How do I connect the client to the router (OpenWRT 18.06.5), following the steps of the How to Setup a tor OpenVPN Server tutorial (which could use some cleaning up*)?
I've signed the torvpnclient on the router as instructed, but after exporting torvpnclient.ovpn to the client (Raspbian Buster) and doing 'openvpn --cd ~/vpnfiles/ --config ~/vpnfiles/torvpnclient.ovpn' there, I get this error:
```
Sat Dec 07 23:49:37 2019 OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Sat Dec 07 23:49:37 2019 library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
Enter Private Key Password: ***********
Sat Dec 07 23:49:40 2019 WARNING: Your certificate is not yet valid!
Sat Dec 07 23:49:40 2019 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sat Dec 07 23:49:40 2019 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Dec 07 23:49:40 2019 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sat Dec 07 23:49:40 2019 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Dec 07 23:49:40 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.0.1:666
Sat Dec 07 23:49:40 2019 Socket Buffers: R=[163840->163840] S=[163840->163840]
Sat Dec 07 23:49:40 2019 UDP link local: (not bound)
Sat Dec 07 23:49:40 2019 UDP link remote: [AF_INET]192.168.0.1:666
Sat Dec 07 23:49:40 2019 TLS: Initial packet from [AF_INET]192.168.0.1:666, sid=6be0a0ad 2acd6ffa
Sat Dec 07 23:49:41 2019 VERIFY ERROR: depth=1, error=certificate is not yet valid: C=UK, ST=Yorkshire, O=tor-Infraverse
Sat Dec 07 23:49:41 2019 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Sat Dec 07 23:49:41 2019 TLS_ERROR: BIO read tls_read_plaintext error
Sat Dec 07 23:49:41 2019 TLS Error: TLS object -> incoming plaintext read error
Sat Dec 07 23:49:41 2019 TLS Error: TLS handshake failed
Sat Dec 07 23:49:41 2019 SIGUSR1[soft,tls-error] received, process restarting
Sat Dec 07 23:49:41 2019 Restart pause, 5 second(s)
```
What steps am I missing? (The tut doesn't cover this)
Also, once I have established the tunnel, will all the network traffic automatically go through it and other traffic be blocked, or do I have to do more configuring on the client side?
- The previously followed guides expected by section "Use-Case Scenario" are no prerequisite to it? And their settings (e.g. outdated manual EasyRSA download & execution) partially contradict the tutorial? (e.g. /etc/tor/torrc DNSPort 0.0.0.0:9053, which also results in: "daemon.warn Tor: You specified a public address '0.0.0.0:9053' for DNSPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.")
- Section "create-certs.sh" seems superfluous/confusing when only section "01.create-certs.tor.sh" needs to be done?
- Section "2. config interface 'torvpn'" is messy and lists too many unrelated slave and lanvpn interfaces (+no mention of the config location: vi /etc/config/network)
- Section "3. This configuration has multiple VPNs" also (+no vi /etc/config/openvpn)
- Section "4. Configurations for the firewall" ditto (+missing vi /etc/config/firewall)
- Section "7. Create the end-users torvpnclient.ovpn file" erroneously points to VPN_DIR="/etc/openvpn/tor" instead of the previously created PKI_DIR="$VPN_DIR/ssl"
- And the overall language is a little too cryptic and unclear imo. Otherwise it's pretty good and the only viable guide I could find. I'd like to fix this once it works; unfortunately, so far I'm still the target audience (a noob).
P.S. Another interesting tutorial complementing this would be an open IsolatingProxy by extra interface (e.g. on eth0.3 + wlan AP) as suggested by the Tor Project itself (i.e. only accepting Tor's SocksPort (and only DNS/TCP) connections, and dropping the rest).