Configuring OpenVPN Server on OpenWrt and accessing with Windows OpenVPN Client

===============================

Hi everyone!

I'm a noob user and would like to set up OpenVPN on my router as a server and connect to my router from one PC using OpenVPN GUI.

================================

  1. Premises
  2. Problem OpenVPN Client Side:
Mon Dec 30 17:36:55 2019 OpenVPN 2.4.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 31 2019
Mon Dec 30 17:36:55 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Mon Dec 30 17:36:55 2019 library versions: OpenSSL 1.1.0l  10 Sep 2019, LZO 2.10
Enter Management Password:
Mon Dec 30 17:36:55 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Mon Dec 30 17:36:55 2019 Need hold release from management interface, waiting...
Mon Dec 30 17:36:55 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Mon Dec 30 17:36:55 2019 MANAGEMENT: CMD 'state on'
Mon Dec 30 17:36:55 2019 MANAGEMENT: CMD 'log all on'
Mon Dec 30 17:36:55 2019 MANAGEMENT: CMD 'echo all on'
Mon Dec 30 17:36:55 2019 MANAGEMENT: CMD 'bytecount 5'
Mon Dec 30 17:36:55 2019 MANAGEMENT: CMD 'hold off'
Mon Dec 30 17:36:55 2019 MANAGEMENT: CMD 'hold release'
Mon Dec 30 17:37:07 2019 MANAGEMENT: CMD 'password [...]'
Mon Dec 30 17:37:07 2019 MANAGEMENT: Client disconnected
Mon Dec 30 17:37:07 2019 Insufficient key material or header text not found in file '[[INLINE]]' (0/128/256 bytes found/min/max)
Mon Dec 30 17:37:07 2019 Exiting due to fatal error
  3. Doubts
  • How can I test if OpenVPN (Server Side ) is working fine?
  • How can I solve this problem in OpenVPN Client?

Thx!

Please provide your configuration files. It looks like your certificate doesn't possess the necessary security for OpenVPN 2.4.8.

Sorry @ulmwind if I ask stupid questions; I know almost nothing about OpenVPN setup... I just followed the steps in the guide... Are you talking about the "client.ovpn"?

Here you are!

verb 3
dev tun
nobind
client
remote XXX.XXX.XXX.XXX 1194 udp
auth-nocache
remote-cert-tls server
<tls-crypt>

</tls-crypt>
<ca>
-----BEGIN CERTIFICATE-----

MIIDITCC....

-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----

MIIDQDCCA....

-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----

MIIFDj......

-----END ENCRYPTED PRIVATE KEY-----
</key>

Yes, and server's one. Check length of inline files.

Server.conf


verb 3
user nobody
group nogroup
dev tun0
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 120
persist-tun
persist-key
duplicate-cn
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
-----BEGIN DH PARAMETERS-----

MIIBCAK...

-----END DH PARAMETERS-----
</dh>
<tls-crypt>

</tls-crypt>
<ca>
-----BEGIN CERTIFICATE-----

MIIDITCC....

-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----

MIIDVz....
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----

MIIEvgIBA...

-----END PRIVATE KEY-----
</key>


Check length of inline files.

Sorry, but what are the inline files? I'm a noob user... :slightly_smiling_face:

For client file:

  1. copy the contents between the tags <ca> and </ca> to a file ca.crt, place it in the same directory as client.ovpn, and include it with ca ca.crt
  2. do the same for the other files, and see the result.

Yes it looks like the core of this problem is that something about the server certificates is garbled and unusable. I usually put them in files rather than inline in the config file.

Your client is configured with an encrypted private key; this requires the additional step of prompting the user for the passphrase needed to decrypt the key.

I would think you could have two instances of OpenVPN on a router, one as the server and one as a client, to see if you can at least auth with yourself.

So I need to create 3 files in the same directory of client.ovpn:

  • ca ca.crt
  • cert client.crt
  • key client.key

Am I correct?

So now my new Client.ovpn is like this:

verb 3
dev tun
nobind
client
remote XXX.XXX.XXX.XXX 1194 udp
auth-nocache
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key

I tried, but the result was:

Mon Dec 30 20:57:52 2019 OpenVPN 2.4.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 31 2019
Mon Dec 30 20:57:52 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Mon Dec 30 20:57:52 2019 library versions: OpenSSL 1.1.0l 10 Sep 2019, LZO 2.10
Enter Management Password:
Mon Dec 30 20:57:52 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Mon Dec 30 20:57:52 2019 Need hold release from management interface, waiting...
Mon Dec 30 20:57:53 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Mon Dec 30 20:57:53 2019 MANAGEMENT: CMD 'state on'
Mon Dec 30 20:57:53 2019 MANAGEMENT: CMD 'log all on'
Mon Dec 30 20:57:53 2019 MANAGEMENT: CMD 'echo all on'
Mon Dec 30 20:57:53 2019 MANAGEMENT: CMD 'bytecount 5'
Mon Dec 30 20:57:53 2019 MANAGEMENT: CMD 'hold off'
Mon Dec 30 20:57:53 2019 MANAGEMENT: CMD 'hold release'
Mon Dec 30 20:57:53 2019 MANAGEMENT: Client disconnected
Mon Dec 30 20:57:53 2019 Insufficient key material or header text not found in file '[[INLINE]]' (0/128/256 bytes found/min/max)
Mon Dec 30 20:57:53 2019 Exiting due to fatal error

One thing I noticed is that now it is not asking for the password...

"I would think you could have two instances of OpenVPN on a router one the server and one a client to see if you can at least auth with yourself"

I don't know how can I do this yet, but I could try with your help... :smirk:

Put the full path to each certificate file on its line in the ovpn file.

Why is it still looking at [INLINE] after you took the inline certs out? Are you sure it is running the config file you think it is? Make sure there are no stray .conf files in the openvpn directory, because OpenVPN will try to parse them.


My Client.ovpn is this:

verb 3
dev tun
nobind
client
remote XXX.XXX.XXX.XXX 1194 udp
auth-nocache
remote-cert-tls server
<tls-crypt>

</tls-crypt>
ca ca.crt
cert client.crt
key client.key

And the files in the directory are these:

Make a separate file for tls-crypt also (it looks like the problem is in it).

You are correct. I don't have this key... It's empty... How can I solve this?

I don't know, try to generate it manually from the script:
OVPN_TC="$(sed -e "/^#/d;/^\w/N;s/\n//" ${OVPN_PKI}/tc.pem)"

Try also the common method: openvpn --genkey --secret ta.key
It is for tls-auth; I haven't found an example for tls-crypt, but I think it is the same.
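To see where the client's "[[INLINE]]" error comes from and to check a generated key before pasting it into the config, here is an added shell check (not from this thread or the OpenWrt guide): it lists every inline block of an .ovpn file and flags empty ones, and counts the key bytes of an OpenVPN static key file, the same number the log reports as "0/128/256 bytes found/min/max". The sample config and key it runs on are constructed here; the key is placeholder hex, not a real key.

```shell
# Added example: audit inline <tag>...</tag> blocks of an OpenVPN config and
# size a static key the way OpenVPN's "bytes found/min/max" message counts it.

# Print "tag count" for each inline block; count = non-blank lines inside it.
inline_block_sizes() {
    awk '
        /^<[a-z-]+>$/   { tag = substr($0, 2, length($0) - 2); n = 0; next }
        /^<\/[a-z-]+>$/ { print tag, n; tag = ""; next }
        tag != "" && NF > 0 { n++ }
    ' "$1"
}

# Print the names of empty inline blocks (an empty <tls-crypt> is what makes
# the client above fail) and return 1 if there are any, else 0.
empty_inline_blocks() {
    inline_block_sizes "$1" | awk '$2 == 0 { print $1; bad = 1 } END { exit bad ? 1 : 0 }'
}

# Count key bytes in an OpenVPN static key file: hex digits between the V1
# header and footer, two per byte. openvpn --genkey writes 256 (2048 bits);
# tls-auth and tls-crypt need at least 128.
static_key_bytes() {
    sed -n '/^-----BEGIN OpenVPN Static key V1-----/,/^-----END OpenVPN Static key V1-----/p' "$1" \
        | grep -v -- '-----' | tr -d ' \t\r\n' | awk '{ s = s $0 } END { print length(s) / 2 }'
}

# Constructed sample input: the client config shape from the thread with an
# empty <tls-crypt> block, plus a static key of placeholder (not real) hex digits.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CONF="$SAMPLE_DIR/client.ovpn"
SAMPLE_KEY="$SAMPLE_DIR/tc.key"
cat > "$SAMPLE_CONF" <<'EOF'
client
remote XXX.XXX.XXX.XXX 1194 udp
<tls-crypt>

</tls-crypt>
<ca>
-----BEGIN CERTIFICATE-----
MIIDITCC....
-----END CERTIFICATE-----
</ca>
EOF
{
    printf '#\n# 2048 bit OpenVPN static key\n#\n-----BEGIN OpenVPN Static key V1-----\n'
    i=0; while [ "$i" -lt 16 ]; do echo 0123456789abcdef0123456789abcdef; i=$((i + 1)); done
    printf -- '-----END OpenVPN Static key V1-----\n'
} > "$SAMPLE_KEY"

empty_inline_blocks "$SAMPLE_CONF" || echo "empty inline block(s) listed above: fill or remove them"
echo "static key bytes: $(static_key_bytes "$SAMPLE_KEY")"
```

Run it against the real client.ovpn and tc.pem instead of the samples; a tls-crypt block that prints 0 lines, or a key file that counts fewer than 128 bytes, reproduces the error in the log.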

Is the correct path for this file "/root/EasyRSA-v3.0.6/pki" or "/etc/easy-rsa/pki"? What's the difference?

So I get this key and put it between the "<tls-crypt>" and "</tls-crypt>" tags in Client.ovpn?

#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
9e221.....ec
-----END OpenVPN Static key V1-----

Yes it is stored like that. The generation phase produces a random key that needs to be loaded into the server and deployed to all the clients that use that server.

The TLS-crypt is an optional additional layer of encryption on top of everything else. If the server is configured not to use it, the client would not use it either.

Which one?

"/root/EasyRSA-v3.0.6/pki" or "/etc/easy-rsa/pki"? In my case the script (https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic) that I'm using used "/etc/easy-rsa/pki".

Check the filesystem of your router. Generate the file manually, as written above.