What should I specifically enter where?
I already tried
tls-crypt [path]\my-client.key (in the client config)
and got this error:
Key file ('[path]\my-client.key') can be a maximum of 2048 bytes
First, I get a connection now! In so far the problem is solved. Many Thanks!
But there are still some questions left:
At the client I get the following message:
WARNING: this configuration may cache passwords in memory - use the auth-nocache option to prevent this
I need several TUN and several TAP connections. How can I do that best?
I would like to be asked for a password in addition on the mobile device (client) when connecting. Can one configure that? The target is that not all the data you need to build the VPN is stored on the mobile device.
For info to the developers:
The script does not work with "sh -e -v -x /tmp/create-ovpn.sh". There was no ovpn file generated and on the screen came a large amount of garbage.
That's how it went
cd /tmp
chmod +x create-ovpn.sh
./create-ovpn.sh
The current IP, not a DDNS name was entered in the ovpn file (note: I have multiple DDNS).
That's not garbage, but information for debugging / troubleshooting.
I've updated the script in the guide; it should be more fault tolerant now.
I've added auth-nocache to the script to fix the warning message.
It depends on differences in firewall zone policies and whether you need to run those VPN-connections simultaneously or not.
In general case you need to change every vpnserver to vpnserverN at least, and run the scripts again.
Generally speaking, it's better to manage and configure OpenVPN via SSH, and not through LuCI, as the OpenVPN LuCI app is ridiculously convoluted and extremely inefficient to utilize. I always recommend installing it, but only utilizing it for a status check from LuCI.
luci-app-openvpn has been in need of a rewrite for years, as it really should either just have the most common options as check boxes, with a code box for any additional options, or just a code box with a link to the OpenVPN man page.
You'll encrypt the client key. If using an Android device, the client key must always be encrypted, as Android has a non-customizable 771 permission structure for its internal storage due to exFAT.
Thanks a lot for all the answers. Unfortunately, I have now lost a bit of the overview and will come back later to the other questions.
There is still a very fundamental problem. Although it is possible to set up the VPN and I can ping the router of the destination network, it is not possible to ping a client in the destination network.
Before the connection is established, ipconfig shows the following on the Windows client: IP 192.168.8.189/24, GW 192.168.8.1, after the connection is established the IP 192.168.200.2/24 but no further gateway is added.
My idea was that the password is stored on the server. This would mean that you can not build the VPN with the files on the client alone. Is that possible?
The not so good alternative I'm using so far is to encrypt the files on the client.
Restart the OpenVPN server: service openvpn restart
Disconnect, then connect, client
Disconnect must be utilized in lieu of the Reconnect button, as Reconnect will not load any changes made to the config since the initial connection.
Attempt to ping device in the destination network, and once the ping fails, please post:
Server Log: logread -l 50 -e openvpn
Client Log: Right click on OpenVPN tray icon → View Log
Ensure you remove your WAN IP, DDNS, and port number
OpenVPN can be configured to accept a user name and password for login, however I'm not entirely sure of how to configure OpenVPN to do so, and even with a username/password login, the client key should still be encrypted.
The only private portion of the client files is the client key, however the Basic wiki is using -nodes for the client key, which prevents the key from being encrypted. To encrypt a key that was created without encryption:
openssl rsa -aes256 -in my-client.key -out my-client.key
Once the new key is encrypted, open the key in a text editor (Notepad, Atom, etc.), copy the contents, then paste them into the client ovpn between <key> and </key>
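As an added example (not the guide's script or anything from this thread): a small POSIX shell helper that encrypts a key the way the reply above describes and refuses to inline a client key into the .ovpn unless the PEM is actually encrypted, which catches keys that were still generated with -nodes. The file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenWrt guide.
# A PEM private key is encrypted if it uses the PKCS#8
# "BEGIN ENCRYPTED PRIVATE KEY" header or, for a legacy
# "BEGIN RSA PRIVATE KEY" file, carries a "Proc-Type: 4,ENCRYPTED" line.
key_is_encrypted() {
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
            -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# encrypt_key IN OUT: re-write an unencrypted key with a passphrase
# (same openssl command as in the reply above, with an explicit cipher).
encrypt_key() {
    openssl rsa -aes256 -in "$1" -out "$2"
}

# inline_key OVPN KEYFILE: append the key between <key> and </key>,
# but only if it is encrypted and the profile has no inline key yet.
inline_key() {
    ovpn="$1"; keyfile="$2"
    key_is_encrypted "$keyfile" || {
        echo "refusing: $keyfile is not encrypted" >&2; return 1; }
    grep -q '^<key>' "$ovpn" && {
        echo "refusing: $ovpn already has an inline key" >&2; return 1; }
    { echo '<key>'; cat "$keyfile"; echo '</key>'; } >> "$ovpn"
}
```

Typical use: `encrypt_key my-client.key my-client.enc.key && inline_key my-client.ovpn my-client.enc.key`.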
OpenVPN is very hard work for me. Now I have found a mistake: on the clients in the target network, the OpenWrt router was not registered as the gateway. Sorry for my stupid question and thanks for the persistent support!
I now have a routed VPN. Excellent!
But there are two more steps to take. (I will discuss a third later)
Point 1) I need several routed VPNs. My idea is to copy all entries in /etc/config/openvpn and make the following changes:
the name
option tls_crypt '/etc/openvpn/tc.psk'
option dh '/etc/openvpn/dh.pem'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/my-server.crt'
option key '/etc/openvpn/my-server.key'
Presumably I must not / may not change everything. Doesn't option ca have to stay? And how can I generate the new certificates and keys?
Point 2) If I'm on a network with a notebook that has the same address as my destination network, a routed VPN will not work. So I still need several bridged VPNs; how can I adjust it?
I would like to have several clients (three notebooks, two mobile phones) with different secrets (certificates or keys). If a secret is compromised, I can selectively block access without having to touch the other clients. In addition, you can see which device has built a VPN.
Unfortunately, I still do not understand openvpn in its depth.
If I'm a guest in a foreign network (hotel), I cannot influence the network address. IPv6 is another foreign world for me (in addition to OpenVPN). What speaks against a bridged VPN? In addition, a bridged VPN may also become necessary for other reasons, e.g. for broadcasting.
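Returning to the multiple routed VPNs question (the vpnserverN advice earlier and the copied /etc/config/openvpn entries in Point 1): as an added example, not the guide's script, this POSIX shell function prints a UCI batch for an extra server instance. Assumptions of mine, not stated in the thread: instance N listens on UDP port 1194+N-1, uses device tun(N-1), hands out 192.168.(200+N-1).0/24, and gets its own server cert/key while the CA, DH and tls-crypt key stay shared; the firewall zone for each tun device still has to be handled separately.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenWrt guide).
# Each instance needs a distinct section name, port, tun device and
# subnet, otherwise the second server cannot bind or routes collide.

instance_port() { echo $((1194 + $1 - 1)); }        # assumed port scheme
instance_net()  { echo "192.168.$((200 + $1 - 1)).0"; }  # assumed subnets

# gen_instance_uci N: print "uci batch" lines for section vpnserverN.
gen_instance_uci() {
    n="$1"
    case "$n" in ''|*[!0-9]*|0)
        echo "usage: gen_instance_uci N (N >= 1)" >&2; return 1 ;;
    esac
    name="vpnserver$n"
    dev="tun$((n - 1))"
    port=$(instance_port "$n")
    net=$(instance_net "$n")
    cat <<EOF
set openvpn.$name=openvpn
set openvpn.$name.enabled=1
set openvpn.$name.dev=$dev
set openvpn.$name.proto=udp
set openvpn.$name.port=$port
set openvpn.$name.server='$net 255.255.255.0'
set openvpn.$name.tls_crypt=/etc/openvpn/tc.psk
set openvpn.$name.dh=/etc/openvpn/dh.pem
set openvpn.$name.ca=/etc/openvpn/ca.crt
set openvpn.$name.cert=/etc/openvpn/$name.crt
set openvpn.$name.key=/etc/openvpn/$name.key
commit openvpn
EOF
}
```

On the router this is applied with `gen_instance_uci 2 | uci batch`, after a server certificate and key for vpnserver2 have been issued by the same CA and placed at the paths printed above.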