Issues with OpenVPN Server Setup

Hello, and thanks for reading this.
I have been a Microsoft user since 1978 and I have decided to learn about Linux, so I purchased a shiny new Linksys WRT3200ACM router, and I was pleased how easily I got OpenWrt to run on it and with the nice GUI to set it up.
The reason I want OpenWrt is to run OpenVPN.
I found the doc about OpenVPN and I tried to follow it.
I got a lot of errors, such as:

 # Creating Directory Structure #

------------------------------------------------------------
: not foundrts.sh: line 5:
: not foundrts.sh: line 7:
: No such file or directory
./create-certs.sh: cd: line 10: can't cd to /etc/openvpn/ssl
: not foundrts.sh: line 11:
: not foundrts.sh: line 14:
: not foundrts.sh: line 15:


  # Customizing openssl.cnf #

------------------------------------------------------------
: not foundrts.sh: line 18:
: not foundrts.sh: line 20:
: No such file or directory
: No such file or directory
: No such file or directory
: No such file or directory
: No such file or directory
: No such file or directory
: No such file or directory
: No such file or directory
: not foundrts.sh: line 29:
: not foundrts.sh: line 39:
: not foundrts.sh: line 40:

and

  # Copying Certs & Keys to /etc/openvpn/ #

------------------------------------------------------------
: not foundrts.sh: line 66:
cp: can't stat 'ca.crt': No such file or directory
cp: can't stat 'my-server.*': No such file or directory
cp: can't stat 'my-client.*': No such file or directory
cp: can't stat 'tls-auth.key': No such file or directory

Also, after running the script create-certs.sh, I noticed that in /etc/openvpn there is a
folder named ssl?
and a file named ssl??
and I have no clue what a question mark signifies.

I am hoping someone can help me get OpenVPN running without errors.

Thanks in advance,
David

The link you included in your thread title is for creating an OpenVPN server...which means you want users (could be just you) to connect to you remotely using VPN.

In the event you just want to use VPN to connect to the Internet, follow these instructions...

OpenVPN Client Setup

jwoods, I am looking to set up the server, not the client.
Thanks for the reply.

Just wanted to confirm.

Did you get any errors on the first step?

opkg update && opkg install openvpn-openssl openssl-util luci-app-openvpn

OpenVPN Server Setup

No errors, and I ran the command again and got no errors:
Package openvpn-openssl (2.4.4-3) installed in root is up to date.
Package openssl-util (1.0.2n-1) installed in root is up to date.
Package luci-app-openvpn (git-18.061.17832-d092772-1) installed in root is up to date.

And I tried to look up foundrts.sh on Google, but I did not find anything.

Thanks much

Thanks

In SSH, run the following...

cat /etc/openvpn/ssl

cat: can't open '/etc/openvpn/ssl': No such file or directory

Script is failing on the mkdir.

Run the following...

root@LEDE:~# cd /etc

then...

root@LEDE:/etc# ls -C

By the way, to execute create-certs.sh I typed 'sh create-certs.sh'; I hope that was the correct way.

And here is the output of the ls command:
TZ fw_env.config openvpn rc.d
banner group openwrt_release rc.local
banner.failsafe hosts openwrt_version resolv.conf
board.d hotplug-preinit.json opkg services
board.json hotplug.d opkg.conf shadow
config hotplug.json os-release shadow-
crontabs init.d passwd shells
device_info inittab passwd- ssl
diag.sh iproute2 ppp sysctl.conf
dnsmasq.conf localtime preinit sysctl.d
dropbear luci-uploads profile sysupgrade.conf
ethers modules-boot.d protocols uci-defaults
firewall.user modules.d rc.button urandom.seed
fstab mtab rc.common

Acting like the shell doesn't have the correct permissions...

First, navigate to the directory where you saved the shell.

Then...

chmod 777 create-certs.sh

Run it.

The first time I ran the script, I was using WinSCP to scp, and I used it to change the permissions to 777. Somehow I know about that from something I read in the past.
So just now, this time I used your suggestion of chmod and still get the errors, but they seem a bit different:
before I got 'not foundrts.sh' and now I get 'not founds.sh'.

And I noticed this:
'unable to find 'distinguished_name' in config problems making Certificate Request'

Thanks

Post the actual output of the script.

Thanks

login as: root
root@192.168.62.1's password:


BusyBox v1.25.1 () built-in shell (ash)

     _________
    /        /\      _    ___ ___  ___
   /  LE    /  \    | |  | __|   \| __|
  /    DE  /    \   | |__| _|| |) | _|
 /________/  LE  \  |____|___|___/|___|                      lede-project.org
 \        \   DE /
  \    LE  \    /  -----------------------------------------------------------
   \  DE    \  /    Reboot (17.01.4, r3560-79f57e422d)
    \________\/    -----------------------------------------------------------

root@asdffdsa:~# ls
root@asdffdsa:~# cd /
root@asdffdsa:/# ls
bin              index            overlay          serial?          var
ca.key           index.txt        proc             sys              www
create-certs.sh  init             rom              tls-auth.key?
dev              lib              root             tmp
etc              mnt              sbin             usr
root@asdffdsa:/# sh create-certs.sh
: not founds.sh: line 2:


  # Creating Directory Structure #

------------------------------------------------------------
: not founds.sh: line 5:
: not founds.sh: line 7:
: No such file or directory
create-certs.sh: cd: line 10: can't cd to /etc/openvpn/ssl
: not founds.sh: line 11:
: not founds.sh: line 14:
: not founds.sh: line 15:


  # Customizing openssl.cnf #

------------------------------------------------------------
: not founds.sh: line 18:
: not founds.sh: line 20:
: No such file or directory
: No such file or directory
: No such file or directory
: No such file or directory
: No such file or directory
: No such file or directory
: No such file or directory
: No such file or directory
: not founds.sh: line 29:
: not founds.sh: line 39:
: not founds.sh: line 40:


  # Generating Server PSK and CA, Server, & Client Certs #

------------------------------------------------------------
: not founds.sh: line 43:
Generating a 2048 bit RSA private key
.+++
.......+++
writing new private key to 'ca.key'
-----
unable to find 'distinguished_name' in config
problems making Certificate Request
3070002372:error:0E06D06C:lib(14):func(109):reason(108):NA:0:group=req name=distinguished_name
: not founds.sh: line 45:
/openssl.cnfe -1 of /etc/openvpn/ssl
','rb')l.cnfrror:02001002:lib(2):func(1):reason(2):NA:0:fopen('/etc/openvpn/ssl
3069306052:error:2006D080:lib(32):func(109):reason(128):NA:0:
3069306052:error:0E078072:lib(14):func(120):reason(114):NA:0:
/openssl.cnfuration from /etc/openvpn/ssl
variable lookup failed for ca::default_ca
3069908164:error:0E06D06C:lib(14):func(109):reason(108):NA:0:group=ca name=default_ca
: not founds.sh: line 48:
/openssl.cnfe -1 of /etc/openvpn/ssl
','rb')l.cnfrror:02001002:lib(2):func(1):reason(2):NA:0:fopen('/etc/openvpn/ssl
3069342916:error:2006D080:lib(32):func(109):reason(128):NA:0:
3069342916:error:0E078072:lib(14):func(120):reason(114):NA:0:
unknown option
usage: ca args

 -verbose        - Talk alot while doing things
 -config file    - A config file
 -name arg       - The particular CA definition to use
 -gencrl         - Generate a new CRL
 -crldays days   - Days is when the next CRL is due
 -crlhours hours - Hours is when the next CRL is due
 -startdate YYMMDDHHMMSSZ  - certificate validity notBefore
 -enddate YYMMDDHHMMSSZ    - certificate validity notAfter (overrides -days)
 -days arg       - number of days to certify the certificate for
 -md arg         - md to use, one of md2, md5, sha or sha1
 -policy arg     - The CA 'policy' to support
 -keyfile arg    - private key file
 -keyform arg    - private key file format (PEM or ENGINE)
 -key arg        - key to decode the private key if it is encrypted
 -cert file      - The CA certificate
 -selfsign       - sign a certificate with the key associated with it
 -in file        - The input PEM encoded certificate request(s)
 -out file       - Where to put the output file(s)
 -outdir dir     - Where to put output certificates
 -infiles ....   - The last argument, requests to process
 -spkac file     - File contains DN and signed public key and challenge
 -ss_cert file   - File contains a self signed cert to sign
 -preserveDN     - Don't re-order the DN
 -noemailDN      - Don't add the EMAIL field into certificate' subject
 -batch          - Don't ask questions
 -msie_hack      - msie modifications to handle all those universal strings
 -revoke file    - Revoke a certificate (given in file)
 -subj arg       - Use arg instead of request's subject
 -utf8           - input characters are UTF8 (default ASCII)
 -multivalue-rdn - enable support for multivalued RDNs
 -extensions ..  - Extension section (override value in config file)
 -extfile file   - Configuration file with X509v3 extentions to add
 -crlexts ..     - CRL extension section (override value in config file)
 -engine e       - use engine e, possibly a hardware device.
 -status serial  - Shows certificate status given the serial number
 -updatedb       - Updates db for expired certificates
: not founds.sh: line 51:
: not founds.sh: line 53:
chmod: my-server.key: No such file or directory
chmod: my-client.key: No such file or directory
: not founds.sh: line 55:
: not founds.sh: line 56:


  # May take a while to complete (>~25m on WRT3200ACM) #
------------------------------------------------------------
: not founds.sh: line 59:

  ...Generating Diffie-Hellman Cert...
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...............^C
root@asdffdsa:/#

Also, if I run 'sh ./create-certs.sh' I get errors of 'not foundrts.sh';
however, if I run 'sh create-certs.sh' I get errors of 'not founds.sh'.

Does that mean anything to you?

An error being printed even before "Creating Directory Structure" looks strange:

#!/bin/sh
 
printf "\n\n  # Creating Directory Structure #\n\n"
printf %b "------------------------------------------------------------\n"

How did you get the script on your router?
a) Copy&Paste from the wiki
b) Via clicking on the link above the script graphic

Hi tmomas,
what looks strange?

I run the command using 'sh create-certs.sh'.
Do you think I should run the command differently?

Do you think it could be an issue with CR/LF differences between Windows OS 0d0a versus 0a?
I download the file from the website, save it to my computer and transfer it with WinSCP using binary mode.

Thanks much

To be clear, I clicked on the link to download it to my computer.

Take a look at the script: What is in line 2?

Just curious: What happens if you omit the sh?
root@asdffdsa:/# ./create-certs.sh

Line 2 is an empty line.

@asdffdsa Did you by chance download this on a Windows machine and open it before moving it to your router, or are you utilizing a non-English language pack for your OS (your terminal output isn't normal, and has a ton of misspellings [foundrts.sh, founds.sh, openssl.cnfe, l.cnfrror], which wouldn't occur except from corruption or non-English language packs)?

  • I triple checked that script when I modified the wiki's code snippets with the file plugin to make them downloadable scripts, and while specifying the shell as sh isn't required due to the shell shebang, even if you specify sh in front of the script, it will still run normally.

I cannot replicate and receive the following output:

  • I made two changes from the default script for convenience of testing: changed PKI_DIR to /tmp/etc/openvpn/ssl and key lengths to 1024.
    [root@LEDE] /tmp : cd /tmp && wget https://openwrt.org/_export/code/docs/guide-user/services/vpn/openvpn/server.setup?codeblock=1
    
    [root@LEDE] /tmp : mv server.setup?codeblock=1 create-certs.sh && chmod 754 ./create-certs.sh
    
    [root@LEDE] /tmp : ./create-certs.sh
    
    
      # Creating Directory Structure #
    
    ------------------------------------------------------------
    
    
      # Customizing openssl.cnf #
    
    
    ------------------------------------------------------------
    
    
      # Generating Server PSK and CA, Server, & Client Certs #
    
    
    ------------------------------------------------------------
    
    Generating a 1024 bit RSA private key
    ............++++++
    ...++++++
    writing new private key to 'ca.key'
    -----
    
    Generating a 1024 bit RSA private key
    ..............++++++
    ....++++++
    writing new private key to 'my-server.key'
    -----
    
    Using configuration from /tmp/etc/openvpn/ssl/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 4096 (0x1000)
            Validity
                Not Before: Mar 21 01:58:17 2018 GMT
                Not After : Mar 18 01:58:17 2028 GMT
            Subject:
                commonName                = my-server
            X509v3 extensions:
                X509v3 Key Usage:
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication
    Certificate is to be certified until Mar 18 01:58:17 2028 GMT (3650 days)
    
    Write out database with 1 new entries
    Data Base Updated
    
    Generating a 1024 bit RSA private key
    ............++++++
    ...++++++
    writing new private key to 'my-client.key'
    -----
    
    Using configuration from /tmp/etc/openvpn/ssl/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 4097 (0x1001)
            Validity
                Not Before: Mar 21 01:58:18 2018 GMT
                Not After : Mar 18 01:58:18 2028 GMT
            Subject:
                commonName                = my-client
            X509v3 extensions:
                X509v3 Key Usage:
                    Digital Signature
                X509v3 Extended Key Usage:
                    TLS Web Client Authentication
    Certificate is to be certified until Mar 18 01:58:18 2028 GMT (3650 days)
    
    Write out database with 1 new entries
    Data Base Updated
    
    
      # May take a while to complete (>~25m on WRT3200ACM) #
    ------------------------------------------------------------
    
      ...Generating Diffie-Hellman Cert...
    
    Generating DH parameters, 1024 bit long safe prime, generator 2
    This is going to take a long time
    ..+...............+..+..................................+.........+................+.......................................+....................................+......................................................................................+............+...........+......................+.............+.............+.......................................................++*++*++*
    
    
      # Copying Certs & Keys to /etc/openvpn/ #
    
    ------------------------------------------------------------
    

What happens if you copy and paste the script text into the terminal?

  • It should resemble:
    [root@LEDE] /tmp : #!/bin/sh
    [root@LEDE] /tmp :
    [root@LEDE] /tmp : printf "\n\n  # Creating Directory Structure #\n\n"
    
    
      # Creating Directory Structure #
    
    [root@LEDE] /tmp : printf %b "------------------------------------------------------------\n"
    ------------------------------------------------------------
    [root@LEDE] /tmp :
    [root@LEDE] /tmp :   PKI_DIR="/tmp/etc/openvpn/ssl"
    [root@LEDE] /tmp :
    [root@LEDE] /tmp :     [ -d ${PKI_DIR} ] && rm -rf ${PKI_DIR}
    [root@LEDE] /tmp :       mkdir -p ${PKI_DIR} && chmod -R 0600 ${PKI_DIR}
    [root@LEDE] /tmp :       cd ${PKI_DIR}
    [root@LEDE] /tmp/etc/openvpn/ssl :
    [root@LEDE] /tmp/etc/openvpn/ssl :     touch index.txt && touch index && echo 1000 > serial
    [root@LEDE] /tmp/etc/openvpn/ssl :     cp /etc/ssl/openssl.cnf ${PKI_DIR}
    [root@LEDE] /tmp/etc/openvpn/ssl :
    [root@LEDE] /tmp/etc/openvpn/ssl :
    [root@LEDE] /tmp/etc/openvpn/ssl : printf "\n\n  # Customizing openssl.cnf #\n\n"
    
    
      # Customizing openssl.cnf #
    
    [root@LEDE] /tmp/etc/openvpn/ssl : printf %b "------------------------------------------------------------\n"
    ------------------------------------------------------------
    [root@LEDE] /tmp/etc/openvpn/ssl :
    [root@LEDE] /tmp/etc/openvpn/ssl :   PKI_CNF=${PKI_DIR}/openssl.cnf
    [root@LEDE] /tmp/etc/openvpn/ssl :
    [root@LEDE] /tmp/etc/openvpn/ssl :     sed -i '/^dir/   s:=.*:= /etc/openvpn/ssl:'                ${PKI_CNF}
    [root@LEDE] /tmp/etc/openvpn/ssl :     sed -i '/^new_certs_dir/   s:=.*:= /etc/openvpn/ssl:'      ${PKI_CNF}
    [root@LEDE] /tmp/etc/openvpn/ssl :     sed -i '/.*Name/ s:= match:= optional:'                    ${PKI_CNF}
    [root@LEDE] /tmp/etc/openvpn/ssl :     sed -i '/organizationName_default/    s:= .*:= WWW Ltd.:'  ${PKI_CNF}
    [root@LEDE] /tmp/etc/openvpn/ssl :     sed -i '/stateOrProvinceName_default/ s:= .*:= London:'    ${PKI_CNF}
    [root@LEDE] /tmp/etc/openvpn/ssl :     sed -i '/countryName_default/         s:= .*:= GB:'        ${PKI_CNF}
    [root@LEDE] /tmp/etc/openvpn/ssl :     sed -i '/default_days/   s:=.*:= 3650:'                    ${PKI_CNF}
    [root@LEDE] /tmp/etc/openvpn/ssl :     sed -i '/default_bits/   s:=.*:= 1024:'                    ${PKI_CNF}
    [root@LEDE] /tmp/etc/openvpn/ssl :
    [root@LEDE] /tmp/etc/openvpn/ssl :     cat >> ${PKI_CNF} <<"EOF"
    > [ my-server ]
    >   keyUsage = digitalSignature, keyEncipherment
    >   extendedKeyUsage = serverAuth
    >
    > [ my-client ]
    >   keyUsage = digitalSignature
    >   extendedKeyUsage = clientAuth
    > EOF
    [root@LEDE] /tmp/etc/openvpn/ssl :
    [root@LEDE] /tmp/etc/openvpn/ssl :
    [root@LEDE] /tmp/etc/openvpn/ssl : printf "\n\n  # Generating Server PSK and CA, Server, & Client Certs #\n\n"
    
    
      # Generating Server PSK and CA, Server, & Client Certs #
    
    [root@LEDE] /tmp/etc/openvpn/ssl : printf %b "------------------------------------------------------------\n"
    ------------------------------------------------------------
    [root@LEDE] /tmp/etc/openvpn/ssl :
    [root@LEDE] /tmp/etc/openvpn/ssl :   openssl req -batch -nodes -new -keyout "ca.key" -out "ca.crt" -x509 -config ${PKI_CNF} -days 3650
    Generating a 1024 bit RSA private key
    .............++++++
    ..............++++++
    writing new private key to 'ca.key'
    -----
    [root@LEDE] /tmp/etc/openvpn/ssl :
    [root@LEDE] /tmp/etc/openvpn/ssl :   openssl req -batch -nodes -new -keyout "my-server.key" -out "my-server.csr" -subj "/CN=my-server" -config ${PKI_CNF}
    Generating a 1024 bit RSA private key
    .............++++++
    .........++++++
    writing new private key to 'my-server.key'
    -----
    [root@LEDE] /tmp/etc/openvpn/ssl :   openssl ca  -batch -keyfile "ca.key" -cert "ca.crt" -in "my-server.csr" -out "my-server.crt" -config ${PKI_CNF} -extensions my-server
    Using configuration from /tmp/etc/openvpn/ssl/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 4096 (0x1000)
            Validity
                Not Before: Mar 21 02:16:04 2018 GMT
                Not After : Mar 18 02:16:04 2028 GMT
            Subject:
                commonName                = my-server
            X509v3 extensions:
                X509v3 Key Usage:
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication
    Certificate is to be certified until Mar 18 02:16:04 2028 GMT (3650 days)
    
    Write out database with 1 new entries
    Data Base Updated
    [root@LEDE] /tmp/etc/openvpn/ssl :
    [root@LEDE] /tmp/etc/openvpn/ssl :   openssl req -batch -nodes -new -keyout "my-client.key" -out "my-client.csr" -subj "/CN=my-client" -config ${PKI_CNF}
    Generating a 1024 bit RSA private key
    .......++++++
    ..................++++++
    writing new private key to 'my-client.key'
    -----
    [root@LEDE] /tmp/etc/openvpn/ssl :   openssl ca  -batch -keyfile "ca.key" -cert "ca.crt" -in "my-client.csr" -out "my-client.crt" -config ${PKI_CNF} -extensions my-client
    Using configuration from /tmp/etc/openvpn/ssl/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 4097 (0x1001)
            Validity
                Not Before: Mar 21 02:16:06 2018 GMT
                Not After : Mar 18 02:16:06 2028 GMT
            Subject:
                commonName                = my-client
            X509v3 extensions:
                X509v3 Key Usage:
                    Digital Signature
                X509v3 Extended Key Usage:
                    TLS Web Client Authentication
    Certificate is to be certified until Mar 18 02:16:06 2028 GMT (3650 days)
    
    Write out database with 1 new entries
    Data Base Updated
    [root@LEDE] /tmp/etc/openvpn/ssl :
    [root@LEDE] /tmp/etc/openvpn/ssl :   openvpn --genkey --secret tls-auth.key
    [root@LEDE] /tmp/etc/openvpn/ssl :
    [root@LEDE] /tmp/etc/openvpn/ssl :   chmod 0600 "ca.key" "my-server.key" "my-client.key" "tls-auth.key"
    [root@LEDE] /tmp/etc/openvpn/ssl :
    [root@LEDE] /tmp/etc/openvpn/ssl :
    [root@LEDE] /tmp/etc/openvpn/ssl : printf "\n\n  # May take a while to complete (>~25m on WRT3200ACM) #\n"
    
    
      # May take a while to complete (>~25m on WRT3200ACM) #
    [root@LEDE] /tmp/etc/openvpn/ssl : printf %b "------------------------------------------------------------\n"
    ------------------------------------------------------------
    [root@LEDE] /tmp/etc/openvpn/ssl :
    [root@LEDE] /tmp/etc/openvpn/ssl :   printf "\n  ...Generating Diffie-Hellman Cert...\n"
    
      ...Generating Diffie-Hellman Cert...
    [root@LEDE] /tmp/etc/openvpn/ssl :   openssl dhparam -out dh1024.pem 1024
    Generating DH parameters, 1024 bit long safe prime, generator 2
    This is going to take a long time
    ...........+................+.......................................................................+..........................................+......................................................................................................................................................+..........................................................+..................+...........................................................+........+...............................................................................................................................+...............+.++*++*++*
    [root@LEDE] /tmp/etc/openvpn/ssl :
    [root@LEDE] /tmp/etc/openvpn/ssl :
    [root@LEDE] /tmp/etc/openvpn/ssl : printf "\n\n  # Copying Certs & Keys to /etc/openvpn/ #\n\n"
    
    
      # Copying Certs & Keys to /etc/openvpn/ #
    
    [root@LEDE] /tmp/etc/openvpn/ssl : printf %b "------------------------------------------------------------\n"
    ------------------------------------------------------------
    [root@LEDE] /tmp/etc/openvpn/ssl :
    [root@LEDE] /tmp/etc/openvpn/ssl :   cp ca.crt my-server.* my-client.* dh1024.pem tls-auth.key /tmp/etc/openvpn
    [root@LEDE] /tmp/etc/openvpn/ssl :
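Added example, not code from any poster in this thread or from the OpenWrt wiki: a POSIX sh script (runs on BusyBox ash as well) that reproduces the symptoms reported above from a constructed four-line script saved with Windows CR LF line endings, shows why the terminal renders the shell's errors as ": not founds.sh: line 2:" and ": not foundrts.sh: line 5:", explains the "ssl?" directory and "ssl??" file, and counts and strips the stray carriage returns. The sample script text and the temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or the OpenWrt wiki. Demonstrates
# how a shell script saved with Windows CR LF line endings produces the
# symptoms posted above, and how to detect and fix the stray carriage returns.

CR=$(printf '\r')

# Constructed sample: a script saved with CR LF endings. $1 is the script path,
# $2 the directory it should create. Line 2 looks blank but holds a lone CR,
# which the shell then tries to execute as a command named "\r".
make_crlf_script() {
    printf '#!/bin/sh\r\n\r\nPKI_DIR="%s/ssl"\r\nmkdir -p ${PKI_DIR} && touch ${PKI_DIR}\r\n' "$2" > "$1"
}

# Count carriage-return bytes in a file; a clean Unix script has 0.
count_cr() {
    tr -cd '\r' < "$1" | wc -c | tr -d ' '
}

# Emulate a terminal: text after a CR is drawn from column 0 and overwrites
# the start of the line. "create-certs.sh: line 2: \r: not found" therefore
# appears as ": not founds.sh: line 2:", the "misspelling" seen in the thread.
render_cr() {
    prefix=${1%%"${CR}"*}
    suffix=${1#*"${CR}"}
    if [ "$prefix" = "$1" ]; then
        printf '%s\n' "$1"          # no CR present, nothing is overwritten
        return
    fi
    printf '%s%s\n' "$suffix" "$(printf '%s' "$prefix" | cut -c"$((${#suffix} + 1))-")"
}

# Count directory entries whose name contains a CR. The CR left in ${PKI_DIR}
# by its assignment line gives "ssl\r" (BusyBox ls shows it as "ssl?"); a word
# that also carries its own line's CR gets a second one, "ssl\r\r" ("ssl??").
cr_names() {
    find "$1" -name "*${CR}*" | wc -l | tr -d ' '
}

# Remove every CR in place; writing back with cat keeps the file's mode.
strip_cr() {
    tr -d '\r' < "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

demo() {
    dir=$(mktemp -d)
    script=$dir/create-certs.sh
    make_crlf_script "$script" "$dir"
    echo "CR bytes in the downloaded script: $(count_cr "$script")"
    echo "how the shell's error lines render on the terminal:"
    render_cr "create-certs.sh: line 2: ${CR}: not found"
    render_cr "./create-certs.sh: line 5: ${CR}: not found"
    sh "$script" 2>/dev/null
    echo "entries with a CR in their name after running it: $(cr_names "$dir")"
    strip_cr "$script"
    echo "CR bytes after strip_cr: $(count_cr "$script")"
    rm -rf "$dir"
}

demo
```

The same check applies to any file copied from Windows to the router: a non-zero count_cr, or names ending in "?" in ls output, means the file still carries CR LF endings.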