Openvpn server not reachable

I installed OpenVPN on my Cudy WR2100 with OpenWrt 21.02.1 r16325-88151b8303 on it according to this guide

The problem is: I can't connect to the VPN server. Not from the Internet, and also not from the WAN side when I put the router's WAN interface into an existing LAN and try to connect to its IP from the WAN side.

Running a port scan shows me that port 1194, which should be open, is closed.

I checked the Firewall rules and all is set up like it should be.

I checked the log of OpenVPN via SSH and found out the server received the requests but had TLS error.

OpenVPN says this may be because of the server's firewall (which should be configured right) or because the client has a wrong IP in the connection config.
Because the network manager in Mint and also MX could not import .ovpn files with embedded certificates, I had to extract the certificates from the .ovpn file using a Python script.

One problem also is that the OpenVPN tls-crypt-v2 client key was left in the .ovpn file by the script, so I had to manually put it into one of the .crt files.
Not additional and also not as replacement for the particular certificate.

I tested all kinds of variations, but it does not work in ca.crt, nor in the client .crt file, nor in client.key. I found no place for this certificate.

Maybe I'm just too stupid to put the certificates in the right files, but I have 3 certificates for 2 certificate files, so I have no idea what to do with the OpenVPN tls-crypt-v2 client key, which also does not work as client.key.

Also there is the fact that all port scans show that port 1194 is closed, which confuses me, because if it's closed nothing should get through to the OpenVPN server.

The screenshot of the port 1194 firewall rule in LuCI:

A packet came in but the server was unable to decrypt its outer encryption (the TLS shared key). You have to install the TLS key properly. It can be in a separate file or embedded in the .ovpn file. It can't be part of a certificate file, this encryption is different from the certificate system.

2 Likes

Does it have to be installed as a root certificate on the client side?

It's not a certificate at all, it's simply a random number that is used as a key. The server and the client(s) have to have the same key.

This is an optional extra encryption step which isn't that critical to overall security. Mostly it protects against brute-force attempts by someone who doesn't have the TLS key.

This raises the question of what to do with this certificate.
The network manager has no option to import it, neither in Linux mint (Ubuntu) nor on MX Linux (Debian stable).
Is there no guide or something on how to set up a connection with OpenVPN and the TLS key using one of the biggest Linux distributions?
I find it good to add a security layer, but it seems to come at the cost that no one can use it...

I now used a tip from Ask Ubuntu and saved the TLS key into a separate file and added "tls-auth ta.key 1" to the .ovpn file before import.
I can import it with these settings, but it still does not work.
This results in absolutely nothing in the OpenVPN log, so the network manager on MX and also Mint can't handle it.

Maybe I should set up WireGuard...
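The replies above make the point that the tls-crypt-v2 client key is a separate symmetric key with its own directive, not a certificate, so an extraction script must write it to its own file and reference it with `tls-crypt-v2 <file>` rather than `tls-auth` or a `.crt`. The script below is an added example written for this thread, not the poster's script and not part of any OpenWrt guide. It splits an inline `.ovpn` into separate files and rewrites the config with file directives; the `.ovpn` text it processes is a constructed sample with placeholder PEM bodies, the output file names are my own choice, and it writes into a temporary directory.

```python
import re
import tempfile
from pathlib import Path

# Inline block tag -> (file name to write, directive that references it).
# The tls-crypt-v2 client key is a symmetric key with its own directive; it is
# not a certificate and must not be pasted into ca.crt, client.crt or client.key.
# File names here are this example's choice, not an OpenVPN convention.
INLINE_BLOCKS = {
    "ca": ("ca.crt", "ca {path}"),
    "cert": ("client.crt", "cert {path}"),
    "key": ("client.key", "key {path}"),
    "tls-crypt-v2": ("tls-crypt-v2.key", "tls-crypt-v2 {path}"),
    "tls-crypt": ("tls-crypt.key", "tls-crypt {path}"),
    # direction for tls-auth is taken from an existing "key-direction" line, if any
    "tls-auth": ("ta.key", "tls-auth {path}"),
    "dh": ("dh.pem", "dh {path}"),
}

# Matches "<tag>\n...\n</tag>" with the tags at line start; the body keeps its newlines.
BLOCK_RE = re.compile(r"^<(?P<tag>[\w-]+)>\n(?P<body>.*?)^</(?P=tag)>\n?", re.S | re.M)

# Constructed sample: a minimal client profile with placeholder PEM contents.
SAMPLE_OVPN = """client
dev tun
proto udp
remote vpn.example.invalid 1194
nobind
persist-key
persist-tun
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER-KEY
-----END PRIVATE KEY-----
</key>
<tls-crypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 client key-----
CONSTRUCTED-PLACEHOLDER-TC2
-----END OpenVPN tls-crypt-v2 client key-----
</tls-crypt-v2>
"""


def split_inline_ovpn(text):
    """Separate an .ovpn into (plain directives, {tag: PEM body}).

    Raises ValueError on an inline block this script does not know how to place,
    so nothing is silently dropped or left embedded.
    """
    blocks = {}

    def grab(match):
        tag = match.group("tag")
        if tag not in INLINE_BLOCKS:
            raise ValueError(f"unsupported inline block <{tag}>")
        blocks[tag] = match.group("body")
        return ""  # remove the block from the plain config text

    return BLOCK_RE.sub(grab, text), blocks


def externalize(text, out_dir):
    """Write each inline block to its own file and return the rewritten config."""
    remaining, blocks = split_inline_ovpn(text)
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    directives = []
    for tag, body in blocks.items():
        fname, template = INLINE_BLOCKS[tag]
        path = out_dir / fname
        path.write_text(body)
        path.chmod(0o600)  # private key material: owner-only
        # Paths containing spaces would need double quotes in an OpenVPN config.
        directives.append(template.format(path=path))
    config = remaining.rstrip("\n") + "\n" + "\n".join(directives) + "\n"
    (out_dir / "client.conf").write_text(config)
    return config, blocks


def run_demo():
    """Process the constructed sample into a fresh temporary directory."""
    out_dir = Path(tempfile.mkdtemp(prefix="ovpn-split-"))
    config, blocks = externalize(SAMPLE_OVPN, out_dir)
    return config, blocks, out_dir


if __name__ == "__main__":
    cfg, _, where = run_demo()
    print(f"files written to {where}\n{cfg}")
```

The rewritten `client.conf` ends with `ca`, `cert`, `key` and `tls-crypt-v2` lines pointing at the extracted files; a profile with `key-direction` and an inline `<tls-auth>` block keeps its existing direction line, which is why the `tls-auth` template adds none.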

WireGuard is structurally a lot easier, as long as your supplied routing rules are correct.

1 Like

The easy way: you can remove the tls-crypt-v2 option.

For example, this is my OpenVPN configuration.

server:

root@OpenWrt:~# cat /etc/openvpn/openvpn.conf 
user nobody
group nogroup
dev tun
port 1194
proto udp6
dh /etc/easy-rsa/pki/dh.pem
ca /etc/easy-rsa/pki/ca.crt
cert /etc/easy-rsa/pki/issued/server.crt
key /etc/easy-rsa/pki/private/server.key
server 192.168.20.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS 192.168.20.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
root@OpenWrt:~#

client:

root@OpenWrt:~# cat /etc/openvpn/test.ovpn 
user nobody
group nogroup
dev tun
nobind
client
remote here_is_ip_address 1194 udp
persist-key
persist-tun
ca /etc/easy-rsa/pki/ca.crt
cert /etc/easy-rsa/pki/issued/test.crt
key /etc/easy-rsa/pki/private/test.key
root@OpenWrt:~# 
1 Like

Your log screenshot indicates the client IP is private, so it is expected to fail.
Test the VPN connection from outside using a client with a public IP address.

The latest instruction is tested and works with NetworkManager @ Fedora 35.
If your distro is not compatible with TLS Crypt v2, use an earlier revision of the article.

Note that WireGuard is preferable for better performance and easier configuration.

@shenwii
THX for this, I will give it a try this week.
Just a short question.
I installed nano and checked the file, and mine is a little different because it has inline certificates.
It looks like:

user nobody
group nogroup
dev tun
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
-----BEGIN DH PARAMETERS-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END DH PARAMETERS-----
</dh>
<tls-crypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 server key-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END OpenVPN tls-crypt-v2 server key-----
</tls-crypt-v2>
<key>
-----BEGIN PRIVATE KEY-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
</ca>

So if I remove the OpenVPN tls-crypt-v2 server key from the config file, save it and restart the router, I should be able to connect without tls v2?

@vgaetera
I also tested from outside with a public IP from the 77.xx.xx.xx range and got the same results.
Then I suspected the "exposed host" function of the Fritz!Box cable router that sits in front of the OpenWrt to not be working, so I tried it from inside the LAN of the Fritz!Box that is connected to the WAN.
Debian & Ubuntu seem to not have an OpenVPN TLS implementation for their network manager; I did not even find a setup using the terminal.
Also the network manager GUI in both distros seems to have 10-year-old bugs.
Maybe sometime I'm ready for a distro like Fedora ;)

@mk24
Sorry for my harsh post, in this situation I was really upset.

1. Inline certificates and specifying the certificate file path are the same.
2. When you remove the OpenVPN tls-crypt-v2 server key from the config file, you should be able to connect to the server without tls v2.

1 Like