First timer here. I've managed to install and get my OpenWRT setup on an x86 machine. I've set up OpenVPN using ExpressVPN but I can't get the instance to start. When I do, the system log says the following:
Fri Dec 16 12:40:01 2022 daemon.notice openvpn(NewYork)[11922]: library versions: OpenSSL 1.1.1s 1 Nov 2022, LZO 2.10
Fri Dec 16 12:40:01 2022 daemon.err openvpn(NewYork)[11922]: ERROR: Failed retrieving username or password
Fri Dec 16 12:40:01 2022 daemon.notice openvpn(NewYork)[11922]: Exiting due to fatal error
I followed this tutorial that was made on this forum to set me up, with a few modifications, but what I believe is the same end result.
When an ovpn file is used, it replaces any other settings (except enabled) that may be in /etc/config/openvpn. So attempting to set the userpass file there has no effect. It needs to be in the .ovpn file.
The file path is not there. Having only auth-user-pass without a file will need to prompt the user for credentials at every startup. That does not work when running as a service.
So I have to declare the file path in each .ovpn file that I have? I thought adding the option auth_user_pass '/etc/config/vpnfiles/user.auth' line in the main config was meant to cover for that?
Yes. option config will direct that OpenVPN instance to read the file instead of using UCI options. Without an option config, the options in /etc/config/openvpn are used to build a temporary .ovpn file that is then passed to OpenVPN. It's an either/or process. Configuration can't be combined from the two methods.
Thank you!! I've been looking at this for 2 days now and it's been solved in such a short time.
Though I would want to understand. If option config is only reading the file and not the contents of it, why is adding it to the .ovpn as a path then able to?
I also set it up according to the tutorial linked in the OP, and in there, the author set up not just the auth file, but also the certificate and key files as paths. And they were also not working. It's really confusing.
When option config is used, the OpenWrt script that starts OpenVPN doesn't look inside the .ovpn file at all. It only passes the name to OpenVPN, which will then use the file the same as on any other system. You can see that by using ps to see the command line used to launch the OpenVPN process.
The "community" area of the OpenVPN official website describes the options that can be in an .ovpn file. These are not OpenWrt specific. It is possible to embed certificates and keys or to refer to them as separate files. Most commercial providers supply a file with embedded certificates to simplify it to only distributing one file.
As you can see, the ca, cert and key files are defined as paths to existing files. This test.ovpn starts and stays on. But when I define those paths myself in the main openvpn config file as below:
Fri Dec 16 17:29:50 2022 daemon.err openvpn(NewYork)[20628]: Options error: You must define CA file (--ca) or CA path (--capath)
I ended up leaving the certificate in *.ovpn files because it was starting to grind my gears. Is it still the same issue as you described above? Am I supposed to find a path within the *.ovpn? I was attempting to avoid creating large files because of repeated information that can just be fed from one source.
If there is an option config present in an openvpn instance block in /etc/config/openvpn, nothing else in that block (other than option enabled) will have any effect.
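A check for the either/or rule described in this thread, as an added example that is not part of any poster's reply or of OpenWrt itself: it lists UCI options that are ignored because the instance block also has option config, and reports whether an .ovpn file's auth-user-pass names a credentials file. The function names and the sample .ovpn path are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Sample paths below are constructed.

# ignored_uci_options FILE
# Prints "instance<TAB>option" for every option in an instance block that also
# has `option config`, i.e. options that never reach OpenVPN.
ignored_uci_options() {
    awk '
        function emit(   i) {
            if (has_config) for (i = 1; i <= n; i++) print name "\t" opts[i]
            n = 0; has_config = 0
        }
        $1 == "config" { emit(); name = $3; gsub(/["\047]/, "", name); next }
        $1 == "option" || $1 == "list" {
            if ($2 == "config") has_config = 1
            else if ($2 != "enabled") opts[++n] = $2
        }
        END { emit() }
    ' "$1"
}

# auth_user_pass_status OVPN
# Prints "file:<path>", "prompt" (directive without a file, which does not
# work when running as a service) or "absent".
auth_user_pass_status() {
    awk '
        { sub(/\r$/, "") }   # tolerate CRLF line endings
        $1 == "auth-user-pass" { found = 1; path = $2 }
        END {
            if (!found) print "absent"
            else if (path == "") print "prompt"
            else print "file:" path
        }
    ' "$1"
}

# Demo on constructed input modelled on the NewYork instance in the thread.
demo() {
    d=$(mktemp -d) || return 1
    printf "%s\n" "config openvpn 'NewYork'" "    option enabled '1'" \
        "    option config '$d/newyork.ovpn'" \
        "    option auth_user_pass '/etc/config/vpnfiles/user.auth'" > "$d/openvpn"
    printf 'client\nauth-user-pass\n' > "$d/newyork.ovpn"
    ignored_uci_options "$d/openvpn"
    auth_user_pass_status "$d/newyork.ovpn"
    rm -rf "$d"
}
demo
```

On the constructed input the demo reports auth_user_pass as ignored for NewYork and the .ovpn as "prompt", which is the combination that produces the "Failed retrieving username or password" error quoted at the top of the thread.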