[hoegge]

When you connect DD-WRT with openvpn client using a static preshared key (point to point / peer-to-peer) it does not work. The reason is, that the GUI wrongly puts a "client" statement in the openvpn config file, which openvpn does not allow when running with static key.

So it would be great, if the GUI could figure out to not put in "client" if there is something in the static key field, or you had a separate section for preshared key / p2p vpn settings.

The problem is, that this wrong entry is added every time you reboot the router and you have to log in, modify the file and restart the open vpn service

PS: Is this the place to report bugs? Not sure the SVN site allows outsiders to post bugs and the github repo is just a mirror, right?

best
Hoegge

[kernel-panic69]

On what router, on which particular firmware build revision number?

[hoegge]

On WRT1900AC v1
on versions up until r43136 (have not tried later, since I could not find any release notes saying it was fixed)

[egc]

It is a known problem and discussed before.

From the OpenVPN server setup guide:

[N9bitmap]

I really did not want to try any of the CLI workarounds, because I want something that is simple to replicate on a clean install without touching the filesystem. With a bit of testing, I've come up with something that works for me without any scripting or manually creating local files. I hope this will help others as well.

I am depending on this "bug" behavior to fail to start the OpenVPN Client and instead manually configure the OpenVPN Server using a static key which I actually load into the config flash via the Client section. Leave all other fields as default or empty. Notice the line which specifies "secret" below and points to the key from the Client config section. Adjust the rest to fit your needs.

Services -> VPN -> OpenVPN Client
Start OpenVPN Client = Enable
Server IP = 127.127.127.127
TLS Cipher = None
Static Key = [paste key here]

Services -> VPN -> OpenVPN Server
OpenVPN = Enable
Start Type = [your preference]
Config as = Daemon
Additional Config =

Code:

daemon fast-io cipher aes-128-cbc auth sha256 comp-lzo adaptive mode p2p proto udp4 management 127.0.0.1 16 management-log-cache 100 tun-mtu 1500 mtu-disc yes nobind persist-key persist-tun resolv-retry infinite remote 192.168.168.192 1194 dev tun1 ifconfig 10.20.30.2 10.20.30.1 route 172.20.30.0 255.255.255.0 vpn_gateway script-security 2 secret /tmp/openvpncl/static.key writepid /var/run/openvpn.pid

--bitmap

Running dd-wrt on WRT54GL, WRT300N, WRT600N, WRT1900AC since at least 2008.

[egc]

Thanks that is a viable option

Another option:

[eibgrad]

I don't consider this a bug.

The OpenVPN client was never designed to support every possible configuration, esp. a static, point-to-point tunnel. While such a configuration offers convenience and simplicity, it also limits the OpenVPN server to a single OpenVPN client, and is far less secure (e.g., it's subject to man in the middle attacks; the longer the same static key is used, the more it becomes a liability). So it's never going to be supported by any commercial OpenVPN provider.

Like any feature in the GUI, the developers have to draw a fine line between what should and shouldn't be supported. And what's required for 99% of users is a big part of that decision. Each outlier configuration complicates the GUI at the expense of the 99%. For the outliers, they always have the CLI and scripting. And given how simple this is to implement, I believe it's best left out of the GUI (esp. given the GUI only offers a single OpenVPN client/server instance; why waste it for these purposes).

JMTC