PDA

Bekijk de volledige versie : [Howto] Install and configure basic OpenVPN server for Oleg firmware



ecaddict
20-09-2011, 16:00
Introduction/Installing
OpenVPN is one of the most useful tools that can be installed on the router (sad that it's not part of the firmware itself, also not part of the excellent raas tutorial that I've re-used) (http://wl500g.info/showthread.php?t=23684).
OpenVPN is a complex topic and unfortunately I'm not in a position to introduce you to all aspects. Basically the server running on the router allows you to access the router (and other machines on the router's LAN) from a remote machine over the internet like you would do it locally (you have to have OpenVPN client installed and properly configured on the remote machine though). Thus in short you can access the router e.g. from your relatives/friends, from public WiFi hotspots or from your workplace (unless restricted).

While installing OpenVPN is quite straightforward, it's not just ipkg install but you have to generate keys and set up the firewall properly etc.

This tutorial helps you in that. In fact it's sufficient to run only a script that does everything for you (questions will be asked though):

#!/bin/sh
#written by ecaddict, distributed (conveyed) under GPL version 3 or any later version

PORT=${1:-563}
VSNM=${2}
CONFIG="/opt/etc/openvpn/server${VSNM}.conf"
STARTS="/opt/etc/init.d/S20openvpn${VSNM}"
RSAVAR="/opt/share/easy-rsa/vars"
CKDIR="/mnt/protected"
#user editable part end

CONFD="${CONFIG%\/*}"
CONFF="${CONFIG##*/}"
INITD="${STARTS%\/*}"
INITF="${STARTS##*/}"
VARSD="${RSAVAR%\/*}"
VARSF="${RSAVAR##*/}"
VKDIR="${CONFD}/easy-rsa/keys${VSNM}"
TUNIF="tun0"

ipkg install openssl lzo net-tools easy-rsa psmisc openvpn

export EASY_RSA=${VARSD}
#creating certificates (if needed)
if [ ! -d "${VKDIR}" ]; then
if [ -d "${VARSD}" ]; then
cd ${VARSD} && [ ! -f ${VARSF}.old ] && cp ${VARSF} ${VARSF}.old
echo -e "\033[1;32mSeveral questions will be asked that will be reflected in the keys\033[0m"
echo -e "for private use your answer does not matter. \nSave previously generated keys from ${VARSD}/keys (if any)."
echo -e "\033[1;32mType the number of clients you need keys for and press Enter\033[0m to continue."
echo -e "Guess your number of clients well as it takes time both to generate and generate keys again."
read CKEYN; CKEYN=${CKEYN:-1}; [ "${CKEYN}" -gt 9 ] && CKEYN=9
./clean-all
source ${RSAVAR}
echo -e "\033[1;32mGenerating CA key\033[0m"
./build-ca
echo -e "\033[1;32mGenerating Diffie-Hellman parameters\033[0m"
./build-dh
echo -e "\033[1;32mGenerating Server key \033[0m" && ./build-key-server server
I=0; while [ ${I} -lt "${CKEYN}" ]; do
let "I+=1"
echo -e "\033[1;32mGenerating keys for client ${I}\033[0m" && ./pkitool --interact --inter client0${I}
done
mkdir -p ${VKDIR}
mv ./keys/server* "${VKDIR}"
mv ./keys/ca* "${VKDIR}"
mv ./keys/dh1024.pem "${VKDIR}"
mv ./keys/client* "${VKDIR}" #temporally
else
echo -e "\033[1;31mDirectory ${VARSD} does not exist\033[0m"
exit 1
fi
else
echo -e "\033[1;33mThe directory ${VKDIR} exists, no keys are generated.\033[0m"
fi

cd ${CONFD} && [ ! -f ${CONFF}.old ] && mv ${CONFF} ${CONFF}.old
cat > ${CONFF} << __EOF__
port ${PORT}
proto tcp
dev tun
ca ${VKDIR}/ca.crt
cert ${VKDIR}/server.crt
key ${VKDIR}/server.key
dh ${VKDIR}/dh1024.pem

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
__EOF__

tar -cvzf ${CKDIR}/vpnkeys${VSNM}.tar.gz ${VKDIR}/ca.crt ${VKDIR}/client0?.crt ${VKDIR}/client0?.key

cd ${INITD} && [ ! -f old.${INITF} ] && mv ${INITF} old.${INITF}
cat > ${INITF} << __EOF__
#!/bin/sh
#
# Startup script for openvpn as standalone server
#
PREFIX="/opt"
PORT=${PORT}
NAME=openvpn
PFILE="/opt/var/run/vpnserver${VSNM}.pid"
OPTS="--daemon --cd /opt/etc/openvpn --log-append /opt/var/log/openvpn.log --config ${CONFF} --writepid \${PFILE}"

# Make sure IP forwarding is enabled
echo 1 > /proc/sys/net/ipv4/ip_forward

# Make device if not present (not devfs)
if ( [ ! -c /dev/net/tun ] ) then
# Make /dev/net directory if needed
if ( [ ! -d /dev/net ] ) then
mkdir -m 755 /dev/net
fi
mknod /dev/net/tun c 10 200
fi

# Make sure the tunnel driver is loaded
if ( !(lsmod | grep -q "^tun") ); then
insmod tun
fi

if [ -z "\$1" ] ; then
case \`echo "\$0" | sed 's:^.*/\(.*\):\1:g'\` in
S??*) rc="start" ;;
K??*) rc="stop" ;;
*) rc="usage" ;;
esac
else
rc="\$1"
fi

case "\$rc" in
start)
echo "Starting: \$NAME"
\${PREFIX}/sbin/\${NAME} \$OPTS
iptables -I INPUT -i \`nvram get wan_ifname\` -p tcp --dport \$PORT -j ACCEPT
;;
stop)
if [ -f \${PFILE} ] ; then
kill \`cat \${PFILE}\` >/dev/null 2>&1
rm -f \${PFILE}
iptables -D INPUT -i \`nvram get wan_ifname\` -p tcp --dport \$PORT -j ACCEPT
else
killall "\$NAME"
fi
;;
restart)
"\$0" stop
sleep 1
"\$0" start
;;
*)
echo "Usage: \$0 (start|stop|restart|usage)"
;;
esac

__EOF__

[ -n "$2" ] && TUNIF="tun+"
if [ -z "`sed -n 's/-i '${TUNIF}' -j ACCEPT/&/p' /usr/local/sbin/post-firewall`" ]; then
cat >> /usr/local/sbin/post-firewall << __EOF__
iptables -I INPUT -i ${TUNIF} -j ACCEPT
iptables -I FORWARD -i ${TUNIF} -j ACCEPT
iptables -I FORWARD -o ${TUNIF} -j ACCEPT
iptables -I OUTPUT -o ${TUNIF} -j ACCEPT
__EOF__
iptables -I INPUT -i ${TUNIF} -j ACCEPT
iptables -I FORWARD -i ${TUNIF} -j ACCEPT
iptables -I FORWARD -o ${TUNIF} -j ACCEPT
iptables -I OUTPUT -o ${TUNIF} -j ACCEPT
flashfs save && flashfs commit && flashfs enable
fi

chmod u+x ${INITF}
${STARTS} start



The script will ask how many client keys should be generated (max 9) and typical questions for the keys like your location etc. Answer as you wish but you have to answer with y (yes) to the sign the certificate and commit questions.

There are the following typical options for the server port for OpenVPN:
1194 or 443 or 563
While 1194 is the well known port for OpenVPN, some restrictive firewalls don't allow this port so you may need to use 563 that's typically allowed (and also the script uses) or 443 (https port). If you plan to use port 443, it means that you cannot use it with the lighttpd which is not nice.

If you wish to use some other port start the script with the port ./install.sh <port>.
If you plan to start multiple server instances not only have to give different port but also different number or names to them like ./install.sh <port> <number/name>.

You can download the OpenVPN client from http://openvpn.net/index.php/open-source/downloads.html
Learn more about OpenVPN:
http://linux.die.net/man/8/openvpn
http://openvpn.net/index.php/open-source/documentation/howto.html

The generated client keys are copied to /mnt/protected/
On Windows you need the following keys (taken from the router):
C:\Program Files\OpenVPN\config\ca.crt
C:\Program Files\OpenVPN\config\client.crt
C:\Program Files\OpenVPN\config\client.key

If you use port 563/443 then you probably have to set the proxy as well in the client to proxy IP and typically 8080 port.
(Note: if your proxy uses NTLM authentication you have to run as admin openvpn.exe as the GUI has some issue and --config for the .ovpn file containing
http-proxy yourproxyIP 8080 stdin ntlm; alternatively use cntlm http://cntlm.sourceforge.net/)

Here are some snapshots from the example run I've made:
8285
8286
8287

You can download and run the script from here: 8371

If you're fine with the default parameters (single server, port: 563), you can paste the following line to your terminal (single line install).

cd /tmp && wget -O install.tar.gz "http://wl500g.info/attachment.php?attachmentid=8371&d=1318414980" && tar xvzf install.tar.gz && ./install.sh

By default the starter script is
/opt/etc/init.d/S20openvpn

The config file is:
/opt/etc/openvpn/server.conf

The keys are located in:
/opt/etc/openvpn/easy-rsa/keys/

ecaddict
20-09-2011, 16:01
Accessing Samba share and SWAT (Samba Web Administration Tool) via OpenVPN

For this you have to change some configuration files. Maybe I'll script it later on but it's really simple.

/opt/etc/samba/smb.conf
Make sure that in the [global] section you allow 10.8.0.0 that is you have to have something like this for host allow


hosts allow = 192.168.1. 10.8.0.0/24

After restarting Samba with either /opt/etc/init.d/S80samba or restarting the router you can access the share.

Browsing does not work (so you have to know the name of your share), the reasons are beyond the depth of this tutorial.

So in windows you can use map network drive e.g. for mnt share
\\10.8.0.1\mnt
or
\\192.168.1.1\mnt (especially with Samba3)
(the second works if route was successfully pushed via OpenVPN client, which e.g. with Windows 7 may require "Run as administrator" for OpenVPN client).

In Total Commander you can just change to the share e.g. (Samba is not too fast if you don't have a fast network connection it but works)
cd \\10.8.0.1\mnt

Accessing SWAT requires some more change, you have to edit the file:
/opt/etc/xinetd.d/swat

making sure that it contains 10.8.0.0/24 so it contains a line something like this:

only_from = localhost 192.168.1.0/24 10.8.0.0/24

After xinetd (/opt/etc/init.d/S10xinetd) or router restart you can access SWAT from your web browser via:
http://10.8.0.1:901 (http://10.8.0.1:901)
or
http://192.168.1.1:901 (especially with Samba3)

seb101
29-08-2012, 16:11
Hey
Im trying to install OpenVPN on my asus wl-500gp (v1) with attached usb-hdd but im stuck on generating keys from easy-rsa.
It's running Oleg 1.9.2.7-10



./install.sh
Package openssl (0.9.7m-6) installed in root is up to date.
Package lzo (2.03-1) installed in root is up to date.
Package net-tools (1.60-6) installed in root is up to date.
Package easy-rsa (2.0rc1SAN-3) installed in root is up to date.
Package psmisc (22.13-1) installed in root is up to date.
Package openvpn (2.2.0-1) installed in root is up to date.
Nothing to be done
Several questions will be asked that will be reflected in the keys
for private use your answer does not matter.
Save previously generated keys from /opt/share/easy-rsa/keys (if any).
Type the number of clients you need keys for and press Enter to continue.
Guess your number of clients well as it takes time both to generate and generate keys again.
1
Please source the vars script first (i.e. "source ./vars")
Make sure you have edited it to reflect your configuration.
./install.sh: ./install.sh: 55: source: not found
Generating CA key
Please edit the vars script to reflect your configuration,
then source it with "source ./vars".
Next, to start with a fresh PKI configuration and to delete any
previous certificates and keys, run "./clean-all".
Finally, you can run this tool (pkitool) to build certificates/keys.
Generating Diffie-Hellman parameters
Please source the vars script first (i.e. "source ./vars")
Make sure you have edited it to reflect your configuration.
Generating Server key
Please edit the vars script to reflect your configuration,
then source it with "source ./vars".
Next, to start with a fresh PKI configuration and to delete any
previous certificates and keys, run "./clean-all".
Finally, you can run this tool (pkitool) to build certificates/keys.
Generating keys for client 1
Please edit the vars script to reflect your configuration,
then source it with "source ./vars".
Next, to start with a fresh PKI configuration and to delete any
previous certificates and keys, run "./clean-all".
Finally, you can run this tool (pkitool) to build certificates/keys.
cannot stat `./keys/server*': No such file or directory
cannot stat `./keys/ca*': No such file or directory
cannot stat `./keys/dh1024.pem': No such file or directory
cannot stat `./keys/client*': No such file or directory
tar: /opt/etc/openvpn/easy-rsa/keys/client0?.key: No such file or directory
tar: /opt/etc/openvpn/easy-rsa/keys/client0?.crt: No such file or directory
tar: /opt/etc/openvpn/easy-rsa/keys/ca.crt: No such file or directory
tar: Error exit delayed from previous errors
Starting: openvpn



easy-rsa vars : /opt/share/easy-rsa


# easy-rsa parameter settings

# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.

# This variable should point to
# the top level of the easy-rsa
# tree.
export EASY_RSA="/opt/share/easy-rsa"

#
# This variable should point to
# the requested executables
#
export OPENSSL="openssl"
#export PKCS11TOOL="pkcs11-tool" - uncommented as i don't have it, is it even avaliable and required? (README said it can be uncommented)
export GREP="grep"


# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`/opt/share/easy_rsa/openssl.cnf` <--- changed this to openssl.cnf from whichopensslcnf (tested both) as README said

# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR="/opt/etc/openvpn/easy_rsa/keys"

# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

# Increase this to 2048 if you
# are paranoid. This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
export KEY_EXPIRE=3650

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"


any idea what is wrong with my config ?

Nix_o_lay
12-11-2012, 18:43
Hey
Im trying to install OpenVPN on my asus wl-500gp (v1) with attached usb-hdd but im stuck on generating keys from easy-rsa.
It's running Oleg 1.9.2.7-10




easy-rsa vars : /opt/share/easy-rsa


any idea what is wrong with my config ?

replace this line within script:


source ${RSAVAR}

with this:


. ${RSAVAR}

It worked for me.

zubarev
05-12-2012, 10:56
Thanku for manual, vpn tunnel working, but client connected via vpn to router haven't access to internet, onclient dhcp server 10.8.0.1, dns and gateway the same 10.8.0.1, can't ping any site by name and by ip, on router i can normally ping by names and ip

oldgringo
26-05-2013, 15:43
I am currently on the latest released fw (5066) on my rtn-16. From time to time (twice a month) I got similar error messages in a log:
May 26 00:00:05 kernel: SQUASHFS error: sb_bread failed reading block 0x6d
May 26 00:00:05 kernel: SQUASHFS error: Unable to read page, block d13d, size e18d
May 26 00:05:02 kernel: SQUASHFS error: Unable to read fragment cache entry [5a7be]

The only help is a hard restart of the router.

I tried newer fws from 5100 (from wpte's nightly builds - thanks for that ;)) but got router restarts after starting openvpn. It seems to me that the latest changes in tun (since 5099) caused this. Could somebody confirm that? Is there any solution for that?

oldgringo
27-05-2013, 17:33
Here is another syslog with more details:

May 27 04:03:44 kernel: WARNING: at fs/squashfs/uncomp.c:146 sqlzma_un()
May 27 04:03:44 kernel: Call Trace:
May 27 04:03:44 kernel: [<80265a88>] dump_stack+0x8/0x34
May 27 04:03:44 kernel: [<800e64d8>] sqlzma_un+0x140/0x258
May 27 04:03:44 kernel: [<800e12a8>] squashfs_read_data+0x4d0/0x7fc
May 27 04:03:44 kernel: [<800e17a8>] squashfs_cache_get+0x1d4/0x350
May 27 04:03:44 kernel: [<800e5fec>] squashfs_readpage+0x348/0x56c
May 27 04:03:44 kernel: [<8005967c>] __do_page_cache_readahead+0x25c/0x270
May 27 04:03:44 kernel: [<80059a00>] do_page_cache_readahead+0x5c/0x7c
May 27 04:03:44 kernel: [<80052ec8>] filemap_fault+0x2fc/0x46c
May 27 04:03:44 kernel: [<8005fa9c>] __do_fault.isra.46+0x7c/0x4e8
May 27 04:03:44 kernel: [<80062e44>] handle_mm_fault+0x10c/0x8e4
May 27 04:03:44 kernel: [<80012284>] do_page_fault+0x134/0x360
May 27 04:03:44 kernel: [<800082a0>] ret_from_exception+0x0/0xc
May 27 04:03:44 kernel: SQUASHFS error: sb_bread failed reading block 0x201
May 27 04:03:44 kernel: SQUASHFS error: Unable to read fragment cache entry [775bb]

Might be this error is caused by faulty power source? It's the original one, almost 3 years old.

wpte
01-06-2013, 10:32
That's a kernel oops.
Looks like there's a problem with loading the firmware file, or reading from it.

What firmware do you use, and which version?
You could try to flash a more recent version or reflash your firmware.

oldgringo
02-06-2013, 20:38
I have tried newer versions but how you can read in my previous post, there is some problem with openvpn again. And as I already mentioned I am on the latest official release v5066 from the repository. I had already downloaded and reflashed fw a few times (also from your "Nightly" web storage), but it's very hard to analyse this problem because it's occurrence is very rare - once a month.

oldgringo
05-06-2013, 00:00
I have tested a few more versions and I found that version 5097 is still working correctly with openvpn but 5100 not. Maybe changes in 5099 are the case?

wpte
06-06-2013, 22:15
I have tested a few more versions and I found that version 5097 is still working correctly with openvpn but 5100 not. Maybe changes in 5099 are the case?

Could be, although I find the warning messages you get a bit weird.

You should report your findings to lly.
The forum thread: http://wl500g.info/showthread.php?18004-New-oleg-firmware-version&p=260281 (I think lly watches it)

or add an issue to the google code project: https://code.google.com/p/wl500g/issues/entry

I mean, if you're sure it's not working after some revisions about there...

I haven't used openvpn for a long time on my router, so I didn't notice anything.

oldgringo
17-06-2013, 22:19
I found a reason of this weird problem - chipset overheating. I've mounted big heatsink with small cooler and everything seems to be OK.
But openvpn in v5099 and newer is still the issue, router is restarting everytime some client connects.

oldgringo
27-07-2013, 09:54
When I deactivated fastnat then connection became stable.

wpte
28-07-2013, 09:31
When I deactivated fastnat then connection became stable.

Well yes, it should be, otherwise openvpn won't work.

oldgringo
29-07-2013, 18:20
But up to version r5097 openvpn works also with fastnat set (no matter of value 1 or 2).

wpte
30-07-2013, 20:57
But up to version r5097 openvpn works also with fastnat set (no matter of value 1 or 2).

1 or 2?
you mean 0 = off and 1 = on?

According to lly, the proper way to turn it off is by doing:

nvram unset misc_fastnat_x

0 should turn it off though;)

oldgringo
03-08-2013, 13:17
No, I mean:


nvram set misc_fastnat_x=1
nvram commit

for activating of fastnat without url filter (fastest mode)


nvram set misc_fastnat_x=2
nvram commit

for activating of fastnat including url filter (slower, but still active).

By using


nvram unset misc_fastnat_x
nvram commit

fastnat is completely dectivated.

wpte
03-08-2013, 19:57
hmm... didn't know about the url-filterless option.
Anyway, with fastnat enabled openvpn shouldn't even work. At least, it doesn't for me.
Are you using TAP instead of TUN?

theMIROn
04-08-2013, 00:50
nvram set misc_fastnat_x=2
nvram commit

for activating of fastnat including url filter (slower, but still active).
not true nowadays, I've fixed fastnat & urlfiler coexistance to have almost no perfomance penalty and no control from userspace (values 1 or 2 or etc), it works automagically.


hmm... didn't know about the url-filterless option.
Anyway, with fastnat enabled openvpn shouldn't even work. At least, it doesn't for me.
Are you using TAP instead of TUN?
forget it about urlfilter since r5013,
fastnat control can be done via /proc/sys/net/netfilter/nf_conntrack_fastnat, 0 disabled, 1 enabled
fastnat state can be viewed via /proc/sys/net/netfilter/nf_conntrack_fastnat_http, 0 normal, 1 urlfiler-compatible mode
also, you can exclude any connection from being fastnated by iptables "-j MARK --set-mark" or "-j CONNMARK --set/and/or/xor-(x)mark"
issue you've faced with is new due recent tun driver kernel chages, and we need some time to handle it.

oldgringo
13-08-2013, 11:49
You're right, since r5099 I can't handle some connections on routers connected through openvpn. It seems that tun interface is somehow broken.

ekze
16-08-2013, 16:17
I've got the same problem.
Tried replacing the line suggested in the post above - didn't help.



install.sh
Package openssl (0.9.7m-6) installed in /opt/ is up to date.
Package lzo (2.03-1) installed in /opt/ is up to date.
Package net-tools (1.60-6) installed in /opt/ is up to date.
Package easy-rsa (2.0rc1SAN-3) installed in /opt/ is up to date.
Package psmisc (22.13-1) installed in /opt/ is up to date.
Package openvpn (2.2.0-1) installed in /opt/ is up to date.
Nothing to be done
Successfully terminated.
Several questions will be asked that will be reflected in the keys
for private use your answer does not matter.
Save previously generated keys from /opt/share/easy-rsa/keys (if any).
Type the number of clients you need keys for and press Enter to continue.
Guess your number of clients well as it takes time both to generate and generate keys again.
3
Please source the vars script first (i.e. "source ./vars")
Make sure you have edited it to reflect your configuration.
NOTE: If you run ./clean-all, I will be doing a rm -rf on /opt/share/easy-rsa/keys
Generating CA key
Please edit the vars script to reflect your configuration,
then source it with "source ./vars".
Next, to start with a fresh PKI configuration and to delete any
previous certificates and keys, run "./clean-all".
Finally, you can run this tool (pkitool) to build certificates/keys.
Generating Diffie-Hellman parameters
Please source the vars script first (i.e. "source ./vars")
Make sure you have edited it to reflect your configuration.
Generating Server key
Please edit the vars script to reflect your configuration,
then source it with "source ./vars".
Next, to start with a fresh PKI configuration and to delete any
previous certificates and keys, run "./clean-all".
Finally, you can run this tool (pkitool) to build certificates/keys.
Generating keys for client 1
Please edit the vars script to reflect your configuration,
then source it with "source ./vars".
Next, to start with a fresh PKI configuration and to delete any
previous certificates and keys, run "./clean-all".
Finally, you can run this tool (pkitool) to build certificates/keys.
Generating keys for client 2
Please edit the vars script to reflect your configuration,
then source it with "source ./vars".
Next, to start with a fresh PKI configuration and to delete any
previous certificates and keys, run "./clean-all".
Finally, you can run this tool (pkitool) to build certificates/keys.
Generating keys for client 3
Please edit the vars script to reflect your configuration,
then source it with "source ./vars".
Next, to start with a fresh PKI configuration and to delete any
previous certificates and keys, run "./clean-all".
Finally, you can run this tool (pkitool) to build certificates/keys.
cannot stat `./keys/server*': No such file or directory
cannot stat `./keys/ca*': No such file or directory
cannot stat `./keys/dh1024.pem': No such file or directory
cannot stat `./keys/client*': No such file or directory
tar: /opt/etc/openvpn/easy-rsa/keys/ca.crt: No such file or directory
tar: /opt/etc/openvpn/easy-rsa/keys/client0?.crt: No such file or directory
tar: /opt/etc/openvpn/easy-rsa/keys/client0?.key: No such file or directory
tar: error exit delayed from previous errors
Starting: openvpn

Anyone knows what is causing this and how to fix it?

aegisrtcw
26-09-2013, 12:40
I've got the same problem.
Tried replacing the line suggested in the post above - didn't help.
Anyone knows what is causing this and how to fix it?
Try

cp /opt/share/easy-rsa/* /opt/etc/openvpn/easy-rsa

MaTTejko
13-05-2014, 13:21
Can you please help me. I am trying to install OpenVPN server but I am getting this error. I have already replaced string "source ${RSAVAR}" with ". ${RSAVAR} ". but still that error.

I am having Oleg 1.9.2.7-10.

Matej



[admin@WL-0018F33B6971 /tmp]$ ./install.sh
Package openssl (0.9.7m-6) installed in /opt/ is up to date.
Package lzo (2.03-1) installed in /opt/ is up to date.
Package net-tools (1.60-6) installed in /opt/ is up to date.
Package easy-rsa (2.0rc1SAN-3) installed in /opt/ is up to date.
Package psmisc (22.13-1) installed in /opt/ is up to date.
Package openvpn (2.2.0-1) installed in /opt/ is up to date.
Nothing to be done
Successfully terminated.
Several questions will be asked that will be reflected in the keys
for private use your answer does not matter.
Save previously generated keys from /opt/share/easy-rsa/keys (if any).
Type the number of clients you need keys for and press Enter to continue.
Guess your number of clients well as it takes time both to generate and generate keys again.
1
Please source the vars script first (i.e. "source ./vars")
Make sure you have edited it to reflect your configuration.
NOTE: If you run ./clean-all, I will be doing a rm -rf on /opt/share/easy-rsa/keys
Generating CA key
Please edit the vars script to reflect your configuration,
then source it with "source ./vars".
Next, to start with a fresh PKI configuration and to delete any
previous certificates and keys, run "./clean-all".
Finally, you can run this tool (pkitool) to build certificates/keys.
Generating Diffie-Hellman parameters
Please source the vars script first (i.e. "source ./vars")
Make sure you have edited it to reflect your configuration.
Generating Server key
Please edit the vars script to reflect your configuration,
then source it with "source ./vars".
Next, to start with a fresh PKI configuration and to delete any
previous certificates and keys, run "./clean-all".
Finally, you can run this tool (pkitool) to build certificates/keys.
Generating keys for client 1
Please edit the vars script to reflect your configuration,
then source it with "source ./vars".
Next, to start with a fresh PKI configuration and to delete any
previous certificates and keys, run "./clean-all".
Finally, you can run this tool (pkitool) to build certificates/keys.
mv: unable to rename `./keys/server*': No such file or directory
mv: unable to rename `./keys/ca*': No such file or directory
mv: unable to rename `./keys/dh1024.pem': No such file or directory
mv: unable to rename `./keys/client*': No such file or directory
tar: /mnt/protected/vpnkeys.tar.gz: No such file or directory
Starting: openvpn

seff
21-10-2014, 10:53
Hey
Im trying to install OpenVPN on my asus wl-500gp (v1) with attached usb-hdd but im stuck on generating keys from easy-rsa.
It's running Oleg 1.9.2.7-10

easy-rsa vars : /opt/share/easy-rsa

any idea what is wrong with my config ?

Hi Matej,
this is going to fix it:

1)
Yes, replace source ${RSAVAR}" with ". ${RSAVAR} in the script. This is because 'source' is not recognized by /bin/sh shell (it is in BASH).
and move the sourcing command one line above before cleaning:

change these two lines:
./clean-all
. ${RSAVAR}

to:
. ${RSAVAR}
./clean-all

2)
Do not execute cp /opt/share/easy-rsa/* /opt/etc/openvpn/easy-rsa
if you have already done so, then remove it
rm -r /opt/etc/openvpn/easy-rsa

3)
run the script agaion

Now it will work.
J.

ffrr
05-05-2015, 07:42
I followed the HowTo, and I created the connection between my router and pc
but I can't ping 10.8.0.2 from my router.
Can someone give me a hint. Where did I do it wrong?