I am trying to solve an issue I’ve been having for a few days and hope someone can help before I throw my toys out of the pram. I am travelling soon and want my RUTX50 to tunnel all my traffic via my home router. The home router is set up as the server and if I use an OpenVPN app on my Android I can use the ovpn file from my home router to easily connect to home (although not to the devices behind it - I’m presuming a firewall issue to do with the incoming network).
The problem is when I use the ovpn file on the RUTX there’s no connection being made. I’ve tried a number of things but no dice. Going back to the start, the ovpn file has this:
remote my.address.here 1024
float
nobind
proto udp
dev tun
sndbuf 0
rcvbuf 0
keepalive 10 30
-----BEGIN CERTIFICATE-----
certificate here
-----END CERTIFICATE-----
And here is the log response.
root@Teltonika-RUTX50:~# logread | grep openvpn
Fri Sep 8 10:22:52 2023 kern.info kernel: openvpn configuration has been changed
Fri Sep 8 10:22:53 2023 daemon.warn openvpn(home)[11155]: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless “allow-compression yes” is also set.
Fri Sep 8 10:22:53 2023 daemon.notice openvpn(home)[11155]: OpenVPN 2.5.3 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Sep 8 10:22:53 2023 daemon.notice openvpn(home)[11155]: library versions: OpenSSL 1.1.1n 15 Mar 2022, LZO 2.10
Fri Sep 8 10:22:53 2023 daemon.err openvpn(home)[11155]: neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can’t ask for ‘Enter Auth Username:’. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Fri Sep 8 10:22:53 2023 daemon.notice openvpn(home)[11155]: Exiting due to fatal error
Fri Sep 8 10:22:53 2023 daemon.info procd: Instance openvpn::home s in a crash loop 12 crashes, 0 seconds since last crash
root@Teltonika-RUTX50:~#
This is a warning, not an error. But you can try adding the following to your OpenVPN config (notice hyphens):
--allow-compression yes
This is an error. Try changing ‘auth-user-pass’ to:
auth-user-pass /etc/creds
Then, access the CLI of your RUTX50 (instructions here) with username ‘root’ and execute the following commands (replace ‘admin’ with your openvpn username, and ‘password1’ with your password. Please keep the ‘\n’ to separate those):
That was the post I was trying to follow but I got completely lost in it, tbh. I kind of expected the RUTX (as expensive as it was) to just be able to run the OpenVPN from a file like my phone.
Anyway I made the changes so that the ovpn file looks like this…
remote address 1024
float
nobind
proto udp
dev tun
sndbuf 0
rcvbuf 0
keepalive 10 30
Added the creds file and got this log:
Fri Sep 8 11:18:46 2023 kern.info kernel: openvpn configuration has been changed
Fri Sep 8 11:18:48 2023 daemon.warn openvpn(home)[32414]: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless “allow-compression yes” is also set.
Fri Sep 8 11:18:48 2023 daemon.warn openvpn(home)[32414]: WARNING: Compression for sending and receiving enabled. Compression has been used in the past to break encryption. Allowing compression allows attacks that break encryption. Using “–allow-compression yes” is strongly discouraged for common usage. See --compress in the manual page for more information
Fri Sep 8 11:18:48 2023 daemon.notice openvpn(home)[32414]: OpenVPN 2.5.3 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Sep 8 11:18:48 2023 daemon.notice openvpn(home)[32414]: library versions: OpenSSL 1.1.1n 15 Mar 2022, LZO 2.10
Fri Sep 8 11:18:48 2023 daemon.err openvpn(home)[32414]: neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can’t ask for ‘Enter Auth Password:’. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Fri Sep 8 11:18:48 2023 daemon.notice openvpn(home)[32414]: Exiting due to fatal error
Fri Sep 8 11:18:48 2023 daemon.info procd: Instance openvpn::home s in a crash loop 13 crashes, 0 seconds since last crash
root@Teltonika-RUTX50:~#
Which looks a bit similar to before.
Firstly, the configuration requires a username and a password. When OpenVPN runs as a service (daemonized), it cannot prompt for interactive input, so credentials need to be provided in another manner. Thus you need to specify the file from which to read those values. Another option would be to use certificates.
Secondly, you posted:
–allow-compression yes
Could you please clarify whether the original file has ‘–’ or ‘--’ (double hyphen or an em dash)?
Thirdly, could you please check whether the username and password are in the file? (cat reads from the file):
If you are editing the file on your windows machine, make sure the config is in the unix format. For example, when editing openvpn configuration files with Notepad++, always make sure it’s in UNIX format (Edit → EOL Conversion → UNIX Format).
Some good info there, thanks. I’ll double check the allow-compression but I believe it was a double hyphen in the actual file. I’ll also check re the editing in Notepad++. On the home router I did find extra stuff - mainly CA certificate, server certificate, server key and Diffie-Hellman parameters. Is this at all useful (it would need to be cut and pasted into something)? I also have an option to switch off username and password authentication only? (Likely to help / be safe?) Thanks again.
You can disable username/password authentication if you want, but then I would suggest using TLS certificates. Those can either be embedded into the config file, or uploaded separately. In RUTX50, when you upload a config file there is an option to upload authentication files separately as well. So if the certificates are embedded into the configuration file, there is no need to upload them separately. Certs can get a bit confusing.
Generally, the CA certificate will be the same file on both devices. Server cert, server key and DH will be on your server device (your home router). RUTX50 will have client cert and client key in .pem format.
Also, if you are curious, you can find more configuration examples and explanations on our wiki page here.
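The two replies above boil down to a handful of checks a practitioner would run on the client config before handing it to a daemonised OpenVPN: the auth-user-pass file exists, has exactly a username line and a password line, has Unix line endings and is not world-readable; the config itself has no CRLF endings and no en/em dashes pasted from a web page; and any inline certificate material is still wrapped in its <ca>, <cert> and <key> tags. The script below is an added example (POSIX sh, so it also runs under BusyBox ash on the router), not code from this thread or from Teltonika. The file names and contents in demo() are constructed for illustration; the only thing it assumes about the real setup is that the config names its credentials file with auth-user-pass <path>.

```shell
#!/bin/sh
# Added example, not code from the Teltonika thread or from Teltonika:
# pre-flight checks for an OpenVPN client config and its auth-user-pass file
# on a router where OpenVPN runs daemonised and cannot prompt for input.
# POSIX sh only, so it also runs under BusyBox ash. All file names and
# contents in demo() are constructed for illustration.

# True if the file contains CR characters (Windows CRLF line endings).
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# True if the file contains a UTF-8 en dash or em dash, the usual result of
# copying "--option" out of a web page.
has_unicode_dash() {
    grep -q "$(printf '\342\200\223')" "$1" || grep -q "$(printf '\342\200\224')" "$1"
}

# Credentials file: line 1 username, line 2 password, Unix line endings,
# readable only by root (mode 600 or 400).
check_creds() {
    f=$1
    [ -f "$f" ] || { echo "creds: $f does not exist"; return 1; }
    if has_crlf "$f"; then
        echo "creds: CRLF line endings, the password would end in \\r"; return 1
    fi
    n=$(grep -c . "$f" || true)
    [ "$n" -eq 2 ] || { echo "creds: expected 2 non-empty lines, found $n"; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null || echo unknown)
    case $mode in
        600|400) ;;
        *) echo "creds: mode $mode too permissive, use chmod 600 $f"; return 1 ;;
    esac
}

# Inline <ca>/<cert>/<key>/... blocks must be paired and every PEM BEGIN
# line must sit inside one; the tags are easily lost when pasting.
check_inline() {
    awk '
        /^<(ca|cert|key|dh|tls-auth|tls-crypt)>$/   { if (open != "") bad++; open = substr($0, 2, length($0) - 2); next }
        /^<\/(ca|cert|key|dh|tls-auth|tls-crypt)>$/ { if (substr($0, 3, length($0) - 3) != open) bad++; open = ""; next }
        /^-----BEGIN /                              { if (open == "") bad++ }
        END { if (open != "") bad++; exit (bad > 0) }
    ' "$1"
}

# Whole config: returns 0 when it is safe to hand to the daemon.
check_config() {
    cfg=$1; rc=0
    if has_crlf "$cfg"; then echo "config: CRLF line endings, convert to Unix format"; rc=1; fi
    if has_unicode_dash "$cfg"; then echo "config: en/em dash found where '--' or no prefix is expected"; rc=1; fi
    # A bare auth-user-pass (no file argument) makes the daemon try to prompt
    # and exit with "can't ask for 'Enter Auth Username:'".
    if grep -Eq '^(--)?auth-user-pass[[:space:]]*$' "$cfg"; then
        echo "config: auth-user-pass has no file argument"; rc=1
    fi
    creds=$(sed -n -E 's/^(--)?auth-user-pass[[:space:]]+([^[:space:]]+).*/\2/p' "$cfg" | head -n 1)
    if [ -n "$creds" ]; then check_creds "$creds" || rc=1; fi
    if ! check_inline "$cfg"; then echo "config: inline certificate blocks unbalanced or PEM outside <tags>"; rc=1; fi
    # Compression inside the tunnel leaks plaintext (the VORACLE class of
    # attacks), which is what the daemon's warning is about; flag it.
    if grep -Eq '^(--)?(allow-compression[[:space:]]+yes|comp-lzo|compress[[:space:]]+(lzo|lz4|lz4-v2))' "$cfg"; then
        echo "config: compression enabled; prefer 'allow-compression no' unless the server insists"
    fi
    return $rc
}

# Constructed demo: one broken config (CRLF, bare auth-user-pass) and one
# that passes, with a mode-600 credentials file.
demo() {
    d=$(mktemp -d)
    printf 'client\r\ndev tun\r\nauth-user-pass\r\n' > "$d/broken.ovpn"
    printf 'admin\npassword1\n' > "$d/creds"; chmod 600 "$d/creds"
    printf 'client\ndev tun\nauth-user-pass %s\n<ca>\n-----BEGIN CERTIFICATE-----\nMIIBexampleNotARealCert\n-----END CERTIFICATE-----\n</ca>\n' "$d/creds" > "$d/ok.ovpn"
    for c in broken ok; do
        if check_config "$d/$c.ovpn"; then echo "$c.ovpn: OK"; else echo "$c.ovpn: FIX BEFORE STARTING"; fi
    done
    rm -rf "$d"
}
demo
```

On the router itself the same functions can be pointed at the real files (for example check_config /etc/openvpn/home.conf, or whatever path the web UI writes the uploaded config to) once the script is copied over via scp; a failing check_creds is the first thing to rule out when the log keeps saying it cannot ask for "Enter Auth Password:".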
Checked the ovpn file and it is set to Unix. No matter what I do it keeps giving me similar errors.
Fri Sep 8 14:19:24 2023 daemon.notice openvpn(home)[26895]: OpenVPN 2.5.3 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Sep 8 14:19:24 2023 daemon.notice openvpn(home)[26895]: library versions: OpenSSL 1.1.1n 15 Mar 2022, LZO 2.10
Fri Sep 8 14:19:24 2023 daemon.err openvpn(home)[26895]: neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can’t ask for ‘Enter Auth Password:’. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Fri Sep 8 14:19:24 2023 daemon.notice openvpn(home)[26895]: Exiting due to fatal error
Fri Sep 8 14:19:29 2023 daemon.warn openvpn(home)[26910]: WARNING: Compression for sending and receiving enabled. Compression has been used in the past to break encryption. Allowing compression allows attacks that break encryption. Using “–allow-compression yes” is strongly discouraged for common usage. See --compress in the manual page for more information
Fri Sep 8 14:19:29 2023 daemon.notice openvpn(home)[26910]: OpenVPN 2.5.3 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Sep 8 14:19:29 2023 daemon.notice openvpn(home)[26910]: library versions: OpenSSL 1.1.1n 15 Mar 2022, LZO 2.10
Fri Sep 8 14:19:29 2023 daemon.err openvpn(home)[26910]: neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can’t ask for ‘Enter Auth Password:’. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Fri Sep 8 14:19:29 2023 daemon.notice openvpn(home)[26910]: Exiting due to fatal error
Fri Sep 8 14:19:29 2023 daemon.info procd: Instance openvpn::home s in a crash loop 6 crashes, 1 seconds since last crash
Fri Sep 8 14:19:31 2023 daemon.warn openvpn(home)[27002]: WARNING: Compression for sending and receiving enabled. Compression has been used in the past to break encryption. Allowing compression allows attacks that break encryption. Using “–allow-compression yes” is strongly discouraged for common usage. See --compress in the manual page for more information
Fri Sep 8 14:19:31 2023 daemon.notice openvpn(home)[27002]: OpenVPN 2.5.3 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Sep 8 14:19:31 2023 daemon.notice openvpn(home)[27002]: library versions: OpenSSL 1.1.1n 15 Mar 2022, LZO 2.10
Fri Sep 8 14:19:31 2023 daemon.err openvpn(home)[27002]: neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can’t ask for ‘Enter Auth Password:’. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Fri Sep 8 14:19:31 2023 daemon.notice openvpn(home)[27002]: Exiting due to fatal error
Fri Sep 8 14:19:31 2023 daemon.info procd: Instance openvpn::home s in a crash loop 7 crashes, 0 seconds since last crash
I’ve checked the /etc/creds and it exists and is fine, changed the attributes via chmod. I’ve not changed the ovpn since last time I posted and it has --allow-compression yes (2 hyphens) and tried --auth-user-pass /etc/creds (2 hyphens) and auth-user-pass /etc/creds with same results. Restarting the service gave me an error about not being able to delete a file as it didn’t exist (openvpn state) but just doing start gave me the errors above. I tried to follow the instructions in the link you gave but the interface is pretty different and then you add in the fact the home router is not a RUTX it (and the head here today) got the better of me. Is there an easier VPN to set up or am I just missing something really simple? Thanks for your continued patience.
So I changed tack and used the pre-shared key for OpenVPN seeing as I’ll only ever need one connection (my mobile router) to the home router. I did check my public facing IP address though. At home it is 86.x.x.x, the mobile router is 34.x.x.x. I expected when I used my laptop connected to the mobile router to return 86.x.x.x on whatsmyipaddress.com but it still showed 34.x.x.x. The main reason I was setting it up was to get the IP address to look like I’m at home. Any ideas what is going on? Or have I just totally missed the point? Thanks in advance.
The router at home has no option for manual commands (that I can see) so I’ll need to add the redirect on the RUTX? Is that just the command line entry right there (and is def1 what I need to use or something else in its place)?
The home router does have the option set to redirect traffic to intranet and internet (the other option is just LAN).
Thanks again. If I can get this going I might not be in the doghouse!
Basically, the OpenVPN tunnel in your case is used only when accessing the 10.0.0.1 server. All other traffic uses your regular mobile WAN (qmimux0).
If you can’t change the configuration on the server, you can try adding the default gw option to the client config. Then, restart openvpn (you can simply turn it off/on) and check the routes again.
Another option would be to add routes to 0.0.0.0 manually via 10.0.0.1 (server).
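The reply above is a routing-table statement: with the tunnel up but no redirect-gateway, the only route pointing at tun0 is the one for the peer 10.0.0.1, so everything else still leaves via qmimux0 and the public IP stays the mobile one. The script below is an added example, not code from this thread or from Teltonika. It walks a small constructed routing table with longest-prefix matching, then adds the routes that redirect-gateway def1 installs (two /1 routes plus a host route for the VPN server, as the OpenVPN manual describes) and shows which interface each destination now takes. The interface names qmimux0, tun0 and br-lan are taken from the thread's register; the mobile gateway 10.64.64.64 and the VPN server's public address 203.0.113.10 are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the Teltonika thread or from Teltonika: a
# longest-prefix-match walk over a constructed routing table showing why a
# plain client config only sends traffic for the tunnel peer (10.0.0.1) over
# tun0, and what 'redirect-gateway def1' changes. POSIX sh (BusyBox-safe).
# Interface names (qmimux0, tun0, br-lan), the mobile gateway 10.64.64.64 and
# the VPN server's public address 203.0.113.10 are assumptions for the demo.

# Dotted quad -> 32-bit integer (plain decimal octets, no leading zeros).
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Longest-prefix match over lines "PREFIX[/LEN] [via GW] dev IFACE".
# 'default' is 0.0.0.0/0; a bare address is a /32. Prints the interface of
# the most specific matching route, which is how the kernel chooses when
# metrics are equal.
route_lookup() {
    table=$1; dst=$(ip2int "$2"); best_len=-1; best_dev=""
    while read -r prefix rest; do
        [ -n "$prefix" ] || continue
        [ "$prefix" = default ] && prefix=0.0.0.0/0
        case $prefix in */*) ;; *) prefix="$prefix/32" ;; esac
        net=${prefix%/*}; len=${prefix#*/}
        mask=$(( (0xffffffff << (32 - len)) & 0xffffffff ))
        if [ $(( $(ip2int "$net") & mask )) -eq $(( dst & mask )) ] && [ "$len" -gt "$best_len" ]; then
            best_len=$len; best_dev=${rest##*dev }
        fi
    done <<EOF
$table
EOF
    echo "$best_dev"
}

# The routes OpenVPN installs for 'redirect-gateway def1' (per the OpenVPN
# manual): two /1 routes that beat the WAN default by prefix length without
# deleting it, plus a host route so the VPN server itself stays on the WAN.
def1_routes() { # vpn_gw vpn_dev server_ip wan_gw wan_dev
    printf '%s\n' "0.0.0.0/1 via $1 dev $2" "128.0.0.0/1 via $1 dev $2" "$3/32 via $4 dev $5"
}

# Constructed table: tunnel up, no redirect-gateway (the thread's situation).
ROUTES_BEFORE='default via 10.64.64.64 dev qmimux0
10.0.0.1 dev tun0
10.64.64.64 dev qmimux0
192.168.1.0/24 dev br-lan'

# Same table after the client config gains 'redirect-gateway def1'.
ROUTES_AFTER="$ROUTES_BEFORE
$(def1_routes 10.0.0.1 tun0 203.0.113.10 10.64.64.64 qmimux0)"

demo() {
    for dst in 8.8.8.8 10.0.0.1 203.0.113.10 192.168.1.5; do
        printf '%-14s without def1: %-8s with def1: %s\n' "$dst" \
            "$(route_lookup "$ROUTES_BEFORE" "$dst")" "$(route_lookup "$ROUTES_AFTER" "$dst")"
    done
}
demo
```

Two practical consequences follow from the table. OpenVPN adds the def1 routes when the tunnel comes up and removes them when it exits, so the WAN default route is untouched while the VPN is off; compare the demo against ip route on the RUTX50 before and after restarting the instance. Routing says nothing about name resolution, though: once the /1 routes are in place the router's own DNS queries also travel through the tunnel, and a resolver the mobile carrier only answers from inside its network then stops responding, so a resolver reachable via the tunnel (or a public one) has to be configured.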
To add the default gateway is that a case of amending the openvpn file with the line you gave me before? The VPN won’t always be on so I do want to make sure the RUTX can still access the net when the VPN is off.
Did that and restarted. Connected again fine. Ping can now reach anything including the VPN home LAN. Issue is that it seems it has no DNS as I can’t ping an address (rather than the numbered version).
Thought I’d also do a traceroute to check that the VPN address was in there and…
1 10.0.0.1 (10.0.0.1) 59.279 ms 80.596 ms 54.622 ms
2 * * *
3 * * *
4 hidden (hidden) 71.680 ms 79.488 ms hidden (hidden) 79.724 ms
5 213.121.192.80 (213.121.192.80) 83.578 ms 195.99.127.178 (195.99.127.178) 90.149 ms 213.121.192.72 (213.121.192.72) 110.121 ms
6 194.72.16.68 (194.72.16.68) 81.699 ms 109.159.252.88 (109.159.252.88) 87.199 ms 194.72.16.162 (194.72.16.162) 88.332 ms
7 109.159.253.219 (109.159.253.219) 85.548 ms 109.159.253.3 (109.159.253.3) 87.136 ms 109.159.253.189 (109.159.253.189) 81.425 ms
8 * * *
9 8.8.8.8 (8.8.8.8) 76.737 ms 82.017 ms 79.642 ms
So just the DNS issue to resolve I think. Thanks again for your patience with this.
And that appears to have sorted it out. Great thanks. I’ll need to take a look at the not secret key version at some point for multiple connections but for now that will do nicely. Thanks very much for your help - much appreciated.