OpenVPN 347_35 Merlin

[Builder71]

OpenVPN supports different authentication schemes. The one you describe implies username/password or static key authentication, which isn't as secure as the TLS key/cert authentication method. That one requires you to manually generate and provides certs that are signed by your CA key to your users.

Nope, I don't use username/password or static key.
I use TLS key/cert authentication.

If you click on the "Content modification of Keys & Certificates" link, you will find the router populates all this automagically.

I just put in my own keys and after that the "Export" button doesn't work properly anymore.
The logging shows it's still looking for some router generated certificate. (C=TW, ST=TW, L=Taipei, O=ASUS,)

Nov 26 20:19:10 openvpn[473]: TCP connection established with [AF_INET]10.0.0.236:51711
Nov 26 20:19:10 openvpn[473]: 10.0.0.236:51711 TLS: Initial packet from [AF_INET]10.0.0.236:51711, sid=4916638f 05c0bc38
Nov 26 20:19:10 openvpn[473]: 10.0.0.236:51711 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=TW, ST=TW, L=Taipei, O=ASUS, CN=client, emailAddress=me@myhost.mydomain
Nov 26 20:19:10 openvpn[473]: 10.0.0.236:51711 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Nov 26 20:19:10 openvpn[473]: 10.0.0.236:51711 TLS Error: TLS object -> incoming plaintext read error
Nov 26 20:19:10 openvpn[473]: 10.0.0.236:51711 TLS Error: TLS handshake failed
Nov 26 20:19:10 openvpn[473]: 10.0.0.236:51711 Fatal TLS error (check_tls_errors_co), restarting
Nov 26 20:19:10 openvpn[473]: 10.0.0.236:51711 SIGUSR1[soft,tls-error] received, client-instance restarting

So it seems TLS authentication works out of the box with the "Export" button.
How cool is that!

However if there are more users connecting to the VPN server, it seems better to me, to make your own (client) certificates.

Please correct me if I'm wrong.

 

[RMerlin]

Hi folks,

I have seen a strange issue, DNS are not pushed to client. If you change openvpn server config and save it it doesn't take effect until you restart openvpn

The VPN Details page doesn't properly restart the OpenVPN server (and doesn't re-generate the config file either) when you click on Apply. It will be fixed in the next release.

For now, the work around is indeed to stop the VPN server, then start it again.

 

[WaVeR]

Hi Merlin,

As usual, thanks for all the work that you provide to the community. Just FYI, I have seen also that if you change options related to: DNS, Routing on the OpenVPN page it doesn't take effect until you restart the router (dnsmasq and firewall doesn't restart to take effect after Openvpn change).

 

[RMerlin]

Hi Merlin,

As usual, thanks for all the work that you provide to the community. Just FYI, I have seen also that if you change options related to: DNS, Routing on the OpenVPN page it doesn't take effect until you restart the router (dnsmasq and firewall doesn't restart to take effect after Openvpn change).

None do, as I wrote in the post just above.

 

[Builder71]

One thing I also notice is a wrong placed "</ca>" inside the router exported client.ovpn file.
This happens if you put in your own keys and hit the export button to create a client.ovpn file.
If I use this .ovpn file with my laptop, the ovpn client software stops working and timed out because of this.

Besides that I think the export button should be greyed out after putting in your own keys.
This because it's still looking for Asus issuer certificate stuff.
Definite something I don't use for my own PKI.

 

[RMerlin]

One thing I also notice is a wrong placed "</ca>" inside the router exported client.ovpn file.
This happens if you put in your own keys and hit the export button to create a client.ovpn file.
If I use this .ovpn file with my laptop, the ovpn client software stops working and timed out because of this.

Asus's exporter does very little format validation. The workaround at this time is to ensure you have a carriage return at the end of the certificate that you pasted.

Besides that I think the export button should be greyed out after putting in your own keys.
This because it's still looking for Asus issuer certificate stuff.
Definite something I don't use for my own PKI.

The exporter will contain the certs/keys that you pasted on the webui. As I explained before, if you use your signed keys, then you have to provide them manually to your users.

 

[Builder71]

Asus's exporter does very little format validation. The workaround at this time is to ensure you have a carriage return at the end of the certificate that you pasted.



The exporter will contain the certs/keys that you pasted on the webui. As I explained before, if you use your signed keys, then you have to provide them manually to your users.

- Yep, I did that, a carriage return is needed.

- I'm not sure we understand each other on the second issue.

I follow this guide to create my own certs/keys.
I agree with you that, if you do this, you also should provide them yourself to the users. No argue here.

BUT, if you don't read this great forum and put in your own keys/certs using the GUI, the Export button is still there to use.
That simply does not work! At this point the router simply generates invalid stuff.
Looking for local issuer certificate: C=TW, ST=TW, L=Taipei, O=ASUS, CN=client which I did not put inside the GUI.
I'm using totally different values with my own PKI.

There is no clue looking into help or a warning on the GUI, the Export button should not be used.
If ASUS puts a warning on the GUI not to use the export button, then I'm fine with that.

Just my view on this.

 

[RMerlin]

- Yep, I did that, a carriage return is needed.

- I'm not sure we understand each other on the second issue.

I follow this guide to create my own certs/keys.
I agree with you that, if you do this, you also should provide them yourself to the users. No argue here.

BUT, if you don't read this great forum and put in your own keys/certs using the GUI, the Export button is still there to use.
That simply does not work! At this point the router simply generates invalid stuff.
Looking for local issuer certificate: C=TW, ST=TW, L=Taipei, O=ASUS, CN=client which I did not put inside the GUI.
I'm using totally different values with my own PKI.

There is no clue looking into help or a warning on the GUI, the Export button should not be used.
If ASUS puts a warning on the GUI not to use the export button, then I'm fine with that.

Just my view on this.

I suspect your certificates must not be properly saved and applied. Export simply sends the .ovpn file that gets generated at the same time settings are applied, so you might be affected by the issue where settings entered on the Details page aren't properly applied. If you stop and restart the server instance, after that the exported ovpn file should contain your manually entered keys.

I just tested it here myself, and my exported .ovpn file contains everything I had entered in it. I even decoded the x509 to confirm the content.

 

[Builder71]

I suspect your certificates must not be properly saved and applied. Export simply sends the .ovpn file that gets generated at the same time settings are applied, so you might be affected by the issue where settings entered on the Details page aren't properly applied. If you stop and restart the server instance, after that the exported ovpn file should contain your manually entered keys.

I just tested it here myself, and my exported .ovpn file contains everything I had entered in it. I even decoded the x509 to confirm the content.

Thx for testing.
After I put in my own keys I clicked OK.
Then click on apply on the main page.
I noticed this didn't work correctly so I rebooted the router.
After that I was able to make a OpenVPN connection with my own client certificates.

However the export button problem I see is persistent through reboots.
I did a reboot again and tested the export button.
Keeps looking for Asus stuff If I check the routers log.

Nov 30 19:31:35 openvpn[473]: TCP connection established with [AF_INET]10.0.0.236:54133
Nov 30 19:31:35 openvpn[473]: 10.0.0.236:54133 TLS: Initial packet from [AF_INET]10.0.0.236:54133, sid=54eeeddb 7c32d1e3
Nov 30 19:31:35 openvpn[473]: 10.0.0.236:54133 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=TW, ST=TW, L=Taipei, O=ASUS, CN=client, emailAddress=me@myhost.mydomain
Nov 30 19:31:35 openvpn[473]: 10.0.0.236:54133 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Nov 30 19:31:35 openvpn[473]: 10.0.0.236:54133 TLS Error: TLS object -> incoming plaintext read error
Nov 30 19:31:35 openvpn[473]: 10.0.0.236:54133 TLS Error: TLS handshake failed
Nov 30 19:31:35 openvpn[473]: 10.0.0.236:54133 Fatal TLS error (check_tls_errors_co), restarting
Nov 30 19:31:35 openvpn[473]: 10.0.0.236:54133 SIGUSR1[soft,tls-error] received, client-instance restarting

Scary you see different behaviour.

 

[RMerlin]

I think I know why now. Asus added code to automatically generate a key/cert pair for clients in addition to the server stuff, but they aren't exposing them to the webui, simply storing them in nvram. This content doesn't get generated unless one of these three field is empty:

Server CA
Server Key
Server CRT

At that point, it will automatically generate all of these, in addition to a keypair for clients to use. So if you enter your own CA, Key and Crt after having the FW initialize these automatically, you will end up with a .ovpn file that contains your own CA, but with the Asus-signed client key/cert (which explains the failed validation).

Since I always had all of these three fields populated on my test router, I never saw it generate that new client keypair.

I won't have time to rework the way this is working in time for the next point release due to lack of time, but in the mean time you can use either of these scenarios:

1) If you want to use all Asus-generated fields:
- Stop the OpenVPN server
- Clear CA, server key and server crt field on the Details page
- Re-enable it on the VPN page - all fields should be regenerated by the router

2) If you want to use your own client keypair:
- Remove the Asus-generated keypair:
nvram unset vpn_server1_client_crt
nvram unset vpn_server1_client_key
nvram commit

- Manually remove the <cert> <key> sections or fill them with your manually generated key/crt in the exported .ovpn

I haven't decided yet how I will rework this particular feature. This whole merging of two different yet similar OpenVPN implementations requires a lot of planning.

 

[Builder71]

Nice catch!

I'll play with this tomorrow to see if it works the same here.

I was perfectly happy with the previous OpenVPN implementation.
The "problem" now is ASUS added it as well.
I guess the only way forward for you is stick to the Asus implementation.
Unfortunately that needs some bugs to iron out.

 

[RMerlin]

Nice catch!

I'll play with this tomorrow to see if it works the same here.

I was perfectly happy with the previous OpenVPN implementation.
The "problem" now is ASUS added it as well.
I guess the only way forward for you is stick to the Asus implementation.
Unfortunately that needs some bugs to iron out.

374.35 is already an hybrid. I'm trying to keep the best changes Asus did, while retaining things they have removed, such as the ability to run two separate OpenVPN server instances. But yeah, it will require some debugging. There's already quite a few issues fixed on my end, just need to find the time to push out a point release as I won't have time for a full blown update for the next couple of weeks.

 

[Builder71]

...

2) If you want to use your own client keypair:
- Remove the Asus-generated keypair:
nvram unset vpn_server1_client_crt
nvram unset vpn_server1_client_key
nvram commit

- Manually remove the <cert> <key> sections or fill them with your manually generated key/crt in the exported .ovpn

I haven't decided yet how I will rework this particular feature. This whole merging of two different yet similar OpenVPN implementations requires a lot of planning.

OK, played a bit to get the second option going. However no luck.
I'm not sure what the nvram unset commands do.
I don't see any change and the folder admin@RT-N66U:/tmp/etc/openvpn/server1# still contains all files.

The client.ovpn file is still there with the wrong <cert></cert> and wrong <key></key> information.
I checked the files on the router and "ca.key" is different compared to the one I generated with easy-rsa.
Could that be a problem?

 

[Paxsat]

scusate ma sono newbie. io utilizzavo PPTP wan connessione per vedere le mie IPCAM.. ma vorrei capire come fare con openVPN. my ISP is 10.x.x.x private IP, my ipcam is 192.168.2.59:88. in precedenza utilizzavo portForwarding per girare la porta 9892 del mio indirizzo pubblico (dato dal pptp wan). ora openvpn crea una interfaccia tun11, dovrei girare la porta 9892 del tun11 sul 192.168.2.59:88. credevo leggendo la iptables che tutto il traffico sulla port (any) 9892 venivano girate al 192.168.2.59. come si deve fare? nel porforwarding non è possibile impostare "tun to lanip?" grazie

(google)
sorry but I'm newbie. I was using PPTP connection wan to see my IPCAM .. but I want to understand how to deal with openVPN. My ISP is 10.xxx private IP, my ipcam is 192.168.2.59:88. previously I used to turn the portforwarding port 9892 of my public address (given by the pptp wan). Now create a openvpn interface tun11, I should turn the port 9892 on the tun11 192.168.2.59:88. I thought reading the iptables that all traffic on the port (any) 9892 were shot to 192.168.2.59. how should you do? in porforwarding you can not set "tun to lanip?" thanks

 

[Builder71]

...

I checked the files on the router and "ca.key" is different compared to the one I generated with easy-rsa.
Could that be a problem?

I played a bit more with this.
If I use the OpenVPN easy-rsa tools (build-key.bat) it's not possible to generate client crt/key files if the ca.key file is not present.

Error opening CA private key keys/ca.key
616:error:02001002:system library:fopen:No such file or directory:.\crypto\bio\b
ss_file.c:398:fopen('keys/ca.key','rb')
616:error:20074002:BIO routines:FILE_CTRL:system lib:.\crypto\bio\bss_file.c:400
:
unable to load CA private key

If I grab the ca.key file from the router and put it inside the easy-rsa keys folder, you get a key mismatch.

CA certificate and CA private key do not match
6104:error:0B080074:x509 certificate routines:X509_check_private_key:key values
mismatch:.\crypto\x509\x509_cmp.c:318:

So, I think if you use your own crt and key files with the router, the Export button simply can't work.
Because the router doesn't know your ca.key from the easy-rsa folder.

If I put my own ca.key inside the folder admin@RT-N66U:/tmp/etc/openvpn/server1# it still doesn't work.
Also if you turn off and turn on the OpenVPN server it directly creates it's own ca.key file. (Overwrites the file.)

It seems the router Export button never uses your own ca.crt and ca.key file.
But instead always something else hidden inside the router.
(The C=TW, ST=TW, L=Taipei, O=ASUS,... stuff.)

 

[RMerlin]

I played a bit more with this.
If I use the OpenVPN easy-rsa tools (build-key.bat) it's not possible to generate client crt/key files if the ca.key file is not present.

Error opening CA private key keys/ca.key
616:error:02001002:system library:fopen:No such file or directory:.\crypto\bio\b
ss_file.c:398:fopen('keys/ca.key','rb')
616:error:20074002:BIO routines:FILE_CTRL:system lib:.\crypto\bio\bss_file.c:400
:
unable to load CA private key

If I grab the ca.key file from the router and put it inside the easy-rsa keys folder, you get a key mismatch.

CA certificate and CA private key do not match
6104:error:0B080074:x509 certificate routines:X509_check_private_key:key values
mismatch:.\crypto\x509\x509_cmp.c:318:

So, I think if you use your own crt and key files with the router, the Export button simply can't work.
Because the router doesn't know your ca.key from the easy-rsa folder.

If I put my own ca.key inside the folder admin@RT-N66U:/tmp/etc/openvpn/server1# it still doesn't work.
Also if you turn off and turn on the OpenVPN server it directly creates it's own ca.key file. (Overwrites the file.)

It seems the router Export button never uses your own ca.crt and ca.key file.
But instead always something else hidden inside the router.
(The C=TW, ST=TW, L=Taipei, O=ASUS,... stuff.)

You are confusing a lot of things there, starting with not understanding the relation between a CA, a Server and a Client keypair.

First, you have to decide if you want to have the router handle everything for you, or not. Cause you have to go ALL the way with either paths: either let the router generate everything for you, or generate everything yourself, including the CA (which is also created by easy-rsa - please read the tutorial linked in the Wiki on this). Once you do, you have to paste your own CA cert, Server cert and Server key on the webui, then apply the changes to have them saved, and used by the OpenVPN instance. Your client.ovpn will also be regeneratedrated at that point.

The CA key should not be needed for anything but signing the certs you hand out to your clients. That key isn't used by the server, and should in fact be saved in a secure location outside of your router. That key has nothing to do at all with the Export function, export merely paste the content of the ca certificate as seen on the webui.

The export function will export the saved client key/cert pairs generated automatically by the router. If you create your own keypair, then you must clear the two nvram value like I explained as these were generated using the router's own CA rather than your own. When you do that, the exported ovpn will contain "Paste your client cert" and "Paste your client key" in those two sections. When you generate your own keys, using your own CA, you have to paste these two manually from the client key/cert that you generated, and signed with your own CA key.

From the look of it, you are still trying to use a mixture of Asus generated key/cert with your own. It won't work, you have to go all the way with one, or the other. Not both.

 

[Builder71]

Thx for explaining, I'm trying to wrap my head around this.
No easy stuff and not my native language, looking for proper words to explain all the time.
My comments in red below.

You are confusing a lot of things there, starting with not understanding the relation between a CA, a Server and a Client keypair.

First, you have to decide if you want to have the router handle everything for you, or not. Cause you have to go ALL the way with either paths: either let the router generate everything for you, or generate everything yourself, including the CA (which is also created by easy-rsa - please read the tutorial linked in the Wiki on this). Once you do, you have to paste your own CA cert, Server cert and Server key on the webui, then apply the changes to have them saved, and used by the OpenVPN instance. Your client.ovpn will also be regeneratedrated at that point. This seems to be a problem because it doesn't happen.

The CA key should not be needed for anything but signing the certs you hand out to your clients. That key isn't used by the server, and should in fact be saved in a secure location outside of your router. That key has nothing to do at all with the Export function, export merely paste the content of the ca certificate as seen on the webui. Agree. But my router gives a funny ovpn file after pasting my own keys. It never regenerates stuff. How do I trigger the regenerating?

The export function will export the saved client key/cert pairs generated automatically by the router. If you create your own keypair, then you must clear the two nvram value like I explained as these were generated using the router's own CA rather than your own. When you do that, the exported ovpn will contain "Paste your client cert" and "Paste your client key" in those two sections. This never happens after the nvram commands. When you generate your own keys, using your own CA, you have to paste these two manually from the client key/cert that you generated, and signed with your own CA key. I agree, however the router gives a ovpn file with all fields filled.

From the look of it, you are still trying to use a mixture of Asus generated key/cert with your own. It won't work, you have to go all the way with one, or the other. Not both.
I know it doesn't work like that, more my playing to test what seems stuck.

The added pic ONLY happens when I clear all keys from the GUI.
Not if I change some or do whatever.