Easy-RSA OpenVPN Server Setup Help

Hi,

I am having some problems setting up a basic "road warrior" style VPN server; hopefully somebody can point out the mistake I am making.

I am running a Linksys WRT1900ACS with firmware "Lede Reboot SNAPSHOT r5032-9e9696afc8 / LuCI Master (git-17.281.27378-2d011a5)" (davidc502 prebuilt firmware).

I am using the OpenVPN Server guide found here as a rough guide. My firmware is using Easy-RSA 3 so the commands differ from the guide.

Here is the setup process I am using:

mkdir /etc/config/openvpn-config
mv /etc/easy-rsa/* /etc/config/openvpn-config/
rm -rf /etc/easy-rsa/
ln -s /etc/config/openvpn-config/ /etc/easy-rsa

cd /etc/easy-rsa/
easyrsa init-pki

nano vars

I then add the following to the vars file:

set_var EASYRSA_REQ_COUNTRY "GB"
set_var EASYRSA_REQ_PROVINCE "London"
set_var EASYRSA_REQ_CITY "London"
set_var EASYRSA_REQ_ORG "OpenVPN"
set_var EASYRSA_REQ_EMAIL "email at gmail .com"
set_var EASYRSA_REQ_OU "myhost.ddns .net"
set_var EASYRSA_KEY_SIZE 2048

easyrsa build-ca nopass
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:myhost.ddns.net

easyrsa gen-dh
easyrsa build-server-full vpnserver nopass
openvpn --genkey --secret /etc/easy-rsa/pki/ta.key

nano /etc/config/openvpn

I then add the following to the openvpn file:

config openvpn 'vpnserver'
option enabled '1'
option dev 'tun'
option port '1194'
option proto 'udp'
option status '/var/log/openvpn_status.log'
option log '/tmp/openvpn.log'
option verb '3'
option mute '5'
option keepalive '10 120'
option persist_key '1'
option persist_tun '1'
option user 'nobody'
option group 'nogroup'
option ca '/etc/easy-rsa/pki/ca.crt'
option cert '/etc/easy-rsa/pki/issued/vpnserver.crt'
option key '/etc/easy-rsa/pki/private/vpnserver.key'
option dh '/etc/easy-rsa/pki/dh.pem'
option mode 'server'
option tls_server '1'
option tls_auth '/etc/easy-rsa/pki/ta.key 0'
option server '10.8.0.0 255.255.255.0'
option topology 'subnet'
option route_gateway 'dhcp'
option client_to_client '1'
list push 'persist-key'
list push 'persist-tun'
list push 'redirect-gateway def1'
# allow your clients to access to your network
list push 'route 192.168.0.0 255.255.255.0'
# push DNS to your clients
list push 'dhcp-option DNS 192.168.0.1'
option comp_lzo 'no'

I then follow the rest of the guide to setup the networking/firewalling.

/etc/init.d/openvpn start

Server appears to startup fine:

Wed Oct 18 19:38:58 2017 OpenVPN 2.4.4 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed Oct 18 19:38:58 2017 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Wed Oct 18 19:38:58 2017 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Wed Oct 18 19:38:58 2017 Diffie-Hellman initialized with 2048 bit key
Wed Oct 18 19:38:58 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Oct 18 19:38:58 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Oct 18 19:38:58 2017 TUN/TAP device tun0 opened
Wed Oct 18 19:38:58 2017 TUN/TAP TX queue length set to 100
Wed Oct 18 19:38:58 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Oct 18 19:38:58 2017 /sbin/ifconfig tun0 10.8.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Wed Oct 18 19:38:58 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed Oct 18 19:38:58 2017 Socket Buffers: R=[163840->163840] S=[163840->163840]
Wed Oct 18 19:38:58 2017 UDPv4 link local (bound): [AF_INET][undef]:1194
Wed Oct 18 19:38:58 2017 UDPv4 link remote: [AF_UNSPEC]
Wed Oct 18 19:38:58 2017 GID set to nogroup
Wed Oct 18 19:38:58 2017 UID set to nobody
Wed Oct 18 19:38:58 2017 MULTI: multi_init called, r=256 v=256
Wed Oct 18 19:38:58 2017 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Wed Oct 18 19:38:58 2017 Initialization Sequence Completed

easyrsa build-client-full user1 nopass
cd pki/
nano Default.txt

I create the Default.txt as instructed in the guide:

client
dev tun
proto udp
remote myhost.ddns .net 1194
resolv-retry infinite
nobind
mute-replay-warnings
ns-cert-type server
key-direction 1
verb 1
mute 20
comp-lzo no

mv ./issued/user1.crt ./
openssl rsa -in /etc/easy-rsa/pki/private/user1.key -des3 -out /etc/easy-rsa/pki/user1.3des.key
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

I then downloaded & executed the script as instructed

root@LEDE:/etc/config/openvpn-config/pki# ./MakeOpenVPN.sh
Please enter an existing Client Name:
user1
Client's cert found: user1
Client's Private Key found: user1.3des.key
CA public Key found: ca.crt
tls-auth Private Key found: ta.key
Done! user1.ovpn Successfully Created.

The generated user1.ovpn file:

client
dev tun
proto udp
remote myhost.ddns .net 1194
resolv-retry infinite
nobind
mute-replay-warnings
ns-cert-type server
key-direction 1
verb 1
mute 20
comp-lzo no
#uncomment for Windows 7 clients
#route-method exe
#route-delay 2

<ca>
-----BEGIN CERTIFICATE-----
MIIDR..SNIP...EFvkA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIDQzCC..SNIP...8VqSg=
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,25E8FAAA76CFCFCF

lPD1H..SNIP...V936vPG
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
#2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
457f1..SNIP...63
-----END OpenVPN Static key V1-----
</tls-auth>

I copied this over to my client machine and on connection I get the following error messages:

Client Log:

Wed Oct 18 19:53:59 2017 OpenVPN 2.4.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on May 11 2017
Wed Oct 18 19:53:59 2017 Windows version 6.1 (Windows 7) 64bit
Wed Oct 18 19:53:59 2017 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.10
Enter Management Password:
Wed Oct 18 19:53:59 2017 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Wed Oct 18 19:54:02 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Oct 18 19:54:02 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]123.123.123.123:1194
Wed Oct 18 19:54:02 2017 UDP link local: (not bound)
Wed Oct 18 19:54:02 2017 UDP link remote: [AF_INET]123.123.123.123:1194
Wed Oct 18 19:54:02 2017 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Wed Oct 18 19:54:02 2017 TLS_ERROR: BIO read tls_read_plaintext error
Wed Oct 18 19:54:02 2017 TLS Error: TLS object -> incoming plaintext read error
Wed Oct 18 19:54:02 2017 TLS Error: TLS handshake failed
Wed Oct 18 19:54:02 2017 SIGUSR1[soft,tls-error] received, process restarting
Wed Oct 18 19:54:07 2017 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Wed Oct 18 19:54:07 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]123.123.123.123:1194
Wed Oct 18 19:54:07 2017 UDP link local: (not bound)
Wed Oct 18 19:54:07 2017 UDP link remote: [AF_INET]123.123.123.123:1194
Wed Oct 18 19:54:09 2017 SIGTERM[hard,] received, process exiting

Server Log:

Wed Oct 18 19:54:02 2017 123.123.123.123:63767 TLS: Initial packet from [AF_INET]123.123.123.123:63767, sid=0d018689 ea1e37f4
Wed Oct 18 19:54:07 2017 123.123.123.123:63768 TLS: Initial packet from [AF_INET]123.123.123.123:63768, sid=0c9125d8 0a99df45
Wed Oct 18 19:55:02 2017 123.123.123.123:63767 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Oct 18 19:55:02 2017 123.123.123.123:63767 TLS Error: TLS handshake failed
Wed Oct 18 19:55:02 2017 123.123.123.123:63767 SIGUSR1[soft,tls-error] received, client-instance restarting

(I have added the extra space to myhost.ddns .net to get this forum thread to post; it's not a typo.)

I appreciate any help trying to resolve this.

Thanks

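The client log above already names the likely culprit: "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead." The `ns-cert-type server` directive in the client profile checks the legacy Netscape nsCertType extension on the server certificate, but a server certificate issued by Easy-RSA 3 `build-server-full` carries extendedKeyUsage (TLS Web Server Authentication) and keyUsage instead, so the check cannot match and the client rejects the certificate with "certificate verify failed" before the server ever sees a completed handshake (hence the server's 60-second timeout). The script below is an added example, not part of the original post, the wiki guide, or the MakeOpenVPN.sh script: it inspects a server certificate's extensions to decide which client directive it can satisfy, rewrites a client profile to `remote-cert-tls server`, and sanity-checks the tls-auth key directions (the server config's `tls_auth '... 0'` pairs with the client's `key-direction 1`). The `cert_text` wrapper assumes `openssl` is installed; the extension excerpts embedded at the bottom are constructed samples, not output from the poster's PKI.

```shell
#!/bin/sh
# Added example: diagnose and fix the server-certificate check in an OpenVPN
# client profile built for an Easy-RSA 3 server. Not from the original post.

# Dump a certificate as text (wrapper around openssl; the path is caller-supplied,
# e.g. /etc/easy-rsa/pki/issued/vpnserver.crt).
cert_text() {
    openssl x509 -in "$1" -noout -text
}

# stdin: "openssl x509 -text" output. Succeeds if the legacy extension that
# "ns-cert-type server" looks for is present (Netscape Cert Type: SSL Server).
has_ns_cert_type_server() {
    awk '/Netscape Cert Type:/ { getline; if ($0 ~ /SSL Server/) found = 1 }
         END { exit !found }'
}

# stdin: "openssl x509 -text" output. Succeeds if extendedKeyUsage contains
# serverAuth, which is what "remote-cert-tls server" verifies.
has_eku_server_auth() {
    grep -q 'TLS Web Server Authentication'
}

# stdin: "openssl x509 -text" output. Prints the client directive this server
# certificate can satisfy, preferring the non-deprecated one, or "none".
server_cert_directive() {
    text=$(cat)
    if printf '%s\n' "$text" | has_eku_server_auth; then
        echo "remote-cert-tls server"
    elif printf '%s\n' "$text" | has_ns_cert_type_server; then
        echo "ns-cert-type server"
    else
        echo "none"
    fi
}

# stdin: a client .ovpn profile. stdout: the same profile with the deprecated
# ns-cert-type check replaced by remote-cert-tls.
fix_client_profile() {
    sed -e 's/^ns-cert-type server$/remote-cert-tls server/'
}

# tls-auth directions must be complementary: the "0" at the end of the server's
# "tls_auth '<file> 0'" pairs with "key-direction 1" on the client (or vice versa).
tls_auth_directions_ok() {
    case "$1$2" in
        01|10) return 0 ;;
        *)     return 1 ;;
    esac
}

# Constructed sample (not real output): extensions of a server certificate
# issued by Easy-RSA 3 "build-server-full". No Netscape Cert Type extension.
EASYRSA3_SERVER_EXTENSIONS='        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment'

# Constructed sample (not real output): a certificate carrying only the legacy
# Netscape extension, the one case where ns-cert-type server would still work.
LEGACY_NS_ONLY_EXTENSIONS='        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server'

# Usage: sh check_server_cert.sh /etc/easy-rsa/pki/issued/vpnserver.crt
if [ "$#" -gt 0 ]; then
    cert_text "$1" | server_cert_directive
fi
```

Run it against the real server certificate on the router; for an Easy-RSA 3 PKI it prints `remote-cert-tls server`, which is the line to put in Default.txt in place of `ns-cert-type server` before regenerating the .ovpn. The `--ns-cert-type` fallback is only ever satisfied by certificates built with the Netscape extension enabled, which Easy-RSA 3 does not do by default.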

I didn't find key-direction 0 in your server file, and key-direction 1 on your client is OK; I guess this may be an issue.

It's included here:

However the topic is outdated.


@engfabiom, if you need a guide, follow the link:
