
OpenVPN 347_35 Merlin


paulb787

Occasional Visitor
Hey,

Just downloaded the new Merlin firmware after spending hours working on getting openvpn to work. I see it is now like the stock FW where it will export an ovpn and use usernames and passwords. I AGREE!! SO MUCH NICER, and we can still run both openvpn and pptp!

My only problem is when I add a username and password to the list I want to use it doesn't work. The only thing working is admin/pass.

Is there any way I can telnet into it and manually put the username and password into the file to work with openvpn? Where is the file if I can?

THANKS
 
PPTP or OpenVPN page?
 
It seems it's because the password file isn't properly generated after applying changes. To force it to be created, run the following over SSH/Telnet:

Code:
service restart_chpass

It should properly generate /etc/passwd.openvpn then.
 
Yes, that worked. Man, how did you learn this stuff? I wish I knew half of what you know. Thank you so much. I like it!
 
This version seems quite a bit more stable and faster. However, somehow after upgrading from 34_2, something strange seems to have happened :

1. Entware is no longer detected. Actually it is mounted. Previously in the USB screen and the default screen upon login, it shows my USB disk that is mounted, now it doesn't. Entware is still installed.

2. Openvpn settings no longer shows the configuration options which were available previously. How do I get them back? Or else, where do I install all my various options? I only see userid/passwords to set for openvpn, previously I had options to install the various key files, set IP addresses, authentication etc.
The VPN settings for Server1 and Server2 of OpenVPN shows it as ON and running. But I am unable to modify its parameters. Where should I do it?
 
The VPN settings for Server1 and Server2 of OpenVPN shows it as ON and running. But I am unable to modify its parameters. Where should I do it?

Tried the other tabs right next to it?
 
Yup, I tried the other tabs "VPN Settings" next to it. Only seems to show PPTP settings but not openvpn settings

The first page must be on OpenVPN for the next one to display the OpenVPN settings. This is a leftover of Asus's webui where you must choose either PPTP or OpenVPN on the first page (as you can't run both).

I want to add a page chooser to the Details page eventually but didn't have time to, so for now just change the VPN mode on the first page first.
 
I did.. the "VPN Settings" page still shows PPTP. I reset to defaults and it shows. Then I restored my backup and it disappears so did my NAT settings. I upgraded from stock to 34_2, then reset to factory defaults before configuring 34_2 about 2 weeks ago. I then upgraded to 35_2 today.
 
Don't forget to hit Apply after you change it to OpenVPN. I have no problem switching back and forth between both Details pages here.
 
Wow, what a change with OpenVPN!
GUI is different now, but not hard to understand.

The "Export ovpn file" button is very user friendly.

One question about this feature.
Below the button I read:

"... If you need a more advanced authenticaton method (such as using signed certs), please go to VPN details. You will need to manually prepare and provide signed certificates then."

OK, I don't want to use user names, never did.
When I turned on OpenVPN it seems to populate all the keys.
When I click on the Export button it generates the .ovpn file and it works great!
So what about the manually prepare stuff?

The key generation did go very fast, so how good are they?
If I look at the keys on the details pane, they look similar at the beginning of the key.
Is there a way to give the router a bit more time to generate more random keys?
 

When you use key based authentication, you have to manually generate them for each of your clients. That's why they aren't included in the exported ovpn, that file can only export what is common to both the server and the client.

The automatically generated server key is 1024-bits.
 
Don't forget to hit Apply after you change it to OpenVPN. I have no problem switching back and forth between both Details pages here.

The details pages never showed in my router with 35_2 until I did a factory reset. It is now showing. Also another thing to note, to replace any keys, I seem to have to clear all the keys, then paste in the new one. I cannot select the contents of the input box and replace it. It only seems to take effect this way. The OVPN speeds are quite decent, surprisingly.
 
Also another thing to note, to replace any keys, I seem to have to clear all the keys, then paste in the new one. I cannot select the contents of the input box and replace it. It only seems to take effect this way. The OVPN speeds are quite decent, surprisingly.

I just tested it here and I can't reproduce it. I was able to save a key, edit it for a different one, then save it again - when I went back, the new key was there.

Don't forget to click on the Apply button to save them - they aren't saved immediately when you press OK on the popup, only when you click Apply on the parent page.

Otherwise, I suspect this could be a browser-specific issue.
 
Did you edit all the keys before clicking "OK" then "Apply"? That does not work for me, however, clearing all makes it work. Also, it is strange that the static key popup dialog can only be seen when selecting static, it'd be easier to have all the keys to be entered from the same popup. To use static keys in my config, I got to set all the 4 keys, then go to "Static", add in the static key, Apply again then add in the HMAC direction before turning it on. Kind of prefer the previous 34_2 way.
 
Did you edit all the keys before clicking "OK" then "Apply"? That does not work for me, however, clearing all makes it work.

Still the same for me. I inserted numbers at the start of all keys, clicked OK, clicked Apply, then re-clicked on the link to edit them, and my numbers were there in all fields.

I'm using Chrome.

Also, it is strange that the static key popup dialog can only be seen when selecting static, it'd be easier to have all the keys to be entered from the same popup. To use static keys in my config, I got to set all the 4 keys, then go to "Static", add in the static key, Apply again then add in the HMAC direction before turning it on. Kind of prefer the previous 34_2 way.

That was done by Asus, who mistakenly thought that static keys could only be used when using "secret" for authentication instead of TLS. I have already reverted their change on the repo:

https://github.com/RMerl/asuswrt-merlin/issues/464

TLS will show all five fields, and static will only show the static key field now.
 
When you use key based authentication, you have to manually generate them for each of your clients. That's why they aren't included in the exported ovpn, that file can only export what is common to both the server and the client.

The automatically generated server key is 1024-bits.

From what I see, this is not needed.

Previously you needed inside the C:\Program Files (x86)\OpenVPN\config\ folder:
- client.ovpn
- ca.crt
- client1.crt
- client1.key

With the new implementation you only need the router generated .ovpn file.
That just works!

If you look inside the new .ovpn file with notepad you find all keys:
- <ca> </ca>
- <cert> </cert>
- <key> </key>
So it seems all that is needed is inside the new .ovpn file.
Generated by the router.

What is there to generate manually? :confused:
 
OpenVPN supports different authentication schemes. The one you describe implies username/password or static key authentication, which isn't as secure as the TLS key/cert authentication method. That one requires you to manually generate and provide certs that are signed by your CA key to your users.
 
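As an added illustration (not part of the thread and not Asuswrt-Merlin code), this Python sketch audits an exported .ovpn profile of the kind discussed above: it lists the inline credential blocks, notes an embedded private key, and reads the RSA modulus size so that a 1024-bit key stands out. The 2048-bit threshold, the names `audit_ovpn` and `rsa_bits`, and the sample profile are assumptions made for this example; the key is expected to be an unencrypted PEM.

```python
import base64
import re

INLINE = re.compile(r"<(ca|cert|key|tls-auth)>\s*(.*?)\s*</\1>", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos: (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_bits(pem):
    """Modulus bits of an unencrypted PKCS#1/PKCS#8 RSA key, else None."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    _, seq, _ = _tlv(base64.b64decode(b64), 0)  # outer SEQUENCE
    _, _, pos = _tlv(seq, 0)                    # version INTEGER
    tag, val, pos = _tlv(seq, pos)
    if tag == 0x30:                             # PKCS#8 wrapper: unwrap OCTET STRING
        _, inner, _ = _tlv(seq, pos)
        _, seq, _ = _tlv(inner, 0)
        _, _, pos = _tlv(seq, 0)
        tag, val, _ = _tlv(seq, pos)
    return int.from_bytes(val, "big").bit_length() if tag == 0x02 else None

def audit_ovpn(text):
    """Report what credentials an .ovpn profile carries and flag weak spots."""
    blocks = {m.group(1): m.group(2) for m in INLINE.finditer(text)}
    lines = INLINE.sub("", text).splitlines()
    directives = {l.split()[0] for l in lines if l.strip() and l.lstrip()[0] not in "#;"}
    bits = rsa_bits(blocks["key"]) if "key" in blocks else None
    warnings = []
    if "key" in blocks:
        warnings.append("private key embedded: anyone holding this file holds the key")
    if bits is not None and bits < 2048:  # assumed minimum for this example
        warnings.append(f"RSA key is only {bits} bits")
    if "auth-user-pass" in directives and not ({"cert"} & (set(blocks) | directives)):
        warnings.append("no client cert: access rests on username/password alone")
    return {"inline": sorted(blocks), "key_bits": bits, "warnings": warnings}

# Constructed sample: DER carrying a 1024-bit modulus field, not a usable key.
_DER = bytes.fromhex("30818702010002818100c1" + "00" * 127)
SAMPLE = ("client\nremote vpn.example.net 1194\nauth-user-pass\n<ca>\n(constructed)\n</ca>\n"
          "<key>\n-----BEGIN RSA PRIVATE KEY-----\n" + base64.encodebytes(_DER).decode()
          + "-----END RSA PRIVATE KEY-----\n</key>\n")

if __name__ == "__main__":
    print(audit_ovpn(SAMPLE))
```
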
Hi folks,

I have seen a strange issue, DNS are not pushed to client. If you change openvpn server config and save it, it doesn't take effect until you restart openvpn.
 