OpenWrt Forum Archive

Topic: OpenVPN using Webif interface / OpenVPN Tun - Sanity check

The content of this topic has been archived on 13 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I read through and followed the guide for OpenVPN TUN Howto and I'm trying to apply that guide to kamikaze and the webif interface.

This is the error I have now

OpenVPN Status wrote:

error in OpenVPN configuration, unknown authtype

/etc/config/openvpn wrote:

config openvpn general
    option mode    'client'
    option proto "tcp"
    option port "443"
    option auth    'pem'
   
config openvpn client
    option ipaddr    '10.8.0.0'
    option auth "pem"

/etc/openvpn/server.conf wrote:

### network options
port 443
proto tcp
dev tun
### certificate and key files
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
### (optional) use a shared key to initialize TLS negotiation
tls-auth /etc/openvpn/shared.key
### VPN subnet
server 10.8.0.0 255.255.255.0
### (optional) make local network behind the VPN server accessible for the VPN clients
push "route 192.168.1.0 255.255.255.0"
### (optional) make the VPN server a gateway for the internet for the VPN clients
push "redirect-gateway"
### (optional) compression (might make your WRT sluggish or not, depending on the model and what you have running...)
comp-lzo
keepalive 10 120
status /tmp/openvpn.status

I've created all the certs and keys and placed them in the directory.

/etc/firewall.user wrote:

### OpenVPN
## allow connections from outside
iptables -t nat -A prerouting_wan -p tcp --dport 443 -j ACCEPT
iptables        -A input_wan      -p tcp --dport 443 -j ACCEPT

## allow input/forwarding for the VPN interfaces, see http://openvpn.net/faq.html#firewall
##   as of July 2007 the above FAQ misses the output rules for the TUN interfaces
## also needs ip_forward, see http://openvpn.net/faq.html#ip-forward and http://forum.openwrt.org/viewtopic.php?pid=20428#p20428
iptables -A INPUT   -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A OUTPUT  -o tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -j ACCEPT

So I'm not sure what's wrong but I think it has to do with the new /etc/config in kamikaze vs the current server.conf file. Can anybody help me out?

Hi

Which doc are you talking about? Especially the one that talks about /etc/config/openvpn.

Have you tried running it at the command line and checking logread for any errors? You can bump up the logging by adding verb 9 to the config.

This is the doc http://wiki.openwrt.org/OpenVPNTunHowTo

It doesn't talk about /etc/config/openvpn, but I did see info in the wiki with regards to /etc/config being the new way of doing things, and using the webif interface to install and configure openvpn creates a /etc/config/openvpn file.

I ran it by command line and it appears to run successfully (but I don't have a way to test it). So, it looks like the webif interface doesn't run it the same way, hence the error. I'll try re-running it in daemon mode and see if I can connect to it tomorrow from work.

Here's a simple question: what calls the items in /etc/init.d/* to run? There is a /etc/init.d/openvpn but it doesn't start automatically. Is there another file I need to modify? I ask this as I could use this and bypass the webif interface.



openvpn --config /etc/openvpn/server.conf wrote:

Wed Oct 31 20:16:40 2007 us=679364 OpenVPN 2.0.9 mipsel-linux [SSL] [LZO] [EPOLL] built on Sep 30 2007
Wed Oct 31 20:16:40 2007 us=960193 Diffie-Hellman initialized with 1024 bit key
Wed Oct 31 20:16:40 2007 us=981941 Control Channel Authentication: using '/etc/openvpn/shared.key' as a OpenVPN static key file
Wed Oct 31 20:16:40 2007 us=984172 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Oct 31 20:16:40 2007 us=986286 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Oct 31 20:16:40 2007 us=988706 TLS-Auth MTU parms [ L:1544 D:168 EF:68 EB:0 ET:0 EL:0 ]
Wed Oct 31 20:16:41 2007 us=37856 TUN/TAP device tun0 opened
Wed Oct 31 20:16:41 2007 us=39884 TUN/TAP TX queue length set to 100
Wed Oct 31 20:16:41 2007 us=42048 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Wed Oct 31 20:16:41 2007 us=135042 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Wed Oct 31 20:16:41 2007 us=247459 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Oct 31 20:16:41 2007 us=248432 Listening for incoming TCP connection on [undef]:443
Wed Oct 31 20:16:41 2007 us=249318 Socket Buffers: R=[43689->131072] S=[16384->131072]
Wed Oct 31 20:16:41 2007 us=250027 TCPv4_SERVER link local (bound): [undef]:443
Wed Oct 31 20:16:41 2007 us=250630 TCPv4_SERVER link remote: [undef]
Wed Oct 31 20:16:41 2007 us=251338 MULTI: multi_init called, r=256 v=256
Wed Oct 31 20:16:41 2007 us=252533 IFCONFIG POOL: base=10.8.0.4 size=62
Wed Oct 31 20:16:41 2007 us=253240 Note: sys_epoll API is unavailable, falling back to poll/select API
Wed Oct 31 20:16:41 2007 us=254633 MULTI: TCP INIT maxclients=1024 maxevents=1028
Wed Oct 31 20:16:41 2007 us=255771 Initialization Sequence Completed

(Last edited by beakmyn on 1 Nov 2007, 01:26)
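A scripted sanity check for the files in this thread, as an added example (not the poster's code, nor anything shipped with OpenWrt or webif): it walks a server.conf like the one in the first post, confirms every ca/cert/key/dh/tls-auth file it names exists and that private material is mode 600, cross-checks that firewall.user actually opens the port the config listens on, and reads the DH group size out of a startup log like the one pasted above (which reports 1024 bits; 2048 or more is the usual floor today). The fixture it builds is constructed placeholder data, not the poster's files; relative paths are assumed to resolve against the config's own directory, and the WARN lines are judgement calls, not OpenVPN errors.

```sh
#!/bin/sh
# Sanity checks for an OpenVPN server.conf, its firewall.user and its startup log,
# modelled on the files in this thread. Added example; not code from the post or
# from OpenWrt. Assumptions: relative paths in server.conf resolve against the
# config's own directory, and key material is "safe" only with mode 600.

# First value of directive $2 in file $1 ('#'/';' comment lines never match as $1).
directive_value() { awk -v d="$2" '$1 == d { print $2; exit }' "$1"; }

# Succeeds if directive $2 appears in file $1 at all (for flag lines like comp-lzo).
directive_present() { awk -v d="$2" '$1 == d { f = 1; exit } END { exit !f }' "$1"; }

# Resolve a path named in config $1 relative to the config's directory.
resolve_path() {
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$(dirname "$1")" "$2" ;;
    esac
}

# Succeeds if file $1 has no group/other permission bits (ls shows -rw-------).
owner_only() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# Check one server config; prints FAIL/WARN lines and returns the FAIL count.
check_openvpn_conf() {
    conf=$1; fails=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }
    # Directives a TLS server in 'server' mode cannot start without.
    for d in proto port dev server ca cert key dh; do
        [ -n "$(directive_value "$conf" "$d")" ] ||
            { echo "FAIL: missing directive '$d'"; fails=$((fails + 1)); }
    done
    # Every file the config names must exist; private material must be owner-only.
    for d in ca cert key dh tls-auth; do
        v=$(directive_value "$conf" "$d"); [ -n "$v" ] || continue
        f=$(resolve_path "$conf" "$v")
        if [ ! -f "$f" ]; then
            echo "FAIL: $d -> $f does not exist"; fails=$((fails + 1))
        elif { [ "$d" = key ] || [ "$d" = tls-auth ]; } && ! owner_only "$f"; then
            echo "FAIL: $f is readable by others; chmod 600 $f"; fails=$((fails + 1))
        fi
    done
    directive_present "$conf" tls-auth ||
        echo "WARN: no tls-auth; anyone who can reach the port can start a TLS handshake"
    if directive_present "$conf" comp-lzo; then
        echo "WARN: comp-lzo enabled; current OpenVPN documentation advises against tunnel compression"
    fi
    return $fails
}

# Succeeds if firewall script $2 has an iptables rule whose --dport matches the
# port in config $1 (the posted rules open 443/tcp in input_wan).
firewall_opens_port() {
    p=$(directive_value "$1" port); [ -n "$p" ] || return 1
    awk -v p="$p" '/^[[:space:]]*#/ { next }
        /iptables/ { for (i = 1; i < NF; i++) if ($i == "--dport" && $(i + 1) == p) found = 1 }
        END { exit !found }' "$2"
}

# Print the DH group size from the "Diffie-Hellman initialized with N bit key"
# startup line in log $1 (the log in this thread reports 1024).
dh_bits_from_log() {
    awk '/Diffie-Hellman initialized with/ {
        for (i = 1; i < NF; i++) if ($(i + 1) == "bit") { print $i; exit } }' "$1"
}

# Throwaway copy of the posted layout with empty placeholder files (constructed
# for this demo; not the poster's real keys). Prints the directory.
make_fixture() {
    dir=$(mktemp -d)
    for n in ca.crt server.crt dh.pem; do : > "$dir/$n"; chmod 644 "$dir/$n"; done
    for n in server.key shared.key; do : > "$dir/$n"; chmod 600 "$dir/$n"; done
    printf '%s\n' 'port 443' 'proto tcp' 'dev tun' 'ca ca.crt' 'cert server.crt' \
        'key server.key' 'dh dh.pem' 'tls-auth shared.key' \
        'server 10.8.0.0 255.255.255.0' 'comp-lzo' 'keepalive 10 120' > "$dir/server.conf"
    printf '%s\n' '### OpenVPN' \
        'iptables -t nat -A prerouting_wan -p tcp --dport 443 -j ACCEPT' \
        'iptables        -A input_wan      -p tcp --dport 443 -j ACCEPT' > "$dir/firewall.user"
    printf '%s\n' 'Wed Oct 31 20:16:40 2007 us=960193 Diffie-Hellman initialized with 1024 bit key' \
        > "$dir/openvpn.log"
    printf '%s\n' "$dir"
}

# Run every check against the fixture; the exit status is the FAIL count.
demo() {
    fx=$(make_fixture); n=0
    check_openvpn_conf "$fx/server.conf" || n=$?
    firewall_opens_port "$fx/server.conf" "$fx/firewall.user" ||
        { echo "FAIL: no firewall rule opens the listening port"; n=$((n + 1)); }
    bits=$(dh_bits_from_log "$fx/openvpn.log")
    [ -z "$bits" ] || [ "$bits" -ge 2048 ] ||
        echo "WARN: DH group is only $bits bits; regenerate dh.pem with at least 2048"
    rm -rf "$fx"
    return $n
}

demo
```

Run on the router as `sh check_openvpn.sh` (pointing the functions at /etc/openvpn/server.conf, /etc/firewall.user and the logread output instead of the fixture); the two WARN lines for comp-lzo and the 1024-bit group are exactly what the posted config and log produce, and the exit status is the number of hard failures, so it can gate an init script before the daemon is started.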

There was an error in older versions of the webif where, when the openvpn package was installed, it overwrote the webif files; this has been fixed in new revisions.

thepeople wrote:

There was an error in older versions of the webif where, when the openvpn package was installed, it overwrote the webif files; this has been fixed in new revisions.

Define older versions. My webif interface is 5 days old and the Openwrt install is 5 days old.


I've confirmed that if I

openvpn --daemon --config /etc/openvpn/serv.conf

I can connect to the VPN from work, however. I'll take the issue up in the webif forums as it appears to be related strictly to the webif interface, which, from the X-wrt, I don't think is implemented yet.



So, here is the big question. Right now I have OpenVPN set up and running on the WRT and I also have tinyproxy. I can connect to my home network using openvpn, yeh!

(Last edited by beakmyn on 1 Nov 2007, 18:20)

The discussion might have continued from here.