OpenVPN: no tun0 created

Hello,

I come here after a few hours of trying to configure OpenVPN.

I installed openvpn-openssl and luci-app-openvpn.

I have tried a lot of configurations, but I never get tun0 as a new interface.

root@OpenWrt:~# logread -e openvpn
Sat Dec 10 17:38:45 2022 user.info : luci: accepted login on /admin/vpn/openvpn for root from 10.0.1.1

My OpenVPN config

config openvpn 'custom_config'
        option config '/etc/openvpn/my-vpn.conf'

config openvpn 'sample_server'
        option port '1194'
        option proto 'udp'
        option dev 'tun'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/server.crt'
        option key '/etc/openvpn/server.key'
        option dh '/etc/openvpn/dh2048.pem'
        option server '10.8.0.0 255.255.255.0'
        option ifconfig_pool_persist '/tmp/ipp.txt'
        option keepalive '10 120'
        option persist_key '1'
        option persist_tun '1'
        option user 'nobody'
        option status '/tmp/openvpn-status.log'
        option verb '3'

config openvpn 'sample_client'
        option client '1'
        option dev 'tun'
        option proto 'udp'
        list remote 'my_server_1 1194'
        option resolv_retry 'infinite'
        option nobind '1'
        option persist_key '1'
        option persist_tun '1'
        option user 'nobody'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/client.crt'
        option key '/etc/openvpn/client.key'
        option verb '3'

My network

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7d:9daf:db85::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan4'
        option ipv6 '0'
        option mtu '1500'
        option macaddr 'D8:EC:5E:44:01:4B'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'HOME'
        option proto 'static'
        option device 'lan3'
        option ipaddr '10.0.1.254'
        option netmask '255.255.255.0'
        list dns '208.67.222.222'
        list dns '208.67.220.220'
        option type 'bridge'

config interface 'DMZ'
        option proto 'static'
        option ipaddr '10.0.0.254'
        option netmask '255.255.255.0'
        option device 'DMZ'
        list dns '208.67.222.222'
        list dns '208.67.220.220'

config device
        option type 'bridge'
        option name 'DMZ'
        list ports 'lan1'
        list ports 'lan2'
        option ipv6 '0'

config device
        option name 'eth0'
        option ipv6 '0'

config device
        option name 'lan1'
        option ipv6 '0'

config device
        option name 'wan'
        option ipv6 '0'

config device
        option name 'lan3'
        option ipv6 '0'

config device
        option name 'lan2'
        option ipv6 '0'

config device
        option name 'wlan0'
        option ipv6 '0'

config device
        option name 'wlan1'
        option ipv6 '0'

config interface 'WIFI2'
        option proto 'static'
        list ipaddr '10.0.2.126/25'
        option device 'wlan0'

config interface 'WIFI5'
        option proto 'static'
        list ipaddr '10.0.2.254/25'
        option device 'wlan1'

No log, no idea now...

On a Belkin RT3200 with the latest firmware.

tun0 will not be available until the OpenVPN tunnel has been established. Have you actually started your OpenVPN instance? I see you have a custom config, but you didn't share that. It must be enabled, and then you must start the OpenVPN process.


What is your VPN provider?

At first glance there are several other problems with your configuration, such as option type bridge in a config interface section, which is deprecated, and reference to a wifi device in /etc/config/network, which is incorrect.

If your provider offers a .ovpn file, copy it somewhere into the filesystem and point at it with a custom config. An option enabled 1 must be added to activate that instance. If using a .ovpn file for the bulk of config instead of UCI, you can delete the sample server and sample client.

Yes I deleted all.

I am trying to set up a personal VPN for myself, with a certificate and access to my LAN...

To build a server, enable the sample_server example. Make sure the certificates are in place and open port 1194 from the wan.

How can I generate a certificate with a password?

I can install an OpenVPN server quickly on a Debian system, but it's more complicated for me on OpenWrt.

You might consider using WireGuard instead of OpenVPN. It is much easier to configure and much more performant than OpenVPN.

I can't, I need to use TCP port 80 to use my VPN

Would UDP port 80 be a possibility? WireGuard is UDP only, but can run on any port.

Your server certificate private key must not be encrypted with a password, so it can be loaded unattended.

OpenVPN user password is a separate authentication layer on top of certificates. It adds relatively little security but if you want to use it you would add option user and password to the main config. I would not try that during initial testing.


I have done some research, and WireGuard is not possible because it uses only UDP, yes, and I need to use my VPN at my job over TCP 80.

Ok... well, OpenVPN it is, then.

Ok, I tried to use sample_server, and here is my log:

Sat Dec 10 18:16:37 2022 daemon.warn openvpn(sample_server)[9287]: --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Sat Dec 10 18:16:37 2022 daemon.notice openvpn(sample_server)[9287]: OpenVPN 2.5.7 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Dec 10 18:16:37 2022 daemon.notice openvpn(sample_server)[9287]: library versions: OpenSSL 1.1.1s  1 Nov 2022, LZO 2.10
Sat Dec 10 18:16:37 2022 daemon.notice openvpn(sample_server)[9287]: net_route_v4_best_gw query: dst 0.0.0.0
Sat Dec 10 18:16:37 2022 daemon.notice openvpn(sample_server)[9287]: net_route_v4_best_gw result: via 82.66.85.254 dev wan
Sat Dec 10 18:16:37 2022 daemon.warn openvpn(sample_server)[9287]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Dec 10 18:16:37 2022 daemon.err openvpn(sample_server)[9287]: OpenSSL: error:02001002:system library:fopen:No such file or directory
Sat Dec 10 18:16:37 2022 daemon.err openvpn(sample_server)[9287]: OpenSSL: error:2006D080:BIO routines:BIO_new_file:no such file
Sat Dec 10 18:16:37 2022 daemon.err openvpn(sample_server)[9287]: Cannot open /etc/openvpn/dh2048.pem for DH parameters
Sat Dec 10 18:16:37 2022 daemon.notice openvpn(sample_server)[9287]: Exiting due to fatal error

Did you create the keys, certs, and dh file?

That's the problem: I followed many tutorials, and none of them generates this certificate.

See the "Key management" section of the link I sent earlier.

I recommend creating keys on a normal computer and then transferring them to your router. Unless your router is x86, most routers have relatively weak CPUs and the key generation will take forever!

I'm looking at the same time; can you tell me which interface had the problem?

The no such file errors are the problem. The dh parameter file specified in the config does not exist.

The tun0 interface is created as the last step. If there is a fatal error such as a missing file before then, there won't be a tun0 interface.
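A preflight check that catches the three startup problems raised in this thread (a referenced file such as dh2048.pem that does not exist, a password-protected server key, and a missing option enabled '1') before OpenVPN is started. This is an added example, not code from the thread or from the OpenWrt project; the config tree it checks is a constructed fixture, and the optional ROOT argument exists only so the check can run outside the router.

```sh
#!/bin/sh
# Preflight check for an OpenWrt OpenVPN UCI instance (added example; fixture paths are constructed).
# preflight CONFIG_FILE INSTANCE [ROOT]: prints one line per problem, returns 0 if the instance can start.
preflight() {
    cfg="$1"; inst="$2"; root="${3:-}"; rc=0
    # Keep only the lines of "config openvpn '<INSTANCE>'" up to the next section header.
    section=$(awk -v want="$inst" '
        /^config[ \t]/ { insec = ($2 == "openvpn" && $3 == ("\047" want "\047")); next }
        insec && NF    { print }' "$cfg")
    [ -n "$section" ] || { echo "instance '$inst' not found in $cfg"; return 1; }
    # /etc/init.d/openvpn only launches instances that carry option enabled '1'.
    if ! printf '%s\n' "$section" | grep -q "option enabled '1'"; then
        echo "$inst: option enabled '1' missing, the instance will never start"; rc=1
    fi
    # Every file OpenVPN opens at startup must exist, or it exits before tun0 is ever created.
    for opt in ca cert key dh; do
        path=$(printf '%s\n' "$section" |
            awk -v o="$opt" '$1 == "option" && $2 == o { gsub("\047", "", $3); print $3 }')
        [ -n "$path" ] || continue
        if [ ! -f "$root$path" ]; then
            echo "$inst: $opt file $path does not exist"; rc=1
        elif [ "$opt" = key ] && grep -q ENCRYPTED "$root$path"; then
            # A server key must load unattended, so a password-protected PEM key is a misconfiguration.
            echo "$inst: key file $path is password-protected"; rc=1
        fi
    done
    return $rc
}
# make_fixture: constructed config tree reproducing the thread's failure (dh2048.pem absent) plus two more defects.
make_fixture() {
    d=$(mktemp -d); mkdir -p "$d/etc/openvpn"
    printf -- '-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n' > "$d/etc/openvpn/ca.crt"
    cp "$d/etc/openvpn/ca.crt" "$d/etc/openvpn/server.crt"
    printf -- '-----BEGIN ENCRYPTED PRIVATE KEY-----\n(constructed placeholder)\n-----END ENCRYPTED PRIVATE KEY-----\n' > "$d/etc/openvpn/server.key"
    cat > "$d/openvpn" <<'EOF'
config openvpn 'custom_config'
        option config '/etc/openvpn/my-vpn.conf'

config openvpn 'sample_server'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/server.crt'
        option key '/etc/openvpn/server.key'
        option dh '/etc/openvpn/dh2048.pem'
EOF
    echo "$d"
}

fixture=$(make_fixture)
preflight "$fixture/openvpn" sample_server "$fixture" || echo "fix the above before: /etc/init.d/openvpn start"
```

On a real router, run it as `preflight /etc/config/openvpn sample_server` with no ROOT argument, then compare its output with `logread -e openvpn` after starting the service.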

It's very complicated; there are too many certificates for personal use.

Where do I add this command: export EASYRSA_PKI="${OVPN_PKI}" ?

Mhmm, I need to follow a clearer tutorial.