OpenVPN instructions

Hi, I'm new here, to the forum and to OpenWrt.
I've found the OpenVPN 'basic' instructions page (i.e. https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic ) for the OpenVPN server, and I'm unclear on some of it, so dumb question incoming:

In the 'basic server' part of it, specifically the 'configuration parameters': where do I put it all? What am I supposed to do with it?

VPN_DEV="$(uci get firewall.@zone[0].device | sed -e "s/^.*\s//")"
VPN_POOL="192.168.8.0 255.255.255.0"
VPN_DNS="${VPN_POOL%.* *}.1"
VPN_DOMAIN="$(uci get dhcp.@dnsmasq[0].domain)"
EASYRSA_PKI="/etc/easy-rsa/pki"
DH_KEY="$(cat "${EASYRSA_PKI}/dh.pem")"
TC_KEY="$(sed -e "/^#/d;/^\w/N;s/\n//" "${EASYRSA_PKI}/tc.pem")"
CA_CERT="$(openssl x509 -in "${EASYRSA_PKI}/ca.crt")"
NL=$'\n'
Same for:
# Configure VPN server
grep -l -r -e "TLS Web Server Authentication" "${EASYRSA_PKI}/issued" \
| sed -e "s/^.*\///;s/\.\w*$//" \
| while read VPN_ID
do
VPN_CONF="/etc/openvpn/${VPN_ID}.conf"
VPN_CERT="$(openssl x509 -in "${EASYRSA_PKI}/issued/${VPN_ID}.crt")"
VPN_KEY="$(cat "${EASYRSA_PKI}/private/${VPN_ID}.key")"
cat << EOF > "${VPN_CONF}"
verb 3
user nobody
group nogroup
dev ${VPN_DEV}
port 1194
proto udp
server ${VPN_POOL}
topology subnet
client-to-client
keepalive 10 120
persist-tun
persist-key
push "dhcp-option DNS ${VPN_DNS}"
push "dhcp-option DOMAIN ${VPN_DOMAIN}"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>${NL}${DH_KEY}${NL}</dh>
<tls-crypt>${NL}${TC_KEY}${NL}</tls-crypt>
<ca>${NL}${CA_CERT}${NL}</ca>
<cert>${NL}${VPN_CERT}${NL}</cert>
<key>${NL}${VPN_KEY}${NL}</key>
EOF
chmod "u=rw,g=,o=" "${VPN_CONF}"
done
service openvpn restart

Am I supposed to put it all in the openvpn file in /etc/config, or...?

Thank you so much in advance.

All the code is supposed to be copy-pasted directly into the terminal while connected via SSH:
https://openwrt.org/docs/guide-quick-start/sshadministration

Thank you. Yes, I was already connected via SSH, but was unsure; I thought it was supposed to go into the config file.
I tried copy-pasting it into the terminal while in an SSH connection, but I get parse errors.

Make sure you completed all the previous steps.

What errors?
If there's too much text, you can post the output here:
https://paste.fedoraproject.org/

I completed everything before that, yes, and without any errors.

So I copy and paste the whole 'configuration parameters' chunk into the terminal, as you said. I have a few errors, among them 'no such file or directory' and 'unable to load certificate', which I find kind of curious, seeing as I hadn't gotten any errors at all up until that point and was careful to do everything. Should I start over?

VPN_DEV="$(uci get firewall.@zone[0].device | sed -e "s/^.*\s//"
)"
uci: Parse error (invalid command) at line 171, byte 0
root@OpenWrt:/# VPN_POOL="192.168.8.0 255.255.255.0"
root@OpenWrt:/# VPN_DNS="${VPN_POOL%.* *}.1"
root@OpenWrt:/# VPN_DOMAIN="$(uci get dhcp.@dnsmasq[0].domain)"
root@OpenWrt:/# EASYRSA_PKI="/etc/easy-rsa/pki"
root@OpenWrt:/# DH_KEY="$(cat "${EASYRSA_PKI}/dh.pem")"
cat: can't open '/etc/easy-rsa/pki/dh.pem': No such file or directory
root@OpenWrt:/# TC_KEY="$(sed -e "/^#/d;/^\w/N;s/\n//" "${EASYRSA_PKI}/tc.pem")"
root@OpenWrt:/# CA_CERT="$(openssl x509 -in "${EASYRSA_PKI}/ca.crt")"
Error opening Certificate /etc/easy-rsa/pki/ca.crt
2005142836:error:02001002:lib(2):func(1):reason(2):NA:0:fopen('/etc/easy-rsa/pki/ca.crt','r')
2005142836:error:20074002:lib(32):func(116):reason(2):NA:0:
unable to load certificate

It seems you missed one of the previous steps.
Try this way.
It will download the wiki page and run all the commands for you.

I've left home for the day but I'll try it as soon as I'm back. Thanks so much for bearing with me


Unfortunately, I still get parsing errors. I tried copying the whole block, and it happened. I also tried copying each line individually, and it's the same. It's after the

sh /tmp/openvpn-basic.sh

line that the errors immediately pop up, so it looks like it's exactly the case as before.

uci: Parse error (invalid command) at line 171, byte 0
uci: Parse error (invalid command) at line 171, byte 0
uci: Parse error (invalid command) at line 171, byte 0
uci: Parse error (invalid command) at line 171, byte 0
uci: Parse error (invalid command) at line 171, byte 0
uci: Parse error (invalid command) at line 171, byte 0
uci: Parse error (invalid command) at line 171, byte 0
uci: Parse error (invalid command) at line 171, byte 0
uci: Parse error (invalid command) at line 171, byte 0
Parse error (invalid command) at line 171, byte 0
Error: Failed to load /etc/config/firewall

The firewall configuration file is corrupted.
Restore it to the factory default:

cp /etc/config/firewall /etc/config/firewall.bak
cp /rom/etc/config/firewall /etc/config/firewall
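A preflight script for the two failure modes seen in this thread (Easy-RSA files that do not exist yet, and an /etc/config file that uci cannot parse), added here as an example; it is not from the wiki page, and it assumes the wiki's default PKI path /etc/easy-rsa/pki. Run it before pasting the server block:

```shell
#!/bin/sh
# Preflight for the wiki's OpenVPN server block (added example, not wiki code).
# Usage: sh preflight.sh [PKI_DIR]   (PKI_DIR defaults to /etc/easy-rsa/pki)

# Report which Easy-RSA artifacts the server block reads are absent.
# Returns 0 if all are present, 1 otherwise; missing paths go to stdout.
check_pki_files() {
    pki="$1"
    missing=0
    for f in dh.pem tc.pem ca.crt; do
        if [ ! -s "$pki/$f" ]; then
            echo "missing: $pki/$f"
            missing=1
        fi
    done
    # The server loop also needs at least one issued server certificate.
    if ! grep -rql "TLS Web Server Authentication" "$pki/issued" 2>/dev/null; then
        echo "missing: server certificate under $pki/issued"
        missing=1
    fi
    return $missing
}

# Confirm uci can load a config, since a corrupted /etc/config/firewall is what
# produced the "Parse error (invalid command)" messages in this thread.
# Returns 0 if it loads, 1 if uci rejects it, 2 if uci is not installed.
check_uci_config() {
    command -v uci >/dev/null 2>&1 || return 2
    uci -q export "$1" >/dev/null 2>&1 || return 1
}

preflight() {
    pki="${1:-/etc/easy-rsa/pki}"
    rc=0
    check_pki_files "$pki" || rc=1
    for cfg in firewall dhcp; do          # the two configs the wiki block reads
        cfg_rc=0
        check_uci_config "$cfg" || cfg_rc=$?
        case $cfg_rc in
            1) echo "uci cannot load /etc/config/$cfg (restore from /rom/etc/config/$cfg)"; rc=1 ;;
            2) echo "uci not found, skipping /etc/config/$cfg check" ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "preflight OK: safe to paste the server block"
    return $rc
}

# Run only when executed as a script, so the functions can also be sourced.
case "${0##*/}" in preflight.sh) preflight "$@" ;; esac
```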

I came back to report back, but you'd already written.
That's indeed exactly what I did. I decided to start over and, as usual, I'd made a backup of the whole config directory in /etc, which now came in handy. I restored the original firewall config file and had no issues this time.
Thanks a lot for everything; you've been really, really helpful.
