OpenWrt Forum Archive

Topic: OpenVPN init script doesn't work

The content of this topic has been archived on 4 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Does anyone have the default installed openvpn initscript actually starting their VPNs? Or do I need to write my own? Using Kamikaze (r18961) and openvpn 2.0.9-5.1. Thanks!

Yes, it works for me and I'm running the same versions of Kamikaze and OpenVPN that you are.

Here is my server side configuration:

/etc/config/openvpn:

package openvpn

config openvpn ptp_config
        option enable 1
        option config /etc/openvpn/server.conf

/etc/openvpn/server.conf:

dev tun
port 1194
ifconfig 10.1.254.1 10.1.254.2
secret /etc/openvpn/static.key
status /tmp/openvpn-status.log
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
route 192.168.10.0 255.255.255.0 10.1.254.2
verb 3

Add this to the /etc/config/firewall:

config 'zone'                             
        option 'name' 'vpn'               
        option 'input' 'ACCEPT'           
        option 'output' 'ACCEPT'          
        option 'forward' 'ACCEPT'         
                                          
config 'forwarding'                       
        option 'src' 'lan'                
        option 'dest' 'vpn'

And add interface and static route to /etc/config/network:

config 'interface' 'vpn'
        option 'ifname' 'tun0'
        option 'proto' 'static'
        option 'ipaddr' '10.1.254.1'
        option 'netmask' '255.255.255.0'

config 'route'
    option 'interface' 'vpn'
    option 'target' '192.168.10.0'
    option 'netmask' '255.255.255.0'
    option 'gateway' '10.1.254.2'

I have a similar client configuration on the client side:

/etc/config/openvpn:

package openvpn

config openvpn ptp_config
    option enable 1
    option config /etc/openvpn/client.conf

/etc/openvpn/client.conf:

remote myserver.mydomain.com
dev tun
port 1194
ifconfig 10.1.254.2 10.1.254.1
secret /etc/openvpn/static.key
status /tmp/openvpn-status.log
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
route 192.168.1.0 255.255.255.0 10.1.254.1

Add this to the /etc/config/firewall:

config 'zone'                             
        option 'name' 'vpn'               
        option 'input' 'ACCEPT'           
        option 'output' 'ACCEPT'          
        option 'forward' 'ACCEPT'         
                                          
config 'forwarding'                       
        option 'src' 'lan'                
        option 'dest' 'vpn'

Add interface and route addition to /etc/config/network:

config 'interface' 'vpn'                
        option 'ifname' 'tun0'          
        option 'proto' 'static'         
        option 'ipaddr' '10.1.254.2'    
        option 'netmask' '255.255.255.0'

config 'route'
    option 'interface' 'vpn'
    option 'target' '192.168.1.0'
    option 'netmask' '255.255.255.0'
    option 'gateway' '10.1.254.1'

Server's lan is 192.168.1.0/24 and client's lan is 192.168.10.0/24. Tunnel addresses are 10.1.254.1 and 2. This is a simple routed tunnel configuration with a static key.

I am using Kamikaze (r19957) and openvpn 2.1.1; the default installed openvpn is not starting VPNs!

What can I do?

ccbcfan wrote:

I am using Kamikaze (r19957) and openvpn 2.1.1; the default installed openvpn is not starting VPNs!

What can I do?

working for me with r20299 and openvpn 2.1.1

For me it works. I am using an OpenVPN (client) configured entirely with UCI.

Dogge wrote:

For me it works. I am using an OpenVPN (client) configured entirely with UCI.

Really? That's very interesting. What type of VPN setup do you have? Is it a road warrior client configuration or something a little more? How do you configure OpenVPN in Luci? I'm running 8.09.2 and don't see a way to do a complete configuration so any help would be greatly appreciated. I would be willing to throw some documentation together to help others (and myself) if I can get a handle on it myself. Any details you can provide on your setup and what the Luci configuration steps are would be great. Thanks!

Well, I use Backfire 10.03 which is more or less trunk. I just installed luci-app-openvpn. On OpenWrt I run an OpenVPN client (routed) connected to StrongVPN (http://www.strongvpn.com/). All works fine.

Here is my OpenVPN UCI config (/etc/config/openvpn):

package 'openvpn'

config 'openvpn' 'custom_config'
        option 'enable' '0'
        option 'config' '/etc/openvpn/ovpn022.ovpn'

config 'openvpn' 'strongvpn_client'
        option 'enable' '1'
        list 'remote' '188.40.203.151 4672'
        option 'ca' '/etc/openvpn/ca.crt'
        option 'cert' '/etc/openvpn/ovpn022.crt'
        option 'key' '/etc/openvpn/ovpn022.key'
        option 'tls_auth' '/etc/openvpn/ta.key 1'
        option 'client' '1'
        option 'dev' 'tun'
        option 'resolv_retry' 'infinite'
        option 'nobind' '1'
        option 'persist_key' '1'
        option 'persist_tun' '1'
        option 'verb' '4'
        option 'mute' '5'
        option 'tun_mtu' '1500'
        option 'explicit_exit_notify' '2'
        option 'fragment' '1300'
        option 'mssfix' '1450'
        option 'script_security' '2'
        option 'up' '/etc/openvpn/up.sh'

/etc/openvpn/up.sh

#!/bin/sh

ACTION=ifup DEVICE=tun0 INTERFACE=vpn /sbin/hotplug-call iface

exit 0

/etc/config/firewall

package 'firewall'

config 'defaults'
        option 'syn_flood' '1'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'

config 'zone'
        option 'name' 'lan'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'

config 'zone'
        option 'name' 'wan'
        option 'input' 'REJECT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'masq' '1'
        option 'mtu_fix' '1'

config 'forwarding'
        option 'src' 'lan'
        option 'dest' 'wan'

config 'rule'
        option 'src' 'wan'
        option 'proto' 'udp'
        option 'dest_port' '68'
        option 'target' 'ACCEPT'

config 'include'
        option 'path' '/etc/firewall.user'

config 'zone'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'name' 'vpn'
        option 'forward' 'REJECT'
        option 'masq' '1'

config 'forwarding'
        option 'src' 'lan'
        option 'dest' 'vpn'

config 'rule'
        option 'src' 'wan'
        option 'port' '4672'
        option 'target' 'ACCEPT'
        option 'proto' 'udp'

/etc/config/network

package 'network'

config 'switch' 'eth0'
        option 'enable' '1'

config 'switch_vlan' 'eth0_0'
        option 'device' 'eth0'
        option 'vlan' '0'
        option 'ports' '1 2 3 4 5'

config 'switch_vlan' 'eth0_1'
        option 'device' 'eth0'
        option 'vlan' '1'
        option 'ports' '0 5'

config 'interface' 'loopback'
        option 'ifname' 'lo'
        option 'proto' 'static'
        option 'ipaddr' '127.0.0.1'
        option 'netmask' '255.0.0.0'

config 'interface' 'lan'
        option 'type' 'bridge'
        option 'ifname' 'eth0.0'
        option 'proto' 'static'
        option 'netmask' '255.255.255.0'
        option 'ipaddr' '192.168.1.1'

config 'interface' 'wan'
        option 'ifname' 'eth0.1'
        option 'proto' 'dhcp'

config 'interface' 'vpn'
        option 'ifname' 'tun0'
        option 'auto' '1'
        option 'proto' 'static'

(Last edited by Dogge on 18 Apr 2010, 20:04)

ccbcfan wrote:

What can I do?

"Does not work" is a very precise problem description to work with. However I assume you placed one or more .conf files in /etc/openvpn/ and now you wonder why no OpenVPN instance is started for them.

In order to make the initscript start the instances you have to define entries like the following in /etc/config/openvpn.

config openvpn my_instance_name
        option enable 1
        option config /etc/openvpn/my_config.conf

To make OpenVPN autostart on boot you have to run "/etc/init.d/openvpn enable" .
You can see what's going on with "logread".

~ JoW
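jow's answer boils down to three things the initscript needs: a `config openvpn` section with `option enable 1`, an `option config` path that actually exists, and the service enabled for boot. The POSIX sh script below is an added example (not from this thread and not part of OpenWrt's own initscript) that automates those checks against a root directory, and additionally flags key files that are group- or world-readable, which is the condition behind the "is group or others accessible" warning visible in the server log further down the thread. It assumes the plain UCI syntax shown in the posts, needs no `uci` binary, and runs on a constructed directory tree so it works without a router; the function names and the demo tree are mine.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenWrt: a pre-flight check for
# the UCI file the openvpn initscript reads. Per 'config openvpn' section it
# reports whether 'option enable' is 1, whether a referenced 'option config'
# file exists, whether autostart is enabled (an /etc/rc.d/S*openvpn symlink)
# and whether key material is group/world readable. Everything takes a path
# argument, so it can be exercised on a constructed tree.

# Print "section enable config" for every openvpn section in FILE.
# Quotes are stripped first; absent values print as '-'.
uci_openvpn_sections() {
    sed "s/'//g" "$1" | awk '
        function flush() { if (sec != "") print sec, en, cf }
        $1 == "config" && $2 == "openvpn" {
            flush(); sec = ($3 == "" ? "(unnamed)" : $3); en = "-"; cf = "-"; next
        }
        $1 == "option" && $2 == "enable" { en = $3 }
        $1 == "option" && $2 == "config" { cf = $3 }
        END { flush() }'
}

# One verdict line per section: a section the initscript would skip (enable
# not 1) or whose config file is missing gets WARN, otherwise OK.
check_openvpn_config() {
    uci_openvpn_sections "$1" | while read -r sec en cf; do
        if [ "$en" != "1" ]; then
            echo "WARN $sec: enable is '$en', the initscript will not start it"
        elif [ "$cf" != "-" ] && [ ! -f "$cf" ]; then
            echo "WARN $sec: config file $cf does not exist"
        else
            echo "OK   $sec"
        fi
    done
}

# Number of WARN lines, for callers that want a single result.
count_openvpn_problems() {
    check_openvpn_config "$1" | grep -c '^WARN' || true
}

# "yes" if a boot-time symlink exists under ROOT/etc/rc.d, as created by
# "/etc/init.d/openvpn enable"; "no" otherwise.
autostart_enabled() {
    for f in "$1"/etc/rc.d/S*openvpn; do
        if [ -L "$f" ] || [ -e "$f" ]; then echo yes; return 0; fi
    done
    echo no
}

# Flag *.key/*.pem files in DIR readable by group or others; this is the
# condition behind OpenVPN's "is group or others accessible" start-up warning.
check_key_perms() {
    for f in "$1"/*.key "$1"/*.pem; do
        [ -e "$f" ] || continue
        if [ "$(ls -ld "$f" | cut -c5-10)" = "------" ]; then
            echo "OK   $f is owner-only"
        else
            echo "WARN $f is group or others accessible (chmod 600 $f)"
        fi
    done
}

count_loose_keys() {
    check_key_perms "$1" | grep -c '^WARN' || true
}

# Constructed demo tree (not real router state): one good section, one with
# no 'enable', one pointing at a missing file; one 0644 key and one 0600 key.
make_demo() {
    d=$1
    mkdir -p "$d/etc/config" "$d/etc/openvpn"
    : > "$d/etc/openvpn/my-vpn.conf"
    cat > "$d/etc/config/openvpn" <<EOF
package openvpn

config openvpn ptp_config
        option enable 1
        option config $d/etc/openvpn/my-vpn.conf

config 'openvpn' 'custom_config'
        option 'config' '$d/etc/openvpn/my-vpn.conf'

config openvpn typo_path
        option enable 1
        option config $d/etc/openvpn/missing.conf
EOF
    : > "$d/etc/openvpn/server.key"; chmod 644 "$d/etc/openvpn/server.key"
    : > "$d/etc/openvpn/static.key"; chmod 600 "$d/etc/openvpn/static.key"
}

# Stand-alone run: build the demo tree, report, clean up.
demo=$(mktemp -d)
make_demo "$demo"
check_openvpn_config "$demo/etc/config/openvpn"
echo "autostart: $(autostart_enabled "$demo")"
check_key_perms "$demo/etc/openvpn"
rm -rf "$demo"
```

On a real router the same functions would be pointed at `/etc/config/openvpn`, `/` and `/etc/openvpn`; the demo tree only reproduces the situations from the thread (a section without `enable`, a path that does not exist, a key file left at 0644).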

Nice! Thanks Dogge! And jow, it never even occurred to me that the original poster may not have "enabled" the script. That could very well be all he needed.

The basic UCI config I understand, but why take a perfectly good .conf or .ovpn file (usable on multiple platforms) and convert it into UCI?
This just seems like too much work, especially when you're defining multiple client configs.

I prefer to have all in UCI format for easier handling.

I had never encountered UCI before so I had no idea why the configs weren't loading. Void Main's post gave me the hint I needed and I'm up and running now. Rather than convert my configs to UCI, I just load them in /etc/config/openvpn with the config option.

(Last edited by thegewp on 30 Mar 2010, 18:07)

According to this wiki:
http://wiki.openwrt.org/oldwiki/openvpn … ure.client
http://openvpn.net/bridge.html

when I use Kamikaze (r18045) and openvpn 2.1.0, it works well!

Now I have upgraded to Kamikaze (r19957) and openvpn 2.1.1.
When I bridge tap0 to br-lan in the same way and start the VPN server, then as soon as the client (OpenVPN GUI 2.09) connects to the AP's VPN from LAN or WAN, the AP immediately reboots?
This is my config:
/etc/openvpn/startupscript up

#!/bin/sh
#/etc/openvpn/startupscript
# OpenVPN Bridge Config File
# Creates TAP devices for use by OpenVPN and bridges them into OpenWRT Bridge
# Taken from http://openvpn.net/bridge.html
# Define Bridge Interface
# Preexisting on OpenWRT
br="br-lan"
# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"
case "$1" in
        up)
                # Make sure module is loaded
                insmod tun
                # Build tap devices
                for t in $tap; do
                    openvpn --mktun --dev $t
                done
                # Add TAP interfaces to OpenWRT bridge
                for t in $tap; do
                    brctl addif $br $t
                done
                #Configure bridged interfaces
                for t in $tap; do
                    ifconfig $t 0.0.0.0 promisc up
                done
        ;;
        down)
                for t in $tap; do
                    ifconfig $t 0.0.0.0 down
                done
                for t in $tap; do
                    brctl delif $br $t
                done
                for t in $tap; do
                    openvpn --rmtun --dev $t
                done
                rmmod tun
        ;;
        *)
                echo "$0 {up|down}"
        ;;
esac

/etc/config$ brctl show
bridge name     bridge id               STP enabled     interfaces
br-lan          8000.007404037df3       no              eth1.0
                                                        wlan0
                                                        tap0

/etc/init.d/openvpn start

/etc/config/network

config 'switch' 'eth1'
    option 'reset' '1'
    option 'enable_vlan' '1'
    option 'vlan0' '0 1 2 5*'
    option 'vlan1' '3 5*'

config 'switch_vlan'
    option 'device' 'eth1'
    option 'vlan' '0'
    option 'ports' '0 1 2 5*'

config 'switch_vlan'
    option 'device' 'eth1'
    option 'vlan' '1'
    option 'ports' '3 5*'

config 'interface' 'loopback'
    option 'ifname' 'lo'
    option 'proto' 'static'
    option 'ipaddr' '127.0.0.1'
    option 'netmask' '255.0.0.0'

config 'interface' 'lan'
    option 'type' 'bridge'
    option 'proto' 'static'
    option 'netmask' '255.255.255.0'
    option 'nat' '1'
    option 'ipaddr' '192.168.3.1'
    option 'ifname' 'eth1.0'
    option 'defaultroute' '0'
    option 'peerdns' '0'

config 'interface' 'wan'
    option 'ifname' 'eth1.1'
    option 'macaddr' '00:1B:38:9E:7B:01'
    option 'proto' 'pppoe'
    option 'username' 'xxxx'
    option 'password' 'xxxxx'
    option 'defaultroute' '1'
    option 'peerdns' '1'
    option 'mtu' '1492'

config 'interface' 'vpn'
    option 'proto' 'static'
    option 'netmask' '255.255.255.0'
    option 'defaultroute' '0'
    option 'peerdns' '0'
    option 'nat' '1'
    option 'ifname' 'tap0'
    option 'ipaddr' '192.168.3.1'

/etc/config/openvpn

config 'openvpn' 'custom_config'
    option 'config' '/etc/openvpn/my-vpn.conf'

config 'openvpn' 'sample_server'
    option 'port' '443'
    option 'dev' 'tap'
    option 'ca' '/etc/openvpn/ca.crt'
    option 'cert' '/etc/openvpn/server.crt'
    option 'key' '/etc/openvpn/server.key'
    option 'dh' '/etc/openvpn/dh1024.pem'
    option 'server' '192.168.10.0 255.255.255.0'
    option 'keepalive' '10 120'
    option 'comp_lzo' '1'
    option 'persist_key' '1'
    option 'persist_tun' '1'
    option 'log' '/etc/openvpn/openvpn.log'
    option 'verb' '4'
    option 'enable' '1'
    option 'proto' 'tcp'
    option 'client_to_client' '1'
    option 'dev_type' 'tap'

config 'openvpn' 'vpn0'
    option 'enable' '0'
    option 'port' '443'
    option 'dev' 'tap0'
    option 'secret' '/etc/openvpn/server-static.key'
    option 'verb' '3'
    option 'dev_type' 'tap'
    option 'proto' 'tcp-server'
    option 'persist_key' '1'
    option 'persist_tun' '1'
    option 'log' '/etc/openvpn/openvpn.log'

openvpn gui 2.09 client.conf

dev tap0
secret key.txt
proto tcp-client
remote 192.168.3.1 443
keepalive 30 180
resolv-retry infinite
verb 3
comp-lzo

or

tls-client
dev tap
proto tcp-client
remote 192.168.3.1 443

keepalive 10 60
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert cfan.crt
key cfan.key
comp-lzo
verb 3

server log

Thu Apr  1 11:32:42 2010 OpenVPN 2.1.1 mips-openwrt-linux [SSL] [LZO2] built on Mar 29 2010
Thu Apr  1 11:32:42 2010 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Thu Apr  1 11:32:42 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Apr  1 11:32:42 2010 Diffie-Hellman initialized with 1024 bit key
Thu Apr  1 11:32:42 2010 WARNING: file '/etc/openvpn/server.key' is group or others accessible
Thu Apr  1 11:32:42 2010 WARNING: file '/etc/openvpn/ta.key' is group or others accessible
Thu Apr  1 11:32:42 2010 Control Channel Authentication: using '/etc/openvpn/ta.key' as a OpenVPN static key file
Thu Apr  1 11:32:42 2010 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr  1 11:32:42 2010 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr  1 11:32:42 2010 TLS-Auth MTU parms [ L:1575 D:168 EF:68 EB:0 ET:0 EL:0 ]
Thu Apr  1 11:32:42 2010 TUN/TAP device tap0 opened
Thu Apr  1 11:32:42 2010 TUN/TAP TX queue length set to 100
Thu Apr  1 11:32:42 2010 Data Channel MTU parms [ L:1575 D:1450 EF:43 EB:4 ET:32 EL:0 ]
Thu Apr  1 11:32:42 2010 Listening for incoming TCP connection on [undef]:443
Thu Apr  1 11:32:42 2010 Socket Buffers: R=[87380->131072] S=[16384->131072]
Thu Apr  1 11:32:42 2010 TCPv4_SERVER link local (bound): [undef]:443
Thu Apr  1 11:32:42 2010 TCPv4_SERVER link remote: [undef]
Thu Apr  1 11:32:42 2010 MULTI: multi_init called, r=256 v=256
Thu Apr  1 11:32:42 2010 IFCONFIG POOL: base=192.168.3.201 size=50
Thu Apr  1 11:32:42 2010 MULTI: TCP INIT maxclients=1024 maxevents=1028
Thu Apr  1 11:32:42 2010 Initialization Sequence Completed
Thu Apr  1 11:36:16 2010 Control Channel MTU parms [ L:1575 D:168 EF:68 EB:0 ET:0 EL:0 ]
Thu Apr  1 11:36:16 2010 Data Channel MTU parms [ L:1575 D:1450 EF:43 EB:4 ET:32 EL:0 ]
Thu Apr  1 11:36:16 2010 Local Options hash (VER=V4): '47106f19'
Thu Apr  1 11:36:16 2010 Expected Remote Options hash (VER=V4): '8a6c6b5b'
Thu Apr  1 11:36:16 2010 TCP connection established with 192.168.3.100:3345
Thu Apr  1 11:36:16 2010 Socket Buffers: R=[131072->131072] S=[131072->131072]
Thu Apr  1 11:36:16 2010 TCPv4_SERVER link local: [undef]
Thu Apr  1 11:36:16 2010 TCPv4_SERVER link remote: 192.168.3.100:3345
Thu Apr  1 11:36:16 2010 192.168.3.100:3345 TLS: Initial packet from 192.168.3.100:3345, sid=796d73e1 301295d9
Thu Apr  1 11:36:16 2010 192.168.3.100:3345 VERIFY OK: depth=1, /C=CN/ST=HN/L=HH/O=OpenVPN/OU=openvpn_org/CN=OpenVPN_RootCA/emailAddress=xxxx@qq.com
Thu Apr  1 11:36:16 2010 192.168.3.100:3345 VERIFY OK: depth=0, /C=CN/ST=HN/O=OpenVPN/OU=openvpn_org/CN=cfan/emailAddress=xxxx@qq.com
Thu Apr  1 11:36:17 2010 192.168.3.100:3345 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1575', remote='link-mtu 1576'
Thu Apr  1 11:36:17 2010 192.168.3.100:3345 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Apr  1 11:36:17 2010 192.168.3.100:3345 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr  1 11:36:17 2010 192.168.3.100:3345 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Apr  1 11:36:17 2010 192.168.3.100:3345 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr  1 11:36:17 2010 192.168.3.100:3345 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Apr  1 11:36:17 2010 192.168.3.100:3345 [cfan] Peer Connection Initiated with 192.168.3.100:3345
Thu Apr  1 11:36:41 2010 cfan/192.168.3.100:3345 MULTI: Learn: 1e:b4:cb:07:ed:2d -> cfan/192.168.3.100:3345

Now the AP restarts!
This is the AP's ttl output:

root@Openwrt:/# skb_under_panic: text:802110f8 len:343 put:14 head:831e9802 data:831e9800 tail:0x831e9957 end:0x831e9960 dev:wlan0
Kernel bug detected[#1]:
Cpu 0
$ 0   : 00000000 10008400 00000079 00000001
$ 4   : 8026a270 00002cf7 00000001 00002cf7
$ 8   : 0000000a 00000001 00000400 802a5c5c
$12   : 0000000e 83930910 ffffffff 00000000
$16   : 83b57380 83adcd80 831dccc0 83ac3ac0
$20   : 80211190 00000003 00000000 80273878
$24   : 00000000 831e9957                  
$28   : 8329a000 8329bba8 00000001 8019ccac
Hi    : 00000000
Lo    : 00000095
epc   : 8019ccac 0x8019ccac
    Not tainted
ra    : 8019ccac 0x8019ccac
Status: 10008403    KERNEL EXL IE 
Cause : 00800024
PrId  : 0002a010 (Broadcom BCM6358)
.....
Code: afa9001c  0c0065a5  afa20020 <0200000d> 0806732c  00000000  8fbf002c  01001021  03e00008 
Disabling lock debugging due to kernel taint
Kernel panic - not syncing: Fatal exception in interrupt
Rebooting in 3 seconds..
Address 0xbe000000g soft-reset...

I need the client to connect to the internet through an HTTP proxy to the VPN.
How can I set the config with LuCI when tap0 is bridged to br-lan, like this: http://openvpn.net/bridge.html
Or, without bridging tap0 to br-lan, how should I configure it?
Help me, thanks!

(Last edited by ccbcfan on 1 Apr 2010, 05:00)
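One thing that stands out in the /etc/config/network posted above, independent of the kernel panic (which this example does not claim to explain): both 'lan' (the br-lan bridge) and 'vpn' (tap0) are given the address 192.168.3.1, while the bridge script from openvpn.net makes tap0 a port of br-lan and sets it to 0.0.0.0, so the address belongs to the bridge alone. The POSIX sh below is an added example (not from the thread, not the poster's file) that parses a network config and reports such overlaps: interface sections sharing one static address, and a bridged device that is also given its own address. It runs on a constructed file modelled on the posted layout; function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: a sanity check over /etc/config/network
# for the bridged-TAP layout. It reports (a) interface sections that share one
# static ipaddr and (b) a device the bridge script enslaves into br-lan that is
# also given its own address (a bridge port carries no address; br-lan does).
# The input is a constructed file, so this runs without a router.

# Print "name ipaddr ifname type" per interface section of FILE ('-' if absent;
# several ifnames are joined with commas). Quotes are stripped first.
network_interfaces() {
    sed "s/'//g" "$1" | awk '
        function flush() { if (n != "") print n, ip, ifn, ty }
        $1 == "config" && $2 == "interface" {
            flush(); n = ($3 == "" ? "(unnamed)" : $3); ip = "-"; ifn = "-"; ty = "-"; next
        }
        $1 == "config" { flush(); n = "" }
        $1 == "option" && n != "" && $2 == "ipaddr" { ip = $3 }
        $1 == "option" && n != "" && $2 == "ifname" {
            ifn = $3; for (i = 4; i <= NF; i++) ifn = ifn "," $i
        }
        $1 == "option" && n != "" && $2 == "type" { ty = $3 }
        END { flush() }'
}

# Addresses claimed by more than one interface section, as "addr: a b".
duplicate_addresses() {
    network_interfaces "$1" | awk '
        $2 != "-" { owners[$2] = owners[$2] " " $1; count[$2]++ }
        END { for (a in count) if (count[a] > 1) print a ":" owners[a] }'
}

# Interface sections (other than the bridge itself) that put an address on a
# device listed as a bridge port; the devices after FILE are the ones the
# bridge script adds to br-lan.
addressed_bridge_ports() {
    file=$1; shift
    for t in "$@"; do
        network_interfaces "$file" | awk -v t="$t" '
            $2 != "-" && $4 != "bridge" && index("," $3 ",", "," t ",") > 0 {
                print $1 ": " t " has ipaddr " $2
            }'
    done
}

# Constructed input modelled on the posted layout (not the poster's file).
make_network_demo() {
    cat > "$1" <<'EOF'
config switch eth1
    option enable_vlan 1

config interface loopback
    option ifname lo
    option proto static
    option ipaddr 127.0.0.1

config interface lan
    option type bridge
    option ifname eth1.0
    option proto static
    option ipaddr 192.168.3.1

config interface wan
    option ifname eth1.1
    option proto pppoe

config interface vpn
    option ifname tap0
    option proto static
    option ipaddr 192.168.3.1
EOF
}

# Stand-alone run on the constructed file.
f=$(mktemp)
make_network_demo "$f"
echo "duplicate addresses:"; duplicate_addresses "$f"
echo "addressed bridge ports:"; addressed_bridge_ports "$f" tap0
rm -f "$f"
```

Pointed at a real `/etc/config/network` with the tap names from the bridge script's `tap=` list, the two reports show whether a TAP device that is meant to be a plain bridge port has been given an address that duplicates the bridge's own.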
