RUT36X_R_00.07.04.3 openvpn

Hi,

With a PC connected to the internet, I would like to join the LAN network of a RUT360.
I have installed the OpenVPN server on the RUT. The status is active.
Here is the router conf:

Enable : on
Enable OpenVPN config from file : off
TUN/TAP : TUN (tunnel)
Protocol : UDP
Port :1194
LZO : None
Authentication : TLS
Encryption : AES-256-GCM 256
TLS cipher : All
Client to client : Off
Keep alive : 10 120
Virtual network IP address : 172.16.50.0
Virtual network netmask : 255.255.255.0
Push option :
Allow duplicate certificates : off
Authentication algorithm : SHA1
Additional HMAC authentication : None
Use PKCS #12 format : off
Certificate files from device : off
Certificate authority : ca.crt (1.2 KB)
Server certificate : server.crt (4.6 KB)
Server key : server.key (1.7 KB)
Diffie Hellman parameters

I followed your example to create the ovpn file.
https://wiki.teltonika-networks.com/view/OpenVPN_client_on_Windows

client
dev tun_c_ovpn
proto udp
remote 188.xx.1yy.1xx 1194
resolv-retry infinite
keepalive 5 10
nobind
persist-key
persist-tun
verb 3

-----BEGIN CERTIFICATE-----
Copy certificate authority (ca)
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
Copy certificate server.crt
-----END CERTIFICATE-----

-----BEGIN PRIVATE KEY-----
Copy certificate server.key
-----END PRIVATE KEY-----

I had several questions when creating the ovpn file:

  • proto UDP or TCP
  • In my example, AES-256-GCM 256.

Perhaps you should add:

  • cipher AES-256-CBC
  • tls-cipher TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
  • auth SHA256

Another thing, I’ve extracted static.key, but I don’t know how or where to use it.

best regards

Hello,

You can keep UDP as the protocol in the configuration, and it needs to match on both sides.

Since you are using TLS authentication, in the client configuration, you need to put:

  • CA (same on both, server and client)

  • Client cert

  • Client key

Also, make sure that your RUT360 server has a public IP address. I can see in the client config that the IP (remote 188.xx.1yy.1xx 1194) starts with 188. On your RUT360, navigate to Network → Interfaces and check what IP address your WAN (or mob1s1a1 if you are using mobile) interface has. Is it the ‘188.xx.1yy.1xx’ IP address? If not, what are the first 2 octets of the IP address (first half)?

Kind Regards,

Hi,

The RUT’s IP address is fixed.
I can manage the router with this address, and port 10009.

In the ovpn file, should I specify the encryption? AES-256-CBC

Best regards

Hello,

It is not necessary to explicitly define an encryption in the client configuration, unless you want to force this specific encryption. The OpenVPN client should adopt the encryption offered by the server.

Kind Regards,

Hi,
The SSL connection still doesn’t work.
I’ve retrieved the static.key file. Is this file useful for connecting using SSL?

How can I go about finding the problem?

In private, do you want the address, login and password?

Thank you
Best regards

Hello,

The forum is public and there is no way for us to share information privately. Thus, you cannot send me any files.

If you are having issues with OpenVPN, could you please share your server and client configurations?

Additionally, access the command line of RUT360 (instructions here) with username ‘root’ and execute the following command to see OpenVPN logs:

logread | grep openvpn

Please hide any sensitive information from the logs, such as public IP addresses, and post these logs here.

Kind Regards,

The RUT configuration is indicated at the beginning of our exchange.
I’m attaching the logs retrieved from the router.

log
root@RUT360:~# logread | grep openvpn
Fri Sep 22 12:21:20 2023 daemon.notice openvpn(mco)[7053]: TCP/UDP: Closing socket
Fri Sep 22 12:21:25 2023 daemon.notice openvpn(mco)[7053]: MULTI: multi_create_instance called
Fri Sep 22 12:21:25 2023 daemon.notice openvpn(mco)[7053]: Re-using SSL/TLS context
Fri Sep 22 12:21:25 2023 daemon.notice openvpn(mco)[7053]: Control Channel MTU parms [ L:1623 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Fri Sep 22 12:21:25 2023 daemon.notice openvpn(mco)[7053]: Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Fri Sep 22 12:21:25 2023 daemon.notice openvpn(mco)[7053]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1551,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
Fri Sep 22 12:21:25 2023 daemon.notice openvpn(mco)[7053]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1551,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
Fri Sep 22 12:21:25 2023 daemon.notice openvpn(mco)[7053]: TCP connection established with [AF_INET]2xx.yy.24z.ww7:17908
Fri Sep 22 12:21:25 2023 daemon.notice openvpn(mco)[7053]: TCPv4_SERVER link local: (not bound)
Fri Sep 22 12:21:25 2023 daemon.notice openvpn(mco)[7053]: TCPv4_SERVER link remote: [AF_INET]2xx.yy.24z.ww7:17908
Fri Sep 22 12:21:26 2023 daemon.notice openvpn(mco)[7053]: 2xx.yy.24z.ww7:17908 TLS: Initial packet from [AF_INET]2xx.yy.24z.ww7:17908, sid=2227b700 01d8f6d7
Fri Sep 22 12:21:27 2023 daemon.err openvpn(mco)[7053]: 2xx.yy.24z.ww7:17908 VERIFY ERROR: depth=0, error=unsupported certificate purpose: CN=server, serial=293644171084180109276112189617069509874
Fri Sep 22 12:21:27 2023 daemon.err openvpn(mco)[7053]: 2xx.yy.24z.ww7:17908 OpenSSL: error:1417C086:lib(20):func(380):reason(134)
Fri Sep 22 12:21:27 2023 daemon.err openvpn(mco)[7053]: 2xx.yy.24z.ww7:17908 TLS_ERROR: BIO read tls_read_plaintext error
Fri Sep 22 12:21:27 2023 daemon.err openvpn(mco)[7053]: 2xx.yy.24z.ww7:17908 TLS Error: TLS object -> incoming plaintext read error
Fri Sep 22 12:21:27 2023 daemon.err openvpn(mco)[7053]: 2xx.yy.24z.ww7:17908 TLS Error: TLS handshake failed
Fri Sep 22 12:21:27 2023 daemon.err openvpn(mco)[7053]: 2xx.yy.24z.ww7:17908 Fatal TLS error (check_tls_errors_co), restarting
Fri Sep 22 12:21:27 2023 daemon.notice openvpn(mco)[7053]: 2xx.yy.24z.ww7:17908 SIGUSR1[soft,tls-error] received, client-instance restarting
Fri Sep 22 12:21:27 2023 daemon.notice openvpn(mco)[7053]: TCP/UDP: Closing socket
root@RUT360:~#

best regards

Hello,

Please ensure that both configurations are using either UDP (proto udp) or TCP (proto tcp). This needs to be identical in both configurations - on the server, and on the client.

The second thing is that the certificates in the client configuration may be wrong. Make sure you use the correct certificates in the client configuration. You can generate certificates on RUT360 in System → Administration → Certificates → File type: simple → generate. Then, these certificates will be available in the certificates manager tab above. Make sure you use the client.cert and client.key in the client configuration.

Kind Regards,
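As an added example (not part of this thread or of Teltonika's firmware), a small checker that reads the output of `logread | grep openvpn` and the client .ovpn and reports the two mismatches visible in the log above: the server's Local Options String says `proto TCPv4_SERVER` while the client profile says `proto udp`, and the `VERIFY ERROR ... unsupported certificate purpose: CN=server` shows the client presenting the server's certificate. The sample log and profile are constructed (IP addresses and serial altered); all function names are my own.

```python
import re

# Constructed sample, modelled on the RUT360 log posted in the thread.
SAMPLE_LOG = """\
Fri Sep 22 12:21:25 2023 daemon.notice openvpn(mco)[7053]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1551,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
Fri Sep 22 12:21:27 2023 daemon.err openvpn(mco)[7053]: 203.0.113.7:17908 VERIFY ERROR: depth=0, error=unsupported certificate purpose: CN=server, serial=1234
Fri Sep 22 12:21:27 2023 daemon.err openvpn(mco)[7053]: 203.0.113.7:17908 TLS Error: TLS handshake failed
"""

# Constructed client profile, modelled on the one posted in the thread.
SAMPLE_OVPN = """\
client
dev tun_c_ovpn
proto udp
remote 203.0.113.1 1194
"""

def server_proto(log):
    """Transport the server actually runs, taken from its Local Options String."""
    m = re.search(r"Local Options String.*?proto (TCP|UDP)v[46]_SERVER", log)
    return m.group(1).lower() if m else None

def client_proto(ovpn):
    """Transport from the client's 'proto' directive (udp4, tcp-client, ... -> udp/tcp)."""
    for line in ovpn.splitlines():
        parts = line.split()
        if parts and parts[0] == "proto":
            return parts[1].lower().split("-")[0].rstrip("46")
    return None

def verify_errors(log):
    """All (depth, reason, CN) triples from 'VERIFY ERROR' lines."""
    return re.findall(r"VERIFY ERROR: depth=(\d+), error=([^:]+): (CN=[^,]+)", log)

def diagnose(log, ovpn):
    """Human-readable findings; empty list means neither known problem was seen."""
    findings = []
    sp, cp = server_proto(log), client_proto(ovpn)
    if sp and cp and sp != cp:
        findings.append(f"proto mismatch: server runs {sp}, client profile says {cp}")
    for depth, reason, cn in verify_errors(log):
        if depth == "0" and "certificate purpose" in reason:
            # depth 0 is the peer's own cert: the client sent a server-purpose cert
            findings.append(f"client presented a certificate not valid for TLS client use ({cn}); "
                            "use client cert/key, not the server's")
        else:
            findings.append(f"VERIFY ERROR depth={depth}: {reason} ({cn})")
    return findings

if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG, SAMPLE_OVPN):
        print("-", f)
```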

Hi,

I repeated the procedure to generate the TLS certificates.
I have several questions about the vars.bat file.

During the new installation of OpenVPN I have 2 vars files:

  • the first one in "C:\Program Files\OpenVPN\easy-rsa"
  • the second one in "C:\Program Files\OpenVPN\easy-rsa\pki"

Which one should I modify? Or both?
Should I rename the vars file to vars.bat?

In front of each line of the vars file there is a #.
Should I delete them or keep them?

#set_var EASYRSA_REQ_COUNTRY "FR"
#set_var EASYRSA_REQ_PROVINCE "74"
#set_var EASYRSA_REQ_CITY "ACY"
#set_var EASYRSA_REQ_ORG "hsm"
#set_var EASYRSA_REQ_EMAIL "mco@hsm.hsm"
#set_var EASYRSA_REQ_OU "hsm.hsm"

Thanks

Best regards

Hello,

As far as I know, the vars file is used to generate certificates. If you have generated certificates on RUT360, you do not need to generate new certs. When you generate certs on RUT360, there should be 6 certificates generated (those important to us in this case) in System → Administration → Certificates → Certificates manager tab:

  • ca.cert.pem - download and use this same file on both, OpenVPN server (RUT) and client - this is Certificate Authority file.
  • server.cert.pem - download and upload to RUT360 OpenVPN server as server certificate.
  • server.key.pem - download and upload to RUT360 OpenVPN server as server key.
  • client.cert.pem - download and use in OpenVPN client configuration file as client certificate.
  • client.key.pem - download and use in OpenVPN client configuration file as client key.
  • dh.pem - download and upload to RUT360 OpenVPN server as Diffie Hellman parameters file.

Kind Regards,