Hello,
I am running the latest OpenWrt (19.7.3) on a TP-Link Archer C7 AC1750 v5 and have a problem setting up OpenVPN. With NetworkManager on Debian Buster I don't even reach the server, and since NM on Debian is a bit buggy I tried it from the CLI instead:
# openvpn --config /etc/openvpn/home.ovpn
On the Debian client I get the following in syslog:
Thu Jun 18 20:37:27 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Jun 18 20:37:27 2020 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Jun 18 20:37:27 2020 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Jun 18 20:37:27 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]10.0.30.1:1194
Thu Jun 18 20:37:27 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Jun 18 20:37:27 2020 UDP link local: (not bound)
Thu Jun 18 20:37:27 2020 UDP link remote: [AF_INET]10.0.30.1:1194
Thu Jun 18 20:37:27 2020 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Thu Jun 18 20:37:27 2020 TLS: Initial packet from [AF_INET]10.0.30.1:1194, sid=2d8f09bd f60a6f48
Thu Jun 18 20:37:27 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Jun 18 20:37:27 2020 VERIFY OK: depth=1, CN=Easy-RSA CA
Thu Jun 18 20:37:27 2020 VERIFY KU OK
Thu Jun 18 20:37:27 2020 Validating certificate extended key usage
Thu Jun 18 20:37:27 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Jun 18 20:37:27 2020 VERIFY EKU OK
Thu Jun 18 20:37:27 2020 VERIFY OK: depth=0, CN=server
Thu Jun 18 20:38:27 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Jun 18 20:38:27 2020 TLS Error: TLS handshake failed
Thu Jun 18 20:38:27 2020 SIGUSR1[soft,tls-error] received, process restarting
Thu Jun 18 20:38:27 2020 Restart pause, 5 second(s)
On OpenWrt, /var/log/openvpn.log shows the same attempt (the router's clock is two hours behind the client's -- presumably UTC vs. local time -- so 18:37 here corresponds to 20:37 above):
Thu Jun 18 18:37:26 2020 10.0.30.200:47828 TLS: Initial packet from [AF_INET]10.0.30.200:47828, sid=8f289a13 9eead910
Thu Jun 18 18:37:26 2020 10.0.30.200:47828 peer info: IV_VER=2.4.7
Thu Jun 18 18:37:26 2020 10.0.30.200:47828 peer info: IV_PLAT=linux
Thu Jun 18 18:37:26 2020 10.0.30.200:47828 peer info: IV_PROTO=2
Thu Jun 18 18:37:26 2020 10.0.30.200:47828 peer info: IV_NCP=2
Thu Jun 18 18:37:26 2020 10.0.30.200:47828 peer info: IV_LZ4=1
Thu Jun 18 18:37:26 2020 10.0.30.200:47828 peer info: IV_LZ4v2=1
Thu Jun 18 18:37:26 2020 10.0.30.200:47828 peer info: IV_LZO=1
Thu Jun 18 18:37:26 2020 10.0.30.200:47828 peer info: IV_COMP_STUB=1
Thu Jun 18 18:37:26 2020 10.0.30.200:47828 peer info: IV_COMP_STUBv2=1
Thu Jun 18 18:37:26 2020 10.0.30.200:47828 peer info: IV_TCPNL=1
Thu Jun 18 18:37:26 2020 10.0.30.200:47828 peer info: IV_HWADDR=3c:97:0e:41:32:fc
Thu Jun 18 18:37:26 2020 10.0.30.200:47828 peer info: IV_SSL=OpenSSL_1.1.1d__10_Sep_2019
Thu Jun 18 18:37:26 2020 10.0.30.200:47828 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
Thu Jun 18 18:37:26 2020 10.0.30.200:47828 TLS Auth Error: Auth Username/Password verification failed for peer
Thu Jun 18 18:37:26 2020 10.0.30.200:47828 SIGTERM[soft,auth-control-exit] received, client-instance exiting
Here is my server config. (Note that the server log already names the failure: the --auth-user-pass-verify script exited with status 1, the server then terminated the client instance, and the client only saw that as the 60-second TLS negotiation timeout.)
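# OpenVPN server instance on the OpenWrt router (UCI syntax: each 'option'
# maps to the OpenVPN directive of the same name with '_' written as '-').
# Note that 'uci commit' / LuCI rewrite this file and drop '#' comments.
config openvpn 'homevpn'
option local '10.0.30.1'
option enabled '1'
option dev 'tun'
option port '1194'
# NOTE(review): compresses tunnelled data before encryption. The client
# config sets 'comp-lzo' as well, so the two must stay in step; compression
# inside an encrypted tunnel is generally discouraged -- consider removing it
# on both ends once the connection works.
option comp_lzo 'yes'
option status '/var/log/openvpn_status.log'
option log '/var/log/openvpn.log'
option mute '5'
option keepalive '10 120'
# Keep key material and the tun device across restarts; needed because the
# daemon cannot re-read the key or re-open tun after dropping privileges.
option persist_key '1'
option persist_tun '1'
# The daemon drops to nobody/nogroup after start-up. The auth script below
# runs per connection, i.e. presumably as this user -- the script, its
# interpreter and any credentials file it reads must be accessible to it.
# TODO confirm by running the script by hand as 'nobody' on the router.
option user 'nobody'
option group 'nogroup'
option ca '/etc/openvpn/easyrsa/pki/ca.crt'
option cert '/etc/openvpn/easyrsa/pki/issued/server.crt'
option key '/etc/openvpn/easyrsa/pki/private/server.key'
option dh '/etc/openvpn/easyrsa/pki/dh.pem'
option mode 'server'
option tls_server '1'
option server '10.8.0.0 255.255.255.0'
option route_gateway 'dhcp'
option client_to_client '1'
# Control-channel HMAC; key_direction 0 here, 1 on the client.
option tls_auth '/etc/openvpn/easyrsa/pki/private/ta.key 0'
option key_direction '0'
option duplicate_cn '1'
option sndbuf '393216'
option rcvbuf '393216'
option auth 'SHA256'
option cipher 'AES-256-CBC'
# NOTE(review): no client certificates are required and duplicate_cn allows
# several concurrent sessions under one name, so ta.key plus the
# username/password checked by ovpnauth.sh are the only things gating
# access. Fine for a home VPN, but treat ta.key and the credentials file as
# secrets (readable by the daemon user only).
option verify_client_cert 'none'
option username_as_common_name '1'
# Options pushed to clients. 'user' and 'group' were removed from this list:
# they are not pushable (the --push manual list excludes options that change
# client privileges) and a client logs an Options error for them; the client
# config already sets them locally.
list push 'comp-lzo yes'
list push 'persist-key'
list push 'persist-tun'
list push 'topology subnet'
list push 'route-gateway dhcp'
# Send all client traffic through the tunnel, keeping the client's local
# DHCP reachable.
list push 'redirect-gateway def1 bypass-dhcp'
list push 'route 10.0.30.0 255.255.255.0'
list push 'dhcp-option DNS 10.0.30.1'
list push 'dhcp-option DNS 1.1.1.1'
list push 'sndbuf 393216'
list push 'rcvbuf 393216'
option verb '3'
# via-file: OpenVPN writes the username and password to a temporary file and
# passes its path as the script's first argument; exit status 0 accepts the
# login, anything else rejects it. The server log shows this script exiting
# with status 1, which is what the client sees as a TLS timeout.
option auth_user_pass_verify '/etc/openvpn/config/ovpnauth.sh via-file'
# Level 2 is required for OpenVPN to execute an external script at all.
option script_security '2'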
And the client config:
###############################################################################
# OpenVPN Client Configuration for Remote Access VPN at Home
###############################################################################
# Specify that we are a client
client
# Server address and port (currently the router's LAN IP, see the server
# config's 'local' option; not reachable from the internet).
remote 10.0.30.1 1194
# TUN server
dev tun
# VPN protocol
proto udp
# allow a remote peer to change its IP address and/or port number
# Essentially, --float tells OpenVPN to accept authenticated packets
# from any address, not only the address which was specified in the --remote option.
# NOTE(review): safe only because tls-auth below authenticates every packet;
# do not keep 'float' without tls-auth/tls-crypt.
float
# Set output verbosity to n (default=1).
verb 3
# Push additional information about the client to server.
# Note this includes the client's MAC address (IV_HWADDR), as seen in the
# server log.
push-peer-info
# Keep trying indefinitely to resolve the host name of the OpenVPN server. Very useful
resolv-retry infinite
# Most clients don't need to bind to a specific local port number.
nobind
# Downgrade privileges after initialization (uncomment for non-Windows only)
user nobody
group nogroup
# Try to preserve some state across restarts.
persist-key
persist-tun
# Enable compression on the VPN link. Don't enable this unless it is also enabled in the server config file.
# NOTE(review): compression inside an encrypted tunnel is generally
# discouraged; consider removing it on both ends once the link works.
comp-lzo
# Authentication with user/password on server depending on the module in use.
# The client log warns that the password may be cached in memory; adding
# 'auth-nocache' prevents that, at the cost of being prompted again on
# renegotiation unless the server issues an auth token.
auth-user-pass
###########################################################################
# This script uses the resolvconf utility to update DNS information for Linux clients.
# NOTE(review): after 'user nobody' above the 'down' script presumably runs
# without root and may fail to restore resolv.conf -- check the client log
# on disconnect once the tunnel comes up.
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
###########################################################################
# TLS-Settings for authentication of the connection from client to server
tls-client
# Require the server certificate to carry the server EKU (verified OK in the
# client log), so a stolen client-side certificate cannot impersonate the server.
remote-cert-tls server
# Encrypt data channel packets with cipher algorithm AES-256-CBC (matches the server's 'cipher' option)
cipher AES-256-CBC
# Authenticate packets with HMAC using message digest algorithm SHA256.
auth SHA256
# Must be the opposite of the server's key_direction (0 there, 1 here).
key-direction 1
# Certificate and key material below is redacted in this post.
<ca>
-----BEGIN CERTIFICATE-----
ca.crt
-----END CERTIFICATE-----
</ca>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
ta.key
-----END OpenVPN Static key V1-----
</tls-auth>
The ovpnauth.sh script is the one from GitHub ("here" in the original post was a link). I tried almost everything the internet suggested: changing script-security, using via-env instead of via-file, putting the script body in a function and calling it at the end of the file, and a lot of odd suggestions, but none has worked for me. Since the server log says the script itself exited with status 1, running it by hand on the router -- as the `nobody` user the daemon drops to, with a test credentials file as its first argument -- should show the actual error (a missing interpreter is a common cause: OpenWrt ships BusyBox ash, not bash).
For now I cannot afford any downtime in our internet connection (the gateway is another TP-Link, also running OpenWrt), which is why I am testing with the LAN IP of the new TP-Link, which is not reachable from the internet.
Thanks for any help.