OpenVPN server easy and fast

setup
openvpn

#83

How can I modify the script for the client config?

I would like to add ‘float’ to the client configs.
I can add it manually to the *.config file, but it would be better if it could be added automatically to every config.
Can you please add a custom field for server and client in Foris?


#84

Hi nneeoo

You have to enable OpenVPN in Luci -> System -> Startup for it to start when device is booted.


#85

Hi zurchpet.

Thanks for the info, I solved my problem. I found some other references to the same solution on the forum and I enabled the openvpn service in Luci. However, I would expect that the UI for “easy setup of OpenVPN” would either automatically enable the service or include a checkbox where I could decide whether I want the service to be enabled by default.


#86

I’m having trouble setting up OpenVPN.

I’ve used these two tutorials
https://www.turris.cz/doc/en/howto/openvpn_plugin
https://www.turris.cz/doc/en/public/configureopenvpnandroidclient
Trying to get a connection up on my Android phone.

Additionally, I have set up a DynDNS service for IPv4 and IPv6. It works, at least it is telling me my IP is getting updated.

However, I’ve been unable to get the phone to connect via the mobile network. It is always timing out.

I’ve tried manually modifying the CONF file by adding the IPv4 or the IPv6 address as well as adding the DynDNS subdomain. The reason is that somehow the config file always contains the local IP address.

Is there anything I have to set up additionally? Anywhere I can check what is going wrong? My provider is Unitymedia (Germany) and I’m no stranger to issues. They are using Dual Stack Lite, which is already causing problems with Netflix. Could it be that it is also causing issues with VPN?

Before you ask, OpenVPN is enabled during startup.


#87

Do you mind sharing your config? So we can see if there is something rotten in Denmark. What error does the OpenVPN app say?


#88

Does this help?

The OpenVPN App just says that it timed out. It takes an awfully long time at “Waiting for server” and then it just says “OpenVPN Connection Timeout”.


#89

No, not really. Can you run cat /etc/config/openvpn and post the output (with the sensitive parts stripped out)?


#90

Please check that the file /etc/dhparam/dh-default.pem exists. If it does not, you need to generate it or, for a faster solution, create a symlink to one of the existing ones manually:
ln -sf /etc/dhparam/dh8192.pem /etc/dhparam/dh-default.pem
possibly a lower one (i.e., dh4096 or dh2048)


#91

This should be OK, then.

ls -l /etc/dhparam/
lrwxrwxrwx 1 root root 23 Apr 21 12:15 dh-default.pem -> /etc/dhparam/dh2048.pem
-rw-r--r-- 1 root root 424 Apr 21 12:15 dh2048.pem
-rw-rw-r-- 1 root root 769 Mar 9 23:20 dh4096.pem
-rw-rw-r-- 1 root root 1464 Mar 9 23:20 dh8192.pem

I also checked the firewall and there is a rule “vpn_turris_rule”.


#92

To be honest, I do not know what the sensitive parts in the output would be. I looked through the list several times but found nothing more than what I already posted above.

config openvpn 'server_turris'
option enabled '1'
option port '1194'
option proto 'udp'
option dev 'tun_turris'
option ca '/etc/ssl/ca/openvpn/ca.crt'
option crl_verify '/etc/ssl/ca/openvpn/ca.crl'
option cert '/etc/ssl/ca/openvpn/01.crt'
option key '/etc/ssl/ca/openvpn/01.key'
option dh '/etc/dhparam/dh-default.pem'
option server '10.111.111.0 255.255.255.0'
option ifconfig_pool_persist '/tmp/ipp.txt'
option duplicate_cn '0'
option keepalive '10 120'
option comp_lzo 'yes'
option persist_key '1'
option persist_tun '1'
option status '/tmp/openvpn-status.log'
option verb '3'
option mute '20'
list push 'route 192.168.0.0 255.255.255.0'
list push 'redirect-gateway def1'
list push 'dhcp-option DNS 10.111.111.1'

Apart from this there are also the disabled “custom_config”, “sample_server” and “sample_client” sections.


#94

I think the easiest way to get a fast OpenVPN server is to shuffle the protocol in your VPN software application. To know more about VPN protocols check this detailed comparison guide: https://www.reviewsdir.com/compare-vpn-protocols/ In my opinion, you really don’t need to go that technical.


#95

Hi fischoderaal,

do you have any update on this one? I have the same issues: the Foris-created VPN just times out from an Android phone. I have the public IP of the router in the client config.


#96

ad_2: I have this small script to generate the .ovpn file. It assumes the user has the key and cert files in ~/CA/openvpn/. You also have to fill in the IP/Port variables.

```bash
#!/bin/bash
# Generates an all-in-one .ovpn for the current user, with ta.key, CA, cert and key inlined.
# Assumes the files are in ~/CA/openvpn/: ta.key, ca.crt, <user>.crt, <user>.key

RemoteIP=""     ### your public ip
RemotePort=""   ### your openvpn port
ME=$( whoami )  ### assuming that you are not under su/sudo

if [ -z "$RemoteIP" ] || [ -z "$RemotePort" ]; then
    echo "Fill in RemoteIP and RemotePort at the top of the script first" >&2
    exit 1
fi

generated="${HOSTNAME}_${ME}.ovpn"   ### braces needed, otherwise the shell looks for a variable HOSTNAME_

echo "Generating $generated for $ME"

echo "## Generated at $( date ) on $HOSTNAME for user: $ME" > "$generated"
echo "## BGN --------------------------- " >> "$generated"

echo "Starting with default stuff ... android compatible"

echo "float" >> "$generated"
echo "client" >> "$generated"
echo "tls-client" >> "$generated"
echo "dev tun" >> "$generated"
echo "proto udp" >> "$generated"
echo "remote $RemoteIP $RemotePort" >> "$generated"
echo "comp-lzo adaptive" >> "$generated"
echo "keepalive 10 60" >> "$generated"
echo "verb 5" >> "$generated"
echo "nobind" >> "$generated"
echo "persist-key" >> "$generated"
echo "persist-tun" >> "$generated"
### auth/cipher are the legacy choices of the original script; they must match what the server uses
echo "auth SHA1" >> "$generated"
echo "cipher BF-CBC" >> "$generated"
echo "mssfix 0" >> "$generated"

echo 'remote-cert-eku "TLS Web Server Authentication"' >> "$generated"

### each file goes between its inline block tags, so a single .ovpn is enough on the phone
### (add "key-direction 1" if the server uses "tls-auth ta.key 0")
echo "Fetching TLS-AUTH"
echo "<tls-auth>" >> "$generated"
sed -n '/BEGIN/,/END/p' < ~/CA/openvpn/ta.key >> "$generated"
echo "</tls-auth>" >> "$generated"

echo "Fetching CA"
echo "<ca>" >> "$generated"
sed -n '/BEGIN/,/END/p' < ~/CA/openvpn/ca.crt >> "$generated"
echo "</ca>" >> "$generated"

echo "Fetching CERT"
echo "<cert>" >> "$generated"
sed -n '/BEGIN/,/END/p' < ~/CA/openvpn/"$ME".crt >> "$generated"
echo "</cert>" >> "$generated"

echo "Fetching KEY"
echo "<key>" >> "$generated"
sed -n '/BEGIN/,/END/p' < ~/CA/openvpn/"$ME".key >> "$generated"
echo "</key>" >> "$generated"

echo "auth-nocache" >> "$generated"
echo "resolv-retry infinite" >> "$generated"

echo "## END --------------------------- " >> "$generated"
```


#97

Thanks for that. Anyway I can just rename my config_file.conf to config_file.ovpn and it works as well :slight_smile:


#98

Hello Guys,

In case anyone has the same OpenVPN issue, where it somehow just does not work from an Android phone, here is the solution:

I solved the issue with some tests. It works from different locations (not in your own network where the Turris is) when using a PC. It turned out it does not work only from an Android phone, and only with the official OpenVPN application. For some weird reason it works even with the official one if I connect through wifi, but it won’t work via mobile internet.
But the real solution is: it works in all cases with a different Android app, the one called OpenVPN for Android, which is also suggested in the community documentation.


#99

Hi

I was trying the Foris auto OpenVPN setup and found an issue. The setting “route all via VPN” worked as expected. But with the setting “split tunneling” it stopped working. The local site wasn’t reachable. Traffic reached the server, but the responses did not go back to the client (RX increasing, TX 0 on the VPN_TURRIS interface). After some time I found the link-local subnet missing from the routing table.
Settings:

Current settings
Network:	10.111.111.0/24
Device:	tun_turris
Protocol:	udp
Port:	1194
Redirect:	192.168.5.1/24

By adding a simple static route 10.111.111.0/24 via vpn_turris it got fixed.
Is it bug or some problem with my side?


#100

This I can confirm. I use this one, and have no problems.
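The symptom in #99 (RX increasing, TX 0 on the tunnel interface) is what you see when the router has no route back to the client pool: the client's packets arrive, but the replies follow the default route out of the WAN instead of the tunnel. The following Python script, an added example that is not from the thread or from Turris, checks a routing table for exactly that. It parses `ip route show` output, does a longest-prefix match for a client address from the 10.111.111.0/24 pool, and reports whether the matched route leaves through `tun_turris`. The two route tables are constructed for the example (203.0.113.0/24 stands in for the WAN); the `uci` static-route commands it prints on failure use OpenWrt's standard static-route syntax, which is an assumption, not something posted in the thread.

```python
import ipaddress

# Constructed `ip route show` output for the router in #99: LAN 192.168.5.0/24, tunnel
# server address 10.111.111.1 on tun_turris, but no route for the client pool 10.111.111.0/24.
# 203.0.113.0/24 stands in for the WAN (documentation prefix, not a real address).
SAMPLE_ROUTES_BROKEN = """\
default via 203.0.113.1 dev eth1 proto static
10.111.111.2 dev tun_turris proto kernel scope link src 10.111.111.1
192.168.5.0/24 dev br-lan proto kernel scope link src 192.168.5.1
203.0.113.0/24 dev eth1 proto kernel scope link src 203.0.113.10
"""

# The same table after the static route described in #99 has been added.
SAMPLE_ROUTES_FIXED = SAMPLE_ROUTES_BROKEN + "10.111.111.0/24 via 10.111.111.2 dev tun_turris\n"


def parse_routes(text):
    """Turn `ip route show` lines into (network, device) pairs; lines without `dev` are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or "dev" not in fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(prefix, strict=False), dev))
    return routes


def route_for(text, dst):
    """Longest-prefix match: the (prefix, device) the kernel would pick for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, dev in parse_routes(text):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return None if best is None else (str(best[0]), best[1])


def vpn_return_path_ok(text, vpn_subnet, vpn_dev):
    """Would a reply to a tunnel client leave through vpn_dev? Returns (ok, matched_route).

    The probe is the first client address in net30 topology: the server log in the thread
    shows `IFCONFIG POOL: base=10.111.111.4`, so the first client gets .6 (assumption for
    this example; any address in the pool behaves the same way).
    """
    pool = ipaddress.ip_network(vpn_subnet)
    probe = str(pool.network_address + 6)
    match = route_for(text, probe)
    return (match is not None and match[1] == vpn_dev), match


def uci_static_route(vpn_subnet, gateway, interface):
    """UCI commands for the missing static route (OpenWrt syntax; assumption, not from the thread)."""
    net = ipaddress.ip_network(vpn_subnet)
    return [
        "uci add network route",
        f"uci set network.@route[-1].interface='{interface}'",
        f"uci set network.@route[-1].target='{net.network_address}'",
        f"uci set network.@route[-1].netmask='{net.netmask}'",
        f"uci set network.@route[-1].gateway='{gateway}'",
        "uci commit network",
    ]


if __name__ == "__main__":
    for name, table in (("broken", SAMPLE_ROUTES_BROKEN), ("fixed", SAMPLE_ROUTES_FIXED)):
        ok, match = vpn_return_path_ok(table, "10.111.111.0/24", "tun_turris")
        print(f"{name}: client replies match {match} -> {'OK' if ok else 'leave via default route'}")
    if not vpn_return_path_ok(SAMPLE_ROUTES_BROKEN, "10.111.111.0/24", "tun_turris")[0]:
        print("\n".join(uci_static_route("10.111.111.0/24", "10.111.111.2", "vpn_turris")))
```

On the router itself, feed it the real table with `ip route show` and compare the matched device against the tunnel interface; a match on `0.0.0.0/0` or the WAN device means the replies are leaving the wrong way, which is the state #99 describes before the static route was added.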


#101

Any help is appreciated

##Server Config##
cat /etc/config/openvpn

config openvpn 'custom_config'
	option enabled '0'
	option config '/etc/openvpn/my-vpn.conf'

config openvpn 'sample_server'
	option enabled '0'
	option port '1194'
	option proto 'udp'
	option dev 'tun'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option dh '/etc/openvpn/dh1024.pem'
	option server '10.8.0.0 255.255.255.0'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option keepalive '10 120'
	option compress 'lzo'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option status '/tmp/openvpn-status.log'
	option verb '3'

config openvpn 'sample_client'
	option enabled '0'
	option client '1'
	option dev 'tun'
	option proto 'udp'
	list remote 'my_server_1 1194'
	option resolv_retry 'infinite'
	option nobind '1'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/client.crt'
	option key '/etc/openvpn/client.key'
	option compress 'lzo'
	option verb '3'

config openvpn 'server_turris'
	option enabled '1'
	option port '1194'
	option proto 'udp'
	option dev 'tun_turris'
	option ca '/etc/ssl/ca/openvpn/ca.crt'
	option crl_verify '/etc/ssl/ca/openvpn/ca.crl'
	option cert '/etc/ssl/ca/openvpn/01.crt'
	option key '/etc/ssl/ca/openvpn/01.key'
	option dh '/etc/dhparam/dh-default.pem'
	option server '10.111.111.0 255.255.255.0'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option duplicate_cn '0'
	option keepalive '10 120'
	option comp_lzo 'yes'
	option persist_key '1'
	option persist_tun '1'
	option status '/tmp/openvpn-status.log'
	option verb '3'
	option mute '20'
	list push 'route 10.0.10.0 255.255.255.0'

##dhparam##

ls -l /etc/dhparam/
lrwxrwxrwx    1 root     root            23 Nov 18 13:23 dh-default.pem -> /etc/dhparam/dh2048.pem
-rw-r--r--    1 root     root           424 Nov 18 13:23 dh2048.pem
-rw-r--r--    1 root     root           769 Sep 14 14:54 dh4096.pem
-rw-r--r--    1 root     root          1464 Sep 14 14:54 dh8192.pem



##Server log##
2017-11-19T20:27:09+02:00 notice openvpn(server_turris)[16393]: OpenVPN 2.4.4 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2017-11-19T20:27:09+02:00 notice openvpn(server_turris)[16393]: library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.08
2017-11-19T20:27:09+02:00 notice openvpn(server_turris)[16393]: Diffie-Hellman initialized with 2048 bit key
2017-11-19T20:27:09+02:00 notice openvpn(server_turris)[16393]: TUN/TAP device tun_turris opened
2017-11-19T20:27:09+02:00 notice openvpn(server_turris)[16393]: TUN/TAP TX queue length set to 100
2017-11-19T20:27:09+02:00 notice openvpn(server_turris)[16393]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2017-11-19T20:27:09+02:00 notice openvpn(server_turris)[16393]: /sbin/ifconfig tun_turris 10.111.111.1 pointopoint 10.111.111.2 mtu 1500
2017-11-19T20:27:09+02:00 notice netifd[]: Interface 'vpn_turris' is enabled
2017-11-19T20:27:09+02:00 notice netifd[]: Network device 'tun_turris' link is up
2017-11-19T20:27:09+02:00 notice netifd[]: Interface 'vpn_turris' has link connectivity 
2017-11-19T20:27:09+02:00 notice netifd[]: Interface 'vpn_turris' is setting up now
2017-11-19T20:27:09+02:00 notice netifd[]: Interface 'vpn_turris' is now up
2017-11-19T20:27:09+02:00 notice openvpn(server_turris)[16393]: /sbin/route add -net 10.111.111.0 netmask 255.255.255.0 gw 10.111.111.2
2017-11-19T20:27:09+02:00 warning openvpn(server_turris)[16393]: Could not determine IPv4/IPv6 protocol. Using AF_INET
2017-11-19T20:27:09+02:00 notice openvpn(server_turris)[16393]: Socket Buffers: R=[163840->163840] S=[163840->163840]
2017-11-19T20:27:09+02:00 notice openvpn(server_turris)[16393]: UDPv4 link local (bound): [AF_INET][undef]:1194
2017-11-19T20:27:09+02:00 notice openvpn(server_turris)[16393]: UDPv4 link remote: [AF_UNSPEC]
2017-11-19T20:27:09+02:00 notice openvpn(server_turris)[16393]: MULTI: multi_init called, r=256 v=256
2017-11-19T20:27:09+02:00 notice openvpn(server_turris)[16393]: IFCONFIG POOL: base=10.111.111.4 size=62, ipv6=0
2017-11-19T20:27:09+02:00 notice openvpn(server_turris)[16393]: IFCONFIG POOL LIST
2017-11-19T20:27:09+02:00 notice openvpn(server_turris)[16393]: Initialization Sequence Completed
2017-11-19T20:27:09+02:00 notice firewall[]: Reloading firewall due to ifup of vpn_turris (tun_turris)
2017-11-19T20:27:28+02:00 notice openvpn(server_turris)[16393]: 15X.XXX.X.XXX:53614 TLS: Initial packet from [AF_INET]15X.XXX.X.XXX:53614, sid=055e6102 1f1bec02
2017-11-19T20:28:01+02:00 info /usr/sbin/cron[16686]: (root) CMD (/usr/bin/rainbow_button_sync.sh)
2017-11-19T20:28:01+02:00 info /usr/sbin/cron[16687]: (root) CMD (nethist_stats.lua)
2017-11-19T20:28:28+02:00 err openvpn(server_turris)[16393]: 15X.XXX.X.XXX:53614 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2017-11-19T20:28:28+02:00 err openvpn(server_turris)[16393]: 15X.XXX.X.XXX:53614 TLS Error: TLS handshake failed

##Client log##
sudo openvpn --config ~/Downloads/turris.ovpn --verb 3
Sun Nov 19 22:32:19 2017 OpenVPN 2.4.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul  3 2017
Sun Nov 19 22:32:19 2017 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Sun Nov 19 22:32:19 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]21X.XXX.X.XXX:1194
Sun Nov 19 22:32:19 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Nov 19 22:32:19 2017 UDP link local: (not bound)
Sun Nov 19 22:32:19 2017 UDP link remote: [AF_INET]21X.XXX.X.XXX:1194
Sun Nov 19 22:33:19 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Nov 19 22:33:19 2017 TLS Error: TLS handshake failed
Sun Nov 19 22:33:19 2017 SIGUSR1[soft,tls-error] received, process restarting
Sun Nov 19 22:33:19 2017 Restart pause, 5 second(s)
Sun Nov 19 22:33:24 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]21X.XXX.X.XXX:1194
Sun Nov 19 22:33:24 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Nov 19 22:33:24 2017 UDP link local: (not bound)
Sun Nov 19 22:33:24 2017 UDP link remote: [AF_INET]21X.XXX.X.XXX:1194
Sun Nov 19 22:34:25 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Nov 19 22:34:25 2017 TLS Error: TLS handshake failed
Sun Nov 19 22:34:25 2017 SIGUSR1[soft,tls-error] received, process restarting
Sun Nov 19 22:34:25 2017 Restart pause, 5 second(s)
Sun Nov 19 22:34:30 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]21X.XXX.X.XXX:1194

#102

What is the client config? (turris.ovpn)
It appears the first packet from the client is reaching the server, but it’s not clear whether the response packet from the server reaches the client.
Perhaps the client’s firewall is blocking the response from the server. Or if the client did receive the response, then it’s likely that the OpenVPN client config does not match up with the server in some way.
More detailed log messages will appear if you use ‘verb 4’ or ‘verb 5’.


#103

Hi, thank you for your reply.
I will increase verbosity and I will post again later today along with the client config.

My Turris has an LTE modem interface, on which I am trying to establish the VPN connection.
After your answer I realized that while I am establishing a connection on the LTE interface, the response is probably going through the wan/wan6 interface and there might be a problem there.
Is there any configuration available on the server (or on the Turris) in order to use only the LTE interface or to use the same incoming interface?
Edit: Just to add that I am also using mwan3.
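Post #102 reads the #101 logs as “the client's first packet arrives, nothing comes back”, and #103 adds a plausible cause (mwan3 with an LTE uplink, so the server's reply may leave through wan instead of lte). The following Python script, an added example that is not from the thread or from Turris, turns that reading into a check over the server log: for each peer it records whether the server saw an initial TLS packet, a completed handshake, or only the 60-second negotiation timeout. The sample log is constructed from the lines posted in #101 (peer address masked as in the post) plus an invented second peer, 198.51.100.7, that completes its handshake; the classification names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the #101 server lines, plus an invented peer that does complete the handshake.
SAMPLE_SERVER_LOG = """\
2017-11-19T20:27:09+02:00 notice openvpn(server_turris)[16393]: Initialization Sequence Completed
2017-11-19T20:27:28+02:00 notice openvpn(server_turris)[16393]: 15X.XXX.X.XXX:53614 TLS: Initial packet from [AF_INET]15X.XXX.X.XXX:53614, sid=055e6102 1f1bec02
2017-11-19T20:28:01+02:00 info /usr/sbin/cron[16686]: (root) CMD (/usr/bin/rainbow_button_sync.sh)
2017-11-19T20:28:28+02:00 err openvpn(server_turris)[16393]: 15X.XXX.X.XXX:53614 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2017-11-19T20:28:28+02:00 err openvpn(server_turris)[16393]: 15X.XXX.X.XXX:53614 TLS Error: TLS handshake failed
2017-11-19T20:30:02+02:00 notice openvpn(server_turris)[16393]: 198.51.100.7:41000 TLS: Initial packet from [AF_INET]198.51.100.7:41000, sid=aabbccdd 11223344
2017-11-19T20:30:03+02:00 notice openvpn(server_turris)[16393]: 198.51.100.7:41000 VERIFY OK: depth=1, CN=turris_ca
2017-11-19T20:30:03+02:00 notice openvpn(server_turris)[16393]: 198.51.100.7:41000 [laptop] Peer Connection Initiated with [AF_INET]198.51.100.7:41000
"""

# Lines that belong to a peer carry "ip:port" right after the openvpn(...)[pid]: prefix.
PEER_LINE = re.compile(r"openvpn\(\S+\)\[\d+\]: (\S+:\d+) (.*)$")


def handshake_events(text):
    """Collect, per peer, the handshake milestones the server logged, in order."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = PEER_LINE.search(line)
        if not m:
            continue
        peer, msg = m.groups()
        if msg.startswith("TLS: Initial packet from"):
            events[peer].append("initial")
        elif "TLS key negotiation failed" in msg:
            events[peer].append("timeout")
        elif "Peer Connection Initiated" in msg:
            events[peer].append("connected")
    return events


def classify(events):
    """Map a peer's event list to an outcome name (names chosen for this example)."""
    if "connected" in events:
        return "connected"
    # Initial packet seen, then only the timeout: the server answered, but nothing else arrived
    # from the client. That is the #101 pattern; #102 and #103 discuss where the reply may be lost.
    if events and events[0] == "initial" and "timeout" in events and set(events) <= {"initial", "timeout"}:
        return "initial-packet-only"
    return "unknown"


def triage_server_log(text):
    """Outcome per peer for a whole server log."""
    return {peer: classify(ev) for peer, ev in handshake_events(text).items()}


if __name__ == "__main__":
    for peer, outcome in triage_server_log(SAMPLE_SERVER_LOG).items():
        print(f"{peer}: {outcome}")
        if outcome == "initial-packet-only":
            print("  server reply never got a response: check the client-side firewall, the"
                  " return path on a multi-uplink router (mwan3: wan vs lte), and tls-auth/cipher"
                  " settings against the server config")
```

Run it against `logread` output from the router. A peer that only ever reaches `initial-packet-only` narrows the problem to the return direction or to a TLS parameter mismatch, which is what #102 suggests; `verb 4` or `verb 5` on both sides, as #102 recommends, shows whether the server's reply is even sent and whether the client ever receives it.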