GL-AR150 with 2.13 Firmware.. openvpn app not working

hi,

when i try to install the luci openvpn app i get these errors:

Collected errors:

  • pkg_run_script: package “kmod-tun” postinst script returned status 255.
  • opkg_configure: kmod-tun.postinst returned 255.
  • pkg_run_script: package “liblzo” postinst script returned status 255.
  • opkg_configure: liblzo.postinst returned 255.
  • pkg_run_script: package “luci-app-openvpn” postinst script returned status 255.
  • opkg_configure: luci-app-openvpn.postinst returned 255.

how can i successfully install the openvpn app?

Install the package with SSH

(opkg install package-name)

it worked, thank you … :)

so, if i am in “OpenVPN instances” now … is there a way to upload a openvpn config file(.ovpn)?

cheers

The easiest thing to do is to use WinSCP (WinSCP :: Official Site :: Download). It is a file manager that can move files between the local PC and the router. You use the same connection info as Putty (ip address, user (root) and password). It also includes putty-like tools, a file editor, etc. Makes working on your router files a breeze.

Upload your keys to etc\openvpn

Upload your config to etc\config\

BTW, I am of the opinion that the VPN controls do not work correctly. If you disable the VPN instance either under services\openvpn or software startup, you might find that when you navigate away and return to the services\openvpn page your openvpn service is again running.

Please confirm this once you have VPN running. This is not a GLI issue. It's an OpenWrt issue.

Are you building a server or a client?

hi,

ja, winscp is running great… but i must be a bit stupid with the settings

i just want to add a client to connect to one of those servers: VPN Gate - Public Free VPN Cloud by Univ of Tsukuba, Japan

thanks for the help, man!

OpenVPN is not easy

It took some digging but I found some configs here. VPN Gate - Public Free VPN Cloud by Univ of Tsukuba, Japan

For the US you can get a VPN file here: VPN Gate - Public Free VPN Cloud by Univ of Tsukuba, Japan

The file looks simple once you strip the comments. Cut and paste the certificates including the hyphens to files called ca.crt, client.crt, client.key. Place them in the etc/openvpn folder. Call them with the following:

option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/client.crt'
option key '/etc/openvpn/client.key'

Refer to this wiki for proper notation for your openvpn file, and there is no 'ovpn' extension on it in OpenWrt.

https://wiki.openwrt.org/doc/howto/openvpn-streamlined-server-setup

You also will need to ‘touch’ your network and firewall rules files. Network is to add a VPN interface.

Both are covered in the link, but the interface is in UCI (yuk). It should look something like this I think.

config interface 'OpenVPN'
    option proto 'none'
    option ifname 'tun0'

I spent a lot of time hacking through this, but I also built a server so it was more difficult.

 

ok, i tried it this way:

  • took a new file from http://snip.ly/yvoL#http://www.vpngate.net/en/
  • stripped down the file
  • created in "http://192.168.8.1/cgi-bin/luci/;stok=d6cc874261bad713d90c32145c8da358/admin/services/openvpn" a new "client configuration for an ethernet bridge vpn"
  • edited it and tried to configure it accordingly as far as i could
  • opened and connected with winscp
  • edited /etc/config/openvpn to

config openvpn 'usa_vpn_client'
    option client '1'
    option verb '3'
    option persist_key '1'
    option nobind '1'
    option proto 'udp'
    option ca '/etc/openvpn/ca.crt'
    option cert '/etc/openvpn/client.crt'
    option key '/etc/openvpn/client.key'
    option dev 'tun'
    option persist_tun '1'
    option auth 'SHA1'
    option cipher 'AES-128-CBC'
    option resolv_retry 'infinite'
    option remote 'speedy101.opengw.net'
    option port '1194'

which should be consistent with the entries in the ovpn file

client
verb 3
nobind
proto udp
remote speedy101.opengw.net 1194
dev tun
persist-key
persist-tun
auth SHA1
cipher AES-128-CBC
resolv-retry infinite

  • and added the 3 files (ca, cert and key) to the mentioned folder
  • went back to http://192.168.8.1/cgi-bin/luci/;stok=d6cc874261bad713d90c32145c8da358/admin/services/openvpn
  • enabled and saved the "usa_vpn_client"
  • pushed "start" -> NO LUCK
help? :)
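
The hand conversion in the post above (provider .ovpn directives rewritten as UCI options, and the inline certificates cut out into ca.crt, client.crt and client.key as described earlier in the thread) can be scripted. This is an added example, not code from anyone in this thread; the function names, the host vpn.example.net and the assumption that the provider file carries inline <ca>, <cert> and <key> blocks belong to the example.

```sh
# Added example, not from the thread: ovpn_to_uci <file.ovpn> <instance> <key-dir>
# writes inline blocks to <key-dir> and prints the "config openvpn" section.
ovpn_to_uci() {
    mkdir -p "$3" || return 1
    awk -v name="$2" -v dir="$3" '
        BEGIN {
            file["ca"] = "ca.crt"; file["cert"] = "client.crt"; file["key"] = "client.key"
            printf "config openvpn \047%s\047\n", name
        }
        { sub(/[ \t\r]+$/, "") }                  # drop CRLF and trailing blanks
        /^<\/(ca|cert|key)>/ { close(out); out = ""; next }
        out != "" { print > out; next }           # body of an inline block, copied as is
        /^<(ca|cert|key)>/ {
            tag = substr($0, 2, index($0, ">") - 2); out = dir "/" file[tag]
            printf "\toption %s \047%s\047\n", tag, out; next
        }
        /^[ \t]*([#;]|$)/ { next }                # strip comments and empty lines
        $1 == "remote" {                          # "remote host port" -> remote + port
            printf "\toption remote \047%s\047\n\toption port \047%s\047\n", $2, (NF >= 3 ? $3 : 1194); next
        }
        {
            key = $1; gsub(/-/, "_", key)         # persist-key -> persist_key
            val = $0; sub(/^[ \t]*[^ \t]+[ \t]*/, "", val)
            if (val == "") val = "1"              # bare flag such as "client" or "nobind"
            printf "\toption %s \047%s\047\n", key, val
        }
    ' "$1"
    [ ! -f "$3/client.key" ] || chmod 600 "$3/client.key"   # private key: owner only
}
# Constructed sample input; the PEM bodies are placeholders, not real key material.
sample_ovpn() {
    cat <<'EOF'
# provider comment
client
proto udp
remote vpn.example.net 1194
persist-key
resolv-retry infinite
<ca>
PLACEHOLDER-CA-PEM
</ca>
<cert>
PLACEHOLDER-CERT-PEM
</cert>
<key>
PLACEHOLDER-KEY-PEM
</key>
EOF
}
```

Called as `ovpn_to_uci provider.ovpn usa_vpn_client /etc/openvpn`, it prints a section in the same shape as the hand-edited one above; comparing the two shows any directive that was dropped or mistyped.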

Nothing jumps out to me regarding the above. Please post or attach your network and firewall. Have you made any changes to these?

Add these lines to your open VPN config. They will direct the openvpn messages to a file for easier review

option log '/tmp/openvpn.log'
option status '/tmp/openvpn-status.log'

@speedy,

I don’t use luci openvpn app. There is too much info that needs to be configured. Second, I downloaded the ovpn file from http://snip.ly/yvoL#http://www.vpngate.net/en/ and the server cannot be connected to at all.

I have a openvpn firmware but it is for GL.iNet6416.

The general guidance:

Step 1: install openvpn-openssl, if you meet some post-install errors just ignore them

Step 2: modify some files, refer to this guide http://wiki.openwrt.org/doc/howto/vpn.client.openvpn.tap

/etc/config/network, add the following

config interface 'VPN_client'
    option proto 'none'
    option ifname 'tun0'

/etc/config/firewall, add the following

config zone
    option name 'VPN_client'
    option input 'ACCEPT'
    option forward 'REJECT'
    option output 'ACCEPT'
    option network 'VPN_client'
    option masq '1'
config forwarding
    option dest 'VPN_client'
    option src 'lan'
config forwarding
    option src 'VPN_client'
    option dest 'lan'

After you have done this, do these:

/etc/init.d/network restart
/etc/init.d/firewall restart

Be sure not to get any errors when doing this

Step 3: Add openvpn init scripts

/etc/init.d/startvpn, add this file with the following content

#!/bin/sh /etc/rc.common
START=90
STOP=10
start(){
  /usr/sbin/openvpn /etc/openvpn/openvpn.ovpn &
}

Make it executable

chmod +x /etc/init.d/startvpn

Then execute the following commands to disable the old script and enable our script

/etc/init.d/startvpn enable
/etc/init.d/openvpn disable

Step 4: Test openvpn

Put your ovpn file as /etc/openvpn/openvpn.ovpn, modify the file by adding "daemon" as one line

 daemon
.....

execute

 /etc/init.d/startvpn start

You should be able to see openvpn is connecting. After a while, check using your browser

Step 5: Restart

You can restart your router to verify that openvpn auto starts

Find Problems:

It may not work on the first try, mainly because of the openvpn configuration file format.

Try this using UART

 openvpn /etc/openvpn/openvpn.ovpn

to find out problems via the console log.
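
A check of the firewall section from the guide above against OpenWrt's stock wan zone (input REJECT, forward REJECT), since the far end of a public VPN is no more trusted than the WAN. This is an added example, not part of the original post; `audit_vpn_zone` and `sample_firewall` are hypothetical helper names, and the REJECT variant is constructed for comparison.

```sh
# Added example, not from the thread: audit_vpn_zone <firewall-config> <zone>
# prints one finding per line where the zone is more open than OpenWrt's stock
# wan zone (input REJECT, forward REJECT); no output means no findings.
audit_vpn_zone() {
    awk -v zone="$2" -v q="'" '
        function val(s) { gsub("[" q "\"]", "", s); return s }   # strip quotes
        function check() {                                        # runs once per section
            if (type == "zone" && o["name"] == zone) {
                seen = 1
                if (o["input"] == "ACCEPT")
                    print "zone " zone ": input ACCEPT accepts connections from the tunnel side to the router itself"
                if (o["forward"] == "ACCEPT")
                    print "zone " zone ": forward ACCEPT (stock wan zone uses REJECT)"
            }
            if (type == "forwarding" && o["src"] == zone)
                print "forwarding " zone " -> " o["dest"] ": tunnel side may open connections into " o["dest"]
            split("", o)                                          # clear options for next section
        }
        $1 == "config" { check(); type = val($2); next }
        $1 == "option" { o[$2] = val($3) }
        END { check(); if (!seen) print "zone " zone ": not found in config" }
    ' "$1"
}

# sample_firewall ACCEPT yes -> the zone and forwardings as posted in the guide above
# sample_firewall REJECT no  -> constructed wan-like variant (LAN out, nothing in)
sample_firewall() {
    cat <<EOF
config zone
    option name 'VPN_client'
    option input '$1'
    option forward 'REJECT'
    option output 'ACCEPT'
    option network 'VPN_client'
    option masq '1'
config forwarding
    option dest 'VPN_client'
    option src 'lan'
EOF
    if [ "$2" = yes ]; then
        printf "config forwarding\n\toption src 'VPN_client'\n\toption dest 'lan'\n"
    fi
}
```

With masq enabled on the VPN zone, replies to LAN-initiated connections are handled by connection tracking, so the constructed variant still lets LAN clients browse through the tunnel.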

Further to my last post, here is how to connect to Finchvpn, which is a little different.

1. Download your openvpn config from Finch VPN

http://finchvpn.com/config/openvpn/linux , click the download for Linux, "Port 8484 over UDP", it is the first one

  1. Download any config for a server from the link. Also click the API KEY, which will display your password


  1. Use “Free Server 05” as an example, click and download, you will download a file named “FinchVPN_FREE_05_Texas_udp_8484_linux.ovpn” , edit this file with your editor

4. Now upload the FinchVPN_FREE_05_Texas_udp_8484_linux.ovpn to your router as /etc/openvpn/openvpn.ovpn. Hope you know how to build this file. You can use "scp" in Linux, "winscp" in Windows. You can also make a new file directly in the router using "vi" and paste the content of the file.

You will also need to create a file named /etc/openvpn/login.conf; its contents will be very simple. The first line is your password, the 2nd line is your API KEY which you got in Step 4.

Reboot your router and it should connect.

in general: the vpn servers in http://www.vpngate.net/en/ do not live for very long … i would have now a finchvpn account if this helps… (they should be a bit more stable over time; so let’s please play around with “FinchVPN_FREE_05_Texas_udp_8484_linux.ovpn” from now on)

@RanzerZ:

  • no, i have not made any changes in network or firewall
  • i was actually expecting, since i was doing most of the entries in the UI, that this app would do any needed changes for me
  • i did not add these 2 entries so far .. because i have further questions before i get on probably broken servers
@alzhao
  • well, i do not necessarily need to use "luci open vpn app", but this is the only openvpn i found to install on my AR150
  • do the changes from your first post also need to be done for the finchvpn post?
@RanzerZ and alzhao:
  • if there is another way to get vpn on my AR150: how do i do this?
  • like: can someone provide me all the files and locations i need, so i can just copy them via WinSCP and do step 3 and 4 from alzhao's finchvpn post?
frustrating for a greenhorn like me :(

There is only 1 file you need for openvpn, but you have 3 variations. I have only used the first one.

openvpn-openssl, openvpn-nossl, openvpn-polarssl

The luciapp is optional, but if you have room, install it for the GUI. I do not use it to install, but it's easy to see the status. I do not think the on/off controls work reliably.

The folders for files are \etc\config for the openvpn file and \etc\openvpn to store the keys.

You need to maintain the openvpn, network and firewall at a minimum for openvpn to work.

There are two types of DEV, TAP and TUN. Most services use TUN. Use TAP if you need to connect to a server (like an office) where you need to access shared folders.

Above that it’s difficult to say any thing is the same across connections. You will save a lot of pain using a service like Finch which offers instructions for OpenWrt.

 

@speedy,

do the changes from your first post also need to be done for the finchvpn post? YES.

I actually have a firmware for OpenVpn, you can use that firmware directly. So you don’t need to make changes to network and firewall, just change the settings. Don’t use luci-app-openvpn. I have no idea how to set those parameters.

@RangerZ, thanks for the technical things. Actually most VPN providers didn’t provide configure for openwrt, even FinchVpn. I spent a lot of time on how to set this up.

@alzhao

  • what firmware is this? does it work with my ar150? and where could i get it?
@RangerZ
  • how do i uninstall the luci app with ssh?
  • and how do i install openvpn-openssl with ssh?
i will give another try tomorrow .. so trying to collect the answers now :)

thanks in advance :)

opkg install openvpn-openssl

opkg remove luci-theme-openwrt

You do not need to uninstall the Luci App. I think it’s worth keeping to tell you the status of your open vpn, but that’s my preference.

I think if you have got this far you already have openvpn-openssl installed.

hmm …

i do not have openvpn-openssl installed according to http://192.168.8.1/cgi-bin/luci/;stok=27245c9f4ba019fa38a07deaced11818/admin/system/packages

but i have luci-app-openvpn git-15.265.75874-342af52-1 installed

 

so my plan is to:

  • leave luci-app-openvpn installed
  • install on top openvpn-openssl
  • and then start with the instructions from alzhao
any ideas why i should not try it this way? :)

hi guys, please help a noob like me

root@GL-iNet:~# opkg install openvpn-openssl
Installing openvpn-openssl (2.3.6-2) to root…
Downloading 404 Page not found - GL.iNet.
Collected errors:

  • satisfy_dependencies_for: Cannot satisfy the following dependencies for openvpn-openssl:
  • kernel (= 3.10.49-1-230c2cfcebfbfe3eba558e2db2ace614) *
  • opkg_install_cmd: Cannot install package openvpn-openssl.

root@GL-iNet:~# opkg info kernel
Package: kernel
Version: 3.10.49-1-c0ac7d085e37afe77c21b2da24b51975
Depends: libc
Status: install hold installed
Architecture: ar71xx
Installed-Time: 1440574871

ok… kind of did not work…

  • did alzhao's steps 1-3
  • did all finch vpn steps
  • continued with steps 4+5
i can see in http://192.168.8.1/cgi-bin/luci/;stok=78eb7e99bcd1232661f318d83ecbe3d6/admin/network/network that there is a vpn "running" (attachment 1)

but i also see that there is no internet connection (attachment 2)

 

ideas? :(

hmm … maybe the settings are correct… but finch vpn sucks

looks like i had … for only 1 min though … the ip from texas …

 

is there another better free vpn to connect to USA? (is this here something? http://www.bestvpnserver.com/list-of-top-free-openvpn-servers/)

and how would i setup this one compared to finch?

To be clear, OpenVPN is hard, very hard if you are not a skilled network person. I probably have over 100 hrs into this over the last year reading and testing. I’m sure this is discouraging, but it is what it is. That said, my environment was more complex (server and client)

To diagnose ANY OpenVPN issues you MUST post the following files.

/etc/config/openvpn

/etc/config/network

/etc/config/dhcp

/tmp/openvpn-log.log => see below

In your openvpn file set the verb value to 3 or more (I use 4) and add the following line

option log '/tmp/openvpn-log.log'

Install WinSCP on your client. Use this to login and learn how to navigate to the above files and folders.

Read this page: How To Guide: Set Up & Configure OpenVPN Client/server VPN | OpenVPN

In addition to the above, post the delivered openvpn.ovpn file for linux from Finch for reference.

@ramasamy, upgrade your device to 2.13. If you are trying to connect to a different service, please start a new thread.

There are some pay services, including PIA, which do have preconfigured OpenVPN files.

Forums will only get you so far. In general this is NOT going to be your best resource for OpenVPN support. I would start with OpenVPN, then OpenWrt, then here. Also Google your service provider name and OpenWrt (ie: finch vpn openwrt) for blogs and other how-tos. You must be prepared to spend some hours testing and learning the parameters. This is NOT plug and play.

Once you have openvpn-openssl and luci-app installed, this is really NOT a GLI issue. Not that we will not try to help, but it’s a narrow user set, and even narrower for those using OpenVPN. I am not using a public service, and my personal client\server config is not really going to be helpful.