VPN client

[Sergyk]

Hello folks.
I have router asus ac68u on the latest 386.14 Merlin's firmware.
When I try use ovpn file for vpn client I have this issue when I try to connect.

Jul 27 12:01:54 ovpn-client2[16743]: Using peer cipher 'AES-256-CBC'
Jul 27 12:06:48 ovpn-client2[16743]: TUN/TAP device tun12 opened
Jul 27 12:06:48 ovpn-client2[16743]: TUN/TAP TX queue length set to 1000
Jul 27 12:06:48 ovpn-client2[16743]: /usr/sbin/ip link set dev tun12 up mtu 1500
Jul 27 12:06:48 ovpn-client2[16743]: /usr/sbin/ip link set dev tun12 up
Jul 27 12:06:49 ovpn-client2[16743]: /usr/sbin/ip addr add dev tun12 10.8.7.3/24
Jul 27 12:06:49 ovpn-client2[16743]: ovpn-up 2 client tun12 1500 0 10.8.7.3 255.255.255.0 init
Jul 27 12:06:49 ovpn-client2[16743]: WARNING: Failed running command (--up/--down): could not execute external program
Jul 27 12:06:49 ovpn-client2[16743]: Exiting due to fatal error

This is config ovpn file

# udp/tcp
client
dev tun
proto udp
remote 0.ovpn.dmsrvc.com 2222
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA1
cipher AES-256-CBC
data-ciphers AES-256-CBC
explicit-exit-notify 1
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIDKzCCAhOgAwIBAgIJAODLJrN5X1SXMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNV
BAMMCENoYW5nZU1lMB4XDTIyMDMwNjAyMjgxOFoXDTMyMDMwMzAyMjgxOFowEzER
MA8GA1UEAwwIQ2hhbmdlTWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDk7XcTAUjwzf1NXfcl311wVEy3UiZ6vps10paKQOLjJICYR0FYQuE8SxdG3d1P
Xc8OQiTjh1wp0two398rKuEWevizNQelEb1/2mbDYqmqSDizU76AXRkgqP0IsiR7
l2cn7fCXebfkAimc9ZMFQn/4bsBQcgElAMfzxhlkHGYbApr3MmLxIJuQfhscV1rK
RIctu9IFJLSZceKU5MY9ISZ53o9o1lOWYd3fY/eVwJDqAxAt7uIAb7/ri5NKBA/c
CnWIe1en358jeH9K0Q1xqufMGnDnJF3+h0xETRWwMNHYzQfMLf3O768bARU1ldui
d9QOI2FR/byO314qs0pI8zy1AgMBAAGjgYEwfzAdBgNVHQ4EFgQUmjsZ6pClWXfO
tYlf2FvgsUYRv54wQwYDVR0jBDwwOoAUmjsZ6pClWXfOtYlf2FvgsUYRv56hF6QV
MBMxETAPBgNVBAMMCENoYW5nZU1lggkA4Msms3lfVJcwDAYDVR0TBAUwAwEB/zAL
BgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAD6UDpe+7JVQN8gZGztYP0Nh
9Rb1JEqdVGuNWjgea2gLqIyjgXJgoeF+KP9wjLe2rVteFRZt2EcaC/YEzIrtuwH7
QcVyPYRRPzB2QqyOvguOn4sNBWnELh5XPZDqxzQo0hh2T8+wHB8YULkrL1wl10ti
5V92lBHPO7Qb3vJKWu1rN1KVp9SlGQOcC6TMvvBnbxKDiaSfMuL1UVH3WPocxCcB
h9r0z+bU1t9sZrRGmsNSsUO1eF2+c6H7heF8jaTnO74Q8IFSXRKiqgbhjLu2cYdx
F0LRDUi+hWH1sY9jOo0IOjfphkwTlNChxpalMbKhE3zU8OBygRhynh6uC+0msjw=
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIDSzCCAjOgAwIBAgIRANS0xnqAip0Fjp0HtKbPbPQwDQYJKoZIhvcNAQELBQAw
EzERMA8GA1UEAwwIQ2hhbmdlTWUwHhcNMjIwMzA2MDIyODE5WhcNMzIwMzAzMDIy
ODE5WjAYMRYwFAYDVQQDDA16YWJvcm9uYV9oZWxwMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEA3sStBUT6b7em3WlG0Wm4nVzEv0hkIAqlxcjsoLImLLXo
fPaTG27pmuOjngA3KhaN+pxqcy8z8whx86TmZ3J7QP9hFM9xbRKgqUc2C9dAxVra
ubTTrkUAn1CF/ZVueRFNAOEnzd+xJo+c8x6bPRW2ovXQM3b4GkG9X9tNQqFbsDnK
qBtKWDXXsiyFqHXHoOKq/wcx+dKFkT4nJKyHjm/+3J4vUuPsrmxyvJ8mP0fYS5mo
NEzA67Hs6lwAM/tRGYNBM14R03MdoEXLVe7PE/GJPCwmWLtRMF2uF6YCpaJ/xmyX
qHOZmm7MjAKGCQWszd4Maz1iD4sHEv4fOksxV3fMfwIDAQABo4GUMIGRMAkGA1Ud
EwQCMAAwHQYDVR0OBBYEFIed29CkSXymIof77YQGIUiX38wqMEMGA1UdIwQ8MDqA
FJo7GeqQpVl3zrWJX9hb4LFGEb+eoRekFTATMREwDwYDVQQDDAhDaGFuZ2VNZYIJ
AODLJrN5X1SXMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAsGA1UdDwQEAwIHgDANBgkq
hkiG9w0BAQsFAAOCAQEA0noQMHGT/of0JHeymZZ69MEZ8IP7QrDQg67ClgY7vjfb
9Fahztjym9vgC/ueffF7pPD7iSHYRI++newKZCxHSWogHbZL9IVIr60Bx5wVo4Ab
3tDY3mWLwPq0oWC9G21OdcnCALK8jaXFvBAeyH0K9TmULpbORANh0c29vDE1NBFt
LIM2GMPmAfImm5rNbcAnEh1BaetWWOhdKn1358cz4/OlrrMFylivKtjPJljIBDU5
NztXW9+vm4i1bNGcD9k+p91GgTwiUbP4FXzZi5nGGjXb8lhtEmOYFp1Syl6ZCOCG
ExIkQaGCNHJmph9uB5+uwQjVr2OV0ZYYBA+GZPSMPw==
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
(removed.  -rm)
-----END PRIVATE KEY-----
</key>

Can anybody help me? Thanks

(Removed private key. -rm)

 

[Sergyk]

I always have the same issue

WARNING: Failed running command (--up/--down): could not execute external program
Jul 27 12:06:49 ovpn-client2[16743]: Exiting due to fatal error

 

[RMerlin]

Show the content of the client configuration on the webpage.

You can also try increasing the verbosity level to 6 on the webpage then trying again to start the client.

 

[eibgrad]

My first suggestion? You might NOT want to expose your *private* key from that config file!

P.S. And since you did already, it might be appropriate to regenerate your keys.

 

[RMerlin]

My first suggestion? You might NOT want to expose your *private* key from that config file!

Thanks for the heads up, I just edited his post to remove it.

 

[octopus]

Still need help?

Remove "block-outside-dns" from your config.

 

[eibgrad]

Remove "block-outside-dns" from your config.

Good guess, but if that was the case, the OP would have likely received the following in the syslog.

Aug 12 11:40:23 ovpn-client1[31254]: Options error: Unrecognized option or missing or extra parameter(s) in config.ovpn:27: block-outside-dns (2.6.10)

But he didn't because of the following additional directive.

ignore-unknown-option block-outside-dns

Still, it doesn't hurt to remove these directives if only for clarity's sake.

And while we're speaking of removing directives, the import feature usually dumps any directives deemed NOT necessary for the configuration of the OpenVPN client GUI, into the custom config field. That can sometimes create conflicts, and why I generally recommend users remove anything the import feature dumps into that field. 99% of the time it's NOT essential to the configuration, and more likely to create than solve problems.

What the OpenVPN client is apparently complaining about is a failure in the -- up script, which is written by the developer(s) and called by OpenVPN in response to the up event.

admin@lab-merlin1:/tmp/home/root# cat /tmp/etc/openvpn/client1/config.ovpn
...
up 'ovpn-up 1 client'
...

These are actually binaries and thus not readily available to the end-user for examination. When they do fail (which usually means have an exit value > 0), OpenVPN will refuse to continue and fail the connection entirely.

So something is amiss here, but it's not obvious what based solely on a dump of the VPN provider's OpenVPN client config file.

What might be useful is dumping the router's OpenVPN client config file (i.e., the result of the import).

cat /tmp/etc/openvpn/client2/config.ovpn

Note, the OpenVPN client must be active (even if failed) for this to work.

And since the OP is using OpenVPN client #2, I have to ask, is there a another OpenVPN client such as #1 active at the same time? I'm just speculating if perhaps in doing so you might have created a conflict within the up/down scripts.