OpenVPN client

OpenVPN is one of the most popular protocols for VPN connection. It can be used to create a virtual private network or to interconnect local networks. OpenVPN is open source and distributed free of charge under the GNU GPL license. It provides faster connection speeds than other VPN protocols. In addition, OpenVPN can be called one of the safest protocols. All transmitted data is securely protected by the OpenSSL encryption library and SSLv3/TLSv1 protocols, which provides high security and anonymity.

OpenVPN-client support is integrated in Keenetic routers. To configure an OpenVPN connection, it is necessary to install the 'OpenVPN client' system component. With this component Keenetic can be used as a client and as an OpenVPN server. Detailed description of the server mode can be found in the article 'OpenVPN server'. You can install the system component on the 'General system settings' page in the 'Updates and component options' section by clicking 'Component options'.

NOTE: Important! Keenetic imposes strict requirements on the OpenVPN configuration. The basic requirements are:

— The configuration must be in a single file.
— Certificates, keys, etc. should be included in this file.
— Configuration files with .ovpn extension are usually compatible.
— If the ISP offers files for different routers or systems, in most cases you can use a file for OpenWRT.
— In the configuration you should use only the options listed in the document: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
— The configuration must not contain directives or unknown commands that cannot be processed. Some of the options described in the document above may not be supported. For example, our OpenVPN implementation does not support options related to IPv6.
— The order of the options and of the included certificates and keys does not matter.
— The OpenVPN configuration file is not saved in the startup-config configuration file. To get a backup of the OpenVPN client interface settings, you must save it separately.

VPN providers can offer different variants for OpenVPN configurations. Below we will review some of them.

Option 1. Download the configuration file from the site of the OpenVPN server you plan to connect to.
For example, on www.vpngate.net, select the server and click on 'OpenVPN Config file'.

Next, select one of the configurations of this server. For example, with the DDNS domain name and TCP 1781.

The configuration file with the .ovpn extension will be downloaded to your computer. Open it in any text editor (e.g. Notepad) and copy all the contents to the clipboard by pressing Ctrl-A and then Ctrl-C keys on the keyboard.

After that go to the 'Other connections' page and in the 'VPN Connections' section click 'Create connection'. In the 'VPN Connection Settings' window, select 'OpenVPN' in the 'Type (protocol)' field.
Then enter the name of the connection in the field 'Connection name' and in the field 'OpenVPN configuration' insert the copied configuration from the clipboard by pressing Ctrl-V. Save the settings.

To set up a work schedule or define the interface through which the connection will work, click on 'Show advanced settings'.

Once the connection is established, put the switch in the 'On' state.
The status of the connection will also be displayed on this page.

TIP: If you want to use this connection for accessing the Internet, assign the highest priority to it. You will find information about the priorities in the 'Connection priorities' article.

Option 2. On some sites with OpenVPN settings, for example vpnbook.com, a login and password are specified in addition to the configuration file.

In this case, before copying the content from the configuration file to clipboard, it is necessary to delete the line:

CLI: auth-user-pass

and add an auth-user-pass section containing the required login and password values. For example:

CLI: <auth-user-pass>
vpnbook
r3d23xs
</auth-user-pass>

Option 3. Other ISPs, such as altvpn.com, provide certificates and keys as separate files. In this case you need to:

3.1 Comment out the lines with the certificate and key file names with the symbol #:

CLI: #ca ca.crt
#cert xxxxxxxxxxxx.crt
#key xxxxxxxxxxxx.key

3.2 At the end of the configuration file, add the certificate and key sections and insert the contents of the corresponding files:

CLI: <ca>
-----BEGIN CERTIFICATE-----
...       <--insert the body of the certificate from the ca.crt file here
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...       <--insert the body of the certificate from the xxxx.crt file here
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
...       <--insert the key body from the xxxx.key file here
-----END RSA PRIVATE KEY-----
</key>

Option 4. The privateinternetaccess.com provider ships the files ca.rsa.2048.crt and crl.rsa.2048.pem with its configuration. Their contents should be inserted into the <ca></ca> and <crl-verify></crl-verify> sections respectively.

The OpenVPN configuration file will look like this:

CLI: client
dev tun
proto udp
remote sweden.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
<auth-user-pass>
xxxxxx       <--insert your login here
xxxxxx       <--insert your password here
</auth-user-pass>
comp-lzo
verb 1
reneg-sec 0
disable-occ

<crl-verify>
-----BEGIN X509 CRL-----
...       <--insert the CRL body from the crl.rsa.2048.pem file here
-----END X509 CRL-----
</crl-verify>

<ca>
-----BEGIN CERTIFICATE-----
...       <--insert the body of the certificate from the file ca.rsa.2048.crt here
-----END CERTIFICATE-----
</ca>
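
The manual edits from Options 2 to 4 (comment out the file references, append inline sections, replace the bare auth-user-pass line) can be scripted. The Python below is an added example, not Keenetic's or any provider's code; the name to_single_file, the read_file callback and the sample profile are assumptions of this example, and file names are assumed to contain no spaces.

```python
import re

# Directives whose file argument is replaced by an inline <tag> section.
FILE_DIRECTIVES = ("ca", "cert", "key", "crl-verify")

def to_single_file(config, read_file, login=None, password=None):
    """Return (single_file_config, notes). read_file maps a file name to its text."""
    body, blocks, notes, inside = [], [], [], None
    for line in config.splitlines():
        stripped = line.strip()
        words = stripped.split()
        opened = re.fullmatch(r"<([a-z0-9-]+)>", stripped)
        if inside:                                  # copy existing inline sections as-is
            body.append(line)
            if stripped == f"</{inside}>":
                inside = None
        elif opened:
            inside = opened.group(1)
            body.append(line)
        elif len(words) >= 2 and words[0] in FILE_DIRECTIVES:
            body.append("#" + stripped)             # step 3.1: comment out the reference
            pem = read_file(words[1]).strip()
            blocks.append(f"<{words[0]}>\n{pem}\n</{words[0]}>")   # step 3.2: inline it
        elif words == ["auth-user-pass"]:           # bare form is a fatal error on the router
            if login is None or password is None:
                notes.append("auth-user-pass dropped: supply login and password")
            else:
                blocks.append(f"<auth-user-pass>\n{login}\n{password}\n</auth-user-pass>")
        else:
            body.append(line)
    return "\n".join(body + blocks) + "\n", notes

# Constructed sample input: not a real provider profile, certificate or key.
SAMPLE = "client\ndev tun\nremote vpn.example.net 1194\nca ca.crt\nkey client.key\nauth-user-pass\n"
FILES = {
    "ca.crt": "-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n",
    "client.key": "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    text, notes = to_single_file(SAMPLE, FILES.__getitem__, "demo-user", "demo-pass")
    print(text, notes)
```

The resulting file contains the private key and the password in clear text, so store any backup copy of it with the same care as the key itself.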

TIP: Typical errors and solutions:

1. auth-user-pass without inline credentials data is not supported

The configuration file contains a line for interactive login/password entry, which is not supported by Keenetic. Error in the Keenetic log file:

OpenVPN0 auth-user-pass without inline credentials data is not supported
OpenVPN0 Exiting due to fatal error

Delete or comment out all lines of this kind:

auth-user-pass

2. Block-outside-dns option error

The block-outside-dns option is configured on the OpenVPN server, which is correctly handled only in Windows. Error in the Keenetic log file:

OpenVPN0 Unrecognized option or missing or extra parameter(s) in configuration: (line X): block-outside-dns (2.4.4)
OpenVPN0 Exiting due to fatal error

Add a line to the OpenVPN client configuration file:

pull-filter ignore "block-outside-dns"

3. Error when connecting to PrivateTunnel servers

An error is displayed when trying to connect:

OpenVPN0 Unrecognized option or missing or extra parameter(s) in configuration: (line 3): client-ip (2.4.4)

Add a line to the OpenVPN client configuration file:

ignore-unknown-option client-ip block-ipv6

4. An error occurs when using the askpass /storage/key.txt option:

Error: private key password verification failed

This is a limitation of the current OpenVPN implementation in Keenetic. You can only use a key without a password or with a fixed password: 'password'.
