Certificate based Openvpn (beta firmware panel) not possible?

Hi all,

Today I got my new Slate. On my older GL.iNet device, which is not running the new beta web panel, I was able to upload an ovpn file (produced by my pivpn VPN server, which uses key-based login).

You generate a new user, which gives you an ovpn file with certificates in it:
pivpn -a
Enter a Name for the Client: glitest
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
Enter the password for the Client:
Enter the password again to verify:
spawn ./build-key-pass glitest
Generating a 2048 bit RSA private key

On the new (beta) panel on the Slate I am able to upload the ovpn, BUT I’m required to add a username and password, which for me makes it impossible to use OpenVPN anymore.

Has anyone been successful using key-based login ovpn files on the new beta web panel?

–added later:
To add to my own post: running from the command line makes it work, with the same config file.
Seems to be web panel related… Any thoughts?

openvpn --config /etc/openvpn/thuis.ovpn --askpass
Wed Sep 5 17:55:48 2018 OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed Sep 5 17:55:48 2018 library versions: OpenSSL 1.0.2o 27 Mar 2018, LZO 2.10
Enter Private Key Password:

Thanks!

I see. This may be a bug. I will investigate.

That would be great, thanks!

Can you please check if you have “askpass” as a line in your ovpn file?

That is not the case. But on the GL-AR300M the same file works out of the box.
On the Slate it does not. I can check with the askpass option. But please be aware that I can’t even import the ovpn file without providing a username / pass within the GUI.

Have you tried the latest firmware?

I used:

gl-ar750s-3.002 (the default) and the testing version which was online Tuesday.
I noticed there is a new version from 06-09, but the release notes don’t mention a related change.

You can import the ovpn with the ask pass. It will import if you just add something in the required username and password fields. If you empty the username afterwards and have a correct path with ask password like

askpassword /etc/openvpn/pass.txt (with the pass in it of course), you can get it to connect, but it is far from working as easily as it does on my other AR300M. There the password request pops up during import and it just works.

Can you PM your ovpn file to me for a check?

dev tun
proto tcp
remote xxx.xxx.xxx.xxx 443
resolv-retry infinite
key-direction 1
remote-cert-tls server
tls-version-min 1.2
verify-x509-name openvpn name
cipher AES-256-CBC
auth SHA256
askpass /etc/openvpn/askpass.txt
compress lzo
verb 1

The rest is the auto-generated certificate.

Sorry about it. It’s a bug.

askpass – only password needed.
auth-user-pass – both username and password needed.

I notice that the path is wrong. I will fix it in a further release.

You can fix it temporarily. Please ssh to the router, and write your password to /etc/openvpn/askpass.txt.

As I said, I did that. Then it works. Indeed it is a bug; glad to have it confirmed.
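The askpass / auth-user-pass distinction and the askpass.txt workaround discussed above can be checked from an ssh session on the router. The script below is an added example, not part of the thread and not GL.iNet firmware code; the function names and return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Classifies which secret an .ovpn profile needs:
#   askpass        -> private-key passphrase only
#   auth-user-pass -> username and password

# Print the file argument of directive $1 in profile $2 (empty if none).
directive_arg() {
    awk -v d="$1" '$1 == d { print $2; exit }' "$2"
}

# Print one of: key-passphrase, user-pass, both, none
ovpn_cred_type() {
    profile=$1 need_key=0 need_user=0
    grep -Eq '^[[:space:]]*askpass([[:space:]]|$)' "$profile" && need_key=1
    # An encrypted inline key needs a passphrase even without an askpass line.
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$profile" && need_key=1
    grep -Eq '^[[:space:]]*auth-user-pass([[:space:]]|$)' "$profile" && need_user=1
    case "$need_key$need_user" in
        11) echo both ;;
        10) echo key-passphrase ;;
        01) echo user-pass ;;
        *)  echo none ;;
    esac
}

# Check the file named by askpass.
# Returns 0 = ok (or no file named), 1 = missing/empty, 2 = readable by group/other.
check_askpass_file() {
    f=$(directive_arg askpass "$1")
    [ -n "$f" ] || return 0      # no path given: OpenVPN prompts on the console
    [ -s "$f" ] || return 1
    # Characters 5-10 of the mode string are the group and other permission bits.
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] || return 2
    return 0
}

# Usage: sh check_ovpn.sh /etc/openvpn/thuis.ovpn
if [ $# -gt 0 ]; then
    echo "credentials needed: $(ovpn_cred_type "$1")"
    rc=0; check_askpass_file "$1" || rc=$?
    case $rc in
        0) echo "askpass file: ok" ;;
        1) echo "askpass file: missing or empty" ;;
        2) echo "askpass file: too permissive, run chmod 600 on it" ;;
    esac
fi
```

Because the workaround stores the private-key passphrase in plain text on the router, the permission check matters: the file should be readable by root only.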