Using OpenVPN and not starting

Hello everyone,
I am trying to use a VPN on my router. I followed a few tutorials and I do not see anything missing or not working; it is just that when I try to start my OpenVPN instance, it never starts. Here is my config:

root@OpenWrt:/tmp/etc# uci show openvpn
openvpn.custom_config=openvpn
openvpn.custom_config.config='/etc/openvpn/my-vpn.conf'
openvpn.sample_server=openvpn
openvpn.sample_server.port='1194'
openvpn.sample_server.proto='udp'
openvpn.sample_server.dev='tun'
openvpn.sample_server.ca='/etc/openvpn/ca.crt'
openvpn.sample_server.cert='/etc/openvpn/server.crt'
openvpn.sample_server.key='/etc/openvpn/server.key'
openvpn.sample_server.dh='/etc/openvpn/dh2048.pem'
openvpn.sample_server.server='10.8.0.0 255.255.255.0'
openvpn.sample_server.ifconfig_pool_persist='/tmp/ipp.txt'
openvpn.sample_server.keepalive='10 120'
openvpn.sample_server.persist_key='1'
openvpn.sample_server.persist_tun='1'
openvpn.sample_server.user='nobody'
openvpn.sample_server.status='/tmp/openvpn-status.log'
openvpn.sample_server.verb='3'
openvpn.sample_client=openvpn
openvpn.sample_client.client='1'
openvpn.sample_client.dev='tun'
openvpn.sample_client.proto='udp'
openvpn.sample_client.remote='my_server_1 1194'
openvpn.sample_client.resolv_retry='infinite'
openvpn.sample_client.nobind='1'
openvpn.sample_client.persist_key='1'
openvpn.sample_client.persist_tun='1'
openvpn.sample_client.user='nobody'
openvpn.sample_client.ca='/etc/openvpn/ca.crt'
openvpn.sample_client.cert='/etc/openvpn/client.crt'
openvpn.sample_client.key='/etc/openvpn/client.key'
openvpn.sample_client.verb='3'
openvpn.Ivancy=openvpn
openvpn.Ivancy.dev='tun'
openvpn.Ivancy.ifconfig='10.0.0.2 10.0.0.1'
openvpn.Ivancy.secret='shared-secret.key'
openvpn.Ivancy.nobind='1'
openvpn.Ivancy.comp_lzo='yes'
openvpn.Ivancy.port='53'
openvpn.Ivancy.persist_tun='1'
openvpn.Ivancy.verb='1'
openvpn.Ivancy.client='1'
openvpn.Ivancy.proto='udp'
openvpn.Ivancy.resolv_retry='infinite'
openvpn.Ivancy.auth_user_pass='/etc/openvpn/userpass.txt'
openvpn.Ivancy.remote='cav2-auto-udp.dns2use.com'
openvpn.Ivancy.auth='SHA1'
openvpn.Ivancy.cipher='AES-256-CBC'
openvpn.Ivancy.mute_replay_warnings='1'
openvpn.Ivancy.tls_client='1'
openvpn.Ivancy.tls_auth=' /etc/openvpn/tls-auth.key'
openvpn.Ivancy.auth_nocache='1'
openvpn.Ivancy.remote_cert_tls='server'
openvpn.Ivancy.key_direction='1'
openvpn.Ivancy.ca='/etc/openvpn/ca.crt'
openvpn.Ivancy.enabled='1'
openvpn.IvanVancouver=openvpn
openvpn.IvanVancouver.config='/etc/openvpn/IvanVancouver.ovpn'
openvpn.IvanVancouver.enabled='1'

My Firewall:

root@OpenWrt:/tmp/etc# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Support-UDP-Traceroute'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='33434:33689'
firewall.@rule[9].proto='udp'
firewall.@rule[9].family='ipv4'
firewall.@rule[9].target='REJECT'
firewall.@rule[9].enabled='false'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].name='Ivacy_fw'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@zone[2].network='Ivancy' 'IvanVancouver'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='Ivacy_fw'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='Ivacy_fw'
firewall.@forwarding[2].dest='lan'

I am trying to connect to a VPN provider, so I do not have the config of the server, other than a file that I applied as a separate instance with a different interface, and it is added as a covered network on the firewall.

What do the logs say?

Where should I look for logs?

See the troubleshooting section:

LuCI -> Status -> System Log would be a good place to look for 'openvpn' messages.

fwiw, take a look at
https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci#alternative_guide_for_openvpn_client_using_luci
I've not tested Ivacy VPN but no reason why it should not work.

Here are the logs. I am not really familiar with the errors, but these are the instructions that I followed. Those are pretty straightforward:

https://support.ivacy.com/setup_guide/how-to-configure-and-install-openvpn-on-your-openwrt-router/

Fri Jan  7 06:35:51 2022 daemon.warn openvpn(Ivancy)[22762]: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Fri Jan  7 06:35:51 2022 daemon.warn openvpn(Ivancy)[22762]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Fri Jan  7 06:35:51 2022 daemon.err openvpn(Ivancy)[22762]: Options error: specify only one of --tls-server, --tls-client, or --secret
Fri Jan  7 06:35:51 2022 daemon.warn openvpn(Ivancy)[22762]: Use --help for more information.
Fri Jan  7 06:35:55 2022 daemon.warn openvpn(IvanVancouver)[22771]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Fri Jan  7 06:35:55 2022 daemon.notice openvpn(IvanVancouver)[22771]: OpenVPN 2.5.3 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Jan  7 06:35:55 2022 daemon.notice openvpn(IvanVancouver)[22771]: library versions: OpenSSL 1.1.1m  14 Dec 2021, LZO 2.10
Fri Jan  7 06:35:55 2022 daemon.err openvpn(IvanVancouver)[22771]: neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Auth Username:'.  If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Fri Jan  7 06:35:55 2022 daemon.notice openvpn(IvanVancouver)[22771]: Exiting due to fatal error

Thanks

The big one is here -- your credentials cannot be entered, so it fails.

You need to make sure you have the appropriate directive in your openvpn config file to enable the user-auth. See this article...

And then this thread

You have another few issues, but I don't think they are fatal (cipher and tls server/client/secret settings)

As pointed out by @psherman, perhaps the userpass.txt is missing, or a wrong username and/or password is contained within the file.

fwiw, their openwrt guide has not been updated to use .ovpn config files.

.ovpn files can be found in 'OpenVPN Files with Certificates' on this page if you wish to use the OpenVPN client using LuCI to make it far easier and quicker to set up more than one VPN instance.
https://support.ivacy.com/vpnusecases/openvpn-files-windows-routers-ios-linux-and-mac/

I am afraid the file is there and it has the right credentials. I even used ssh and cat to double-check, and it has my username on the first line and my password on the second. It is in the right place:

I also noticed that the interfaces for the OpenVPN are down and marked as not working. Not sure if there is anything else that I am missing.

Thanks for all the help so far

What are the permissions on the userpass.txt file? Try changing it to 777 as a test to see if that resolves the problem.

openvpn.IvanVancouver=openvpn
openvpn.IvanVancouver.config='/etc/openvpn/IvanVancouver.ovpn'
openvpn.IvanVancouver.enabled='1'

I just realised in your original post, there are TWO vpn client instances. One called 'Ivancy' and the other is 'IvanVancouver'.

The Ivancy instance was perhaps created by following the outdated Ivacy tutorial, and you separately imported the .ovpn file to create the IvanVancouver instance?

The daemon error message is for the 'IvanVancouver' instance, which uses an .ovpn file.

Did you remember to edit the IvanVancouver.ovpn to include the path to the userpass.txt file as per OpenWrt LuCI guides?
https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci#b_upload_a_openvpn_config_file

Extract from 'OpenVPN Client for HH5A'
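
The two fatal errors in the log above (`--secret` combined with TLS client mode on the manually built instance, and the credential prompt on the imported `.ovpn`) can be caught before the daemon is started. The shell function below is an added example, not code from this thread or from OpenWrt/OpenVPN; the finding codes and sample file names are made up, it assumes an unquoted absolute path after `auth-user-pass`, and it additionally flags a credentials file that group or others can access.

```shell
#!/bin/sh
# Added example, not from the thread. Prints one finding code per line for an
# OpenVPN client config; prints nothing when no check fires.
lint_ovpn() {
    conf=$1
    findings=$(awk '
        { sub(/\r$/, "") }                      # tolerate CRLF provider files
        NF == 0 || $1 ~ /^[#;]/ { next }        # skip blanks and comments
        $1 == "auth-user-pass" { aup = 1; if (NF > 1) cred = $2 }
        $1 == "secret"         { secret = 1 }
        # "client" is shorthand that also enables tls-client
        $1 == "client" || $1 == "tls-client" || $1 == "tls-server" { tls = 1 }
        END {
            if (aup && cred == "") print "NO_CRED_FILE"     # daemon would prompt
            if (secret && tls)     print "SECRET_WITH_TLS"  # static key + TLS mode
            if (cred != "")        print "CREDFILE " cred
        }' "$conf")
    printf '%s\n' "$findings" | while read -r code path; do
        case $code in
            CREDFILE)
                if [ ! -f "$path" ]; then
                    echo "CRED_FILE_MISSING"
                # characters 5-10 of the ls mode string are the group/other bits
                elif [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
                    echo "CRED_FILE_PERMS"
                fi ;;
            ?*) echo "$code" ;;
        esac
    done
}

# Constructed sample files; names and contents are made up for the demo.
demo() {
    d=$(mktemp -d) || return 1
    printf 'user\npass\n' > "$d/userpass.txt"
    chmod 600 "$d/userpass.txt"
    printf 'client\r\ndev tun\r\nauth-user-pass\r\n' > "$d/imported.ovpn"
    printf 'client\nsecret static.key\nauth-user-pass %s\n' "$d/userpass.txt" > "$d/manual.conf"
    printf 'client\ndev tun\nauth-user-pass %s\n' "$d/userpass.txt" > "$d/fixed.ovpn"
    for f in imported.ovpn manual.conf fixed.ovpn; do
        echo "$f: $(lint_ovpn "$d/$f" | tr '\n' ' ')"
    done
    rm -rf "$d"
}
demo
```

On the router this would be called as `lint_ovpn /etc/openvpn/IvanVancouver.ovpn`; an empty result means none of the three checks fired.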

Yes, I did that 777 and it still did not work... that was one of the first things I did.

You are right on the 2 VPN interfaces. I created one following the tutorial and the other just by uploading the file. Neither works, and I just left the IvanVancouver one as there is not much to change on that file; you just upload the file and that is it. I have been trying to make the Ivancy one work, the one I added manually, but let me give editing the file a go.

Thanks

that worked!!

thanks... I guess the file and just adding the credentials is the way to go with Ivacy

Please mark as Solved

Maybe you can use this. Did you make a file with your username and password?
It is explained in the YouTube video.
