openVPN can't load /etc/ssl/ca/openvpn/01.crt

I’ve had openVPN set up and working some time ago. Now I need it. However, it has silently broken since I tested it back then.

/var/log/messages contains this bit of text, explaining that six attempts to start were made, but all failed due to lack of a certificate.

2017-06-22T20:02:22+02:00 notice openvpn(server_turris)[5711]: OpenVPN 2.4.2 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2017-06-22T20:02:22+02:00 notice openvpn(server_turris)[5711]: library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.08
2017-06-22T20:02:22+02:00 notice openvpn(server_turris)[5711]: Diffie-Hellman initialized with 2048 bit key
2017-06-22T20:02:22+02:00 err openvpn(server_turris)[5711]: OpenSSL: error:02001002:lib(2):func(1):reason(2)
2017-06-22T20:02:22+02:00 err openvpn(server_turris)[5711]: OpenSSL: error:2006D080:lib(32):func(109):reason(128)
2017-06-22T20:02:22+02:00 err openvpn(server_turris)[5711]: OpenSSL: error:140AD002:lib(20):func(173):reason(2)
2017-06-22T20:02:22+02:00 err openvpn(server_turris)[5711]: Cannot load certificate file /etc/ssl/ca/openvpn/01.crt
2017-06-22T20:02:22+02:00 notice openvpn(server_turris)[5711]: Exiting due to fatal error
2017-06-22T20:02:22+02:00 info procd[]: Instance openvpn::instance1 s in a crash loop 6 crashes, 0 seconds since last crash

Stock Turris OS v3.6.5, no hanky-panky or clever mods apart from an internal SSD holding a LXC Debian container with a prestashop/HomeAssistant install.

Foris tells me “No certificate authority”. Clicking “Generate CA” gives nothing but a small ‘wait’-animation and eventually timeout.
I’ve tried removing openvpn, reboot, reinstalling it and reboot to see if that helped. No cigar.

Reading about openvpn setup, I’m told initial CA generation is done using a helper tool named easy-rsa. No such tool available on turris, apparently.

Question: How do I get that certificate named 01.crt made?

Do not create more topics for the same issue!
If you want help from the TO team, write an email to tech.support@turris.cz
OpenVPN fails - Cannot load certificate file /etc/ssl/ca/openvpn/01.crt


Right. Duplicate attempted removed - fail. Then, reduced to point to this issue here. After all, I am in need of help to make software work :slight_smile:

Bump. I’m still stuck.

As an attempt to remedy the failing OpenSSL, would it be a valid approach (that is, not break any functionality needed by the router for its other functionality) to attempt a purge/reinstall of the OpenSSL package?

As an alternative, how about a complete factory reset + upgrade-procedure? Never tried that, so I’ll have to ask if there are any “don’t do that unless you’re really screwed!”-monsters lurking in the shadows.

Anyone?

Yep, same story here - but for me it never works, as I just started configuring it using Foris. The service won’t start at all, with a similar error.

From looking around on the net it looks like some kind of incompatibility between OpenSSL and OpenVPN is quite common :confused:

2018-09-04 13:01:56 notice openvpn(server_turris)[15840]: OpenVPN 2.4.4 powerpc-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2018-09-04 13:01:56 notice openvpn(server_turris)[15840]: library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.08
2018-09-04 13:01:56 err openvpn(server_turris)[15840]: OpenSSL: error:02001002:lib(2):func(1):reason(2)
2018-09-04 13:01:56 err openvpn(server_turris)[15840]: OpenSSL: error:2006D080:lib(32):func(109):reason(128)
2018-09-04 13:01:56 err openvpn(server_turris)[15840]: Cannot open /etc/dhparam/dh-default.pem for DH parameters
2018-09-04 13:01:56 notice openvpn(server_turris)[15840]: Exiting due to fatal error
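Both logs above fail for the same reason: a file the server config points at cannot be opened (on the OpenSSL 1.0.x used here, error 02001002 is "system library:fopen:No such file or directory"). The following pre-flight check is an added example of my own, not a script from the thread or from Turris OS; it reads the ca/cert/key/dh directives from an OpenVPN config and reports each missing or empty file before the service is ever started. The script name and the sample config layout are assumed.

```sh
#!/bin/sh
# check_openvpn_pki.sh (assumed name): verify the PKI files an OpenVPN server
# config references, so "Cannot load certificate file" / "Cannot open ... for
# DH parameters" are caught before procd puts the instance in a crash loop.

# Print the argument of a single-value directive (ca, cert, key, dh, cd).
ovpn_directive() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_openvpn_pki CONFIG
# Returns 0 when every referenced file exists, is readable and non-empty,
# 1 otherwise, printing one line per problem. Relative paths are resolved
# against the "cd" directive, as OpenVPN does, or the config's directory.
check_openvpn_pki() {
    conf="$1"
    base=$(ovpn_directive "$conf" cd)
    [ -n "$base" ] || base=$(dirname "$conf")
    rc=0
    for name in ca cert key dh; do
        f=$(ovpn_directive "$conf" "$name")
        [ -n "$f" ] || continue          # not set, e.g. inline <ca> block
        case "$f" in /*) ;; *) f="$base/$f" ;; esac
        if [ ! -r "$f" ]; then
            echo "MISSING $name: $f"   # what openvpn reports as fopen ENOENT
            rc=1
        elif [ ! -s "$f" ]; then
            echo "EMPTY   $name: $f"   # a zero-byte cert from a timed-out CA generation
            rc=1
        fi
    done
    return "$rc"
}

# decode_openssl_errors LOGFILE
# Turn the opaque "error:02001002:lib(2):func(1):reason(2)" lines from the
# journal into text, when the openssl CLI is present.
decode_openssl_errors() {
    command -v openssl >/dev/null || { echo "openssl not found"; return 1; }
    grep -o 'error:[0-9A-Fa-f]\{8\}' "$1" | sort -u | while read -r e; do
        openssl errstr "${e#error:}"
    done
}
```

Run it as `sh check_openvpn_pki.sh` after sourcing, e.g. `check_openvpn_pki /etc/openvpn/server_turris.conf`; a non-zero exit with a MISSING line for cert is exactly the state the first log shows.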

Ou, seems related.

Finally got around to resetting the router to factory and reinstall this and that.
It all worked out of the box, including my added SSD that just emerged as a device, selectable for use as high-wear storage. Nice.
And then on to installing that dreaded VPN package…
That worked too, and I’m now in the process of figuring out how to do routing from the VPN net to internal LAN from the clients I intend to add.

I have a couple of services I’d like to access, located on internal LAN.
Also, I’d like to avoid being the sitting duck in airports and hotels by VPNing home and entering the internet from there.

You can play with “topology” (subnet) in combination with “client-to-client” options on the OpenVPN server. Basic routing should be handled already by that foris-openvpn plugin. What usually is the problem is to find out what needs to be changed in the zones/forwarding/nat/snat … rules. Not every guide written for openwrt or some older TOS release is valid (edit: I mean valid as a generic guide …, sometimes there is a presumption you have clean openwrt … or lede, or that guide is just part of some bigger guide …)

just-some-notes

I tried several combinations before the foris-openvpn plugin, with success and many fails depending on how much I crippled the firewall/zones/interface configuration (many rollbacks, “thanks mighty schnapps” :slight_smile: … since that plugin is in foris I have done like two full reconfigurations of openvpn (the second time just to test it after some major TOS update …).
… and my openvpn clients can access all my services in the LAN (yes, I am routing all traffic and using subnet topology and the c2c option) …
I have some posts on this forum related to openvpn setup (but for an older TOS version), but each thread has quite useful links with generic info …, sometimes I am searching for my own posts :slight_smile: just because I can’t find them again normally :slight_smile:

some-reading-here

How I got openVPN working (at least I hope so)
ACCEPT vs DNAT (port forwarding) firewall rules
OpenVPN issue TLS server/client
OpenVPN and dns-resolve in LAN

https://community.openvpn.net/openvpn/wiki/Topology
https://wiki.openwrt.org/doc/howto/openvpn-streamlined-server-setup#tab__logging
https://wiki.openwrt.org/doc/howto/openvpn-streamlined-server-setup#tab__rules
https://docs.openvpn.net/connecting/site-to-site-routing-explained-in-detail/