How to start openvpn client from the command line?

Hi,

on my router (19.07.7) I have an openvpn client installed and I can configure, start and stop it via the web-interface.

But I cannot figure out how to start it from the command line.

I would have expected something like "sudo /etc/init.d/openvpn start" (yes - I treat my router a bit like a linux-system and log in via a non-root user and have sudo installed) but that does not seem to do anything (it does not throw any error either).

So with everything in place, openvpn installed and working via lucy with a valid opvn-file in /etc/openvpn/ovpn1: How do I start the client from the command line?

Many thanks!

Remove the sudo. Openwrt runs with the root user.

This will look to the openvpn.conf file for the config to start.

See the section "Starting the client"

First of all (as I explained above) I do (ususally) not log into my router as root. I have created a non-root user and have setup sudo for it. With this user I evidently need to use sudo.

I have now tried to log in as root and run the command without sudo and the behaviour (as expected) is identical. No error - but no started client either.

This is not working for me.

If I run (as root) "openvpn /etc/openvpn/ovpn1/myfile.ovpn" an openvpn process is started but it does not work properly - I lose all internet access until I kill it again.

You might ask on the OpenVPN forum -

https://forums.openvpn.net/

Ok, but it works in principal (via lucy).

Is there no way to figure out what lucy is doing when I press the "connect" button?

Check the Troubleshooting sections on the OpenVPN page posted above, and the OpenWRT wiki.

Run logread | grep openvpn and look for clues.

All I see when I connect via the GUI is this:

Tue May  3 01:10:34 2022 user.info : 1246: gl-vpn-client>> Start, vpnpath=/etc/openvpn/ovpn1, serverfile=Windscribe-London-Crumpets-GNS.ovpn
Tue May  3 01:10:34 2022 user.info : 1323: gl-vpn-client>> glconfig.openvpn.ovpn=/etc/openvpn/ovpn1/Windscribe-London-Crumpets-GNS.ovpn, glconfig.openvpn.clientid=ovpn1

That indicates that the proper ovpn-file is used but it does not show me the command line...

It looks like you are using the GL-inet firmware, which is based on OpenWrt, but is different. Can you confirm if you have loaded an official version of OpenWrt or if you are using the stock firmware?

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
grafik

ubus call system board

Running top or htop will show the command line of the running process.

The log should show why it failed on the command line.

logread | grep 'warn\|err'

At least on the official OpenWrt builds, the LuCI OpenVPN app triggers /etc/init.d/openvpn start -- and when it does this, it will look for the OpenVPN configuration that is enabled in /etc/config/openvpn -- it's as simple as that.

As I mentioned in my previous post, you may be running a GL-inet version of OpenWrt which may operate differently. Please confirm the version you are running.

ubus call system board
{
        "kernel": "4.14.221",
        "hostname": "GL-AR300M",
        "system": "Qualcomm Atheros QCA9533 ver 2 rev 0",
        "model": "GL.iNet GL-AR300M (NAND)",
        "board_name": "glinet,gl-ar300m-nand",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.7",
                "revision": "r11306-c4a6851c72",
                "target": "ath79/nand",
                "description": "OpenWrt 19.07.7 r11306-c4a6851c72"
        }
}

ok... good. So that looks like it is probably the official OpenWrt build. I would recommend upgrading to 19.07.10 (which is the latest, but the 19.07 series is now officially EOL), or better yet 21.02.3.

Let's take a look at your config files (as mentioned below -- please redact any sensitive info:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/openvpn

Then, try to start the VPN by issuing:
/etc/init.d/openvpn start
and provide the log that results from that (again, redact any private details)

Hello! Have you found a solution? Because I've a TRENDnet router (TWG-431BR) which have a subset of openwrt installed with openvpn. And as you said when I connect from the cli I loose the internet connection. In the trendnet webapp I can only create a openvpn server.

Your device is not supported by the official OpenWrt Project (it doesn't show up in the table of hardware)

This is not official OpenWrt.

You should ask the provider of the firmware (Trendnet or a 3rd party) since this is not OpenWrt and a "subset" will not work the same way that the real openwrt firmware does.

How can I make this pick out specific ovpns to launch? It's great that I can have my 3 default ovpns that I want started up, but when I have a race-condition scenario where they are all connecting simultaneously due to a WAN revival, I'd like to stagger them but that doesn't seem possible. There's not a command that exists from the reading in any of the links given here.

When I used the command openvpn /etc/openvpn/myconfig.ovpn via ssh into the root of my openwrt router, it said it got started up, but refreshing the luci at http://192.168.1.1/cgi-bin/luci/admin/vpn/openvpn did not show the connection for "myconfig.ovpn" as running. The terminal said it was, but not luci, so we have a disconnect. So that's why I tried the /etc/init.d/openvpn start as suggested here, and that re-starts any that I have manually clicked Stop on in the luci but leave with the Enabled checkmark. That's how you explained it would work. That's great! The next step is to figure out how to make it specific per configuration. So I can run /etc/init.d/openvpn/myconfig1 start and sleep 10 then /etc/init.d/openvpn/myconfig2 inside of the /etc/rc.local but unfortunately me making up code doesn't work and I can't find anything similar in the wiki.

To the extent we have the command service openvpn restart that seems improper. I could edit the individual .ovpn config files and include a rule down service openvpn restart but that means if I have 1 out of 3 servers go down, then the whole service restarts, taking everything down with it for a while until we can establish all 3 as simultaneously up and that actively makes the problem worse for a race condition. That race condition is validating with a commercial service; it'll work great for one vpn connection being established at a time, but nothing gets through if they all try to connect simultaneously.

Edit: Digging around in the code for /etc/init.d/openvpn, it gets cheeky with variables, etc. I'm thinking my solution should be editing this chunk of code. ORiginally it is

                 for path in /etc/openvpn/*.conf; do
235                         if [ -f "$path" ]; then
236                                 name="${path##*/}"; name="${name%.conf}"
237
238                                 # don't start configs again that are already started by uci
239                                 if echo "$UCI_STARTED" | grep -qxF "$path"; then
240                                         continue
241
242                                 # don't start configs which are set to disabled in uci
243                                 elif echo "$UCI_DISABLED" | grep -qxF "$path"; then
244                                         logger -t openvpn "$name.conf is disabled in /etc/config/o>
245                                         continue
246                                 fi
247
248                                 get_openvpn_option "$path" up up || up=""
249                                 get_openvpn_option "$path" down down || down=""
250                                 openvpn_add_instance "$name" "${path%/*}" "$path" "" "$up" "$down"
251                         fi
252                 done

If I take line 247 and put some sleep 10 in there, it should delay connecting to the vpns... At the moment testing the home network by taking everything offline isn't great so I haven't tried this yet. This serves as a memo to myself on what I did. I made the change, but will wait to test it until later.