Vpn provider .ovpn to lede/wrt

hi,

i want to connect with my lede/openwrt device to a vpn provider. it works directly with openvpn and the ovpn file, but not with the lede/wrt settings. (LEDE 17.01.4 in use)
i have received the following nl.ovpn file.

remote vpn-nl.domain.tld
verify-x509-name CN=vpn-nl.domain.tld
auth-user-pass
client
dev tun
proto udp
cipher AES-256-CBC
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
<ca>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</ca>
verb 3
reneg-sec 0

When i try it directly with openVPN it works and asks for the user and password.
i placed it in /etc/openvpn/nl.ovpn
and tried it. tun interface is created, routes are pushed etc...

root@openwrt:/etc/openvpn# openvpn nl.ovpn 
Sat Feb 10 19:24:03 2018 OpenVPN 2.4.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Feb 10 19:24:03 2018 library versions: OpenSSL 1.0.2n  7 Dec 2017, LZO 2.10
Enter Auth Username:1234567890
Enter Auth Password:
Sat Feb 10 19:25:13 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]209.250

but i haven't found out how to run it with openwrt settings.

i added a section under /etc/config/openvpn

config openvpn 'nl_vpn'
	list remote 'vpn-nl.domain.tld 1194'
	option auth_user_pass '/etc/openvpn/nl_userpass.txt'
	option client '1'
	option dev 'tun0'
	option proto 'udp'
	option cipher 'aes-256-cbc'
	option resolv_retry 'infinite'
	option nobind '1'
	option persist_key '1'
	option persist_tun '1'
	option ca '/etc/openvpn/nl_vpn.ca.crt'
	option verb '3'
	option reneg_sec '0'

placed the CA cert part from the ovpn file under /etc/openvpn/nl_vpn.ca.crt
placed a userpass file /etc/openvpn/nl_userpass.txt with user in the first line and password in the second line.

i haven't found an option for "verify-x509-name CN=vpn-nl.domain.tld"
any idea how to set this option?

how can i start the openvpn from CLI?
how can i have a look at the output if something went wrong.
when i start it in luci, there is no information about the connection.
where should i check for logs?

any settings missing?

Your /etc/config/openvpn file should be only this:

config openvpn 'nl_vpn'
   option enabled '1'
   option config "/etc/openvpn/nl.ovpn"

Edit the .ovpn file as necessary. You can use any config options defined by OpenVPN itself. For example put your userpass file name on the line with auth_user_pass, in the ovpn file.


@mk24 thanks for the hint.

though i want to run it with the lede/wrt settings directly.

one step further:

https://openvpn.net/index.php/open-source/documentation/howto.html#mitm

Use the tls-remote directive on the client to accept/reject the server connection based on the common name of the server certificate.

Which i could find in luci:
option tls_remote 'remote_x509_name'

next step, syslog shows something:

Sat Feb 10 22:04:49 2018 daemon.notice openvpn(nl_prem)[16431]: OpenVPN 2.4.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Feb 10 22:04:49 2018 daemon.notice openvpn(nl_prem)[16431]: library versions: OpenSSL 1.0.2n  7 Dec 2017, LZO 2.10
Sat Feb 10 22:04:49 2018 daemon.warn openvpn(nl_prem)[16431]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Feb 10 22:04:49 2018 daemon.err openvpn(nl_prem)[16431]: OpenSSL: error:02001002:lib(2):func(1):reason(2)
Sat Feb 10 22:04:49 2018 daemon.err openvpn(nl_prem)[16431]: OpenSSL: error:2006D080:lib(32):func(109):reason(128)
Sat Feb 10 22:04:49 2018 daemon.err openvpn(nl_prem)[16431]: Cannot load CA certificate file /etc/openvpn/nl_prem.ca.crt (no entries were read)
Sat Feb 10 22:04:49 2018 daemon.notice openvpn(nl_prem)[16431]: Exiting due to fatal error

cannot load CA certificate... any idea? wrong cert type?

/etc/openvpn/nl_prem.ca.crt and /etc/openvpn/nl_prem_ca.crt were different.

Finally:
Sat Feb 10 22:10:01 2018 daemon.notice openvpn(nl_prem)[16892]: Initialization Sequence Completed

Some problems with gateway and routing, but i plan to run mwan3 too.

thanks a lot
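The "Cannot load CA certificate file ... (no entries were read)" error above comes from handing OpenVPN a CA file that contains no PEM certificate, which is easy to do when the `<ca>` block is copied out of the .ovpn by hand. The following is an added example, not code from the thread or from the OpenWrt project: it extracts the inline `<ca>` block into a standalone file for `option ca` and refuses to accept a result without a complete BEGIN/END pair. The .ovpn content and the certificate body are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenWrt project: copy the inline
# <ca> block of a provider .ovpn file into a standalone PEM file (what the UCI
# "option ca" setting points at) and refuse to hand OpenVPN a file that holds
# no certificate. The .ovpn below is constructed for the demo and the
# certificate body is a placeholder, not a real certificate.

# pem_cert_count FILE
# Prints how many complete BEGIN/END CERTIFICATE pairs FILE contains
# (0 if the markers are unbalanced). "|| true" keeps a zero count from
# aborting the script under "set -e".
pem_cert_count() {
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
    if [ "$begins" -eq "$ends" ]; then echo "$begins"; else echo 0; fi
}

# extract_ca OVPN OUT
# Writes the lines strictly between <ca> and </ca> to OUT.
# Returns 0 when OUT holds at least one certificate, 1 otherwise; an empty
# or truncated OUT is exactly what OpenVPN reports as
# "Cannot load CA certificate file ... (no entries were read)".
extract_ca() {
    awk '/^<\/ca>$/ { inblock = 0 }
         inblock     { print }
         /^<ca>$/    { inblock = 1 }' "$1" > "$2"
    [ "$(pem_cert_count "$2")" -ge 1 ]
}

DEMO_DIR=$(mktemp -d)

# Constructed provider file in the same shape as the nl.ovpn in the thread.
cat > "$DEMO_DIR/nl.ovpn" <<'EOF'
remote vpn-nl.domain.tld
verify-x509-name CN=vpn-nl.domain.tld
auth-user-pass
client
dev tun
proto udp
<ca>
-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDERnotArealCertificateBodyJustDemoBytes0000000000000000
-----END CERTIFICATE-----
</ca>
verb 3
EOF

# Constructed file without any <ca> block: extraction must fail loudly
# instead of leaving an empty .crt for "option ca" to point at.
printf 'client\ndev tun\nproto udp\n' > "$DEMO_DIR/no_ca.ovpn"

if extract_ca "$DEMO_DIR/nl.ovpn" "$DEMO_DIR/nl_vpn.ca.crt"; then
    echo "wrote $(pem_cert_count "$DEMO_DIR/nl_vpn.ca.crt") certificate(s) to $DEMO_DIR/nl_vpn.ca.crt"
fi
if ! extract_ca "$DEMO_DIR/no_ca.ovpn" "$DEMO_DIR/empty.crt"; then
    echo "no usable <ca> block in no_ca.ovpn; do not reference $DEMO_DIR/empty.crt from /etc/config/openvpn"
fi
```

On the router the same two functions can be run against the real provider file, e.g. `extract_ca /etc/openvpn/nl.ovpn /etc/openvpn/nl_vpn.ca.crt`, and the count check tells you immediately whether the file OpenVPN will read actually contains a certificate.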

You have a client certificate. This proves to them that you are a paying subscriber.

It does not prove to you that you are connecting to the real legitimate server. For that you need their "CA" file. This is different from the client certificate.

When you put client or server options in /etc/config/openvpn, all that happens is a UCI script parses them into a temporary file in .ovpn format which is then passed to the OpenVPN program.

no, i do not. i have a user and a password.

OK I see that now. Some services have both a client certificate and a password.

if i'd config my own ovpn server, i'd harden it with https://bettercrypto.org/ :wink: instead of just a password and subject check

hmm, i think i'll also add some more tls checks and tls min version stuff too.

thanks for the hint with the parsing and inserting into the ovpn file. i guess the ovpn file uses the official openVPN syntax, which has better documentation.

for the record and for later users who search/read this.

option tls_remote 'remote_x509_name' is deprecated and won't be available in later openvpn versions, 2.4+ or so.

The new option is verify_x509_name instead.
option verify_x509_name 'vpn-location.domain.tld name'

From: https://dev.openwrt.org/ticket/18807

    --verify-x509-name and --x509-username-field are new arguments that are supposed to
    take over the old --tls-remote which, according to the manual, will be completely removed in
    OpenVPN v2.4 or v2.5 ( https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAK ).

    However, they are still not supported in /etc/init.d/openvpn and
    therefore they are not included
    in the generated files in /tmp/etc/openvpn-*.conf

Was introduced in: https://dev.openwrt.org/changeset/48969

hopefully it helps someone
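The practical consequence of the ticket is that a `verify_x509_name` line in /etc/config/openvpn could silently vanish from the generated /tmp/etc/openvpn-*.conf, and the only sign was the "No server certificate verification method has been enabled" warning in syslog. The following is an added example, not code from the thread or from the OpenWrt project: a small audit that reads the generated configs and reports which server identity check each instance actually carries, before the tunnel is used. The sample configs are constructed and the hostname is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenWrt project: audit the client
# configs that the init script generates (the /tmp/etc/openvpn-*.conf files
# named in the ticket) for a server identity check, so a dropped
# verify-x509-name is caught before the tunnel carries traffic instead of
# being noticed as the "No server certificate verification method" warning
# in syslog. The sample configs below are constructed; the hostname is a
# placeholder.

# server_verification_status CONF
# Prints which server identity check CONF carries and returns 0 when it is
# a current one:
#   verify-x509-name  current directive (name or subject match)     -> 0
#   remote-cert-tls   server key-usage check only, no name match    -> 0
#   tls-remote        deprecated, removed in OpenVPN 2.4/2.5        -> 1
#   none              no check at all (MITM warning at startup)     -> 1
server_verification_status() {
    if grep -q '^verify-x509-name[[:space:]]' "$1"; then
        echo verify-x509-name
    elif grep -Eq '^remote-cert-tls[[:space:]]+server' "$1"; then
        echo remote-cert-tls
    elif grep -q '^tls-remote[[:space:]]' "$1"; then
        echo tls-remote
        return 1
    else
        echo none
        return 1
    fi
}

# audit_generated_configs DIR
# Runs the check over every openvpn-*.conf in DIR (on the router: /tmp/etc)
# and prints one line per file. Returns 1 if any instance fails the check.
audit_generated_configs() {
    failed=0
    for conf in "$1"/openvpn-*.conf; do
        [ -f "$conf" ] || continue
        status=$(server_verification_status "$conf") || failed=1
        echo "$conf: $status"
    done
    return "$failed"
}

DEMO_DIR=$(mktemp -d)

# Constructed approximation of what LEDE 17.01's init script produced from the
# UCI section in the thread: verify_x509_name was not passed through, so no
# identity check reaches OpenVPN.
cat > "$DEMO_DIR/openvpn-nl_vpn.conf" <<'EOF'
remote vpn-nl.domain.tld 1194
auth-user-pass /etc/openvpn/nl_userpass.txt
client
dev tun0
proto udp
cipher aes-256-cbc
ca /etc/openvpn/nl_vpn.ca.crt
verb 3
EOF

# The same instance with the directive present (what "option config" pointing
# at the provider's own .ovpn gives you).
{ cat "$DEMO_DIR/openvpn-nl_vpn.conf"; echo 'verify-x509-name vpn-nl.domain.tld name'; } \
    > "$DEMO_DIR/openvpn-nl_fixed.conf"

# An instance that still relies on the deprecated tls-remote directive.
{ cat "$DEMO_DIR/openvpn-nl_vpn.conf"; echo 'tls-remote vpn-nl.domain.tld'; } \
    > "$DEMO_DIR/openvpn-nl_legacy.conf"

if audit_generated_configs "$DEMO_DIR"; then
    echo "all instances carry a server identity check"
else
    echo "at least one instance would start without verifying the server"
fi
```

On a router the call is `audit_generated_configs /tmp/etc` after `/etc/init.d/openvpn start`; an instance reported as `none` is the one that will log the MITM warning, and one reported as `tls-remote` works today but needs to be moved to `verify-x509-name` before the directive disappears.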
