Openvpn not started

caryl-gervereau · 2018-05-11T09:08:42.846Z

Hello, just a little up just to know if you find something ?
Thks in advance and have a good week-end.

alzhao · 2018-05-11T09:11:59.382Z

I replied your message. Can you send the original ovpn file? Now it break them up and I may misunderstand.

caryl-gervereau · 2018-06-24T09:51:45.385Z

2 months later nothing works, no answer from you and no idea ? Am I the only one ?

glitch · 2018-06-24T14:41:52.351Z

caryl-gervereau:

2 months later nothing works, no answer from you and no idea ? Am I the only one ?

Yes mate, you’re the only one - the problem is with your OVPN file. Have you contacted your provider for help?

Johnex · 2018-06-24T14:46:09.636Z

@glitch is right @caryl-gervereau. Set up a test OpenVPN server on your own pc, and try to connect with the router, you will see it will work without issues. One common thing is using the TAP vs TUN openvpn setting.

You should probably have TUN for most configs, and that works great, i use it every day.

caryl-gervereau · 2018-06-25T06:58:41.943Z

Thank you for this information.
the problem is that this.ovpn file works perfectly on MacOS (With Tunnelblick) on iOS (iPhone and iPad)…and I’m well in TUN…

It just doesn’t work on the mini router…it’s weird.
For information the file passwords in the cache. Maybe I need to disable it on the mini router…I’m testing…

caryl-gervereau · 2018-06-25T07:56:03.330Z

Thanks again for your help.

I paste you the.ovpn file that I have in case you would see an important error knowing that the file works perfectly with all the devices. (I just deleted the certificate and IP ;-)))

Many thanks in advance

client
nobind
dev tun
redirect-gateway def1
<key>
-----BEGIN PRIVATE KEY-----
The certificate
-----END PRIVATE KEY-----
</key>
<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain
        Validity
            Not Before: Sep  6 09:58:48 2017 GMT
            Not After : Sep  4 09:58:48 2027 GMT
        Subject: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=jcpuech/name=EasyRSA/emailAddress=me@myhost.mydomain
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    The Modulus
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                Easy-RSA Generated Certificate
            X509v3 Subject Key Identifier: 
                The Key idendifier
            X509v3 Authority Key Identifier: 
                keyid: The Key ID
                DirName:/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=Fort-Funston CA/name=EasyRSA/emailAddress=me@myhost.mydomain
                serial: The Serial number

            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Key Usage: 
                Digital Signature
            X509v3 Subject Alternative Name: 
                DNS:jcpuech
    Signature Algorithm: sha256WithRSAEncryption
         The signature
-----BEGIN CERTIFICATE-----
The certificate
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
The certificate
-----END CERTIFICATE-----
</ca>
<dh>
-----BEGIN DH PARAMETERS-----
The DH parameters
-----END DH PARAMETERS-----
</dh>

# hardening
remote-cert-tls server

tls-version-min 1.2

cipher AES-256-CBC
auth SHA256

key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
The Static key V1
-----END OpenVPN Static key V1-----
</tls-auth>
<connection>
  remote XXX.XXX.XXX.XX 1194 udp
</connection>
<connection>
  remote XXX.XXX.XXX.XX 443 tcp-client
</connection>

Johnex · 2018-06-25T09:08:56.521Z

My config is like this:

client
dev tun
proto tcp-client
remote DYNDNS_ADDRESS 443
float
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
comp-lzo adaptive
keepalive 15 60
auth-user-pass /etc/openvpn/auth/2018893555.txt
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
Y9u88kYQUdPyNimnkMBO92nMtqZNAI58WFlQ2QBtblc4a3aaRVh9cQPrdnyHcbtJ
wg9w2nSc8t3FfRcwtXGtR699WMt3WH4ZmtKROhUdOtyCGokIMBMihjJOnSvSTWaF
sepkZbufWBxSAuqLtbK7hp5rGK1PnvUyJ3oVEUbBlHRyjitdKm9uybiqGGQryDx7
AIVpvrWFPYRTW9682VI3awgJ13gzx1KmBcjClyM8vRNWPYGxTD2N79qVoQhQd2N1
ty9tiGvsMFoIxXkjfdRgOSaVN1ESoZOY94Am8TaPHhKl5goYQsopi84UnBBm7p9e
C0U9aSWSVFMstdzYr1NmREwgOn1oi0QQ648P97lu8BX9wtte62Jj9v4lFUAidsrf
P2nNm4c8OPAAErWSNl01yYBMGBblTT2u5Wxn5AjGDL3Db3hQFT2nPzefLaFIpPa8
B4TVhYXsDHbm0FTHECtGbBLEYnwJW7smgO6pIc1wwW90UNx8PZiSDamwGI2RfIP0
5Bz0M7EPNEEzpslLeTelYWdFuTpAY2hVk4mOlZjajWwo1AgLyAXwP0sIEN4JHkNb
4eppp0wYHsMopRzJbPHVOOVF9A3wSnqxPjHtYVNHFQd0Aj6RoIpMNUQarNRUEPQd
dQRuKyEKIwUaD0SJG7AJO03kHNDWOodlJNggnkE5t6Ut8R66L7IJOsq8vqeg6JeL
uCUrehnEcLOJ9f0muWtG1drBLSngfOyvK0PYMTlXQ0sohloKdQT4mNM9qWYDsoXo
zwLPDbAO9zqH0q2gVuonfUfuLG2FDgeVwrCOkUTtdfVhoIsMokub8fIXU7BshSy2
zJWeHOLgHa9P3qJ7ZQdTcOzIQ1jYCpUkOdjaHVCksmT61QBVBYRWxuqEgnh76YOH
jS0PaU4FMl2N0Um6wyW9UqxPI09JDNY6CBmOkJn5llxLJ1Zd7GY4oWR3z58fXiyL
2mdkFOYoBl4L1B9k84t2ZfH6EdroLA2CJnI5H38NfWl4I1K1ETwJdRvLiOZXrhpe
oxuEMBhGwm7DTTmUxEjgAsJHIgxNQF9jyLhlOUZshK3520g0BfcaWkFwXP9NaMLM
D9OYZEK=
-----END CERTIFICATE-----
</ca>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
8cd1471744b160539a5a38ee1d5bf5fa
f4e0293d682ac7d11e9a12e111863d63
36604319de544021e5a29d3a8dc66bfa
a4762f8295de68c3157d924ebd022b57
b1be3ad6e2f2421309614d29811ee683
ea915096577dd0e91e169fbc7a72dd66
4b16b09a91aec0f5c4f80ad9a97d6de7
0c1251a9161bfb0768a2e5ba167c6cdc
41a633fe88bf815573c03bb57b49fcba
d98c1aa68d8356a5ece6cff274f66bde
db5b99f26dfee74276d65a50892a8f8b
3d46c2141440249ec62b26442a418fc0
0d21f74f48fc576dbdd9492726e200a7
77d6f34746224d6120db3a55fd0635e6
c325a48f265f2b8bf5881c5e3c83764c
992b85fae95f1a19c2ad273ae08e110c
-----END OpenVPN Static key V1-----
</tls-crypt>
resolv-retry infinite
nobind
daemon

I think whats wrong is you need to only copy the base64 blob sections from your cert like i have above ONLY. The plaintext is causing the parser to remove those lines and then failing to load the config.

You can convert any cert files to base64 with the openvpn tools.

If you SSH into the router and check the ovpn in /etc/openvpn/YOUROPVNNAME , i think you will see that those plain text sections have been removed. You can compare the uploaded to the original and see what was “incorrect” in the original.

caryl-gervereau · 2018-06-27T05:14:02.003Z

Johnex:

I think whats wrong is you need to only copy the base64 blob sections from your cert like i have above ONLY. The plaintext is causing the parser to remove those lines and then failing to load the config.

You can convert any cert files to base64 with the openvpn tools.

If you SSH into the router and check the ovpn in /etc/openvpn/YOUROPVNNAME , i think you will see that those plain text sections have been removed. You can compare the uploaded to the original and see what was “incorrect” in the original.

Thank you for offering me solutions.
I will try to make these changes but I’m really not comfortable with SSH…it won’t be easy.

Frankly I am very disappointed by GLI.
It’s a shame their firmware doesn’t interpret the.ovpn file correctly when all other devices do!

Thank tou very much !

glitch · 2018-06-27T06:52:05.246Z

Nothing to do with GL - , most routers use (slightly) different ovpn files.
Go to your supplier and ask them for the correct file!

caryl-gervereau · 2018-06-27T07:07:28.147Z

Thank you.
I’m my own supplier and I’m going to have to take a full ssh and .ovpn training just to get your router to work. I know how to see if the cost of online training is as expensive as an asus router that works perfectly with my.ovpn file.
It’s gonna be fun!

Johnex · 2018-06-27T08:18:13.580Z

No offense but it’s not really a GL-iNet issue but an issue with the way you made your config. Asus routers and other systems spit out a “proper” ovpn file that is ready to go, upload and it works.

If you change your ovpn file as i wrote last, it will work for you too. You don’t need to SSH anything, you change your opvn config file to what it should have been in the first place. When you are done upload it with the GL interface.

OpenVPN is a massive system, you can’t expect GL-iNet to implement ALL the ways to load the config files. They have implemented the best and latest way (recommended way).

caryl-gervereau · 2018-06-27T09:40:45.591Z

Thank you so much for taking the time to look at my file.
I’ll make the changes right now!
(no offense either I have always been delighted with the quality of your support for over 4 years and 3 routers ;-))

caryl-gervereau · 2018-06-27T10:11:39.448Z

I tried to transform my file like yours but obviously it still doesn’t work…it’s driving me crazy!
Could you change it for me by simply leaving the IP address empty?
I think I’ll save 2 months of research, 50 forums, and half a day? Please ???

Johnex · 2018-06-27T10:45:32.371Z

Click on my name on the left, send me a private message and we can look at it

caryl-gervereau · 2018-06-27T11:30:11.592Z

Thank you very much…I did it and I prey !

Johnex · 2018-06-30T19:05:56.952Z

This has been solved via PM.
Basically he had plaintext inside the block, where there should only be a base64 encoded certificate block.

alzhao · 2018-07-01T18:11:14.358Z

Thanks very much for your effort and kind to help, @Johnex

00001010v · 2018-11-25T15:50:23.120Z

Hello, Johnex!

I have the same problem as @caryl-gervereau

Would you like to post the commands to encode the files into Base64 format?

Thank you!

Johnex · 2018-11-28T11:41:21.043Z

If the files are not in base64 already, blocks that look like so:

Then you can do this:

openssl x509 -inform DER -in yourdownloaded.crt -out outcert.pem -text