OpenWrt Forum Archive

Topic: OpenVPN config oddities.

The content of this topic has been archived on 2 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Post #1
tuxwrt
30 Nov 2016, 11:53

Hi guys,

Ok this is driving me nuts. I have recently signed up for a VPN provider (BlackVPN)  who support lots of platforms including Linux and DDWRT. No OpenWRT yet but really that should not be an issue as the Linux config is standard.

Their config is :

auth-user-pass
remote vpn.blackvpn.nl 443 udp
nobind
client
dev tun
fast-io
persist-key
persist-tun
cipher AES-256-CBC
txqueuelen 486
sndbuf size 1655368
rcvbuf size 1655368
auth SHA512
pull
comp-lzo
tls-client
key-method 2
tls-remote nl
ns-cert-type server
ca ssl/ca.crt
tls-auth ssl/ta.key 1
verb 3
mute 10
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

There is no update-resolve-conf in OpenWRT so those last two lines can be disregarded.

So I diligently copy the parameters from the file resulting in this config.

uci show openvpn.BlackVPN


openvpn.BlackVPN=openvpn
openvpn.BlackVPN.client='1'
openvpn.BlackVPN.verb='3'
openvpn.BlackVPN.persist_key='1'
openvpn.BlackVPN.nobind='1'
openvpn.BlackVPN.dev='tun'
openvpn.BlackVPN.persist_tun='1'
openvpn.BlackVPN.txqueuelen='486'
openvpn.BlackVPN.pull='1'
openvpn.BlackVPN.remote_random='0'
openvpn.BlackVPN.tls_client='1'
openvpn.BlackVPN.key_method='2'
openvpn.BlackVPN.ca='/lib/uci/upload/cbid.openvpn.BlackVPN.ca'
openvpn.BlackVPN.ns_cert_type='server'
openvpn.BlackVPN.cipher='AES-256-CBC'
openvpn.BlackVPN.auth='SHA512'
openvpn.BlackVPN.sndbuf='1655368'
openvpn.BlackVPN.rcvbuf='1655368'
openvpn.BlackVPN.fast_io='1'
openvpn.BlackVPN.remote='vpn.blackvpn.nl'
openvpn.BlackVPN.enabled='1'
openvpn.BlackVPN.tls_auth='/etc/openvpn/tlsauth.key'
openvpn.BlackVPN.auth_user_pass='/etc/openvpn/userpass.txt'
openvpn.BlackVPN.port='443'
openvpn.BlackVPN.comp_lzo='yes'
openvpn.BlackVPN.tls_remote='nl'

Which in turn generates the following config file.

 


cat openvpn-BlackVPN.conf 


client
fast-io
nobind
persist-key
persist-tun
pull
tls-client
auth SHA512
auth-user-pass /etc/openvpn/userpass.txt
ca /lib/uci/upload/cbid.openvpn.BlackVPN.ca
cipher AES-256-CBC
comp-lzo yes
dev tun
key-method 2
ns-cert-type server
port 443
rcvbuf 1655368
remote vpn.blackvpn.nl
sndbuf 1655368
tls-auth /etc/openvpn/tlsauth.key
tls-remote nl
txqueuelen 486
verb 3

The problem is while I can run openvpn in the supplied config file, it works fine. When I run it with the generated script it always hangs. I have copied the original script to the router and used the same userpass.txt the same ca and the same tlscert.key as the generated config and it still works. But using the generated script does not. Grrrrr

I just cannot see what is so very different about the files that means one works and the other does not.

The error I am getting is this. (with verb 9 on)

openvpn openvpn-BlackVPN.conf 
Wed Nov 30 10:29:06 2016 DEPRECATED OPTION: --tls-remote, please update your configuration
Wed Nov 30 10:29:06 2016 us=539304 OpenVPN 2.3.6 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan 31 2016
Wed Nov 30 10:29:06 2016 us=540284 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Wed Nov 30 10:29:06 2016 us=547595 Control Channel Authentication: using '/etc/openvpn/tlsauth.key' as a OpenVPN static key file
Wed Nov 30 10:29:06 2016 us=548497 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Nov 30 10:29:06 2016 us=549540 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Nov 30 10:29:06 2016 us=550586 LZO compression initialized
Wed Nov 30 10:29:06 2016 us=552580 Control Channel MTU parms [ L:1602 D:210 EF:110 EB:0 ET:0 EL:0 ]
Wed Nov 30 10:29:06 2016 us=553603 Socket Buffers: R=[163840->163840] S=[163840->163840]
Wed Nov 30 10:29:06 2016 us=561294 Data Channel MTU parms [ L:1602 D:1450 EF:102 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Nov 30 10:29:06 2016 us=561586 UDPv4 link local: [undef]
Wed Nov 30 10:29:06 2016 us=561800 UDPv4 link remote: [AF_INET]188.122.86.197:443
Wed Nov 30 10:29:06 2016 us=562807 UDPv4 WRITE [86] to [AF_INET]188.122.86.197:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=90ecaf7b 44f3f8a8 tls_hmac=51f88488 aa3d6997 1066a151 abdea072 c9a3d642 efc20d73 cbe5ceab 98cde7bd a119ad56 df6e566e b60d70c5 6de30d45 73214833 747b0928 cf91d518 a9c7ce49 pid=[ #1 / time = (1480501746) Wed Nov 30 1
Wed Nov 30 10:29:06 2016 us=563194 UDPv4 write returned 86
Wed Nov 30 10:29:07 2016 us=577811  event_wait returned 0
Wed Nov 30 10:29:08 2016 us=591422  event_wait returned 0
Wed Nov 30 10:29:08 2016 us=592455 UDPv4 WRITE [86] to [AF_INET]188.122.86.197:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=90ecaf7b 44f3f8a8 tls_hmac=756c563b fa98e24a 6ea99b7d dda52d13 dda801e2 423b429c d6330158 3cbec754 e46c0656 a4153d09 be0cd8e6 95d85095 a0ff2ad3 a3a3ccf4 c0572e7d 0871dd11 pid=[ #2 / time = (1480501746) Wed Nov 30 1
Wed Nov 30 10:29:08 2016 us=592797 UDPv4 write returned 86
Wed Nov 30 10:29:09 2016 us=605870  event_wait returned 0
Wed Nov 30 10:29:10 2016 us=619287  event_wait returned 0
Wed Nov 30 10:29:11 2016 us=632585  event_wait returned 0

When running with this edited supplied config 

auth-user-pass /etc/openvpn/userpass.txt
remote vpn.blackvpn.nl 443 udp
nobind
client
dev tun
fast-io
persist-key
persist-tun
cipher AES-256-CBC
txqueuelen 486
sndbuf size 1655368
rcvbuf size 1655368
auth SHA512
pull
comp-lzo
tls-client
key-method 2
tls-remote nl
ns-cert-type server
verb 3
mute 10
script-security 2
ca /lib/uci/upload/cbid.openvpn.BlackVPN.ca
tls-auth /etc/openvpn/tlsauth.key 1
verb 9

I get this:

openvpn Privacy-Netherlands.conf 
Wed Nov 30 10:45:24 2016 DEPRECATED OPTION: --tls-remote, please update your configuration
Wed Nov 30 10:45:24 2016 us=847938 OpenVPN 2.3.6 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan 31 2016
Wed Nov 30 10:45:24 2016 us=848902 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Wed Nov 30 10:45:24 2016 us=855546 Control Channel Authentication: using '/etc/openvpn/tlsauth.key' as a OpenVPN static key file
Wed Nov 30 10:45:24 2016 us=855979 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Nov 30 10:45:24 2016 us=856283 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Nov 30 10:45:24 2016 us=856600 LZO compression initialized
Wed Nov 30 10:45:24 2016 us=857648 Control Channel MTU parms [ L:1602 D:210 EF:110 EB:0 ET:0 EL:0 ]
Wed Nov 30 10:45:24 2016 us=858108 Socket Buffers: R=[163840->163840] S=[163840->163840]
Wed Nov 30 10:45:24 2016 us=859356 Data Channel MTU parms [ L:1602 D:1450 EF:102 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Nov 30 10:45:24 2016 us=859670 UDPv4 link local: [undef]
Wed Nov 30 10:45:24 2016 us=859953 UDPv4 link remote: [AF_INET]93.190.141.187:443
Wed Nov 30 10:45:24 2016 us=861575 UDPv4 WRITE [86] to [AF_INET]93.190.141.187:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=0297f790 f3e5a5d4 tls_hmac=56690e07 31c116c0 c75f4efb a3731d66 bea03b07 64b74232 0e9c522f dfa7a5cd 017d2fd1 38b9d5e6 fdbda81c 6788d2a5 8ea328bb 4b314121 f9947418 3330bd12 pid=[ #1 / time = (1480502724) Wed Nov 30 1
Wed Nov 30 10:45:24 2016 us=862083 UDPv4 write returned 86
Wed Nov 30 10:45:24 2016 us=875195  event_wait returned 1
Wed Nov 30 10:45:24 2016 us=875463 UDPv4 read returned 98
Wed Nov 30 10:45:24 2016 us=877248 UDPv4 READ [98] from [AF_INET]93.190.141.187:443: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=e724a0c7 67ae7a9c tls_hmac=a04d7995 c04012a4 c6fdf5f0 324bdc96 59923572 cb4843af 8b6c557a 7b540e24 ea570fad 9c49b5bc d8a5d656 e150e322 82208e61 fce43db0 ed7c8339 94d12317 pid=[ #1 / time = (1480502537) Wed Nov 30 1
Wed Nov 30 10:45:24 2016 us=878177 TLS: Initial packet from [AF_INET]93.190.141.187:443, sid=e724a0c7 67ae7a9c
Wed Nov 30 10:45:24 2016 us=880598 UDPv4 WRITE [94] to [AF_INET]93.190.141.187:443: P_ACK_V1 kid=0 sid=0297f790 f3e5a5d4 tls_hmac=b938a0b7 ec2d4e19 0b1f7ab1 033e0884 7e8c8770 515476a3 557a54b8 e55413ff 2642e04f a83465ad 98a0838e c5a32bdd 9fa6842f a0165f31 a149c384 df145363 pid=[ #2 / time = (1480502724) Wed Nov 30 10:45:24 2016 ] [ 0 sid
Wed Nov 30 10:45:24 2016 us=881530 UDPv4 write returned 94
Wed Nov 30 10:45:24 2016 us=882594 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Nov 30 10:45:24 2016 us=885519 UDPv4 WRITE [186] to [AF_INET]93.190.141.187:443: P_CONTROL_V1 kid=0 sid=0297f790 f3e5a5d4 tls_hmac=b9947225 24e9a5d8 253adb71 9634314c 6603863e ec48f020 8e20f4eb d1010da9 d083a82f 085a89be 88e50389 066999ec 4ddbe5d3 14cc312d fe78363a 43b3105f pid=[ #3 / time = (1480502724) Wed Nov 30 10:45:24 2016 ] [ ]
Wed Nov 30 10:45:24 2016 us=886617 UDPv4 write returned 186
Wed Nov 30 10:45:24 2016 us=888479 UDPv4 WRITE [148] to [AF_INET]93.190.141.187:443: P_CONTROL_V1 kid=0 sid=0297f790 f3e5a5d4 tls_hmac=6574a9fd 83255054 4f0a9773 3fe0134b 0e48b37c 5d094390 03e0be1e 50f68086 632e022a 8055bbdf 440c309d 8a93ce3e ce38c983 4df40ce6 6841857a 5e3d8fd8 pid=[ #4 / time = (1480502724) Wed Nov 30 10:45:24 2016 ] [ ]
Wed Nov 30 10:45:24 2016 us=888808 UDPv4 write returned 148
Wed Nov 30 10:45:24 2016 us=899809  event_wait returned 1
Wed Nov 30 10:45:24 2016 us=900049 UDPv4 read returned 94
Wed Nov 30 10:45:24 2016 us=900915 UDPv4 READ [94] from [AF_INET]93.190.141.187:443: P_ACK_V1 kid=0 sid=e724a0c7 67ae7a9c tls_hmac=0b92d6ac 8539d60e f23bd03d 6725fda6 2d04d1c9 29e87d5e c24fc7a4 75c0d48d 9408a2da fe4adf87 a473ff38 e016b595 2d9c55ee 2ec88e21 ba2ccb72 b017e9f1 pid=[ #2 / time = (1480502537) Wed Nov 30 10:42:17 2016 ] [ 1 sid
Wed Nov 30 10:45:24 2016 us=953453  event_wait returned 1
Wed Nov 30 10:45:24 2016 us=953694 UDPv4 read returned 198
Wed Nov 30 10:45:24 2016 us=955108 UDPv4 READ [198] from [AF_INET]93.190.141.187:443: P_CONTROL_V1 kid=0 sid=e724a0c7 67ae7a9c tls_hmac=292913be bc6ffd99 ec79ac4a 6ed60cc6 575db35d f970ac1f c077b24b 117bed65 79deef35 c71fbe35 5f0e8d1a 5489abf2 da30e54e 375452f2 9748eb28 0efa6199 pid=[ #3 / time = (1480502537) Wed Nov 30 10:42:17 2016 ] [ 2
Wed Nov 30 10:45:24 2016 us=957690 UDPv4 WRITE [94] to [AF_INET]93.190.141.187:443: P_ACK_V1 kid=0 sid=0297f790 f3e5a5d4 tls_hmac=abaa03e5 dc1c9401 b109e7ca a8a774a8 135ab0d8 cf8ce5aa f1d4a2a4 c851347b 1c057658 eceda236 dfab17d4 65de4f7f e9340267 01910e5d dc9b7434 eb240687 pid=[ #5 / time = (1480502724) Wed Nov 30 10:45:24 2016 ] [ 1 sid
Wed Nov 30 10:45:24 2016 us=958618 UDPv4 write returned 94
Wed Nov 30 10:45:24 2016 us=959737  event_wait returned 1
Wed Nov 30 10:45:24 2016 us=960612 UDPv4 read returned 186
Wed Nov 30 10:45:24 2016 us=963636 UDPv4 READ [186] from [AF_INET]93.190.141.187:443: P_CONTROL_V1 kid=0 sid=e724a0c7 67ae7a9c tls_hmac=55e6cb39 b0d84554 c87d0009 48473153 108121ed 66e5eb2d ce5539b5 7557c7f4 c3a3aeeb 08f91407 333eb498 5bb05f37 1b509a8f ba1d5d15 3bc91aed 66602fd9 pid=[ #4 / time = (1480502537) Wed Nov 30 10:42:17 2016 ] [ ]

So what the hell is going on ? Am I just blind and cannot see a glaring mistake in the differences between the files or is something weird going on? I spent 4 hours last night looking at this and feel I am going insane.

Could the order of the options really matter? Although I feel I have shuffled everything around by now. sad

Maybe some fresh eyes need to save me from my own madness?

Thanks for your help.

(Last edited by tuxwrt on 30 Nov 2016, 11:55)

Post #2
MikeLima
30 Nov 2016, 12:46

You can use an existing config for openvpn with:

openvpn.custom_config=openvpn
openvpn.custom_config.enabled='1'
openvpn.custom_config.config='/etc/openvpn_custom.conf'

Post #3
tuxwrt
30 Nov 2016, 12:48
MikeLima wrote:

You can use an existing config for openvpn with:

openvpn.custom_config=openvpn
openvpn.custom_config.enabled='1'
openvpn.custom_config.config='/etc/openvpn_custom.conf'


Would that still be editable by the LuCi interface ?

Post #4
tuxwrt
30 Nov 2016, 13:01

Ahhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh

Ok so while I was trying to parse the config file into uci script file I noticed THERE IS a difference. Ever so slight and seemingly insignificant but nonetheless important.

The parameters  sndbuf and rcvbuf NEED the extra param 'size' So:

sndbuf size 1655368!!!!

I think I can legitimately file this as a bug against OpenWRT/LuCi because that should be generated from the parameter option as selected.

A hack is just to include size NNNNN into the edit field and it seems to get passed along with no parsing (another bug perhaps?) and get added to the config file.

What a weird bug.. But hope it helps others. Now who do I file this as a bug with exactly?

Thanks

Post #5
ulmwind
30 Nov 2016, 13:14

tuxwrt, compound parameter 

tls-auth ssl/ta.key 1

equals two ordinary parameters:

tls-auth ssl/ta.key
key-direction 1
Post #6
tuxwrt
30 Nov 2016, 13:26
ulmwind wrote:

tuxwrt, compound parameter 

tls-auth ssl/ta.key 1

equals two ordinary parameters:

tls-auth ssl/ta.key
key-direction 1

Ahh yes.. that is important too. Again wish it was clearer in the gui to expose this but oh well all a learning experience.

Thanks.

The discussion might have continued from here.