I’ve got a problem connecting to my custom OpenVPN server. Another VPN client (the original OVPN client for Windows, Android) with this config and the needed files worked perfectly.
CLIENT.OVPN
proto tcp-client
remote #.#.#.#
port 443
dev tap
nobind
persist-key
tls-client
ca ca.crt
cert client.crt
key client.key
ping 10
verb 3
ns-cert-type server
cipher AES-256-CBC
auth SHA1
pull
auth-user-pass auth.cfg
I UNDERSTAND THAT THIS OPTION MAY NOT WORK (why?).
Your device cannot connect: unless you specify auth-user-pass auth.cfg, login and password are not requested and the connection is broken. If you specify the option, a login and password entry screen appears, but the connection also breaks.
Please make the necessary changes to the firmware. Or help me to configure it properly if I was mistaken.
When I load config.zip (including: auth.cfg, ca.crt, client.crt, client.key, client.ovpn), auth.cfg is ignored and the system asks for credentials (Pass-Q.JPG)
Client OVPN log (GL-MT300N)
Thu Mar 9 21:03:46 2017 daemon.info procd: - init complete -
Thu Mar 9 21:03:48 2017 daemon.notice openvpn[2280]: OpenVPN 2.3.10 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6]
Thu Mar 9 21:03:48 2017 daemon.notice openvpn[2280]: library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Thu Mar 9 21:03:48 2017 daemon.warn openvpn[2285]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
Thu Mar 9 21:05:11 2017 daemon.err openvpn[2285]: neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can’t ask for ‘Enter Private Key Password:’. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Thu Mar 9 21:05:11 2017 daemon.notice openvpn[2285]: Exiting due to fatal error
Thu Mar 9 21:05:11 2017 kern.info kernel: [ 81.310000] nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.
Thu Mar 9 21:05:12 2017 user.notice mwan3: ifup interface wan (eth0.2)
Thu Mar 9 21:05:15 2017 user.notice firewall: Reloading firewall due to ifup of wan (eth0.2)
You have a private passphrase for your key, which makes things complicated. After upload to the router all path info is changed, so auth.cfg cannot be found.
Can you remove the “askpass auth.cfg” line from the ovpn file, zip and upload again? The UI should prompt for your passphrase.
If that still does not help: after you upload the ovpn, ssh to the router and go to this folder: /etc/openvpn
Your ovpn file is there. Edit it and fix the correct path of auth.cfg.
If things are complicated, can you please use a key that doesn’t require a private passphrase?
I guessed it, and if I upload auth.cfg (in the zip or not) via the GUI (gl-inet) the file is removed. If I make the correct changes to the config I get this entry in the log:
Fri Mar 10 07:34:05 2017 daemon.notice openvpn[3127]: OpenVPN 2.3.10 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6]
Fri Mar 10 07:34:05 2017 daemon.notice openvpn[3127]: library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Fri Mar 10 07:34:05 2017 daemon.warn openvpn[3127]: WARNING: file '/etc/openvpn/cert/auth.cfg' is group or others accessible
Fri Mar 10 07:34:05 2017 daemon.warn openvpn[3128]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
Fri Mar 10 07:34:06 2017 daemon.err openvpn[3128]: Error: private key password verification failed
Fri Mar 10 07:34:06 2017 daemon.notice openvpn[3128]: Exiting due to fatal error
I tried to install Midnight Commander for convenience but got into trouble with SSH.
When creating a new .ovpn profile (without the “askpass” option and with “daemon” added automatically) and attempting to connect, the log displays the absolutely identical entry specified in item 2 (o_O). The GUI does not ask for credentials…
4, 5. edited in item 2, 3.
For me and many users this option is very much needed; please help fix this problem or escalate it above.
If I load the default config to the router, edit minimal settings and load test-config.zip with the option askpass “/etc/openvpn/auth.cfg”,
then the openvpn daemon freezes (ovpn-freezzz.jpg) and there are no records at all in the log.
The auth.cfg file does not exist in /etc/openvpn/
And if it is added there we get the known error in the log:
Fri Mar 10 11:53:08 2017 daemon.notice openvpn[4462]: OpenVPN 2.3.10 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6]
Fri Mar 10 11:53:08 2017 daemon.notice openvpn[4462]: library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Fri Mar 10 11:53:08 2017 daemon.warn openvpn[4462]: WARNING: file '/etc/openvpn/auth.cfg' is group or others accessible
Fri Mar 10 11:53:08 2017 daemon.warn openvpn[4463]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
Fri Mar 10 11:53:09 2017 daemon.warn openvpn[4463]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Mar 10 11:53:10 2017 daemon.err openvpn[4463]: Error: private key password verification failed
Fri Mar 10 11:53:10 2017 daemon.notice openvpn[4463]: Exiting due to fatal error
Because this is your own openvpn server, can you please generate a test account for me to try? You can send the account and ovpn file to my email alzhao @ gl-inet.com
Welcome, I generated and checked the data to connect.
Please look at the mailbox; speed and connection time are limited. For a communication check the default gateway is available (ping).
If you want to use OpenVPN with additional login and password authorization, then it’s not so simple; the official documentation contradicts practice.
After debugging it was possible to find out the correct set of options in the uploaded .ovpn config:
…
remote @.@.@.@
port @
proto tcp-client
dev tap
nobind
persist-key
tls-client
ping 10
verb 3
remote-cert-tls server
cipher AES-256-CBC
auth SHA1
ca ca.crt
cert client.crt
key client.key
auth-user-pass
askpass /etc/openvpn/auth-client.cfg
pull
route-method exe
route-delay 2
route 10.0.0.0 255.255.255.0 172.21.108.1
#route 192.168.1.0 255.255.255.0 192.168.1.1
#route 172.18.0.0 255.255.0.0 192.168.1.1
#route 10.20.0.0 255.255.0.0 192.168.1.1
dhcp-option DNS 10.0.0.10
redirect-gateway
…
And the result of processing is this: after-load.JPG
…
All commented lines are deleted, new “cert” and “auth” folders are created, the keys and certificates are renamed and placed in the first, and the “username” and “password” that you entered in the “VPN Authentication” window (for-cash-credent.JPG) are placed in the second.
The file “auth-client.cfg” must contain only the password! And the path to it in the “askpass” option must be specified completely! If you specify the path incorrectly, then you can fix it only by uploading the whole archive with the config again.
In the end I want to thank AlZhao for quick and qualified help, it was his tips that helped me.
This was tested in v2.25 on gl-mt300n.
The problem is SOLVED, although it originated from nothing.
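A pre-upload check for the failure modes seen in this thread (a relative askpass path that the router rewrites, a credential file that openvpn reports as “group or others accessible”, an askpass file holding more than the bare password). This is example code written for this post, not anything from GL-iNet or OpenVPN; the function names and the /etc/openvpn hint in the messages are assumptions.

```sh
#!/bin/sh
# Pre-upload check for an OpenVPN client profile that a router UI (GL-iNet in
# this thread) will run with --daemon: openvpn then has no tty to ask for a key
# passphrase, so every file named by askpass / auth-user-pass must be an existing,
# owner-only file reachable by an absolute path. Example code for this thread;
# it is not GL-iNet's or OpenVPN's own tooling.

# ovpn_find_problems PROFILE BASEDIR  -> prints one line per problem found
ovpn_find_problems() {
    profile=$1 base=$2
    sed 's/[#;].*//' "$profile" | while read -r opt arg rest; do
        case $opt in
            askpass|auth-user-pass|ca|cert|key|tls-auth) ;;
            *) continue ;;
        esac
        if [ -z "$arg" ]; then
            # askpass/auth-user-pass without a file means "prompt", which a
            # daemonised openvpn cannot do ("neither stdin nor stderr are a tty").
            case $opt in askpass|auth-user-pass) echo "$opt: no file given, daemon cannot prompt";; esac
            continue
        fi
        case $arg in /*) f=$arg ;; *) f=$base/$arg ;; esac
        if [ ! -f "$f" ]; then echo "$opt $arg: file not found at $f"; continue; fi
        case $opt in
            askpass|auth-user-pass)
                # Relative names break once the UI moves uploaded files around.
                case $arg in /*) ;; *) echo "$opt $arg: use an absolute path (e.g. /etc/openvpn/...)";; esac
                # Same condition openvpn logs as "is group or others accessible".
                case $(ls -ld "$f" | cut -c5-10) in *[rwx]*) echo "$opt $arg: file is group or others accessible, chmod 600";; esac
                n=$(grep -c '' "$f")
                want=1; [ "$opt" = auth-user-pass ] && want=2   # username line + password line
                [ "$n" -eq "$want" ] || echo "$opt $arg: expected $want line(s) (askpass = password only), found $n"
                ;;
        esac
    done
}

# ovpn_check_profile PROFILE [BASEDIR]
#   Relative file names are resolved against BASEDIR (default: the profile's
#   own directory). Returns 0 when the profile is clean, 1 otherwise.
ovpn_check_profile() {
    problems=$(ovpn_find_problems "$1" "${2:-$(dirname "$1")}")
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}
```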
I am trying to connect to an openvpn in my Raspberry Pi as you suggested in a post above, @alzhao.
When I upload the zip file with:
ca.crt
hmac.key
OpenVPN-Client.crt
OpenVPN-Client.key
pi-vpn.ovpn
The UI didn’t ask me for the pass; if I add the line askpass [path-to-file] and the file with the pass (just the pass, no username necessary), the UI asks me for username and password.
When I ssh into the router, I see what you mean about the router changing the files. I tried to fix it by editing /etc/openvpn/ovpn0/auth/usrpwd.txt but it did not help. Then I tried to modify the ovpn and add the file in /etc/openvpn/ovpn0/pass.cfg but it still does not work…
Now I leave the configuration as default; ovpn file:
client
dev tun
proto tcp
remote @.@.@.@ @
resolv-retry infinite
nobind
persist-key
persist-tun
askpass pass.cfg
ca ca.crt
cert OpenVPN-Client.crt
key OpenVPN-Client.key
ns-cert-type server
tls-auth hmac.key 1
cipher AES-128-CBC
comp-lzo
verb 3
The log the UI shows me is:
OpenVPN 2.4.5 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
library versions: OpenSSL 1.0.2o 27 Mar 2018, LZO 2.10
Error opening ‘Private Key’ auth file: pass.cfg: No such file or directory (errno=2)
Exiting due to fatal error
VPN client failed to connect. This may be because of wrong configuration, unsupported parameters or terminated by the server. Please choose another VPN profile or abort the connection.
Could anyone help me? Sorry for this long post, I just tried to be as clear as possible.
Log shows me:
OpenVPN 2.4.5 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
library versions: OpenSSL 1.0.2o 27 Mar 2018, LZO 2.10
neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can’t ask for ‘Enter Private Key Password:’. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Exiting due to fatal error
VPN client failed to connect. This may be because of wrong configuration, unsupported parameters or terminated by the server. Please choose another VPN profile or abort the connection.
Okay, if I upload just the ovpn file the UI asks me for the passphrase, as you show… but then the client does not have the certificate and:
OpenSSL: error:02001002:lib(2):func(1):reason(2)