Cannot connect OpenVPN on Asuswrt-Merlin

[TheStork]

Hi,

I am attempting to set up an OpenVPN server on my RT-AC87U (running wrt-merlin 378.50) and have got the keys and certificates up and running, but when trying to connect, the OpenVPN client app on iOS gives the following errors:

2015-02-22 21:00:34 VERIFY FAIL -- bad ns-cert-type in leaf certificate
2015-02-22 21:00:34 Transport Error: PolarSSL: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
2015-02-22 21:00:34 EVENT: CERT_VERIFY_FAIL PolarSSL: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed [ERR]

On the router/server side, the log just shows the following, suggesting that at least one packet comes through (note: ip address replaced by x.x.x.x):

Feb 22 21:00:32 openvpn[26992]: x.x.x.x:45187 TLS: Initial packet from [AF_INET]x.x.x.x:45187, sid=5f53a171 b40b010b
Feb 22 21:01:32 openvpn[26992]: x.x.x.x:45187 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 22 21:01:32 openvpn[26992]: x.x.x.x:45187 TLS Error: TLS handshake failed
Feb 22 21:01:32 openvpn[26992]: x.x.x.x:45187 SIGUSR1[soft,tls-error] received, client-instance restarting

Any ideas? Apart from the VPN settings, keys and certificates on the router, do I need to do any tricks with the firewall / NAT / port forwarding?

Thanks in advance.

 

[SnakeByte]

Make sure "username/password auth only" is on.

If it isn't, the exporter adds these lines to the .opvn file:

<cert>
paste client certificate data here
</cert>
<key>
paste client key data here
</key>

which causes the issue you mention (since those placeholders obviously don't contain actual certificate information).

I'm not sure if we're supposed to manually generate these certs, or if the router is but is failing at it.

 

[TheStork]

Make sure "username/password auth only" is on.

If it isn't, the exporter adds these lines to the .opvn file:


which causes the issue you mention (since those placeholders obviously don't contain actual certificate information).

I'm not sure if we're supposed to manually generate these certs, or if the router is but is failing at it.

I've pasted in the client cert and key manually into the ovpn file generated by the router, as I spotted the placeholders you mentioned. I've then opened the edited ovpn file on my iOS device. The router does not generate the client's key or certificate so they would need to come e.g. from the CA (which I've done separately with easy-rsa on a laptop).

 

[Softail]

It's unclear from what you've said but if you've used easy-rsa to make the client cert, then you need to use it to make a server certificate as well and then copy that, it's key, the certificate authority you generated and the Diffie-Hellman parameters and paste them into the GUI and then export a new client configuration. Edit that to paste in the client cert and key that go with the ones you provided the server. All the certificates must belong to the same CA and use the same DH parameters.

 

[TheStork]

It's unclear from what you've said but if you've used easy-rsa to make the client cert, then you need to use it to make a server certificate as well and then copy that, it's key, the certificate authority you generated and the Diffie-Hellman parameters and paste them into the GUI and then export a new client configuration. Edit that to paste in the client cert and key that go with the ones you provided the server. All the certificates must belong to the same CA and use the same DH parameters.

That's indeed what I've done. I've based my set up steps on the merlin documentation (and the Tomato firmware OpenVPN article referred in it.
https://github.com/RMerl/asuswrt-merlin/wiki/Configuring-OpenVPN

http://www.howtogeek.com/60774/connect-to-your-home-network-from-anywhere-with-openvpn-and-tomato/

As easy-rsa v3 is a bit different from the v2 used in the instructions in the Tomato article, I've followed the key and cert set-up steps from OpenVPN's site:

https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto

 

[Softail]

Don't know then, working for me. This

2015-02-22 21:00:34 VERIFY FAIL -- bad ns-cert-type in leaf certificate

makes me suspect that the server cert is a client one or vice versa. You have to explicitly make a server certificate in easy-rsa.

 

[TheStork]

I got it working in the end, replacing the keys and certs generated with two changes to settings:

1. Changed the easy-rsa vars to the traditional "org" mode, rather than "cn_only" which is default in Easy-RSA 3.
2. set EASYRSA_NS_SUPPORT to "yes" in the vars file, to support the old deprecated ns-cert-type, which the new Easy-RSA 3 no longer supports by default. (It is now recommended to use remote-cert-tls instead but I'm not clear how that would be done).

I guess either the Asuswrt-Merlin OpenVPN config or the iOS OpenVPN Connect app require some of the parameters to still be in line with the default settings used in Easy-RSA 2.

Pretty much all of the guides of how to set up OpenVPN, especially those relating to vpn on Asus routers, appear to be from the days of Easy-RSA 2. Have others had similar trouble with keys and certs generated with Easy-RSA 3?