Issues with OpenVPN Server Setup

I got the same result as the OP.

Windows machine, no language packs, no editing of the script.

Clicked on the snippets button, downloaded the script, and used WinSCP to copy it to the router...as I have done for many other scripts.

Ran the script...didn't work.

@asdffdsa -- try copying commands from the wiki page and pasting them into the SSH client.

@JW0914 -- great idea with the file plugin, do you have a clue why the scripts it generates may be failing?

Tried several tests, including using SCP instead of WinSCP...executing the script continues to fail, when downloaded as a snippet and uploaded to /tmp.

The only way I could get it to work was to copy and paste the entire contents of the script directly in to SSH.

@stangri thanks =]

It appears if the script is downloaded through the web browser on a Windows machine, the file will have Windows EOLs [CRLF]. When I have time this morning, I'll boot up my Ubuntu VM and see if downloading via Ubuntu Firefox results in Linux EOLs.

  • If it does, I'll need to do some research on DokuWiki's file plugin's wiki page to determine if there's a way to force EOLs, regardless of OS used to download. The code block is specified as bash, hence the syntax highlighting, so one would think the file plugin would have been coded to recognize the EOLs should match the shell type.

  • I just confirmed if using wget on Windows (included with Git for Windows, GitHub Desktop, and Cygwin), it downloads the script with the correct LF EOL.

I'm not sure if dos2unix is a part of the default BusyBox config, and if not, perhaps it could be suggested to include it in the default BusyBox config.

  • If any have it installed, issue the following:
    dos2unix -u ./create-certs.sh && chmod 754 ./create-certs.sh && ./create-certs.sh
    • Else, with Windows, one can utilize Notepad++ or Atom to change the EOLs before copying to the router

It didn't occur to me users would download it via a web browser versus wget on the router, so that's a glaring oversight. This is what I did:

cd /tmp && wget https://openwrt.org/_export/code/docs/guide-user/services/vpn/openvpn/server.setup?codeblock=3

mv server.setup?codeblock=3 create-certs.sh && chmod 754 ./create-certs.sh

./create-certs.sh
  • When using the File Plugin, all code snippets are chronologically ordered, so the next code block down would end in codeblock=4, etc. This makes it convenient if one is downloading multiple scripts from a wiki, as they don't need to revisit the page each time to get a new link.

Problem solved by replacing non-functional tagging by simple < code >.

@tmomas what is the point of supporting user convenient dokuwiki plugins if you complain about every single one someone tries to utilize?

  • Users prefer syntax highlighting, as it makes code, logs, configs, easier to read.
  • There's also nothing wrong with the file plugin, as I've already demonstrated.

Either remove dokuwiki plugin support entirely or stop complaining when it's utilized.

If everything is working correctly and as expected, then what is this thread about?

BTW: Please let me know what "file plugin" you are talking about and provide a link to the plugin description page.

The issue is not with the file plugin, and would exist if someone copied the code into notepad on Windows, saved it, then copied the script to their router, as the EOLs would be incorrect, hence the issue.

  • You claim everything is not working as expected... perhaps you missed this post, which shows there is no issue with the script or the file plugin

  • Code Replacement Plugin

Actual demonstration of EOL issue:

[root@LEDE] /tmp : ./create-certs_crlf.sh
-ash: ./create-certs_crlf.sh: not found

[root@LEDE] /tmp : dos2unix -u ./create-certs_crlf.sh && ./create-certs_crlf.sh


  # Creating Directory Structure #

------------------------------------------------------------


  # Customizing openssl.cnf #

------------------------------------------------------------



  # Generating Server PSK and CA, Server, & Client Certs #

------------------------------------------------------------


  ...Generating Certifcate Authority Cert & Key...
------------------------------------------------------------

Generating a 4096 bit RSA private key
..^C
[root@LEDE] /tmp : ^C

[root@LEDE] /tmp : dos2unix -d create-certs_crlf.sh && ./create-certs_crlf.sh
-ash: ./create-certs_crlf.sh: not found


Exacerbating the EOL issue with the OP is likely non-English language packs (and a different text encoding) due to the misspelled terminal output, as even with the script having a CRLF EOL, if one opens the script in the terminal and copies from it, those commands will execute successfully (or at least do on the 17.x LEDE development branch 4.9.73- 2018.01.09, r5695-56767dfa42)

@stangri I've added three annotations regarding the downloadable snippets under Generate Certificates
Please review and change as necessary.

@tmomas I haven't run a stock build of OpenWrt since 2015, so this may be moot, but since a lot, if not most, users also use Windows, perhaps CONFIG_BUSYBOX_CONFIG_DOS2UNIX=y could be added to the master openwrt .config

  • I assume the master .config would be easier than the config.seeds of every device.
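To make the "not found" failure above concrete on a router without dos2unix, here is an added example (not a script from the thread) that detects CR characters, shows why the #! line breaks, and strips them using only default BusyBox tools; the sample script it converts is constructed.

```shell
#!/bin/sh
# Added example, not a script from the thread: reproduce and repair the
# "-ash: ./script: not found" failure caused by Windows (CRLF) line endings.
# Only tools in a default BusyBox are used (head, sed, tr, wc, cat), so it
# also works on routers where dos2unix is not installed.

# Return 0 (true) if the file contains any carriage-return characters.
has_crlf() {
    [ $(( $(tr -cd '\r' < "$1" | wc -c) )) -gt 0 ]
}

# Interpreter path the kernel reads from the #! line. With CRLF endings it is
# "/bin/sh<CR>", a path that does not exist, which is why ash reports the
# script itself as "not found".
shebang_interp() {
    head -n 1 "$1" | sed 's/^#!//; s/ .*//'
}

# Return 0 if the interpreter named on the #! line actually exists.
interp_ok() {
    [ -x "$(shebang_interp "$1")" ]
}

# Strip every CR in place (what dos2unix -u does). Writing back through cat
# keeps the file's mode, so the executable bit set by chmod survives.
to_lf() {
    tr -d '\r' < "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# Constructed sample: a tiny script as a Windows browser would have saved it.
make_crlf_sample() {
    printf '#!/bin/sh\r\necho "certs would be generated here"\r\n' > "$1"
    chmod 754 "$1"
}

# Stand-alone demo: ./crlf-fix.sh --demo
if [ "${1:-}" = "--demo" ]; then
    f=/tmp/crlf-demo.$$
    make_crlf_sample "$f"
    has_crlf "$f" && echo "CRLF found; interpreter exists: $(interp_ok "$f" && echo yes || echo no)"
    to_lf "$f"
    echo "after conversion, interpreter exists: $(interp_ok "$f" && echo yes || echo no)"
    "$f"
    rm -f "$f"
fi
```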

well, i am most impressed with the responses that i sparked but a classic linux newbie problem. the issues of cr/lf.
i have been a microsoft bunky since 1978 but i thought wanted to run openvpn and decided to purchase a shiny, expensive linksys wrt3200acm. it was so easy to install openwrt and get myself onto the internet using the gui.
so i tried to get openvpn working, the reason why i purchased the router. i failed and posted for help at the openwrt forum. i am impressed with the help i got.
last night, i realized the issue was to do with text conversion between dos/windows and linux.
i did try to post my realization as soon as i realized it but it seems as a new user of the forum i could only post 20 messages in the first 24 hours of signing up. so of course, i was trying to post the 20th message with my solution and i got a popup telling me i could not post. "You've reached the maximum number of replies a new user can create on their first day. "

in the meantime, you all figured it out and made changes to the webpage for openvpn support, most impressive, very quick!

now that openvpn is running on my router, i tried to connect using the .ovpn file but every time i try to import the .ovpn file, it fails to import into my openvpn client. it just will not import.

not sure if i should be asking for help via the openwrt forum or not?

thanks much,
david

I can't be bothered with little scripts.
This is what I do to run an OpenVPN server.

  • I generate my own CA, server and client certs with this, and export them in PEM format
    Server cert must have Digital Signature, Key Encipherment, TLS Web Server Authentication extensions
    Client cert must have Digital Signature, TLS Web Client Authentication extensions
  • generate DH param with openssl
    openssl dhparam -out dhparam.pem 1024
  • put everything in a ovpn file (it's a simple text file like the one below)
  • then bring it via scp on the router and run it
    openvpn --config /path/to/my/config.ovpn

This is what the ovpn file looks like:

proto udp
port 443
#cipher AES-128-GCM
#auth sha1
ncp-ciphers AES-128-GCM
mode server
tls-server
ifconfig 172.16.0.1 172.16.0.2
#ifconfig-pool 172.16.0.100 172.16.0.200
route 172.16.0.0 255.255.255.0
route 10.0.0.0 255.0.0.0
route 192.168.10.0 255.255.255.0
ccd-exclusive
client-config-dir "client-config-dir"
push "route 172.16.0.0 255.255.255.0"
push "route 172.16.1.0 255.255.255.0"
keepalive 10 120
client-to-client

log "VPN Server.log"
verb 3

<ca>
-----BEGIN CERTIFICATE-----
MIIC/zCCAeegAwIBAgIBATANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZWUE4g
...
uU2V5ODeUIrTJGCMNlz4VfP6xlbxda8Wxjj5xpvIzJtCqkHAGBYcYTRoxAT6Bhpz
/OZI
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIDIzCCAgugAwIBAgIBAjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZWUE4g
...
S4752cU9Y2TQLEgHLLPZjCjEJ3xRAm5LHmhXYRWJtnkM8jPPlmBU
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEArInVaJ6MRNXCaQQnD8x51Y0cSU1bQKk/iBG3nefbJajDYIn9
...
gK6oPgMvJIVaQoojorpg5ZpMSLcmrWO6hZiB8zAw0ZNHtXe9zfV+
-----END RSA PRIVATE KEY-----
</key>
<dh>
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAgP6DPmH/HEqDFT8Ajvm+VxIYSDfUn0MlyLeUmCKGzDH+DfFxTN1z
...
uuXtKki3PDQa7CvBM1zEx/FckrUDJ+0xWwIBAg==
-----END DH PARAMETERS-----
</dh>

Use OpenVPN manual to understand what the options do.
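As an added example (not the poster's own tooling), this script assembles the single-file layout shown above from separate PEM files and checks the result before it is copied to the router; the input file names are assumed.

```shell
#!/bin/sh
# Added example, not the poster's own tooling: assemble a single-file .ovpn
# in the layout shown above (options first, then <ca>, <cert>, <key>, <dh>
# inline blocks) from separate PEM files, then sanity-check the result.
# Assumes the CA, certificate, key and DH parameter files already exist.

# Print one inline block. CRs are stripped and awk guarantees a final newline,
# so a PEM file saved on Windows or lacking a trailing newline still yields a
# block that OpenVPN parses.
inline_block() {    # $1 tag name, $2 PEM file
    printf '<%s>\n' "$1"
    tr -d '\r' < "$2" | awk '1'
    printf '</%s>\n' "$1"
}

# Write the complete config to stdout.
build_ovpn() {      # $1 base options file, $2 ca, $3 cert, $4 key, $5 dh
    tr -d '\r' < "$1" | awk '1'
    inline_block ca   "$2"
    inline_block cert "$3"
    inline_block key  "$4"
    inline_block dh   "$5"
}

# Checks before the file goes to the router: each block opened and closed,
# no CR left, and no group/other access since the file embeds the private
# key. Returns 0 when all checks pass.
check_ovpn() {
    f=$1
    for t in ca cert key dh; do
        grep -q "^<$t>\$" "$f" || return 1
        grep -q "^</$t>\$" "$f" || return 1
    done
    [ $(( $(tr -cd '\r' < "$f" | wc -c) )) -eq 0 ] || return 1
    # Mode string from ls -l, e.g. -rw-------; chars 5-10 are group/other.
    case $(ls -l "$f" | cut -c5-10) in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}
```

Run as `umask 077; build_ovpn base.conf ca.pem server.pem server.key dh.pem > server.ovpn && check_ovpn server.ovpn` so the output file is created without group/other access.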