Openvpn installation - multiple howtos

Hi,
there are multiple websites related to the setup of an openvpn server...
https://oldwiki.archive.openwrt.org/doc/howto/vpn.openvpn
or
https://oldwiki.archive.openwrt.org/doc/howto/openvpn-streamlined-server-setup

As the former contains a link to the latter as a more secure howto, I tried to install the openvpn server based on that wiki... there is no description at all... no idea why they try to set up a CA and ICA... etc. I just wanted to set up an openvpn server on my openwrt and create access for, let's say, 2-3 clients...

Any idea? What page can I use as best practice, etc.?

Thank you

"oldwiki" links should have a big banner across them

These are read-only contents of the former OpenWrt wiki system. The pages are provided for archival purposes only. Refer to https://openwrt.org/ for up-to-date information.

A good starting place is https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic


I created redirects now from the oldwiki urls to the openvpn/basic page, in order to lessen the confusion and direct users to up-to-date documentation.


hi,
It's not working at all... on the client side, when I try to connect I get this error (it's Win7, OpenVPN Connect 2.6x):
Core exception: connection error: PEM_PASSWORD_FAILED: PolarSSL error parsing config private key : PK - Private key password can't be empty.

Also I don't understand the client section in the howto... each time I run the script to generate a client config... the config is exactly the same... i.e. each client has the same keys, etc.... which I think from the security perspective is a really bad idea?

Based on https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04 they use commands like revoke-full clientXY; I can't find any revoke-full binary... also, to generate a client config, ./make_config.sh clientXY, which I assume is specific per clientXY. Also can't find make_config.sh... it's really weird.

For non-interactive applications (i.e. a web server, or an OpenVPN client that starts automatically), the private key files must be stored with no password.

The server and each client should have their own separate certificate. Sign all these certificates with the same CA that you created.

I suggest using xca or other GUI CA application to create your certificates offline of the router instead of easy-rsa and its scripts that vary by distribution.
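As an added example (not the wiki's script and not code from anyone in this thread), here is the point of the two replies above done with plain openssl instead of easy-rsa: one self-signed CA, one server certificate and a separate certificate per client, all signed by that CA, with keys written without a passphrase so a non-interactive client can load them. The working directory, the CN values and the client names are assumptions.

```shell
#!/bin/sh
# Added example: minimal offline CA with openssl (not the OpenWrt wiki script).
# Every certificate is signed by the same CA; every key is stored unencrypted
# (-nodes) because an auto-starting OpenVPN client cannot type a passphrase.
# PKI directory, CNs and client names below are hypothetical.
set -eu

PKI=${PKI:-$(mktemp -d)}
DAYS=365

make_ca() {
    # Self-signed CA; ca.key stays on the offline machine, never on the router.
    openssl req -x509 -newkey rsa:2048 -nodes -days "$DAYS" \
        -subj "/CN=example-vpn-ca" \
        -keyout "$PKI/ca.key" -out "$PKI/ca.crt" 2>/dev/null
}

# issue_cert NAME ROLE   (ROLE is "server" or "client"; sets extendedKeyUsage so
# clients can use "remote-cert-tls server" to reject a client cert posing as server)
issue_cert() {
    name=$1; role=$2
    if [ "$role" = server ]; then eku=serverAuth; else eku=clientAuth; fi
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$PKI/$name.key" -out "$PKI/$name.csr" 2>/dev/null
    printf 'extendedKeyUsage=%s\nkeyUsage=digitalSignature,keyEncipherment\n' \
        "$eku" > "$PKI/$name.ext"
    openssl x509 -req -days "$DAYS" -in "$PKI/$name.csr" \
        -CA "$PKI/ca.crt" -CAkey "$PKI/ca.key" -CAcreateserial \
        -extfile "$PKI/$name.ext" -out "$PKI/$name.crt" 2>/dev/null
}

# cert_ok NAME: 0 if NAME.crt chains to ca.crt AND NAME.key has no passphrase
cert_ok() {
    openssl verify -CAfile "$PKI/ca.crt" "$PKI/$1.crt" >/dev/null 2>&1 || return 1
    ! grep -q ENCRYPTED "$PKI/$1.key"
}

# same_cert A B: 0 if two "clients" got the identical certificate (the bug
# the poster describes: every generated client config carrying the same keys)
same_cert() {
    cmp -s "$PKI/$1.crt" "$PKI/$2.crt"
}

build_pki() {
    make_ca
    issue_cert vpnserver server
    for c in client1 client2 client3; do issue_cert "$c" client; done
}
```

Run build_pki, then copy ca.crt, vpnserver.crt and vpnserver.key to the router and give each client only ca.crt plus its own pair; revoking one client then means reissuing nothing for the others.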

Apparently you didn't read my issue. Your answer is off topic...

Yes, each client should have their own, but the script on the openwrt site (part of the howto) apparently doesn't do that correctly, and there is also the issue as described: Core exception: connection error: PEM_PASSWORD_FAILED: PolarSSL error parsing config private key : PK - Private key password can't be empty.

Well, what is meant by dual_Stack?
Seems a complicated how-to; is there any way to extend https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic for multiple users? Thank you

In that case, how/where can I provide the password on the client side for that password-protected key and cert? I am so confused ;-/ Is there any working guide on how to set it up for multiple clients? Thank you

https://openwrt.org/docs/guide-user/services/vpn/openvpn/extras#multi-client

It's pretty messed up now:
wget --no-check-certificate -O /tmp/create-certs.sh "...ode/docs/guide-user/services/vpn/openvpn/basic?codeblock=1" sh -v -x /tmp/create-certs.sh

The script downloaded via wget is different from the script provided on the howto page... which one is correct now? Execution of the script from wget... produced multiple errors: /tmp/create-certs.sh: line 1: service: not found

But again it's completely different from the one on the howto website...

The one where wget points seems to me the same as create-configs.sh... so I executed the one that is part of the howto page.

Server config:
wget --no-check-certificate -O /tmp/create-configs.sh ".... user/services/vpn/openvpn/basic?codeblock=3"

This one points in the wrong direction: 404

and the script says:

create-configs.sh: line 1: service: not found

Client section
wget --no-check-certificate -O /tmp/create-ovpn.sh "...services/vpn/openvpn/basic?codeblock=5"
--2019-02-07 00:59:20-- h...uide-user/services/vpn/openvpn/basic?codeblock=5
Resolving openwrt.org... 139.59.209.225, 2a03:b0c0:3:d0::1af1:1
Connecting to openwrt.org|139.59.209.225|:443... connected.
WARNING: cannot verify openwrt.org's certificate, issued by 'CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US':
Unable to locally verify the issuer's authority.
HTTP request sent, awaiting response... 404 Not Found
2019-02-07 00:59:20 ERROR 404: Not Found.

Do not use wget; just copy-paste the code. You can copy-paste several lines at once.

Copy-paste is a mess... it shifts everything by a tab or something... so it doesn't work properly then.

What OS and terminal are you using?

OK, fixed.

I changed the client config because the generated file has:
remote local_ip instead of the hostname

I imported a config - now I get "Waiting on VPN server" and after a while -> timeout

on lede: netstat -alpn
udp 0 0 0.0.0.0:1194 0.0.0.0:* 21490/openvpn

Seems that the openvpn server is running.

https://openwrt.org/docs/guide-user/services/vpn/openvpn/server#troubleshooting

I am on the same LAN and I tried remote as the IP of the router WAN port and it's still timing out...
even the lede says

root@LEDE:/tmp# netstat  -tulpn|grep  1194
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           21490/openvpn

eth1      Link encap:Ethernet            inet addr:10.0.0.4   (WAN)
LAN is 10.0.1.x

There must be some wrong FW rule?

Plus I found these "errors" in the log:

Thu Feb  7 01:40:07 2019 daemon.err openvpn(vpnserver)[21490]: tls-crypt unwrap error: packet too short
Thu Feb  7 01:40:07 2019 daemon.err openvpn(vpnserver)[21490]: TLS Error: tls-crypt unwrapping failed from [AF_INET]10.0.1.137:54052

where 10.0.1.137 acts as the client

This looks like a bug, specific to LEDE 17.01:
https://forums.openvpn.net/viewtopic.php?t=23181