Problem connecting GL-MT300N (mango v2.25) to custom OpenVPN server.

I’ve got the problem connect to my custom OpenVPN server. Another VPNclient (original OVPN client for Windows, android) with this config and needed files worked perfectly.

CLIENT.OVPN

proto tcp-client remote #.#.#.# port 443 dev tap nobind persist-key tls-client ca ca.crt cert client.crt key client.key ping 10 verb 3 ns-cert-type server cipher AES-256-CBC auth SHA1 pull auth-user-pass auth.cfg
I UNDERSTEND THAT THESE OPTION MAY NOY WORK (why?).
route-method exe route-delay 2 route 10.0.0.0 255.255.255.0 172.21.108.1 route 192.168.1.0 255.255.255.0 192.168.1.1 route 172.18.0.0 255.255.0.0 192.168.1.1 route 10.20.0.0 255.255.0.0 192.168.1.1 dhcp-option DNS 10.0.0.10 redirect-gateway
Your device can not connect unless you specify auth-user-pass auth.cfg login and password are not requested and the connection is broken. If you specify an option, a login and password entry screen appears, but the connection also breaks.

Please make the necessary changes to the firmware. Or help me to properly configure if I was mistaken.

Please post the log here. When you connect to your openvpn server, the log will be shown in the UI.

Ok, i have LOG.

When i load config.zip (includ: auth.cfg, ca.crt, client.crt, client.key, client.ovpn) auth.cfg is ignored and system asks for credential (Pass-Q.JPG)

Client OVPN log (GL-MT300N)

Thu Mar 9 21:03:46 2017 daemon.info procd: - init complete -
Thu Mar 9 21:03:48 2017 daemon.notice openvpn[2280]: OpenVPN 2.3.10 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6]
Thu Mar 9 21:03:48 2017 daemon.notice openvpn[2280]: library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Thu Mar 9 21:03:48 2017 daemon.warn openvpn[2285]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
Thu Mar 9 21:05:11 2017 daemon.err openvpn[2285]: neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can’t ask for ‘Enter Private Key Password:’. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Thu Mar 9 21:05:11 2017 daemon.notice openvpn[2285]: Exiting due to fatal error
Thu Mar 9 21:05:11 2017 kern.info kernel: [ 81.310000] nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.
Thu Mar 9 21:05:12 2017 user.notice mwan3: ifup interface wan (eth0.2)
Thu Mar 9 21:05:15 2017 user.notice firewall: Reloading firewall due to ifup of wan (eth0.2)

Server OVPN log is clear.

 

I found that in OpenVPN version 2.3 I can not use key “ns-cert-type server” and “auth-user-pass” -i fixed it.

remote-cert-tls server askpass auth.cfg
But I got strange GUI freezzz (strange-freezzz.JPG) without new entries in log.

If reboot i have this in log

Fri Mar 10 04:11:14 2017 daemon.notice openvpn[2261]: OpenVPN 2.3.10 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] Fri Mar 10 04:11:14 2017 daemon.notice openvpn[2261]: library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08 Fri Mar 10 04:11:14 2017 daemon.warn openvpn[2261]: WARNING: cannot stat file 'auth.cfg': No such file or directory (errno=2) Fri Mar 10 04:11:14 2017 daemon.err openvpn[2261]: Error opening 'Private Key' auth file: auth.cfg: No such file or directory (errno=2) Fri Mar 10 04:11:14 2017 daemon.notice openvpn[2261]: Exiting due to fatal error
auth.cfg is ignored and system NO asks for credential

I see the problem. Are you using Raspberry Pi?

You have a private passphrase for your key which makes things complicated. After upload to the router all path info is changed so auth.cfg cannot be found.

Can you remove “askpass auth.cfg” line from the ovpn file and zip, upload again? the UI should prompt for your passphrase.

If still cannot help. After you upload the ovpn, ssh to the router, and go to this folder: /etc/openvpn

Your ovpn files is there. Edit it and fix the correct path of auth.cfg.

If things are complicated, can you please use a key that don’t require a private passphrase?

  1. No.

  2. I guessed it and if i uploading auth.cfg (in zip or no) via the GUI (gl-inet) file is removed. If I make the correct changes to the config I get this entry in log:

Fri Mar 10 07:34:05 2017 daemon.notice openvpn[3127]: OpenVPN 2.3.10 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] Fri Mar 10 07:34:05 2017 daemon.notice openvpn[3127]: library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08 Fri Mar 10 07:34:05 2017 daemon.warn openvpn[3127]: WARNING: file '/etc/openvpn/cert/auth.cfg' is group or others accessible Fri Mar 10 07:34:05 2017 daemon.warn openvpn[3128]: WARNING: --ping should normally be used with --ping-restart or --ping-exit Fri Mar 10 07:34:06 2017 daemon.err openvpn[3128]: Error: private key password verification failed Fri Mar 10 07:34:06 2017 daemon.notice openvpn[3128]: Exiting due to fatal error
I tried to install Midnight Commander for convenience but got in trouble with SSH.
  1. When creating a new .ovpn profile (Without “askpass” option and automatically added “daemon”) and attempting to connect to the log, the absolutely identical entry specified in item 2 is displayed (o_O) GUI not ask credential…

4, 5. edited in item 2, 3.

  1. for me and many users very need this option, please help fix this problem or escalate above.

if i load default config to router and edit minimal settings and load test-config.zip wiht the option askpass "/etc/openvpn/auth.cfg"
Then I get freezzz openvpn deamon (ovpn-freezzz.jpg) and the absence of any records in the log.

The auth.cfg file does not exist in / etc / openvpn /
And if it is added there we get a known error in the log:

Fri Mar 10 11:53:08 2017 daemon.notice openvpn[4462]: OpenVPN 2.3.10 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] Fri Mar 10 11:53:08 2017 daemon.notice openvpn[4462]: library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08 Fri Mar 10 11:53:08 2017 daemon.warn openvpn[4462]: WARNING: file '/etc/openvpn/auth.cfg' is group or others accessible Fri Mar 10 11:53:08 2017 daemon.warn openvpn[4463]: WARNING: --ping should normally be used with --ping-restart or --ping-exit Fri Mar 10 11:53:09 2017 daemon.warn openvpn[4463]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this Fri Mar 10 11:53:10 2017 daemon.err openvpn[4463]: Error: private key password verification failed Fri Mar 10 11:53:10 2017 daemon.notice openvpn[4463]: Exiting due to fatal error

Because this is your own openvpn server, can you please generate a test account for me to try? You can send the account and ovpn file to my email alzhao @ gl-inet.com

Welcome, I generated and checked the data to connect.
Please look at the mailbox, speed and connection time is limited for communication check available default gateway (ping).

 

Didn’t receive the email yet. Can you resend?

I send now.

If you want to use an OpenVPN with additional login and password authorization, then it’s not so simple, official documentation contradicts practice.
After debug it was possible to find out the correct set of options in the uploaded .ovpn config:

remote @.@.@.@
port @
proto tcp-client
dev tap
nobind
persist-key
tls-client
ping 10
verb 3
remote-cert-tls server
cipher AES-256-CBC
auth SHA1
ca ca.crt
cert client.crt
key client.key
auth-user-pass
askpass /etc/openvpn/auth-client.cfg
pull
route-method exe
route-delay 2
route 10.0.0.0 255.255.255.0 172.21.108.1
#route 192.168.1.0 255.255.255.0 192.168.1.1
#route 172.18.0.0 255.255.0.0 192.168.1.1
#route 10.20.0.0 255.255.0.0 192.168.1.1
dhcp-option DNS 10.0.0.10
redirect-gateway

And at the output of processing this is: after-load.JPG

All commented lines are deleted, new “cert” and “auth” folders are created and the keys and certificates are renamed and placed in the first, and “username” and “password” that you entered in the “VPN Authentication” window (for-cash-credent.JPG), in the second.

The file “auth-client.cfg” must contain only the password! And the path in option “askpass” to it must be specified completely! If you specify the path incorrectly, then you can fix it only by uploading the whole archive with the config again.

In the end I want to thank AlZhao for quick and qualified help, it was his tips that helped me.

This tested in v2.25 on gl-mt300n.

The problem is SOLVED, although it originated from nothing.

Hi all, I reopen the post…

I am trying to connect to a openvpn in my Raspberry Pi as you suggested in an above post, @alzhao.

When I upload the zip file with:
ca.crt
hmac.key
OpenVPN-Client.crt
OpenVPN-Client.key
pi-vpn.ovpn

The UI didn’t ask me for the pass, if I add the line askpass [path-to-file] and the file with the pass (just pass, no username necessary), the UI ask me for username and password.

When I ssh into the router, I see what you mean about the router change the files, I tried to fix it by editing the /etc/openvpn/ovpn0/auth/usrpwd.txt but did not help. Then I tried to modified ovpn and adding the file in /etc/openvpn/ovpn0/pass.cfg but still does not work…

Now I leave the configuration as default, ovpn file:
client
dev tun
proto tcp
remote @.@.@.@ @
resolv-retry infinite
nobind
persist-key
persist-tun
askpass pass.cfg
ca ca.crt
cert OpenVPN-Client.crt
key OpenVPN-Client.key
ns-cert-type server
tls-auth hmac.key 1
cipher AES-128-CBC
comp-lzo
verb 3

directory in router:
/etc/openvpn/ovpn0/newclientid
/etc/openvpn/ovpn0/cert
/etc/openvpn/ovpn0/cert/201907172604-hmac.key
/etc/openvpn/ovpn0/cert/201907172603-OpenVPN-Client.key
/etc/openvpn/ovpn0/cert/201907172603-OpenVPN-Client.crt
/etc/openvpn/ovpn0/cert/201907172603-ca.crt
/etc/openvpn/ovpn0/needauth
/etc/openvpn/ovpn0/pi2-vpn.ovpn
/etc/openvpn/ovpn0/pass.cfg
/etc/openvpn/ovpn0/auth
/etc/openvpn/ovpn0/auth/usrpwd.txt

the log UI show me is:
OpenVPN 2.4.5 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
library versions: OpenSSL 1.0.2o 27 Mar 2018, LZO 2.10
Error opening ‘Private Key’ auth file: pass.cfg: No such file or directory (errno=2)
Exiting due to fatal error

  • VPN client failed to connect. This may be because of wrong configuration, unsupported parameters or terminated by the server. Please choose another VPN profile or abort the connection.*

Could anyone help me? sorry for this long post, just tried to be as clarify as possible

Just change

askpass pass.cfg

To

askpass

And the UI will ask for passphrase.

Hi @alzhao, thank you for the quick response… it still doesn’t work…

file.ovpn:
client
dev tun
proto tcp
remote @.@.@.@ @
resolv-retry infinite
nobind
persist-key
persist-tun
askpass
ca ca.crt
cert OpenVPN-Client.crt
key OpenVPN-Client.key
ns-cert-type server
tls-auth hmac.key 1
cipher AES-128-CBC
comp-lzo
verb 3

When I upload the zip file with this ovpn file the UI ask me for username and password (but my vpn server just need password, there is no username)
screenshot

Log shows me:
OpenVPN 2.4.5 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
library versions: OpenSSL 1.0.2o 27 Mar 2018, LZO 2.10
neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can’t ask for ‘Enter Private Key Password:’. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Exiting due to fatal error
VPN client failed to connect. This may be because of wrong configuration, unsupported parameters or terminated by the server. Please choose another VPN profile or abort the connection.

can you pls double check?

I save the text in ovpn and upload The UI shows me correct input like below.

Okey, If I upload just the ovpn file the UI ask me for the passphrase, as you show…but then the client does not have the certificate and:
OpenSSL: error:02001002:lib(2):func(1):reason(2)

OpenSSL: error:2006D080:lib(32):func(109):reason(128)

OpenSSL: error:140AD002:lib(20):func(173):reason(2)

Cannot load certificate file OpenVPN-Client.crt

Exiting due to fatal error

But if I upload a zip file with
ca.crt
hmac.key
OpenVPN-Client.crt
OpenVPN-Client.key
pi-vpn.ovpn

Can you pm me your zip to check?

1 Like

Sure, pm sended, thanks :slight_smile:

Hi, txitxo0
Thanks for your feedback.We have fixed the bug in 3.026-0719 firmware.
You can download the firmware from https://fw.gl-inet.com/firmware/mt300n/testing/openwrt-mt300n-3.026-0719.bin and test it.