I want to connect my LEDE/OpenWrt device to a VPN provider. It works directly with OpenVPN and an .ovpn file, but not with the LEDE/OpenWrt settings. (LEDE 17.01.4 in use)
I have received the following nl.ovpn file.
When I try it directly with OpenVPN it works and asks for the user and password.
I placed it in /etc/openvpn/nl.ovpn
and tried it. The tun interface is created, routes are pushed etc...
root@openwrt:/etc/openvpn# openvpn nl.ovpn
Sat Feb 10 19:24:03 2018 OpenVPN 2.4.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Feb 10 19:24:03 2018 library versions: OpenSSL 1.0.2n 7 Dec 2017, LZO 2.10
Enter Auth Username:1234567890
Enter Auth Password:
Sat Feb 10 19:25:13 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]209.250
But I haven't found out how to run it with the OpenWrt settings.
I placed the CA cert part from the .ovpn file under /etc/openvpn/nl_vpn.ca.crt
and placed a userpass file /etc/openvpn/nl_userpass.txt with the user in the first line and the password in the second line.
I haven't found an option for "verify-x509-name CN=vpn-nl.domain.tld".
Any idea how to set this option?
How can I start OpenVPN from the CLI?
How can I have a look at the output if something went wrong?
When I start it in LuCI, there is no information about the connection.
Where should I check for logs?
Edit the .ovpn file as necessary. You can use any config options defined by OpenVPN itself. For example, put your userpass file name on the line with auth-user-pass in the .ovpn file.
Use the tls-remote directive on the client to accept/reject the server connection based on the common name of the server certificate.
Which I could find in LuCI: option tls_remote 'remote_x509_name'
Next step, syslog shows something:
Sat Feb 10 22:04:49 2018 daemon.notice openvpn(nl_prem)[16431]: OpenVPN 2.4.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Feb 10 22:04:49 2018 daemon.notice openvpn(nl_prem)[16431]: library versions: OpenSSL 1.0.2n 7 Dec 2017, LZO 2.10
Sat Feb 10 22:04:49 2018 daemon.warn openvpn(nl_prem)[16431]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Feb 10 22:04:49 2018 daemon.err openvpn(nl_prem)[16431]: OpenSSL: error:02001002:lib(2):func(1):reason(2)
Sat Feb 10 22:04:49 2018 daemon.err openvpn(nl_prem)[16431]: OpenSSL: error:2006D080:lib(32):func(109):reason(128)
Sat Feb 10 22:04:49 2018 daemon.err openvpn(nl_prem)[16431]: Cannot load CA certificate file /etc/openvpn/nl_prem.ca.crt (no entries were read)
Sat Feb 10 22:04:49 2018 daemon.notice openvpn(nl_prem)[16431]: Exiting due to fatal error
Cannot load CA certificate... any idea? Wrong cert type?
/etc/openvpn/nl_prem.ca.crt and /etc/openvpn/nl_prem_ca.crt were different.
Finally:
Sat Feb 10 22:10:01 2018 daemon.notice openvpn(nl_prem)[16892]: Initialization Sequence Completed
Some problems with gateway and routing, but I plan to run mwan3 too.
You have a client certificate. This proves to them that you are a paying subscriber.
It does not prove to you that you are connecting to the real legitimate server. For that you need their "CA" file. This is different from the client certificate.
When you put client or server options in /etc/config/openvpn, all that happens is a UCI script parses them into a temporary file in .ovpn format which is then passed to the OpenVPN program.
If I'd configure my own OpenVPN server, I'd harden it with https://bettercrypto.org/ instead of just a password and subject check.
Hmm, I think I'll also add some more TLS checks and TLS min version stuff too.
Thanks for the hint with the parsing and inserting into the .ovpn file. I guess in the .ovpn file it's official OpenVPN syntax, which has better documentation.
For the record and later users who search/read this:
option tls_remote 'remote_x509_name' is deprecated and won't be available in later OpenVPN versions (2.4+ or so).
The new option is verify_x509_name instead:
option verify_x509_name 'vpn-location.domain.tld name'
From: https://dev.openwrt.org/ticket/18807
--verify-x509-name and --x509-username-field are new arguments that are supposed to take over the old --tls-remote, which according to the manual will be completely removed in OpenVPN v2.4 or v2.5 ( https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAK ).
However, they are still not supported in /etc/init.d/openvpn and therefore they are not included in the generated files in /tmp/etc/openvpn-*.conf