OpenVPN server - TLS key failed to occur within 60 secs

If I temporarily add the old server config, that one starts/stops/restarts as expected.

This is the error log for the new server config:

root@LEDE:~# /etc/init.d/openvpn restart ; sleep 2 ; cat /tmp/openvpn.log
Sat Feb  3 20:58:00 2018 us=193934 OpenVPN 2.4.3 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Feb  3 20:58:00 2018 us=194014 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Sat Feb  3 20:58:00 2018 us=194817 Diffie-Hellman initialized with 2048 bit key
Sat Feb  3 20:58:00 2018 us=196108 TLS-Auth MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Sat Feb  3 20:58:00 2018 us=199740 TUN/TAP device ovpns0 opened
Sat Feb  3 20:58:00 2018 us=199825 TUN/TAP TX queue length set to 100
Sat Feb  3 20:58:00 2018 us=199878 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Feb  3 20:58:00 2018 us=199949 /sbin/ifconfig ovpns0 192.168.200.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.200.255
Sat Feb  3 20:58:00 2018 us=203251 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Sat Feb  3 20:58:00 2018 us=203340 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Feb  3 20:58:00 2018 us=203396 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sat Feb  3 20:58:00 2018 us=203448 Listening for incoming TCP connection on [AF_INET][undef]:1194
Sat Feb  3 20:58:00 2018 us=203496 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
Sat Feb  3 20:58:00 2018 us=203534 TCPv4_SERVER link remote: [AF_UNSPEC]
Sat Feb  3 20:58:00 2018 us=203575 MULTI: multi_init called, r=256 v=256
Sat Feb  3 20:58:00 2018 us=203644 IFCONFIG POOL: base=192.168.200.2 size=252, ipv6=0
Sat Feb  3 20:58:00 2018 us=203715 MULTI: TCP INIT maxclients=1024 maxevents=1028
Sat Feb  3 20:58:00 2018 us=203806 Initialization Sequence Completed
Sat Feb  3 20:58:00 2018 us=203952  read from TUN/TAP returned 76
Sat Feb  3 20:58:00 2018 us=222001  read from TUN/TAP returned 76
Sat Feb  3 20:58:00 2018 us=491861  read from TUN/TAP returned 76
Sat Feb  3 20:58:00 2018 us=531872  read from TUN/TAP returned 76
Sat Feb  3 21:01:44 2018 us=96693 TCP/UDP: Closing socket
Sat Feb  3 21:01:44 2018 us=96829 Closing TUN/TAP interface
Sat Feb  3 21:01:44 2018 us=96881 /sbin/ifconfig ovpns0 0.0.0.0
Sat Feb  3 21:01:44 2018 us=141946 SIGTERM[hard,] received, process exiting
only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap

You're not using the config I posted, or the copy and paste went awry... please post /etc/config/openvpn

I create and edit these files with WinSCP if that makes any difference. All I did was copy and paste the config you posted earlier to the location.

This is the current /etc/config/openvpn I have just extracted:

config openvpn 'VPNserver'
    option  enabled             1

    # Protocol #
#------------------------------------------------
    option  dev                 'tun'
    option  dev                 'tun0'
    option  topology            'subnet'
    option  proto               'tcp'
    option  port                'ovpns0'

    # Routes #
#------------------------------------------------
    option  server              '192.168.200.0 255.255.255.0'
    option  ifconfig            '192.168.200.1 255.255.255.0'
    option  route_gateway       'dhcp'

    # Client Config #
#------------------------------------------------
    #   option  ccd_exclusive           1
    #   option  ifconfig_pool_persist   '/etc/openvpn/clients/ipp.txt'
    #   option  client_config_dir       '/etc/openvpn/clients/'

    # Pushed Routes #
#------------------------------------------------
    list    push                'route 192.168.1.0 255.255.255.0'
    list    push                'dhcp-option    DNS 192.168.1.1'
    list    push                'dhcp-option    WINS 192.168.1.1'
    list    push                'dhcp-option    DNS 208.67.222.123'
    list    push                'dhcp-option    DNS 208.67.220.123'
    list    push                'dhcp-option    NTP 129.6.15.30'

    # Pushed Gateways #
#------------------------------------------------
    list    push                'route-gateway    dhcp'
    list    push                'redirect-gateway def1'

    # Encryption #
#------------------------------------------------
    # Diffie-Hellman:
    option  dh                  '/etc/openvpn/dh2048.pem'

    # PKCS12:
    #   option  pkcs12             '/etc/openvpn/my-server.p12'

    # SSL:
    option  cipher              AES-256-CBC
    option  auth                'SHA256'
    option  tls_auth            '/etc/openvpn/tls-auth.key 0'

    # TLS:
    option  tls_server          1
    option  tls_version_min     1.2
    option  tls_cipher          'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4:!kRSA'

    # X509:
    option  ca                  '/etc/openvpn/ca.crt'
    option  cert                '/etc/openvpn/my-server.crt'
    option  key                 '/etc/openvpn/my-server.key'

    # Logging #
#------------------------------------------------
    option  log_append          '/tmp/openvpn.log'
    option  status              '/tmp/openvpn-status.log'
    option  verb                5

    # Connection Options #
#------------------------------------------------
    option  keepalive           '10 120'
    option  comp_lzo            'yes'

    # Connection Reliability #
#------------------------------------------------
    option  client_to_client    1
    option  persist_key         1
    option  persist_tun         1

    # Connection Speed #
#------------------------------------------------
    option  sndbuf              393216
    option  rcvbuf              393216
    option  fragment            0
    option  mssfix              0
    option  tun_mtu             48000

    # Pushed Buffers #
#------------------------------------------------
    list    push                'sndbuf 393216'
    list    push                'rcvbuf 393216'

    # Permissions #
#------------------------------------------------
    option  user                'nobody'
    option  group               'nogroup'

My bad, I mistyped a setting, and it doesn't look like you caught it when you double-checked if I ported everything over correctly.

Change:

  • option dev 'tun0' to option dev 'ovpns0'
  • option port 'ovpns0' to option port 1194

Please verify if all the parameters, especially the network IPs, match your environment.

  • 192.168.1.0/24 subnet
  • 192.168.200.0/24 subnet

I also updated my post with the configs

Are those network addresses not just the ones that will be assigned for the VPN server/client? Therefore independent of my internal LAN addresses (my internal LAN is a 10.x.x.x range).

After making the changes, restarting vpn from command line, this is the openvpn.log:

Sat Feb  3 20:58:00 2018 us=193934 OpenVPN 2.4.3 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Feb  3 20:58:00 2018 us=194014 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Sat Feb  3 20:58:00 2018 us=194817 Diffie-Hellman initialized with 2048 bit key
Sat Feb  3 20:58:00 2018 us=196108 TLS-Auth MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Sat Feb  3 20:58:00 2018 us=199740 TUN/TAP device ovpns0 opened
Sat Feb  3 20:58:00 2018 us=199825 TUN/TAP TX queue length set to 100
Sat Feb  3 20:58:00 2018 us=199878 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Feb  3 20:58:00 2018 us=199949 /sbin/ifconfig ovpns0 192.168.200.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.200.255
Sat Feb  3 20:58:00 2018 us=203251 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Sat Feb  3 20:58:00 2018 us=203340 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Feb  3 20:58:00 2018 us=203396 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sat Feb  3 20:58:00 2018 us=203448 Listening for incoming TCP connection on [AF_INET][undef]:1194
Sat Feb  3 20:58:00 2018 us=203496 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
Sat Feb  3 20:58:00 2018 us=203534 TCPv4_SERVER link remote: [AF_UNSPEC]
Sat Feb  3 20:58:00 2018 us=203575 MULTI: multi_init called, r=256 v=256
Sat Feb  3 20:58:00 2018 us=203644 IFCONFIG POOL: base=192.168.200.2 size=252, ipv6=0
Sat Feb  3 20:58:00 2018 us=203715 MULTI: TCP INIT maxclients=1024 maxevents=1028
Sat Feb  3 20:58:00 2018 us=203806 Initialization Sequence Completed
Sat Feb  3 20:58:00 2018 us=203952  read from TUN/TAP returned 76
Sat Feb  3 20:58:00 2018 us=222001  read from TUN/TAP returned 76
Sat Feb  3 20:58:00 2018 us=491861  read from TUN/TAP returned 76
Sat Feb  3 20:58:00 2018 us=531872  read from TUN/TAP returned 76
Sat Feb  3 21:01:44 2018 us=96693 TCP/UDP: Closing socket
Sat Feb  3 21:01:44 2018 us=96829 Closing TUN/TAP interface
Sat Feb  3 21:01:44 2018 us=96881 /sbin/ifconfig ovpns0 0.0.0.0
Sat Feb  3 21:01:44 2018 us=141946 SIGTERM[hard,] received, process exiting
only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.

Something isn't right with your config encoding or EOLs, or gateway redirect is improperly configured, as this is what the log should resemble, and should generate "No valid translation" errors for the TLS ciphers I disabled:

[root@LEDE] ~ # /etc/init.d/openvpn restart ; sleep 2 ; cat /tmp/vpnsec-server.log
Sat Feb  3 15:26:04 2018 us=606624 OpenVPN 2.4.4 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Feb  3 15:26:04 2018 us=606910 library versions: OpenSSL 1.0.2n  7 Dec 2017, LZO 2.10
Sat Feb  3 15:26:04 2018 us=609137 Diffie-Hellman initialized with 2048 bit key
Sat Feb  3 15:26:04 2018 us=609396 No valid translation found for TLS cipher '!aNULL'
Sat Feb  3 15:26:04 2018 us=609545 No valid translation found for TLS cipher '!eNULL'
Sat Feb  3 15:26:04 2018 us=609715 No valid translation found for TLS cipher '!3DES'
Sat Feb  3 15:26:04 2018 us=609850 No valid translation found for TLS cipher '!MD5'
Sat Feb  3 15:26:04 2018 us=609987 No valid translation found for TLS cipher '!SHA'
Sat Feb  3 15:26:04 2018 us=610154 No valid translation found for TLS cipher '!PSK'
Sat Feb  3 15:26:04 2018 us=610321 No valid translation found for TLS cipher '!DSS'
Sat Feb  3 15:26:04 2018 us=610463 No valid translation found for TLS cipher '!RC4'
Sat Feb  3 15:26:04 2018 us=657073 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Feb  3 15:26:04 2018 us=657230 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Feb  3 15:26:04 2018 us=657368 TLS-Auth MTU parms [ L:48122 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Sat Feb  3 15:26:04 2018 us=683084 TUN/TAP device tun1 opened
Sat Feb  3 15:26:04 2018 us=683263 TUN/TAP TX queue length set to 100
Sat Feb  3 15:26:04 2018 us=683440 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Feb  3 15:26:04 2018 us=683907 /sbin/ifconfig tun1 10.10.3.1 netmask 255.255.255.248 mtu 48000 broadcast 10.10.3.7
Sat Feb  3 15:26:04 2018 us=697828 Data Channel MTU parms [ L:48122 D:48122 EF:122 EB:8156 ET:0 EL:3 ]
Sat Feb  3 15:26:04 2018 us=698162 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Feb  3 15:26:04 2018 us=698321 Socket Buffers: R=[163840->327680] S=[163840->327680]
Sat Feb  3 15:26:04 2018 us=698503 UDPv4 link local (bound): [AF_INET][undef]:50950
Sat Feb  3 15:26:04 2018 us=698632 UDPv4 link remote: [AF_UNSPEC]
Sat Feb  3 15:26:04 2018 us=698754 GID set to nogroup
Sat Feb  3 15:26:04 2018 us=698882 UID set to nobody
Sat Feb  3 15:26:04 2018 us=699006 MULTI: multi_init called, r=256 v=256
Sat Feb  3 15:26:04 2018 us=699173 IFCONFIG POOL: base=10.10.3.2 size=4, ipv6=0
Sat Feb  3 15:26:04 2018 us=699321 IFCONFIG POOL LIST
Sat Feb  3 15:26:04 2018 us=700163 Initialization Sequence Completed

In order to narrow down the issue, please disable the 3 options for gateway redirect:

    #option  route_gateway       'dhcp'
    #list    push                'route-gateway    dhcp'
    #list    push                'redirect-gateway def1'

then issue:
cd /etc/config ; mv openvpn openvpn.bak ; cat openvpn.bak > openvpn ; /etc/init.d/openvpn restart ; sleep 2 ; cat /tmp/openvpn.log


  • option server '192.168.200.0 255.255.255.0': OpenVPN subnet
  • option ifconfig '192.168.200.1 255.255.255.0': OpenVPN server IP
  • list push 'route 192.168.1.0 255.255.255.0': LAN or other network subnet you want accessible to clients
  • list push 'dhcp-option DNS 192.168.1.1': DNS Server for clients accessing LAN or other network subnet
  • list push 'dhcp-option WINS 192.168.1.1': Windows clients sometimes need a WINS address specified, of which will always be the DNS server IP for the LAN or other network subnet

Please also post your network config: /etc/config/network
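
A pre-restart check for the mistakes this thread runs into (an `option` set twice, a non-numeric `port`, CRLF line endings from a Windows editor), as an added example that is not part of any post. `lint_openvpn_uci` and `sample_config` are hypothetical names; the `dev_type` check relies on OpenVPN's documented rule that a device name not beginning with `tun` or `tap` needs `--dev-type`.

```sh
#!/bin/sh
# Added example: lint an OpenVPN UCI file (e.g. /etc/config/openvpn).
# Reads the file named in $1, or stdin; prints one finding per line.
lint_openvpn_uci() {
    awk -v q="'" '
    BEGIN { quotes = "^[\"" q "]|[\"" q "]$" }   # leading/trailing quote
    function flush(   p) {
        if (sec == "") return
        if ("port" in val) {
            p = val["port"]
            if (p !~ /^[0-9]+$/ || p + 0 < 1 || p + 0 > 65535)
                print sec ": port \"" p "\" is not a number in 1-65535"
        }
        # OpenVPN infers tun/tap from the device name prefix; any other
        # name needs an explicit dev_type (see --dev-type in the manual).
        if (("server" in val) && ("dev" in val) && !("dev_type" in val) \
            && val["dev"] !~ /^(tun|tap)/)
            print sec ": dev \"" val["dev"] "\" has no tun/tap prefix and no dev_type is set"
        if (("server" in val) && !("dev" in val))
            print sec ": server is set but there is no option dev"
        split("", val); split("", seen)          # portable array reset
    }
    /\r$/ { crlf++; sub(/\r$/, "") }             # count and strip CR
    { sub(/^[ \t]+/, "") }
    /^#/ || /^$/ { next }
    $1 == "config" {
        flush()
        sec = $3; gsub(q, "", sec)
        if (sec == "") sec = $2
        next
    }
    $1 == "option" {
        name = $2
        v = $0
        sub(/^option[ \t]+[^ \t]+[ \t]*/, "", v)
        gsub(quotes, "", v)
        if (seen[name]++)
            print sec ": option " name " set more than once (\"" val[name] "\" then \"" v "\")"
        val[name] = v
    }
    END {
        flush()
        if (crlf) print "file: " crlf " line(s) end in CRLF"
    }' "$@"
}

# Constructed sample: the Protocol/Routes options from the config posted
# earlier in the thread, plus one CRLF-terminated line to mimic a file
# saved with Windows line endings.
sample_config() {
    printf '%s\n' \
        "config openvpn 'VPNserver'" \
        "    option  dev       'tun'" \
        "    option  dev       'tun0'" \
        "    option  proto     'tcp'" \
        "    option  port      'ovpns0'" \
        "    option  server    '192.168.200.0 255.255.255.0'"
    printf '%s\r\n' "    option  verb      5"
}

sample_config | lint_openvpn_uci
```

On the router, run it against the real file with `lint_openvpn_uci /etc/config/openvpn` before restarting the service.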

This is the error log after disabling those three lines:

Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.
Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.

Yes, I cannot see an issue with the network IP addresses.

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd1d:9152:16f0::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.10.10.10'
	option _orig_ifname 'eth0.1 radio0.network1 radio1.network1'
	option _orig_bridge 'true'
	option dns '8.8.8.8'
	option ifname 'eth0 eth0.1'

config interface 'wan'
	option ifname 'eth1.2'
	option _orig_ifname 'eth1.2'
	option _orig_bridge 'false'
	option proto 'static'
	option ipaddr '172.16.0.2'
	option netmask '255.255.255.0'
	option gateway '172.16.0.1'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'
	option vid '2'

config interface 'Guest'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option dns '8.8.8.8'

config interface 'vpnserver'
	option proto 'none'
	option ifname 'ovpns0'
	option auto '1'

There is no server directive, as that error refers to option mode 'server', of which is not needed and is not in my config...

At this point, I'd recommend following a known working wiki, else @stangri needs to troubleshoot since it's his wiki you followed, and is a wiki he still has not fixed.

Ok, thanks for your help.

The guide that I did use just seemed easier (not knowing whether it works or not), so followed that. I'll restore back to a backed up config with just my basic network running and follow the guide you linked.

Why did you leave the 192.168.1.0/24 subnet in your server config... this needs to be changed to your LAN subnet

    list    push                'route 10.10.10.0 255.255.255.0'
    list    push                'dhcp-option    DNS 10.10.10.1'
    list    push                'dhcp-option    WINS 10.10.10.1'

Try the following:

  • /etc/config/network
    config interface 'vpnserver'
        option  ifname           'ovpns0'
        option  proto            'static'
        option  ipaddr           192.168.200.1
        option  netmask          255.255.255.0
        option  broadcast        192.168.200.255
        option  dns              '208.67.222.222 208.67.220.220'
        option  delegate         0
    

  • /etc/config/dhcp
    config dhcp 'vpnserver'
        option  interface        'vpnserver'
        option  leasetime        '24h'
        option  start            2
        option  limit            253
        option  force            1
    

  • /etc/config/firewall
    config zone
        option  name             'vpnserver'
        option  network          'vpnserver'
        option  input            'ACCEPT'
        option  output           'ACCEPT'
        option  forward          'ACCEPT'
    
    config rule
        option  target           'ACCEPT'
        option  family           'ipv4'
        option  proto            'tcp udp'
        option  src              *
        option  dest_port        1194
        option  name             'Allow Forwarded OpenVPN Request -> Router'
    
    config rule
        option  target           'ACCEPT'
        option  family           'ipv4'
        option  proto            'tcp udp'
        option  src              'vpnserver'
        option  src_ip           '192.168.200.0/24'
        option  dest_ip          '10.10.10.0/24'
        option  name             'Allow OpenVPN -> LAN'
    
    config rule
        option  target           'ACCEPT'
        option  family           'ipv4'
        option  proto            'tcp udp'
        option  src              'vpnserver'
        option  dest             *
        option  name             'Allow Forwarded OpenVPN -> Router'
    
    config rule
        option  target           'ACCEPT'
        option  family           'ipv4'
        option  proto            'icmp'
        option  src              'vpnserver'
        option  src_ip           '192.168.200.0/24'
        option  dest             'lan'
        option  name             'Allow OpenVPN (ICMP) -> LAN'
    
    config rule
        option  target           'ACCEPT'
        option  family           'ipv4'
        option  proto            'icmp'
        list    icmp_type        'echo-request'
        option  src              'vpnserver'
        option  src_ip           '10.10.30.0/29'
        option  dest             'wan'
        option  name             'Allow OpenVPN (echo-request) -> WAN'
    
    config forwarding
        option  dest             'lan'
        option  src              'vpnserver'
     
    config forwarding
        option  dest             'wan'
        option  src              'vpnserver'
    

Now issue the following:
cd /etc/init.d ; ./network restart ; ./dnsmasq restart ; ./odhcpd restart ; ./firewall restart ; ./openvpn restart ; sleep 2 ; cat /tmp/openvpn.log

  • If this doesn't resolve your issue, reboot, then check /tmp/openvpn.log, as the above is from a known working configuration. The only other thing that plays into this are the SSL certs.

Is that the actual file or did you truncate the ca certificate, the client certificate and the key?

Sorry for the late reply. JW: Unfortunately I had already reverted to a backup config before your last reply. Given that the guide I followed is not yours, I'm not sure if it is worth getting the config back to this stage or try out your guide.

Yes, the certs and keys were truncated before posting on here.

I've sent you a PM which might help.

PS. I've modified the guide to include the use of tls-auth.key both on server and client.

It doesn't matter which guide you follow, as the issues you were having, while initially due to information missing in the wiki you followed, were due to something in your environment, or user error, of which I mentioned above. You were getting log output impossible to get if your openvpn server was utilizing the config I posted, as a known bug has existed in OpenVPN for years that causes disabled ciphers to barf an error in the logfile:

No valid translation found for TLS cipher '!<disabled cipher>'

which is something not shown in your log file, hence the config I posted wasn't being loaded by your openvpn server. OpenVPN devs were made aware of this issue years ago and since it's purely aesthetic, it will not be addressed.

Additionally, your original config was still being loaded into the openvpn server due to this error

Options error: --server directive only makes sense with --dev tun or --dev tap
Use --help for more information.

as the server directive option mode server is not needed, and thereby not utilized in my configs, if:

  1. option tls_server 1 is utilized
    AND
  2. EKU server-auth is specified in the server cert and EKU client-auth in the client cert

That error was generated with your initial config due to

  • option dev_type 'tun', which should be option dev 'tun'

After looking at the config in your OP again, it's likely you were still specifying

config openvpn 'custom_config'
	option config '/etc/openvpn/my-vpn.conf'

in your server config, instead of moving that config to openvpn.bak and using only the output in config I

Just to update the thread, I'd like to thank everyone who replied, it has given me a slightly better understanding of how things work.

In the end, I re-setup @stangri's guide, with the minor changes he mentioned in his last post. I am glad to say this worked perfectly.

I am trying to follow the same guide that has been discussed here and made some good progress but am stuck. My server is failing to start and I don't know enough about LEDE to know what to look for to know what is wrong. I am basically to the same point Sh500 was at and the server is failing to start. Here is my log output I am getting while attempting to start the server:
Sun Feb 11 21:21:45 2018 us=919701 OpenVPN 2.4.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun Feb 11 21:21:45 2018 us=919892 library versions: OpenSSL 1.0.2n 7 Dec 2017, LZO 2.10
Sun Feb 11 21:21:45 2018 us=922472 Diffie-Hellman initialized with 2048 bit key
Sun Feb 11 21:21:45 2018 us=923001 No valid translation found for TLS cipher '!aNULL'
Sun Feb 11 21:21:45 2018 us=923322 No valid translation found for TLS cipher '!eNULL'
Sun Feb 11 21:21:45 2018 us=923693 No valid translation found for TLS cipher '!3DES'
Sun Feb 11 21:21:45 2018 us=923999 No valid translation found for TLS cipher '!MD5'
Sun Feb 11 21:21:45 2018 us=924309 No valid translation found for TLS cipher '!SHA'
Sun Feb 11 21:21:45 2018 us=924677 No valid translation found for TLS cipher '!PSK'
Sun Feb 11 21:21:45 2018 us=925047 No valid translation found for TLS cipher '!DSS'
Sun Feb 11 21:21:45 2018 us=925352 No valid translation found for TLS cipher '!RC4'
Sun Feb 11 21:21:45 2018 us=958444 neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Private Key Password:'. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Sun Feb 11 21:21:45 2018 us=958701 Exiting due to fatal error

Did you generate an encrypted server key (server keys must be generated with -nodes if using openssl to generate them)?