Openvpn firmware for testing

After messing around for a while I restarted and then found out the issue was that the pop up was not occurring. Not sure why a reboot fixed that but it did.

 

Now that I’m getting the pop up for the username and password, the files load fine but I cannot connect the vpn. Here is the message in the UI:

 
OpenVpn is not started

Last log
OpenVPN 2.3.6 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 9 2016
library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
WARNING: file '/etc/openvpn/auth/2016045910.txt' is group or others accessible
Cannot load CA certificate file /etc/openvpn/cert/201604085850-ca.crt (no entries were read): error:02001002:lib(2):func(1):reason(2): error:2006D080:lib(32):func(109):reason(128)
Exiting due to fatal error

It seems to be a bug in the UI: the path of the CA is not correct. You can remove all content of /etc/openvpn and try again, or manually upload the CA to the router according to the path in your message.

Hi,

I just downloaded the newest version of the openvpn version of the GL-AR150 firmware (2.18). Great that it’s available!

I have my own openvpn-server and I have protected my ovpn files with a password. Is there a possibility to enter my password when I want to make a connection?

This is the log message I got:

OpenVPN 2.3.6 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 14 2016
library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Error: private key password verification failed
Exiting due to fatal error

P.S. To be more clear: I’m referring to the PEM pass phrase one can give when generating keys. So it is not the ovpn files that are password protected, but the keys I generated.

I see. I don’t know how to make it interactive on the UI, as it is on the router, not on your pc.

Maybe you need to ssh to the router and start the service manually.

You can check the file /etc/init.d/startvpn

The script should be quite simple.

I also think that it’s hard to make. I generated a key without a PEM password, and then it works OK. I will do some more testing to find out if everything is working fine. At the moment I can make a connection…

Doing some more testing using alzhao’s instructions.

First ssh’d into router and removed all files in etc/openvpn.

Uploading another set of files and get the same errors. Also note that the username and password popup is instant now - that seemed to have been an error just requiring one reboot after flashing the new firmware. So no worries about that anymore, but wanted to note in case someone else stumbles on this thread.

This time I looked in the etc/openvpn folders to compare what the error might be.

The error message references these two files:

/etc/openvpn/cert/201605104110-ca.crt
/etc/openvpn/auth/2016054123.txt

But they are not present in the cert folder:

root@GL-MT300N:/etc/openvpn# ls -l ./cert
-rw-r--r-- 1 1000 1000 1395 Mar 15 01:12 201605103553-ca.crt
-rw-r--r-- 1 1000 1000 577 Mar 15 01:12 201605103553-crl.pem

So copied the .crt file to get the correct name needed in the error message:

root@GL-MT300N:/etc/openvpn/cert# cp 201605103553-ca.crt 201605104110-ca.crt

Now I don't get that error message, but get a new one referencing the pem file:

OpenVpn is connecting ...
Last log
CRL: cannot read: /etc/openvpn/cert/201605104110-crl.pem
TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:lib(20):func(144):reason(134)
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, process restarting

So same change to this file:

root@GL-MT300N:/etc/openvpn/cert# cp 201605103553-crl.pem 201605104110-crl.pem

And now I am connected:

OpenVpn is connected

IP Address: 10.192.1.6


 

One more bug found, ovpn files with spaces do not seem to connect (many of the files from PIA have spaces in the names).

Error message received was this:

OpenVpn is not started
Last log
[Private Internet Access] Peer Connection Initiated with [AF_INET]31.168.172.137:1194
TUN/TAP device tun0 opened
do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
/sbin/ifconfig tun0 10.197.1.6 pointopoint 10.197.1.5 mtu 1500
Initialization Sequence Completed

Simply renaming to remove the spaces did the trick.

find -name "* *" -type f | rename 's/ /_/g'
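
The failures reported in the posts above (a profile that points at CA/CRL files stored under a different name, a credentials file that is "group or others accessible", and profile names containing spaces or parentheses) can be checked before the tunnel is started. This is an added example, not part of the original posts or of GL.iNet's firmware; it assumes unquoted file paths in the profile, and the temporary directory and the `US East.ovpn` name are constructed for the demo.

```shell
#!/bin/sh
# Added example, not GL.iNet code. check_ovpn PROFILE prints one finding per
# line and returns the number of findings (0 = nothing found).
check_ovpn() {
    profile=$1; findings=0
    # The thread reports spaces and ( ) in profile names breaking the UI.
    case ${profile##*/} in *" "*|*"("*|*")"*)
        echo "NAME: space or parenthesis in profile name"
        findings=$((findings + 1)) ;;
    esac
    while read -r directive path _; do
        case $directive in
            ca|cert|key|crl-verify|auth-user-pass) ;;
            *) continue ;;          # comments, inline <ca> blocks, other options
        esac
        [ -n "$path" ] || continue  # bare auth-user-pass: credentials are prompted
        if [ ! -r "$path" ]; then
            echo "MISSING: $directive $path"
            findings=$((findings + 1))
            continue
        fi
        case $directive in key|auth-user-pass)
            # Characters 5-10 of the ls mode string are the group/other bits.
            if [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
                echo "PERMS: $directive $path is group or others accessible"
                findings=$((findings + 1))
            fi ;;
        esac
    done <<EOF
$(tr -d '\r' < "$profile")
EOF
    return "$findings"
}
# Constructed sample reproducing the thread: the profile names one upload
# timestamp, the files on disk carry another, and the auth file is mode 644.
demo() {
    d=$(mktemp -d) || return 99
    mkdir -p "$d/cert" "$d/auth"
    : > "$d/cert/201605103553-ca.crt"; : > "$d/cert/201605103553-crl.pem"
    echo "user" > "$d/auth/2016054123.txt"; chmod 644 "$d/auth/2016054123.txt"
    printf '%s\r\n' "client" "ca $d/cert/201605104110-ca.crt" \
        "crl-verify $d/cert/201605104110-crl.pem" \
        "auth-user-pass $d/auth/2016054123.txt" > "$d/US East.ovpn"
    rc=0; check_ovpn "$d/US East.ovpn" || rc=$?
    rm -rf "$d"
    return "$rc"
}
# With a path argument check that profile; with none, run the constructed demo.
if [ -n "${1:-}" ]; then check_ovpn "$1"; else demo || :; fi
```

A PERMS finding is cleared by running chmod 600 on the named file.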

@matt_akb, thanks for reporting bugs. We noticed that ( ) in file names have problems, but didn’t notice that [space] has problems as well. We will revise that. Also, for the crl and cert file paths, we will investigate. We have already noticed some problems.

Hi Alzhao, is it possible to use Psiphon (Psiphon | Uncensored Internet access for Windows and Mobile) on openwrt? There is psiphon for android but I can’t find it for other linux distros.

@hillz, I don’t know. They have source code published but I don’t have time to check in details.

I have openvpn installed on other openwrt devices; will that interfere with the openvpn that’s installed on the gli gui?

These are basically the steps I use: https://www.digitalreplica.org/2014/10/pocket-internet-privacy-shield/

I am not sure what you mean “interfere”.

These are two devices that do the same. It depends on how you use them. Will you use them together?

I really want to see the speedtest for when you connect to the internet directly with your dongle and the speedtest for when you use your dongle and openvpn running together in this firmware, can you please do that @alzhao ?

Ah, I see it: the openvpn-openssl package is installed. I was afraid that the GLI package is different from what I would have installed.

@hillz, do you want to test how OpenVPN encryption will reduce the network speed? Yes. I can do it.

I have 100Mbps network. When using cable without VPN, tested using speedtest.com, downloading speed 93.82Mbps, upload speed is 94.01Mbps.

I used VPN server from Astrill in my city. Here is what I got:

MT300A: 14.82Mbps download, 10.58Mbps upload.

MT300N: 10.59Mbps upload, 8.07 Mbps download

AR150: 11.02Mbps download, 8.85Mbps upload

AR300: 17.17Mbps download, 13.21Mbps upload

 

Damn, that’s surprising how much slower it got when using openvpn, what about the average CPU load when you were testing it? What was the average cpu load at that time?

I didn’t notice the CPU load.

FYI there’s another free VPN service, check out tcpvpn.com it’s free, each account is valid for 5 days, can someone test their service and report back how fast you get ?

Updated to 2.18 first and also upgraded to 2.19. Downloaded zip file from PIA openvpn. Loaded all vpns. Entered username and password. It does nothing. It just says please wait when I start it. Am I missing something? I need this to work?