I've got openvpn-openssl installed as a VPN server on a Buffalo WZR-HP-G300NH running LEDE 17.01.4 with all opkg updates. It's been stable and working well for years, across successive improvements in cipher strength and every OpenWRT release from Attitude Adjustment through to the latest LEDE.

I want to set up a TP-Link TL-WR810N to do the same in another location. Accordingly, I've put LEDE 17.01.4 on the WR810N, upgraded all the included packages, and installed openvpn-openssl.

I figured the easiest approach would be to copy the existing working configuration, including all certs and keys, to the WR810N, and alter /etc/config/openvpn to reflect the new subnets and addresses. (Yeah, copying the certs & keys might not be the most secure approach, but I wanted to test it first with known working certs & keys. Once it does, then I'll spin up new certs and keys for this box).

I'm running into problems. logread -e openvpn on the Buffalo shows the expected messages from the service starting up. However, the same logread -e openvpn on the TP-Link shows not only the usual service startup messages but also these three lines, repeating every five seconds, before any client even tries to connect:

daemon.warn openvpn(ovpnauth)[9411]: disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
daemon.err openvpn(ovpnauth)[9411]: Options error: You must define TUN/TAP device (--dev)
daemon.warn openvpn(ovpnauth)[9411]: Use --help for more information.

Several hours' worth of Googling suggests that this may be related to recent security enhancements in OpenVPN (negotiable crypto parameters, NCP), whereby client and server negotiate the strongest cipher both support. Great, strong encryption is good. But why am I seeing those log messages on only one installation and not the other? Shouldn't I see them on both or neither?

As best as I can determine, the cryptographic settings (cipher, tls-auth, certificates and keys) are identical between the two installations; the only difference is in the subnets and routing. So why should I see a repeating sequence of NCP errors on one installation but not the other? One detail I can't account for: the log lines are tagged openvpn(ovpnauth), a name that matches neither the routed_udp nor the routed_tcp section shown below.

I'm stumped. I've stared at this for hours, and I suspect I might be missing something obvious. Can anyone enlighten me?

Here are the relevant /etc/config/openvpn files, their generated /tmp/etc/*.conf files, and the resulting tun interfaces.

Buffalo WZR-HP-G300NH

/etc/config/openvpn

config openvpn 'routed_udp'
    option local 'x.x.x.x' (public IP address - redacted)
    option port '1194'
    option proto 'udp'
    option dev 'tun'
    option ca '/etc/openvpn/ca.crt'
    option cert '/etc/openvpn/server.crt'
    option key '/etc/openvpn/server.key'
    option dh '/etc/openvpn/dh4096.pem'
    option tls_auth '/etc/openvpn/ta.key 0'
    option duplicate_cn '1'
    option server '192.168.30.0 255.255.255.0'
    option topology 'subnet'
    list push 'topology subnet'
    list push 'redirect-gateway def1 bypass-dhcp'
    list push 'route 192.168.20.0 255.255.255.0'
    list push 'dhcp-option DNS 192.168.20.1'
    list push 'dhcp-option DOMAIN lan'
    option client_to_client '1'
    option keepalive '10 120'
    option cipher 'AES-256-GCM'
    option compress 'lzo'
    option verb '3'
    option persist_key '1'
    option persist_tun '1'
    option user 'nobody'
    option status '/tmp/openvpn-udp-status.log'
    option mute '20'
    option enabled '1'

config openvpn 'routed_tcp'
    option local 'x.x.x.x' (public IP address - redacted)
    option port '443'
    option proto 'tcp'
    option dev 'tun'
    option ca '/etc/openvpn/ca.crt'
    option cert '/etc/openvpn/server.crt'
    option key '/etc/openvpn/server.key'
    option dh '/etc/openvpn/dh4096.pem'
    option tls_auth '/etc/openvpn/ta.key 0'
    option duplicate_cn '1'
    option server '192.168.40.0 255.255.255.0'
    option topology 'subnet'
    list push 'topology subnet'
    list push 'redirect-gateway def1 bypass-dhcp'
    list push 'route 192.168.20.0 255.255.255.0'
    list push 'dhcp-option DNS 192.168.20.1'
    list push 'dhcp-option DOMAIN lan'
    option client_to_client '1'
    option keepalive '10 120'
    option cipher 'AES-256-GCM'
    option compress 'lzo'
    option verb '3'
    option persist_key '1'
    option persist_tun '1'
    option user 'nobody'
    option status '/tmp/openvpn-tcp-status.log'
    option mute '20'
    option enabled '1'

/tmp/etc/openvpn-routed_tcp.conf

client-to-client
duplicate-cn
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
cipher AES-256-GCM
compress lzo
dev tun
dh /etc/openvpn/dh4096.pem
keepalive 10 120
key /etc/openvpn/server.key
local x.x.x.x (public IP address - redacted)
mute 20
port 443
proto tcp
push "topology subnet"
push "redirect-gateway def1 bypass-dhcp"
push "route 192.168.20.0 255.255.255.0"
push "dhcp-option DNS 192.168.20.1"
push "dhcp-option DOMAIN lan"
server 192.168.40.0 255.255.255.0
status /tmp/openvpn-tcp-status.log
tls-auth /etc/openvpn/ta.key 0
topology subnet
user nobody
verb 3

/tmp/etc/openvpn-routed_udp.conf

client-to-client
duplicate-cn
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
cipher AES-256-GCM
compress lzo
dev tun
dh /etc/openvpn/dh4096.pem
keepalive 10 120
key /etc/openvpn/server.key
local x.x.x.x (public IP address - redacted)
mute 20
port 1194
proto udp
push "topology subnet"
push "redirect-gateway def1 bypass-dhcp"
push "route 192.168.20.0 255.255.255.0"
push "dhcp-option DNS 192.168.20.1"
push "dhcp-option DOMAIN lan"
server 192.168.30.0 255.255.255.0
status /tmp/openvpn-udp-status.log
tls-auth /etc/openvpn/ta.key 0
topology subnet
user nobody
verb 3

ifconfig

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.40.1  P-t-P:192.168.40.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.30.1  P-t-P:192.168.30.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

TP-Link TL-WR810N

/etc/config/openvpn

config openvpn 'routed_udp'
    option local '0.0.0.0' (on a dynamic IP address - separate script to update DDNS)
    option port '1194'
    option proto 'udp'
    option dev 'tun'
    option ca '/etc/openvpn/ca.crt'
    option cert '/etc/openvpn/server.crt'
    option key '/etc/openvpn/server.key'
    option dh '/etc/openvpn/dh4096.pem'
    option tls_auth '/etc/openvpn/ta.key 0'
    option duplicate_cn '1'
    option server '192.168.30.0 255.255.255.0'
    option topology 'subnet'
    list push 'topology subnet'
    list push 'route 192.168.69.0 255.255.255.248'
    option client_to_client '1'
    option keepalive '10 120'
    option cipher 'AES-256-GCM'
    option compress 'lzo'
    option verb '3'
    option persist_key '1'
    option persist_tun '1'
    option user 'nobody'
    option status '/tmp/openvpn-udp-status.log'
    option mute '20'
    option enabled '1'

config openvpn 'routed_tcp'
    option local '0.0.0.0' (on a dynamic IP address - separate script to update DDNS)
    option port '443'
    option proto 'tcp'
    option dev 'tun'
    option ca '/etc/openvpn/ca.crt'
    option cert '/etc/openvpn/server.crt'
    option key '/etc/openvpn/server.key'
    option dh '/etc/openvpn/dh4096.pem'
    option tls_auth '/etc/openvpn/ta.key 0'
    option duplicate_cn '1'
    option server '192.168.40.0 255.255.255.0'
    option topology 'subnet'
    list push 'topology subnet'
    list push 'route 192.168.69.0 255.255.255.248'
    option client_to_client '1'
    option keepalive '10 120'
    option cipher 'AES-256-GCM'
    option compress 'lzo'
    option verb '3'
    option persist_key '1'
    option persist_tun '1'
    option user 'nobody'
    option status '/tmp/openvpn-tcp-status.log'
    option mute '20'
    option enabled '1'

(The above installation is intended for inbound connections only, with no redirection of Internet traffic. It is intended to permit encrypted connections to a tiny subnet containing six devices, hence the difference in the various "push" directives.)

/tmp/etc/openvpn-routed_tcp.conf

client-to-client
duplicate-cn
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
cipher AES-256-GCM
compress lzo
dev tun
dh /etc/openvpn/dh4096.pem
keepalive 10 120
key /etc/openvpn/server.key
local 0.0.0.0 (on a dynamic IP address - separate script to update DDNS)
mute 20
port 443
proto tcp
push "topology subnet"
push "route 192.168.69.0 255.255.255.248"
server 192.168.40.0 255.255.255.0
status /tmp/openvpn-tcp-status.log
tls-auth /etc/openvpn/ta.key 0
topology subnet
user nobody
verb 3

/tmp/etc/openvpn-routed_udp.conf

client-to-client
duplicate-cn
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
cipher AES-256-GCM
compress lzo
dev tun
dh /etc/openvpn/dh4096.pem
keepalive 10 120
key /etc/openvpn/server.key
local 0.0.0.0 (on a dynamic IP address - separate script to update DDNS)
mute 20
port 1194
proto udp
push "topology subnet"
push "route 192.168.69.0 255.255.255.248"
server 192.168.30.0 255.255.255.0
status /tmp/openvpn-udp-status.log
tls-auth /etc/openvpn/ta.key 0
topology subnet
user nobody
verb 3

ifconfig

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.40.1  P-t-P:192.168.40.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.30.1  P-t-P:192.168.30.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
