OpenVPN client log warning and using ovpn files

TheShanMan
DD-WRT User


Joined: 23 Jul 2007
Posts: 101

Posted: Sat Aug 14, 2021 19:33    Post subject: OpenVPN client log warning and using ovpn files
I've set up an OpenVPN client using the GUI and it's connecting but I see "Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure" in the logs. What's causing this and how do I correct it (assuming it's a legit concern)?

My next step if possible is to use .ovpn files directly so I can apply updates from my vpn provider or switch regions without having to do a bunch of copying and pasting from the ovpn files to the GUI fields. Are the instructions at http://coertvonk.com/sw/networking/dd-wrt-and-openvpn-5591 ("3.3 OpenVPN Client") valid and good?

If I get that done, ultimately it would be sweet to remotely invoke a script on dd-wrt to choose a different ovpn file. Is remotely invoking scripts outside of the GUI possible?
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Sat Aug 14, 2021 20:32
You don't need to worry about those warning messages. That's intended for platforms where there may be multiple users who have access to the server running the OpenVPN client. But in the case of the router, there's only the one user, and it's root. So adding a password for root is pointless. Of course, OpenVPN doesn't know this, and so issues the warning. And there's no way to suppress it.

As far as .ovpn files, dd-wrt can NOT import OpenVPN config files. You could, of course, manage the OpenVPN client using scripting at the command line rather than the GUI and use those .ovpn config files. I assume that's what the link you provided is offering (I only skimmed it).

Alternatively, you might find the following useful.

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=326230

Granted, you still have to copy/paste from the .ovpn files to the GUI, but you're at least still working w/ the GUI, which means you maintain access to things like PBR (policy based routing), the kill switch, etc. Something you'd have to implement yourself if you decided to manage your own scripts using .ovpn files.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
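
The warning quoted in the first post concerns a `management` directive that opens a TCP port with no password file. As an added example (not from the thread or from DD-WRT), this function reports which form a given client configuration uses; the sample address and port 7505 are constructed.

```shell
#!/bin/sh
# Classify each "management" directive in an OpenVPN config (file or stdin).
# Directive forms per the OpenVPN manual:
#   management IP port [pw-file]
#   management socket-name unix [pw-file]
check_management() {
    awk '
    { sub(/[#;].*/, "") }              # drop comments
    $1 != "management" { next }
    { found = 1 }
    $3 == "unix" { print "ok    unix socket, no TCP listener: " $2; next }
    NF >= 4      { print "ok    TCP with password file: " $2 ":" $3; next }
    $2 ~ /^(127\.|::1$|localhost$)/ {
                   print "note  loopback TCP, no password: " $2 ":" $3; next }
    { print "risk  non-loopback TCP, no password: " $2 ":" $3 }
    END { if (!found) print "ok    no management directive" }
    ' "$@"
}

# Constructed sample input; address and port are illustrative.
printf 'client\nmanagement 127.0.0.1 7505\n' | check_management
```

Pass the path of the generated client configuration as the argument to check a real setup.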
TheShanMan
DD-WRT User


Joined: 23 Jul 2007
Posts: 101

Posted: Sat Aug 14, 2021 20:42
Thanks for setting my mind at ease about that warning.

And thanks for that link. That's pretty intriguing. I wonder if I could restore from an ovpn from my provider instead of restoring a dd-wrt generated ovpn (if that's even how the backup and restore works). At any rate it's something to ponder. That could be perhaps better in some ways and not as good in others.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12812
Location: Netherlands

Posted: Sun Aug 15, 2021 8:11
Alternatively consider using WireGuard, almost all good VPN providers support WireGuard on the router.

It is about 3 times faster than OpenVPN, easy to set up and you can make as many tunnels as you want and can easily disable and enable tunnels from the CLI/script.

There are differences between OpenVPN and WireGuard so sometimes OpenVPN is better :)

For OpenVPN the solution from @eibgrad is very elegant, but as most providers have the same keys/certs you only have to switch remote server/port, which can be done fairly easily by replacing those in the config file and restarting OpenVPN.
I think @Surprisedatworks has a script for that.

Links in my signature at the bottom both for OpenVPN and WireGuard

Oh and always state router model and build number, otherwise we cannot provide the optimal support.

To get the best out of DDWRT and the forum read the forum guidelines with helpful pointers:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12812
Location: Netherlands

Posted: Sun Aug 15, 2021 8:45
Necessary commands to stop OpenVPN, replace server and port, and start OpenVPN:

Code:
stopservice openvpn
#replace your remote ip address/port in the nvram parameter:
nvram set openvpncl_remoteip=<my_new_server_address>
nvram set openvpncl_remoteport=<my_new_port>
nvram commit
startservice openvpn

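
The commands above, combined with the thread's idea of taking the server from a provider's .ovpn file, as an added example (not from the thread or from DD-WRT): it reads the first `remote` line, validates host and port, and then issues the same sequence. The function names, the `DRY_RUN` switch and the sample hostname are assumptions of this example.

```shell
#!/bin/sh
# Read the first "remote" line of a provider .ovpn file (or stdin) and apply
# it with the stopservice/nvram/startservice sequence posted above.
DRY_RUN=${DRY_RUN:-1}    # 1 (default): print the commands; 0: run them

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Print "host port"; the port defaults to 1194 when the line omits it.
ovpn_remote() {
    awk '$1 == "remote" && NF >= 2 { print $2, (NF >= 3 ? $3 : 1194); exit }' "$@"
}

valid_host() {    # hostname or IPv4 literal: letters, digits, dot, hyphen
    case "$1" in ''|-*|.*|*[!A-Za-z0-9.-]*) return 1 ;; esac
}

valid_port() {    # decimal, 1..65535
    case "$1" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

switch_remote() {    # usage: switch_remote provider.ovpn
    remote=$(ovpn_remote "$@")
    host=${remote% *} port=${remote#* }
    if ! valid_host "$host" || ! valid_port "$port"; then
        echo "rejected remote: '$remote'" >&2
        return 1
    fi
    run stopservice openvpn
    run nvram set "openvpncl_remoteip=$host"
    run nvram set "openvpncl_remoteport=$port"
    run nvram commit
    run startservice openvpn
}

# Dry run on constructed input (example hostname, not a real server).
printf 'client\nremote nl.example.net 443 udp\n' | switch_remote
```

On the router, set `DRY_RUN=0` once the printed commands look right.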
TheShanMan
DD-WRT User


Joined: 23 Jul 2007
Posts: 101

Posted: Sun Aug 15, 2021 14:30
Super helpful info. Thank you!
manchesterblack
DD-WRT User


Joined: 04 Mar 2021
Posts: 65
Location: Manchester

Posted: Mon Sep 12, 2022 17:46
Necessary commands to stop OpenVPN, replace server and port, and start OpenVPN:

Code:
stopservice openvpn
#replace your remote ip address/port in the nvram parameter:
nvram set openvpncl_remoteip=<my_new_server_address>
nvram set openvpncl_remoteport=<my_new_port>
nvram commit
startservice openvpn

Will the above code stop the warnings and where do you apply the code please?

_________________
Netgear R7000
DD-WRT DD-WRT v3.0-r50595 std (10/23/22)
Manchester
Enable dnsmasq- Yes
Encrypt DNS- NO
DNSCrypt Resolver- No Using Smart DNS
Cache DNSSEC Data- Yes
Validate DNS Replies (DNSSEC)- NO
Check Unsigned DNS Replies- NO
No DNS Rebind- Enable
Query DNS in Strict Order- Enable
Add Requestor MAC to DNS Query- Disable
RFC4039 Rapid Commit Support- Enable
Maximum Cached Entries- 1500

Smart DNS - YES

server-https https://9.9.9.9/dns-query
server-tls 9.9.9.9:853 -host-name: dns.quad9.net
server-tls 5.2.75.75:853 -host-name: dot.nl.ahadns.net
server-https https://1.1.1.1/dns-query

Additional VPN Configuration-
pull-filter ignore "dhcp-option DNS6 "
pull-filter ignore "dhcp-option DNS "

Dnsmasq Additional Options

server=/pool.ntp.org/9.9.9.9
server=/pool.ntp.org/1.0.0.1
server=/adquard-dns.com/9.9.9.9


BrainSlayer wrote:
we just do it since we do not like any restrictions enforced by stupid cocaine snorting managers
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12812
Location: Netherlands

Posted: Tue Sep 13, 2022 10:27
From the CLI (telnet/Putty) or put those in a script and call that script.