Can't connect to OpenVPN Server

When I try to connect to my home VPN (OPNsense Firewall), it doesn’t seem to work; the indicator stays yellow, and I get no network traffic.

Importing the same config to my laptop’s OpenVPN GUI works just fine.

Model: GL-AX1800
Firmware: 4.5.0

Completely redid my OpenVPN server on my firewall from the previous settings, and I am using a different device. (OpenVPN Client not working - #10 by hansome)

New .ovpn config:
dev tun
persist-tun
persist-key
data-ciphers-fallback AES-256-CBC
auth SHA256
client
resolv-retry infinite
remote home.net 1194 udp
lport 0
auth-user-pass /etc/openvpn/profiles/10073/auth/username_password.txt
pkcs12 HOME_VPN_first_last.p12
askpass /etc/openvpn/askpass.txt
tls-crypt HOME_VPN_first_last-tls.key
daemon

Works on my laptop just fine: it asks for the username and password, then asks for the private key password, and after that it connects just fine. I can’t get this router to connect; it stays yellow.

System log from router:
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: Option ‘sambasharelan’.dest_proto is unknown
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: Section ‘sambasharelan’ does not specify a protocol, assuming TCP+UDP
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: Option ‘glnas_ser’.dest_proto is unknown
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: Section ‘glnas_ser’ does not specify a protocol, assuming TCP+UDP
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: Option ‘webdav_wan’.dest_proto is unknown
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: Section ‘webdav_wan’ does not specify a protocol, assuming TCP+UDP
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: Section @defaults[0] requires unavailable target extension FLOWOFFLOAD, disabling
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: Section @zone[2] (guest) has no device, network, subnet or extra options
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: Section @zone[3] (ovpnclient) has no device, network, subnet or extra options
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Clearing IPv4 filter table
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Clearing IPv4 nat table
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Clearing IPv4 mangle table
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Populating IPv4 filter table
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Rule ‘Allow-DHCP-Renew’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Rule ‘Allow-IGMP’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Rule ‘Allow-IPSec-ESP’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Rule ‘Allow-ISAKMP’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Rule ‘block_dns’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Rule ‘Allow-DHCP’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Rule ‘Allow-DNS’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Rule #15
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Rule #16
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Rule #17
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Rule #18
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Forward ‘ovpnclient’ → ‘wan’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Forward ‘lan’ → ‘ovpnclient’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Forward ‘guest’ → ‘ovpnclient’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Zone ‘lan’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Zone ‘wan’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Zone ‘guest’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Zone ‘ovpnclient’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Populating IPv4 nat table
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Zone ‘lan’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Zone ‘wan’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Zone ‘guest’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Zone ‘ovpnclient’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Populating IPv4 mangle table
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Rule ‘process_mark’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Rule ‘wan_in_conn_mark’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: fw3_ipt_rule_append(): Can’t find target ‘CONNMARK’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: fw3_ipt_rule_append(): Can’t find target ‘CONNMARK’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: fw3_ipt_rule_append(): Can’t find target ‘CONNMARK’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: fw3_ipt_rule_append(): Can’t find target ‘CONNMARK’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: fw3_ipt_rule_append(): Can’t find target ‘CONNMARK’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: fw3_ipt_rule_append(): Can’t find target ‘CONNMARK’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Rule ‘lan_in_conn_mark_restore’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: fw3_ipt_rule_append(): Can’t find match ‘connmark’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: fw3_ipt_rule_append(): Can’t find match ‘connmark’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Rule ‘out_conn_mark_restore’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: fw3_ipt_rule_append(): Can’t find match ‘connmark’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: fw3_ipt_rule_append(): Can’t find match ‘connmark’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Zone ‘lan’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Zone ‘wan’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Zone ‘guest’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Zone ‘ovpnclient’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Clearing IPv6 filter table
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Clearing IPv6 nat table
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Clearing IPv6 mangle table
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Populating IPv6 filter table
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Rule ‘Allow-DHCPv6’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Rule ‘Allow-MLD’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Rule ‘Allow-ICMPv6-Input’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Rule ‘Allow-ICMPv6-Forward’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Rule ‘Allow-IPSec-ESP’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Rule ‘Allow-ISAKMP’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Rule ‘block_dns’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Rule ‘Allow-DHCP’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Rule ‘Allow-DNS’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Rule #15
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Rule #16
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Rule #17
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Rule #18
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Forward ‘ovpnclient’ → ‘wan’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Forward ‘lan’ → ‘ovpnclient’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Forward ‘guest’ → ‘ovpnclient’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Zone ‘lan’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Zone ‘wan’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Zone ‘guest’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Zone ‘ovpnclient’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Populating IPv6 nat table
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: fw3_ipt_rule_append(): Can’t find target ‘prerouting_lan_rule’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: fw3_ipt_rule_append(): Can’t find target ‘postrouting_lan_rule’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: fw3_ipt_rule_append(): Can’t find target ‘prerouting_wan_rule’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: fw3_ipt_rule_append(): Can’t find target ‘postrouting_wan_rule’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: fw3_ipt_rule_append(): Can’t find target ‘prerouting_guest_rule’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: fw3_ipt_rule_append(): Can’t find target ‘postrouting_guest_rule’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: fw3_ipt_rule_append(): Can’t find target ‘prerouting_ovpnclient_rule’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: fw3_ipt_rule_append(): Can’t find target ‘postrouting_ovpnclient_rule’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: fw3_ipt_rule_append(): Can’t find target ‘prerouting_rule’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: fw3_ipt_rule_append(): Can’t find target ‘postrouting_rule’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Zone ‘lan’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Zone ‘wan’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Zone ‘guest’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Zone ‘ovpnclient’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Populating IPv6 mangle table
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Rule ‘process_mark’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Rule ‘wan_in_conn_mark’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: fw3_ipt_rule_append(): Can’t find target ‘CONNMARK’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: fw3_ipt_rule_append(): Can’t find target ‘CONNMARK’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: fw3_ipt_rule_append(): Can’t find target ‘CONNMARK’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: fw3_ipt_rule_append(): Can’t find target ‘CONNMARK’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: fw3_ipt_rule_append(): Can’t find target ‘CONNMARK’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: fw3_ipt_rule_append(): Can’t find target ‘CONNMARK’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Rule ‘lan_in_conn_mark_restore’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: fw3_ipt_rule_append(): Can’t find match ‘connmark’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: fw3_ipt_rule_append(): Can’t find match ‘connmark’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Rule ‘out_conn_mark_restore’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: fw3_ipt_rule_append(): Can’t find match ‘connmark’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Warning: fw3_ipt_rule_append(): Can’t find match ‘connmark’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Zone ‘lan’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Zone ‘wan’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Zone ‘guest’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Zone ‘ovpnclient’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Set tcp_ecn to off
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Set tcp_syncookies to on
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Set tcp_window_scaling to on
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Running script ‘/etc/firewall.nat6’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Running script ‘/etc/firewall.swap_wan_in_conn_mark.sh’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Running script ‘/etc/firewall.vpn_server_policy.sh’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Running script ‘/var/etc/gls2s.include’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): ! Skipping due to path error: No such file or directory
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): * Running script ‘/usr/bin/gl_block.sh’
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): Failed to parse json data: unexpected character
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): uci: Entry not found
Tue Feb 6 11:12:06 2024 daemon.notice netifd: ovpnclient (25816): cat: can’t open ‘/tmp/run/ovpn_resolved_ip’: No such file or directory
Tue Feb 6 11:12:06 2024 user.notice root: openvpn process exit and try again 5 seconds later
Tue Feb 6 11:12:11 2024 daemon.notice netifd: Interface ‘ovpnclient’ is now down
Tue Feb 6 11:12:11 2024 daemon.notice netifd: Interface ‘ovpnclient’ is setting up now
Tue Feb 6 11:12:11 2024 daemon.err ovpnclient[26047]: Cannot pre-load keyfile (HOME_VPN_first_last-tls.key)
Tue Feb 6 11:12:11 2024 daemon.notice ovpnclient[26047]: Exiting due to fatal error
Tue Feb 6 11:12:11 2024 daemon.notice netifd: ovpnclient (26048): Warning: Section @defaults[0] requires unavailable target extension FLOWOFFLOAD, disabling
Tue Feb 6 11:12:11 2024 daemon.notice netifd: ovpnclient (26048): Warning: Section @zone[1] (wan) cannot resolve device of network ‘wan6’
Tue Feb 6 11:12:11 2024 daemon.notice netifd: ovpnclient (26048): Warning: Section @zone[2] (guest) cannot resolve device of network ‘guest’
Tue Feb 6 11:12:11 2024 daemon.notice netifd: ovpnclient (26048): Warning: Option ‘ovpnclient’.masq6 is unknown
Tue Feb 6 11:12:11 2024 daemon.notice netifd: ovpnclient (26048): Warning: Section ‘ovpnclient’ cannot resolve device of network ‘ovpnclient’
Tue Feb 6 11:12:11 2024 daemon.notice netifd: ovpnclient (26048): Warning: Section ‘wan_in_conn_mark’ does not specify a protocol, assuming TCP+UDP
Tue Feb 6 11:12:11 2024 daemon.notice netifd: ovpnclient (26048): Warning: Section ‘lan_in_conn_mark_restore’ does not specify a protocol, assuming TCP+UDP
Tue Feb 6 11:12:11 2024 daemon.notice netifd: ovpnclient (26048): Warning: Section ‘out_conn_mark_restore’ does not specify a protocol, assuming TCP+UDP
Tue Feb 6 11:12:11 2024 daemon.notice netifd: ovpnclient (26048): Warning: Section ‘block_dns’ does not specify a protocol, assuming TCP+UDP
Tue Feb 6 11:12:11 2024 daemon.notice netifd: ovpnclient (26048): Warning: Option ‘sambasharewan’.dest_proto is unknown
Tue Feb 6 11:12:11 2024 daemon.notice netifd: ovpnclient (26048): Warning: Section ‘sambasharewan’ does not specify a protocol, assuming TCP+UDP
Tue Feb 6 11:12:11 2024 daemon.notice netifd: ovpnclient (26048): Warning: Option ‘sambasharelan’.dest_proto is unknown
Tue Feb 6 11:12:11 2024 daemon.notice netifd: ovpnclient (26048): Warning: Section ‘sambasharelan’ does not specify a protocol, assuming TCP+UDP
Tue Feb 6 11:12:11 2024 daemon.notice netifd: ovpnclient (26048): Warning: Option ‘glnas_ser’.dest_proto is unknown
Tue Feb 6 11:12:11 2024 daemon.notice netifd: ovpnclient (26048): Warning: Section ‘glnas_ser’ does not specify a protocol, assuming TCP+UDP
Tue Feb 6 11:12:11 2024 daemon.notice netifd: ovpnclient (26048): Warning: Option ‘webdav_wan’.dest_proto is unknown
Tue Feb 6 11:12:11 2024 daemon.notice netifd: ovpnclient (26048): Warning: Section ‘webdav_wan’ does not specify a protocol, assuming TCP+UDP
Tue Feb 6 11:12:11 2024 daemon.notice netifd: ovpnclient (26048): Warning: Section @defaults[0] requires unavailable target extension FLOWOFFLOAD, disabling
Tue Feb 6 11:12:11 2024 daemon.notice netifd: ovpnclient (26048): Warning: Section @zone[2] (guest) has no device, network, subnet or extra options
Tue Feb 6 11:12:11 2024 daemon.notice netifd: ovpnclient (26048): Warning: Section @zone[3] (ovpnclient) has no device, network, subnet or extra options

I would assume that you need to embed the CA / cert file into your config instead of loading them from the file system. Could you try that?

I hate to ask… What do you mean by embed the CA / cert?

Something like that, so the OVPN file is the only one you need.
You have to do that because of this:

The system isn’t able to find the key file because it was not uploaded. Since you can only upload 1 file (afaik), you have to embed all additional files into the ovpn file itself.

Different errors now…
Tue Feb 6 13:29:29 2024 daemon.notice ovpnclient[19960]: OpenVPN 2.5.3 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Tue Feb 6 13:29:29 2024 daemon.notice ovpnclient[19960]: library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.10
Tue Feb 6 13:29:29 2024 daemon.warn ovpnclient[19960]: WARNING: No server certificate verification method has been enabled. See How To Guide: Set Up & Configure OpenVPN Client/server VPN | OpenVPN for more info.
Tue Feb 6 13:29:29 2024 daemon.warn ovpnclient[19960]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Feb 6 13:29:29 2024 daemon.err ovpnclient[19960]: OpenSSL: error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long
Tue Feb 6 13:29:29 2024 daemon.err ovpnclient[19960]: OpenSSL: error:0D068066:asn1 encoding routines:asn1_check_tlen:bad object header
Tue Feb 6 13:29:29 2024 daemon.err ovpnclient[19960]: OpenSSL: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
Tue Feb 6 13:29:29 2024 daemon.err ovpnclient[19960]: OpenSSL: error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib
Tue Feb 6 13:29:29 2024 daemon.err ovpnclient[19960]: OpenSSL: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Tue Feb 6 13:29:29 2024 daemon.err ovpnclient[19960]: Cannot load inline certificate file
Tue Feb 6 13:29:29 2024 daemon.notice ovpnclient[19960]: Exiting due to fatal error

Here is new OVPN config:
dev tun
persist-tun
persist-key
data-ciphers-fallback AES-256-CBC
auth SHA256
client
resolv-retry infinite
remote home.ddns.net 1194 udp
lport 0
auth-user-pass /etc/openvpn/profiles/10073/auth/username_password.txt
daemon

-----BEGIN CERTIFICATE----- snip -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- snip -----END CERTIFICATE----- -----BEGIN PRIVATE KEY----- snip -----END PRIVATE KEY-----

The certificate must be exactly as described in the link.

<ca>
-----BEGIN CERTIFICATE-----
***Paste CA Cert Text Here***
 
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
***Paste Your Cert Text Here***
 
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
***Paste Your Cert Private Key Here***
 
-----END PRIVATE KEY-----
</key>

Exactly with the brackets and exactly with the cert content (so no additional or less line feeds)

Should look like this one: A sample OpenVPN client configuration file in the unified format · GitHub

The lines auth-user-pass, tls-crypt and pkcs12 should be removed from the config then.
It could be that you need to convert pkcs12 to pem before: command - Converting PKCS#12 certificate into PEM using OpenSSL - Stack Overflow

To be honest: I would simply go with wireguard… :smiley:

So far I am not having any luck. Haven’t done the pkcs#12 to PEM yet.

I have the OpenVPN working on 2 laptops, 1 chrome book and a couple of Android phones, but this little router is kicking my butt.

I have never messed with Wireguard. I see I can enable it on my OPNsense, but I have no idea how to get the client working on the device since it’s looking for a config file, and I don’t see an option to get one from OPNsense.

Pretty sure it’s needed.

Wireguard is pretty easy, you mostly just need the keys to generate a config:
https://www.wireguardconfig.com/

It seems that these parameters are not supported well, so the router didn’t put the key in the correct path.

What you can do is:

  1. Change your server settings so that they do not need this parameter
  2. Put in the key file to the router using scp, then modify this line to include the correct path. Must use absolute path.

This seems not correct as well. If the UI asked you to input the private key passphrase it will be put in /etc/openvpn/profiles/10073/auth/ as well.

Thank you, that was the problem. All I had to do was put the full path in front of the file name and it worked. And I moved the askpass file to the same dir as above and changed the path in the config.

Been messing with this off and on for a bit for it to come down to a file path :slight_smile:

2 Likes
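
The fix that closed this thread (absolute paths for every file the profile references) can be checked before starting the client. The script below is an added example, not code from any post above or from the router firmware: `check_ovpn_paths` and `make_demo_profile` are hypothetical names, the sample profile is constructed, and the permission check on secret files goes beyond what the thread discusses.

```shell
#!/bin/sh
# check_ovpn_paths CONFIG  (hypothetical helper, added example)
# Prints "<STATUS> <directive> <path>" for every directive that names a file and
# returns non-zero if any finding is not OK.
#   RELATIVE  not an absolute path, so it depends on the client's working dir
#   MISSING   absolute path that does not exist on this device
#   LOOSE     secret file that group/other can access
check_ovpn_paths() {
    rc=0
    while read -r directive arg rest || [ -n "$directive" ]; do
        case $directive in
            ca|cert) secret=no ;;
            key|pkcs12|tls-crypt|tls-auth|askpass|auth-user-pass) secret=yes ;;
            *) continue ;;
        esac
        [ -n "$arg" ] || continue        # no file given: the client prompts instead
        status=OK
        case $arg in
            /*) if [ ! -f "$arg" ]; then
                    status=MISSING
                elif [ "$secret" = yes ] &&
                     [ "$(ls -ld "$arg" | cut -c5-10)" != "------" ]; then
                    status=LOOSE         # group/other permission bits are set
                fi ;;
            *)  status=RELATIVE ;;
        esac
        [ "$status" = OK ] || rc=1
        echo "$status $directive $arg"
    done < "$1"
    return $rc
}

# Constructed sample: a profile shaped like the one in the thread, written to a
# scratch directory (DIR) so the check runs on any machine.
make_demo_profile() {
    d=$1
    mkdir -p "$d/auth"
    echo "constructed-passphrase" > "$d/auth/askpass.txt"
    printf 'user\npass\n' > "$d/auth/username_password.txt"
    chmod 600 "$d/auth/askpass.txt"
    chmod 644 "$d/auth/username_password.txt"   # deliberately too open
    cat > "$d/client.ovpn" <<EOF
client
dev tun
remote vpn.example.net 1194 udp
auth-user-pass $d/auth/username_password.txt
pkcs12 HOME_VPN_first_last.p12
askpass $d/auth/askpass.txt
tls-crypt $d/HOME_VPN_first_last-tls.key
daemon
EOF
}

# Stand-alone run: build the sample profile, audit it, clean up.
demo_dir=$(mktemp -d)
make_demo_profile "$demo_dir"
check_ovpn_paths "$demo_dir/client.ovpn" || echo "profile needs fixing"
rm -rf "$demo_dir"
```

On the router, point the function at the profile under /etc/openvpn/profiles/ and fix every line that is not reported as OK.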