[RESOLVED] OpenVPN - ProtonVPN Client Problem

Hi there,

I wanted to set up my Turris Omnia as a client for ProtonVPN and made a new OpenVPN config in /etc/config/openvpn with all the settings needed from the original ProtonVPN config, which is working on my desktop PC with the Viscosity VPN client.

But now when I press Start in the LuCI panel I get an error in the message log.

Options error: No client-side authentication method is specified.  You must use either --cert/--key, --pkcs12, or --auth-user-pass

But I have auth-user-pass defined in the options with the userpass.txt… does anyone have an idea what I have done wrong?

Thanks for your help.

Original Config

client
dev tun
proto udp

remote ch.protonvpn.com 1194

remote-random
resolv-retry infinite
nobind
cipher AES-256-CBC
auth SHA512
comp-lzo
verb 3

tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun

ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0

remote-cert-tls server
auth_user_pass /etc/openvpn/userpass.txt
pull
fast-io


<ca>
</ca>

key-direction 1
<tls-auth>
# 2048 bit OpenVPN static key
</tls-auth>

/etc/config/openvpn

    config openvpn 'protonvpn'
            option enabled '1'
            option auth_user_pass '/etc/openvpn/userpass.txt'
            option client '1'
            option proto 'udp'
            option resolv_retry 'infinite'
            option nobind '1'
            option cipher 'AES-256-CBC'
            option auth 'SHA512'
            option comp_lzo 'yes'
            option verb '3'
            option tun_mtu '1500'
            option tun_mtu_extra '32'
            option ping '15'
            option ping_restart '0'
            option ping_timer_rem '1'
            option reneg_sec '0'
            option port '1194'
            option pull '1'
            option fast_io '1'
            option ca '/etc/openvpn/ca.crt'
            option tls_auth '/etc/openvpn/tlsauth.key'
            list remote 'ch.protonvpn.com'
            option remote_cert_tls 'server'
            option remote_random '1'
            option dev 'tun0'
            option mssfix '1450'
            option persist_key '1'
            option persist_tun '1'

/var/log/messages

2017-07-22T19:02:56+02:00 err openvpn(protonvpn)[25087]: Options error: No client-side authentication method is specified.  You must use either --cert/--key, --pkcs12, or --auth-user-pass
2017-07-22T19:02:56+02:00 warning openvpn(protonvpn)[25087]: Use --help for more information.
2017-07-22T19:02:56+02:00 notice openvpn(protonvpn)[25086]: OpenVPN 2.4.3 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2017-07-22T19:02:56+02:00 notice openvpn(protonvpn)[25086]: library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.08
2017-07-22T19:02:56+02:00 warning openvpn(protonvpn)[25086]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
2017-07-22T19:02:56+02:00 notice openvpn(protonvpn)[25086]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2017-07-22T19:02:56+02:00 notice openvpn(protonvpn)[25086]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2017-07-22T19:02:56+02:00 notice openvpn(protonvpn)[25086]: TCP/UDP: Preserving recently used remote address: [AF_INET]185.159.157.8:1194
2017-07-22T19:02:56+02:00 notice openvpn(protonvpn)[25086]: Socket Buffers: R=[163840->163840] S=[163840->163840]
2017-07-22T19:02:56+02:00 notice openvpn(protonvpn)[25086]: UDP link local: (not bound)
2017-07-22T19:02:56+02:00 notice openvpn(protonvpn)[25086]: UDP link remote: [AF_INET]185.159.157.8:1194

You specified

auth_user_pass

Yes, I have… what do you want to tell me?

The error message states it should be:

auth-user-pass

You need to use “_” instead of “-” in the config file, like all the other ones. It was also made by the LuCI configurator.

Ever tried the alternative?

This guide also says it has to be a -


When I change “auth_user_pass” to “auth-user-pass” I get an error:

2017-07-22T20:04:43+02:00 warning []: Bad config 'openvpn': uci: Parse error (invalid character in name field) at line 4, byte 23

Your guide refers to the normal OpenVPN conf file and not the one used by Turris Omnia.


Maybe your username or password includes a special character that has to be escaped? Especially since line 4 in the config isn’t changed by you…

Ohhhh ohhhh I got it… I missed a config entry.

key-direction 1

key_direction '1'

Now it makes the Connection.

So it looks like the Error Message was more a Warning… or just wrong.

2017-07-22T20:17:50+02:00 err openvpn(protonvpn)[7097]: Options error: No client-side authentication method is specified.  You must use either --cert/--key, --pkcs12, or --auth-user-pass
2017-07-22T20:17:50+02:00 warning openvpn(protonvpn)[7097]: Use --help for more information.
2017-07-22T20:17:50+02:00 notice openvpn(protonvpn)[7096]: OpenVPN 2.4.3 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2017-07-22T20:17:50+02:00 notice openvpn(protonvpn)[7096]: library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.08
2017-07-22T20:17:50+02:00 warning openvpn(protonvpn)[7096]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
2017-07-22T20:17:50+02:00 notice openvpn(protonvpn)[7096]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2017-07-22T20:17:50+02:00 notice openvpn(protonvpn)[7096]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2017-07-22T20:17:50+02:00 notice openvpn(protonvpn)[7096]: TCP/UDP: Preserving recently used remote address: [AF_INET]185.159.157.8:1194
2017-07-22T20:17:50+02:00 notice openvpn(protonvpn)[7096]: Socket Buffers: R=[163840->163840] S=[163840->163840]
2017-07-22T20:17:50+02:00 notice openvpn(protonvpn)[7096]: UDP link local: (not bound)
2017-07-22T20:17:50+02:00 notice openvpn(protonvpn)[7096]: UDP link remote: [AF_INET]185.159.157.8:1194
2017-07-22T20:17:52+02:00 notice openvpn(protonvpn)[7096]: TLS: Initial packet from [AF_INET]185.159.157.8:1194, sid=4c1ea32b 7dd79967
2017-07-22T20:17:52+02:00 warning openvpn(protonvpn)[7096]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2017-07-22T20:17:52+02:00 notice openvpn(protonvpn)[7096]: VERIFY OK: depth=2, C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA
2017-07-22T20:17:52+02:00 notice openvpn(protonvpn)[7096]: VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
2017-07-22T20:17:52+02:00 notice openvpn(protonvpn)[7096]: VERIFY KU OK
2017-07-22T20:17:52+02:00 notice openvpn(protonvpn)[7096]: Validating certificate extended key usage
2017-07-22T20:17:52+02:00 notice openvpn(protonvpn)[7096]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2017-07-22T20:17:52+02:00 notice openvpn(protonvpn)[7096]: VERIFY EKU OK
2017-07-22T20:17:52+02:00 notice openvpn(protonvpn)[7096]: VERIFY OK: depth=0, CN=ch-05.protonvpn.com
2017-07-22T20:17:53+02:00 notice openvpn(protonvpn)[7096]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2017-07-22T20:17:53+02:00 notice openvpn(protonvpn)[7096]: [ch-05.protonvpn.com] Peer Connection Initiated with [AF_INET]185.159.157.8:1194
2017-07-22T20:17:54+02:00 notice openvpn(protonvpn)[7096]: SENT CONTROL [ch-05.protonvpn.com]: 'PUSH_REQUEST' (status=1)
2017-07-22T20:17:54+02:00 notice openvpn(protonvpn)[7096]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.8.1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,route-gateway 10.8.8.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.8.34 255.255.255.0,peer-id 35,cipher AES-256-GCM'
2017-07-22T20:17:54+02:00 err openvpn(protonvpn)[7096]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: explicit-exit-notify (2.4.3)
2017-07-22T20:17:54+02:00 notice openvpn(protonvpn)[7096]: OPTIONS IMPORT: timers and/or timeouts modified
2017-07-22T20:17:54+02:00 notice openvpn(protonvpn)[7096]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
2017-07-22T20:17:54+02:00 notice openvpn(protonvpn)[7096]: Socket Buffers: R=[163840->327680] S=[163840->327680]
2017-07-22T20:17:54+02:00 notice openvpn(protonvpn)[7096]: OPTIONS IMPORT: --ifconfig/up options modified
2017-07-22T20:17:54+02:00 notice openvpn(protonvpn)[7096]: OPTIONS IMPORT: route options modified
2017-07-22T20:17:54+02:00 notice openvpn(protonvpn)[7096]: OPTIONS IMPORT: route-related options modified
2017-07-22T20:17:54+02:00 notice openvpn(protonvpn)[7096]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2017-07-22T20:17:54+02:00 notice openvpn(protonvpn)[7096]: OPTIONS IMPORT: peer-id set
2017-07-22T20:17:54+02:00 notice openvpn(protonvpn)[7096]: OPTIONS IMPORT: adjusting link_mtu to 1657
2017-07-22T20:17:54+02:00 notice openvpn(protonvpn)[7096]: OPTIONS IMPORT: data channel crypto options modified
2017-07-22T20:17:54+02:00 notice openvpn(protonvpn)[7096]: Data Channel: using negotiated cipher 'AES-256-GCM'
2017-07-22T20:17:54+02:00 notice openvpn(protonvpn)[7096]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
2017-07-22T20:17:54+02:00 notice openvpn(protonvpn)[7096]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
2017-07-22T20:17:54+02:00 notice openvpn(protonvpn)[7096]: TUN/TAP device tun0 opened
2017-07-22T20:17:54+02:00 notice openvpn(protonvpn)[7096]: TUN/TAP TX queue length set to 100
2017-07-22T20:17:54+02:00 notice openvpn(protonvpn)[7096]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2017-07-22T20:17:54+02:00 notice openvpn(protonvpn)[7096]: /sbin/ifconfig tun0 10.8.8.34 netmask 255.255.255.0 mtu 1500 broadcast 10.8.8.255
2017-07-22T20:17:54+02:00 notice netifd[]: Interface 'VPN_PROTONVPN' is enabled
2017-07-22T20:17:54+02:00 notice netifd[]: Network device 'tun0' link is up
2017-07-22T20:17:54+02:00 notice netifd[]: Interface 'VPN_PROTONVPN' has link connectivity
2017-07-22T20:17:54+02:00 notice netifd[]: Interface 'VPN_PROTONVPN' is setting up now
2017-07-22T20:17:54+02:00 notice netifd[]: Interface 'VPN_PROTONVPN' is now up
2017-07-22T20:17:54+02:00 notice openvpn(protonvpn)[7096]: /sbin/route add -net 185.159.157.8 netmask 255.255.255.255 gw 85.195.229.1
2017-07-22T20:17:54+02:00 notice openvpn(protonvpn)[7096]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.8.1
2017-07-22T20:17:54+02:00 notice openvpn(protonvpn)[7096]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.8.1
2017-07-22T20:17:54+02:00 notice openvpn(protonvpn)[7096]: Initialization Sequence Completed
2017-07-22T20:17:54+02:00 notice firewall[]: Reloading firewall due to ifup of VPN_PROTONVPN (tun0)

Over Wifi

Over Lan

Can you give us further information about your configuration (interfaces, firewall, …) and how you reached such a tremendous speed via protonvpn?

It was kind of a bug or misconfiguration, so that not all traffic was tunneled through the VPN. I don’t know where exactly because I haven’t found it. But after a reset of my router and reconfiguring everything I now have a normal speed rate for VPN.

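The fix in this thread was a directive from the original config (key-direction 1) that had not been carried over into /etc/config/openvpn. As an added example, not part of the original posts, the following shell script lists the directives of an .ovpn file that have no option/list entry in a UCI section; the function names and the shortened sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report OpenVPN directives that have no
# matching option/list entry in a UCI openvpn section.

# Directive names of an .ovpn file, one per line, in UCI spelling ("-" -> "_").
# An inline block such as <tls-auth>...</tls-auth> counts as that directive;
# its body (key or certificate material) is skipped, never printed.
ovpn_directives() {
    awk '
        NF == 0 || $1 ~ /^[#;]/ { next }
        inblock { if ($1 ~ /^<\//) inblock = 0; next }
        {
            name = $1
            if (name ~ /^<[a-z-]+>$/) { inblock = 1; gsub(/[<>]/, "", name) }
            gsub(/-/, "_", name)
            print name
        }' "$1"
}

# Directives from .ovpn file $1 that UCI config file $2 does not set.
missing_in_uci() {
    ovpn_directives "$1" | awk -v uci="$2" '
        BEGIN {
            while ((getline line < uci) > 0) {
                split(line, f, " ")
                if (f[1] == "option" || f[1] == "list") have[f[2]] = 1
            }
        }
        !($1 in have) { print $1 }'
}

# Constructed, shortened versions of the two configs posted above.
demo_missing() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'client' 'dev tun' 'remote ch.protonvpn.com 1194' \
        'remote-cert-tls server' 'auth-user-pass /etc/openvpn/userpass.txt' \
        '<ca>' 'PLACEHOLDER CERTIFICATE' '</ca>' 'key-direction 1' \
        '<tls-auth>' '# static key' 'PLACEHOLDER KEY' '</tls-auth>' > "$d/client.ovpn"
    printf '%s\n' "config openvpn 'protonvpn'" "  option client '1'" \
        "  option dev 'tun0'" "  list remote 'ch.protonvpn.com'" \
        "  option remote_cert_tls 'server'" \
        "  option auth_user_pass '/etc/openvpn/userpass.txt'" \
        "  option ca '/etc/openvpn/ca.crt'" \
        "  option tls_auth '/etc/openvpn/tlsauth.key'" > "$d/openvpn.uci"
    missing_in_uci "$d/client.ovpn" "$d/openvpn.uci"
    rm -rf "$d"
}

demo_missing
```

On the router, `missing_in_uci client.ovpn /etc/config/openvpn` runs the same comparison against the real files; it compares directive names only, not their values.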