I have this issue since several Turris releases (3.9 - 3.10.3). I tried to setup OpenVPN using foris, but having the same loading screen for months now. It’s not going away with new Turris updates or reboots. I posted this in an other thread but got not help (thread was closed) by Pepe with the comment I should run the command below or wait for the next Turris release. Both did not work!
In general what you can do is uninstall openvpn packages you have installed and reinstall them again.
In FORIS , section Updater, untick Openvpn, wait for next run of updater. Once done, tick it again and wait for next run of updater and try to generate new CA.
If that will still won’t work. You can go to shell (ssh) and use “opkg” to remove it manually (with “force” option).
and before you do anything, use “schnapps” to create backup snapshot, so you can easily return back if you mess it.
Deinstall and Reinstall of OpenVPN Package via Foris --> No success. The OpenVPN options disappaers in Foris and after reinstall I can click it but get again the CA generation loading screen
Deinstall all packages with “vpn” in name using opkg remove --force-depends and deleted openvpn config in /etc/config/ and reinstall of the OpenVPN package in Foris after reboot. --> No success. I see the CA generation loading screen again.
Any other ideas? Is there an other old config file which could lead to this behavior?
Would you please check if you have any files in /etc/dhparam?
The following command should do it:
ls -l /etc/dhparam
or if you can check /var/log/messages there should be something or you can generate diagnostics in Foris, send them to tech.support@turris.cz, and I’ll check why it doesn’t work for you.
Mám ten samý problém - zatím jsem neobjevil, že by někde ve foru bylo řeěení. Nebo se pletu? Jak dopadl zakladatel tohoto vlákna po půl roce? Díky, Jakub
Uninstall the OpenVPN package via “Updater” menu item
Delete files in the folder /etc/ssl/ca/openvpn/
Reboot
Reinstall OpenVPN package
Do not reboot but wait for the process openssl dhparam -out /etc/dhparam/dh2048.pem.new 2048 to finish (can be seen when logged into the router via SSH in top)
Reboot
Result:
The folder /etc/ssl/ca/openvpn/ is empty
In the webinterface, the status for OpenVPN is still “Generating certificate authority”
You should also delete “/etc/dhparam” not only “/etc/ssl/ca/openvpn” …
Generate cert.authority has more steps. Dhparam, CA.cert/key/crl and optionally user files creation.
Just guessing ,…If you reboot it just after dhparam step you are possibly (as you have “ca” folder empty) waiting for ca generation which is very possibly not taking action after that reboot. Somewhere is indicated that generation of ca was started, but not finished, so foris is just passing such info. (so you can generate it manually …
… or , go back to Foris-openvpn plugin and delete whole CA again (and check via ssh, that it is really gone, eventually manually remove any residual files), regenerate it again.
It really takes 10-30 mins to finish and sometimes it might get frozen. After dhparam you will see in “top”(htop) openssl another/next process creating the essential files for you. if you start creating user files, you will see another one. Once done all smoothly, you will have files at … dhparam (/etc/dhparam) , ca (/etc/ssl/ca/openvpn) uci-config( /etc/config/openvpn) , …
As workaround you can do that “dhparam” “ca” stuff manually (using: openssl, easyrsa) and create openvpn uci config (there should be a template already or some receipts files). Also you have to manually take care of “zone” and “firewall” setup for your openvpn instance.
If you used updater to reinstall openvpn, there should be snapshot created, so you don’t need to wipe the openvpn installation, just rollback using schnapps to desired snapshot and start again.
Delete the folder /etc/dhparam (rm -r /etc/dhparam)
Delete the folder /etc/ssl/ca/openvpn (rm -r /etc/ssl/ca/openvpn)
Start the tool “htop” in the SSH session
Install OpenVPN via Web-UI (“Updater” -> check “OpenVPN” -> “Save Changes”) and stay in that web menu (do not change to “OPENVPN” menu yet)
In the SSH session (in htop) you should see a process openssl dhparam -out /etc/dhparam/dh2048.pem.new - wait for it to finish/disappear (should take about 30 minutes)
Click on “OPENVPN” in the Web-UI and start further configuration (Generate CA, etc. etc.)
I understand that some steps might not be truly necessary but this is how it worked for me.
Hope it helps!
Further more a bug that I noticed: if you change the transport protocol to be TCP instead of UDP, it seams that the software does not correctly create the appropriate firewall rule for accepting connections on the configured TCP port.
I had to adapt the firewall settings via luci to make OpenVPN work with a custom setting for port and protocol.
