OpenVPN-Client on RUT956 not connecting

Hi there!
I am having difficulties bringing up an OpenVPN tunnel between the client on a RUT956 box and an OpenVPN server. OpenVPN traffic is enabled on the RUT956 and the other settings also look OK to me. But the tunnel always stays disconnected. As I found out (using Wireshark), not a single data packet is received by the server, so it looks like the client on the RUT956 is not sending out anything!
Therefore it seems to be a basic problem. I hope you can help me here!
By the way, if I run the OpenVPN client on a PC behind the RUT956, the tunnel comes up right away, but this is not what I am looking for.
Best regards Fritz

Hello,

Could you please clarify if you have configured the OpenVPN client manually or uploaded a configuration file? If you did upload a file, can you share the method you used to create this file? Perhaps you entered or modified the configurations using a text editor?

Additionally, please turn on OpenVPN on your device and wait for a minute or two. Afterwards, you can access the command line of your device following the instructions given here, using ‘root’ as the username and your WebUI password.

Next, execute the following command to view OpenVPN logs:

  • logread | grep openvpn

Before sharing these logs here, please ensure you remove any sensitive data, such as public IP addresses.

Kind Regards,

Hi!
Thanks for your response!
Actually, I tried both: configuring using a *.ovpn file and, since I got an error message, entering the data manually. But this didn't work either.

As I am not permitted to upload files, I paste the text into the reply, and because I am not permitted to include more than two links in the text, I had to replace "http://" with "h-t-t-p://" in the log data.

Here is the ovpn-file I used (which works perfectly for a Windows OpenVPN-Connect client):

client
dev tun
proto udp
remote XXXXXXXXXXX.dyndns.org 1194
resolv-retry infinite
nobind
remote-cert-tls server
tls-version-min 1.2
verify-x509-name DietPi_fad653db-84e4-4eee-a48e-d4d4fac9e180 name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----
*** Data removed ***
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
*** Data removed ***
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
*** Data removed ***
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
*** Data removed ***
-----END OpenVPN Static key V1-----
</tls-crypt>

and the log-info you asked for:

Teltonika-RUT956.com login: root
Password:

BusyBox v1.34.1 (2023-06-29 07:39:59 UTC) built-in shell (ash)

Teltonika RUT9M series 2023

root@Teltonika-RUT956:~# logread | grep openvpn
Mon Jul 31 14:38:56 2023 kern.info kernel: openvpn configuration has been changed
Mon Jul 31 14:39:31 2023 kern.info kernel: openvpn configuration has been changed
Mon Jul 31 14:53:50 2023 kern.info kernel: openvpn configuration has been changed
Mon Jul 31 14:53:53 2023 daemon.notice openvpn(Bodmeli)[12291]: OpenVPN 2.5.3 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Jul 31 14:53:53 2023 daemon.notice openvpn(Bodmeli)[12291]: library versions: OpenSSL 1.1.1t 7 Feb 2023, LZO 2.10
Mon Jul 31 14:53:53 2023 daemon.warn openvpn(Bodmeli)[12291]: WARNING: No server certificate verification method has been enabled. See h-t-t-p://openvpn.net/howto.html#mitm for more info.
Mon Jul 31 14:53:53 2023 daemon.warn openvpn(Bodmeli)[12291]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jul 31 14:53:53 2023 daemon.err openvpn(Bodmeli)[12291]: neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can’t ask for ‘Enter Private Key Password:’. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Mon Jul 31 14:53:53 2023 daemon.notice openvpn(Bodmeli)[12291]: Exiting due to fatal error
Mon Jul 31 14:53:58 2023 daemon.notice openvpn(Bodmeli)[12343]: OpenVPN 2.5.3 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Jul 31 14:53:58 2023 daemon.notice openvpn(Bodmeli)[12343]: library versions: OpenSSL 1.1.1t 7 Feb 2023, LZO 2.10
Mon Jul 31 14:53:58 2023 daemon.warn openvpn(Bodmeli)[12343]: WARNING: No server certificate verification method has been enabled. See h-t-t-p://openvpn.net/howto.html#mitm for more info.
Mon Jul 31 14:53:58 2023 daemon.warn openvpn(Bodmeli)[12343]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jul 31 14:53:58 2023 daemon.err openvpn(Bodmeli)[12343]: neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can’t ask for ‘Enter Private Key Password:’. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Mon Jul 31 14:53:58 2023 daemon.notice openvpn(Bodmeli)[12343]: Exiting due to fatal error
Mon Jul 31 14:54:03 2023 daemon.notice openvpn(Bodmeli)[12369]: OpenVPN 2.5.3 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Jul 31 14:54:03 2023 daemon.notice openvpn(Bodmeli)[12369]: library versions: OpenSSL 1.1.1t 7 Feb 2023, LZO 2.10
Mon Jul 31 14:54:03 2023 daemon.warn openvpn(Bodmeli)[12369]: WARNING: No server certificate verification method has been enabled. See h-t-t-p://openvpn.net/howto.html#mitm for more info.
Mon Jul 31 14:54:03 2023 daemon.warn openvpn(Bodmeli)[12369]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jul 31 14:54:03 2023 daemon.err openvpn(Bodmeli)[12369]: neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can’t ask for ‘Enter Private Key Password:’. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Mon Jul 31 14:54:03 2023 daemon.notice openvpn(Bodmeli)[12369]: Exiting due to fatal error
Mon Jul 31 14:54:08 2023 daemon.notice openvpn(Bodmeli)[12384]: OpenVPN 2.5.3 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Jul 31 14:54:08 2023 daemon.notice openvpn(Bodmeli)[12384]: library versions: OpenSSL 1.1.1t 7 Feb 2023, LZO 2.10
Mon Jul 31 14:54:08 2023 daemon.warn openvpn(Bodmeli)[12384]: WARNING: No server certificate verification method has been enabled. See h-t-t-p://openvpn.net/howto.html#mitm for more info.
Mon Jul 31 14:54:08 2023 daemon.warn openvpn(Bodmeli)[12384]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jul 31 14:54:08 2023 daemon.err openvpn(Bodmeli)[12384]: neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can’t ask for ‘Enter Private Key Password:’. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Mon Jul 31 14:54:08 2023 daemon.notice openvpn(Bodmeli)[12384]: Exiting due to fatal error
Mon Jul 31 14:54:13 2023 daemon.notice openvpn(Bodmeli)[12405]: OpenVPN 2.5.3 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Jul 31 14:54:13 2023 daemon.notice openvpn(Bodmeli)[12405]: library versions: OpenSSL 1.1.1t 7 Feb 2023, LZO 2.10
Mon Jul 31 14:54:13 2023 daemon.warn openvpn(Bodmeli)[12405]: WARNING: No server certificate verification method has been enabled. See h-t-t-p://openvpn.net/howto.html#mitm for more info.
Mon Jul 31 14:54:13 2023 daemon.warn openvpn(Bodmeli)[12405]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jul 31 14:54:13 2023 daemon.err openvpn(Bodmeli)[12405]: neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can’t ask for ‘Enter Private Key Password:’. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Mon Jul 31 14:54:13 2023 daemon.notice openvpn(Bodmeli)[12405]: Exiting due to fatal error
Mon Jul 31 14:54:18 2023 daemon.notice openvpn(Bodmeli)[12427]: OpenVPN 2.5.3 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Jul 31 14:54:18 2023 daemon.notice openvpn(Bodmeli)[12427]: library versions: OpenSSL 1.1.1t 7 Feb 2023, LZO 2.10
Mon Jul 31 14:54:18 2023 daemon.warn openvpn(Bodmeli)[12427]: WARNING: No server certificate verification method has been enabled. See h-t-t-p://openvpn.net/howto.html#mitm for more info.
Mon Jul 31 14:54:18 2023 daemon.warn openvpn(Bodmeli)[12427]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jul 31 14:54:18 2023 daemon.err openvpn(Bodmeli)[12427]: neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can’t ask for ‘Enter Private Key Password:’. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Mon Jul 31 14:54:18 2023 daemon.notice openvpn(Bodmeli)[12427]: Exiting due to fatal error
Mon Jul 31 14:54:18 2023 daemon.info procd: Instance openvpn::Bodmeli s in a crash loop 6 crashes, 0 seconds since last crash
root@Teltonika-RUT956:~#

So, as it looks, OpenVPN keeps crashing for some reason …
By the way, the ovpn file was created by a PiVPN server.

Hope you can help me further!
Best regards
Fritz

Hello,

If you are using credentials to authenticate, then, whenever you are configuring OpenVPN, pick TLS/Password as authentication. There should be a new field where you can enter your credentials. If you are uploading a file, you can choose TLS/Password as well. You may need to cut out CA and other certificates from the config file, paste them into separate files and upload them.

If the issue persists, can you try adding the following to the config file?:

  • askpass /etc/vpnclient.txt

You may need to delete the 'auth-nocache' option. Also, instead of 'askpass' you can try using 'auth-user-pass', whichever works for you.

Then, connect to the router via command line as described here using username 'root'. Execute the following commands to create a file with username and password:

  • vi /etc/vpnclient.txt

Press 'i' to start editing. Enter the username on one line and the password on another. Press the ESC button, enter ':wq' and press Enter.

Restart openvpn with:

  • /etc/init.d/openvpn restart

It should now use credentials in the file for authentication. If you will need to use a password for private key decryption, there is also an option at the very bottom of the configuration page.

Kind Regards,

Thanks for your reply!
I tried several things you suggested, but there is still no success.
One problem is that I get the error message "! FAILED TO EDIT CONFIGURATION" when I try to SAVE & APPLY the configuration. I found out that this seems to be caused by the client key file. The client key file contains the respective part of the ovpn file. This error message does not make much sense to me.
Just to give it a try, I removed the header and footer of the client key file and, to my surprise, I could SAVE & APPLY without an error message … but of course, the tunnel still does not come up.
This is what the log says:

Sat Aug 12 08:38:34 2023 kern.info kernel: openvpn configuration has been changed
Sat Aug 12 08:38:36 2023 daemon.warn openvpn(Bodmeli)[6957]: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless “allow-compression yes” is also set.
Sat Aug 12 08:38:36 2023 daemon.warn openvpn(Bodmeli)[6957]: DEPRECATED OPTION: --cipher set to ‘AES-256-CBC’ but missing in --data-ciphers (BF-CBC). Future OpenVPN version will ignore --cipher for cipher negotiations. Add ‘AES-256-CBC’ to --data-ciphers or change --cipher ‘AES-256-CBC’ to --data-ciphers-fallback ‘AES-256-CBC’ to silence this warning.
Sat Aug 12 08:38:36 2023 daemon.notice openvpn(Bodmeli)[6957]: OpenVPN 2.5.3 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Aug 12 08:38:36 2023 daemon.notice openvpn(Bodmeli)[6957]: library versions: OpenSSL 1.1.1t 7 Feb 2023, LZO 2.10
Sat Aug 12 08:38:36 2023 daemon.warn openvpn(Bodmeli)[6957]: WARNING: No server certificate verification method has been enabled. See How To Guide: Set Up & Configure OpenVPN Client/server VPN | OpenVPN for more info.
Sat Aug 12 08:38:36 2023 daemon.warn openvpn(Bodmeli)[6957]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Aug 12 08:38:36 2023 daemon.warn openvpn(Bodmeli)[6957]: OpenSSL: error:0909006C:lib(9):func(144):reason(108)
Sat Aug 12 08:38:36 2023 daemon.warn openvpn(Bodmeli)[6957]: Cannot load private key file /etc/vuci-uploads/cbid.openvpn.Bodmeli.keyBodmeli_Key.key
Sat Aug 12 08:38:36 2023 daemon.err openvpn(Bodmeli)[6957]: Error: private key password verification failed
Sat Aug 12 08:38:36 2023 daemon.notice openvpn(Bodmeli)[6957]: Exiting due to fatal error
root@Teltonika-RUT956:~#

Any idea?
Thanks for your support!
Best regards
Fritz

This topic was automatically closed after 15 days. New replies are no longer allowed.

Hello,

Apologies for the late reply.

Have you tried extracting certificates from the OVPN config file (cut), putting them into separate certificate files (.pem) and uploading via WebUI? Make sure that the files do not contain any extra characters (especially CR terminations used by Windows, as Linux terminates lines with just LF’s).

Also, you can check OpenVPN logs on RUT956 via command:

logread | grep openvpn

Kind Regards,

Yes, I tried a lot of things, but there has not been any real success.
It looks like there is (at least) an issue with the client key file, which appears as follows:

If I upload the client key as it is in the original ovpn file, I immediately get an error message when I press SAVE&APPLY → "Failed to edit configuration".
The header and footer look as follows:
-----BEGIN ENCRYPTED PRIVATE KEY-----
******** Data removed ********
-----END ENCRYPTED PRIVATE KEY-----

When I remove the word ENCRYPTED from the header and footer, I can SAVE&APPLY the configuration without an error message, but the VPN still refuses to work.

The log shows the following:
Mon Aug 21 15:54:30 2023 daemon.warn openvpn(Bodmeli)[20861]: DEPRECATED OPTION: --cipher set to ‘AES-256-CBC’ but missing in --data-ciphers (BF-CBC). Future OpenVPN version will ignore --cipher for cipher negotiations. Add ‘AES-256-CBC’ to --data-ciphers or change --cipher ‘AES-256-CBC’ to --data-ciphers-fallback ‘AES-256-CBC’ to silence this warning.
Mon Aug 21 15:54:30 2023 daemon.notice openvpn(Bodmeli)[20861]: OpenVPN 2.5.3 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Aug 21 15:54:30 2023 daemon.notice openvpn(Bodmeli)[20861]: library versions: OpenSSL 1.1.1t 7 Feb 2023, LZO 2.10
Mon Aug 21 15:54:30 2023 daemon.warn openvpn(Bodmeli)[20861]: WARNING: No server certificate verification method has been enabled. See XXX for more info.
Mon Aug 21 15:54:30 2023 daemon.warn openvpn(Bodmeli)[20861]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Aug 21 15:54:30 2023 daemon.warn openvpn(Bodmeli)[20861]: OpenSSL: error:0D0680A8:lib(13):func(104):reason(168)
Mon Aug 21 15:54:30 2023 daemon.warn openvpn(Bodmeli)[20861]: OpenSSL: error:0D06C03A:lib(13):func(108):reason(58)
Mon Aug 21 15:54:30 2023 daemon.warn openvpn(Bodmeli)[20861]: OpenSSL: error:0D08303A:lib(13):func(131):reason(58)
Mon Aug 21 15:54:30 2023 daemon.warn openvpn(Bodmeli)[20861]: OpenSSL: error:0907B00D:lib(9):func(123):reason(13)
Mon Aug 21 15:54:30 2023 daemon.warn openvpn(Bodmeli)[20861]: Cannot load private key file /etc/vuci-uploads/cbid.openvpn.Bodmeli.keyBodmeli.key
Mon Aug 21 15:54:30 2023 daemon.err openvpn(Bodmeli)[20861]: Error: private key password verification failed
Mon Aug 21 15:54:30 2023 daemon.notice openvpn(Bodmeli)[20861]: Exiting due to fatal error
Mon Aug 21 15:54:30 2023 daemon.info procd: Instance openvpn::Bodmeli s in a crash loop 6 crashes, 1 seconds since last crash
root@RUT956:~#

For some reason it says "Cannot load private key file /etc/vuci-uploads/cbid.openvpn.Bodmeli.keyBodmeli.key", but the file exists and it has the right content.

I don’t know what to try next …

By the way 1: To edit the files I used Notepad++, so no additional characters should have been added.
By the way 2: The original ovpn file works perfectly fine with the OpenVPN client for Windows.
By the way 3: Because this thread has been automatically closed, I opened a new one: OpenVPN-Client on RUT956 - Error Message

Best regards
Fritz

Hello,

Are you using TLS-crypt and uploading the file? In ‘Additional HMAC authentication’ you can select ‘authentication and encryption (tls-crypt)’ which should then allow you to upload a key file.

If necessary, you can also input the private key decryption password at the bottom of the WebUI configuration window.

Kind Regards,

Thanks for your reply!
I tried some settings again as you suggested, but I just get some variations of error messages in the log.

This is what the .ovpn file looks like:

client
dev tun
proto udp
remote XYXYXYXYXY.dyndns.org 1194
resolv-retry infinite
nobind
remote-cert-tls server
tls-version-min 1.2
verify-x509-name DietPi_b288686a-bd16-4aeb-8387-9a74caaaca53 name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----
****** data removed ******
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
****** data removed *******
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
****** data removed ******
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
****** data removed ******
-----END OpenVPN Static key V1-----
</tls-crypt>

It would be great if you could advise me how to configure the VPN client and which keys / certificates should be uploaded to which position on my RUT956 to apply these settings.

By the way, when I upload that .ovpn file to the RUT956, I get the error message "missing required option: TUN/TAP". This does not make any sense to me, but I think I mentioned that earlier.

In case there is a setting in the .ovpn-file that is not supported by the RUT956, it might also be helpful to know which one it is …

Best regards
Fritz

Hello,

Please, try the following in the OpenVPN configurations:

  • Enable : Turn this on.
  • Enable OpenVPN config from file : If you’re configuring it manually and not uploading the entire .ovpn configuration, keep this off.
  • TUN/TAP : This should be set to TUN since you’re using tunnel mode.
  • Protocol : Keep this as UDP.
  • Port : Keep this as 1194.
  • LZO : Make sure these match on both the server and the RUT956.
  • Authentication : Set this to “TLS/Password” since you’re using both TLS certificates and a username/password for authentication.
  • Encryption : As in the config file, AES-256-CBC
  • TLS cipher : All
  • Remote host/IP address : This should be the IP or hostname of your OpenVPN server.
  • Resolve retry : Keep this as “infinite”.
  • Remote network IP address and Netmask : Keep this or enter the remote network.
  • Authentication algorithm : SHA256
  • Additional HMAC authentication : Authentication and encryption (tls-crypt).
  • HMAC key : Your .ovpn file has an inline HMAC key, save it to a separate file and upload it here.
  • Use PKCS #12 format : Keep this off.
  • Username/Password : Enter your OpenVPN credentials here.
  • Certificate files from device : Keep this off.
  • Certificate authority : Upload your CA certificate here.
  • Client certificate : Upload your client certificate here.
  • Client key : Upload the client private key here.
  • Private key decryption password (optional) : Since your key is encrypted, provide the decryption password here.

An encrypted client key begins with:

"-----BEGIN ENCRYPTED PRIVATE KEY-----"

If you’re sure about the decryption password for the client key, you should input it in the ‘Private key decryption password’ field. If you’re not using a password or you’ve decrypted the key already, the key should begin with:

"-----BEGIN PRIVATE KEY-----"

Ensure no extra characters or spaces are present as mentioned previously. Notepad++ is ok, but always make sure it’s in UNIX format (Edit → EOL Conversion → UNIX Format).

If there are still errors, consider generating new keys and certificates.

Kind Regards,
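An added example (not code from the thread, from Teltonika or from PiVPN) of the split-and-check step described in the replies above: it cuts the inline <ca>, <cert>, <key> and <tls-crypt> blocks out of a PiVPN-style .ovpn into the separate files the WebUI asks for, converts Windows CRLF to LF, and flags the three things the logs in this thread tripped over (an ENCRYPTED key header, auth-nocache combined with an encrypted key, and a cipher line without data-ciphers). The sample config, the output file names and the warning texts are assumptions of mine; the PEM bodies are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Teltonika. Splits an inline
# .ovpn (as produced by PiVPN) into the separate files the RUT956 WebUI expects,
# converts Windows CRLF to LF, and reports the pitfalls seen in the logs above:
# an ENCRYPTED key header (needs the decryption-password field), auth-nocache
# together with an encrypted key, and 'cipher' without 'data-ciphers'.
# Assumes only POSIX sh plus awk, tr, grep and mktemp (all in BusyBox).

# Constructed sample config; PEM bodies are placeholders, not real key material.
SAMPLE_OVPN='client
dev tun
proto udp
remote vpn.example.invalid 1194
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
auth-nocache
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDERCABODY
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDERCERTBODY
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
PLACEHOLDERKEYBODY
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDERSTATICKEY
-----END OpenVPN Static key V1-----
</tls-crypt>'

# has_crlf FILE: "yes" if the file contains carriage returns (Windows line endings).
has_crlf() {
    if grep -q "$(printf '\r')" "$1"; then echo yes; else echo no; fi
}

# extract_block FILE TAG: print the body of <TAG>...</TAG>, CRs removed.
extract_block() {
    tr -d '\r' < "$1" | awk -v tag="$2" '
        $0 == "<" tag ">"  { inside = 1; next }
        $0 == "</" tag ">" { inside = 0; next }
        inside             { print }'
}

# split_ovpn FILE OUTDIR: write the four upload files plus the remaining
# directives (for manual entry in the WebUI) into OUTDIR.
split_ovpn() {
    mkdir -p "$2"
    extract_block "$1" ca        > "$2/ca.pem"
    extract_block "$1" cert      > "$2/client.crt"
    extract_block "$1" key       > "$2/client.key"
    extract_block "$1" tls-crypt > "$2/tls-crypt.key"
    tr -d '\r' < "$1" | awk '
        /^<[a-z-]+>$/   { skip = 1; next }
        /^<\/[a-z-]+>$/ { skip = 0; next }
        !skip           { print }' > "$2/directives.conf"
}

# key_needs_password KEYFILE: "yes" if the PEM header says ENCRYPTED.
key_needs_password() {
    if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----$' "$1"; then echo yes; else echo no; fi
}

# check_split OUTDIR: one WARN line per pitfall found in the split files.
check_split() {
    conf="$1/directives.conf"
    if grep -q '^cipher ' "$conf" && ! grep -q '^data-ciphers ' "$conf"; then
        echo "WARN: 'cipher' set without 'data-ciphers'; the server may answer 'no shared cipher'"
    fi
    if [ "$(key_needs_password "$1/client.key")" = yes ]; then
        echo "WARN: client key is encrypted; fill in 'Private key decryption password' in the WebUI"
        if grep -q '^auth-nocache$' "$conf"; then
            echo "WARN: a daemonised client cannot prompt for the key passphrase with 'auth-nocache' set"
        fi
    fi
}

# Demo: write the sample with CRLF endings (as a Windows editor would), split it
# and report. Constructed input only, no real keys involved.
demo() {
    work=$(mktemp -d)
    printf '%s\n' "$SAMPLE_OVPN" | awk '{ printf "%s\r\n", $0 }' > "$work/client.ovpn"
    echo "upload has CRLF: $(has_crlf "$work/client.ovpn")"
    split_ovpn "$work/client.ovpn" "$work/out"
    echo "client.key has CRLF after split: $(has_crlf "$work/out/client.key")"
    check_split "$work/out"
    ls "$work/out"
}
demo
```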

Hi there!
Many thanks for your post.
During all the trials I did, it turned out that the RUT956 seems to have trouble with the encrypted private key. So I created a new instance on the VPN server without a password, and indeed, I could move forward by a few squares - but I am still not there!

This is the current log output:

Mon Aug 28 11:53:50 2023 daemon.notice openvpn(Bodmeli)[18063]: OpenVPN 2.5.3 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Aug 28 11:53:50 2023 daemon.notice openvpn(Bodmeli)[18063]: library versions: OpenSSL 1.1.1t 7 Feb 2023, LZO 2.10
Mon Aug 28 11:53:50 2023 daemon.warn openvpn(Bodmeli)[18063]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Aug 28 11:53:50 2023 daemon.notice openvpn(Bodmeli)[18063]: Outgoing Control Channel Authentication: Using 256 bit message hash ‘SHA256’ for HMAC authentication
Mon Aug 28 11:53:50 2023 daemon.notice openvpn(Bodmeli)[18063]: Incoming Control Channel Authentication: Using 256 bit message hash ‘SHA256’ for HMAC authentication
Mon Aug 28 11:53:50 2023 daemon.notice openvpn(Bodmeli)[18063]: TCP/UDP: Preserving recently used remote address: [AF_INET]92.107.60.66:1194
Mon Aug 28 11:53:50 2023 daemon.notice openvpn(Bodmeli)[18063]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Mon Aug 28 11:53:50 2023 daemon.notice openvpn(Bodmeli)[18063]: UDP link local: (not bound)
Mon Aug 28 11:53:50 2023 daemon.notice openvpn(Bodmeli)[18063]: UDP link remote: [AF_INET]92.107.60.66:1194
Mon Aug 28 11:53:50 2023 daemon.notice openvpn(Bodmeli)[18063]: TLS: Initial packet from [AF_INET]92.107.60.66:1194, sid=5d40d0e1 8cb3e254
Mon Aug 28 11:53:50 2023 daemon.notice openvpn(Bodmeli)[18063]: VERIFY OK: depth=1, CN=Easy-RSA CA
Mon Aug 28 11:53:50 2023 daemon.notice openvpn(Bodmeli)[18063]: VERIFY KU OK
Mon Aug 28 11:53:50 2023 daemon.notice openvpn(Bodmeli)[18063]: Validating certificate extended key usage
Mon Aug 28 11:53:50 2023 daemon.notice openvpn(Bodmeli)[18063]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Aug 28 11:53:50 2023 daemon.notice openvpn(Bodmeli)[18063]: VERIFY EKU OK
Mon Aug 28 11:53:50 2023 daemon.notice openvpn(Bodmeli)[18063]: VERIFY X509NAME OK: CN=DietPi_fc4ea1a4-bf38-4dec-bbdb-9c883cac0515
Mon Aug 28 11:53:50 2023 daemon.notice openvpn(Bodmeli)[18063]: VERIFY OK: depth=0, CN=DietPi_fc4ea1a4-bf38-4dec-bbdb-9c883cac0515
Mon Aug 28 11:53:50 2023 daemon.warn openvpn(Bodmeli)[18063]: WARNING: ‘link-mtu’ is used inconsistently, local=‘link-mtu 1549’, remote=‘link-mtu 1569’
Mon Aug 28 11:53:50 2023 daemon.warn openvpn(Bodmeli)[18063]: WARNING: ‘auth’ is used inconsistently, local=‘auth [null-digest]’, remote=‘auth SHA256’
Mon Aug 28 11:53:50 2023 daemon.notice openvpn(Bodmeli)[18063]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Mon Aug 28 11:53:50 2023 daemon.notice openvpn(Bodmeli)[18063]: [DietPi_fc4ea1a4-bf38-4dec-bbdb-9c883cac0515] Peer Connection Initiated with [AF_INET]92.107.60.66:1194
Mon Aug 28 11:53:51 2023 daemon.notice openvpn(Bodmeli)[18063]: SENT CONTROL [DietPi_fc4ea1a4-bf38-4dec-bbdb-9c883cac0515]: ‘PUSH_REQUEST’ (status=1)
Mon Aug 28 11:53:51 2023 daemon.notice openvpn(Bodmeli)[18063]: AUTH: Received control message: AUTH_FAILED,Data channel cipher negotiation failed (no shared cipher)
Mon Aug 28 11:53:51 2023 daemon.notice openvpn(Bodmeli)[18063]: SIGTERM[soft,auth-failure] received, process exiting
root@RUT956:~#

I think the main problem is here:
Mon Aug 28 11:53:51 2023 daemon.notice openvpn(Bodmeli)[18063]: AUTH: Received control message: AUTH_FAILED,Data channel cipher negotiation failed (no shared cipher)

What can I do about this?
Thanks a lot for your help!
Fritz

Hello,

As you have mentioned, there are no matching ciphers. Please, check the configurations on both devices and ensure that you have matching ciphers. Right now:

Mon Aug 28 11:53:50 2023 daemon.warn openvpn(Bodmeli)[18063]: WARNING: ‘auth’ is used inconsistently, local=‘auth [null-digest]’, remote=‘auth SHA256’
Mon Aug 28 11:53:50 2023 daemon.notice openvpn(Bodmeli)[18063]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256

For testing purposes, I would suggest you enable as many ciphers on the server (and on RUT) as possible and see if the connection establishes.

Kind Regards,

Yesssss, the tunnel is up!
Thanks a lot for your support!

This is what the log says now:

root@RUT956:~# logread |grep openvpn
Tue Aug 29 11:07:49 2023 daemon.notice openvpn(Bodmeli)[5028]: OpenVPN 2.5.3 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Tue Aug 29 11:07:49 2023 daemon.notice openvpn(Bodmeli)[5028]: library versions: OpenSSL 1.1.1t 7 Feb 2023, LZO 2.10
Tue Aug 29 11:07:49 2023 daemon.warn openvpn(Bodmeli)[5028]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Aug 29 11:07:49 2023 daemon.notice openvpn(Bodmeli)[5028]: Outgoing Control Channel Authentication: Using 256 bit message hash ‘SHA256’ for HMAC authentication
Tue Aug 29 11:07:49 2023 daemon.notice openvpn(Bodmeli)[5028]: Incoming Control Channel Authentication: Using 256 bit message hash ‘SHA256’ for HMAC authentication
Tue Aug 29 11:07:49 2023 daemon.notice openvpn(Bodmeli)[5028]: TCP/UDP: Preserving recently used remote address: [AF_INET]92.107.60.66:1194
Tue Aug 29 11:07:49 2023 daemon.notice openvpn(Bodmeli)[5028]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Tue Aug 29 11:07:49 2023 daemon.notice openvpn(Bodmeli)[5028]: UDP link local: (not bound)
Tue Aug 29 11:07:49 2023 daemon.notice openvpn(Bodmeli)[5028]: UDP link remote: [AF_INET]92.107.60.66:1194
Tue Aug 29 11:07:49 2023 daemon.notice openvpn(Bodmeli)[5028]: TLS: Initial packet from [AF_INET]92.107.60.66:1194, sid=1fe887cc 9b2f208c
Tue Aug 29 11:07:49 2023 daemon.notice openvpn(Bodmeli)[5028]: VERIFY OK: depth=1, CN=Easy-RSA CA
Tue Aug 29 11:07:49 2023 daemon.notice openvpn(Bodmeli)[5028]: VERIFY KU OK
Tue Aug 29 11:07:49 2023 daemon.notice openvpn(Bodmeli)[5028]: Validating certificate extended key usage
Tue Aug 29 11:07:49 2023 daemon.notice openvpn(Bodmeli)[5028]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Aug 29 11:07:49 2023 daemon.notice openvpn(Bodmeli)[5028]: VERIFY EKU OK
Tue Aug 29 11:07:49 2023 daemon.notice openvpn(Bodmeli)[5028]: VERIFY X509NAME OK: CN=DietPi_fc4ea1a4-bf38-4dec-bbdb-9c883cac0515
Tue Aug 29 11:07:49 2023 daemon.notice openvpn(Bodmeli)[5028]: VERIFY OK: depth=0, CN=DietPi_fc4ea1a4-bf38-4dec-bbdb-9c883cac0515
Tue Aug 29 11:07:50 2023 daemon.notice openvpn(Bodmeli)[5028]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Tue Aug 29 11:07:50 2023 daemon.notice openvpn(Bodmeli)[5028]: [DietPi_fc4ea1a4-bf38-4dec-bbdb-9c883cac0515] Peer Connection Initiated with [AF_INET]92.107.60.66:1194
Tue Aug 29 11:07:50 2023 daemon.notice openvpn(Bodmeli)[5028]: PUSH: Received control message: ‘PUSH_REPLY,dhcp-option DNS 192.168.1.1,dhcp-option DNS 8.8.8.8,block-outside-dns,redirect-gateway def1,route-gateway 10.198.101.1,topology subnet,ping 15,ping-restart 120,ifconfig 10.198.101.2 255.255.255.0,peer-id 0,cipher AES-256-GCM’
Tue Aug 29 11:07:50 2023 daemon.err openvpn(Bodmeli)[5028]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:3: block-outside-dns (2.5.3)
Tue Aug 29 11:07:50 2023 daemon.notice openvpn(Bodmeli)[5028]: OPTIONS IMPORT: timers and/or timeouts modified
Tue Aug 29 11:07:50 2023 daemon.notice openvpn(Bodmeli)[5028]: OPTIONS IMPORT: --ifconfig/up options modified
Tue Aug 29 11:07:50 2023 daemon.notice openvpn(Bodmeli)[5028]: OPTIONS IMPORT: route options modified
Tue Aug 29 11:07:50 2023 daemon.notice openvpn(Bodmeli)[5028]: OPTIONS IMPORT: route-related options modified
Tue Aug 29 11:07:50 2023 daemon.notice openvpn(Bodmeli)[5028]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Aug 29 11:07:50 2023 daemon.notice openvpn(Bodmeli)[5028]: OPTIONS IMPORT: peer-id set
Tue Aug 29 11:07:50 2023 daemon.notice openvpn(Bodmeli)[5028]: OPTIONS IMPORT: adjusting link_mtu to 1624
Tue Aug 29 11:07:50 2023 daemon.notice openvpn(Bodmeli)[5028]: OPTIONS IMPORT: data channel crypto options modified
Tue Aug 29 11:07:50 2023 daemon.notice openvpn(Bodmeli)[5028]: Data Channel: using negotiated cipher ‘AES-256-GCM’
Tue Aug 29 11:07:50 2023 daemon.notice openvpn(Bodmeli)[5028]: Outgoing Data Channel: Cipher ‘AES-256-GCM’ initialized with 256 bit key
Tue Aug 29 11:07:50 2023 daemon.notice openvpn(Bodmeli)[5028]: Incoming Data Channel: Cipher ‘AES-256-GCM’ initialized with 256 bit key
Tue Aug 29 11:07:50 2023 daemon.notice openvpn(Bodmeli)[5028]: net_route_v4_best_gw query: dst 0.0.0.0
Tue Aug 29 11:07:50 2023 daemon.notice openvpn(Bodmeli)[5028]: net_route_v4_best_gw result: via 0.0.0.0 dev wwan0
Tue Aug 29 11:07:50 2023 daemon.notice openvpn(Bodmeli)[5028]: TUN/TAP device tun_c_Bodmeli opened
Tue Aug 29 11:07:50 2023 daemon.notice openvpn(Bodmeli)[5028]: net_iface_mtu_set: mtu 1500 for tun_c_Bodmeli
Tue Aug 29 11:07:50 2023 daemon.notice openvpn(Bodmeli)[5028]: net_iface_up: set tun_c_Bodmeli up
Tue Aug 29 11:07:50 2023 daemon.notice openvpn(Bodmeli)[5028]: net_addr_v4_add: 10.198.101.2/24 dev tun_c_Bodmeli
Tue Aug 29 11:07:50 2023 daemon.notice openvpn(Bodmeli)[5028]: /etc/openvpn/updown.sh tun_c_Bodmeli 1500 1552 10.198.101.2 255.255.255.0 init
Tue Aug 29 11:07:51 2023 daemon.notice openvpn(Bodmeli)[5028]: net_route_v4_add: 92.107.60.66/32 via 0.0.0.0 dev wwan0 table 0 metric -1
Tue Aug 29 11:07:51 2023 daemon.notice openvpn(Bodmeli)[5028]: net_route_v4_add: 0.0.0.0/1 via 10.198.101.1 dev [NULL] table 0 metric -1
Tue Aug 29 11:07:51 2023 daemon.notice openvpn(Bodmeli)[5028]: net_route_v4_add: 128.0.0.0/1 via 10.198.101.1 dev [NULL] table 0 metric -1
Tue Aug 29 11:07:51 2023 daemon.notice openvpn(Bodmeli)[5028]: net_route_v4_add: 192.168.1.0/24 via 10.198.101.1 dev [NULL] table 0 metric -1
Tue Aug 29 11:07:51 2023 daemon.notice openvpn(Bodmeli)[5028]: Initialization Sequence Completed
root@RUT956:~#

I would appreciate it if you could have a quick look over the log and check if it contains any "not-goods".

There is one error left, maybe you can help me with this:

Tue Aug 29 11:07:50 2023 daemon.err openvpn(Bodmeli)[5028]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:3: block-outside-dns (2.5.3)

And one more thing:
I can see the entire Subnet of the server from the RUT, which is as expected.
What do I have to change to have the same routing in the opposite direction, i.e. make the entire Subnet of the RUT visible from the server side?

Many thanks!!
Fritz

Hello,

Could you please add the following to the client configuration (to config file, or to ‘extra’ field if you are configuring via WebUI):

pull-filter ignore block-outside-dns

Regarding accessing RUT956 LAN, you need to specify the LAN network for this TLS client on the server. Please, take a look here.

Kind Regards

Hi there!

The tunnel works so far as it is supposed to do.
Now I am struggling to make the tunnel work symmetrically, i.e. so that I can not only see the server subnet from the client, but also the client subnet from the server. I added the necessary route on the server side and I can see (using tcpdump) that the packets addressed to the client network are sent into the tunnel, but nothing is coming back.

This is what the routing table on the RUT looks like:
root@RUT956:~# ip route
0.0.0.0/1 via 10.198.101.1 dev tun_c_Bodmeli
default dev wwan0 proto static scope link src 10.30.81.91 metric 4
10.30.81.91 dev wwan0 proto static scope link metric 4
10.198.101.0/24 dev tun_c_Bodmeli proto kernel scope link src 10.198.101.2
92.107.60.66 dev wwan0
128.0.0.0/1 via 10.198.101.1 dev tun_c_Bodmeli
192.168.1.0/24 via 10.198.101.1 dev tun_c_Bodmeli
192.168.2.0/24 dev br-lan proto static scope link metric 1
root@RUT956:~#

These are the original routes generated automatically by the RUT.

My questions:

  1. Do I need to add something more?
  2. Can I install tcpdump on the RUT to troubleshoot or could this mess up something on the RUT?

Thanks for your support!
Fritz

Hello,

Add the following to the server config:

client-config-dir /etc/openvpn/ccd

This tells the server where the client configurations are located.

Within the directory (In this example /etc/openvpn/ccd), create a file named after the client’s Common Name (CN) from their certificate. For example, if a client’s CN is client1, then you would create a file named client1 inside the ccd directory. In this file, you can specify options for this specific client. To associate a client with a specific network, you can use the iroute option:

iroute 192.168.10.0 255.255.255.0

This tells the server to associate the network 192.168.10.0/24 with client1. Basically, this means that the server will route traffic destined to 192.168.10.0/24 network via client1.

Kind Regards,

Hello!

The iroute-entry in fact did the trick!
Many thanks for your help!

Now I have to do some “finetuning” …
As it looks, the RUT squeezes all traffic through the tunnel and not only the traffic addressed to the server side. Maybe you have some good ideas to get around this as well?

This is what the routing table on the RUT looks like:
root@RUT956:~# ip route
0.0.0.0/1 via 10.198.101.1 dev tun_c_Bodmeli
default dev wwan0 proto static scope link src 10.41.85.246 metric 4
10.41.85.246 dev wwan0 proto static scope link metric 4
10.198.101.0/24 dev tun_c_Bodmeli proto kernel scope link src 10.198.101.2
92.107.60.66 dev wwan0
128.0.0.0/1 via 10.198.101.1 dev tun_c_Bodmeli
192.168.1.0/24 via 10.198.101.1 dev tun_c_Bodmeli
192.168.2.0/24 dev br-lan proto static scope link metric 1
root@RUT956:~#

For my taste, the system generated some unnecessary routes.
What do you think?

Best regards
Fritz

Hello,

You have the following routes:

128.0.0.0/1 via 10.198.101.1 dev tun_c_Bodmeli
0.0.0.0/1 via 10.198.101.1 dev tun_c_Bodmeli

Essentially, this means that all traffic will be sent via the OpenVPN server.
If you do not want to route everything via OpenVPN, remove this push route option from the server configuration. Ensure that you only push the route to the LAN network of the server (assuming you want to reach the server's LAN from the client).

Kind Regards,
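An added example (not from the thread or from Teltonika) that replays the RUT's routing table quoted above through a longest-prefix-match lookup, the rule the kernel applies, to show why the two /1 routes pushed by redirect-gateway def1 capture every destination the wwan0 default would otherwise carry, and what the same table resolves to once those two routes are no longer pushed. The destination addresses tried in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Teltonika. Replays the RUT956
# routing table quoted above through a longest-prefix-match lookup to show why
# 0.0.0.0/1 and 128.0.0.0/1 (pushed by 'redirect-gateway def1') beat the wwan0
# default route for every destination except the LAN, the tunnel subnet and the
# VPN server's own /32 host route. Assumes POSIX sh and awk only.

# 'ip route' output copied from the thread (full-tunnel state).
RUT_ROUTES='0.0.0.0/1 via 10.198.101.1 dev tun_c_Bodmeli
default dev wwan0 proto static scope link src 10.41.85.246 metric 4
10.41.85.246 dev wwan0 proto static scope link metric 4
10.198.101.0/24 dev tun_c_Bodmeli proto kernel scope link src 10.198.101.2
92.107.60.66 dev wwan0
128.0.0.0/1 via 10.198.101.1 dev tun_c_Bodmeli
192.168.1.0/24 via 10.198.101.1 dev tun_c_Bodmeli
192.168.2.0/24 dev br-lan proto static scope link metric 1'

# The same table after the server stops pushing 'redirect-gateway def1' and only
# pushes its LAN (192.168.1.0/24): the two /1 halves disappear.
SPLIT_ROUTES=$(printf '%s\n' "$RUT_ROUTES" | grep -v '^[0-9.]*/1 via')

# route_lookup DEST [TABLE]: print the egress interface for DEST using
# longest-prefix match over TABLE (default: RUT_ROUTES).
route_lookup() {
    printf '%s\n' "${2:-$RUT_ROUTES}" | awk -v dest="$1" '
        function ip2int(s,  o) {
            split(s, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        # Top "bits" bits of a 32-bit address, as an integer.
        function prefix(n, bits) { return bits == 0 ? 0 : int(n / 2 ^ (32 - bits)) }
        BEGIN { best = -1; d = ip2int(dest) }
        {
            net = $1; bits = 32; iface = ""
            if (net == "default") { net = "0.0.0.0"; bits = 0 }
            else if (index(net, "/")) { split(net, p, "/"); net = p[1]; bits = p[2] + 0 }
            for (i = 1; i < NF; i++) if ($i == "dev") iface = $(i + 1)
            if (prefix(d, bits) == prefix(ip2int(net), bits) && bits > best) {
                best = bits; bestif = iface
            }
        }
        END { print bestif }'
}

# full_tunnel_active [TABLE]: "yes" when both def1 halves are present, i.e.
# everything not matched by a more specific route goes into the VPN.
full_tunnel_active() {
    printf '%s\n' "${1:-$RUT_ROUTES}" | awk '
        $1 == "0.0.0.0/1"   { lo = 1 }
        $1 == "128.0.0.0/1" { hi = 1 }
        END { if (lo && hi) print "yes"; else print "no" }'
}

# demo_table LABEL TABLE: resolve a few constructed destinations against TABLE.
demo_table() {
    echo "$1: full tunnel = $(full_tunnel_active "$2")"
    for dst in 8.8.8.8 172.16.0.1 92.107.60.66 192.168.1.10 192.168.2.10; do
        echo "  $dst -> $(route_lookup "$dst" "$2")"
    done
}
demo_table "as pushed (def1)" "$RUT_ROUTES"
demo_table "without def1" "$SPLIT_ROUTES"
```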