What's new

AC68U 384.6 not importing OpenVPN certs or saving them if manually entered

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

I have uploaded the Torguard .ovpn file and followed all steps in this walk through

https://x3mtek.com/torguard-openvpn-2-4-client-setup-for-asuswrt-merlin-firmware/

The VPN fails to start with a Options error: You must define CA file (--ca) or CA path (--capath). I manually enter the keys but they do not save. I also do not see a jffs/openvpn directory when I ssh to the router. I have flashed the router to start from scratch but get the same results.

Does the OpenVPN config, as generated by Torguard, work if you load it into a standalone PC client? You can download and install one from here:

https://openvpn.net/index.php/open-source/downloads.html

If it doesn't work in a standalone client it won't work in AsusWRT-Merlin.
 
You must do things in that order:

1) Upload the config file
2) Edit keys/certs
3) Apply to save them
4) Start the client

If you enter key/certs before uploading the config, they will be overwritten.
 
You must do things in that order:

1) Upload the config file
2) Edit keys/certs
3) Apply to save them
4) Start the client

If you enter key/certs before uploading the config, they will be overwritten.

I get the same results with this process as well. Options error: You must define CA file (--ca) or CA path (--capath). The Static Key and CA are not being saved in the gui config.
 
I have uploaded the Torguard .ovpn file and followed all steps in this walk through

https://x3mtek.com/torguard-openvpn-2-4-client-setup-for-asuswrt-merlin-firmware/

The VPN fails to start with a Options error: You must define CA file (--ca) or CA path (--capath). I manually enter the keys but they do not save. I also do not see a jffs/openvpn directory when I ssh to the router. I have flashed the router to start from scratch but get the same results.

Just took a look at a sample Torguard .ovpn file and it looks like this:

Code:
client
dev tun
remote chi.central.usa.torguardvpnaccess.com 443 udp
remote chi.central.usa.torguardvpnaccess.com 443 tcp
resolv-retry infinite
nobind
persist-key
persist-tun
setenv CLIENT_CERT 0
<ca>
-----BEGIN CERTIFICATE-----
MIIEwTCCA6mgAwIBAgIJAKROjebUHo0gMA0GCSqGSIb3DQEBBQUAMIGbMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCRkwxEDAOBgNVBAcTB09ybGFuZG8xETAPBgNVBAoT
CFRvckd1YXJkMQwwCgYDVQQLEwNWUE4xEzARBgNVBAMTClRHLU9WUE4tQ0ExETAP
BgNVBCkTCFRvckd1YXJkMSQwIgYJKoZIhvcNAQkBFhVzeXNhZG1pbkB0b3JndWFy
ZC5uZXQwHhcNMTQwNDE3MTAwOTIzWhcNMjQwNDE0MTAwOTIzWjCBmzELMAkGA1UE
BhMCVVMxCzAJBgNVBAgTAkZMMRAwDgYDVQQHEwdPcmxhbmRvMREwDwYDVQQKEwhU
b3JHdWFyZDEMMAoGA1UECxMDVlBOMRMwEQYDVQQDEwpURy1PVlBOLUNBMREwDwYD
VQQpEwhUb3JHdWFyZDEkMCIGCSqGSIb3DQEJARYVc3lzYWRtaW5AdG9yZ3VhcmQu
bmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAws1hJzlbWKlm3DEO
XyQpmvtxwrsR4CIYMi8C6np5w74lTRYmGBcuuPqAT3ig2DnH9HNNFx1WWZbYO8pU
a1tdn7uYErJi4EP9/t2l3uXCNgoWYVdVP1j5EXIY1oacOv9srbNZHeWpxHIb1wZr
1i4sLsdaifOibgVZI91FATXGrVdFDaQb2OjyJrFW8b4xbC8pBJxQDzqPeu9mkVpu
OhBuU+dM+9h+8Bj0tpdAernEAt8CbHIywe9Rjm0JLrYmCPKuB5ldVgG3rYQWFa3X
YWjrWtr//nGM4f4WKOFc2PHWA2gI3JwdynTNLsB9NQi0N7hhR6lmtCMeqHlm0oAz
4Ad4gQIDAQABo4IBBDCCAQAwHQYDVR0OBBYEFJvAPA1gnlD/majxi+43jL0XDfqQ
MIHQBgNVHSMEgcgwgcWAFJvAPA1gnlD/majxi+43jL0XDfqQoYGhpIGeMIGbMQsw
CQYDVQQGEwJVUzELMAkGA1UECBMCRkwxEDAOBgNVBAcTB09ybGFuZG8xETAPBgNV
BAoTCFRvckd1YXJkMQwwCgYDVQQLEwNWUE4xEzARBgNVBAMTClRHLU9WUE4tQ0Ex
ETAPBgNVBCkTCFRvckd1YXJkMSQwIgYJKoZIhvcNAQkBFhVzeXNhZG1pbkB0b3Jn
dWFyZC5uZXSCCQCkTo3m1B6NIDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA
A4IBAQBRG46DnL/8EAPbi/eOQli5WO7lRHYyZJdlLUMlsnwkp6Ul6BMJq8q3UX3z
+pqDf3wzj94y/IpGQgE4l0fgAdwf/C7F533TSwU/vi+5PDWfwD2WmGqVmcmXn6Rp
9Fwr+oryRw8GfsVBLZHTkWF1RZrRAr8hWZhNySGFwSXlEIicvNy+9mlFhk2Nb46w
ioZKc1Lc7/okeXNWHPv6Dlm39TcNBpGX/xNoWBzqs1EtA1ZGvMcQHsKLfi3Nbaab
BYe08KWsfeZA+ih4BZ6y2E+x84NYHRebqijXTtHp35coyXllBL/+LBoZ86hKszEx
F3pjGU0+8NzvdPUbKndhzyPPnHF1
-----END CERTIFICATE-----
</ca>
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
reneg-sec 0

Looks pretty straightforward. You mention "keys" (plural) though in your original post. Torguard (in this sample file) is only using a Certificate Authority and then your username and password to validate you. You may want to try just configuring your router client from scratch, without uploading the .ovpn. You shouldn't need to worry about the "client", "dev tun", or "setenv CLIENT_CERT 0" items -- they're taken care of for you or irrelevant. "persist-key" and "persist-tun" go in the custom config box at the bottom. The rest of the config items should match up with drop-down box items or radio-button selections in the client config GUI. I'd suggest going with either the UDP or TCP Torguard server, not both.

The Certificate Authority to paste in and save (in this example) would look like this:

Code:
-----BEGIN CERTIFICATE-----
MIIEwTCCA6mgAwIBAgIJAKROjebUHo0gMA0GCSqGSIb3DQEBBQUAMIGbMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCRkwxEDAOBgNVBAcTB09ybGFuZG8xETAPBgNVBAoT
CFRvckd1YXJkMQwwCgYDVQQLEwNWUE4xEzARBgNVBAMTClRHLU9WUE4tQ0ExETAP
BgNVBCkTCFRvckd1YXJkMSQwIgYJKoZIhvcNAQkBFhVzeXNhZG1pbkB0b3JndWFy
ZC5uZXQwHhcNMTQwNDE3MTAwOTIzWhcNMjQwNDE0MTAwOTIzWjCBmzELMAkGA1UE
BhMCVVMxCzAJBgNVBAgTAkZMMRAwDgYDVQQHEwdPcmxhbmRvMREwDwYDVQQKEwhU
b3JHdWFyZDEMMAoGA1UECxMDVlBOMRMwEQYDVQQDEwpURy1PVlBOLUNBMREwDwYD
VQQpEwhUb3JHdWFyZDEkMCIGCSqGSIb3DQEJARYVc3lzYWRtaW5AdG9yZ3VhcmQu
bmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAws1hJzlbWKlm3DEO
XyQpmvtxwrsR4CIYMi8C6np5w74lTRYmGBcuuPqAT3ig2DnH9HNNFx1WWZbYO8pU
a1tdn7uYErJi4EP9/t2l3uXCNgoWYVdVP1j5EXIY1oacOv9srbNZHeWpxHIb1wZr
1i4sLsdaifOibgVZI91FATXGrVdFDaQb2OjyJrFW8b4xbC8pBJxQDzqPeu9mkVpu
OhBuU+dM+9h+8Bj0tpdAernEAt8CbHIywe9Rjm0JLrYmCPKuB5ldVgG3rYQWFa3X
YWjrWtr//nGM4f4WKOFc2PHWA2gI3JwdynTNLsB9NQi0N7hhR6lmtCMeqHlm0oAz
4Ad4gQIDAQABo4IBBDCCAQAwHQYDVR0OBBYEFJvAPA1gnlD/majxi+43jL0XDfqQ
MIHQBgNVHSMEgcgwgcWAFJvAPA1gnlD/majxi+43jL0XDfqQoYGhpIGeMIGbMQsw
CQYDVQQGEwJVUzELMAkGA1UECBMCRkwxEDAOBgNVBAcTB09ybGFuZG8xETAPBgNV
BAoTCFRvckd1YXJkMQwwCgYDVQQLEwNWUE4xEzARBgNVBAMTClRHLU9WUE4tQ0Ex
ETAPBgNVBCkTCFRvckd1YXJkMSQwIgYJKoZIhvcNAQkBFhVzeXNhZG1pbkB0b3Jn
dWFyZC5uZXSCCQCkTo3m1B6NIDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA
A4IBAQBRG46DnL/8EAPbi/eOQli5WO7lRHYyZJdlLUMlsnwkp6Ul6BMJq8q3UX3z
+pqDf3wzj94y/IpGQgE4l0fgAdwf/C7F533TSwU/vi+5PDWfwD2WmGqVmcmXn6Rp
9Fwr+oryRw8GfsVBLZHTkWF1RZrRAr8hWZhNySGFwSXlEIicvNy+9mlFhk2Nb46w
ioZKc1Lc7/okeXNWHPv6Dlm39TcNBpGX/xNoWBzqs1EtA1ZGvMcQHsKLfi3Nbaab
BYe08KWsfeZA+ih4BZ6y2E+x84NYHRebqijXTtHp35coyXllBL/+LBoZ86hKszEx
F3pjGU0+8NzvdPUbKndhzyPPnHF1
-----END CERTIFICATE-----

Be sure to get all the dashes in your copy and paste, but not the <ca> or </ca> and scroll down in that pop-up window to save it. That should do it, and hopefully get you connected.
 
Just took a look at a sample Torguard .ovpn file and it looks like this:

Code:
client
dev tun
remote chi.central.usa.torguardvpnaccess.com 443 udp
remote chi.central.usa.torguardvpnaccess.com 443 tcp
resolv-retry infinite
nobind
persist-key
persist-tun
setenv CLIENT_CERT 0
<ca>
-----BEGIN CERTIFICATE-----
MIIEwTCCA6mgAwIBAgIJAKROjebUHo0gMA0GCSqGSIb3DQEBBQUAMIGbMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCRkwxEDAOBgNVBAcTB09ybGFuZG8xETAPBgNVBAoT
CFRvckd1YXJkMQwwCgYDVQQLEwNWUE4xEzARBgNVBAMTClRHLU9WUE4tQ0ExETAP
BgNVBCkTCFRvckd1YXJkMSQwIgYJKoZIhvcNAQkBFhVzeXNhZG1pbkB0b3JndWFy
ZC5uZXQwHhcNMTQwNDE3MTAwOTIzWhcNMjQwNDE0MTAwOTIzWjCBmzELMAkGA1UE
BhMCVVMxCzAJBgNVBAgTAkZMMRAwDgYDVQQHEwdPcmxhbmRvMREwDwYDVQQKEwhU
b3JHdWFyZDEMMAoGA1UECxMDVlBOMRMwEQYDVQQDEwpURy1PVlBOLUNBMREwDwYD
VQQpEwhUb3JHdWFyZDEkMCIGCSqGSIb3DQEJARYVc3lzYWRtaW5AdG9yZ3VhcmQu
bmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAws1hJzlbWKlm3DEO
XyQpmvtxwrsR4CIYMi8C6np5w74lTRYmGBcuuPqAT3ig2DnH9HNNFx1WWZbYO8pU
a1tdn7uYErJi4EP9/t2l3uXCNgoWYVdVP1j5EXIY1oacOv9srbNZHeWpxHIb1wZr
1i4sLsdaifOibgVZI91FATXGrVdFDaQb2OjyJrFW8b4xbC8pBJxQDzqPeu9mkVpu
OhBuU+dM+9h+8Bj0tpdAernEAt8CbHIywe9Rjm0JLrYmCPKuB5ldVgG3rYQWFa3X
YWjrWtr//nGM4f4WKOFc2PHWA2gI3JwdynTNLsB9NQi0N7hhR6lmtCMeqHlm0oAz
4Ad4gQIDAQABo4IBBDCCAQAwHQYDVR0OBBYEFJvAPA1gnlD/majxi+43jL0XDfqQ
MIHQBgNVHSMEgcgwgcWAFJvAPA1gnlD/majxi+43jL0XDfqQoYGhpIGeMIGbMQsw
CQYDVQQGEwJVUzELMAkGA1UECBMCRkwxEDAOBgNVBAcTB09ybGFuZG8xETAPBgNV
BAoTCFRvckd1YXJkMQwwCgYDVQQLEwNWUE4xEzARBgNVBAMTClRHLU9WUE4tQ0Ex
ETAPBgNVBCkTCFRvckd1YXJkMSQwIgYJKoZIhvcNAQkBFhVzeXNhZG1pbkB0b3Jn
dWFyZC5uZXSCCQCkTo3m1B6NIDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA
A4IBAQBRG46DnL/8EAPbi/eOQli5WO7lRHYyZJdlLUMlsnwkp6Ul6BMJq8q3UX3z
+pqDf3wzj94y/IpGQgE4l0fgAdwf/C7F533TSwU/vi+5PDWfwD2WmGqVmcmXn6Rp
9Fwr+oryRw8GfsVBLZHTkWF1RZrRAr8hWZhNySGFwSXlEIicvNy+9mlFhk2Nb46w
ioZKc1Lc7/okeXNWHPv6Dlm39TcNBpGX/xNoWBzqs1EtA1ZGvMcQHsKLfi3Nbaab
BYe08KWsfeZA+ih4BZ6y2E+x84NYHRebqijXTtHp35coyXllBL/+LBoZ86hKszEx
F3pjGU0+8NzvdPUbKndhzyPPnHF1
-----END CERTIFICATE-----
</ca>
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
reneg-sec 0

Looks pretty straightforward. You mention "keys" (plural) though in your original post. Torguard (in this sample file) is only using a Certificate Authority and then your username and password to validate you. You may want to try just configuring your router client from scratch, without uploading the .ovpn. You shouldn't need to worry about the "client", "dev tun", or "setenv CLIENT_CERT 0" items -- they're taken care of for you or irrelevant. "persist-key" and "persist-tun" go in the custom config box at the bottom. The rest of the config items should match up with drop-down box items or radio-button selections in the client config GUI. I'd suggest going with either the UDP or TCP Torguard server, not both.

The Certificate Authority to paste in and save (in this example) would look like this:

Code:
-----BEGIN CERTIFICATE-----
MIIEwTCCA6mgAwIBAgIJAKROjebUHo0gMA0GCSqGSIb3DQEBBQUAMIGbMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCRkwxEDAOBgNVBAcTB09ybGFuZG8xETAPBgNVBAoT
CFRvckd1YXJkMQwwCgYDVQQLEwNWUE4xEzARBgNVBAMTClRHLU9WUE4tQ0ExETAP
BgNVBCkTCFRvckd1YXJkMSQwIgYJKoZIhvcNAQkBFhVzeXNhZG1pbkB0b3JndWFy
ZC5uZXQwHhcNMTQwNDE3MTAwOTIzWhcNMjQwNDE0MTAwOTIzWjCBmzELMAkGA1UE
BhMCVVMxCzAJBgNVBAgTAkZMMRAwDgYDVQQHEwdPcmxhbmRvMREwDwYDVQQKEwhU
b3JHdWFyZDEMMAoGA1UECxMDVlBOMRMwEQYDVQQDEwpURy1PVlBOLUNBMREwDwYD
VQQpEwhUb3JHdWFyZDEkMCIGCSqGSIb3DQEJARYVc3lzYWRtaW5AdG9yZ3VhcmQu
bmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAws1hJzlbWKlm3DEO
XyQpmvtxwrsR4CIYMi8C6np5w74lTRYmGBcuuPqAT3ig2DnH9HNNFx1WWZbYO8pU
a1tdn7uYErJi4EP9/t2l3uXCNgoWYVdVP1j5EXIY1oacOv9srbNZHeWpxHIb1wZr
1i4sLsdaifOibgVZI91FATXGrVdFDaQb2OjyJrFW8b4xbC8pBJxQDzqPeu9mkVpu
OhBuU+dM+9h+8Bj0tpdAernEAt8CbHIywe9Rjm0JLrYmCPKuB5ldVgG3rYQWFa3X
YWjrWtr//nGM4f4WKOFc2PHWA2gI3JwdynTNLsB9NQi0N7hhR6lmtCMeqHlm0oAz
4Ad4gQIDAQABo4IBBDCCAQAwHQYDVR0OBBYEFJvAPA1gnlD/majxi+43jL0XDfqQ
MIHQBgNVHSMEgcgwgcWAFJvAPA1gnlD/majxi+43jL0XDfqQoYGhpIGeMIGbMQsw
CQYDVQQGEwJVUzELMAkGA1UECBMCRkwxEDAOBgNVBAcTB09ybGFuZG8xETAPBgNV
BAoTCFRvckd1YXJkMQwwCgYDVQQLEwNWUE4xEzARBgNVBAMTClRHLU9WUE4tQ0Ex
ETAPBgNVBCkTCFRvckd1YXJkMSQwIgYJKoZIhvcNAQkBFhVzeXNhZG1pbkB0b3Jn
dWFyZC5uZXSCCQCkTo3m1B6NIDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUA
A4IBAQBRG46DnL/8EAPbi/eOQli5WO7lRHYyZJdlLUMlsnwkp6Ul6BMJq8q3UX3z
+pqDf3wzj94y/IpGQgE4l0fgAdwf/C7F533TSwU/vi+5PDWfwD2WmGqVmcmXn6Rp
9Fwr+oryRw8GfsVBLZHTkWF1RZrRAr8hWZhNySGFwSXlEIicvNy+9mlFhk2Nb46w
ioZKc1Lc7/okeXNWHPv6Dlm39TcNBpGX/xNoWBzqs1EtA1ZGvMcQHsKLfi3Nbaab
BYe08KWsfeZA+ih4BZ6y2E+x84NYHRebqijXTtHp35coyXllBL/+LBoZ86hKszEx
F3pjGU0+8NzvdPUbKndhzyPPnHF1
-----END CERTIFICATE-----

Be sure to get all the dashes in your copy and paste, but not the <ca> or </ca> and scroll down in that pop-up window to save it. That should do it, and hopefully get you connected.

Even without using the.ovpn file I get the same CA error. After I enter the CA in the gui and save and apply. When I go back to view the CA it is no longer there.
 
Even without using the.ovpn file I get the same CA error. After I enter the CA in the gui and save and apply. When I go back to view the CA it is no longer there.

It seems like a factory reset would be in order at this point. You could also try flashing back to stock firmware to verify that you can save a CA there. Either way, one or more factory resets wouldn't hurt.
 
@ArtG

Ahhh....you have no /jffs mounted so it can't save the certs (and a lot of other things that now need to go into jffs space)

Go to the Administration > System page and select the option to format JFFS on next boot, hit apply, then Reboot at the top of the page. After it reboots, wait a couple of minutes, then reboot again. Then give it another try.
 
@ArtG

Ahhh....you have no /jffs mounted so it can't save the certs (and a lot of other things that now need to go into jffs space)

Go to the Administration > System page and select the option to format JFFS on next boot, hit apply, then Reboot at the top of the page. After it reboots, wait a couple of minutes, then reboot again. Then give it another try.

I ran through this process twice and still cannot save the CA in the gui and the df output shows the same.

Filesystem 1K-blocks Used Available Use% Mounted on
/dev/root 34816 34816 0 100% /
devtmpfs 127744 0 127744 0% /dev
tmpfs 127848 400 127448 0% /tmp
 
I have to ask....is this a real AC68 or a converted TM-1900?

If the former..
.
post the output of
cat /proc/mtd

and upload your syslog to a file sharing site and PM a link so I can take a look at it.
 
I have to ask....is this a real AC68 or a converted TM-1900?

If the former..
.
post the output of
cat /proc/mtd

and upload your syslog to a file sharing site and PM a link so I can take a look at it.

It says it is a
RT-AC68U
802.11ac
Wireless-AC1900

@RT-AC68U-D360:/tmp/home/root# cat /proc/mtd
dev: size erasesize name
mtd0: 00080000 00020000 "boot"
mtd1: 00180000 00020000 "nvram"
mtd2: 03e00000 00020000 "linux"
mtd3: 03c62568 00020000 "rootfs"
mtd4: 03ec0000 00020000 "brcmnand"
mtd5: 00140000 00020000 "asus"


Syslog coming.
 
@ArtG

Got your syslog.....and have some bad news.
Code:
May  5 00:05:05 kernel: JFFS2 version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
May  5 00:05:05 kernel: Cowardly refusing to erase blocks on filesystem with no valid JFFS2 nodes
May  5 00:05:05 kernel: empty_blocks 445, bad_blocks 1, c->nr_blocks 502
May  5 00:05:05 kernel: nand_erase_nand: attempt to erase a bad block at page 0x0000ef40

It looks like you have a bad block that the code can't work around when formatting jffs and it just gives up (it looks like the code in general should try and handle it, but apparently in this case it can't).
So, three options....
(1) Someone would need to try and debug the mtd code and find out why it can't skip this block
(2) My LTS fork uses a slightly different code which MAY handle it correctly. You might be able to load my fork, format jffs, and then reload Merlin
(3) If it's still under warranty.....start a return.
 
I have had the router for 2 years so it may be out of warranty. Where can I get your LTS fork?
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top