Openvpn tls-crypt unwrap error

Openvpn is a very hard work for me. Now I have found a mistake: it was with the clients in target network not the openwrt router as GW registered. Sorry for my stupid question and thanks for the persistent support!

I now have a routed VPN. Excellent!

But there are two more steps to take. (I will discuss a third later)

Point 1) I need several routed VPNs. My idea is to copy all entries in /etc/config/openvpn and make the following changes:

  1. the name
  2. option tls_crypt '/etc/openvpn/tc.psk'
  3. option ie '/etc/openvpn/dh.pem'
  4. option ca '/etc/openvpn/ca.crt'
  5. option cert '/etc/openvpn/my-server.crt'
  6. option key '/etc/openvpn/my-server.key'

Presumably, I must / may not change everything. Do not have to stay option ca? And how can I generate the new certificates and keys?

Point 2) If I'm on a network with a notebook that has the same address as my destination network, a routed VPN will not work. So I still need (several bridges VPN) how can I adjust it?

What are you planning to achieve?
Do you understand that single VPN-server instance with topology subnet can handle multiple clients?

Either resolve the conflict changing your IPv4-network, or use IPv6.

I would like to have several clients (three notebooks, two mobile phones) with different secrets (certificates or keys). If a secret is compromised, I can selectively block access without having to touch the other clients. In addition, you can see which device has built a VPN.

Unfortunately, I still do not understand openvpn in its depth.

if I'm in a foreign network guest (hotel) I can not influence the network address. IP6 is another foreign world for me (in addition to openvpn). What speaks against a bridged VPN? In addition, a bridged VPN may also become necessary for other reasons, e.g. for broadcasting.

--crl-verify crl ['dir']
Check peer certificate against the file crl in PEM format.
A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact.

In addition to @vgaetera's answer regarding using a CRL, I'd also recommend utilizing CCD (Client Configuration Directory)

To create a CRL:

openssl ca -gencrl -keyfile ca.key -cert ca.crt -out ca.crl.pem -config /etc/ssl/openssl.cnf

openssl crl -inform PEM -in ca.crl.pem -outform DER -out ca.crl
  • CA must have keyUsage = cRLSign

  • Ensure the following are contained within the openssl.cnf

    crldir                      = $dir/crl
    crlnumber                   = $crldir/crlnumber
    crl                         = $crldir/ca.crl
    default_crl_days            = 3650
    [ crl_ext ]
    issuerAltName               = issuer:copy
    authorityKeyIdentifier      = keyid:always, issuer:always
1 Like

The required luci-app-openvpn patches are now in 18.06 branch, too.

1 Like

how can I get it?
Before and After "opkg update" I have luci-app-openvpn git-18.247.71242-9541751-1 and I can't create a VPN.

Why are you wishing to utilize luci-app-openvpn to configure VPNs?

  • Utilizing SSH to directly edit /etc/config/openvpn is easier and far more efficient due to how convoluted luci-app-openvpn is.
1 Like

I hope the GUI guides me to set up a bridge VPN and several VPNs. For setting up with the console I miss the konwhow. It was very hard to get a simple standard VPN. But I'm afraid, the hard way over the console is not spared me anyway.

I am very grateful for the support but I do not understand much that was written here last. I'm still not clear what I need to do concrete to get to a bridge VPN or how I should do it, that I can define several keys for several notebooks.

I've read through the entire OpenVPN man page many times (takes ~45min) and OpenVPN's HowTo page (takes ~15min), and even I find using luci-app-openvpn convoluted for anything other than a status check from LuCI.

  • The luci-app-openvpn package is not going to make configuring a VPN easier for you, it's going to make it harder.

  • My recommendation to anyone configuring their own OpenVPN server has always been to take the hour it takes to actually read through the OpenVPN man page and HowTo, then begin configuring your server.
    • The answer to any question one could possibly have about OpenVPN is contained within those two documents, however, all too often, the majority of users don't want to take the time to actually read through them.

I would also recommend reading through the OpenVPN Comprehensive wiki, and especially reference the VPN Wikis section at the bottom of the wiki.

  • The only section that isn't accurate is the TLS-Auth section, which needs to be changed to TLS-Crypt and the key direction removed.
    • As mentioned in that wiki, you can run as many OpenVPN servers as you want from the /etc/config/openvpn config by separating each with a new line, or referencing each as a separate conf file.

  • SSL VPN Types:
    • A bridged VPN is a Layer 2 TAP configuration
      • Server essentially acts in the way a 2nd router would, if connected to the remote router's LAN ports, transparently routing traffic
    • A TUN configuration is Layer 3
      • Server essentially acts like a separate network interface

I have now read the documentation and found a lot of interesting stuff. But for my specific problem, it has helped me little.

To multiple routed VPN

In / etc / config / openvpn I have a section "config openvpn 'vpnserver'" with the corresponding options and lists. If I now copy the whole thing and a second time in the file entries, change the name "vpnserver" on "vpnserver2" and define other certificates and key data, I would have to get a second VPN.

Is that correct?

If so: Then I would just have to know how I can generate the certificates and key data. The ca.crt and possibly others probably remain the same for all VPNs.

To bridged VPN

In the docs I find only descriptions for routed VPN. Can someone send me an example configuration for server and client?

You can do this two ways:

Converting TUN into TAP:

Frankly speaking you are seeking problems on an empty place.
Topology subnet provides multiple client access and crl solves compromised key issues.
And possibility of IPv4 collision is too exaggerated, and anyway it can be solved with IPv6.
So the task you described requires neither multiple instances, nor bridging.

To multiple routed VPN:
If I set up a VPN and have two notebooks, I have to have the same certificates or keys on both laptops. For example, if the certificates or keys get stolen by a notebook to a third party, I must equip the other notebook with new certificates or keys. I want to avoid that. Additionally, I can not detect on the server which notebook has connected. If I can have several different client certificates or keys within a VPN, that would be optimal. But I have not come across any documentation that describes that and that I understand.

To bridged VPN
For example, if the same network address is used in a hotel wlan as in my home network then routed VPN does not work. To use IP6, I would have to tunnel IP6 through IP4 because neither my internet provider nor most hotel wlans offer IP6. Since I have no idea how to do that.

So far, I have not found a way to do without multiple VPNs. Therefore my question: Do I need a separate port for each VPN on the server (1194, 1195, 1196, ..)?

No, you can generate as many keys as you want and use them all for a single instance, one key per client.

No, you can do it using CCD.

There's no advantage using bridged configuration because it utilizes the same IPv4 private address space.

This should never be done. Each client should have their own PKI structure (certificate + key), and no two clients should ever utilize the same certificate and key, nor the same Common Name (CN)

  • Additionally, each client should have their key encrypted, and if using an Android device, the user must encrypt all keys, as Android has a non-customizable 771 permission structure for user land storage due to exFAT

  • The OpenSSL PKI wiki walks you through how to create keys for each individual client if you're not familiar enough with scripting to modify the script in the OpenVPN Basic wiki.

Utilize a different subnet for your LAN, which is recommended by many due to most keeping the default subnet.

  • If wishing to utilize the same IP block, an easy way to do this is to utilize a subnet mask in line with the amount of devices you have, allowing for free IPs for DHCP.
    • No home user will ever have a need for 252 IPs, so change the subnet to something besides /24 [] that's appropriate for your environment.
  • I always recommend using the Subnet Mask Cheat Sheet

Yes. Two servers cannot be configured to utilize the same listening port (at least not that I'm aware of).

In my research I have the problem that I come across again and again to contradictions. For example: here ( there is a script or program "build-key" that says openwrt does not exist. The same source has three certificates or keys on the client side. With openwrt, there are four. The more I read, the more confusing the whole thing becomes. But I do not want to give up, because only openvpn still stands against the productive use of openwrt.

To multiple routed VPN:
I now understand that I can have multiple client keys within a VPN instance.
I get another key set for a client like that
openssl ca -gencrl -keyfile ca.key -cert ca.crt -out ca.crl.pem -config /etc/ssl/openssl.cnf
openssl crl -inform PEM -in ca.crl.pem -outform DER -out ca.crl
Or do I break my root CA certificate of the first client?

To bridged VPN
I definitely need a bridged VPN, because I also want to send broadcast packets over VPN.
Here is the excerpt from / etc / config / openvpn
config openvpn 'test_bridge'
option verb '3'
option dev 'tap0'
option topology 'subnet'
option proto 'udp'
option port '1196'
option client_to_client '1'
option compress 'lzo'
option keepalive '10 120 '
option persist_tun '1'
option persist_key '1'
option tls_crypt '/etc/openvpn/tc.psk'
option ie '/etc/openvpn/dh.pem'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/my-server.crt'
option key '/etc/openvpn/my-server.key'
list push 'redirect-gateway def1'
list push 'route'
list push 'dhcp option DNS'
list push 'dhcp-option DNS'
list push 'compress lzo'
list push 'persist-do'
list push 'persist-key'
list push 'dhcp-option DOMAIN internal'
option enabled '1'
option server_bridge ''
I packed the tap0 interface into a bridge (LAN) together with eth0. Additionally there is the option server_bridge. What has to go in there? With me that is: = IP of the router = netmask and are free addresses
From the client I can only ping the but not ather adresses.

That's a command from Easy-RSA utility:

No, those commands are used to generate CRL and convert it to DER format.

Now the confusion is a little bigger. There is no script or program "build-key" under these links. Instead, it is described here to install a further package and to execute a series of kommados. Maybe this will create a new CA (and override the existing one), maybe not. The confusion is a little bigger now.
Is there an openssl command that creates the new keys for other clients based on the existing root certificate?