Posted: Sun Apr 04, 2021 12:56 Post subject: Unable to configure client OpenVPN
Hi All,
I am using build 40009 on a Linksys 4200. I am having trouble setting up this router as a client.
I have a Raspberry Pi at the other side that I would like to connect to. When using OpenVPN Connect everything is good, but I am unable to configure it from my router.
I have left all settings at default, adding my host and the CA cert, the public client cert and the private client key generated on the Raspberry Pi, taken from its .ovpn file.
When I go to status/openvpn there is nothing present and of course the log is empty.
/tmp/openvpn/openvpn.conf is for the OpenVPN *server*.
OpenVPN client's config file is /tmp/openvpncl/openvpn.conf.
When the log shows nothing, it usually means you made such an egregious error that it couldn't even start. Like placing a cert/key in the wrong field, adding contradictory directives, or a misspelled directive in the Additional Config field.
There's no point in messing w/ the management directive.
There is one cert key that I did not place, though. There is no field for that, right?
I set that build up since it was stable for the NordVPN connection.
See my cert file below. If you need anything else removed with BLA, let me know.
Joined: 18 Mar 2014 Posts: 12881 Location: Netherlands
Posted: Sun Apr 04, 2021 15:32 Post subject:
Apart from the pictures, which are way too large (forum guidelines: no more than 768 pixels; to get the best out of DD-WRT and the forum, read the forum guidelines with helpful pointers: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087), it does not look too bad.
The cipher should be AES-256-CBC according to your .ovpn file, so set it accordingly.
Enable NAT (as you control the server you can set a static route, but for now enable it).
I do not see any compression mentioned in your .ovpn file, so I would disable the compression (compression is a safety risk, so it should be disabled).
The keys and certs look OK, but you are also using a tls-crypt key, and the version you are using has no option to use tls-crypt from the GUI.
That has been added later, I think in 41273.
Like I said, a lot has changed, so consider upgrading.
If you do not want to or cannot upgrade, it is possible to set the tls-crypt key manually; at least I think it is supported in the OpenVPN version that build is using (you need at least OpenVPN 2.4).
Even without the tls-crypt key the OpenVPN status page should show something.
So adapt the settings as outlined above, restart the router and then check the OVPN status page.
But as said, I would upgrade (and as you are coming from a rather old build, do a full reset and put your settings in manually; do not restore from a backup).
A lot of information can be found in the OpenVPN server setup guide, also how to set the tls-crypt key manually, but it is as simple as pasting everything between and including <tls-crypt> ...... </tls-crypt> into the additional config (so that should be the only thing in it then).
_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399 Install guide R7800/XR500:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614 Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
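An added example, not from the thread and not DD-WRT's own code: a small POSIX shell script that pulls the inline <tls-crypt> block out of a client .ovpn, which is the block to paste into Additional Config on builds that have no tls-crypt field in the GUI, and lists the proto, cipher, auth and compression directives that have to be set in the GUI by hand. The .ovpn content is constructed, with placeholder certificate and key bodies, and the hostname vpn.example.invalid is made up.

```shell
#!/bin/sh
# Added example, not from the thread. Builds without a tls-crypt field in the
# GUI need the profile's inline <tls-crypt> block pasted into "Additional
# Config"; this pulls it out and summarises the directives that go into the
# GUI fields instead.

# Constructed sample client .ovpn; certificate and key bodies are placeholders.
SAMPLE_OVPN=$(cat <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher AES-256-CBC
auth SHA256
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-crypt>
EOF
)

# Print the <tls-crypt> ... </tls-crypt> block, tags included, exactly as it
# should be pasted into Additional Config.
extract_tls_crypt() {
  printf '%s\n' "$1" | sed -n '/^<tls-crypt>$/,/^<\/tls-crypt>$/p'
}

# Value of a single-line directive (proto, cipher, auth ...), empty if absent.
directive() {
  printf '%s\n' "$2" | awk -v d="$1" '$1 == d { print $2; exit }'
}

# Compression directives present in the profile. Empty output means the
# server does not compress, so the GUI setting should be Disabled.
compression_directives() {
  printf '%s\n' "$1" | awk '$1 == "comp-lzo" || $1 == "compress" { print }'
}

# What goes into which GUI field, one line per setting.
gui_summary() {
  ovpn=$1
  printf 'proto: %s\n' "$(directive proto "$ovpn")"
  printf 'cipher: %s\n' "$(directive cipher "$ovpn")"
  printf 'auth: %s\n' "$(directive auth "$ovpn")"
  c=$(compression_directives "$ovpn")
  printf 'compression: %s\n' "${c:-none (set Disabled)}"
  if [ -n "$(extract_tls_crypt "$ovpn")" ]; then
    printf 'tls-crypt: yes (paste block into Additional Config)\n'
  else
    printf 'tls-crypt: no\n'
  fi
}

gui_summary "$SAMPLE_OVPN"
echo '--- Additional Config ---'
extract_tls_crypt "$SAMPLE_OVPN"
```

Run it against the real profile by replacing SAMPLE_OVPN with `$(cat client.ovpn)`; the part after the separator is the only text that should end up in Additional Config on a build without the GUI field.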
Managed to update the firmware to: r46259
And I still have the same issue. I have noticed one thing, though. With OpenVPN Connect I need to set the password to get connected.
I have tried leaving the user empty and entering the password, and entering the password in the static key field as well. But I could not get connected or see anything in the log.
I am sure I must be missing a dummy config, but I am unable to find it. I attach my current config (this time at 800px).
The private key is also set (but didn't get into the screenshot)
Edit: I have tried with and without compression
Here is the output from: cat /tmp/openvpncl/openvpn.conf
Joined: 08 May 2018 Posts: 14217 Location: Texas, USA
Posted: Sun Apr 04, 2021 19:40 Post subject:
Just a friendly reminder (to @egc as well):
Current image width on attachments is 768 pixels per the updated rules and guidelines (and announcement in nearly every sub-forum). Larger resolution images must be linked to an image hosting site. Thank you.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT Pogo - A minimal level of ability is expected and needed... DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)
----------------------
Linux User #377467 counter.li.org / linuxcounter.net
Apologies.
BTW: I got the log out from syslog:
Code:
either stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Private Key Password:'. If you used --daemon, you need to use --askpass to make passphrase-protected ke
Any clue?
Edit: Finally I worked that out: we cannot input passwords, so the server must not have a password for the connection.
I am now able to see the log under the OpenVPN section, but still, one more time, it does not work. I can connect, but then I have no internet.
Code:
Clientlog:
19700101 01:00:34 W DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
19700101 01:00:34 W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
19700101 01:00:34 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
19700101 01:00:34 I OpenVPN 2.5.1 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 3 2021
19700101 01:00:34 I library versions: OpenSSL 1.1.1k 25 Mar 2021 LZO 2.09
19700101 01:00:34 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
19700101 01:00:34 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
19700101 01:00:34 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20210404 23:31:26 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
20210404 23:31:26 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
20210404 23:31:26 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
20210404 23:31:26 NOTE: --mute triggered...
20210404 23:31:27 1 variation(s) on previous 3 message(s) suppressed by --mute
20210404 23:31:27 I TCP/UDP: Preserving recently used remote address: [AF_INET]BLA.IP:1194
20210404 23:31:27 Socket Buffers: R=[262144->262144] S=[262144->262144]
20210404 23:31:27 W --mtu-disc is not supported on this OS
20210404 23:31:27 I UDP link local: (not bound)
20210404 23:31:27 I UDP link remote: [AF_INET]BLA.IP:1194
20210404 23:31:27 TLS: Initial packet from [AF_INET]BLA:IP:1194 sid=59f408ea 5a2e83cc
20210404 23:31:27 VERIFY OK: depth=1 CN=ChangeMe
20210404 23:31:27 VERIFY OK: depth=0 CN=raspberrypi_0163c8bb-a8a9-4f54-afca-01b5c2e8dBLA
20210404 23:31:27 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1570' remote='link-mtu 1569'
20210404 23:31:27 W WARNING: 'comp-lzo' is present in local config but missing in remote config local='comp-lzo'
20210404 23:31:27 Control Channel: TLSv1.3 cipher TLSv1.3 TLS_AES_256_GCM_SHA384 256 bit EC curve: prime256v1
20210404 23:31:27 I [raspberrypi_0163c8bb-a8a9-4f54-afca-01b5c2e8dBLA] Peer Connection Initiated with [AF_INET]BLA:IP:1194
20210404 23:31:28 SENT CONTROL [raspberrypi_0163c8bb-a8a9-4f54-afca-01b5c2e8dBLA]: 'PUSH_REQUEST' (status=1)
20210404 23:31:28 PUSH: Received control message: 'PUSH_REPLY dhcp-option DNS 8.8.8.8 dhcp-option DNS 8.8.4.4 block-outside-dns redirect-gateway def1 route-gateway 10.8.0.1 topology subnet ping 15 ping-restart 120 ifconfig 10.8.0.5 255.255.255.0 peer-id 0 cipher AES-256-GCM'
20210404 23:31:28 N Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:3: block-outside-dns (2.5.1)
20210404 23:31:28 OPTIONS IMPORT: timers and/or timeouts modified
20210404 23:31:29 OPTIONS IMPORT: --ifconfig/up options modified
20210404 23:31:29 OPTIONS IMPORT: route options modified
20210404 23:31:29 NOTE: --mute triggered...
20210404 23:31:29 5 variation(s) on previous 3 message(s) suppressed by --mute
20210404 23:31:29 Data Channel: using negotiated cipher 'AES-256-GCM'
20210404 23:31:29 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20210404 23:31:29 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20210404 23:31:29 net_route_v4_best_gw query: dst 0.0.0.0
20210404 23:31:29 net_route_v4_best_gw result: via 192.168.1.1 dev vlan2
20210404 23:31:29 I TUN/TAP device tun1 opened
20210404 23:31:29 I net_iface_mtu_set: mtu 1500 for tun1
20210404 23:31:29 I net_iface_up: set tun1 up
20210404 23:31:29 I net_addr_v4_add: 10.8.0.5/24 dev tun1
20210404 23:31:29 net_route_v4_add: BLA.IP32 via 192.168.1.1 dev [NULL] table 0 metric -1
20210404 23:31:29 net_route_v4_add: 0.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
20210404 23:31:29 net_route_v4_add: 128.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
20210404 23:31:29 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
20210404 23:31:29 I Initialization Sequence Completed
20210404 23:33:28 I [raspberrypi_0163c8bb-a8a9-4f54-afca-01b5c2e8dBLA] Inactivity timeout (--ping-restart) restarting
20210404 23:33:28 I SIGUSR1[soft ping-restart] received process restarting
20210404 23:33:28 Restart pause 5 second(s)
20210404 23:33:33 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20210404 23:33:33 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20210404 23:33:33 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
20210404 23:33:33 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
20210404 23:33:33 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
20210404 23:33:33 NOTE: --mute triggered...
20210404 23:33:33 1 variation(s) on previous 3 message(s) suppressed by --mute
20210404 23:33:33 I TCP/UDP: Preserving recently used remote address: [AF_INET]BLA.IP:1194
20210404 23:33:33 Socket Buffers: R=[262144->262144] S=[262144->262144]
20210404 23:33:33 W --mtu-disc is not supported on this OS
20210404 23:33:33 I UDP link local: (not bound)
20210404 23:33:33 I UDP link remote: [AF_INET]BLA.IP:1194
20210404 23:33:33 TLS: Initial packet from [AF_INET]BLA.IP:1194 sid=4289fe07 11a1ce00
20210404 23:33:33 VERIFY OK: depth=1 CN=ChangeMe
20210404 23:33:33 VERIFY OK: depth=0 CN=raspberrypi_0163c8bb-a8a9-4f54-afca-01b5c2e8dBLA
20210404 23:33:33 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1570' remote='link-mtu 1569'
20210404 23:33:33 W WARNING: 'comp-lzo' is present in local config but missing in remote config local='comp-lzo'
20210404 23:33:33 Control Channel: TLSv1.3 cipher TLSv1.3 TLS_AES_256_GCM_SHA384 256 bit EC curve: prime256v1
20210404 23:33:33 I [raspberrypi_0163c8bb-a8a9-4f54-afca-01b5c2e8dBLA] Peer Connection Initiated with [AF_INET]BLA.IP:1194
20210404 23:33:35 SENT CONTROL [raspberrypi_0163c8bb-a8a9-4f54-afca-01b5c2e8dBLA]: 'PUSH_REQUEST' (status=1)
20210404 23:33:35 PUSH: Received control message: 'PUSH_REPLY dhcp-option DNS 8.8.8.8 dhcp-option DNS 8.8.4.4 block-outside-dns redirect-gateway def1 route-gateway 10.8.0.1 topology subnet ping 15 ping-restart 120 ifconfig 10.8.0.5 255.255.255.0 peer-id 1 cipher AES-256-GCM'
20210404 23:33:35 N Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:3: block-outside-dns (2.5.1)
20210404 23:33:35 OPTIONS IMPORT: timers and/or timeouts modified
20210404 23:33:35 OPTIONS IMPORT: --ifconfig/up options modified
20210404 23:33:35 OPTIONS IMPORT: route options modified
20210404 23:33:35 NOTE: --mute triggered...
20210404 23:33:35 5 variation(s) on previous 3 message(s) suppressed by --mute
20210404 23:33:35 Data Channel: using negotiated cipher 'AES-256-GCM'
20210404 23:33:35 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20210404 23:33:35 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20210404 23:33:54 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20210404 23:33:54 D MANAGEMENT: CMD 'log 500'
Joined: 18 Mar 2014 Posts: 12881 Location: Netherlands
Posted: Mon Apr 05, 2021 9:32 Post subject:
As you are already using private keys, passwords are not so much needed.
You can use username/passwords if you enable "User Pass authentication" in the GUI, but as said, you do not need it.
Set the logging to verb 5: add in the additional config: verb 5
What we can see now is that OpenVPN complains about the missing data cipher; as first data cipher set AES-256-CBC, as second AES-128-GCM and as third AES-256-GCM.
OpenVPN also complains about compression; set Compression to Disabled (note Disabled is different from No).
When done, reboot the router and post a screenshot of the whole OVPN status page.
Edit: you can ignore the warning about block-outside-dns; that is only for Windows clients and can be ignored on other clients (it is described in the OVPN server setup guide).
Make sure your server can route/NAT traffic from the client out via its WAN interface.
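As an added example, not from the thread and not DD-WRT's own tooling: a POSIX shell lint for the router-side client config (/tmp/openvpncl/openvpn.conf) that checks for the conditions behind the warnings in the log above (no server certificate verification, a cipher without data-ciphers, comp-lzo still set, management without a password file, a key file readable by group/others) and names the directive or GUI setting that clears each one. The sample config is constructed to mirror the posted log; the address 203.0.113.10 and the file paths are assumptions, and the key permission check only runs when the file actually exists on the box.

```shell
#!/bin/sh
# Added example, not from the thread. Checks a DD-WRT OpenVPN client config
# for the conditions behind the warnings in the posted client log and prints
# one finding per line with the fix.

# Constructed sample mirroring that log: legacy cipher without data-ciphers,
# comp-lzo still on, no server certificate check, management without a
# password file. Address and paths are assumptions.
SAMPLE_CONF=$(cat <<'EOF'
client
dev tun1
proto udp
remote 203.0.113.10 1194
cipher AES-256-CBC
auth SHA256
comp-lzo
management 127.0.0.1 16
ca /tmp/openvpncl/ca.crt
cert /tmp/openvpncl/client.crt
key /tmp/openvpncl/client.key
EOF
)

# Exit 0 when directive $1 appears at the start of a line in config $2.
has_directive() {
  printf '%s\n' "$2" | awk -v d="$1" '$1 == d { f = 1 } END { exit !f }'
}

# Value of the first occurrence of directive $1 in config $2.
value_of() {
  printf '%s\n' "$2" | awk -v d="$1" '$1 == d { print $2; exit }'
}

# One finding per line; no output means nothing to fix.
lint_client_config() {
  conf=$1
  # "No server certificate verification method has been enabled": without
  # remote-cert-tls, any certificate signed by the CA passes as the server.
  has_directive remote-cert-tls "$conf" ||
    echo "no server cert check: add 'remote-cert-tls server'"
  # "DEPRECATED OPTION: --cipher ... missing in --data-ciphers"
  if has_directive cipher "$conf" && ! has_directive data-ciphers "$conf"; then
    c=$(value_of cipher "$conf")
    echo "cipher $c without data-ciphers: add 'data-ciphers $c:AES-128-GCM:AES-256-GCM'"
  fi
  # "'comp-lzo' is present in local config but missing in remote config"
  if has_directive comp-lzo "$conf" || has_directive compress "$conf"; then
    echo "compression on: set Compression to Disabled in the GUI"
  fi
  # "Using --management on a TCP port WITHOUT passwords": DD-WRT writes this
  # line itself, so only the bind address is worth checking.
  m=$(printf '%s\n' "$conf" | awk '$1 == "management" && NF < 4 { print $2; exit }')
  case $m in
    '') ;;
    127.0.0.1|::1) echo "management on $m without password: set by DD-WRT, reachable only on the router" ;;
    *) echo "management on $m without password: bind it to 127.0.0.1 or add a password file" ;;
  esac
  # "file '.../client.key' is group or others accessible"
  k=$(value_of key "$conf")
  if [ -n "$k" ] && [ -e "$k" ]; then
    case $(ls -l "$k" | cut -c5-10) in
      ------) ;;
      *) echo "key $k readable by group/others: chmod 600 $k" ;;
    esac
  fi
}

lint_client_config "$SAMPLE_CONF"
```

On the router itself, replace SAMPLE_CONF with `$(cat /tmp/openvpncl/openvpn.conf)` and run it after each GUI change; the data-ciphers and compression findings should disappear once the fields are set as described above, and the management line is expected to stay because the firmware generates it.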
It's working now! Thank you so much!
I get lost between the server config and the client config within the docs.
Do you reckon I should add additional security settings?