When I upload the Client-Key-File to the OpenVPN-client of my RUT956, I get the following error message ! FAILED TO EDIT CONFIGURATION when I try to SAVE & APPLY the configuration. This error message does not make much sense to me. Just to give it a try, I removed the header and footer of the Client Key-file and to my surprise, I could SAVE & APPLY without error message … but of course, the tunnel still does not come up.
This is what the log says:
Sat Aug 12 08:38:34 2023 kern.info kernel: openvpn configuration has been changed
Sat Aug 12 08:38:36 2023 daemon.warn openvpn(Bodmeli)[6957]: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless “allow-compression yes” is also set.
Sat Aug 12 08:38:36 2023 daemon.warn openvpn(Bodmeli)[6957]: DEPRECATED OPTION: --cipher set to ‘AES-256-CBC’ but missing in --data-ciphers (BF-CBC). Future OpenVPN version will ignore --cipher for cipher negotiations. Add ‘AES-256-CBC’ to --data-ciphers or change --cipher ‘AES-256-CBC’ to --data-ciphers-fallback ‘AES-256-CBC’ to silence this warning.
Sat Aug 12 08:38:36 2023 daemon.notice openvpn(Bodmeli)[6957]: OpenVPN 2.5.3 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Aug 12 08:38:36 2023 daemon.notice openvpn(Bodmeli)[6957]: library versions: OpenSSL 1.1.1t 7 Feb 2023, LZO 2.10
Sat Aug 12 08:38:36 2023 daemon.warn openvpn(Bodmeli)[6957]: WARNING: No server certificate verification method has been enabled. See How To Guide: Set Up & Configure OpenVPN Client/server VPN | OpenVPN for more info.
Sat Aug 12 08:38:36 2023 daemon.warn openvpn(Bodmeli)[6957]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Aug 12 08:38:36 2023 daemon.warn openvpn(Bodmeli)[6957]: OpenSSL: error:0909006C:lib(9):func(144):reason(108)
Sat Aug 12 08:38:36 2023 daemon.warn openvpn(Bodmeli)[6957]: Cannot load private key file /etc/vuci-uploads/cbid.openvpn.Bodmeli.keyBodmeli_Key.key
Sat Aug 12 08:38:36 2023 daemon.err openvpn(Bodmeli)[6957]: Error: private key password verification failed
Sat Aug 12 08:38:36 2023 daemon.notice openvpn(Bodmeli)[6957]: Exiting due to fatal error
root@Teltonika-RUT956:~#
Any idea?
Thanks for your support!
Best regards
Fritz
The certificates should be uploaded in .pem format, however, I’m not sure if this is the issue here. Could you clarify what setup you are using? Are you uploading an .ovpn file that contains the configuration as well as the certificates? Or is everything being configured manually?
Make sure you are using the latest firmware.
Additionally, make sure all certificate files are uploaded, as without at least one of them, the configuration will not be saved.
Hi!
Here is some more Information:
As a base, I have a .ovpn-file, which works perfectly fine with the OpenVPN-Client for Windows. When I upload the same file to my RUT956 it says ‘Missing required option: TUN/TAP’. As this information definitely IS contained in the .ovpn-file, I assumed that there is a general problem with the file format. So I tried to enter the configuration manually and uploaded the key- and certificate parts from the .ovpn-file separately. When I upload the Client-Key part, I get the mentioned error message right away, but I can upload almost any rubbish-file without getting the error message …
By the way, this is what the .ovpn-file looks like:
client
dev tun
proto udp
remote XXXXXXXXXXX.dyndns.org 1194
resolv-retry infinite
nobind
remote-cert-tls server
tls-version-min 1.2
verify-x509-name DietPi_fad653db-84e4-4eee-a48e-d4d4fac9e180 name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----
*** Data removed ***
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
*** Data removed ***
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
*** Data removed ***
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
*** Data removed ***
-----END OpenVPN Static key V1-----
</tls-crypt>
If the device you’re connecting to supports it, can you generate the client-server certificates on the RUT956 and upload the server parts on the remote side? This can be done by navigating to System → Administration → Certificates, selecting the file type as simple and pressing generate. After the files are generated, they can be downloaded from the Certificates Manager tab.
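Added example, not part of the original thread: the log above ends in "private key password verification failed", and the key section of the posted profile starts with `-----BEGIN ENCRYPTED PRIVATE KEY-----`, which is the PEM label of a passphrase-protected PKCS#8 key. The Python below splits a profile's inline blocks into separate parts and classifies the key by its PEM armor before it is uploaded; the function names and the sample profile are constructed for illustration.

```python
import re

# Inline file blocks in an .ovpn profile: <key> ... </key>, <ca> ... </ca>, etc.
INLINE_BLOCK = re.compile(r"^<([a-z0-9-]+)>\s*\n(.*?)^</\1>\s*$", re.S | re.M)
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Za-z0-9 ]+)-----\s*$", re.M)

def split_inline_blocks(ovpn_text):
    """Return {tag: body} for every inline block in the profile."""
    return {m.group(1): m.group(2).strip() + "\n"
            for m in INLINE_BLOCK.finditer(ovpn_text)}

def classify_private_key(pem_text):
    """Classify a key file by its PEM armor only; the payload is never decoded."""
    m = PEM_BEGIN.search(pem_text)
    if m is None or f"-----END {m.group(1)}-----" not in pem_text:
        return "not-pem"              # e.g. header and footer were stripped
    label = m.group(1)
    if label == "ENCRYPTED PRIVATE KEY":
        return "encrypted-pkcs8"      # a passphrase is needed to load it
    if label.endswith("PRIVATE KEY"):
        # Traditional OpenSSL keys flag encryption in a header line instead.
        if re.search(r"^Proc-Type:\s*4,ENCRYPTED", pem_text, re.M):
            return "encrypted-traditional"
        return "unencrypted"
    return "not-a-private-key"

# Constructed sample: layout of the profile in the thread, placeholder payloads.
SAMPLE_OVPN = """client
dev tun
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
PLACEHOLDER
-----END ENCRYPTED PRIVATE KEY-----
</key>
"""

if __name__ == "__main__":
    for tag, body in split_inline_blocks(SAMPLE_OVPN).items():
        kind = classify_private_key(body) if tag == "key" else "-"
        print(f"{tag:10s} {kind}")
```

A key that classifies as `encrypted-pkcs8` or `encrypted-traditional` cannot be loaded by OpenVPN without its passphrase, and one that classifies as `not-pem` is no longer a loadable key file at all.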