VPN for guest wifi

Hey! I want to set up openvpn for the guest network (wifi), but I got an error:
Options error: Unrecognized option or missing or extra parameter(s) in /etc/openvpn/cfg_vpn.ovpn:91: script-security (2.5.3)
I opened the configuration file, and on line 91:
line 90: script-security 2
line 91: up /etc/openvpn/update-resolv-conf
line 92: down /etc/openvpn/update-resolv-conf

How to fix and set up a working vpn for a guest network?

I selected a different configuration file for routers and got a different error:
Options error: Unknown key direction '1' -- must be '0' or '1'

Does it exist?
It would be better to post the whole configuration file, rather than parts of it. You can omit the key sections.

It is not there, there are only 2 files:
cfg_vpn.auth cfg_vpn.ovpn
"cfg_vpn" is the name of my setting

You have your answer then.

regonfig:
client
dev tun
proto udp

remote 143.244.44.161 4569
remote 143.244.44.161 80
remote 143.244.44.161 1194
remote 143.244.44.161 5060
remote 143.244.44.161 443
remote 143.244.44.161 5060
remote 143.244.44.161 4569
remote 143.244.44.161 443
remote 143.244.44.161 80
remote 143.244.44.161 80
remote 143.244.44.161 1194
remote 143.244.44.161 1194
remote 143.244.44.161 1194
remote 143.244.44.161 4569
remote 143.244.44.161 5060
remote 143.244.44.161 443
remote 143.244.44.161 4569
remote 143.244.44.161 5060
remote 143.244.44.161 443
remote 143.244.44.161 80
server-poll-timeout 20

remote-random
resolv-retry infinite
nobind

# The following setting is only needed for old OpenVPN clients compatibility. New clients
# automatically negotiate the optimal cipher.
#cipher AES-256-CBC

data-ciphers-fallback 'AES-256-CBC' 
auth-user-pass "/etc/openvpn/cfg_vpn.auth"
--askpass
--auth-nocache
auth SHA512
verb 3

setenv CLIENT_CERT 0
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun

reneg-sec 0

remote-cert-tls server
auth-user-pass
pull
fast-io
<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>

key-direction 1
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-auth>

new error:
neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Private Key Password:'. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.

Please use the "Preformatted text </>" button for logs, scripts, configs and general console output.
Please edit your post accordingly. Thank you! :slight_smile:

Did you compile the config file yourself or did you download it from some vpn provider? Did you modify it? Which provider is this?

Yes. Same error without fix

ProtonVPN

I am using the same provider. I copy-pasted the file into /etc/openvpn/proton.ovpn and /etc/openvpn/proton.auth for the authentication.
However I don't have some lines that you have, such as

regonfig:
...
--askpass
--auth-nocache
1 Like

What version of OpenWrt are you running?

Please post your .ovpn file:

cat /etc/openvpn/<name>.ovpn

Please use the "Preformatted text </>" button for logs, scripts, configs and general console output.

Please redact any text relating to username/password, and any text delimited by -----BEGIN . . . -----END tags.
Thank you!

Those are used for a desktop config. Be sure to request a router configuration from ProtonVPN; don't copy it from a phone / desktop configuration.

I don't think that up and down scripts are necessary on OpenWrt.

If your certificate private key is encrypted with a passphrase you will need to re-save it without a passphrase. OpenVPN cannot operate headless with an encrypted private key.

1 Like

They are not, I have disabled them. Same for the default route.

I googled the recommendations and added them

config above

OpenWrt 21.02.2 r16495-bf0c965af0 / LuCI openwrt-21.02 branch git-22.046.85957-59c3392

Raised my vps server with openvpn server and it works, but protonvpn doesn't want to work...
Maybe in this thread they will tell you how to redirect packets to vpn with a virtual wifi ssid?

I don't know where you came up with that .ovpn file. In any event you can remove the noted lines below from the .ovpn file. That should let the tunnel establish at .4 if you are following the configuration guide from https://protonvpn.com/support/how-to-set-up-protonvpn-on-openwrt-routers/

regonfig:               # remove
client
dev tun
proto udp
       .
data-ciphers-fallback 'AES-256-CBC' 
auth-user-pass "/etc/openvpn/cfg_vpn.auth"
--askpass               # remove
--auth-nocache          # remove
auth SHA512
verb 3
    .
auth-user-pass          # remove
pull
fast-io
<ca>

1 Like
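
A pre-flight check for the profile problems raised in this thread, as an added example that is not part of any post and not ProtonVPN or OpenWrt tooling: it flags a stray label, bare `askpass` / `auth-user-pass`, `auth-nocache`, and `up` / `down` scripts that do not exist. `check_ovpn` and `write_sample` are hypothetical names, and the sample profile is constructed.

```shell
#!/bin/sh
# Added example, not from the thread; check_ovpn and write_sample are hypothetical names.
check_ovpn() {
    awk '
    /^<\/[a-z-]+>/  { inblock = 0; next }   # end of an inline <ca> or <tls-auth> block
    inblock         { next }                # key material, not directives
    /^<[a-z-]+>/    { inblock = 1; next }
    NF == 0 || /^[ \t]*[#;]/ { next }       # blank lines and comments
    {
        opt = $1
        sub(/^--/, "", opt)                 # treat --askpass and askpass alike
        if (opt ~ /:$/)
            warn(opt " is not a directive")
        else if ((opt == "askpass" || opt == "auth-user-pass") && NF == 1)
            warn(opt " has no file argument, so it prompts on the console")
        else if (opt == "auth-nocache")
            warn(opt " was marked for removal in this thread")
        else if (opt == "up" || opt == "down") {
            path = $2; gsub(/"/, "", path)
            if ((getline probe < path) < 0) warn(opt " script " path " is missing"); else close(path)
        }
    }
    function warn(msg) { printf "line %d: %s\n", NR, msg; bad = 1 }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample with the problem lines from the thread and no key material.
write_sample() {
    cat > "$1" <<'EOF'
regonfig:
client
dev tun
auth-user-pass "/etc/openvpn/cfg_vpn.auth"
--askpass
--auth-nocache
script-security 2
up /nonexistent/update-resolv-conf
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
auth-user-pass
EOF
}

tmp=$(mktemp) && write_sample "$tmp" && { check_ovpn "$tmp" || echo "profile needs fixing"; }
rm -f "$tmp"
```

On the router, run `check_ovpn /etc/openvpn/cfg_vpn.ovpn` before enabling the instance; a non-zero exit status means at least one line was flagged.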