Hi, I'm new here - to the forum, and to OpenWrt.
I've found the OpenVPN 'basic' instructions page (i.e. https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic ) for the OpenVPN server, and I'm unclear on some of it, so dumb question incoming:
In the 'basic server' part of it, specifically the 'configuration parameters', where do I put it all? What am I supposed to do with it?
VPN_DEV="$(uci get firewall.@zone[0].device | sed -e "s/^.*\s//")"
VPN_POOL="192.168.8.0 255.255.255.0"
VPN_DNS="${VPN_POOL%.* *}.1"
VPN_DOMAIN="$(uci get dhcp.@dnsmasq[0].domain)"
EASYRSA_PKI="/etc/easy-rsa/pki"
DH_KEY="$(cat "${EASYRSA_PKI}/dh.pem")"
TC_KEY="$(sed -e "/^#/d;/^\w/N;s/\n//" "${EASYRSA_PKI}/tc.pem")"
CA_CERT="$(openssl x509 -in "${EASYRSA_PKI}/ca.crt")"
NL=$'\n'
Same for:
# Configure VPN server
grep -l -r -e "TLS Web Server Authentication" "${EASYRSA_PKI}/issued" \
| sed -e "s/^.*\///;s/\.\w*$//" \
| while read VPN_ID
do
VPN_CONF="/etc/openvpn/${VPN_ID}.conf"
VPN_CERT="$(openssl x509 -in "${EASYRSA_PKI}/issued/${VPN_ID}.crt")"
VPN_KEY="$(cat "${EASYRSA_PKI}/private/${VPN_ID}.key")"
cat << EOF > "${VPN_CONF}"
verb 3
user nobody
group nogroup
dev ${VPN_DEV}
port 1194
proto udp
server ${VPN_POOL}
topology subnet
client-to-client
keepalive 10 120
persist-tun
persist-key
push "dhcp-option DNS ${VPN_DNS}"
push "dhcp-option DOMAIN ${VPN_DOMAIN}"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>${NL}${DH_KEY}${NL}</dh>
<tls-crypt>${NL}${TC_KEY}${NL}</tls-crypt>
<ca>${NL}${CA_CERT}${NL}</ca>
<cert>${NL}${VPN_CERT}${NL}</cert>
<key>${NL}${VPN_KEY}${NL}</key>
EOF
chmod "u=rw,g=,o=" "${VPN_CONF}"
done
service openvpn restart
Am I supposed to put it all in the openvpn file in /etc/config, or?
Thank you. Yes, I was already connected via SSH, but was unsure - I thought it was supposed to go into the config file.
I tried copy-pasting it into the terminal over an SSH connection, but I get parse errors.
I completed everything before that, yes, and without any errors.
So I copy and paste the whole 'configuration parameters' chunk into the terminal, as you said. I have a few errors - among them 'no such file or directory' or 'unable to load certificate' - which I find kind of curious, seeing as I hadn't gotten any errors at all up till that point and was careful to do everything. Should I start over?
VPN_DEV="$(uci get firewall.@zone[0].device | sed -e "s/^.*\s//"
)"
uci: Parse error (invalid command) at line 171, byte 0
root@OpenWrt:/# VPN_POOL="192.168.8.0 255.255.255.0"
root@OpenWrt:/# VPN_DNS="${VPN_POOL%.* *}.1"
root@OpenWrt:/# VPN_DOMAIN="$(uci get dhcp.@dnsmasq[0].domain)"
root@OpenWrt:/# EASYRSA_PKI="/etc/easy-rsa/pki"
root@OpenWrt:/# DH_KEY="$(cat "${EASYRSA_PKI}/dh.pem")"
cat: can't open '/etc/easy-rsa/pki/dh.pem': No such file or directory
root@OpenWrt:/# TC_KEY="$(sed -e "/^#/d;/^\w/N;s/\n//" "${EASYRSA_PKI}/tc.pem")"
root@OpenWrt:/# CA_CERT="$(openssl x509 -in "${EASYRSA_PKI}/ca.crt")"
Error opening Certificate /etc/easy-rsa/pki/ca.crt
2005142836:error:02001002:lib(2):func(1):reason(2):NA:0:fopen('/etc/easy-rsa/pki/ca.crt','r')
2005142836:error:20074002:lib(32):func(116):reason(2):NA:0:
unable to load certificate
Unfortunately I still get parsing errors. I tried copying the whole block - and it happened. I also tried copying each line individually, and it's the same. It's after the
sh /tmp/openvpn-basic.sh
line that the errors immediately pop up, so it looks like it's exactly the case as before.
uci: Parse error (invalid command) at line 171, byte 0
uci: Parse error (invalid command) at line 171, byte 0
uci: Parse error (invalid command) at line 171, byte 0
uci: Parse error (invalid command) at line 171, byte 0
uci: Parse error (invalid command) at line 171, byte 0
uci: Parse error (invalid command) at line 171, byte 0
uci: Parse error (invalid command) at line 171, byte 0
uci: Parse error (invalid command) at line 171, byte 0
uci: Parse error (invalid command) at line 171, byte 0
Parse error (invalid command) at line 171, byte 0
Error: Failed to load /etc/config/firewall
I came back to report back, but you'd already written.
That's indeed exactly what I did. I decided to start over and, as usual, I'd made a backup of the whole config directory in /etc, which now came in handy. I restored the original firewall config file and no issues this time.
Thanks a lot for everything - you've been really, really helpful.
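An added example, written for this thread and not taken from the OpenWrt wiki page or from any of the replies above. The "Error: Failed to load /etc/config/firewall" line shows that uci cannot parse the firewall config itself (at line 171 of that file), which is why every uci call in the pasted block fails with the same message and why restoring the backed-up firewall file cleared it. The script below is my own: uci_lint finds lines that are not UCI syntax without needing uci, and pki_count_missing confirms that the files the wiki block reads (dh.pem, tc.pem, ca.crt and at least one issued server certificate) exist before anything is generated. It assumes the wiki's default layout (EASYRSA_PKI=/etc/easy-rsa/pki, server certs under issued/); the firewall file written by write_sample_firewall is a constructed sample, not a real router config.

```shell
#!/bin/sh
# Added example (not from the OpenWrt wiki or this thread): pre-flight checks
# to run as root over ssh before pasting the wiki's "configuration parameters"
# block. Assumes the wiki's paths (EASYRSA_PKI=/etc/easy-rsa/pki); the sample
# firewall config below is constructed for the demo.

# uci_lint FILE: print every line that is not valid UCI syntax (package/
# config/option/list, blank, or a '#' comment) as FILE:LINE: text and return 1
# if any were found. uci itself stops at the first offender ("Parse error
# (invalid command) at line N"); this shows all of them at once.
uci_lint() {
    awk -v f="$1" '
        /^[[:space:]]*$/ { next }
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*(package|config|option|list)([[:space:]]|$)/ { next }
        { printf "%s:%d: %s\n", f, NR, $0; bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# pki_count_missing DIR: print how many inputs of the wiki block are absent
# under DIR (dh.pem, tc.pem, ca.crt, and at least one issued server cert),
# naming each missing one on stderr. 0 means it is safe to proceed.
pki_count_missing() {
    dir="$1"; n=0
    for f in dh.pem tc.pem ca.crt; do
        if [ ! -r "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            n=$((n + 1))
        fi
    done
    # easy-rsa writes a text dump above the PEM in issued/*.crt; that text is
    # what the wiki's grep for "TLS Web Server Authentication" matches on
    if ! grep -qr "TLS Web Server Authentication" "$dir/issued" 2>/dev/null; then
        echo "no server certificate under $dir/issued (build one with easyrsa first)" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# write_sample_firewall FILE: constructed sample of a firewall config that
# had one line of the shell block pasted into it by mistake (line 9 here).
write_sample_firewall() {
    cat > "$1" << 'EOF'
config defaults
    option input 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    list network 'lan'
VPN_DEV="$(uci get firewall.@zone[0].device | sed -e "s/^.*\s//")"
EOF
}

# Usage on the router (live paths):
#   uci_lint /etc/config/firewall
#   pki_count_missing /etc/easy-rsa/pki
```

If uci_lint reports nothing but uci still fails, the damage is in another file under /etc/config; running uci_lint over each file there narrows it down. If pki_count_missing prints anything other than 0, go back to the certificate-generation steps on the wiki page before pasting the server block, since it will otherwise write OpenVPN configs with empty <dh>, <ca> or <cert> sections.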