Please help, whatever I do, I cannot get my VPN to start. It's an OpenVPN with PIA.
I followed this guide PIA published to a T, trying it multiple times.
but still, every time I hit start on the VPN... nothing.
Please OCR your picture.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
In addition, please show, after you have rebooted (again: redact keys etc.):
for ovpn in $(ls /etc/openvpn/*.ovpn);do echo $ovpn; cat $ovpn; echo;done
logread | grep openvpn
Here is this
root@openwrt:/# ubus call system board
{
"kernel": "6.8.12-1-pve",
"hostname": "openwrt",
"system": "Intel(R) Xeon(R) CPU E5-2420 0 @ 1.90GHz",
"model": "System",
"board_name": "System",
"rootfs_type": "ext4",
"release": {
"distribution": "OpenWrt",
"version": "23.05.4",
"revision": "r24012-d8dd03c46f",
"target": "x86/64",
"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
}
}
root@openwrt:/# cat /etc/config/network
config interface 'loopback'
option proto 'static'
option ipaddr '127.*.*.*'
option netmask '255.0.0.0'
option device 'lo'
config interface 'wan'
option proto 'dhcp'
option device 'eth0'
config interface 'wan6'
option proto 'dhcpv6'
option device 'eth0'
config interface 'lan'
option proto 'static'
option device 'eth1'
option ipaddr '10.*.*.*'
option netmask '255.255.255.0'
config interface 'PIA_VPN'
option proto 'none'
option device 'eth1'
root@openwrt:/# cat /etc/config/wireless
cat: can't open '/etc/config/wireless': No such file or directory
root@openwrt:/# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
root@openwrt:/# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'PIA_VPN'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option src 'wan'
option dest_port '80'
option proto 'tcp'
option target 'ACCEPT'
client
dev tun
proto udp
remote us-chicago.privacy.network 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
dhcp-option DNS 10.0.0.241
auth-user-pass /etc/openvpn/PIAChicago.auth
compress
verb 4
reneg-sec 0
<crl-verify>
-----BEGIN X509 CRL-----
-----END X509 CRL-----
</crl-verify>
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
disable-occ
After reboot, the log was empty, I selected start once and this was the result.
Thu Aug 22 10:07:37 2024 daemon.err uhttpd[971]: [info] luci: accepted login on /admin/vpn/openvpn/file/PIAChicago for root from 192.*.*.*
If I select enable on that instance, then save and apply, it will fail and not roll back; LuCI will become unresponsive unless I stop OpenVPN from the command line.
But the log becomes this
Thu Aug 22 10:07:37 2024 daemon.err uhttpd[971]: [info] luci: accepted login on /admin/vpn/openvpn/file/PIAChicago for root from 192.168.*.*
Thu Aug 22 10:09:37 2024 daemon.warn openvpn(PIAChicago)[2944]: DEPRECATED OPTION: --cipher set to 'aes-128-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'aes-128-cbc' to --data-ciphers or change --cipher 'aes-128-cbc' to --data-ciphers-fallback 'aes-128-cbc' to silence this warning.
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: OpenVPN 2.5.8 x86_64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: library versions: OpenSSL 3.0.14 4 Jun 2024, LZO 2.10
Thu Aug 22 10:09:37 2024 daemon.warn openvpn(PIAChicago)[2944]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: CRL: loaded 1 CRLs from file -----BEGIN X509 CRL-----
# (Redacted CRL content for brevity)
-----END X509 CRL-----
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: TCP/UDP: Preserving recently used remote address: [AF_INET]*.*.*.*:1198
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: UDP link local: (not bound)
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: UDP link remote: [AF_INET]*.*.*.*:1198
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: TLS: Initial packet from [AF_INET]*.*.*.*:1198, sid=1238accd 886bd2bb
Thu Aug 22 10:09:37 2024 daemon.warn openvpn(PIAChicago)[2944]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: VERIFY OK: depth=1, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: VERIFY KU OK
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: Validating certificate extended key usage
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: VERIFY EKU OK
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=chicago411, name=chicago411
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA512
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: [chicago411] Peer Connection Initiated with [AF_INET]*.*.*.*:1198
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway def1,route-ipv6 2000::/3,dhcp-option DNS 10.*.*.*,route-gateway 10.*.*.*,topology subnet,ping 10,ping-restart 60,ifconfig 10.*.*.* 255.255.255.0,peer-id 7,cipher AES-128-GCM'
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: OPTIONS IMPORT: timers and/or timeouts modified
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: OPTIONS IMPORT: compression parms modified
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: OPTIONS IMPORT: --ifconfig/up options modified
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: OPTIONS IMPORT: route options modified
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: OPTIONS IMPORT: route-related options modified
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: OPTIONS IMPORT: peer-id set
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: OPTIONS IMPORT: adjusting link_mtu to 1625
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: OPTIONS IMPORT: data channel crypto options modified
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: Data Channel: using negotiated cipher 'AES-128-GCM'
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: Data Channel MTU parms [ L:1553 D:1450 EF:53 EB:406 ET:0 EL:3 ]
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: net_route_v4_best_gw query: dst 0.0.0.0
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: net_route_v4_best_gw result: via 192.168.*.* dev eth0
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: GDG6: remote_host_ipv6=n/a
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: net_route_v6_best_gw query: dst ::
Thu Aug 22 10:09:37 2024 daemon.warn openvpn(PIAChicago)[2944]: sitnl_send: rtnl: generic error (-101): Network unreachable
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: TUN/TAP device tun0 opened
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: do_ifconfig, ipv4=1, ipv6=0
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: net_iface_mtu_set: mtu 1500 for tun0
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: net_iface_up: set tun0 up
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: net_addr_v4_add: 10.../24 dev tun0
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: /usr/libexec/openvpn-hotplug up PIAChicago tun0 1500 1553 10... 255.255.255.0 init
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: net_route_v4_add: .../32 via 192.168.. dev [NULL] table 0 metric -1
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: net_route_v4_add: 0.0.0.0/1 via 10...* dev [NULL] table 0 metric -1
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: net_route_v4_add: 128.../1 via 10... dev [NULL] table 0 metric -1
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: WARNING: OpenVPN was configured to add an IPv6 route. However, no IPv6 has been configured for tun0, therefore the route installation may fail or may not work as expected.
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: add_route_ipv6(2000::/3 -> :: metric -1) dev tun0
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: net_route_v6_add: 2000::/3 via :: dev tun0 table 0 metric -1
Thu Aug 22 10:09:37 2024 daemon.notice openvpn(PIAChicago)[2944]: Initialization Sequence Completed
Thu Aug 22 10:12:24 2024 daemon.err openvpn(PIAChicago)[2944]: event_wait : Interrupted system call (code=4)
Thu Aug 22 10:12:24 2024 daemon.notice openvpn(PIAChicago)[2944]: TCP/UDP: Closing socket
Thu Aug 22 10:12:24 2024 daemon.notice openvpn(PIAChicago)[2944]: /usr/libexec/openvpn-hotplug route-pre-down PIAChicago tun0
Remove list network 'PIA_VPN' from the lan zone, and add list network 'PIA_VPN' to the wan zone:
Add this to the OpenVPN config:
pull-filter ignore "route-ipv6"
pull-filter ignore "ifconfig-ipv6"
block-ipv6
pull-filter ignore "redirect-gateway ipv6"
comp-lzo no
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-128-GCM:AES-256-CBC
Remove from the openvpn config:
compress
Reboot and test again, let's view:
cat /etc/config/firewall
for ovpn in $(ls /etc/openvpn/*.ovpn);do echo $ovpn; cat $ovpn; echo;done
logread | grep openvpn
Thanks for reviewing!
root@openwrt:/# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
list network 'PIA_VPN'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option src 'wan'
option dest_port '80'
option proto 'tcp'
option target 'ACCEPT'
root@openwrt:/# for ovpn in $(ls /etc/openvpn/*.ovpn);do echo $ovpn; cat $ovpn; echo;done
/etc/openvpn/PIAChicago.ovpn
client
dev tun
proto udp
remote us-chicago.privacy.network 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
pull-filter ignore "route-ipv6"
pull-filter ignore "ifconfig-ipv6"
block-ipv6
pull-filter ignore "redirect-gateway ipv6"
comp-lzo no
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-128-GCM:AES-256-CBC
dhcp-option DNS 10.0.0.241
auth-user-pass /etc/openvpn/PIAChicago.auth
verb 4
reneg-sec 0
<crl-verify>
-----BEGIN X509 CRL-----
-----END X509 CRL-----
</crl-verify>
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
disable-occ
root@openwrt:/# logread | grep openvpn
Thu Aug 22 15:02:00 2024 daemon.err uhttpd[979]: [info] luci: accepted login on /admin/vpn/openvpn/file/PIAChicago for root from 192.168.0.51
Thu Aug 22 15:02:50 2024 daemon.warn openvpn(PIAChicago)[2483]: DEPRECATED OPTION: --cipher set to 'aes-128-cbc' but missing in --data-ciphers (CHACHA20-POLY1305:AES-256-GCM:AES-128-GCM:AES-256-CBC). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'aes-128-cbc' to --data-ciphers or change --cipher 'aes-128-cbc' to --data-ciphers-fallback 'aes-128-cbc' to silence this warning.
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: OpenVPN 2.5.8 x86_64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: library versions: OpenSSL 3.0.14 4 Jun 2024, LZO 2.10
Thu Aug 22 15:02:50 2024 daemon.warn openvpn(PIAChicago)[2483]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: CRL: loaded 1 CRLs from file -----BEGIN X509 CRL----- MIICWDCCAUAwDQYJKoZIhvcNAQENBQAwgegxCzAJBgNVBAYTAlVTMQswCQYDVQQI EwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRl cm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAw HgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0 ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRl aW50ZXJuZXRhY2Nlc3MuY29tFw0xNjA3MDgxOTAwNDZaFw0zNjA3MDMxOTAwNDZa MCYwEQIBARcMMTYwNzA4MTkwMDQ2MBECAQYXDDE2MDcwODE5MDA0NjANBgkqhkiG 9w0BAQ0FAAOCAQEAQZo9X97ci8EcPYu/uK2HB152OZbeZCINmYyluLDOdcSvg6B5 jI+ffKN3laDvczsG6CxmY3jNyc79XVpEYUnq4rT3FfveW1+Ralf+Vf38HdpwB8EW B4hZlQ205+21CALLvZvR8HcPxC9KEnev1mU46wkTiov0EKc+EdRxkj5yMgv0V2Re ze7AP+NQ9ykvDScH4eYCsmufNpIjBLhpLE2cuZZXBLcPhuRzVoU3l7A9lvzG9mjA 5YijHJGHNjlWFqyrn1CfYS6koa4TGEPngBoAziWRbDGdhEgJABHrpoaFYaL61zqy MR6jC0K2ps9qyZAN74LEBedEfK7tBOzWMwr58A== -----END X509 CRL-----
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: TCP/UDP: Preserving recently used remote address: [AF_INET]181.*.*.*:1198
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: UDP link local: (not bound)
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: UDP link remote: [AF_INET]181.*.*.*:1198
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: TLS: Initial packet from [AF_INET]181.*.*.*:1198, sid=669b5ad7 3c5f2bd5
Thu Aug 22 15:02:50 2024 daemon.warn openvpn(PIAChicago)[2483]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: VERIFY OK: depth=1, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, emailAddress=secure@privateinternetaccess.com
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: VERIFY KU OK
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: Validating certificate extended key usage
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: VERIFY EKU OK
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=chicago419, name=chicago419
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA512
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: [chicago419] Peer Connection Initiated with [AF_INET]181.*.*.*:1198
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway def1,route-ipv6 2000::/3,dhcp-option DNS 10.0.0.243,route-gateway 10.*.*.*,topology subnet,ping 10,ping-restart 60,ifconfig 10.*.*.* 255.255.255.0,peer-id 3,cipher AES-128-GCM'
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: Pushed option removed by filter: 'route-ipv6 2000::/3'
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: OPTIONS IMPORT: timers and/or timeouts modified
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: OPTIONS IMPORT: compression parms modified
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: OPTIONS IMPORT: --ifconfig/up options modified
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: OPTIONS IMPORT: route options modified
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: OPTIONS IMPORT: route-related options modified
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: OPTIONS IMPORT: peer-id set
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: OPTIONS IMPORT: adjusting link_mtu to 1625
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: OPTIONS IMPORT: data channel crypto options modified
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: Data Channel: using negotiated cipher 'AES-128-GCM'
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: Data Channel MTU parms [ L:1553 D:1450 EF:53 EB:406 ET:0 EL:3 ]
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: net_route_v4_best_gw query: dst 0.0.0.0
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: net_route_v4_best_gw result: via 192.*.*.* dev eth0
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: TUN/TAP device tun0 opened
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: do_ifconfig, ipv4=1, ipv6=0
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: net_iface_mtu_set: mtu 1500 for tun0
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: net_iface_up: set tun0 up
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: net_addr_v4_add: 10.*.*.*/24 dev tun0
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: /usr/libexec/openvpn-hotplug up PIAChicago tun0 1500 1553 10.*.*.* 255.255.255.0 init
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: net_route_v4_add: 181.*.*.*/32 via 192.*.*.* dev [NULL] table 0 metric -1
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: net_route_v4_add: 0.0.0.0/1 via 10.*.*.* dev [NULL] table 0 metric -1
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: net_route_v4_add: 128.0.0.0/1 via 10.*.*.* dev [NULL] table 0 metric -1
Thu Aug 22 15:02:50 2024 daemon.notice openvpn(PIAChicago)[2483]: Initialization Sequence Completed
Thu Aug 22 15:04:20 2024 daemon.err openvpn(PIAChicago)[2483]: event_wait : Interrupted system call (code=4)
Thu Aug 22 15:04:20 2024 daemon.notice openvpn(PIAChicago)[2483]: TCP/UDP: Closing socket
Thu Aug 22 15:04:20 2024 daemon.notice openvpn(PIAChicago)[2483]: /usr/libexec/openvpn-hotplug route-pre-down PIAChicago tun0 1500 1553 10.*.*.* 255.255.255.0 init
Thu Aug 22 15:04:20 2024 daemon.notice openvpn(PIAChicago)[2483]: net_route_v4_del: 181.*.*.*/32 via 192.*.*.* dev [NULL] table 0 metric -1
Thu Aug 22 15:04:20 2024 daemon.notice openvpn(PIAChicago)[2483]: net_route_v4_del: 0.0.0.0/1 via 10.*.*.* dev [NULL] table 0 metric -1
Thu Aug 22 15:04:20 2024 daemon.notice openvpn(PIAChicago)[2483]: net_route_v4_del: 128.0.0.0/1 via 10.*.*.* dev [NULL] table 0 metric -1
Thu Aug 22 15:04:20 2024 daemon.notice openvpn(PIAChicago)[2483]: Closing TUN/TAP interface
Thu Aug 22 15:04:20 2024 daemon.notice openvpn(PIAChicago)[2483]: net_addr_v4_del: 10.*.*.* dev tun0
Thu Aug 22 15:04:20 2024 daemon.notice openvpn(PIAChicago)[2483]: /usr/libexec/openvpn-hotplug down PIAChicago tun0 1500 1553 10.*.*.* 255.255.255.0 init
Thu Aug 22 15:04:20 2024 daemon.notice openvpn(PIAChicago)[2483]: SIGTERM[hard,] received, process exiting
This strongly suggests that you're trying to use some kind of containerization, which does not work with OpenWrt. OpenWrt expects to be able to (un-)load its own kernel modules at will, and relies on a given set of sysctl configurations and on being able to make changes to the hardware configuration in various ways. While this does work on full system virtualization (kvm, qemu, virtualbox, proxmox, etc.), it does NOT work within a container (lxc, lxd, docker, etc.). Yes, you can make the web interface show up, maybe even get some partial functionality out of it, but there are huge gaps and quite serious security issues in trying to shoehorn it into a container.
It is indeed in a container per the video; he even specifies that it's created through the command line, as the template does not work.
Good catch from @slh, he pointed to the culprit of your problem. Your settings are OK, so I cannot do more.
Try running openwrt bare metal and you should have success.
I have installed OpenWrt as a VM in Proxmox, not in a container, and followed this guide once again, and no luck:
https://helpdesk.privateinternetaccess.com/guides/routers/lede/lede-21-02-3-openvpn-setup-from-config-file
root@OpenWrt:~# ubus call system board
{
"kernel": "5.15.162",
"hostname": "OpenWrt",
"system": "QEMU Virtual CPU version 2.5+",
"model": "QEMU Standard PC (i440FX + PIIX, 1996)",
"board_name": "qemu-standard-pc-i440fx-piix-1996",
"rootfs_type": "ext4",
"release": {
"distribution": "OpenWrt",
"version": "23.05.4",
"revision": "r24012-d8dd03c46f",
"target": "x86/64",
"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
}
}
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd3c:6a0b:9081::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option device 'eth1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'eth0'
option proto 'dhcp'
config interface 'wan6'
option device 'eth0'
option proto 'dhcpv6'
config interface 'PIA_VPN'
option proto 'none'
option device 'tun0'
root@OpenWrt:~# cat /etc/config/wireless
cat: can't open '/etc/config/wireless': No such file or directory
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'PIA_VPN'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
Read the system log to see if OpenVPN ever reached "Initialization Sequence Complete", which indicates a successful negotiation with the server and startup of the tun0 device. If this was not reached look for the error message. OpenVPN writes many useful messages to the system log to help diagnose a connection negotiation problem.
This is all I'm getting when I try to enable it, then save & apply; if I just hit start and check the log, nothing happens.
Wed Sep 4 17:04:59 2024 daemon.warn openvpn(PIACali)[3400]: Use --help for more information.
Wed Sep 4 17:05:16 2024 daemon.err openvpn(PIAChacogo)[4079]: Options error: Unrecognized option or missing or extra parameter(s) in PIAChacogo.ovpn:14: dhcp-options (2.5.8)
Wed Sep 4 17:05:16 2024 daemon.warn openvpn(PIAChacogo)[4079]: Use --help for more information.
Wed Sep 4 17:05:21 2024 daemon.err openvpn(PIAChacogo)[4177]: Options error: Unrecognized option or missing or extra parameter(s) in PIAChacogo.ovpn:14: dhcp-options (2.5.8)
Wed Sep 4 17:05:21 2024 daemon.warn openvpn(PIAChacogo)[4177]: Use --help for more information.
I had to remove this from the config, even though the tutorial was pretty certain about it:
dhcp-option DNS 10.0.0.241
dhcp-option DNS 10.0.0.243
Thanks for all your help!
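The profile lint and firewall-zone check below are an added example for this thread, not code from OpenWrt, OpenVPN or PIA, and they are meant to run on a workstation against a copy of the .ovpn and /etc/config/firewall rather than on the router. They reproduce what the logs above show: the "Options error: Unrecognized option ... dhcp-options" at line 14 of the profile, where dhcp-options is a misspelling of dhcp-option; the "DEPRECATED OPTION: --cipher ... missing in --data-ciphers" warning; and the "may cache passwords in memory" warning that auth-nocache silences. They also apply the profile changes from the reply earlier in the thread (drop compress; add the pull-filter, block-ipv6, comp-lzo no and data-ciphers lines) and check that PIA_VPN sits in the wan zone (masq on, input REJECT) rather than in lan, where the router's own services (LuCI, SSH, DNS) would accept connections from the provider's side of the tunnel and LAN traffic would enter the tunnel unmasqueraded with private source addresses. KNOWN_CLIENT_OPTIONS is a partial list and an assumption to extend for your own profile; the sample profile and firewall snippets are constructed to mirror the thread, with the CA body elided.

```python
"""Lint/repair helpers for an OpenVPN 2.5 client profile plus an OpenWrt firewall-zone check. Added
example for this thread, not code from OpenWrt, OpenVPN or PIA; the option list is partial and the
sample inputs are constructed (see comments)."""
import re
import shlex
from collections import namedtuple

Opt = namedtuple("Opt", "name args inline")  # inline=True for <tag>...</tag> blocks such as <ca>

# Partial list of OpenVPN 2.5 client options (assumption: extend for your profile). Anything else
# makes OpenVPN abort with "Options error: Unrecognized option", as the misspelt 'dhcp-options' did.
KNOWN_CLIENT_OPTIONS = {"client", "dev", "proto", "remote", "resolv-retry", "nobind", "persist-key",
    "persist-tun", "cipher", "auth", "tls-client", "remote-cert-tls", "pull-filter", "block-ipv6",
    "comp-lzo", "compress", "data-ciphers", "data-ciphers-fallback", "dhcp-option", "auth-user-pass",
    "auth-nocache", "verb", "reneg-sec", "disable-occ", "crl-verify", "ca", "up", "down"}
# Profile changes recommended in the reply above for OpenVPN 2.5.8 against PIA.
THREAD_FIX_ADD = [("pull-filter", ["ignore", "route-ipv6"]), ("pull-filter", ["ignore", "ifconfig-ipv6"]),
    ("block-ipv6", []), ("pull-filter", ["ignore", "redirect-gateway ipv6"]), ("comp-lzo", ["no"]),
    ("data-ciphers", ["CHACHA20-POLY1305:AES-256-GCM:AES-128-GCM:AES-256-CBC"])]

def parse_ovpn(text):
    """Parse a profile into Opt records, keeping order and inline <tag> blocks intact."""
    opts, lines = [], iter(text.splitlines())
    for line in map(str.strip, lines):
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and "/" not in line:  # <ca>, <crl-verify>, ...
            tag, body = line[1:-1], []
            for inner in lines:  # swallow everything up to the matching </tag>
                if inner.strip() == f"</{tag}>":
                    break
                body.append(inner.strip())
            opts.append(Opt(tag, ["\n".join(body)], True))
        else:  # shlex honours quoted args such as: pull-filter ignore "redirect-gateway ipv6"
            name, *args = shlex.split(line)
            opts.append(Opt(name, args, False))
    return opts

def render_ovpn(opts):
    """Serialise Opt records back to profile text (inverse of parse_ovpn)."""
    return "\n".join(f"<{o.name}>\n{o.args[0]}\n</{o.name}>" if o.inline
                     else shlex.join([o.name, *o.args]) for o in opts) + "\n"

def lint_ovpn(opts):
    """Findings that reproduce the failures and warnings seen in the thread's logs."""
    names = {o.name for o in opts}
    findings = [f"unknown option '{o.name}': OpenVPN aborts with 'Options error'"
                for o in opts if o.name not in KNOWN_CLIENT_OPTIONS]
    if "compress" in names:
        findings.append("'compress' is set but the server pushes 'comp-lzo no'; remove it")
    cipher = next((o.args[0].upper() for o in opts if o.name == "cipher"), None)
    dcs = next((o.args[0].upper().split(":") for o in opts if o.name == "data-ciphers"), None)
    if cipher and dcs and cipher not in dcs:
        findings.append(f"--cipher {cipher} missing from --data-ciphers (DEPRECATED OPTION warning)")
    if "auth-user-pass" in names and "auth-nocache" not in names:
        findings.append("auth-user-pass without auth-nocache: password stays cached in memory")
    return findings

def apply_thread_fix(opts):
    """Drop 'compress' and add the reply's options, placed before the first inline block."""
    kept = [o for o in opts if o.name != "compress"]
    new = [Opt(n, a, False) for n, a in THREAD_FIX_ADD if (n, a) not in [(o.name, o.args) for o in kept]]
    at = next((i for i, o in enumerate(kept) if o.inline), len(kept))
    return kept[:at] + new + kept[at:]

def vpn_zone_check(fw_text, iface="PIA_VPN"):
    """(zone, ok): ok only when the tunnel interface sits in a masquerading zone with input REJECT.
    Assumes uci's own single-quoted /etc/config/firewall layout, as in the pastes above."""
    for section in re.split(r"^config ", fw_text, flags=re.M)[1:]:
        if section.startswith("zone") and f"list network '{iface}'" in section:
            m = re.search(r"option name '([^']+)'", section)
            name = m.group(1) if m else "?"
            return name, "option masq '1'" in section and "option input 'REJECT'" in section
    return None, False

# Constructed sample profile mirroring the thread (CA body elided); 'dhcp-options' is the log's typo.
SAMPLE_OVPN = """\
client
cipher aes-128-cbc
dhcp-options DNS 10.0.0.241
auth-user-pass /etc/openvpn/PIAChicago.auth
compress
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
"""
# Constructed zones: PIA_VPN listed in lan (as first posted) versus moved to wan (as advised).
FIREWALL_BAD = """\
config zone
    option name 'lan'
    option input 'ACCEPT'
    list network 'lan'
    list network 'PIA_VPN'
config zone
    option name 'wan'
    option input 'REJECT'
    option masq '1'
    list network 'wan'
"""
FIREWALL_GOOD = FIREWALL_BAD.replace("    list network 'PIA_VPN'\n", "") + "    list network 'PIA_VPN'\n"
```

To use it on your own files, feed the profile text to parse_ovpn, print lint_ovpn on the result, and write render_ovpn(apply_thread_fix(...)) back to the .ovpn; pass the contents of /etc/config/firewall to vpn_zone_check. The fix function deliberately does not rename dhcp-options, so the lint keeps flagging it until the line is corrected (or removed) by hand, which is why the reply's changes alone did not cure the Options error in the last log above.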
That option is only valid in server mode, and it is what the server will push to a client as it connects. As your end of the link is a client, it is not the proper way to specify a tunneled DNS server, indeed it is a fatal configuration error. I think that changing the DNS server upon connection has to be done in the up and down scripts, I'm not sure if OpenWrt has any prepared integration.
I think for server mode it is:
push "dhcp-option DNS 10.0.0.241"
As far as I know, dhcp-option DNS 10.0.0.241 should be valid for client mode; no idea why this is problematic.
You are correct that it does nothing by itself; it should be handled by up and down scripts: