Configuring OpenVPN Server on OpenWrt and accessing with Windows OpenVPN Client

@ulmwind, thanks for your time. But I'm a bit lost... I understood that @mk24 said this key is not essential. Is that true? Do I really need to generate this key?

If yes, which is the correct place to put this file? "/root/EasyRSA-v3.0.6/pki" or "/etc/easy-rsa/pki"?

It is not essential; in this case you should remove the tls-crypt tags on both client and server. It provides an extra layer of security.

You can generate it with openvpn and place it in the openvpn directory, where the openvpn config is located. You should include it in both the client and server config.
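As an added example (not from the thread or from ulmwind), a small script for the OpenWrt side that generates the tls-crypt key with the OpenVPN 2.4 genkey syntax, keeps it readable only by root, and appends a tls-crypt line with the full path to both configs; /etc/openvpn/tc.key, server.conf and client.ovpn are assumed names.

```shell
#!/bin/sh
# Added example, not from the thread: generate the tls-crypt key on the
# OpenWrt side and reference it by full path in both configs.
# /etc/openvpn/tc.key, server.conf and client.ovpn are assumed names.
set -eu

OVPN_DIR="${OVPN_DIR:-/etc/openvpn}"
KEY="$OVPN_DIR/tc.key"

# OpenVPN 2.4 genkey syntax (the thread's server reports 2.4.5). Never
# overwrite an existing key: every client already issued would stop connecting.
gen_tls_crypt_key() {
  if [ -e "$1" ]; then
    echo "refusing to overwrite existing key $1" >&2
    return 1
  fi
  openvpn --genkey --secret "$1"
  chmod 600 "$1"
}

# Append the directive with an absolute path, so OpenVPN finds the key
# whatever its working directory is. Refuse to add it twice.
add_tls_crypt() {
  if grep -q '^tls-crypt ' "$1"; then
    echo "$1 already contains a tls-crypt line" >&2
    return 1
  fi
  printf 'tls-crypt %s\n' "$2" >> "$1"
}

# The key must look like an OpenVPN static key and must not be readable by
# other users on the router.
check_key() {
  head -n 1 "$1" | grep -q '^-----BEGIN OpenVPN Static key V1-----$' || return 1
  [ "$(stat -c %a "$1")" = "600" ]
}

if [ "${1:-}" = "install" ]; then
  gen_tls_crypt_key "$KEY"
  add_tls_crypt "$OVPN_DIR/server.conf" "$KEY"
  add_tls_crypt "$OVPN_DIR/client.ovpn" "$KEY"   # the client needs a copy of the key too
  check_key "$KEY"
fi
```

The Windows client needs the same key file, copied over a channel you trust, and its client.ovpn must point at the key's full path on that machine.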

Ok I will do it. Thx!

What is the difference between the paths "/root/EasyRSA-v3.0.6/pki" and "/etc/easy-rsa/pki"?

Which one is really used by OpenVPN?

I don't know. I think all files are located in /etc; the home directory /root shouldn't be used for such a purpose.

You can store the file almost anywhere you want as long as you include the full path in the OpenVPN config so that OpenVPN can find it. I would not trust there to be a consistent default working directory, always use the full path.

Technically the TLS-crypt key is not a PKI secret, it is a separate type of encryption.

Where do I find the OpenVPN config file?

There must be a place (path + config file) that says the paths OpenVPN looks in to do the negotiation to close the VPN...

Sorry, I don't understand. OpenVPN works in the directory /etc/openvpn; the directory ...easy-rsa... is an auxiliary directory for certificates and keys during generation.

Thanks @ulmwind. I asked because I found 2 client.ovpn files: one in /etc/openvpn and the other in /root/EasyRSA-v3.0.6/

I didn't know which to use, so I tried both. The current status is:

The client.ovpn (/root/EasyRSA-v3.0.6/) asks for the password but doesn't work. This file doesn't have info.

The client.ovpn (/etc/openvpn) doesn't ask me for any password. This file has info. But one interesting thing: if I try to connect from outside my network it doesn't work, but if I try to connect from another computer inside my internal network it works!

I did the "port forward" in the ISP router but it's not working yet. I'm receiving the message: "TLS key negotiation failed to occur within 60 seconds (check your network connectivity)"

Try to connect from the WAN of the router initially; port forwarding is the next step. Compare the files by contents.


@ulmwind Thanks!

Worked!

I would like to know two things :

  • How do I enable and disable the openvpn service? (Ex: if the service is disabled, after the router reboots the service must stay disabled.)

  • How could I set up my OpenVPN client to ask for user/password?

  1. /etc/init.d/openvpn enable
     /etc/init.d/openvpn disable

  2. Default authentication is certificate-key. Login-password authentication is performed via an additional script: https://openvpn.net/community-resources/using-alternative-authentication-methods/

@ulmwind Thanks,

I saw the message below in my log (server):

Sun Jan  5 12:52:54 2020 daemon.warn openvpn(server)[2358]: 192.168.0.1:51609 WARNING: Failed running command (--auth-user-pass-verify): external program fork failed
Sun Jan  5 12:52:54 2020 daemon.err openvpn(server)[2358]: 192.168.0.1:51609 TLS Auth Error: Auth Username/Password verification failed for peer
Sun Jan  5 12:52:54 2020 daemon.notice openvpn(server)[2358]: 192.168.0.1:51609 SIGTERM[soft,auth-control-exit] received, client-instance exiting
Sun Jan  5 12:53:12 2020 daemon.err uhttpd[2217]: luci: accepted login on / for root from 172.16.255.14

And the OpenVPN client is trying to connect to the server. I was thinking that maybe I need to install the Perl package to run this script...

Then I ran this:

opkg update
opkg install perl

But it's still not working..

Commonly, when user-pass authentication is configured on a server, the auth-user-pass path/to/userpass/file method is used. Userpass authentication offers little security; certificates should always be used in addition to it.

Entering a password at runtime is complicated especially on a "headless" system like OpenWrt.

My intention is to have something to check on the client side (like user/password). In my understanding, if anyone steals your client.ovpn, this guy will have access to your OpenVPN server. Am I correct?

I found this tutorial...

https://github.com/troydm/ovpnauth.sh/blob/master/README

But I received this error:

Sun Jan  5 14:12:35 2020 daemon.err openvpn(ovpnauth)[2977]: Options error: Unrecognized option or missing or extra parameter(s) in /etc/openvpn/ovpnauth.conf:1: vpnuser=$1$kY9... (2.4.5)
Sun Jan  5 14:12:35 2020 daemon.warn openvpn(ovpnauth)[2977]: Use --help for more information.

What you are trying to do, is not what you want. A runtime password entry on the server will require you to be logged in to the router to enter the password every time the server starts up. If you are away from home working via VPN and there is a power failure at home, the server cannot automatically restart and you will be unable to use the VPN.


Yes. I see... you're right...

Pointing out another rookie mistake here. OpenVPN will attempt to read and parse any file named .conf in /etc/config/openvpn. If you have a file for another OpenVPN configuration you don't want to use now, or in this case it was a file for a program other than OpenVPN, it will cause problems. Thus there is the convention to name OpenVPN config files .ovpn instead of .conf. In general try to keep /etc/openvpn free of clutter.
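As an added example (not from the thread or from mk24), here is what the user-pass check mentioned earlier looks like as an auth-user-pass-verify "via-file" script on the OpenWrt server, used on top of certificates and with its credentials file kept out of /etc/openvpn so nothing there ends with .conf; the paths, the users.txt format and the sha256sum-based hashing are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: an auth-user-pass-verify script for the
# OpenWrt server using the "via-file" method, on top of certificates, not
# instead of them. Assumed server config lines:
#   script-security 2
#   auth-user-pass-verify /etc/openvpn/auth/verify.sh via-file
# Credentials are "user:salt:sha256(salt+password)" in a file that is neither
# named *.conf nor kept directly in /etc/openvpn, because the OpenWrt init
# script starts an OpenVPN instance for every /etc/openvpn/*.conf it finds.
set -u

USERS_FILE="${USERS_FILE:-/etc/openvpn/auth/users.txt}"

hash_pw() {  # $1 = salt, $2 = password
  printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# Admin helper: add a user with a fresh random salt.
add_user() {
  salt=$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')
  printf '%s:%s:%s\n' "$1" "$salt" "$(hash_pw "$salt" "$2")" >> "$USERS_FILE"
}

# OpenVPN passes a temp file: line 1 username, line 2 password.
# Exit 0 accepts the client, anything else rejects it.
verify_creds() {
  user=$(sed -n '1p' "$1")
  pass=$(sed -n '2p' "$1")
  case "$user" in
    ''|*[!A-Za-z0-9_.-]*) return 1 ;;   # reject empty or odd usernames up front
  esac
  # exact match on the first field, so no regex surprises from the username
  entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$USERS_FILE")
  [ -n "$entry" ] || return 1
  salt=$(printf '%s' "$entry" | cut -d: -f2)
  stored=$(printf '%s' "$entry" | cut -d: -f3)
  [ "$(hash_pw "$salt" "$pass")" = "$stored" ]
}

# When OpenVPN runs the script, the temp file is the only argument.
if [ $# -ge 1 ]; then
  verify_creds "$1"
  exit $?
fi
```

The script must be executable by root only, and the server still verifies the client certificate first; a stolen client.ovpn alone then fails at the username/password step.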

Thanks Mike! Regards