Posted: Fri Dec 08, 2023 0:06 Post subject: OpenVPN Client does not connect
Hi all,
I'm trying to set up an OpenVPN Client with CyberGhost VPN. I know the config is correct, but I'm getting an error about certificate files not being found; I tried with "" and without, as I received them from the VPN provider. I have read and tried to find the same issue in this forum, but no luck.
Dec 31 21:00:43 ROUTER daemon.warn openvpn[1488]: WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
Dec 31 21:00:43 ROUTER daemon.warn openvpn[1488]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (none). OpenVPN ignores --cipher for cipher negotiations.
Dec 31 21:00:43 ROUTER daemon.warn openvpn[1488]: WARNING: cipher 'none' specified for --data-ciphers. This allows negotiation of NO encryption and tunnelled data WILL then be transmitted in clear text over the network! PLEASE DO RECONSIDER THIS SETTING!
Dec 31 21:00:43 ROUTER daemon.warn openvpn[1488]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
Dec 31 21:00:43 ROUTER daemon.warn openvpn[1488]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
Dec 31 21:00:43 ROUTER daemon.notice openvpn[1488]: Options error: --ca fails with 'ca.crt': No such file or directory (errno=2)
Dec 31 21:00:43 ROUTER daemon.notice openvpn[1488]: Options error: --cert fails with 'client.crt': No such file or directory (errno=2)
Dec 31 21:00:43 ROUTER daemon.warn openvpn[1488]: WARNING: cannot stat file 'client.key': No such file or directory (errno=2)
Dec 31 21:00:43 ROUTER daemon.notice openvpn[1488]: Options error: --key fails with 'client.key': No such file or directory (errno=2)
Dec 31 21:00:43 ROUTER daemon.err openvpn[1488]: Options error: Please correct these errors.
Dec 31 21:00:43 ROUTER daemon.warn openvpn[1488]: Use --help for more information.
Dec 31 21:00:43 ROUTER user.info : [openvpn] : Error on startup, returncode 1
Dec 31 21:01:31 ROUTER user.info : [openvpn] : OpenVPN daemon (Client) starting/restarting...
Dec 31 21:01:31 ROUTER user.info : [openvpn] : PBR via tunnel now using setroute_pbr(): iptables -A FORWARD -i wlan1.1 -o tun1 -j ACCEPT iptables -A FORWARD -i tun1 -o wlan1.1 -j ACCEPT
Dec 31 21:01:31 ROUTER user.info : [openvpn] : PBR is active but NO killwitch: iptables -A FORWARD -i wlan1.1 -o tun1 -j ACCEPT iptables -A FORWARD -i tun1 -o wlan1.1 -j ACCEPT
Dec 31 21:01:31 ROUTER daemon.warn openvpn[1961]: WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
Dec 31 21:01:31 ROUTER daemon.warn openvpn[1961]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (none). OpenVPN ignores --cipher for cipher negotiations.
Dec 31 21:01:31 ROUTER daemon.warn openvpn[1961]: WARNING: cipher 'none' specified for --data-ciphers. This allows negotiation of NO encryption and tunnelled data WILL then be transmitted in clear text over the network! PLEASE DO RECONSIDER THIS SETTING!
Dec 31 21:01:31 ROUTER daemon.warn openvpn[1961]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
Dec 31 21:01:31 ROUTER daemon.warn openvpn[1961]: WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
Dec 31 21:01:31 ROUTER daemon.notice openvpn[1961]: Options error: --ca fails with 'ca.crt': No such file or directory (errno=2)
Dec 31 21:01:31 ROUTER daemon.notice openvpn[1961]: Options error: --cert fails with 'client.crt': No such file or directory (errno=2)
Dec 31 21:01:31 ROUTER daemon.warn openvpn[1961]: WARNING: cannot stat file 'client.key': No such file or directory (errno=2)
Dec 31 21:01:31 ROUTER daemon.notice openvpn[1961]: Options error: --key fails with 'client.key': No such file or directory (errno=2)
Dec 31 21:01:31 ROUTER daemon.err openvpn[1961]: Options error: Please correct these errors.
Dec 31 21:01:31 ROUTER daemon.warn openvpn[1961]: Use --help for more information.
Dec 31 21:01:31 ROUTER user.info : [openvpn] : Error on startup, returncode 1
Dec 31 21:01:31 ROUTER user.info : [vpn modules] : vpn modules successfully unloaded
Dec 31 21:01:31 ROUTER user.info : [vpn modules] : nf_conntrack_proto_gre successfully loaded
Dec 31 21:01:31 ROUTER user.info : [vpn modules] : nf_nat_proto_gre successfully loaded
Dec 31 21:01:31 ROUTER user.info : [vpn modules] : nf_conntrack_pptp successfully loaded
Dec 31 21:01:31 ROUTER user.info : [vpn modules] : nf_nat_pptp successfully loaded
Dec 7 20:14:30 ROUTER user.info : [vpn modules] : vpn modules successfully unloaded
Dec 7 20:14:30 ROUTER user.info : [vpn modules] : nf_conntrack_proto_gre successfully loaded
Dec 7 20:14:30 ROUTER user.info : [vpn modules] : nf_nat_proto_gre successfully loaded
Dec 7 20:14:30 ROUTER user.info : [vpn modules] : nf_conntrack_pptp successfully loaded
Dec 7 20:14:30 ROUTER user.info : [vpn modules] : nf_nat_pptp successfully loaded
Here is the config from CyberGhost
Code:
client
remote 87-XXXXXXXXXXXX.net 443
dev tun
proto udp
auth-user-pass
OpenVPN Client Enable
CVE-2019-14899 Mitigation Enable
Server IP / Name : Port
87-1-XXXXXXXXXX.net:443 (Default: 1194)
Set Multiple Servers Disable
Tunnel Device TUN
Tunnel Protocol UDP
Encryption Cipher AES-256-CBC
Hash Algorithm SHA256
First Data Cipher None
Second Data Cipher Not Set
Third Data Cipher Not Set
User Pass Authentication Enable
Username
aaaaaaaaaa
Password
••••••••••
Advanced Options Enable
TLS Cipher None
Compression Disabled
NAT Enable
Inbound Firewall on TUN Enable
Killswitch Disabled
Watchdog Disable
Source Routing (PBR)
Route Selected Sources via VPN
Split DNS Disable
Policy based Routing
iptables -A FORWARD -i wlan1.1 -o tun1 -j ACCEPT
iptables -A FORWARD -i tun1 -o wlan1.1 -j ACCEPT
Tunnel MTU Setting 1500 (Default: 1400, 0 Not Set)
Tunnel UDP Fragment (Default: Disable)
Tunnel UDP MSS Fix Disable
Verify Server Certificate Disable
Additional Configuration
client
remote 87-XXXXXXXXXX.net 443
dev tun
proto udp
auth-user-pass
OpenVPN documentation is a sticky (first few threads) in this forum.
Have a look at the OpenVPN Client setup guide.
If you followed the guide and still have problems, post screenshots of Basic setup page, OpenVPN setup page and OpenVPN status page (whole page).
WireGuard is much faster and easier to set up, so if your provider supports it I would advise using WireGuard.
Hi egc,
Thank you for replying. I figured out what the issue was: the PBR was active and causing an issue with the option "Inbound Firewall on TUN"; when I disable it, OpenVPN connects. Now the challenge is to set only wlan1.1 to go out via tun1.
In the PBR section I'm using these rules:
iptables -A FORWARD -i wlan1.1 -o tun1 -j ACCEPT
iptables -A FORWARD -i tun1 -o wlan1.1 -j ACCEPT
And my route table is like this:
Code:
Destination LAN NET        Gateway                     Table    Scope  Metric  IF          Source
0.0.0.0/1                  10.21.4.1                   10              0       tun1
10.0.0.243                 10.21.4.1                   10              0       tun1
10.21.4.0/24                                           10       link   0       tun1        10.21.4.221
127.0.0.0/8                                            10       link   0       lo
128.0.0.0/1                10.21.4.1                   10              0       tun1
154.47.16.148              192.168.10.1                10              0       WAN
154.47.16.241              192.168.10.1                10              0       WAN
192.168.0.0/24                                         10       link   0       LAN & WLAN  192.168.0.1
192.168.7.0/24                                         10       link   0       wlan1.1     192.168.7.1
192.168.10.0/24                                        10       link   0       WAN         192.168.10.13
0.0.0.0/1                  10.21.4.1                   default         0       tun1
default                    192.168.10.1                default         0       WAN
10.0.0.243                 10.21.4.1                   default         0       tun1
10.21.4.0/24                                           default  link   0       tun1        10.21.4.221
127.0.0.0/8                                            default  link   0       lo
128.0.0.0/1                10.21.4.1                   default         0       tun1
154.47.16.148              192.168.10.1                default         0       WAN
154.47.16.241              192.168.10.1                default         0       WAN
192.168.0.0/24                                         default  link   0       LAN & WLAN  192.168.0.1
192.168.7.0/24                                         default  link   0       wlan1.1     192.168.7.1
192.168.10.0/24                                        default  link   0       WAN         192.168.10.13
2804:14c:f429:870b::/64                                default         256     WAN
2000::/3                                               default         200     tun1
default                    fe80::2a32:c5ff:fec5:f700   default         1024    WAN
Not sure what is wrong with these iptables rules now; when I connect to any WLAN I'm getting out via tun1, but I want only traffic from LAN 192.168.7.x/24 to use the VPN.
Last edited by Alisconeglian on Fri Dec 08, 2023 14:39; edited 1 time in total
Joined: 18 Mar 2014 Posts: 12923 Location: Netherlands
Posted: Fri Dec 08, 2023 14:58 Post subject:
You do not need any firewall/iptables rules; just carefully follow the instructions on page 7: Route selected sources via the VPN.
Per the manual:
Quote:
You can specify a whole in-interface to use the VPN with CIDR notation, e.g. 192.168.2.0/24, but it is easier to use the interface name (e.g. br1, wl0.1, wlan1.1, etc.); the interface has to be unbridged to work:
iif br1
or
iif wl0.1
Thank you again, but it is still not working; all WLANs are still getting traffic via tun1, and interface wlan1.1 is not bridged.
I tried with the interface as you said, and also with the network as described in the help section:
Quote:
OpenVPN Client
Policy-based Routing:
Add IPs / NETs in the following format 0.0.0.0/0 to force clients to use the tunnel as the default gateway. Enter one IP / NET per line.
IP Address / Netmask:
Must be set when using DHCP-Proxy mode and local TAP is not bridged
Joined: 18 Mar 2014 Posts: 12923 Location: Netherlands
Posted: Fri Dec 08, 2023 16:08 Post subject:
Alisconeglian wrote:
Thank you again, but it is still not working; all WLANs are still getting traffic via tun1, and interface wlan1.1 is not bridged.
I tried with the interface as you said, and also with the network as described in the help section:
Quote:
OpenVPN Client
Policy-based Routing:
Add IPs / NETs in the following format 0.0.0.0/0 to force clients to use the tunnel as the default gateway. Enter one IP / NET per line.
IP Address / Netmask:
Must be set when using DHCP-Proxy mode and local TAP is not bridged
I've read both documents, the one about the client and the one about PBR, but even with PBR set all WLAN traffic is being sent to tun1. To try to work around it I have added to Additional Configuration the option
pull-filter ignore "redirect-gateway"
From the troubleshooting section I got the commands below, and I can see the PBR with the specific network there. I also did a traceroute, but as far as I can see the first rule is the root cause of this issue and I don't know how to fix it. Any hint?
Code:
root@ROUTER:~# ip rule show
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
root@ROUTER:~# ip route show
0.0.0.0/1 via 10.20.4.1 dev tun1
default via 192.168.10.1 dev eth0
10.0.0.243 via 10.20.4.1 dev tun1
10.20.4.0/24 dev tun1 scope link src 10.20.4.178
127.0.0.0/8 dev lo scope link
128.0.0.0/1 via 10.20.4.1 dev tun1
154.47.16.240 via 192.168.10.1 dev eth0
192.168.0.0/24 dev br0 scope link src 192.168.0.1
192.168.7.0/24 dev wlan1.1 scope link src 192.168.7.1
192.168.10.0/24 dev eth0 scope link src 192.168.10.13
root@ROUTER:~# ip route show table 10
0.0.0.0/1 via 10.20.4.1 dev tun1
prohibit default
10.0.0.243 via 10.20.4.1 dev tun1
10.20.4.0/24 dev tun1 scope link src 10.20.4.178
127.0.0.0/8 dev lo scope link
128.0.0.0/1 via 10.20.4.1 dev tun1
154.47.16.240 via 192.168.10.1 dev eth0
192.168.0.0/24 dev br0 scope link src 192.168.0.1
192.168.7.0/24 dev wlan1.1 scope link src 192.168.7.1
192.168.10.0/24 dev eth0 scope link src 192.168.10.13
root@ROUTER:~# cat /tmp/openvpncl/policy_ips
192.168.7/24
Code:
root@ROUTER:~# traceroute -s 192.168.0.1 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8) from 192.168.0.1, 30 hops max, 46 byte packets
1 10.20.4.1 (10.20.4.1) 186.906 ms 187.419 ms 186.225 ms
2 154.47.16.252 (154.47.16.252) 187.224 ms 154.47.16.253 (154.47.16.253) 186.140 ms 186.315 ms
3 185.156.45.216 (185.156.45.216) 186.461 ms 186.421 ms^C
root@ROUTER:~# traceroute -s 192.168.7.1 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8) from 192.168.7.1, 30 hops max, 46 byte packets
1 10.20.4.1 (10.20.4.1) 185.559 ms 185.770 ms 185.883 ms
2 154.47.16.252 (154.47.16.252) 186.079 ms
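The `ip rule show` and `ip route show` output above already contains the diagnosis: no rule sends any source to table 10, and the main table carries the two redirect-gateway halves (0.0.0.0/1 and 128.0.0.0/1) via tun1, so every LAN goes into the tunnel. The following is an added example, not code from the thread or from DD-WRT, that parses such output offline and reports both conditions; the table number 10 and the policy_ips format are taken from the thread, and the sample text is constructed from the output posted there.

```python
import ipaddress
import re

PBR_TABLE = "10"  # the table DD-WRT fills for PBR (`ip route show table 10` in the thread)

# Constructed sample input, condensed from the outputs posted in the thread.
IP_RULE = "0:\tfrom all lookup local\n32766:\tfrom all lookup main\n32767:\tfrom all lookup default\n"
IP_ROUTE_MAIN = (
    "0.0.0.0/1 via 10.20.4.1 dev tun1\n"
    "default via 192.168.10.1 dev eth0\n"
    "128.0.0.0/1 via 10.20.4.1 dev tun1\n"
    "192.168.7.0/24 dev wlan1.1 scope link src 192.168.7.1\n"
)
POLICY_IPS = "192.168.7/24\n"  # contents of /tmp/openvpncl/policy_ips as shown in the thread
RULE_RE = re.compile(r"^\d+:\s+from (\S+)(?: iif (\S+))? lookup (\S+)")


def parse_policy(text):
    """policy_ips entries as ('from', cidr) or ('iif', ifname); DD-WRT accepts
    shorthand like 192.168.7/24, which is padded to 192.168.7.0/24 here."""
    entries = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("iif "):
            entries.append(("iif", line.split()[1]))
            continue
        addr, _, plen = line.partition("/")
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
        entries.append(("from", str(ipaddress.ip_network(f"{addr}/{plen or 32}", strict=False))))
    return entries


def pbr_rules(text, table=PBR_TABLE):
    """Rules from `ip rule show` whose lookup target is the PBR table."""
    rules = []
    for m in filter(None, map(RULE_RE.match, text.splitlines())):
        if m.group(3) == table:
            rules.append(("iif", m.group(2)) if m.group(2) else ("from", m.group(1)))
    return rules


def diagnose(rule_text, route_text, policy_text):
    """Finding 1: policy entries with no ip rule, so table 10 is never consulted.
    Finding 2: redirect-gateway def1 halves (0.0.0.0/1, 128.0.0.0/1) in the main
    table, which push every source into the tunnel regardless of PBR."""
    covered = set(pbr_rules(rule_text))
    missing = [e for e in parse_policy(policy_text) if e not in covered]
    def1_devs = set()
    for parts in (l.split() for l in route_text.splitlines()):
        if parts and parts[0] in ("0.0.0.0/1", "128.0.0.0/1") and "dev" in parts:
            def1_devs.add(parts[parts.index("dev") + 1])
    return {"policy_without_rule": missing, "def1_devs_in_main": sorted(def1_devs)}
```

On the router the same check is run by feeding it the live output of the three commands; an empty `policy_without_rule` list together with an empty `def1_devs_in_main` list is the state in which only the policy sources reach tun1.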