OpenVPN Server

Hi

I'm following the guide for a basic VPN server found here but I'm struggling at creating the client config file.

Typing the following commands into a SSH session

wget --no-check-certificate -O /tmp/create-ovpn.sh "https://openwrt.org/_export/code/docs/guide-user/services/vpn/openvpn/basic?codeblock=6"
sh -v -x /tmp/create-ovpn.sh

It downloads perfectly fine

--2019-01-24 23:17:33--  https://openwrt.org/_export/code/docs/guide-user/services/vpn/openvpn/basic?codeblock=6
Resolving openwrt.org... 139.59.209.225, 2a03:b0c0:3:d0::1af1:1
Connecting to openwrt.org|139.59.209.225|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]
Saving to: '/tmp/create-ovpn.sh'

/tmp/create-ovpn.sh     [ <=>                ]   1.46K  --.-KB/s    in 0s      

2019-01-24 23:17:33 (44.8 MB/s) - '/tmp/create-ovpn.sh' saved [1498]

The instructions say to copy the text on screen but I'm not sure how much of the long block of text I'm supposed to be copying.

Can someone suggest where I'm going wrong?

Many thanks

Will

Aren't they copied in /etc/openvpn/automatically?

It doesn't seem it.
Screenshot%20from%202019-01-25%2000-12-18

You can capture the script output to a file, and post it in the router's web server.

sh -v -x /tmp/create-ovpn.sh > /www/myclient.ovpn

Then on the client PC, type http://192.168.1.1/myclient.ovpn into the web browser, and it will be downloaded to your Downloads directory on the PC.
Be sure to erase the file from the router (rm /www/myclient.ovpn) after you have it copied, both for security reasons and to free up the space in your flash.

That is weird, I just tried it and it got created. Did you refresh the folder view?

root@xeli:~# ls /etc/openvpn/*.ovpn
/etc/openvpn/vpnclient.ovpn

Moreover you can verify that the script is creating it properly:

+ CLIENT_CONF=/etc/openvpn/vpnclient.ovpn
+ cat
+ read CLIENT_ID

# Setting permissions
chmod 600 "$VPN_DIR"/*.ovpn
+ chmod 600 /etc/openvpn/vpnclient.ovpn

# Showing generated .ovpn-files
head -v -n -0 "$VPN_DIR"/*.ovpn
+ head -v -n -0 /etc/openvpn/vpnclient.ovpn
==> /etc/openvpn/vpnclient.ovpn <==
verb 3
nobind
dev tun
client
remote xxx.xxx.xxx.xxx 1194 udp
fast-io
compress lzo
auth-nocache
remote-cert-tls server

The client file starts under the full-path name.

Don't! The script is producing too much output, not just the config.

sh -v -x /tmp/create-ovpn.sh

Typing

sh -v -x /tmp/create-ovpn.sh

Returns a message along the lines of

'The file or path cannot be found'. I'm not in front of my computer at the moment but it was along those lines. I will get back to you once I can establish a SSH session at home.

Better paste here the whole output after you run the command. I suspect that some folder is missing and needs to be created, but let's see what the error is exactly.

It seems you've rebooted the router and /tmp is clean now.
Download the script again using wget, then run it using sh.

# Generating .ovpn-files
grep -l -e "TLS Web Client Authentication" "$VPN_DIR"/*.crt \
| sed -e "s/^.*\///;s/\.[^.]*$//" \
| while read CLIENT_ID
do
CLIENT_CERT="$(openssl x509 -in "$VPN_DIR/$CLIENT_ID.crt")"
CLIENT_KEY="$(cat "$VPN_DIR/$CLIENT_ID.key")"
CLIENT_CONF="$VPN_DIR/$CLIENT_ID.ovpn"
cat << EOF > "$CLIENT_CONF"
verb 3
nobind
dev $CLIENT_DEV
client
remote $SERVER_ADDR $SERVER_PORT $SERVER_PROTO
fast-io
compress $CLIENT_COMPR
auth-nocache
remote-cert-tls server
<tls-crypt>
$TC_KEY
</tls-crypt>
<ca>
$CA_CERT
</ca>
<cert>
$CLIENT_CERT
</cert>
<key>
$CLIENT_KEY
</key>
EOF
done
+ grep -l -e 'TLS Web Client Authentication' /etc/openvpn/ca.crt /etc/openvpn/vpnclient.crt /etc/openvpn/vpnserver.crt
+ sed -e 's/^.*\///;s/\.[^.]*$//'
+ read CLIENT_ID

# Setting permissions
chmod 600 "$VPN_DIR"/*.ovpn
+ chmod 600 '/etc/openvpn/*.ovpn'
chmod: /etc/openvpn/*.ovpn: No such file or directory

# Showing generated .ovpn-files
head -v -n -0 "$VPN_DIR"/*.ovpn
+ head -v -n -0 '/etc/openvpn/*.ovpn'
head: /etc/openvpn/*.ovpn: No such file or directory

Currently create-certs.sh requires client key passphrase, otherwise client key isn't created properly.

Hi sorry for the long delay.

Am I better off running all three scripts again? I swear the first two scripts ran perfectly, but I may have overlooked it.

@vgaetera thank you for keeping that wiki page updated, however:

  1. Copy-pasting code from a web-page into terminal is easier than downloading the script. Also gives user more control over what to do/not do and ability to easier inspect the commands they're about to run.
  2. Removing comp_lzo actually hurts compatibility with older systems (imho not a single Chromebook supports lz4. Also, comp_lzo option was added back to openvpn in 18.06.2.

I also think so, actually those edits to hide code and use wget are not mine.
You can change it the way you see it should be, or I can do it later.

Which ones?
AFAIK, compression has never been mandatory option.

Option comp_lzo is deprecated, you should use compress instead, see OpenVPN manual:
https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/

There're several threads in the forum regarding compatibility issues with iPhone.
Take them into account if you want to enable compression by default.

1 Like

Ah, apologies then. Would be great if you brought it all back.

Ah, misunderstood what it meant -- because originally there was information on both lzo and lz4, I've had a wrong impression only lz4 was left. AFAIK Chromebooks (like all of them) do not support lz4 yet. If default now is no compression it may be the safest bet.

Provided compression setup here:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/extras#compression
However, in addition to compatibility issues, there are security implications:
https://community.openvpn.net/openvpn/wiki/VORACLE

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.