
Topic: OpenWRT Noob needs serious help with OpenVPN

The content of this topic has been archived between 22 Apr 2018 and 4 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Greetings, I am new to DD-WRT and I need serious help with my OpenVPN configuration.

I use a Linksys WRT32X with stock firmware.

Here are my configuration files and logs.

I cannot find a config log on my Router.

Is it possible that the OpenVPN server is locked out by Linksys on the WRT32X?

Thank you!

firewall

# Global policy: SYN-flood protection on, router input/output allowed,
# forwarding between zones rejected unless a zone or a 'config forwarding'
# section below opens it.
config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

# LAN zone: everything accepted, including forwarding within the zone.
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

# WAN zone (IPv4 'wan' and IPv6 'wan6' interfaces): unsolicited input and
# forwarding rejected, outbound traffic masqueraded, MSS clamped (mtu_fix).
config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

# Only lan -> wan is opened here; the VPN zone's forwardings are declared
# at the end of this file.
config forwarding
    option src 'lan'
    option dest 'wan'

# Stock OpenWrt WAN input rules (no 'dest' => traffic addressed to the router).

# DHCP lease renewals from the upstream server.
config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

# NOTE(review): despite the name this rule DROPs IPv4 echo-request from WAN
# (the stock default is ACCEPT). Harmless, but the name is misleading;
# consider renaming it 'Drop-Ping' so the intent is visible in LuCI.
config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'DROP'

# IGMP from WAN (multicast membership; only needed for IPTV-style setups).
config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

# DHCPv6 replies, restricted to link/unique-local source and destination.
config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

# Multicast Listener Discovery from link-local sources only.
config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

# ICMPv6 types needed for IPv6 to work at all (ND, PMTU, errors), rate-limited.
config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

# Same error/echo types, but forwarded to any zone (dest '*') for LAN hosts.
config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

# Hand-written iptables rules sourced from this script (contents not shown).
config include
    option path '/etc/firewall.user'

# Two unnamed rules: forward IPsec ESP and IKE (UDP/500) from WAN into the LAN.
# NOTE(review): only needed if an IPsec endpoint lives behind the router;
# if there is none, these widen the WAN -> LAN surface for no benefit.
config rule
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

# Samba on the router from LAN. Redundant: the lan zone already has
# input 'ACCEPT'.
config rule
    option name 'Samba'
    option src 'lan'
    option proto 'tcp'
    option dest_port '139'
    option target 'ACCEPT'

# UPnP (miniupnpd) hook: lets LAN hosts open WAN ports on demand. Convenient,
# but it is additional attack surface; disable it if nothing needs it.
config include 'miniupnpd'
    option type 'script'
    option path '/usr/share/miniupnpd/firewall.include'
    option family 'any'
    option reload '1'

# Vendor (Linksys) firewall script; contents not shown in this thread.
config include 'krouter'
    option path '/usr/lib/krouter-scripts/firemark.sh'

# DNAT: WAN port 3389 -> 192.168.4.10:3310.
# NOTE(review): this publishes an RDP endpoint directly on the Internet. Once
# the VPN works, reaching that host through the tunnel and removing this
# redirect is the safer arrangement. Also, 'icmp' has no ports, so that part
# of the proto list can never satisfy the dest_port match - presumably
# unintended; 'tcp udp' is what the port numbers imply.
config redirect
    option enabled '1'
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option name 'RDP_Client1'
    option dest_ip '192.168.4.10'
    option dest_port '3310'
    option src_dport '3389'
    option proto 'tcp udp icmp'

# Inbound OpenVPN to the router on TCP+UDP 1194. src '*' opens the port from
# every zone (lan, wan and vpnserver alike); 'wan' is the usual, tighter scope.
# Only 'udp' is needed given 'option proto udp' in /etc/config/openvpn.
config rule
    option name 'Allow-OpenVPN-Inbound'
    option target 'ACCEPT'
    option src '*'
    option proto 'tcpudp'
    option dest_port '1194'

# Zone holding the tunnel interface (network 'vpnserver' -> ovpns0).
# masq '1' here NATs traffic that leaves through the tunnel, so VPN clients
# see the server's tunnel address instead of LAN source addresses - drop it
# if clients are supposed to see real LAN addresses.
config zone
    option name 'vpnserver'
    option input 'ACCEPT'
    option forward 'REJECT'
    option output 'ACCEPT'
    option masq '1'
    option network 'vpnserver'

# Needed for 'redirect-gateway' clients: tunnel traffic out to the Internet.
config forwarding
    option src 'vpnserver'
    option dest 'wan'

# NOTE(review): this lets unsolicited traffic arriving on WAN be forwarded
# into the 192.168.200.0/24 client subnet. Replies to client-initiated flows
# are already allowed by connection tracking, so this section is not needed
# for normal VPN use and should be removed.
config forwarding
    option src 'wan'
    option dest 'vpnserver'

# VPN clients <-> LAN in both directions (clients get 'route 192.168.4.0/24'
# pushed by the server).
config forwarding
    option src 'vpnserver'
    option dest 'lan'

config forwarding
    option src 'lan'
    option dest 'vpnserver'

network

# Loopback interface (stock).
config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

# IPv6 unique-local prefix; interfaces with 'ip6assign' draw from it.
config globals 'globals'
    option ula_prefix 'fd85:f178:0495::/48'

# LAN bridge on eth1; the router's LAN address is 192.168.4.254/24
# (relevant for the DNS address pushed by the OpenVPN server config).
config interface 'lan'
    option type 'bridge'
    option ifname 'eth1'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ipaddr '192.168.4.254'

# WAN with a static IPv4 address (values redacted by the poster).
config interface 'wan'
    option ifname 'eth0'
    option disabled '0'
    option proto 'static'
    option ipaddr 'x.x.x.x'
    option gateway 'x.x.x.x'
    # NOTE(review): the doubled opening quote on the next two lines is not
    # valid UCI; presumably a redaction artifact - confirm the real file reads
    # option netmask 'a.b.c.d' / list dns 'a.b.c.d'.
    option netmask ''x.x.x.x'
    list dns ''x.x.x.x'
    list dns  'x.x.x.x'

# IPv6 on the same uplink via DHCPv6.
config interface 'wan6'
    option ifname 'eth0'
    option proto 'dhcpv6'
    option disabled '0'

# Hardware switch: VLAN 1 = LAN ports + CPU port 6, VLAN 2 = ports 4-5.
config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0 1 2 3 6'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '4 5'

# Tunnel interface: no address configuration here (proto 'none'); OpenVPN
# creates and addresses ovpns0 itself. The name must match 'option dev'
# in /etc/config/openvpn, and this interface is what the 'vpnserver'
# firewall zone binds to.
config interface 'vpnserver'
    option proto 'none'
    option ifname 'ovpns0'
    option auto '1'

OpenVPN Client Config

 # Windows client profile (certificates/keys blanked by the poster).
 client
  dev tun
  proto udp
  # Ignored on Windows (the log says so); harmless.
  fast-io
  # NOTE(review): if the real file also has the trailing dot after the
  # address ("x.x.x.x." - the second attempt in the log prints it that way),
  # the remote is not a valid address; confirm it reads 'remote <addr> 1194'.
  remote x.x.x.x. 1194
  # Require the server EKU on the peer certificate - keep this.
  remote-cert-tls server
  nobind
  persist-key
  persist-tun
  # The server pushes 'comp-lzo yes', which overrides this after connect.
  comp-lzo no
  verb 3
  # Client side of the tls-auth key; the server uses direction 0 - consistent.
  key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
  -----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-auth>

Logfile OpenVPN Client (Windows):



Sun Mar 25 15:37:30 2018 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
Sun Mar 25 15:37:30 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Sun Mar 25 15:37:30 2018 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Sun Mar 25 15:37:30 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25342
Sun Mar 25 15:37:30 2018 Need hold release from management interface, waiting...
Sun Mar 25 15:37:31 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25342
Sun Mar 25 15:37:31 2018 MANAGEMENT: CMD 'state on'
Sun Mar 25 15:37:31 2018 MANAGEMENT: CMD 'log all on'
Sun Mar 25 15:37:31 2018 MANAGEMENT: CMD 'echo all on'
Sun Mar 25 15:37:31 2018 MANAGEMENT: CMD 'hold off'
Sun Mar 25 15:37:31 2018 MANAGEMENT: CMD 'hold release'
Sun Mar 25 15:37:31 2018 NOTE: --fast-io is disabled since we are running on Windows
Sun Mar 25 15:37:31 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Mar 25 15:37:31 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Mar 25 15:37:31 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
Sun Mar 25 15:37:31 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Mar 25 15:37:31 2018 UDP link local: (not bound)
Sun Mar 25 15:37:31 2018 UDP link remote: [AF_INET]x.x.x.x:1194
Sun Mar 25 15:37:31 2018 MANAGEMENT: >STATE:1521985051,WAIT,,,,,,
Sun Mar 25 15:37:31 2018 read UDP: Unknown error (code=10054)
Sun Mar 25 15:37:33 2018 read UDP: Unknown error (code=10054)
Sun Mar 25 15:37:37 2018 read UDP: Unknown error (code=10054)
Sun Mar 25 15:37:45 2018 read UDP: Unknown error (code=10054)
Sun Mar 25 15:38:01 2018 read UDP: Unknown error (code=10054)
Sun Mar 25 15:38:31 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Mar 25 15:38:31 2018 TLS Error: TLS handshake failed
Sun Mar 25 15:38:31 2018 SIGUSR1[soft,tls-error] received, process restarting
Sun Mar 25 15:38:31 2018 MANAGEMENT: >STATE:1521985111,RECONNECTING,tls-error,,,,,
Sun Mar 25 15:38:31 2018 Restart pause, 5 second(s)
Sun Mar 25 15:38:36 2018 NOTE: --fast-io is disabled since we are running on Windows
Sun Mar 25 15:38:36 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x.:1194
Sun Mar 25 15:38:36 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Mar 25 15:38:36 2018 UDP link local: (not bound)
Sun Mar 25 15:38:36 2018 UDP link remote: [AF_INET]x.x.x.x:1194
Sun Mar 25 15:38:36 2018 MANAGEMENT: >STATE:1521985116,WAIT,,,,,,
Sun Mar 25 15:38:36 2018 read UDP: Unknown error (code=10054)
Sun Mar 25 15:38:38 2018 read UDP: Unknown error (code=10054)
Sun Mar 25 15:38:42 2018 read UDP: Unknown error (code=10054)
Sun Mar 25 15:38:50 2018 read UDP: Unknown error (code=10054)
Sun Mar 25 15:39:07 2018 read UDP: Unknown error (code=10054)
Sun Mar 25 15:39:36 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Mar 25 15:39:36 2018 TLS Error: TLS handshake failed
Sun Mar 25 15:39:36 2018 SIGUSR1[soft,tls-error] received, process restarting
Sun Mar 25 15:39:36 2018 MANAGEMENT: >STATE:1521985176,RECONNECTING,tls-error,,,,,
Sun Mar 25 15:39:36 2018 Restart pause, 5 second(s)

I have found one more thing:

When I execute the command "#netstat -ltnup | grep 1194" I can see that OpenVPN is not listening on port 1194!?

What can I do?

Is it possible that the OEM-WRT firmware is blocking the OpenVPN server?

Thank you

Inf1n1nty wrote:

I am new to DD-WRT

This forum is devoted to OpenWRT. It's similar to DD-WRT, but there are differences. You might be better off asking in the DD-WRT forum.

However, in case we can tempt you away from DD-WRT and onto OpenWRT, we'll try to be helpful, if we can.

Try to launch the OpenVPN server on your router. Then, straight afterwards, obtain the output of the following two commands:

ps | grep openvpn
logread -e openvpn

The first command will tell you if openvpn is running. The second command will provide some log entries which might help to troubleshoot.

Sorry I am an Idiot..

I am new to Open-WRT.

My former router had DD-WRT installed, so I am sorry for this mistake.

This is what I get so I think OpenVPN is running:

root@WRT32X:~# ps | grep openvpn
19155 root      1080 S    grep openvpn


The logread-command shows no output

Maybe this helps too:

When I execute this command to install openvpn I get an error; I have read that the repo for my router is rejected.
In the GUI there is still an OpenVPN client. Maybe some installation packages on my router are missing?

root@WRT32X:~# opkg update && opkg install openvpn-openssl openssl-util luci-app-openvp


Downloading http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/base/Packages.gz.
# custom headers to add: 0
Updated list of available packages in /var/opkg-lists/designated_driver_base.
Downloading http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/base/Packages.sig.
# custom headers to add: 0
Signature check passed.
Downloading http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/kernel/Packages.gz.
# custom headers to add: 0
Updated list of available packages in /var/opkg-lists/designated_driver_kernel.
Downloading http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/kernel/Packages.sig.
# custom headers to add: 0
Signature check passed.
Downloading http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/linksys/Packages.gz.
# custom headers to add: 0
Downloading http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/linksys/Packages.sig.
# custom headers to add: 0
Signature check failed.
Remove wrong Signature file.
Downloading http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/packages/Packages.gz.
# custom headers to add: 0
Updated list of available packages in /var/opkg-lists/designated_driver_packages.
Downloading http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/packages/Packages.sig.
# custom headers to add: 0
Signature check passed.
Downloading http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/routing/Packages.gz.
# custom headers to add: 0
Updated list of available packages in /var/opkg-lists/designated_driver_routing.
Downloading http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/routing/Packages.sig.
# custom headers to add: 0
Signature check passed.
Downloading http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/telephony/Packages.gz.
# custom headers to add: 0
Updated list of available packages in /var/opkg-lists/designated_driver_telephony.
Downloading http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/telephony/Packages.sig.
# custom headers to add: 0
Signature check passed.
Collected errors:
 * opkg_download: Failed to download http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/linksys/Packages.gz, wget returned 8.
 * opkg_download: Failed to download http://downloads.openwrt.org/snapshots/trunk/mvebu/generic/packages/linksys/Packages.sig, wget returned 8.

What OpenWRT build version is your router running? Is openvpn packaged for that build?

600cc wrote:

Is openvpn packaged for that build?


I don't have a Clue sorry..


Openvpn was already installed with this OEM Firmware.


This is what I get on Information from the Router:


BusyBox v1.24.2 () built-in shell (ash)

  _______                     ________        __
|       |.-----.-----.-----.|  |  |  |.----.|  |_
|   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
|_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
-----------------------------------------------------
DESIGNATED DRIVER (Bleeding Edge, 50140)
-----------------------------------------------------
  * 2 oz. Orange Juice         Combine all juices in a
  * 2 oz. Pineapple Juice      tall glass filled with
  * 2 oz. Grapefruit Juice     ice, stir well.
  * 2 oz. Cranberry Juice
-----------------------------------------------------



root@WRT32X:~# uname -r
4.4.14

Inf1n1nty wrote:
600cc wrote:

Is openvpn packaged for that build?


I don't have a Clue sorry..

[...]

DESIGNATED DRIVER (Bleeding Edge, 50140)

That's going to be your first hurdle.

If the manufacturer included an OpenVPN package with the firmware, then use that package. If the manufacturer didn't, then you'll need to delve into the mysteries of package compilation (which is one reason why I use stable release builds now; it might be behind the curve, but I don't have the time and patience for, or interest in, playing with snapshots).


Inf1n1nty wrote:

Openvpn was already installed with this OEM Firmware.

Let's prove it, one way or the other. The manufacturer might have included the GUI component, but might have failed to include the actual software that does the work. It's unlikely, but not impossible. One thing my job has taught me is to ask these three questions whenever I'm troubleshooting:

  • What's it supposed to be doing?

  • What do I think it's supposed to be doing (which might not be the same thing)?

  • What is it actually doing?

In other words, always check and verify your assumptions.

What are the outputs from these commands?

opkg list-installed | grep openvpn
openvpn --version

(Last edited by 600cc on 25 Mar 2018, 17:33)

Now I have a log file (I inserted a line in the openvpn config file), but when I connect nothing is logged...

Sun Mar 25 18:33:13 2018 OpenVPN 2.3.11 arm-openwrt-linux-gnu [SSL (PolarSSL)] [LZO] [EPOLL] [MH] [IPv6]
Sun Mar 25 18:33:13 2018 library versions: PolarSSL 1.3.17, LZO 2.09
Sun Mar 25 18:33:13 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

root@WRT32X:~# opkg list-installed | grep openvpn
openvpn-easy-rsa - 2013-01-30-2
openvpn-polarssl - 2.3.11-1
root@WRT32X:~# openvpn --version
OpenVPN 2.3.11 arm-openwrt-linux-gnu [SSL (PolarSSL)] [LZO] [EPOLL] [MH] [IPv6]
library versions: PolarSSL 1.3.17, LZO 2.09
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>

I have installed Easy-RSA for creating the keys; the openvpn-polarssl package was already installed by Linksys.

Unfortunately there is no other OpenWrt firmware (as far as I can see) for this router, so I cannot switch to another release.

Time for a couple of really dumb questions, I'm afraid. Apologies if these have already been addressed.

Firstly, in your first post, I can see a client configuration, but not a server configuration. What are the contents of /etc/config/openvpn on your router? If the certificates and keys are shown inline in the config file, then remove them.

Secondly, your client config in your first post has placeholders for certificates and keys, but the details are blank (which is good - we don't need to see your keys and certs). However, for the avoidance of doubt, does your real client config file have actual certificates in it?

(Last edited by 600cc on 25 Mar 2018, 17:49)

These are no dumb questions.

This is the content of /etc/config/openvpn:

# Live server instance in UCI form; OpenWrt renders it to a real openvpn
# .conf at start-up. The section name 'vpnserver' is also the firewall zone
# and network name used in the other config files.
config openvpn 'vpnserver'
    option enabled '1'
    option dev_type 'tun'
    # Fixed interface name; matches 'option ifname ovpns0' in /etc/config/network.
    option dev 'ovpns0'
    option port '1194'
    option proto 'udp'
    # NOTE(review): compression over an encrypted tunnel is generally
    # discouraged now; the client file says 'comp-lzo no' but the push below
    # overrides it, so dropping both would be the consistent choice.
    option comp_lzo 'yes'
    option keepalive '10 120'
    option persist_key '1'
    option persist_tun '1'
    option ca '/etc/openvpn/ca.crt'
    option cert '/etc/openvpn/my-server.crt'
    # This file is secret.
    option key '/etc/openvpn/my-server.key'
    # 2048-bit DH parameters (the vendor sample ships with dh1024) - good.
    option dh '/etc/openvpn/dh2048.pem'
    # Server side uses key direction 0; the client profile uses
    # 'key-direction 1' - consistent.
    option tls_auth '/etc/openvpn/tls-auth.key 0'
    option mode 'server'
    option tls_server '1'
    # Client address pool; clients get the LAN route pushed below.
    option server '192.168.200.0 255.255.255.0'
    option topology 'subnet'
    # NOTE(review): 'route-gateway dhcp' is meant for tap/DHCP bridged setups;
    # with dev tun and topology subnet it is normally unnecessary - verify it
    # is intended (same for the pushed copy below).
    option route_gateway 'dhcp'
    # Clients can reach each other through the server; turn off if unneeded.
    option client_to_client '1'
    # Log goes to /tmp (lost on reboot).
    option log '/tmp/openvpn.log'
    # NOTE(review): no 'option cipher' / 'option auth' here, so the OpenVPN
    # 2.3 defaults apply (the vendor sample names BF-CBC as the default, and
    # the client log shows SHA1 HMAC). Setting an AES cipher on both sides is
    # preferable. Also no 'option user nobody' - the daemon keeps root after
    # start-up, whereas the vendor sample drops privileges.
    list push 'comp-lzo yes'
    list push 'persist-key'
    list push 'persist-tun'
    list push 'topology subnet'
    list push 'route-gateway dhcp'
    # Full-tunnel clients; relies on vpnserver -> wan forwarding + wan masq.
    list push 'redirect-gateway def1 bypass-dhcp'
    list push 'route 192.168.4.0 255.255.255.0'
    # NOTE(review): the router's LAN address is 192.168.4.254 per
    # /etc/config/network; 192.168.4.1 is only right if a resolver actually
    # lives there - confirm, otherwise clients get no working DNS.
    list push 'dhcp-option DNS 192.168.4.1'

I have removed the certificates.

[url]https://openwrt.org/docs/guide-user/services/vpn/openvpn/server.setup?s[]=openvpn[/url]

This is the Guide I used to configure OpenVPN.


I believe that there is a Mistake:

cd /tmp && wget https://openwrt.org/_export/code/docs/g … odeblock=3

mv server.setup?codeblock=1 create-certs.sh && chmod 754 ./create-certs.sh && ./create-certs.sh

I have exchanged codeblock=3 with codeblock=1

I'm not familiar with that particular document, so I can't comment. However, if you believe you've found a mistake in the documentation and can provide a correction, please do so. The wiki is open to everyone who registers.

Is my Server Configuration ok? Can you see if i made a mistake?

Thank you

Inf1n1nty wrote:

Is my Server Configuration ok? Can you see if i made a mistake?

Your configuration doesn't quite match the way I'd do it - https://forum.openwrt.org/viewtopic.php … 75#p373075 - but you're running a different version of OpenWRT and OpenVPN.

There are some changes in the way the configurations are put together, so the fact that yours is different isn't necessarily a problem.

Nothing immediately leaps out at me about your configuration, but something must not be right because the openvpn process isn't running.

The configuration you're seeing isn't the real configuration used by OpenVPN. Instead, it's an abstracted configuration in OpenWRT's UCI syntax. It gets translated into a real OpenVPN configuration file, which is then used when launching the openvpn process.

In LEDE 17.01.4 the real configuration lives in /tmp/etc (on mine, using the configuration linked in the post above, the configuration is /tmp/etc/openvpn-routed_udp.conf). I don't know where it lives on Designated Driver, but I'd look in /tmp/etc to begin with, for a file called "openvpn-vpnserver.conf" (the part of the name after "openvpn-" is taken from the section name in /etc/config/openvpn).

If it's not there, search the entire filesystem, starting with /tmp and widening your search if nothing's in /tmp and below. The file might not be called "openvpn-vpnserver.conf"; be prepared to search for anything. You can also use grep to look for text which could help identify the file in question. For example: grep -ilr "redirect-gateway" /tmp/* would tell you the name of any file which contains the text "redirect-gateway" and lives in /tmp or below.

If you tried running "logread" immediately after trying to start the OpenVPN server and can't see anything, then it might be possible to see what's wrong by launching the openvpn process manually.

Once you've found your real OpenVPN configuration file, you can use it when launching the openvpn process:

openvpn --config /path/to/configuration/file.conf

Replace /path/to/configuration/file.conf with the real configuration file path.

If the process stops at the text "Initialization Sequence Completed" and doesn't do anything else, then OpenVPN is running. Open a second SSH session to continue investigations, if you want to see which port(s) are being used by OpenVPN. Alternately, press Ctrl-C to stop the OpenVPN server and close any open ports.

If the process fails to launch, somewhere in the bunch of on-screen text should be one or more clues about why.

Thank you very much, this is a very good hint!


I have seen some parameters in the original OpenVPN config file with a path.

I have saved this file before I made my changes. For the next few hours I am at work and cannot connect to my router.

When I am at home I will look up and post the content of the original config file.

Thank you!

Hello,

I have restored the original openvpn file:

package openvpn

#################################################
# Sample to include a custom config file.       #
#################################################

# Disabled sample: hand a plain OpenVPN .conf file to the init script
# instead of expressing the options in UCI.
config openvpn custom_config

    # Set to 1 to enable this instance:
    option enabled 0

    # Include OpenVPN configuration
    option config /etc/openvpn/my-vpn.conf


#################################################
# Sample OpenVPN 2.0 uci config for             #
# multi-client server.                          #
#################################################

# Vendor sample server instance (disabled). Kept verbatim; review notes are
# marked NOTE(review).
config openvpn sample_server

    # Set to 1 to enable this instance:
    option enabled 0

    # Which local IP address should OpenVPN
    # listen on? (optional)
#    option local 0.0.0.0

    # Which TCP/UDP port should OpenVPN listen on?
    # If you want to run multiple OpenVPN instances
    # on the same machine, use a different port
    # number for each one.  You will need to
    # open up this port on your firewall.
    option port 1194

    # TCP or UDP server?
#    option proto tcp
    option proto udp

    # "dev tun" will create a routed IP tunnel,
    # "dev tap" will create an ethernet tunnel.
    # Use "dev tap0" if you are ethernet bridging
    # and have precreated a tap0 virtual interface
    # and bridged it with your ethernet interface.
    # If you want to control access policies
    # over the VPN, you must create firewall
    # rules for the TUN/TAP interface.
    # On non-Windows systems, you can give
    # an explicit unit number, such as tun0.
    # On Windows, use "dev-node" for this.
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
#    option dev tap
    option dev tun

    # SSL/TLS root certificate (ca), certificate
    # (cert), and private key (key).  Each client
    # and the server must have their own cert and
    # key file.  The server and all clients will
    # use the same ca file.
    #
    # See the "easy-rsa" directory for a series
    # of scripts for generating RSA certificates
    # and private keys.  Remember to use
    # a unique Common Name for the server
    # and each of the client certificates.
    #
    # Any X509 key management system can be used.
    # OpenVPN can also use a PKCS #12 formatted key file
    # (see "pkcs12" directive in man page).
    option ca /etc/openvpn/ca.crt
    option cert /etc/openvpn/server.crt
    # This file should be kept secret:
    option key /etc/openvpn/server.key

    # Diffie hellman parameters.
    # Generate your own with:
    #   openssl dhparam -out dh1024.pem 1024
    # Substitute 2048 for 1024 if you are using
    # 2048 bit keys.
    # NOTE(review): 1024-bit DH is considered weak today; use 2048 as the
    # poster's live config does (dh2048.pem).
    option dh /etc/openvpn/dh1024.pem

    # Configure server mode and supply a VPN subnet
    # for OpenVPN to draw client addresses from.
    # The server will take 10.8.0.1 for itself,
    # the rest will be made available to clients.
    # Each client will be able to reach the server
    # on 10.8.0.1. Comment this line out if you are
    # ethernet bridging. See the man page for more info.
    option server "10.8.0.0 255.255.255.0"

    # Maintain a record of client <-> virtual IP address
    # associations in this file.  If OpenVPN goes down or
    # is restarted, reconnecting clients can be assigned
    # the same virtual IP address from the pool that was
    # previously assigned.
    option ifconfig_pool_persist /tmp/ipp.txt

    # Configure server mode for ethernet bridging.
    # You must first use your OS's bridging capability
    # to bridge the TAP interface with the ethernet
    # NIC interface.  Then you must manually set the
    # IP/netmask on the bridge interface, here we
    # assume 10.8.0.4/255.255.255.0.  Finally we
    # must set aside an IP range in this subnet
    # (start=10.8.0.50 end=10.8.0.100) to allocate
    # to connecting clients.  Leave this line commented
    # out unless you are ethernet bridging.
#    option server_bridge "10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100"

    # Push routes to the client to allow it
    # to reach other private subnets behind
    # the server.  Remember that these
    # private subnets will also need
    # to know to route the OpenVPN client
    # address pool (10.8.0.0/255.255.255.0)
    # back to the OpenVPN server.
#    list push "route 192.168.10.0 255.255.255.0"
#    list push "route 192.168.20.0 255.255.255.0"

    # To assign specific IP addresses to specific
    # clients or if a connecting client has a private
    # subnet behind it that should also have VPN access,
    # use the subdirectory "ccd" for client-specific
    # configuration files (see man page for more info).

    # EXAMPLE: Suppose the client
    # having the certificate common name "Thelonious"
    # also has a small subnet behind his connecting
    # machine, such as 192.168.40.128/255.255.255.248.
    # First, uncomment out these lines:
#    option client_config_dir /etc/openvpn/ccd
#    list route "192.168.40.128 255.255.255.248"
    # Then create a file ccd/Thelonious with this line:
    #   iroute 192.168.40.128 255.255.255.248
    # This will allow Thelonious' private subnet to
    # access the VPN.  This example will only work
    # if you are routing, not bridging, i.e. you are
    # using "dev tun" and "server" directives.

    # EXAMPLE: Suppose you want to give
    # Thelonious a fixed VPN IP address of 10.9.0.1.
    # First uncomment out these lines:
#    option client_config_dir /etc/openvpn/ccd
#    list route "10.9.0.0 255.255.255.252"
#    list route "192.168.100.0 255.255.255.0"
    # Then add this line to ccd/Thelonious:
    #   ifconfig-push "10.9.0.1 10.9.0.2"

    # Suppose that you want to enable different
    # firewall access policies for different groups
    # of clients.  There are two methods:
    # (1) Run multiple OpenVPN daemons, one for each
    #     group, and firewall the TUN/TAP interface
    #     for each group/daemon appropriately.
    # (2) (Advanced) Create a script to dynamically
    #     modify the firewall in response to access
    #     from different clients.  See man
    #     page for more info on learn-address script.
#    option learn_address /etc/openvpn/script

    # If enabled, this directive will configure
    # all clients to redirect their default
    # network gateway through the VPN, causing
    # all IP traffic such as web browsing and
    # and DNS lookups to go through the VPN
    # (The OpenVPN server machine may need to NAT
    # the TUN/TAP interface to the internet in
    # order for this to work properly).
    # CAVEAT: May break client's network config if
    # client's local DHCP server packets get routed
    # through the tunnel.  Solution: make sure
    # client's local DHCP server is reachable via
    # a more specific route than the default route
    # of 0.0.0.0/0.0.0.0.
#    list push "redirect-gateway"

    # Certain Windows-specific network settings
    # can be pushed to clients, such as DNS
    # or WINS server addresses.  CAVEAT:
    # http://openvpn.net/faq.html#dhcpcaveats
#    list push "dhcp-option DNS 10.8.0.1"
#    list push "dhcp-option WINS 10.8.0.1"

    # Uncomment this directive to allow different
    # clients to be able to "see" each other.
    # By default, clients will only see the server.
    # To force clients to only see the server, you
    # will also need to appropriately firewall the
    # server's TUN/TAP interface.
#    option client_to_client 1

    # Uncomment this directive if multiple clients
    # might connect with the same certificate/key
    # files or common names.  This is recommended
    # only for testing purposes.  For production use,
    # each client should have its own certificate/key
    # pair.
    #
    # IF YOU HAVE NOT GENERATED INDIVIDUAL
    # CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
    # EACH HAVING ITS OWN UNIQUE "COMMON NAME",
    # UNCOMMENT THIS LINE OUT.
    # NOTE(review): keep this disabled in production; shared client
    # identities make revoking one client impossible without revoking all.
#    option duplicate_cn 1

    # The keepalive directive causes ping-like
    # messages to be sent back and forth over
    # the link so that each side knows when
    # the other side has gone down.
    # Ping every 10 seconds, assume that remote
    # peer is down if no ping received during
    # a 120 second time period.
    option keepalive "10 120"

    # For extra security beyond that provided
    # by SSL/TLS, create an "HMAC firewall"
    # to help block DoS attacks and UDP port flooding.
    #
    # Generate with:
    #   openvpn --genkey --secret ta.key
    #
    # The server and each client must have
    # a copy of this key.
    # The second parameter should be '0'
    # on the server and '1' on the clients.
    # This file is secret:
    # NOTE(review): worth enabling - unauthenticated control packets are
    # dropped before they reach the TLS stack. The poster's live config has it.
#    option tls_auth "/etc/openvpn/ta.key 0"

    # Select a cryptographic cipher.
    # This config item must be copied to
    # the client config file as well.
    # Blowfish (default):
    # NOTE(review): BF-CBC is a 64-bit block cipher; prefer one of the AES
    # options below (set on both server and client).
#    option cipher BF-CBC
    # AES:
#    option cipher AES-128-CBC
    # Triple-DES:
#    option cipher DES-EDE3-CBC

    # Enable compression on the VPN link.
    # If you enable it here, you must also
    # enable it in the client config file.
    option comp_lzo yes

    # The maximum number of concurrently connected
    # clients we want to allow.
#    option max_clients 100

    # The persist options will try to avoid
    # accessing certain resources on restart
    # that may no longer be accessible because
    # of the privilege downgrade.
    option persist_key 1
    option persist_tun 1
    # Drops root privileges after start-up; the poster's live config omits
    # this line.
    option user nobody

    # Output a short status file showing
    # current connections, truncated
    # and rewritten every minute.
    option status /tmp/openvpn-status.log

    # By default, log messages will go to the syslog (or
    # on Windows, if running as a service, they will go to
    # the "\Program Files\OpenVPN\log" directory).
    # Use log or log-append to override this default.
    # "log" will truncate the log file on OpenVPN startup,
    # while "log-append" will append to it.  Use one
    # or the other (but not both).
#    option log         /tmp/openvpn.log
#    option log_append  /tmp/openvpn.log

    # Set the appropriate level of log
    # file verbosity.
    #
    # 0 is silent, except for fatal errors
    # 4 is reasonable for general usage
    # 5 and 6 can help to debug connection problems
    # 9 is extremely verbose
    option verb 3

    # Silence repeating messages.  At most 20
    # sequential messages of the same message
    # category will be output to the log.
#    option mute 20


##############################################
# Sample client-side OpenVPN 2.0 uci config  #
# for connecting to multi-client server.     #
##############################################

config openvpn sample_client

    # Set to 1 to enable this instance:
    option enabled 0

    # Specify that we are a client and that we
    # will be pulling certain config file directives
    # from the server.
    option client 1

    # Use the same setting as you are using on
    # the server.
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
#    option dev tap
    option dev tun

    # Are we connecting to a TCP or
    # UDP server?  Use the same setting as
    # on the server.
#    option proto tcp
    option proto udp

    # The hostname/IP and port of the server.
    # You can have multiple remote entries
    # to load balance between the servers.
    list remote "my_server_1 1194"
#    list remote "my_server_2 1194"

    # Choose a random host from the remote
    # list for load balancing.  Otherwise
    # try hosts in the order specified.
#    option remote_random 1

    # Keep trying indefinitely to resolve the
    # host name of the OpenVPN server.  Very useful
    # on machines which are not permanently connected
    # to the internet such as laptops.
    option resolv_retry infinite

    # Most clients don't need to bind to
    # a specific local port number.
    option nobind 1

    # Try to preserve some state across restarts.
    option persist_key 1
    option persist_tun 1
    option user nobody

    # If you are connecting through an
    # HTTP proxy to reach the actual OpenVPN
    # server, put the proxy server/IP and
    # port number here.  See the man page
    # if your proxy server requires
    # authentication.
    # retry on connection failures:
#    option http_proxy_retry 1
    # specify http proxy address and port:
#    option http_proxy "192.168.1.100 8080"

    # Wireless networks often produce a lot
    # of duplicate packets.  Set this flag
    # to silence duplicate packet warnings.
#    option mute_replay_warnings 1

    # SSL/TLS parameters.
    # See the server config file for more
    # description.  It's best to use
    # a separate .crt/.key file pair
    # for each client.  A single ca
    # file can be used for all clients.
    option ca /etc/openvpn/ca.crt
    option cert /etc/openvpn/client.crt
    option key /etc/openvpn/client.key

    # Verify server certificate by checking
    # that the certificate has the nsCertType
    # field set to "server".  This is an
    # important precaution to protect against
    # a potential attack discussed here:
    #  http://openvpn.net/howto.html#mitm
    #
    # To use this feature, you will need to generate
    # your server certificates with the nsCertType
    # field set to "server".  The build_key_server
    # script in the easy_rsa folder will do this.
#    option ns_cert_type server

    # If a tls_auth key is used on the server
    # then every client must also have the key.
#    option tls_auth "/etc/openvpn/ta.key 1"

    # Select a cryptographic cipher.
    # If the cipher option is used on the server
    # then you must also specify it here.
#    option cipher x

    # Enable compression on the VPN link.
    # Don't enable this unless it is also
    # enabled in the server config file.
    option comp_lzo yes

    # Set log file verbosity.
    option verb 3

    # Silence repeating messages
#    option mute 20

When I try to run the untouched OpenVPN config from the tutorial, I get the following error:

client-to-client
persist-key
persist-tun
tls-server
ca /etc/openvpn/ca.crt
cert /etc/openvpn/my-server.crt
comp-lzo yes
dev ovpns0
dev-type tun
dh /etc/openvpn/dh2048.pem
keepalive 10 120
key /etc/openvpn/my-server.key
log /tmp/openvpn.log
mode server
port 1194
proto udp
route-gateway dhcp
server 192.168.200.0 255.255.255.0
tls-auth /etc/openvpn/tls-auth.key 0
topology subnet
push comp-lzo yes
push persist-key
push persist-tun
push topology subnet
push route-gateway dhcp
push redirect-gateway def1 bypass-dhcp
push route 192.168.4.0 255.255.255.0
push dhcp-option DNS 192.168.4.1
root@WRT32X:~# root@WRT32X:~# openvpn -- config /tmp/etc/openvpn-vpnserver.conf
-ash: root@WRT32X:~#: not found
root@WRT32X:~# Options error: Unrecognized option or missing parameter(s) in [CM
D-LINE]:1:  (2.3.11)
-ash: syntax error: unexpected "("

When I start your config file, I get the following error:

# OpenVPN server instance as supplied by the helper. Option names are the
# OpenVPN directives with '-' replaced by '_' (compare the rendered
# /tmp/etc/openvpn-vpnserver.conf pasted above), and the init script
# apparently renders this section into that file when the service starts.
config openvpn 'vpnserver'
        # Placeholder: the address the daemon binds to. Replace it with the
        # router's WAN address, or drop the option to listen on all addresses.
        option local 'x.x.x.x'
        option port '1194'
        option proto 'udp'
        option dev 'tun'
        # CA, server certificate and private key. Only the key is secret and
        # must be readable by root alone; cert and CA are public.
        option ca '/etc/openvpn/ca.crt'
        option cert '/etc/openvpn/my-server.crt'
        option key '/etc/openvpn/my-server.key'
        option dh '/etc/openvpn/dh2048.pem'
        # Pre-shared HMAC key, direction 0 on the server (clients use 1).
        # Packets without a valid HMAC are dropped before any TLS work.
        option tls_auth '/etc/openvpn/tls-auth.key 0'
        # Lets several clients connect with the same certificate CN. That
        # removes per-client accountability and makes revocation all-or-
        # nothing; prefer one certificate per client and drop this option.
        option duplicate_cn '1'
        option server '192.168.200.0 255.255.255.0'
        option topology 'subnet'
        list push 'topology subnet'
        # Routes all client traffic, including DNS (pushed below), through
        # the tunnel.
        list push 'redirect-gateway def1 bypass-dhcp'
        list push 'route 192.168.4.0 255.255.255.0'
        list push 'dhcp-option DNS 192.168.4.1'
        list push 'dhcp-option DOMAIN lan'
        # Lets VPN clients reach each other directly; keep at 0 unless needed.
        option client_to_client '1'
        option keepalive '10 120'
        # NOTE(review): AES-256-GCM (an AEAD cipher) and the 'compress'
        # directive are, to my knowledge, OpenVPN 2.4-era syntax, while the
        # console output further down reports 2.3.11 (the sample sections
        # use the older 'comp_lzo'). Confirm with `openvpn --version`; this is
        # a plausible source of the "Unrecognized option" error. Separately,
        # compressing attacker-influenced plaintext over a VPN link is
        # generally discouraged; leaving compression off is the safer default.
        option cipher 'AES-256-GCM'
        option compress 'lzo'
        option verb '3'
        # Keep key material and the tun device open across restarts so the
        # daemon keeps working after it drops privileges to 'nobody'.
        option persist_key '1'
        option persist_tun '1'
        option user 'nobody'
        option status '/tmp/openvpn-udp-status.log'
        option mute '20'
        option enabled '1'
root@WRT32X:~# root@WRT32X:~# openvpn -- config /tmp/etc/test.conf
-ash: root@WRT32X:~#: not found


Now I have tried importing an OpenVPN client file (.ovpn), and the file /etc/config/openvpn got filled in, so maybe this is the right config file?

# Wrapper for a hand-written OpenVPN config: everything except 'enabled'
# comes from the referenced file, which must use plain OpenVPN directive
# syntax rather than UCI syntax. NOTE(review): the router log further down
# shows an instance 'my-vpn' failing at line 1 of this file with "Error
# opening configuration file: openvpn", which looks like what happens when
# the file starts with a UCI 'config openvpn' line -- worth checking.
config openvpn 'custom_config'
    option enabled '0'
    option config '/etc/openvpn/my-vpn.conf'

# Upstream sample server instance (disabled). If it is ever enabled: the DH
# file is presumably a 1024-bit group, which is considered too small today;
# generate a 2048-bit or larger group as the helper's config above does.
# It also relies on the default cipher (Blowfish per the commented sample
# above) and legacy comp_lzo compression, and has no tls_auth key.
config openvpn 'sample_server'
    option enabled '0'
    option port '1194'
    option proto 'udp'
    option dev 'tun'
    option ca '/etc/openvpn/ca.crt'
    option cert '/etc/openvpn/server.crt'
    option key '/etc/openvpn/server.key'
    option dh '/etc/openvpn/dh1024.pem'
    option server '10.8.0.0 255.255.255.0'
    # Remembers client -> address assignments across restarts.
    option ifconfig_pool_persist '/tmp/ipp.txt'
    option keepalive '10 120'
    option comp_lzo 'yes'
    option persist_key '1'
    option persist_tun '1'
    option user 'nobody'
    option status '/tmp/openvpn-status.log'
    option verb '3'

# Upstream sample client instance (disabled). It verifies the server only
# against the CA; the commented sample above shows ns_cert_type as the
# extra server-identity check to add, and tls_auth must match the server
# if the server uses it.
config openvpn 'sample_client'
    option enabled '0'
    option client '1'
    option dev 'tun'
    option proto 'udp'
    # Placeholder server name; replace with the real host and port.
    list remote 'my_server_1 1194'
    option resolv_retry 'infinite'
    option nobind '1'
    option persist_key '1'
    option persist_tun '1'
    option user 'nobody'
    # One cert/key pair per client; the key is the only secret here.
    option ca '/etc/openvpn/ca.crt'
    option cert '/etc/openvpn/client.crt'
    option key '/etc/openvpn/client.key'
    option comp_lzo 'yes'
    option verb '3'

# Unnamed instance created by the .ovpn import (enabled). The referenced
# file is a plain OpenVPN config; the router log further down rejects it at
# line 6 ('block-outside-dns', a Windows-client-only directive), so this
# instance does not start.
config openvpn
    option enabled '1'
    option name 'test.ovpn'
    option config '/etc/openvpn/openvpn.conf'
    # To my knowledge 0 disables the ping-restart timeout, so a dead tunnel
    # is not restarted automatically -- presumably taken from the .ovpn.
    option ping_restart '0'
    # Plain-file log at verbosity 4; check who can read it.
    option log '/tmp/openvpn.log'
    option dev 'tun0'
    option verb '4'
    # NOTE(review): askpass takes the path of a file holding the private-key
    # passphrase, not the passphrase itself; 'test' here is a relative path.
    # A passphrase file, if used, must be readable by root only.
    option askpass 'test'

There is a script /etc/openvpn_updown; I don't know if this matters, but here is its content:



#!/bin/sh

# OpenVPN up/down hook. All input arrives through environment variables that
# OpenVPN sets for such scripts ($script_type, $script_context,
# $route_net_gateway, ...); no command-line arguments are read.

echo "remote1: $remote_1"
echo "script_context: $script_context"
echo "script_type: $script_type"
echo "signal: $signal"
echo "trusted_ip: $trusted_ip"
echo "untrusted_ip: $untrusted_ip"

# Start from the gateway OpenVPN detected, then prefer the WAN interface's
# default-route nexthop (from netifd via ubus) whenever one is available,
# since the two can differ.
gateway=$route_net_gateway
echo "gateway1: $gateway"
wan_gw=$(ubus call network.interface.wan status 2>/dev/null | jsonfilter -e '@.route[@.target="0.0.0.0"].nexthop' 2>/dev/null)
echo "gateway2: $wan_gw"
if [ -n "$wan_gw" ]; then
    gateway=$wan_gw
fi
echo "gateway: $gateway"

# Drop the VPN-provided resolver file (silently, it may not exist) and bump
# the mtime of the system resolv file so dnsmasq's polling notices the change.
cleanup() {
    rm -f /tmp/resolv.conf.openvpn 2>/dev/null
    touch /tmp/resolv.conf.auto
}

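# store_pushed_dns VALUE
# Append one server-pushed DNS address to the OpenVPN resolv file (and echo
# it for the log). VALUE originates from the remote server (foreign_option_N),
# so only something that looks like an IPv4/IPv6 address is accepted; anything
# else is reported and dropped rather than written into a resolver file.
store_pushed_dns() {
    case $1 in
        ""|*[!0-9A-Fa-f:.]*)
            echo "ignoring pushed DNS value that is not an address: $1"
            ;;
        *)
            echo "nameserver $1"
            echo "nameserver $1" >> /tmp/resolv.conf.openvpn
            ;;
    esac
}

case $script_type in
  up)
    # Publish link state to netifd. $script_context is double-quoted inside
    # the JSON so it is neither word-split nor glob-expanded while the
    # argument is assembled.
    ubus call network.interface.vpn0 set_data '{ "status": "up", "last_context": "'"$script_context"'" }'

    cleanup

    # Walk foreign_option_1, foreign_option_2, ... (pushed options that
    # OpenVPN itself does not consume) and collect the DNS servers.
    c=1
    while true; do
        eval "fo=\${foreign_option_$c}"
        [ -n "$fo" ] || break

        if [ "${fo%% *}" = "dhcp-option" ]; then
            s=${fo#dhcp-option }
            if [ "${s%% *}" = "DNS" ]; then
                store_pushed_dns "${s#DNS }"
            fi
        fi
        c=$((c + 1))
    done
    ;;
  down)
    ubus call network.interface.vpn0 set_data '{ "status": "down", "last_context": "'"$script_context"'" }'

    # On a restart (WAN went up/down) re-create the host route to the VPN
    # server through the real gateway. If there is no gateway, or the server
    # name could not be resolved, restart the whole service instead.
    if [ "$script_context" = "restart" ]; then
        if [ -z "$gateway" ]; then
            echo "gateway empty"
            cleanup
            /etc/init.d/openvpn restart
            exit
        fi

        # remote_1 is set but no trusted_ip was produced: name resolution failed.
        if [ -n "$remote_1" ] && [ -z "$trusted_ip" ]; then
            echo "dns fail"
            cleanup
            /etc/init.d/openvpn restart
            exit
        fi

        echo "execute /sbin/route add -net $trusted_ip netmask 255.255.255.255 gw $gateway"
        /sbin/route add -net "$trusted_ip" netmask 255.255.255.255 gw "$gateway"
    fi

    cleanup
    ;;
esac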

There should be no space between "--" and "config". The switch is "--config", not "-- config".

I have got another hint:

The content of /etc/config/openvpn is copied to /tmp/etc/openvpn-vpnserver.conf when I start the OpenVPN service.


I have googled a little bit and may have found the error:

Options error: Unrecognized option or missing parameter(s) in [CMD-LINE]:1:  (2.3.11)

This line could mean that my OpenVPN server does not understand a line from the config file.

I found a thread suggesting that version 2.3.11 cannot handle the compression option !? (The config above uses `option compress 'lzo'`, whereas the sample sections use `option comp_lzo 'yes'`.)

I have found something in the router log (not the OpenVPN log):

Mon Mar 26 21:26:53 2018 daemon.err openvpn(my-vpn)[8976]: Options error: In /etc/openvpn/my-vpn.conf:1: Error opening configuration file: openvpn
Mon Mar 26 21:26:53 2018 daemon.warn openvpn(my-vpn)[8976]: Use --help for more information.
Mon Mar 26 21:26:53 2018 daemon.err openvpn(openvpn)[8977]: Options error: Unrecognized option or missing parameter(s) in /etc/openvpn/openvpn.conf:6: block-outside-dns (2.3.11)

Inf1n1nty wrote:

Unrecognized option or missing parameter(s) in /etc/openvpn/openvpn.conf:6: block-outside-dns (2.3.11)

block-outside-dns is a Windows client-side option only. It won't work on the server-side, and won't work under Linux.

If you search for "OpenVPN DNS leak" you'll find a more in-depth explanation of what the block-outside-dns option does, and what the Linux client equivalent is (should you wish to run an OpenVPN client on Linux/Android/Mac/etc.).

(Last edited by 600cc on 26 Mar 2018, 22:20)

Thank you,

now my port forwardings are not working any more.

Something is wrong with my config and I will reset my router and make a new OpenVPN Config.

Is there a complete tutorial on how I should configure OpenVPN with your config (including creating the RSA keys, etc.)?

Or should I start with this guide?

https://wiki.openwrt.org/doc/howto/open … rver-setup

Thank you!