OpenWrt Forum Archive

Topic: Luci Openvpn client setup with an ovpn file

The content of this topic has been archived on 6 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Is there a way to configure OpenVPN using Luci and an ovpn file?  The only way I have been able to see that one can use the ovpn file is to start the VPN from the command line using the ovpn file, or struggling through stripping the file down to its pieces (key, cert, ca, and individual options) and entering them manually.  It seems that if OpenVPN designed this file for ease of use, it should make it easy to use!  I must be missing something.

(Last edited by baxterdmutt on 6 May 2016, 04:56)

Rename .ovpn file to .conf file, drop it into /etc/openvpn/ and restart the OpenVPN service. #worksforme
PS. You'd have to either embed or also upload key/certificate and upload/create locally credentials file.

(Last edited by stangri on 6 May 2016, 06:51)

Hi, Thanks, but that doesn't do anything.  I'm using Chaos Calmer and when I do as you suggested, nothing shows up in Luci on the openvpn tab.  I even tried restarting the router completely.

Ok, I kinda figured this out.  First let me say that the wikis on OpenWrt to do with OpenVPN are out of date and missing key ingredients for newbies like me.
1) It looks like OpenVPN no longer uses the /etc/openvpn/ directory as the default config directory and nor does it recognize .conf or .ovpn files.  The (only) config file is /etc/config/openvpn.  It needs to be formatted like this:
    option dev tun
    option persist_key 1
    etc.
The old way that I read about using a conf file would have just had:
    dev tun
OpenWrt Chaos Calmer just ignores that format.

2) Chaos Calmer does not install the openvpn-openssl package when openvpn is installed.  I think it should be a dependency because nothing works without it. For example, without the openvpn-openssl package the '/etc/init.d/openvpn enable' command returns a not found error unless openssl is installed.  The /etc/config/openvpn example config file does not exist without openvpn-openssl.

You do have to strip any of the certificates and keys out of the ovpn file as well and create .key and .crt files, and Luci puts them here by default:
    option key '/lib/uci/upload/cbid.openvpn.-your-.key'
    option cert '/lib/uci/upload/cbid.openvpn.-your-.cert'
    option ca '/lib/uci/upload/cbid.openvpn.-your-.ca'
It was a pain finding them (for a newbie) because Luci doesn't give a hint, and the wiki and even the openvpn config file that openvpn-openssl gives suggest they are in /etc/openvpn. But nothing is there unless you create the directory yourself and put stuff there.

Hopefully the 2 days of my life that are now gone can be of some help to other newbies trying to follow out of date wiki pages.

Most of the wikis were created for OpenWrt OpenVPN servers and assume a PC client.  That's why (I think) there are no 'option' values in the config files for at least some of the wikis.  I currently think this page is the best and it does note that the clients are not OpenWrt.
https://wiki.openwrt.org/doc/howto/open … er-setup?s[]=openvpn&s[]=streamlined

There is no extension on the file, correct.

I think the current convention is to put the keys and certs into /etc/openvpn, though you can path them anywhere.  A proper install should create the /etc/openvpn folder.  I do not recall ever manually creating this folder.  In general Luci has no help included for any package.

There is NO openvpn package.  You need only one of the 3 openvpn packages, depending on the security you want to use (openvpn-openssl, openvpn-polarssl, or openvpn-nossl).  The luci-app-openvpn is just the gui, which is nice to have but I feel has some issues.  I think the controls are not reliable and there are more elements than in Luci, but I cannot demonstrate this.

You have to *either* configure thru luci/uci (and then the settings are stored in /etc/config/openvpn) *or* use the original OpenVPN file (just change extension from .ovpn to .conf) in /etc/openvpn/ in which case at best luci shows that service is running, but you can't change any settings thru it. Both ways work.

Wiki is not out of date, it's accurate and it describes the former method.

Depending on your requirements you can run either of the openvpn-nossl, openvpn-openssl or openvpn-polarssl packages. Unless you already have libopenssl installed, it makes more sense to run the openvpn-polarssl package.

RangerZ wrote:

Most of the wikis were created for OpenWrt OpenVPN servers and assume a PC client.  That's why (I think) there are no 'option' values in the config files for at least some of the wikis.  I currently think this page is the best and it does note that the clients are not OpenWrt.
https://wiki.openwrt.org/doc/howto/open … er-setup?s[]=openvpn&s[]=streamlined

There is no extension on the file, correct.

There is NO openvpn package.

I searched google for wikis and this one never came up. Too bad, it would have saved me a lot of time. I'm not even sure which wiki I used (I started a couple days ago) but it did not indicate that I had to install Openvpn-OpenSSL separately.

stangri wrote:

You have to *either* configure thru luci/uci (and then the settings are stored in /etc/config/openvpn) *or* use the original OpenVPN file (just change extension from .ovpn to .conf) in /etc/openvpn/ in which case at best luci shows that service is running, but you can't change any settings thru it. Both ways work.

Wiki is not out of date, it's accurate and it describes the former method.

Depending on your requirements you can run either of the openvpn-nossl, openvpn-openssl or openvpn-polarssl packages. Unless you already have libopenssl installed, it makes more sense to run the openvpn-polarssl package.

Sorry, I must disagree. Either the wiki is out of date for Chaos Calmer or it's not running as it should (seems unlikely because everything is working fine now that I have everything installed properly). Putting a valid .ovpn file in the /etc/openvpn directory and renaming it to .conf does nothing. I have a working system, so I know the config I transcribed into the /etc/config/openvpn file works. If I take the .ovpn (which incidentally works on my OpenVPN app on my Mac and iPhones) and put it in that directory and rename it, I get the same results as if I'd put nothing there.

Regardless of my last 2 replies, the important thing is I have it working, so I appreciate all the help. Also, if someone misunderstood the instructions then there is this posting that might help them. Especially if they can get an .ovpn file to work as a .conf file or work around it if it doesn't.

Renamed ovpn files work. If they don't work for you, you're doing something wrong or you're missing things.

You got openvpn client working thru uci/luci -- great, but don't misinform people that the ovpn files don't work just because you couldn't make them work.

baxterdmutt wrote:

... it did not indicate that I had to install Openvpn-OpenSSL separately.

Separately from what?

stangri wrote:

Renamed ovpn files work. If they don't work for you, you're doing something wrong or you're missing things.

You got openvpn client working thru uci/luci -- great, but don't misinform people that the ovpn files don't work just because you couldn't make them work.

baxterdmutt wrote:

... it did not indicate that I had to install Openvpn-OpenSSL separately.

Separately from what?

Fine, they work for you, but there must be a reason they don't always work. All I did was install luci-app-openvpn, eventually realized I missed openvpn-openssl and installed it. I asked for your help because I wanted to just use the ovpn file if possible. You said that I should just put it in /etc/openvpn and rename it .conf. That's all I did and it doesn't work. Isn't it fair that when someone else has this happen they should know that others can't make it work either?

So in the interest of figuring this out, I've uninstalled luci-app-openvpn and openvpn-openssl and removed all my config files and the /etc/openvpn directory I created. Then I reinstalled both apps.
The /etc/openvpn directory was not created on a new install, so I created it myself and put the .ovpn file there and renamed it .conf. Luci does not see the configuration. I checked the privileges and they were 644, so I changed to 777 and Luci still sees nothing. I restarted the router and still nothing. So what am I to think? Can you point me to the wiki that says changing .ovpn to .conf works? Maybe I'm missing something, although I can't see what.

(Last edited by baxterdmutt on 7 May 2016, 16:46)

And in case you are wondering if I've messed up anything else on my system, anything else I've installed I've done with Luci. I've had no need to manually change anything in the past.

At least one of the wiki pages mentions using luci-app-openvpn, which I suspect is dated and not well maintained.

I'll try to cobble together a guide that uses uci as much as possible, as I'm trying to configure OpenWRT as an OpenVPN client as well.

https://github.com/dolanor/ovpnsplit will split .ovpn files quite nicely, but unfortunately requires installing golang if you don't have it. There are other .ovpn config splitters on github, etc. but I haven't used them so can't comment on their quality.

normblop wrote:

At least one of the wiki pages mentions using luci-app-openvpn, which I suspect is dated and not well maintained.

I'll try to cobble together a guide that uses uci as much as possible, as I'm trying to configure OpenWRT as an OpenVPN client as well.

https://github.com/dolanor/ovpnsplit will split .ovpn files quite nicely, but unfortunately requires installing golang if you don't have it. There are other .ovpn config splitters on github, etc. but I haven't used them so can't comment on their quality.

I'm wondering if you've been able to get OpenVPN to recognize .ovpn files (renamed to .conf) located in the /etc/openvpn directory using Chaos Calmer. I had to split the file up to make it work. But one of the other forum members swore it should work.

Hi all, if your config file is /etc/openvpn/xxx.conf, you must edit /etc/config/openvpn and put inside something like this:

config openvpn 'vpn0'
    option enabled 1
    option config '/etc/openvpn/xxx.conf'

ema

And you can run multiple instances of openvpn, adding more sections, e.g. tun instance and tap instance, if you need.

ema wrote:

Hi all, if your config file is /etc/openvpn/xxx.conf, you must edit /etc/config/openvpn and put inside something like this:

config openvpn 'vpn0'
    option enabled 1
    option config '/etc/openvpn/xxx.conf'

ema

Ok thanks. That's the missing piece.

This works for me using UCI which is probably the Right Way to do it:

    uci set openvpn.vpnname='openvpn'
    uci set openvpn.vpnname.enabled='1'
    uci set openvpn.vpnname.config='/etc/openvpn/your_vpn_conf.ovpn'
    uci commit
    /etc/init.d/openvpn stop # if needed
    /etc/init.d/openvpn start

I have this working

config openvpn 'vpn0'
    option enabled 1
    option config '/etc/openvpn/xxx.conf'

but I wonder how to get Luci to work (it never starts, no error in system log):

-see next post-

(Last edited by enri1357 on 24 Jan 2017, 22:37)

The previous post had something wrong with the cert file path; after adjusting the settings, openvpn has a log for me to look at. It is still not connecting properly.

Interestingly, the original ovpn file does work without problem.

Here is the error:

Tue Jan 24 13:26:06 2017 us=155419 OpenVPN 2.4.0 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Tue Jan 24 13:26:06 2017 us=155670 library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.09
Tue Jan 24 13:26:06 2017 us=171208 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 24 13:26:06 2017 us=171544 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 24 13:26:06 2017 us=171810 LZO compression initializing
Tue Jan 24 13:26:06 2017 us=177385 Control Channel MTU parms [ L:36124 D:1182 EF:68 EB:0 ET:0 EL:3 ]
Tue Jan 24 13:26:06 2017 us=186772 Data Channel MTU parms [ L:36124 D:36124 EF:124 EB:6156 ET:0 EL:3 ]
Tue Jan 24 13:26:06 2017 us=187312 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 36060,tun-mtu 36000,proto TCPv4_CLIENT,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Tue Jan 24 13:26:06 2017 us=187561 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 36060,tun-mtu 36000,proto TCPv4_SERVER,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Tue Jan 24 13:26:06 2017 us=188307 TCP/UDP: Preserving recently used remote address: [AF_INET]119.247.82.85:443
Tue Jan 24 13:26:06 2017 us=188657 Socket Buffers: R=[87380->87380] S=[16384->16384]
Tue Jan 24 13:26:06 2017 us=188953 Attempting to establish TCP connection with [AF_INET]a.b.c.d:443 [nonblock]
Tue Jan 24 13:26:07 2017 us=189660 TCP connection established with [AF_INET]a.b.c.d:443
Tue Jan 24 13:26:07 2017 us=189974 TCP_CLIENT link local: (not bound)
Tue Jan 24 13:26:07 2017 us=190242 TCP_CLIENT link remote: [AF_INET]a.b.c.d:443
Tue Jan 24 13:26:07 2017 us=401714 Connection reset, restarting [0]
Tue Jan 24 13:26:07 2017 us=402422 TCP/UDP: Closing socket
Tue Jan 24 13:26:07 2017 us=403177 SIGUSR1[soft,connection-reset] received, process restarting
Tue Jan 24 13:26:07 2017 us=403523 Restart pause, 5 second(s)

Here is the config:

config openvpn 'HOME_Client'
    option dev 'tun'
    list remote 'ddns-name-replaced'
    option port '443'
    option auth_nocache '1'
    option cipher 'AES-256-CBC'
    option comp_lzo 'yes'
    option float '1'
    option resolv_retry 'infinite'
    option nobind '1'
    option persist_key '1'
    option persist_tun '1'
    option client '1'
    option verb '4'
    option mssfix '0'
    option tun_mtu '36000'
    option key_direction '1'
    option remote_cert_tls 'server'
    option ca '/etc/openvpn/HOMEca.crt'
    option cert '/etc/openvpn/HOME.crt'
    option key '/etc/openvpn/HOME.key'
    option tls_auth '/etc/openvpn/HOMEta.key'
    option log '/tmp/openvpn.log'
    option status '/tmp/openvpn-status.log'
    option tls_client '1'
    option proto 'tcp'
    option enabled '1'

Edit ---------

Problem solved, by changing tls_auth to this:
    option tls_auth '/etc/openvpn/HOMEta.key 1'

(Last edited by enri1357 on 25 Jan 2017, 20:09)

Hi everybody,
Can someone help me convert this .ovpn config?

Compatible with chaos_calmer 15.05.1

Thanks in advance

client
dev tun
proto tcp
sndbuf 0
rcvbuf 0
remote x.x.x.x 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
comp-lzo
setenv opt block-outside-dns
key-direction 1
verb 3
<ca>
-----BEGIN CERTIFICATE-----
sadjsdhjksdnkjsdadsndslndasdsnlkdsnlkas
sadjsdhjksdnkjsdadsndslndasdsnlkdsnlkas
sadjsdhjksdnkjsdadsndslndasdsnlkdsnlkas
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 46 (0x2e)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=XXXXxxXXXX
        Validity
            Not Before: Jul 13 22:18:12 2017 GMT
            Not After : Jul 11 22:18:12 2027 GMT
        Subject: CN=XXX
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    xx:xx:xxxx:xx:xxxx:xx:xxxx:xx:xx
                    xx:xx:xxxx:xx:xxxx:xx:xxxx:xx:xx
                    xxx:xx:xxxx:xx:xxxx:xx:xxxx:xx:xx
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                xx:xx:xxxx:xx:xxxx:xx:xxxx:xx:xx
            X509v3 Authority Key Identifier: 
                xx:xx:xxxx:xx:xxxx:xx:xxxx:xx:xx
                DirName:/CN=XXX
                xx:xx:xxxx:xx:xxxx:xx:xxxx:xx:xx

            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Key Usage: 
                Digital Signature
    Signature Algorithm: sha256WithRSAEncryption
         xx:xx:xxxx:xx:xxxx:xx:xxxx:xx:xx
         xx:xx:xxxx:xx:xxxx:xx:xxxx:xx:xx
         xx:xx:xxxx:xx:xxxx:xx:xxxx:xx:xx
-----BEGIN CERTIFICATE-----
xx:xx:xxxx:xx:xxxx:xx:xxxx:xx:xx
xx:xx:xxxx:xx:xxxx:xx:xxxx:xx:xx
xx:xx:xxxx:xx:xxxx:xx:xxxx:xx:xx
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
xx:xx:xxxx:xx:xxxx:xx:xxxx:xx:xx
xx:xx:xxxx:xx:xxxx:xx:xxxx:xx:xx
xx:xx:xxxx:xx:xxxx:xx:xxxx:xx:xx
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
xx:xx:xxxx:xx:xxxx:xx:xxxx:xx:xx
xx:xx:xxxx:xx:xxxx:xx:xxxx:xx:xx
xx:xx:xxxx:xx:xxxx:xx:xxxx:xx:xx
-----END OpenVPN Static key V1-----
</tls-auth>
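The conversion asked for above, done the way ema's `option config` and enri1357's `tls_auth '... 1'` posts describe: the inline `<ca>`, `<cert>`, `<key>` and `<tls-auth>` blocks go into separate files and the remaining directives become a `config openvpn` section for /etc/config/openvpn. This is an added example, not code from the thread or from OpenWrt; the `ovpn_to_uci` function, the file naming `NAME-<tag>` and the sample profile (placeholder contents only) are assumptions of this example, written for POSIX sh and awk.

```shell
# Constructed sample .ovpn (placeholder contents): inline <ca> and <tls-auth>.
SAMPLE_OVPN='client
dev tun
remote vpn.example.invalid 443
persist-key
remote-cert-tls server
comp-lzo
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-TA
-----END OpenVPN Static key V1-----
</tls-auth>'
# ovpn_to_uci NAME SRC DESTDIR: writes each inline block to DESTDIR/NAME-<tag> and
# prints a "config openvpn 'NAME'" section. Hyphens become underscores, bare flags
# become option x '1', remote becomes a list, key-direction is folded into tls_auth.
ovpn_to_uci() {
  name=$1; src=$2; dest=$3
  mkdir -p "$dest"
  awk -v name="$name" -v dest="$dest" -v q="'" '
    /^<[a-z-]+>$/   { tag=substr($0,2,length($0)-2); f=dest "/" name "-" tag; next }
    /^<\/[a-z-]+>$/ { close(f); files[tag]=f; tag=""; next }
    tag != ""       { print > f; next }           # line inside an inline block
    /^[[:space:]]*(#|;|$)/ { next }              # comments and blank lines
    {
      key=$1; gsub(/-/,"_",key)
      val=""; for (i=2;i<=NF;i++) val=val (i>2?" ":"") $i
      if (key=="key_direction") { kd=val; next }
      if (key=="remote") { lists=lists "\tlist remote " q val q "\n"; next }
      opts=opts "\toption " key " " q (val==""?"1":val) q "\n"
    }
    END {
      printf "config openvpn %s%s%s\n%s%s", q, name, q, lists, opts
      for (t in files) {
        k=t; gsub(/-/,"_",k); v=files[t]
        if (t=="tls-auth" && kd!="") v=v " " kd    # e.g. ".../HOMEta.key 1"
        printf "\toption %s %s%s%s\n", k, q, v, q
      }
      printf "\toption enabled %s1%s\n", q, q
    }' "$src"
}
# Demo on the constructed sample in a scratch dir (never touches /etc):
d=$(mktemp -d); printf '%s\n' "$SAMPLE_OVPN" > "$d/home.ovpn"
ovpn_to_uci home "$d/home.ovpn" "$d/openvpn"
```

On the router you would point DESTDIR at /etc/openvpn, append the printed section to /etc/config/openvpn and run `/etc/init.d/openvpn restart`; check the file permissions of the extracted key and tls-auth files, since they are secrets.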

The discussion might have continued from here.