Bug: OpenVPN pre-shared key does not work

DD-WRT Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.)
hoegge
DD-WRT Novice


Joined: 26 Mar 2020
Posts: 24

PostPosted: Thu Jul 09, 2020 7:05    Post subject: Bug: OpenVPN pre-shared key does not work
When you connect DD-WRT with the OpenVPN client using a static pre-shared key (point-to-point / peer-to-peer), it does not work. The reason is that the GUI wrongly puts a "client" statement in the OpenVPN config file, which OpenVPN does not allow when running with a static key.

So it would be great if the GUI could figure out not to put in "client" if there is something in the static key field, or if there were a separate section for pre-shared key / p2p VPN settings.

The problem is that this wrong entry is added every time you reboot the router, and you have to log in, modify the file and restart the OpenVPN service.

PS: Is this the place to report bugs? Not sure the SVN site allows outsiders to post bugs, and the GitHub repo is just a mirror, right?

best
Hoegge
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 7610
Location: Texas, USA

PostPosted: Thu Jul 09, 2020 7:10
On what router, on which particular firmware build revision number?
_________________
Official Forum Rules, Guidelines, and Helpful Information • Firmware FAQ • Installation Wiki • Where Do I Download Firmware?
DON'T use Chromium-based browsers • RTFM/STFW - TL;DR is NOT an excuse. • Why Should I Care What Color the Bikeshed Is?
Please DO NOT PM me with questions; ask in the forum.

---------------------------------------------------------

Linux User #377467 counter.li.org / linuxcounter.net
hoegge
DD-WRT Novice


Joined: 26 Mar 2020
Posts: 24

PostPosted: Thu Jul 09, 2020 7:33
On WRT1900AC v1,
on versions up to r43136 (have not tried later, since I could not find any release notes saying it was fixed).
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6929
Location: Netherlands

PostPosted: Thu Jul 09, 2020 9:46
It is a known problem and has been discussed before.

From the OpenVPN server setup guide:
Quote:
Due to an incompatibility in DD-WRT it is not possible to set up with a static key only (both server and client); for a workaround see the paragraph "Running from the command line".


You can try to dynamically remove "client" from the openvpn.conf and restart OpenVPN (have not tried it myself) from Startup:
Code:
sleep 60
sed -i '/^client$/d' /tmp/openvpncl/openvpn.conf   # delete the whole "client" line, not every occurrence of the word
openvpn --config /tmp/openvpncl/openvpn.conf --daemon


Or just run the client from the command line; for the necessary files see:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=325621&postdays=0&postorder=asc&start=15

I have proposed to BS to let users use their own openvpn.conf (like you can do for a lot of other services), so that you can just tweak it, copy it to /jffs/etc and have it read from there, as a general workaround for these things.
I even wrote the patch and I have it running in my own builds, but unfortunately not all my requests are granted :(

_________________
Routers: Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
OpenVPN Policy Based Routing: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2: http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Server setup guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
Wireguard Client setup guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624
Wireguard Advanced setup guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787
Forum Guidelines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
N9bitmap
DD-WRT Novice


Joined: 07 Nov 2020
Posts: 1

PostPosted: Sat Nov 07, 2020 6:40
I really did not want to try any of the CLI workarounds, because I want something that is simple to replicate on a clean install without touching the filesystem. With a bit of testing, I've come up with something that works for me without any scripting or manually creating local files. I hope this will help others as well.

I am depending on this "bug" behavior to fail to start the OpenVPN Client, and instead manually configure the OpenVPN Server using a static key, which I actually load into the config flash via the Client section. Leave all other fields as default or empty. Notice the line which specifies "secret" below and points to the key from the Client config section. Adjust the rest to fit your needs.

    Services -> VPN -> OpenVPN Client
    Start OpenVPN Client = Enable
    Server IP = 127.127.127.127
    TLS Cipher = None
    Static Key = [paste key here]

    Services -> VPN -> OpenVPN Server
    OpenVPN = Enable
    Start Type = [your preference]
    Config as = Daemon
    Additional Config =
    Code:
    daemon
    fast-io
    cipher aes-128-cbc
    auth sha256
    comp-lzo adaptive
    mode p2p
    proto udp4
    management 127.0.0.1 16
    management-log-cache 100
    tun-mtu 1500
    mtu-disc yes
    nobind
    persist-key
    persist-tun
    resolv-retry infinite
    remote 192.168.168.192 1194
    dev tun1
    ifconfig 10.20.30.2 10.20.30.1
    route 172.20.30.0 255.255.255.0 vpn_gateway
    script-security 2
    secret /tmp/openvpncl/static.key
    writepid /var/run/openvpn.pid


--bitmap

Running dd-wrt on WRT54GL, WRT300N, WRT600N, WRT1900AC since at least 2008.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6929
Location: Netherlands

PostPosted: Sat Nov 07, 2020 8:57
Thanks, that is a viable option :)

Another option:
Quote:
Due to an incompatibility in DD-WRT it is not possible to set up with a static key only (due to the "server" directive (and "client" for a client setup) being added to the openvpn.conf).
For a workaround see the paragraph "Running from the command line", or dynamically remove the "server" (or "client") line from the openvpn.conf:
killall openvpn
sed -i '/^client$/d' /tmp/openvpncl/openvpn.conf   # for a server setup delete the "server ..." line instead: sed -i '/^server[[:space:]]/d'
openvpn --config /tmp/openvpncl/openvpn.conf --daemon
You can run this from the CLI or put it in a script and run it from Startup (make sure to add a delay (sleep 60) to make sure OpenVPN is up).

You can put the static key in the OpenVPN Additional Config with:
<secret>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</secret>


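The two Startup snippets egc posted in this thread delete the offending directive with a one-line sed, and N9bitmap's configuration above relies on a config that carries both "client" and a static key failing to start. The script below is an added example, not DD-WRT code and not anything posted in the thread: it removes only a line whose first word is exactly client or server (so client-to-client or tls-server are left alone, while a "server 10.8.0.0 255.255.255.0" line with arguments is still caught), then checks that what remains is a consistent static-key config (a secret directive or an inline <secret> block, and none of the TLS-only directives) before the caller starts OpenVPN. The paths /tmp/openvpncl/openvpn.conf and /tmp/openvpncl/static.key are the ones named in the thread; the function names, the 60-second wait and the sample config are assumptions or constructed.

```shell
#!/bin/sh
# Added example for this thread; not DD-WRT code and not the scripts posted
# above. /tmp/openvpncl/openvpn.conf and /tmp/openvpncl/static.key are the
# client-side paths named in the thread; the function names, the 60 s wait
# and the sample config below are assumptions / constructed.

# Exit 0 if some line's first word is exactly NAME, else 1.
has_directive() {                      # has_directive FILE NAME
    awk -v d="$2" 'BEGIN { rc = 1 } $1 == d { rc = 0; exit } END { exit rc }' "$1"
}

# Delete every line whose first word is exactly NAME. Comparing the first
# field rather than substituting the word leaves client-to-client, tls-server
# and similar directives alone, yet still drops a "server 10.8.0.0 255.255.255.0"
# line that carries arguments.
strip_directive() {                    # strip_directive FILE NAME
    awk -v d="$2" '$1 != d' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# A static-key (p2p) config must carry a key, as a "secret" directive or an
# inline <secret> block, and must not carry the TLS-only client/server
# directives. Returns 0 when consistent, 1 with a reason on stderr otherwise.
check_static_key_conf() {              # check_static_key_conf FILE
    f="$1"
    if ! has_directive "$f" secret && ! grep -q '^<secret>' "$f"; then
        echo "$f: no secret directive or inline <secret> block" >&2
        return 1
    fi
    for d in client server tls-client tls-server; do
        if has_directive "$f" "$d"; then
            echo "$f: directive '$d' conflicts with a static key" >&2
            return 1
        fi
    done
    return 0
}

# Wait for the GUI to write FILE (up to 60 s, the delay the thread suggests),
# leave TLS configs untouched, strip client/server from static-key configs and
# verify the result. Returns 0 only when the config is usable afterwards.
fix_static_key_conf() {                # fix_static_key_conf FILE
    f="$1"
    i=0
    while [ ! -s "$f" ] && [ "$i" -lt 60 ]; do
        sleep 1
        i=$((i + 1))
    done
    [ -s "$f" ] || { echo "$f: not present" >&2; return 1; }
    if ! has_directive "$f" secret && ! grep -q '^<secret>' "$f"; then
        return 0                       # no static key: a TLS setup, nothing to fix
    fi
    for d in client server; do
        if has_directive "$f" "$d"; then
            strip_directive "$f" "$d"
        fi
    done
    check_static_key_conf "$f"
}

# On the router this would go in the Startup script egc mentions:
#   fix_static_key_conf /tmp/openvpncl/openvpn.conf &&
#       openvpn --config /tmp/openvpncl/openvpn.conf --daemon
#
# Demonstration on a constructed sample shaped like the client config the
# thread describes the GUI writing (not a capture from a real router).
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/openvpn.conf"
cat > "$demo_conf" <<'EOF'
client
dev tun1
proto udp4
remote 192.168.168.192 1194
secret /tmp/openvpncl/static.key
ifconfig 10.20.30.2 10.20.30.1
persist-key
persist-tun
EOF
check_static_key_conf "$demo_conf" || echo "before: rejected, as expected"
fix_static_key_conf "$demo_conf" && echo "after: $(grep -c '' "$demo_conf") lines, client directive removed"
rm -rf "$demo_dir"
```

Because the check runs after the strip, a config that still carries tls-client or tls-server (which the GUI writes for certificate setups, not for static keys) makes the function return non-zero, so the && chain never starts OpenVPN on a file that would fail anyway.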
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8444

PostPosted: Sat Nov 07, 2020 20:19
I don't consider this a bug.

The OpenVPN client was never designed to support every possible configuration, esp. a static, point-to-point tunnel. While such a configuration offers convenience and simplicity, it also limits the OpenVPN server to a single OpenVPN client, and is far less secure (e.g., it's subject to man in the middle attacks; the longer the same static key is used, the more it becomes a liability). So it's never going to be supported by any commercial OpenVPN provider.

Like any feature in the GUI, the developers have to draw a fine line between what should and shouldn't be supported. And what's required for 99% of users is a big part of that decision. Each outlier configuration complicates the GUI at the expense of the 99%. For the outliers, they always have the CLI and scripting. And given how simple this is to implement, I believe it's best left out of the GUI (esp. given the GUI only offers a single OpenVPN client/server instance; why waste it for these purposes).

JMTC