implementations so I pulled the iptables rules OpenWRT utilizes via fw3 and deployed them on the R6300. The next day I checked the logs and there were over 1000 blocked inbound connections originating in China.

Keep in mind this was a small business in a mid size town experiencing intrusion attempts at a rate one would expect to be seen against a financial institution or corporate network... it wasn't normal, with Charter stating they've never seen that kind of intrusion traffic against a small business in the region they serviced.  Granted, this isn't by any means a typical experience, but does show it's vitally important to ensure you do everything to prevent, or at the very least make it extremely difficult, for someone to gain access to your router and the devices behind it.

JW0914 wrote:

lol glad you figured out where the issue was =]

Also, when it comes to firewalls, especially and even more so on routers, an SPI firewall with a default drop policy is the way to go.  It's a bit more hands on for the end user, as that means manually configuring things like Plug N Play, as port 1900 will be auto blocked, but a default deny policy is the #1 guarantee you have against intrusion. 

It's extremely important a default deny approach is taken with routers because they're literally the front door to your home, and once access is gained, physical access to your devices is granted.  To provide a real world example, while not typical it does demonstrate why it's necessary.... A friend of mine owns an auto customization shop and utilizes ~5 devices connected to a router running DD-WRT, and is serviced via Charter Spectrum Business.  About 2 months ago, I was creating a vlan for a guest network for his customers when I saw firewall logging wasn't enabled (it's disabled by default on DD-WRT for some reason).  So I enabled it and checked it about an hour later and there were hundreds of inbound connection attempts that were coming from China and Hong Kong.  DD-WRT doesn't include the greatest of firewall implementations so I pulled the iptables rules OpenWRT utilizes via fw3 and deployed them on the R6300. The next day I checked the logs and there were over 1000 blocked inbound connections originating in China.

Keep in mind this was a small business in a mid size town experiencing intrusion attempts at a rate one would expect to be seen against a financial institution or corporate network... it wasn't normal, with Charter stating they've never seen that kind of intrusion traffic against a small business in the region they serviced.  Granted, this isn't by any means a typical experience, but does show it's vitally important to ensure you do everything to prevent, or at the very least make it extremely difficult, for someone to gain access to your router and the devices behind it.

I agree, and my first step was to replace the stock firmware  :-D

gufus wrote:

@kaloz

RC2

I can't reproduce the stalls and lock-ups but then again I don't have any Mac devices.

I don't do Mac <grin>

root@AC1900M:~# uptime
14:28:16 up 15 days, 15:47,  load average: 0.07, 0.05, 0.04
root@AC1900M:~#

I wish I had that problem. My wife and kids have various ipads/iphones so no chance of ditching Apple

I just posted another dump for issue #21. And this is on today's trunk too. Hopefully yuhhaurlin is reading them.

https://github.com/kaloz/mwlwifi/issues/21#issuecomment-121393929

davidc502 wrote:

gufus wrote:

It's been a on-going issue, even in the early days, ie: McWRT

BTY

You could run McWRT and...

EDIT: /etc/config/wireless

config wifi-iface
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'Network_Name'
option encryption 'psk2+ccmp'
option key 'password'
option disassoc_low_ack '0' ---> add this line

reboot

Sorry, I was skimming and not reading..

This is to what your are referring > https://github.com/Chadster766/McWRT

Yes.

davidc502 wrote:

What have your experiences been with this build?

McWRT works fine, And as for wifi, I had the same speed.

The wifi driver is here https://github.com/TheDgtl/mrvl_wlan_v7drv

Try McWRT with the Mac fix.

and to direct new users to ALSO report the issues.

tusc wrote:

gufus wrote:

@kaloz

RC2

I can't reproduce the stalls and lock-ups but then again I don't have any Mac devices.

I don't do Mac <grin>

root@AC1900M:~# uptime
14:28:16 up 15 days, 15:47,  load average: 0.07, 0.05, 0.04
root@AC1900M:~#

I wish I had that problem. My wife and kids have various ipads/iphones so no chance of ditching Apple

I just posted another dump for issue #21. And this is on today's trunk too. Hopefully yuhhaurlin is reading them.

https://github.com/kaloz/mwlwifi/issues/21#issuecomment-121393929

Issue 20 (at least) is not restricted to just Apple devices.

I triggered it with an Android phone and Windows laptop.

davidc502 wrote:

McWRT works fine, And as for wifi, I had the same speed.

The wifi driver is here https://github.com/TheDgtl/mrvl_wlan_v7drv

Try McWRT with the Mac fix.

Please do not give unguarded advice to run McWRT.

McWRT is unsupported and the base code (AA) is old and has not received - and will not receive - security patches for several "severe" rated published flaws.

YOU might be fine with that, but others need to make an informed decision - or at least be aware of the risks - before taking this path.

Of course the real solution is for Belkin to fix the latest driver.  And the best thing we can do to aid that is to KEEP reporting problems to them - and to direct new users to ALSO report the issues.

DavidMcWRT wrote:

and to direct new users to ALSO report the issues.

New WRT1900AC user chiming in. Is there a portal or email address I can use to nag Belkin about this? I'd be happy to help out in any way i can, even if it's just by nagging and putting pressure on Belkin.

DavidMcWRT wrote:

tusc wrote:

I wish I had that problem. My wife and kids have various ipads/iphones so no chance of ditching Apple

I just posted another dump for issue #21. And this is on today's trunk too. Hopefully yuhhaurlin is reading them.

https://github.com/kaloz/mwlwifi/issues/21#issuecomment-121393929

Issue 20 (at least) is not restricted to just Apple devices.

I triggered it with an Android phone and Windows laptop.

Report it to yuhhaurlin then.

gaga wrote:

Many thanks for any input!

Maybe ask here...
https://openvpn.net/index.php/open-source.html

gufus wrote:

DavidMcWRT wrote:

Issue 20 (at least) is not restricted to just Apple devices.

I triggered it with an Android phone and Windows laptop.

Report it to yuhhaurlin then.

I have, also asking (again) about a progress update for the v1, and specifically drawing out the point I can trigger issue 20 with non-Apple devices.

gufus wrote:

gaga wrote:

Many thanks for any input!

Maybe ask here...
https://openvpn.net/index.php/open-source.html

I posted, but this forum needs someone to approve my post...right...

Thats all we can do.

gufus wrote:

gaga wrote:

Many thanks for any input!

Maybe ask here...
https://openvpn.net/index.php/open-source.html

I posted, but this forum needs someone to approve my post...right...

Is anyone running stock firmware? If so how do I access "http://192.168.1.1/sysinfo.cgi" I have tried multiple ways and what used to work does not work on ver. FW_WRT1900AC_1.1.10.167514_prod.img The last trunk image lasted 2 days I came home to a rebooted router so it was not a complete lockup.....But also no logs to see what happened. And there was no one using it while I was at work Usually I run a vpn connection so I can see what is happening but I did not do that today.
Thanks in advance.

What kind of information is available from http://192.168.1.1/sysinfo.cgi ?