RUT240 - OpenVPN Problem

I need to replace an old router. The config file on the old router is:

client
dev tun
proto udp
remote vpn-2024.xxxxx.de 62457
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert KFZ.crt
key KFZ.key
remote-cert-tls server
verb 3
cipher AES-256-GCM
auth SHA512
tls-ciphersuites TLS_AES_256_GCM_SHA384
tls-crypt vpn-2024-tls.key
auth-retry nointeract

I’ve tried two ways but neither works.

1: authentication static key

Status: Disconnected
RX: 0 B
TX: 560 B

LOG:

Tue Apr 16 20:33:22 2024 daemon.warn openvpn(KFZ)[18348]: Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
Tue Apr 16 20:33:22 2024 daemon.notice openvpn(KFZ)[18348]: OpenVPN 2.5.3 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Tue Apr 16 20:33:22 2024 daemon.notice openvpn(KFZ)[18348]: library versions: OpenSSL 3.0.12 24 Oct 2023, LZO 2.10
Tue Apr 16 20:33:22 2024 daemon.warn openvpn(KFZ)[18348]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Apr 16 20:33:22 2024 daemon.notice openvpn(KFZ)[18348]: Outgoing Static Key Encryption: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Apr 16 20:33:22 2024 daemon.notice openvpn(KFZ)[18348]: Outgoing Static Key Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Apr 16 20:33:22 2024 daemon.notice openvpn(KFZ)[18348]: Incoming Static Key Encryption: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Apr 16 20:33:22 2024 daemon.notice openvpn(KFZ)[18348]: Incoming Static Key Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Apr 16 20:33:24 2024 daemon.notice openvpn(KFZ)[18348]: TUN/TAP device tun_c_KFZ opened
Tue Apr 16 20:33:24 2024 daemon.notice openvpn(KFZ)[18348]: do_ifconfig, ipv4=0, ipv6=0
Tue Apr 16 20:33:24 2024 daemon.notice openvpn(KFZ)[18348]: /etc/openvpn/updown.sh tun_c_KFZ 1500 1572   init
Tue Apr 16 20:33:24 2024 daemon.notice openvpn(KFZ)[18348]: Data Channel MTU parms [ L:1572 D:1450 EF:72 EB:398 ET:0 EL:3 ]
Tue Apr 16 20:33:24 2024 daemon.notice openvpn(KFZ)[18348]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,secret'
Tue Apr 16 20:33:24 2024 daemon.notice openvpn(KFZ)[18348]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1572,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA256,keysize 256,secret'
Tue Apr 16 20:33:24 2024 daemon.notice openvpn(KFZ)[18348]: TCP/UDP: Preserving recently used remote address: [AF_INET]172.65.195.23:62457
Tue Apr 16 20:33:24 2024 daemon.notice openvpn(KFZ)[18348]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Tue Apr 16 20:33:24 2024 daemon.notice openvpn(KFZ)[18348]: UDP link local: (not bound)
Tue Apr 16 20:33:24 2024 daemon.notice openvpn(KFZ)[18348]: UDP link remote: [AF_INET]172.65.195.23:62457

2: authentication TLS

Error

Tue Apr 16 20:36:34 2024 daemon.err openvpn(KFZ)[19586]: Options error: If you use one of --cert or --key, you must use them both
Tue Apr 16 20:36:34 2024 daemon.warn openvpn(KFZ)[19586]: Use --help for more information.

3: add vpn configuration file & static key

Error

Tue Apr 16 20:37:39 2024 daemon.warn openvpn(KFZ)[19912]: Multiple --down scripts defined.  The previously configured script is overridden.
Tue Apr 16 20:37:39 2024 daemon.warn openvpn(KFZ)[19912]: Multiple --up scripts defined.  The previously configured script is overridden.
Tue Apr 16 20:37:39 2024 daemon.err openvpn(KFZ)[19912]: Cannot pre-load keyfile (vpn-2024-tls.key)
Tue Apr 16 20:37:39 2024 daemon.notice openvpn(KFZ)[19912]: Exiting due to fatal error

What is the problem?

Hello,

The issue is most likely caused by mismatched configurations between the client and server. Please review and adjust your VPN configuration to ensure it aligns with the requirements of the VPN server you’re connecting to. Double-check all settings and ensure that certificates match as well.

Best Regards,


@Marija

I got only the information from the provider and have no access to the server.
On another router it works fine.

I reconfigured the Teltonika, log see below.

I think the problem is: UDP link local: (not bound)
How can I bind the link?

or:

Will I get an IP address from the server?
How can I see this (command in CLI?)

Log:

Config:


Mon Apr 22 13:51:01 2024 daemon.notice openvpn(xxxxxxx)[24908]: Data Channel MTU parms [ L:1604 D:1450 EF:104 EB:403 ET:0 EL:3 ]
Mon Apr 22 13:51:01 2024 daemon.notice openvpn(xxxxxxx)[24908]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,secret'
Mon Apr 22 13:51:01 2024 daemon.notice openvpn(xxxxxxx)[24908]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,secret'
Mon Apr 22 13:51:01 2024 daemon.notice openvpn(xxxxxxx)[24908]: TCP/UDP: Preserving recently used remote address: [AF_INET]172.65.195.23:62457
Mon Apr 22 13:51:01 2024 daemon.notice openvpn(xxxxxxx)[24908]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Mon Apr 22 13:51:01 2024 daemon.notice openvpn(xxxxxxx)[24908]: UDP link local: (not bound)
Mon Apr 22 13:51:01 2024 daemon.notice openvpn(xxxxxxx)[24908]: UDP link remote: [AF_INET]172.65.195.23:62457
Mon Apr 22 13:53:03 2024 daemon.notice openvpn(xxxxxxx)[24908]: NOTE: failed to obtain options consistency info from peer -- this could occur if the remote peer is running a version of OpenVPN before 1.5-beta8 or if there is a network connectivity problem, and will not necessarily prevent OpenVPN from running (0 bytes received from peer, 0 bytes authenticated data channel traffic) -- you can disable the options consistency check with --disable-occ.


Hello,

Can you please specify whether you are talking about a Teltonika router or not?

Best Regards,


@Marija

Other router, not Teltonika.

Can you see what the problem is in the log file?

@Marija

How can I, for example, add remote-cert-tls server?

Hello,

When configuring an OpenVPN client with just a pre-shared key, there should be no need for the following files:

Additionally, it’s recommended to manually upload the necessary files via the WebUI.

For further guidance on configuring OpenVPN, you may find the information in this link helpful: OpenVPN Community Resources - How-To Guide.

Best Regards,


@Marija
System → Administration → Certificates

Manual upload is not possible, I get an error:

The file is a static key file:

#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END OpenVPN Static key V1-----

Why can't I upload the file?
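As an added example (not code from this thread or from Teltonika): a small Python checker for the client config posted at the top of the thread. It flags the conditions behind the errors quoted there (cert without key, nobind without remote, static-key mode mixed with TLS options, an unreadable tls-crypt file) and validates a tls-crypt key file against the "OpenVPN Static key V1" layout shown in this post. The config text, the key contents and the `files` dict standing in for the router's filesystem are constructed assumptions.

```python
import re
# Added example (not from the thread or Teltonika): a consistency checker for an
# OpenVPN client config covering the failures seen in the thread: cert without
# key, nobind without remote, static-key mode mixed with TLS options, and a
# missing or malformed tls-crypt key file. Config and key text are constructed.
CONFIG_TEXT = """\
dev tun
remote vpn-2024.example.de 62457
nobind
ca ca.crt
cert KFZ.crt
key KFZ.key
remote-cert-tls server
tls-crypt vpn-2024-tls.key
"""
BEGIN, END = "-----BEGIN OpenVPN Static key V1-----", "-----END OpenVPN Static key V1-----"
HEX_LINE = re.compile(r"^[0-9a-f]{32}$")  # 16 such lines = 256 bytes = 2048 bits

def parse_config(text):
    """Map each option name to its argument string ('' for bare flags)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, _, arg = line.partition(" ")
            opts[name] = arg.strip()
    return opts

def valid_static_key(data):
    """True if data is a 2048-bit 'OpenVPN Static key V1' file (comment lines allowed)."""
    lines = [l.strip() for l in data.splitlines() if l.strip() and not l.startswith("#")]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        return False
    body = lines[1:-1]
    return len(body) == 16 and all(HEX_LINE.match(l) for l in body)

def check_config(text, files):
    """Return findings; `files` maps key-file names to contents (stand-in for the filesystem)."""
    o = parse_config(text)
    findings = []
    if ("cert" in o) != ("key" in o):
        findings.append("cert and key must both be set")
    if "nobind" in o and "remote" not in o:
        findings.append("nobind requires remote")
    if "secret" in o and any(k in o for k in ("ca", "cert", "key", "tls-crypt", "tls-auth")):
        findings.append("static-key mode (secret) conflicts with TLS options")
    for opt in ("tls-crypt", "tls-auth"):
        if opt in o:
            name = o[opt].split()[0] if o[opt] else ""  # tls-auth may carry a direction argument
            if name not in files:
                findings.append(f"cannot read {opt} file {name}")
            elif not valid_static_key(files[name]):
                findings.append(f"{opt} file {name} is not a valid OpenVPN static key")
    return findings
```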

Hello,

Could you please confirm whether your device has the latest firmware version RUT2_R_00.07.06.10? If it does, we will proceed to analyze the issue further.

Best Regards,


@Marija

I tried with RUT9_R_00.07.06.10 and RUT9_R_00.07.06.6;
both have the same problem.

Here you can see my new OpenVPN configuration:

Authentication → TLS
Additional HMAC authentication → TLS

Teltonika-v3

If I start the OpenVPN tunnel I get the following error:

Fri Apr 26 13:55:54 2024 daemon.err openvpn(frankent)[5095]: Options error: If you use one of --cert or --key, you must use them both
Fri Apr 26 13:55:54 2024 daemon.warn openvpn(frankent)[5095]: Use --help for more information.

What does "If you use one of --cert or --key, you must use them both" mean???

I selected all 4 files???

This should be the intended behaviour: you are not uploading a valid certificate. OpenVPN static keys should not be uploaded to System → Administration → Certificates as they are OpenVPN-specific. You cannot use them anywhere else, meaning it would be pointless to have them in a central certificate manager.

You could try to disable "Certificate files from device" and upload them directly to the OpenVPN instance; it might help.

@pwsh
What do you mean with "You could try to disable Certificate files from device"??
I used the browse button for all 4 files and get the error as well.

Teltonika-v4

Fri Apr 26 15:17:47 2024 daemon.err openvpn(frankent)[15538]: Options error: If you use one of --cert or --key, you must use them both
Fri Apr 26 15:17:47 2024 daemon.warn openvpn(frankent)[15538]: Use --help for more information.

@Marija

If I test with an old firmware, R_00.01.06.1, I can upload and start the VPN.
The problem is that the cipher AES-256-GCM is not supported.

I think your firmware 07.06.xx has some bugs.

How can we debug?

In which folder will the files be uploaded to?
I want to check if I can see all of them.

@Marija

With firmware 07.05.4 and the same configuration I get another error:

Fri Apr 26 17:57:30 2024 daemon.err openvpn(test)[13043]: Options error: --nobind doesn't make sense unless used with --remote

@Marija

I downgraded to firmware 7.5.4

and used the options:
Enable OpenVPN config from file
Authentication: TLS
Additional HMAC authentication: TLS-CRYPT
selected all 4 files

OK, tunnel is connected.

Same configuration on firmware 7.6.6:
if I store the configuration I get a message: additional HMAC authentication require HMAC authentification key

In the log: private-key-password-failure

I think in your firmware higher than 7.5.4 there is a bug.

Hello,

Regarding your question:

The certificates can be found in the /etc/certificates/ folder.

Regarding HMAC, if you wish to utilize this additional authentication method, it’s necessary to upload the key.

Please attempt to upload the HMAC key and inform me of the outcome.

Best Regards,


@Marija

Check my screenshot!
I uploaded the key!

With firmware 7.5.4 it works.
With firmware 7.6.6 and 7.6.10 I get the error.

After uploading the key file in firmware 7.6.6 and 7.6.10 there is a message: additional HMAC authentication require HMAC authentification password

But the key has no password.

In firmware 7.5.4 I can upload the key and there is no message. And it works.

You have a bug since firmware 7.6.6 and higher.

I apologize for accidentally skipping your screenshot. I will conduct some tests and get back to you. Thank you for your patience.

Best Regards,
