[Solved] How to Configure "Trivial" OpenVPN Client - Config Files Only

Yes, I've gone through the completely inscrutable https://openwrt.org/docs/guide-user/services/vpn/openvpn/client

All I want to do is configure a trivial, point-to-point, shared-key, OpenVPN client.

LuCI and uci do a marvelous job of changing whitespace and stripping comments, making them unusable for me.

Working from openvpn_recipes, I crafted /etc/config/openvpn

jeff@test:/etc/config$ cat openvpn

package openvpn

#
# Routed point-to-point client
#
config openvpn client_tun_ptp
	option _description	'Simple client configuration for a routed point-to-point VPN'
	option _role		'client'
	option dev			'tun0'
	list remote			'10.0.0.2'
	option ifconfig		'172.16.1.1 172.16.1.2'
	option secret		'/etc/openvpn/static.key'
	option nobind		'1'
#	option comp_lzo		'yes'
	option verb			'3'

consistent with a known-good, four-liner on Debian.

Note: As pointed out in the next post, the above config is missing

	option enabled		'1'

The static key is in place.

tun0 has been added to the firewall. I did not see anything on the linked page about defining an interface.

--- a/config/firewall
+++ b/config/firewall
@@ -18,6 +18,7 @@ config zone
        list   network          'wan'
        list   network          'wan6'
        list   network          'wg0'
+       list   network          'tun0'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT
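
Review bot: The added line "list network 'tun0'" refers to a logical interface name from /etc/config/network, but tun0 here is the device name set by "option dev 'tun0'" in the OpenVPN instance, and the post says no interface was defined. Either define a matching "config interface" section in /etc/config/network for that device, or reference the device directly with "list device 'tun0'" in the zone. Because the entry goes into the zone that already holds wan, wan6 and wg0, the tunnel also inherits that zone's input, output and forward ACCEPT policies; a separate zone for the tunnel would let its policy be set independently of wan.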

(yes, ACCEPT is intentional)

/etc/init.d/openvpn start does not result in any log messages, or a running instance.

jeff@test:/etc/config$ sudo sh -x /etc/init.d/openvpn start
+ START=90
+ STOP=10
+ USE_PROCD=1
+ PROG=/usr/sbin/openvpn
+ LIST_SEP='
'
+ UCI_STARTED=
+ UCI_DISABLED=

(end of output)

What am I missing with this?

I think an option enabled 1 is mandatory in the /etc/config/openvpn for the instance to start.

1 Like
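
Added example (not part of the thread and not OpenWrt's own code): a shell check for the failure discussed above, where an instance without option enabled '1' is skipped without any log message. The function name check_openvpn_uci and the sample file are constructed for illustration; the boolean spellings accepted besides '1' are an assumption about how UCI booleans are read.

```shell
#!/bin/sh
# Added example: report which "config openvpn" instances would be skipped
# because they lack a true "option enabled".

# check_openvpn_uci FILE
# Prints "<instance> enabled" or "<instance> disabled" per OpenVPN section.
# Returns 0 if all instances are enabled, 1 if any is not, 2 if FILE is unreadable.
check_openvpn_uci() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk -v q="'" '
    # Strip one leading and one trailing single or double quote.
    function unquote(s) { gsub("^[\"" q "]|[\"" q "]$", "", s); return s }
    # Assumption: these spellings count as true for a UCI boolean.
    function truthy(v) { return v ~ /^(1|on|true|yes|enabled)$/ }
    # Emit the verdict for the section that just ended.
    function flush() {
        if (name == "") return
        if (truthy(enabled)) { print name " enabled" }
        else { print name " disabled"; bad = 1 }
    }
    /^[ \t]*#/ { next }                      # commented-out options do not count
    $1 == "config" {
        flush(); name = ""; enabled = ""
        if ($2 == "openvpn") name = ($3 != "") ? unquote($3) : "(anonymous)"
        next
    }
    name != "" && $1 == "option" && $2 == "enabled" { enabled = unquote($3) }
    END { flush(); exit bad + 0 }
    ' "$1"
}

# Constructed sample: the instance from the first post, before the fix.
sample=$(mktemp)
cat > "$sample" <<'EOF'
package openvpn

config openvpn client_tun_ptp
	option dev 'tun0'
	option secret '/etc/openvpn/static.key'
	option nobind '1'
EOF
check_openvpn_uci "$sample" || echo "at least one instance will not be started"
rm -f "$sample"
```

On a router the function would be pointed at /etc/config/openvpn before running /etc/init.d/openvpn start.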

Your use case is limited to speed testing relying on simplicity and performance, while actual use cases also take into account many other aspects such as fault tolerance, security, resource efficiency, interoperability, compatibility, automation and scalability.
Those wiki guides intentionally put aside file-level modification of the UCI configurations, as it adds an additional level of complexity and may lead to potentially hard to diagnose issues.
If you don't plan to maintain those guides and actively participate in the related user support threads, please refrain from changing the paradigm.

Actually my use case is to be able to properly select and securely configure the services. It is only the first step to evaluate the options. Your mind-reading abilities are poor as to the extent to which I evaluate the various options.

If you find clarifications to the wiki page, which in no way modify the prescription presented, objectionable, then that would be a topic to take up in the Talk About Documentation section. I continue to maintain that what was presented there is nearly inscrutable as to what the results should be, if the "magical formula" is followed.

Had the OpenWrt-specific configuration options and overall syntax of UCI-based configuration of OpenVPN been properly documented, somewhere on the wiki, this thread would never have been necessary. Don't kid yourself, using uci commands and sed is just editing the persisted config files with tools other than vi.

Well, technically this is not just editing.
It is a fast, unambiguous, automated and reproducible method to provide the required configuration modifications.

In my opinion, all those config slices and alternative descriptions in the middle of the instruction section look quite redundant and just divert the attention from the main content.

Although I don't really mind if you want to contribute, so let's see how it goes. 🙂
