Posted: Thu Jul 09, 2020 7:05 Post subject: Bug: OpenVPN pre-shared key does not work
When you connect DD-WRT with the OpenVPN client using a static pre-shared key (point-to-point / peer-to-peer), it does not work. The reason is that the GUI wrongly puts a "client" statement in the OpenVPN config file, which OpenVPN does not allow when running with a static key.
So it would be great if the GUI could figure out not to put in "client" if there is something in the static key field, or if there were a separate section for pre-shared key / p2p VPN settings.
The problem is that this wrong entry is added every time you reboot the router, and you have to log in, modify the file and restart the OpenVPN service.
PS: Is this the place to report bugs? Not sure the SVN site allows outsiders to post bugs and the github repo is just a mirror, right?
Joined: 18 Mar 2014 Posts: 12915 Location: Netherlands
Posted: Thu Jul 09, 2020 9:46 Post subject:
It is a known problem and discussed before.
From the OpenVPN server setup guide:
Quote:
Due to an incompatibility in DDWRT it is not possible to setup with a static key only (both server and client) for a workaround see the paragraph "Running from the command line"
You can try to dynamically remove "client" from the openvpn.conf and restart openvpn (have not tried it myself) from Startup:
Code:
sleep 60
# delete only the whole "client" line; a bare s/client// would also mangle other directives that contain the word
sed -i '/^[[:space:]]*client$/d' /tmp/openvpncl/openvpn.conf
# stop the instance the GUI already started before launching the corrected one
killall openvpn
openvpn --config /tmp/openvpncl/openvpn.conf --daemon
I have proposed to BS to let users use their own openvpn.conf (like you can do for a lot of other services) so that you can just tweak it, copy it to /jffs/etc and have it read from there as a general workaround for these things.
I even wrote the patch and I have it running in my own builds, but unfortunately not all my requests are granted.
_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399 Install guide R7800/XR500:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614 Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
I really did not want to try any of the CLI workarounds, because I want something that is simple to replicate on a clean install without touching the filesystem. With a bit of testing, I've come up with something that works for me without any scripting or manually creating local files. I hope this will help others as well.
I am depending on this "bug" behavior to fail to start the OpenVPN Client and instead manually configure the OpenVPN Server using a static key which I actually load into the config flash via the Client section. Leave all other fields as default or empty. Notice the line which specifies "secret" below and points to the key from the Client config section. Adjust the rest to fit your needs.
Joined: 18 Mar 2014 Posts: 12915 Location: Netherlands
Posted: Sat Nov 07, 2020 8:57 Post subject:
Thanks that is a viable option
Another option:
Quote:
Due to an incompatibility in DDWRT it is not possible to set up with a static key only (due to adding the "server" directive (and "client" for a client setup) in the openvpn.conf).
For a workaround see the paragraph "Running from the command line", or dynamically remove the "server" (or "client") line from the openvpn.conf:
killall openvpn
sed -i '/^[[:space:]]*client$/d' /tmp/openvpncl/openvpn.conf #For a server setup delete the "server ..." line instead: sed -i '/^[[:space:]]*server[[:space:]]/d' on the server config
openvpn --config /tmp/openvpncl/openvpn.conf --daemon
You can run this from the CLI or put it in a script and run it from Startup (make sure to add a delay (sleep 60) so that OpenVPN is up and the config file has been written).
You can put the static key in the OpenVPN Additional Config with:
<secret>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</secret>
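The two workaround snippets above (strip the "client" or "server" directive, then restart openvpn) can be turned into one startup script. The following is an added example written for this page; it is not code from the forum posts or from DD-WRT. It assumes the config path /tmp/openvpncl/openvpn.conf and the directive name "client" used in the thread (use "server" and the server config path for the server side), and the sample config in the comments is constructed, not something DD-WRT is known to emit. It shows why deleting the whole directive line matters: a bare s/client// also rewrites directives such as client-nat, and s/server// leaves a broken " 10.8.0.0 255.255.255.0" line behind, whereas static-key mode needs that line gone entirely.

```shell
#!/bin/sh
# Added example for a DD-WRT static-key (point-to-point) OpenVPN tunnel.
# Assumed path and directive name follow the thread; nothing here is
# DD-WRT's own code. POSIX sh only, so it runs under busybox ash.

CONF=/tmp/openvpncl/openvpn.conf   # assumed: client config written by the GUI

# Wait for the GUI-generated config instead of a blind "sleep 60".
wait_for_file() {
    f="$1"; tries="${2:-120}"
    while [ ! -s "$f" ] && [ "$tries" -gt 0 ]; do
        sleep 1
        tries=$((tries - 1))
    done
    [ -s "$f" ]
}

# The naive form from the thread: rewrites every occurrence of the word,
# so "client-nat ..." becomes "-nat ..." and "server 10.8.0.0 ..." becomes
# " 10.8.0.0 ...". Kept only to contrast with the safe version below.
naive_strip_mode_directive() {
    sed -i "s/$2//" "$1"
}

# Safe form: delete whole lines that are exactly the directive, with or
# without arguments. Other directives or comments containing the word
# are left alone.
strip_mode_directive() {
    conf="$1"; directive="$2"
    sed -i "/^[[:space:]]*${directive}\$/d" "$conf"
    sed -i "/^[[:space:]]*${directive}[[:space:]]/d" "$conf"
}

# A static-key config must carry the key (secret line or inline <secret>
# block) and must not carry any TLS-mode directive. Returns 0 when usable.
looks_like_static_key_conf() {
    conf="$1"
    { grep -q '^[[:space:]]*secret[[:space:]]' "$conf" \
        || grep -q '^[[:space:]]*<secret>' "$conf"; } || return 1
    ! grep -Eq '^[[:space:]]*(client|server|tls-client|tls-server)([[:space:]]|$)' "$conf"
}

restart_openvpn() {
    killall openvpn 2>/dev/null   # the GUI already started (or failed to start) one
    openvpn --config "$1" --daemon
}

main() {
    wait_for_file "$CONF" || { echo "$CONF never appeared" >&2; exit 1; }
    strip_mode_directive "$CONF" client
    looks_like_static_key_conf "$CONF" \
        || { echo "$CONF is still not a static-key-only config" >&2; exit 1; }
    restart_openvpn "$CONF"
}

# Only act on the router when invoked as "script.sh run"; sourcing the file
# just defines the functions.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Save it to /jffs or paste it into the Startup script and call it with the "run" argument. The GUI regenerates openvpn.conf whenever the OpenVPN client service is restarted from the web interface, so the script has to run again after any GUI change; the looks_like_static_key_conf check makes it fail loudly rather than start a half-edited config.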
The OpenVPN client was never designed to support every possible configuration, esp. a static, point-to-point tunnel. While such a configuration offers convenience and simplicity, it also limits the OpenVPN server to a single OpenVPN client, and is far less secure (e.g., it's subject to man in the middle attacks; the longer the same static key is used, the more it becomes a liability). So it's never going to be supported by any commercial OpenVPN provider.
Like any feature in the GUI, the developers have to draw a fine line between what should and shouldn't be supported. And what's required for 99% of users is a big part of that decision. Each outlier configuration complicates the GUI at the expense of the 99%. For the outliers, they always have the CLI and scripting. And given how simple this is to implement, I believe it's best left out of the GUI (esp. given the GUI only offers a single OpenVPN client/server instance; why waste it for these purposes).