OpenVPN issue TLS server/client

Hi,

I have problems setting up an OpenVPN connection and I need help with it.
The error message I get is:
Options error: specify only one of --tls-server, --tls-client, or --secret

My setup:
Port 1194
dev_type tun
nobind
float
persist_tun
persist_key
comp_lzo adaptive
proto udp
auth SHA1
cipher BF-CBC
keysize 128
tls_cipher TLS-RSA-WITH-AES-128-CBC-SHA
ns_cert_type server
remote de.vpnunlimitedapp.com
ca
cert
key

It seems that I have a double config somehow, but not sure where or how.

Does somebody have a good idea?

Thanks

Seems that there is a bug:

"
Found a bug where a line containing “secet shared-secret.key” is being written to /var/etc/openvpn-pia_client.conf. Removing that line and then starting the openvpn service brought up tun0.

FYI: I’m using the latest version of LEDE from lede-project.org

Adam says:
November 13, 2017 at 8:49 am
That was a typo. The line in question is “secret shared-secret.key”. Removing the line from the config was needed in order for the openvpn service to start.
"

I had some issues with TLS when trying to get my vpn done …

  1. you need to specify where your “ta.key” file is, i.e. you are missing the “tls_auth” option
  2. “tls_cipher”: better to remove that line (unless you have some other reason to keep it)
  3. you also have to specify the “tls_server” (in server config) and “tls_client” (in client config) options, and you might also want to specify “tls_exit” (in server config).

Here is my setup (it is in CZ, but the config files for server and clients are there, so you can take inspiration from them)

EDIT: as it seems you have some VPN provider, you might want to use this guide (so you use the config as is, from your VPN provider): Turris Documentation
The only stuff you usually need to do is copy the ca, cert, ta and key files to the correct places and reflect those paths in your config. I know it is in CZ, but the code blocks are useful.

EDIT2: there is this guide: How to Configure OpenVPN Client on Router - VPN Unlimited (some stuff you can skip for sure; if you have the corresponding LuCI app for OpenVPN installed, just jump to the config/setup part). Hope it will help. If you still have some issues, let me know in a private message.

Also, that provider has some config generators (as an app, or as a web app). So you can tailor your config according to their needs (and later you can use it directly or use LuCI to prepare a uci/luci-syntax-like config). And you can also make a single ovpn profile having all necessary files (ca, cert, key, ta) inside, which is handy for OpenVPN 2.4.x based clients (you simply import that file without copying any other files), which I believe the vpnunlimitedapp generator can do for you.

Thanks, I got it sorted out now, but I still have a problem.
What I did was check the entries in my ovpn config file. And it turns out that there is a known bug (already reported): the system adds a line to the config file with “secret shared-secret.key”. That means that I have specified one option too many. By deleting the line, the VPN service starts. Unfortunately, after a reboot the line appears again, but that will maybe be fixed in a newer version.

And you are right, the generator is quite handy, as it will create a correct file for the ca, cert and key files. Even the manual is quite straightforward.

However, even though the VPN service starts now, I still do not get connected to VPN Unlimited. My IP remains the same and the (newly created) interface shows no traffic.
The manuals do not point to a solution; does somebody have a good idea? Could it be that I need to change DHCP?

https://wiki.openwrt.org/doc/howto/vpn.openvpn might be handy (the routing traffic section, or rather the whole guide, is quite handy)

You have to set up a new zone (or alter an existing one) to include that new VPN interface in some zone. Based on “what you want to achieve” (single client tunnel, all traffic via tunnel, some traffic via tunnel), you have to deal with “traffic rules” (and very possibly with “custom rules”).

OK, I have now invested some days, not to get OpenVPN up and running, but at least PPTP. Something is wrong (probably a forward or a route), but I don’t know how to proceed. I changed my VPN provider from VPN Unlimited to Perfect-Privacy; VPN via PPTP is working on my old Asus router, but not on the Turris. So, any help is highly appreciated! Maybe someone can review my settings; that would be a huge help.

The problem: I can get the PPTP to my VPN provider running, but no data is visible and my IP is still the local ISP IP. Somehow I can’t manage to route the traffic from all clients via the new VPN interface to the Internet.

root@turris:/# cat /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd33:49fd:25ae::/48'

config interface 'lan'
	option ifname 'eth0 eth2'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option ifname '@wan'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6'

config interface 'VPN_PPTP_PP'
	option proto 'pptp'
	option server 'hamburg.perfect-privacy.com'
	option password 'my-password'
	option username 'my-username'
	option peerdns '0'
	option dns '208.67.222.222 208.67.220.220'
	option metric '10'

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option network 'VPN_PPTP_PP'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include
	option path '/usr/share/firewall/turris'
	option reload '1'

config include
	option path '/etc/firewall.d/with_reload/firewall.include.sh'
	option reload '1'

config include
	option path '/etc/firewall.d/without_reload/firewall.include.sh'
	option reload '0'

config rule
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config forwarding
	option dest 'wan'
	option src 'lan'

root@turris:/etc# ifconfig
br-lan Link encap:Ethernet HWaddr D8:58:D7:00:21:E4
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::da58:d7ff:fe00:21e4/64 Scope:Link
inet6 addr: fd33:49fd:25ae::1/60 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1859 errors:0 dropped:0 overruns:0 frame:0
TX packets:1284 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:175763 (171.6 KiB) TX bytes:609736 (595.4 KiB)

eth0 Link encap:Ethernet HWaddr D8:58:D7:00:21:E4
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:97 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:532
RX bytes:0 (0.0 B) TX bytes:19533 (19.0 KiB)
Interrupt:37

eth1 Link encap:Ethernet HWaddr D8:58:D7:00:21:E5
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:532
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:38

eth2 Link encap:Ethernet HWaddr D8:58:D7:00:21:E6
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:97 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:532
RX bytes:0 (0.0 B) TX bytes:19533 (19.0 KiB)
Interrupt:40

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:1142 errors:0 dropped:0 overruns:0 frame:0
TX packets:1142 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:90214 (88.0 KiB) TX bytes:90214 (88.0 KiB)

wlan0 Link encap:Ethernet HWaddr 04:F0:21:24:15:55
inet6 addr: fe80::6f0:21ff:fe24:1555/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1889 errors:0 dropped:0 overruns:0 frame:0
TX packets:1524 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:208947 (204.0 KiB) TX bytes:668183 (652.5 KiB)
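The reply before this post says the VPN interface has to be a member of a firewall zone and that routing then depends on the zone and traffic rules. Below is an added example (not code from the thread, from OpenWrt or from Turris) that parses UCI network and firewall text in the form pasted above and reports two things a reviewer would check first: interfaces that belong to no zone at all, and masquerading zones whose input policy is ACCEPT (OpenWrt ships the wan zone with input REJECT and network 'wan wan6'). The sample configs are constructed from the posted ones with the VPN server replaced by a placeholder host; the "fixed" wan zone is an assumed correction for illustration, not one taken from the thread.

```python
"""Audit OpenWrt/Turris UCI network + firewall text for zone coverage.

Added example (not from the thread, OpenWrt or Turris).  Checks:
  * every network interface (except loopback) is in some zone's network list
  * a masquerading (upstream) zone does not accept all input
  * every 'config forwarding' refers to zones that exist
"""
import re

_SECTION = re.compile(r"^config\s+(\S+)(?:\s+['\"]?([^'\"]+)['\"]?)?\s*$")
_ENTRY = re.compile(r"^(option|list)\s+(\S+)\s+['\"]?(.*?)['\"]?\s*$")


def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'options': {key: [values]}}].

    'option' and 'list' are both stored as lists so callers need one code path.
    Curly quotes are accepted because pasted configs (as above) often have them.
    """
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        for curly in ("\u2018", "\u2019", "\u201c", "\u201d"):
            line = line.replace(curly, "'")
        if not line or line.startswith("#"):
            continue
        m = _SECTION.match(line)
        if m:
            sections.append({"type": m.group(1), "name": m.group(2), "options": {}})
            continue
        m = _ENTRY.match(line)
        if m and sections:
            sections[-1]["options"].setdefault(m.group(2), []).append(m.group(3))
    return sections


def audit_firewall(network_text, firewall_text):
    """Return {'unzoned_interfaces', 'permissive_zones', 'bad_forwardings'}."""
    net, fw = parse_uci(network_text), parse_uci(firewall_text)
    interfaces = [s["name"] for s in net
                  if s["type"] == "interface" and s["name"] != "loopback"]
    zones = [s for s in fw if s["type"] == "zone"]

    # Zone -> list of network interfaces; 'network' may be one space-separated
    # option or several 'list network' lines.
    members = {}
    for z in zones:
        members[z["options"]["name"][0]] = [
            iface for v in z["options"].get("network", []) for iface in v.split()]
    covered = {i for ms in members.values() for i in ms}

    findings = {"unzoned_interfaces": [i for i in interfaces if i not in covered],
                "permissive_zones": [], "bad_forwardings": []}
    for z in zones:
        name = z["options"]["name"][0]
        masq = z["options"].get("masq", ["0"])[0] == "1"
        if masq and z["options"].get("input", [""])[0] == "ACCEPT":
            findings["permissive_zones"].append(
                "%s: masquerading zone accepts all input (router services reachable from %s)"
                % (name, ", ".join(members[name]) or "no interface"))
    for f in (s for s in fw if s["type"] == "forwarding"):
        src, dst = f["options"]["src"][0], f["options"]["dest"][0]
        for z in (src, dst):
            if z not in members:
                findings["bad_forwardings"].append(
                    "%s -> %s: zone '%s' does not exist" % (src, dst, z))
    return findings


# Constructed samples trimmed from the config posted above (placeholder VPN host).
NETWORK_CONF = """\
config interface 'loopback'
    option ifname 'lo'
config interface 'lan'
    option ifname 'eth0 eth2'
    option proto 'static'
config interface 'wan'
    option ifname 'eth1'
    option proto 'dhcp'
config interface 'wan6'
    option ifname '@wan'
    option proto 'dhcpv6'
config interface 'VPN_PPTP_PP'
    option proto 'pptp'
    option server 'vpn.example.invalid'
"""
FIREWALL_REST = """\
config defaults
    option forward 'REJECT'
config zone
    option name 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'
config forwarding
    option dest 'wan'
    option src 'lan'
"""
WAN_ZONE_AS_POSTED = """\
config zone
    option name 'wan'
    option masq '1'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option network 'VPN_PPTP_PP'
"""
# Assumed correction: default REJECT policies, physical WAN back in the zone.
WAN_ZONE_FIXED = """\
config zone
    option name 'wan'
    option masq '1'
    option input 'REJECT'
    option forward 'REJECT'
    option network 'wan wan6 VPN_PPTP_PP'
"""

if __name__ == "__main__":
    print(audit_firewall(NETWORK_CONF, FIREWALL_REST + WAN_ZONE_AS_POSTED))
    print(audit_firewall(NETWORK_CONF, FIREWALL_REST + WAN_ZONE_FIXED))
```

Run against the zone as posted, the audit reports wan and wan6 as belonging to no zone (the wan zone's network list contains only VPN_PPTP_PP) and the wan zone as permissive; with the assumed correction it reports nothing. Whether the tunnel should replace or sit beside the physical WAN in that zone depends on which traffic is meant to go through the VPN, which the reply above leaves to the traffic rules.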

Is there nobody who can help me out here? By browsing through different forums I got the feeling that a lot of users are struggling with this.
Yes, there is a lot of documentation out there, but it is either written from a professional point of view or the routing part is missing. How to set up a VPN client connection (OpenVPN or PPTP) is straightforward and well documented, but the troubleshooting when you have problems is not.

Long story short, the reason I bought a Turris was for a better VPN experience, and right now I still can’t use it. I hope that somebody can help me with the config.