[Solved] Setting up an OpenVPN server on my TP-Link Archer C7

kenny83 · May 12, 2020, 5:41pm

Hi all,

I have followed the instructions in https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic but I can't connect to the VPN. It even took more fiddling than should have been necessary just to get the LuCI app to recognise the created server.conf file, since it was:

a) expecting a server.ovpn file and
b) not picking up the file from the /etc/openvpn directory, even after fixing a).

The solution to a) was to simply rename the file, which seemingly worked (eventually), but I had to manually upload it through the LuCI interface to get that app to recognise it as a valid config file (that was the solution to b)).

Even after doing all of that, I had to manually reboot the router to be able to start the OpenVPN service, since it was complaining about a resource busy error (i.e. the server was already running under another process, even though the LuCI app couldn't see that).

I now have both a server and client process running on the router (is the latter necessary?? It would seem as though that belongs on my PC, but the instructions have me very confused) and that prevents my internet from working at all...but I presume that is because I'm not connected to the VPN! Please correct me if I'm wrong.

In summary, I have followed all of the "official" instructions to the letter, and have tried using both Pritunl and OpenVPN's official client apps for Windows with the generated client.ovpn file, but I still can't connect. What gives??

The Pritunl client app times out after 60 seconds, as does the OpenVPN app, but at least the latter gives me a reason why:

TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed

MTIA for any advice on this rather confusing and frustrating situation

mk24 · April 27, 2020, 6:13pm

Remove the client settings from the router. The router should only be running a server.

Files named *.conf in /etc/openvpn will be automatically parsed by any OpenVPN process-- you usually do not want that to happen thus the convention to name them .ovpn instead.

That looks like a network issue such as the firewall or a problem with port forwarding. What is the network path between the Windows client and the server C7?

kenny83 · April 27, 2020, 11:36pm

Yeah I thought it was pretty silly of me to put that on there LOL. And the fact that my internet connection died as soon as I did it should have been a big hint as well!

Ahh OK makes sense. Thanks for clearing that up

My Windows laptop isn't running a third-party software firewall, just the built-in one (part of Windows Defender in Win 10), and I've even tried disabling that but it made no difference. It is connected to the C7 via WiFi and there are no other switches or modems to worry about. On the other side, I have a fibre connection that runs from the street to a termination box in the house, and a Cat 6 cable running from that to the C7.

All of the firewall settings in the C7 should be correct, since setting those up is part of the guide. But here are some screenshots just in case something jumps out at you (or anyone for that matter):

Thanks again for your assistance with this

kenny83 · May 5, 2020, 7:51am

Apologies for bumping this, but it's been a week and still no-one has any ideas? I find that hard to believe...

kenny83 · May 5, 2020, 10:51am

Never mind actually, it was a silly misconfiguration error on my part. I had the remote address in the client config set to my public IP, while still connected to my LAN. I just needed to set it to the router's IP and now it works .

I am still curious as to why using my public IP doesn't work...do I need to be connected to a totally different LAN for that to work?

trendy · May 5, 2020, 11:05am

When you connect from inside the lan you should use the lan ip of the router. But generally speaking there is no reason to connect the VPN from inside the lan.
Using the wan IP is possible, but some manipulation is needed, which in my opinion is a bad practice.

kenny83 · May 5, 2020, 11:37am

Why not? Doesn't this at least encrypt my traffic? How else would I connect if not by using my WAN IP, or router IP from inside the LAN?

trendy · May 5, 2020, 11:39am

Is your lan insecure and you need a vpn to encrypt the communication with the router?

kenny83 · May 5, 2020, 11:41am

No it's not particularly insecure, but I just thought strengthening its security couldn't hurt

trendy · May 5, 2020, 11:46am

It will hurt the weak cpu of your router when you'll download something.
In a similar device I had around 16Mbps when connecting with OpenVPN on a 100Mbps line.

kenny83 · May 5, 2020, 11:48am

Holy crap! OK thanks for the advice. Goodbye self-hosted OpenVPN. Might have to dish out for a subscription service. At least then my IP/location would be hidden too!

trendy · May 5, 2020, 12:45pm

The self hosted OpenVPN server is fine for connecting to your home when you are outside for secure browsing or reaching some files on the internal server. But when you are already at home, there is no reason to do that. Let alone the extra stress on the cpu to encrypt/decrypt.
So keep the OpenVPN server but limit it when you need to connect from outside and not general access.

kenny83 · May 5, 2020, 6:15pm

Yeah I thought about using it just for those purposes that you mentioned, but the main idea was to encrypt my internet traffic; not just https but everything.

I don't leave home very often so I think a paid solution might be better for me.

trendy · May 5, 2020, 6:25pm

Only for anonymity, otherwise if you are not using end to end encryption you cannot be sure what will happen after the traffic leaves the VPN provider.

mk24 · May 5, 2020, 6:39pm

Only the path between the VPN client and server is protected by encryption. If your server is in the home, everything leaving home will be non-encrypted as if there was no VPN.

kenny83 · May 6, 2020, 12:17am

Yes I came to that realisation after trendy explained things to me several posts ago. I don't understand why there is so much hype around VPNs as they seem pretty freaking useless now that I fully understand what they're capable of.

Sure they will anonymise your IP address and let you connect to a different network (i.e. home or work) from anywhere, but from a security standpoint, they seem pretty useless and I was previously led to believe otherwise.

Oh well, I may still find a need for setting up PiVPN or something. Won't use OpenVPN on my router though after what trendy told me about the performance bottlenecks that would create.

Thanks everyone for your advice and time I think we can close this thread now.

trendy · May 6, 2020, 7:18am

They are not useless, they will encrypt the traffic between the 2 (or more) endpoints that you will configure. And this is basically what they do.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.