Posted: Sat Aug 14, 2021 19:33 Post subject: OpenVPN client log warning and using ovpn files
I've set up an OpenVPN client using the GUI and it's connecting but I see "Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure" in the logs. What's causing this and how do I correct it (assuming it's a legit concern)?
My next step if possible is to use .ovpn files directly so I can apply updates from my vpn provider or switch regions without having to do a bunch of copying and pasting from the ovpn files to the GUI fields. Are the instructions at http://coertvonk.com/sw/networking/dd-wrt-and-openvpn-5591 ("3.3 OpenVPN Client") valid and good?
If I get that done, ultimately it would be sweet to remotely invoke a script on dd-wrt to choose a different ovpn file. Is remotely invoking scripts outside of the GUI possible?
You don't need to worry about those warning messages. That's intended for platforms where there may be multiple users who have access to the server running the OpenVPN client. But in the case of the router, there's only the one user, and it's root. So adding a password for root is pointless. Of course, OpenVPN doesn't know this, and so issues the warning. And there's no way to suppress it.
As far as .ovpn files, dd-wrt can NOT import OpenVPN config files. You could, of course, manage the OpenVPN client using scripting at the command line rather than the GUI and use those .ovpn config files. I assume that's what the link you provided is offering (I only skimmed it).
Alternatively, you might find the following useful.
Thanks for setting my mind at ease about that warning.
And thanks for that link. That's pretty intriguing. I wonder if I could restore from an ovpn from my provider instead of restoring a dd-wrt generated ovpn (if that's even how the backup and restore works). At any rate it's something to ponder. That could perhaps be better in some ways and not as good in others.
Joined: 18 Mar 2014 Posts: 12889 Location: Netherlands
Posted: Sun Aug 15, 2021 8:11 Post subject:
Alternatively consider using WireGuard, almost all good VPN providers support WireGuard on the router.
It is about 3 times faster than OpenVPN, easy to set up, and you can make as many tunnels as you want and can easily disable and enable tunnels from the CLI/script.
There are differences between OpenVPN and WireGuard, so sometimes OpenVPN is better.
For OpenVPN the solution from @eibgrad is very elegant, but as most providers have the same keys/certs you only have to switch remote server/port that can be done fairly easily by replacing those in the config file and restarting OpenVPN.
I think @Surprisedatworks has a script for that.
Links in my signature at the bottom, both for OpenVPN and WireGuard.
Oh and always state router model and build number, otherwise we cannot provide the optimal support.
Joined: 18 Mar 2014 Posts: 12889 Location: Netherlands
Posted: Sun Aug 15, 2021 8:45 Post subject:
Necessary commands to stop OpenVPN, replace server and port, and start OpenVPN:
Code:
stopservice openvpn
#replace your remote ip address/port in the nvram parameter:
nvram set openvpncl_remoteip=<my_new_server_address>
nvram set openvpncl_remoteport=<my_new_port>
nvram commit
startservice openvpn
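As an added example (not part of the original posts), the same nvram sequence can be driven from a provider's .ovpn file: the sketch below reads the first `remote` line and validates host and port before anything is written to nvram. The function names `parse_remote` and `switch_server`, the `DRY_RUN` variable and the sample hostname are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Reads the first "remote <host> <port>"
# line of a provider .ovpn file and applies it with the nvram keys shown above.
# Dry run by default; set DRY_RUN=0 on the router to execute the commands.

# Print "host port" for the first remote directive, or fail if it is missing
# or contains anything other than a plain hostname/IPv4 address and a port.
parse_remote() {
    # Provider files often use CRLF line endings, so strip \r first.
    line=$(tr -d '\r' < "$1" | awk '$1 == "remote" { print $2, $3; exit }')
    host=${line%% *}
    port=${line#* }
    case $host in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case $port in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    echo "$host $port"
}

# Print (dry run) or execute the stop / nvram set / commit / start sequence.
switch_server() {
    remote=$(parse_remote "$1") || { echo "no valid remote in $1" >&2; return 1; }
    run=echo
    [ "${DRY_RUN:-1}" = 0 ] && run=
    $run stopservice openvpn
    $run nvram set "openvpncl_remoteip=${remote% *}"
    $run nvram set "openvpncl_remoteport=${remote#* }"
    $run nvram commit
    $run startservice openvpn
}

# Constructed sample profile; the hostname is a placeholder.
sample=$(mktemp)
printf 'client\r\ndev tun\r\nremote nl-01.vpn.example 1197 udp\r\n' > "$sample"
switch_server "$sample"
rm -f "$sample"
```

A `remote` line without an explicit port is rejected rather than guessed, so such a profile needs the port added before it can be used with this sketch.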
Joined: 04 Mar 2021 Posts: 65 Location: Manchester
Posted: Mon Sep 12, 2022 17:46 Post subject:
Necessary commands to stop OpenVPN, replace server and port, and start OpenVPN:
Code:
stopservice openvpn
#replace your remote ip address/port in the nvram parameter:
nvram set openvpncl_remoteip=<my_new_server_address>
nvram set openvpncl_remoteport=<my_new_port>
nvram commit
startservice openvpn
Will the above code stop the warnings and where do you apply the code please?
_________________
Netgear R7000
DD-WRT v3.0-r50595 std (10/23/22)
Manchester
Enable dnsmasq- Yes
Encrypt DNS- NO
DNSCrypt Resolver- No Using Smart DNS
Cache DNSSEC Data- Yes
Validate DNS Replies (DNSSEC)- NO
Check Unsigned DNS Replies- NO
No DNS Rebind- Enable
Query DNS in Strict Order- Enable
Add Requestor MAC to DNS Query- Disable
RFC4039 Rapid Commit Support- Enable
Maximum Cached Entries- 1500