OpenVPN problem in OpenWrt

I am new to OpenWrt. Decided to give it a try after years of dd-wrt. I was excited to read about how you can just upload a .ovpn config file into OpenWrt. Thought for sure this would solve any VPN connection issues. I was wrong. OpenVPN in OpenWrt does not work like the OpenVPN GUI software in Windows. Why?

OpenVPN GUI in windows has no problem loading the same config file and connecting to the vpn.

Here is the error log if anyone can help. Thanks.

Wed May  4 13:40:49 2022 daemon.warn openvpn(BolehVpn2day)[19378]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Wed May  4 13:40:49 2022 daemon.notice openvpn(BolehVpn2day)[19378]: OpenVPN 2.5.3 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed May  4 13:40:49 2022 daemon.notice openvpn(BolehVpn2day)[19378]: library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
Wed May  4 13:40:49 2022 daemon.warn openvpn(BolehVpn2day)[19378]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed May  4 13:40:49 2022 daemon.notice openvpn(BolehVpn2day)[19378]: TCP/UDP: Preserving recently used remote address: [AF_INET]192.99.44.200:4443
Wed May  4 13:40:49 2022 daemon.notice openvpn(BolehVpn2day)[19378]: UDP link local: (not bound)
Wed May  4 13:40:49 2022 daemon.notice openvpn(BolehVpn2day)[19378]: UDP link remote: [AF_INET]192.99.44.200:4443
Wed May  4 13:40:49 2022 daemon.warn openvpn(BolehVpn2day)[19378]: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Wed May  4 13:40:49 2022 daemon.notice openvpn(BolehVpn2day)[19378]: [bviserver] Peer Connection Initiated with [AF_INET]192.99.44.200:4443
Wed May  4 13:40:50 2022 daemon.err openvpn(BolehVpn2day)[19378]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:1: block-outside-dns (2.5.3)
Wed May  4 13:40:50 2022 daemon.warn openvpn(BolehVpn2day)[19378]: WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
Wed May  4 13:40:50 2022 daemon.warn openvpn(BolehVpn2day)[19378]: sitnl_send: rtnl: generic error (-13): Permission denied
Wed May  4 13:40:50 2022 daemon.notice netifd: Interface 'vpn0' is enabled
Wed May  4 13:40:50 2022 daemon.notice netifd: Network device 'tun0' link is up
Wed May  4 13:40:50 2022 daemon.notice netifd: Interface 'vpn0' has link connectivity
Wed May  4 13:40:50 2022 daemon.notice netifd: Interface 'vpn0' is setting up now
Wed May  4 13:40:50 2022 daemon.notice openvpn(BolehVpn2day)[19378]: TUN/TAP device tun0 opened
Wed May  4 13:40:50 2022 daemon.notice netifd: Interface 'vpn0' is now up
Wed May  4 13:40:51 2022 daemon.notice openvpn(BolehVpn2day)[19378]: net_iface_mtu_set: mtu 1500 for tun0
Wed May  4 13:40:51 2022 daemon.notice openvpn(BolehVpn2day)[19378]: net_iface_up: set tun0 up
Wed May  4 13:40:51 2022 daemon.notice openvpn(BolehVpn2day)[19378]: net_addr_v4_add: 172.16.0.81/24 dev tun0
Wed May  4 13:40:51 2022 daemon.notice openvpn(BolehVpn2day)[19378]: net_iface_mtu_set: mtu 1500 for tun0
Wed May  4 13:40:51 2022 daemon.notice openvpn(BolehVpn2day)[19378]: net_iface_up: set tun0 up
Wed May  4 13:40:51 2022 daemon.notice openvpn(BolehVpn2day)[19378]: net_addr_v6_add: fd35:4d33:9a09:9d09::104f/64 dev tun0
Wed May  4 13:40:51 2022 daemon.notice openvpn(BolehVpn2day)[19378]: /usr/libexec/openvpn-hotplug up BolehVpn2day tun0 1500 1552 172.16.0.81 255.255.255.0 init
Wed May  4 13:40:51 2022 daemon.notice openvpn(BolehVpn2day)[19378]: add_route_ipv6(2000::/3 -> fd35:4d33:9a09:9d09::1 metric -1) dev tun0
Wed May  4 13:40:51 2022 daemon.notice openvpn(BolehVpn2day)[19378]: add_route_ipv6(::/3 -> fd35:4d33:9a09:9d09::1 metric -1) dev tun0
Wed May  4 13:40:51 2022 daemon.notice openvpn(BolehVpn2day)[19378]: add_route_ipv6(2000::/4 -> fd35:4d33:9a09:9d09::1 metric -1) dev tun0
Wed May  4 13:40:51 2022 daemon.notice openvpn(BolehVpn2day)[19378]: add_route_ipv6(3000::/4 -> fd35:4d33:9a09:9d09::1 metric -1) dev tun0
Wed May  4 13:40:51 2022 daemon.notice openvpn(BolehVpn2day)[19378]: add_route_ipv6(fc00::/7 -> fd35:4d33:9a09:9d09::1 metric -1) dev tun0
Wed May  4 13:40:51 2022 daemon.warn openvpn(BolehVpn2day)[19378]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed May  4 13:40:51 2022 daemon.notice openvpn(BolehVpn2day)[19378]: Initialization Sequence Completed
Wed May  4 13:40:51 2022 user.notice firewall: Reloading firewall due to ifup of vpn0 (tun0)

The log appears to have several warnings and one error. They're pretty clear, IMO. For example:

This error shows that the option is not valid as specified. You have other warnings about deprecated options and/or inconsistencies in the local and remote configs.

Go through the warnings one at a time and make sure your config files are set correctly. If you get stuck on a particular item, ask specifically about that item (sometimes it is a syntax thing).

OpenVPN did complete the connection with only warnings, no fatal errors. The tunnel is up now, so you should be able to pass VPN traffic. Check the routing and firewall. A simple test that doesn't require routing or firewall is to ping the other end of the VPN tunnel; in this case it would be 172.16.0.X, where X is likely 1.
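The "go through the warnings one at a time" advice, as an added example that is not code from this thread, from OpenWrt or from the OpenVPN project: a small Python triage script that parses logread-style OpenVPN lines, matches each warning/error against a table of known messages together with the client-config change it points at, and derives the ping target suggested above from the net_addr_v4_add line. The sample log is constructed from the lines posted earlier in the thread; the finding keys and the fix wording are my own, with the remediation taken from the log message itself or from the OpenVPN 2.5 manual.

```python
import ipaddress
import re

# Constructed sample: lines copied from the syslog excerpt posted in this thread
# (same instance name, PID and timestamps; nothing added). Only the lines the
# triage needs are kept so the block runs stand-alone.
SAMPLE_LOG = """\
Wed May  4 13:40:49 2022 daemon.warn openvpn(BolehVpn2day)[19378]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Wed May  4 13:40:49 2022 daemon.notice openvpn(BolehVpn2day)[19378]: OpenVPN 2.5.3 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed May  4 13:40:49 2022 daemon.warn openvpn(BolehVpn2day)[19378]: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Wed May  4 13:40:50 2022 daemon.err openvpn(BolehVpn2day)[19378]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:1: block-outside-dns (2.5.3)
Wed May  4 13:40:50 2022 daemon.warn openvpn(BolehVpn2day)[19378]: WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
Wed May  4 13:40:51 2022 daemon.notice openvpn(BolehVpn2day)[19378]: net_addr_v4_add: 172.16.0.81/24 dev tun0
Wed May  4 13:40:51 2022 daemon.warn openvpn(BolehVpn2day)[19378]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed May  4 13:40:51 2022 daemon.notice openvpn(BolehVpn2day)[19378]: Initialization Sequence Completed
"""

# Line shape as logread prints it on OpenWrt:
# "<timestamp> <facility>.<severity> openvpn(<instance>)[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) "
    r"(?P<facility>\w+)\.(?P<severity>\w+) openvpn\((?P<instance>[^)]+)\)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Substring of the message -> (finding key, what to change in the client .ovpn).
# Keys and wording are mine; the remediation follows the log text or the 2.5 manual.
KNOWN = [
    ("DEPRECATED OPTION: --cipher", "cipher-not-in-data-ciphers",
     "add the --cipher value to data-ciphers, or replace cipher with data-ciphers-fallback"),
    ("in [PUSH-OPTIONS]", "unsupported-pushed-option",
     "option pushed by the server is unknown to this client build and is ignored (non-fatal)"),
    ("redirect-gateway and redirect-private", "duplicate-redirect-gateway",
     "the server already pushes redirect-gateway; do not set it again in the client config"),
    ("'keysize' is used inconsistently", "keysize-mismatch",
     "informational: each side's keysize follows its cipher; match the server's cipher"),
    ("use the auth-nocache option", "password-cached-in-memory",
     "add auth-nocache to the client config"),
]


def parse_line(line):
    """Return a dict of fields for an openvpn syslog line, or None for other lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Walk the log once and summarise: did the tunnel come up, was there a fatal
    error, what address did tun0 get, which far end to ping, and one finding per
    recognised warning/error with the config change it points at."""
    result = {"tunnel_up": False, "fatal": False, "tunnel_addr": None,
              "ping_target": None, "findings": [], "unclassified": []}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if msg.startswith("Initialization Sequence Completed"):
            result["tunnel_up"] = True
        elif msg.startswith("net_addr_v4_add:"):
            # "net_addr_v4_add: 172.16.0.81/24 dev tun0"
            addr = msg.split()[1]
            result["tunnel_addr"] = addr
            # First host of the tunnel subnet is the usual server-side address
            # (the "172.16.0.X where X is likely 1" check from the thread).
            result["ping_target"] = str(ipaddress.ip_interface(addr).network[1])
        elif "Exiting due to fatal error" in msg:
            result["fatal"] = True
        if rec["severity"] in ("warn", "err"):
            for needle, key, fix in KNOWN:
                if needle in msg:
                    result["findings"].append({"key": key, "severity": rec["severity"], "fix": fix})
                    break
            else:
                result["unclassified"].append(msg)
    # A daemon.err followed by "Initialization Sequence Completed" did not stop the
    # client; treat err lines as fatal only when the tunnel never came up.
    if not result["tunnel_up"] and any(f["severity"] == "err" for f in result["findings"]):
        result["fatal"] = True
    return result


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print("tunnel up:", summary["tunnel_up"], "fatal:", summary["fatal"])
    print("tunnel address:", summary["tunnel_addr"], "-> try: ping", summary["ping_target"])
    for f in summary["findings"]:
        print("[%s] %s: %s" % (f["severity"], f["key"], f["fix"]))
```

On the router the same lines come from `logread | grep openvpn`; pipe that into `triage()` and work down the findings list. The one daemon.err line in this log is a pushed option the client does not understand, which OpenVPN logs and ignores, so the script reports the tunnel as up and not fatal, matching what the log's last line says.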

Thanks psherman and mk24. I did notice that there were errors. Only thing is I don't know how to fix them. All internet is cut off when I start the vpn. Don't know what is causing that.

Like I mentioned before. Why does OpenVPN, in windows, have zero problem loading and connecting fine without problems? Internet works fine. Everything checks out in an ip check too.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall
cat /etc/config/openvpn

Thanks psherman. I don't know what platform that screenshot is from. No idea where to enter those commands. Sorry.

The screenshot (with the circled icon) is from this forum -- as you reply, look at the top of the textbox and you will see that icon (you've probably already used it for your OP).

The command cat /etc/config/network (and the others) is run on the OpenWrt device. You will connect by ssh (using the built-in terminal on Mac/Linux, or an application like PuTTY for Windows), then run those commands and copy/paste the output into a </> code block here on the forum.

Sorry, the info ran together. Here it is.

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdda:a157:b566::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config device
        option name 'eth0.1'
        option macaddr 'a0:63:91:e3:d4:94'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0.2'
        option macaddr 'A0:63:91:E3:D4:95'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 5t'

config interface 'vpn0'
        option proto 'none'
        option device 'tun0'
__________________________________________
root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vpn0'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'
________________________________________________
root@OpenWrt:~# cat /etc/config/openvpn

config openvpn 'custom_config'
        option config '/etc/openvpn/my-vpn.conf'

config openvpn 'sample_server'
        option port '1194'
        option proto 'udp'
        option dev 'tun'
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/server.crt'
        option key '/etc/openvpn/server.key'
        option dh '/etc/openvpn/dh2048.pem'
        option server '10.8.0.0 255.255.255.0'
        option ifconfig_pool_persist '/tmp/ipp.txt'
        option keepalive '10 120'
        option persist_key '1'
        option persist_tun '1'
        option user 'nobody'
        option status '/tmp/openvpn-status.log'
        option verb '3'

config openvpn 'sample_client'
        option client '1'
        option dev 'tun'
        option proto 'udp'
        option resolv_retry 'infinite'
        option nobind '1'
        option persist_key '1'
        option persist_tun '1'
        option user 'nobody'
        option ca '/etc/openvpn/ca.crt'
        option secret '/etc/openvpn/ta.key'
        option cert '/etc/openvpn/cscp193077.crt'
        option key '/etc/openvpn/cscp193077.key'
        option port '443'
        list remote '1yul.bolehvpn.net'
        option dev_type 'tun'
        option verb '5'
        option client_to_client '0'
        option key_direction '1'

config openvpn 'BolehVpn2day'
        option config '/etc/openvpn/BolehVpn2day.ovpn'
        option enabled '1'

This is probably the problem... the VPN should be in either the wan zone or its own zone... the simple fix is to do this:

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'vpn0'

That won't resolve the other issues (warnings/errors), but it should presumably fix connectivity.
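Why this zone assignment cuts off all internet, and the same fix expressed as uci commands, as an added example that is not from this thread, from OpenWrt or from its documentation: in the posted firewall config only the wan zone has masq '1', so with vpn0 in the lan zone packets from 192.168.1.x are forwarded into tun0 with their private source address and the far end has no route back; lan-to-wan forwarding is already allowed, so moving vpn0 into wan both masquerades that traffic and stops the lan zone's input ACCEPT from applying to whatever arrives over the tunnel. The Python below parses the posted zone sections (copied inline as a constructed sample), reports both problems, and prints the uci commands to run over ssh; the parser and the function names are mine, and uci itself is not executed here.

```python
import copy

# Constructed sample: the two zone sections from the /etc/config/firewall posted
# in this thread. Rules and the forwarding section are omitted because only zone
# membership, masq and the input policy matter for this check.
SAMPLE_FIREWALL = """\
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vpn0'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'wan'
        list network 'wan6'
"""


def parse_uci(text):
    """Minimal parser for UCI config text. Each section becomes a dict with its
    type, optional name, 'option' values and 'list' values. Enough for the
    firewall file; multi-line quoting is not handled."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "config":
            cur = {"type": parts[1],
                   "name": parts[2].strip("'\"") if len(parts) > 2 else None,
                   "options": {}, "lists": {}}
            sections.append(cur)
        elif parts[0] == "option" and cur is not None:
            cur["options"][parts[1]] = parts[2].strip("'\"")
        elif parts[0] == "list" and cur is not None:
            cur["lists"].setdefault(parts[1], []).append(parts[2].strip("'\""))
    return sections


def zones(sections):
    """Zone sections in file order; the index matches uci's firewall.@zone[N]."""
    return [s for s in sections if s["type"] == "zone"]


def zone_of(sections, network):
    """(index, zone) of the zone that lists `network`, or (None, None)."""
    for idx, z in enumerate(zones(sections)):
        if network in z["lists"].get("network", []):
            return idx, z
    return None, None


def audit_vpn_zone(sections, network="vpn0"):
    """Explain why a VPN client interface in its current zone breaks or exposes things.
    No masq: LAN clients' packets leave the tunnel with their 192.168.x.x source and
    are never answered. input ACCEPT: hosts on the far side of the tunnel can reach
    the router's own services (ssh, LuCI, DNS)."""
    idx, z = zone_of(sections, network)
    if z is None:
        return ["%s is not in any firewall zone" % network]
    name = z["options"].get("name", "?")
    problems = []
    if z["options"].get("masq") != "1":
        problems.append("%s is in zone '%s' (@zone[%d]) which does not masquerade" % (network, name, idx))
    if z["options"].get("input") == "ACCEPT":
        problems.append("zone '%s' accepts unsolicited input arriving from the tunnel" % name)
    return problems


def move_network(sections, network, target_zone):
    """Return a copy of the parsed config with `network` moved into `target_zone`."""
    new = copy.deepcopy(sections)
    _, src = zone_of(new, network)
    if src is not None:
        src["lists"]["network"].remove(network)
    for z in zones(new):
        if z["options"].get("name") == target_zone:
            z["lists"].setdefault("network", []).append(network)
            return new
    raise ValueError("no zone named %r" % target_zone)


def uci_fix_commands(sections, network="vpn0", target_zone="wan"):
    """The equivalent commands to type over ssh on the router (not run here)."""
    src_idx, _ = zone_of(sections, network)
    dst_idx = next(i for i, z in enumerate(zones(sections))
                   if z["options"].get("name") == target_zone)
    cmds = []
    if src_idx is not None and src_idx != dst_idx:
        cmds.append("uci del_list firewall.@zone[%d].network='%s'" % (src_idx, network))
    if src_idx != dst_idx:
        cmds.append("uci add_list firewall.@zone[%d].network='%s'" % (dst_idx, network))
    cmds += ["uci commit firewall", "/etc/init.d/firewall restart"]
    return cmds


if __name__ == "__main__":
    cfg = parse_uci(SAMPLE_FIREWALL)
    for p in audit_vpn_zone(cfg):
        print("PROBLEM:", p)
    print("\n".join(uci_fix_commands(cfg)))
```

The generated commands are the CLI equivalent of the zone edit shown above (zone indices are positional, so check them with `uci show firewall | grep zone` on a config that has more zones). `move_network` re-runs the audit on the corrected config so you can confirm there is nothing left to flag before touching the router.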

Thanks psherman. Where do I edit to correct these things? Is it in the .ovpn config file? Here is the beginning part where any editing would change something.

script-security 2
#Connection Settings
client
dev tun
proto udp
nobind
persist-key

#Security Settings
auth sha512
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
verify-x509-name bviserver name

#Canada
remote 1yul.bolehvpn.net 443
remote 192.99.44.200 4443
remote-random

# Set log file verbosity.
verb 1

# Silence repeating messages
mute 20

#User Info

key-direction 1
#cscp193077
<tls-auth>

Thanks.

Those edits are in the firewall file (/etc/config/firewall). You can also make the changes using the web interface - edit the vpn0 network, remove it from the lan firewall zone and put it in the wan firewall zone.

Are there edit commands from within ssh that I need to use? I tried copying "/etc/config/firewall", without the quotes of course. All I got was "-ash: /etc/config/firewall: Permission denied"

You can use the vi editor or install nano or similar text editors on your OpenWrt device.

I'd recommend that you read up on the basics of editing text files in linux...
this might be helpful:

Thanks for your help. Be nice if it didn't take hours and hours of schooling to make a vpn work. Especially when it looked like all I had to do was upload the .ovpn file for it to work, like I was hoping. Hopefully openwrt will develop to that point some day. Thanks again.

I mentioned that you can do this in the web interface... it should take about 30 seconds max.

It sounds like you're looking for the fast food experience -- go in, ask for a burger, pay, eat. OpenWrt is more like the experience of grilling your own burger. You need to be able to prepare your burger, start the grill, cook it (and know when it is time to flip it, when it's done, etc.). Not hard stuff, but it is a little bit of work that is your responsibility to complete.

OpenWrt is well documented with lots of examples and you don't have to understand all of it to manage the basics.

OpenWrt is actually quite good in terms of being user friendly, powerful, and flexible. The web interface can do many of the common tasks with no need to learn linux type tools. Users with more complex requirements and/or more low-level knowledge will often use the CLI because it can be faster and easier at times.

It's all a balancing act... for example, there are consumer wifi platforms (many ISP provided routers, Apple's now-discontinued Airport line, Google/Nest Wifi, etc.) which are really easy to use, but they do not expose many/any advanced features to the user, and you can't typically extend the capabilities with VPNs and other features. On the other side of the coin are the more sophisticated platforms aimed at enthusiasts and business/enterprise -- Ubiquiti, Cisco, 'Tik, pfSense, etc -- which are quite hard to use unless you are well versed in network technology and often require knowledge of the CLI. OpenWrt basically gives you the best of both worlds.

Learning how to edit config files with a standard editor doesn't seem like a big lift or steep learning curve. Here are the basics of vi -- a relatively short page -- yes, the commands are a bit archaic compared to modern GUI driven editors, but it's not hard to learn.

Openwrt implied simplicity though, with the option of uploading a .ovpn file. I'm completely new to openwrt, so I thought "Awesome! This is what I've been looking for!!" Thought it would just work. What magic is OpenVPN GUI in windows doing that can't be duplicated on the router level? It's open source and available to all developers. I'm honestly just curious as to why whatever OpenVPN GUI is doing to load the .ovpn file and connect no problem, can't just be copied in openwrt on the router.

I get it. I can figure it out eventually. I just really want to know why openvpn in openwrt can't perform the same magic that openvpn software does with the very same .ovpn config file.

I assume you created the vpn0 network interface, right? If so, you probably also associated tun0 with vpn0 and then assigned it a protocol (none/unmanaged) and finally assigned the firewall zone. It was the firewall zone that you assigned incorrectly -- it should be assigned to wan, not lan.

This is fully documented here (and step 6 states that you should use firewall zone wan): https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci

Yes. I followed all the steps to create a new interface and checked "unmanaged" and saved and applied. It says next to that device "Error: Network device is not present". I tried rebooting too, to see if that would correct it. It did not. The tutorials do not cover this error if you run into it.

you didn't mention this earlier. Is this a new problem?

I know. Sorry. No, it's not new. Happened right after I created the device yesterday. After the vpn cut off all internet when I uploaded the config file and started the vpn, I searched further for a tutorial on how to configure openvpn client in openwrt. I thought I found the solution for my problem, but when I followed the steps shown, I ran into that error. Do you know about this error?