Error when setting up OpenVPN

Hi,

I get an error message when setting up the OpenVPN server, under the 1. Preparation section:


root@OpenWrt:~# easyrsa build-server-full server nopass

* No Easy-RSA 'vars' configuration file exists!

* Using SSL: openssl OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)


Easy-RSA error:

Option conflict:
* 'build-server-full' does not support setting an external commonName

EasyRSA Version Information
Version:     3.1.3
Generated:
SSL Lib:     OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)
Git Commit:
Source Repo: https://github.com/OpenVPN/easy-rsa
Host: 3.1.3 | nix | Linux | /bin/ash

root@OpenWrt:~#

Can someone help me?
Thank you

Regards

This is actually under section 2. Did you follow every step exactly in steps 1 and 2? Let's see the output of that entire process.

Also, before you get too deep into the configuration here, is there a reason you must use OpenVPN? I'd highly recommend considering WireGuard instead -- it is more modern, easier to set up, and much more performant than OpenVPN.

Yes, sorry, my mistake. Part 2

I have WireGuard on my NAS. I want to have both options (OpenVPN and WireGuard) available.

Ok.. fair enough. I actually do the same thing.

Regarding your error, make sure you execute every step exactly as it is written.... Can you do it again -- maybe we can spot an error along the way.

Find it here:

root@OpenWrt:~# opkg update
Downloading https://downloads.openwrt.org/snapshots/targets/mediatek/filogic/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_core
Downloading https://downloads.openwrt.org/snapshots/targets/mediatek/filogic/packages/Packages.sig
Signature check passed.
Downloading https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/base/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_base
Downloading https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/base/Packages.sig
Signature check passed.
Downloading https://downloads.openwrt.org/snapshots/targets/mediatek/filogic/kmods/5.15.120-1-b48693d8094a8b16c0c8ab3aad1a179e/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_kmods
Downloading https://downloads.openwrt.org/snapshots/targets/mediatek/filogic/kmods/5.15.120-1-b48693d8094a8b16c0c8ab3aad1a179e/Packages.sig
Signature check passed.
Downloading https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_luci
Downloading https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/luci/Packages.sig
Signature check passed.
Downloading https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_packages
Downloading https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/packages/Packages.sig
Signature check passed.
Downloading https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/routing/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_routing
Downloading https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/routing/Packages.sig
Signature check passed.
Downloading https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_telephony
Downloading https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/telephony/Packages.sig
Signature check passed.
root@OpenWrt:~# opkg install openvpn-openssl openvpn-easy-rsa
Package openvpn-openssl (2.5.8-3) installed in root is up to date.
Package openvpn-easy-rsa (3.1.3-1) installed in root is up to date.
root@OpenWrt:~# VPN_DIR="/etc/openvpn"
root@OpenWrt:~# VPN_PKI="/etc/easy-rsa/pki"
root@OpenWrt:~# VPN_PORT="1194"
root@OpenWrt:~# VPN_PROTO="udp"
root@OpenWrt:~# VPN_POOL="192.168.8.0 255.255.255.0"
root@OpenWrt:~# VPN_DNS="${VPN_POOL%.* *}.1"
root@OpenWrt:~# VPN_DN="$(uci -q get dhcp.@dnsmasq[0].domain)"
root@OpenWrt:~# NET_FQDN="$(uci -q get ddns.@service[0].lookup_host)"
root@OpenWrt:~# . /lib/functions/network.sh
root@OpenWrt:~# network_flush_cache
root@OpenWrt:~# network_find_wan NET_IF
root@OpenWrt:~# network_get_ipaddr NET_ADDR "${NET_IF}"
root@OpenWrt:~# if [ -n "${NET_FQDN}" ]
> then VPN_SERV="${NET_FQDN}"
> else VPN_SERV="${NET_ADDR}"
> fi
root@OpenWrt:~# cat << EOF > /etc/profile.d/easy-rsa.sh
> export EASYRSA_PKI="${VPN_PKI}"
> export EASYRSA_TEMP_DIR="/tmp"
> export EASYRSA_REQ_CN="ovpnca"
> export EASYRSA_CERT_EXPIRE="3650"
> export EASYRSA_BATCH="1"
> EOF
root@OpenWrt:~# . /etc/profile.d/easy-rsa.sh
root@OpenWrt:~# easyrsa init-pki

Notice
------
'init-pki' complete; you may now create a CA or requests.

Your newly created PKI dir is:
* /etc/easy-rsa/pki

* Using Easy-RSA configuration:

* The preferred location for 'vars' is within the PKI folder.
  To silence this message move your 'vars' file to your PKI
  or declare your 'vars' file with option: --vars=<FILE>

* Using x509-types directory: /etc/easy-rsa/x509-types

root@OpenWrt:~# easyrsa gen-dh

* No Easy-RSA 'vars' configuration file exists!

* Using SSL: openssl OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)

Generating DH parameters, 2048 bit long safe prime
DH parameters appear to be ok.

Notice
------

DH parameters of size 2048 created at:
* /etc/easy-rsa/pki/dh.pem

root@OpenWrt:~# easyrsa build-ca nopass

* No Easy-RSA 'vars' configuration file exists!

* Using SSL: openssl OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)

Using configuration from /tmp/bab19f1f/temp.5.1
-----

Notice
------
CA creation complete. Your new CA certificate is at:
* /etc/easy-rsa/pki/ca.crt

root@OpenWrt:~# easyrsa build-server-full server nopass

* No Easy-RSA 'vars' configuration file exists!

* Using SSL: openssl OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)


Easy-RSA error:

Option conflict:
* 'build-server-full' does not support setting an external commonName

EasyRSA Version Information
Version:     3.1.3
Generated:
SSL Lib:     OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)
Git Commit:
Source Repo: https://github.com/OpenVPN/easy-rsa
Host: 3.1.3 | nix | Linux | /bin/ash

root@OpenWrt:~#

Thank you again

I’m not certain why you are getting that error.

I see you are running a snapshot version. Have you tried with a stable release?

I have a Xiaomi Redmi AX6000. It is currently at snapshot status.

Nevertheless, the problem is related to this,

  • No Easy-RSA 'vars' configuration file exists!

isn't it?
At the "easyrsa init-pki" step it starts to say things about "vars". I do not know if it is related.

* The preferred location for 'vars' is within the PKI folder.
  To silence this message move your 'vars' file to your PKI
  or declare your 'vars' file with option: --vars=<FILE>

The snapshots use a newer version of easyrsa (3.1.3) and there seem to be some changes.

	# Set commonName
	[ "$EASYRSA_REQ_CN" = ChangeMe ] || user_error "\
Option conflict:
* '$cmd' does not support setting an external commonName"
	EASYRSA_REQ_CN="$name"

If ChangeMe is used instead of ovpnca everything works (the Common Name is automatically set to Easy-RSA CA), but we should probably spend some time looking for a better option.

EDIT:

Replacing some of the commands seems to solve the problem and makes it possible to set a Common Name.

easyrsa --batch --req-cn="ovpnca" build-ca nopass
easyrsa gen-req server nopass
easyrsa sign-req server server
easyrsa gen-req client nopass
easyrsa sign-req client client

Generate certificates on PC.

It works. Can someone update the guide?


It does not work for me:

root@OpenWrt:~# easyrsa build-ca nopass

* No Easy-RSA 'vars' configuration file exists!

* Using SSL: openssl OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)

Using configuration from /tmp/9cd7906b/temp.5.1
-----



Notice
------
CA creation complete. Your new CA certificate is at:
* /etc/easy-rsa/pki/ca.crt

root@OpenWrt:~# easyrsa build-server-full server nopass

* No Easy-RSA 'vars' configuration file exists!

* Using SSL: openssl OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)


Easy-RSA error:

Option conflict:
* 'build-server-full' does not support setting an external commonName

EasyRSA Version Information
Version:     3.1.3
Generated:
SSL Lib:     OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)
Git Commit:
Source Repo: https://github.com/OpenVPN/easy-rsa
Host: 3.1.3 | nix | Linux | /bin/ash

You are not following the updated guide on key management.


What I understood is:

# Configuration parameters
cat << EOF > /etc/profile.d/easy-rsa.sh
export EASYRSA_PKI="${VPN_PKI}"
export EASYRSA_TEMP_DIR="/tmp"
export EASYRSA_CERT_EXPIRE="3650"
export EASYRSA_BATCH="1"
EOF
. /etc/profile.d/easy-rsa.sh
 
# Remove and re-initialize PKI directory
easyrsa init-pki
 
# Generate DH parameters
easyrsa gen-dh
 
# Create a new CA changing commonName if needed
easyrsa build-ca nopass
 
# Generate server keys and certificate
easyrsa build-server-full server nopass
openvpn --genkey tls-crypt-v2-server ${EASYRSA_PKI}/private/server.pem
 
# Generate client keys and certificate
easyrsa build-client-full client nopass
openvpn --tls-crypt-v2 ${EASYRSA_PKI}/private/server.pem \
--genkey tls-crypt-v2-client ${EASYRSA_PKI}/private/client.pem

isn't it?

Press Ctrl + F5 to reload the page. The updated commands are as follows:

# Create a new CA changing commonName if needed
easyrsa --batch --req-cn="ovpnca" build-ca nopass
 
# Generate server keys and certificate
easyrsa gen-req server nopass
easyrsa sign-req server server
openvpn --genkey tls-crypt-v2-server ${EASYRSA_PKI}/private/server.pem
 
# Generate client keys and certificate
easyrsa gen-req client nopass
easyrsa sign-req client client
openvpn --tls-crypt-v2 ${EASYRSA_PKI}/private/server.pem \
--genkey tls-crypt-v2-client ${EASYRSA_PKI}/private/client.pem
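
The guard quoted earlier in the thread fires whenever EASYRSA_REQ_CN holds anything other than ChangeMe, and a value exported from /etc/profile.d/easy-rsa.sh stays in the running shell until it is unset, even after the file is rewritten. The pre-flight check below is an added example, not part of the thread or of Easy-RSA: the function names are hypothetical, the sample profile is constructed from the session above, and extending the guard to build-client-full and build-serverClient-full is an assumption based on the `$cmd` placeholder in the quoted code.

```shell
#!/bin/sh
# Added example: find out where a conflicting EASYRSA_REQ_CN comes from
# before running an Easy-RSA 3.1.3 "full" build command.

# Value the guard quoted in the thread compares against.
EASYRSA_DEFAULT_CN="ChangeMe"

# Print the EASYRSA_REQ_CN value a profile file would set (last assignment wins).
# Accepts 'export NAME="x"' and 'NAME=x'; commented-out lines are ignored.
profile_req_cn() {
    [ -r "$1" ] || return 0
    sed -n -e 's/^[[:space:]]*export[[:space:]][[:space:]]*//' \
           -e 's/^[[:space:]]*EASYRSA_REQ_CN=//p' "$1" |
        tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Return 0 when command $1 would be rejected with request CN $2.
# Only build-server-full is confirmed by the error on this page; the other
# two "full" commands are assumed to share the same guard. Commands outside
# this list are not assessed and are never flagged.
would_conflict() {
    wc_cmd="$1"; wc_cn="$2"
    case "$wc_cmd" in
        build-server-full|build-client-full|build-serverClient-full) ;;
        *) return 1 ;;
    esac
    # Empty means "not set": the default applies and the guard passes.
    [ -n "$wc_cn" ] && [ "$wc_cn" != "$EASYRSA_DEFAULT_CN" ]
}

# Check both sources of the value: the running shell and the profile file.
# Prints one line per finding; returns 1 if anything was found, 0 otherwise.
check_easyrsa_cn() {
    chk_cmd="$1"; chk_profile="$2"; chk_status=0
    if would_conflict "$chk_cmd" "${EASYRSA_REQ_CN:-}"; then
        echo "env: EASYRSA_REQ_CN=${EASYRSA_REQ_CN} is set in this shell (unset EASYRSA_REQ_CN)"
        chk_status=1
    fi
    chk_file_cn="$(profile_req_cn "$chk_profile")"
    if would_conflict "$chk_cmd" "$chk_file_cn"; then
        echo "file: $chk_profile sets EASYRSA_REQ_CN=$chk_file_cn (remove that line)"
        chk_status=1
    fi
    return "$chk_status"
}

# Constructed sample: the profile written in the original session on this page.
demo_profile="$(mktemp)"
cat > "$demo_profile" << 'EOF'
export EASYRSA_PKI="/etc/easy-rsa/pki"
export EASYRSA_TEMP_DIR="/tmp"
export EASYRSA_REQ_CN="ovpnca"
export EASYRSA_CERT_EXPIRE="3650"
export EASYRSA_BATCH="1"
EOF
check_easyrsa_cn build-server-full "$demo_profile" ||
    echo "=> drop the export, or pass the CA name with --req-cn on build-ca only"
rm -f "$demo_profile"
```

On the router, run `check_easyrsa_cn build-server-full /etc/profile.d/easy-rsa.sh` in the same shell session that will run easyrsa, since that is the environment the guard sees.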

Thank you. Working now.
