OpenVPN is one of the most popular protocols for VPN connections. It can be used to create a virtual private network or to interconnect local networks. OpenVPN is open source and distributed free of charge under the GNU GPL license. It provides faster connection speeds than other VPN protocols. Also, OpenVPN can be called one of the safest protocols. All transmitted data is securely protected by the OpenSSL encryption library and SSLv3/TLSv1 protocols, which provide high security and anonymity.
Keenetic routers have built-in support for the OpenVPN client. For the OpenVPN connection, features such as TCP and UDP mode, TLS authentication, use of certificates and encryption keys are implemented to enhance the security of the VPN connection.
To configure an OpenVPN connection, it is necessary to install the 'OpenVPN client' system component. A detailed description of the server mode can be found in the article OpenVPN server. You can install the system component on the 'General system settings' page in the 'Updates and component options' section by clicking 'Component options'.
Important! Keenetic routers apply strict OpenVPN configuration requirements. The basic ones are:
— The configuration must be in a single file.
— Certificates, keys, etc., should be included in this file.
— Configuration files with the .ovpn extension are usually compatible.
— If the ISP offers files for different routers or systems, in most cases, you can use a file for OpenWRT.
— In the configuration, you should use only the options listed in the document: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
— The configuration must not contain directives or unknown commands that the client cannot process. Some of the options described in that document may also be unsupported; for example, our OpenVPN implementation does not support IPv6-related options.
— The order of the options, certificates and keys does not matter.
— The OpenVPN configuration file is not saved in the startup-config configuration file. To get a backup of the OpenVPN client interface settings, you must save it separately.
Important! The number of client connections is limited by the allocated service memory partition size of 24 Kbytes for storing VPN configurations. This is especially important for OpenVPN connections because the total size of their configurations must not exceed 24 Kbytes.
VPN providers can offer different variants for OpenVPN configurations. Below, we will review some of them.
Option 1. Download the configuration file from the site of the OpenVPN server you plan to connect to.
For example, on www.vpngate.net, select the server and click on 'OpenVPN Config file'.
Next, select one of the configurations of this server, for example, with the DDNS domain name and TCP 1781.
The configuration file with the .ovpn extension will be downloaded to your computer. Open it in any text editor (e.g. Notepad) and copy all the contents to the clipboard by pressing Ctrl-A and then Ctrl-C keys on the keyboard.
After that, go to the 'Other connections' page and click 'Create connection' in the 'VPN Connections' section. In the 'VPN Connection Settings' window, select 'OpenVPN' in the 'Type (protocol)' field.
Then enter the name of the connection in the field 'Connection name', and in the field 'OpenVPN configuration', insert the copied configuration from the clipboard by pressing Ctrl-V. Save the settings.
To set up an operating schedule or select the interface through which the connection will work, click 'Show advanced settings'.
Once the connection has been created, set its switch to the 'On' state.
The status of the connection will also be displayed on this page.
Tip: If you want to use this connection for accessing the Internet, assign the highest priority to it. You will find information about priorities in the 'Connection priorities' article.
Option 2. On some sites with OpenVPN settings, in addition to the configuration file, there is a login and password specified, for example, on vpnbook.com.
In this case, before copying the content from the configuration file to the clipboard, it is necessary to delete the line:
CLI: auth-user-pass
and add a section by entering the required login and password values. For example:
CLI: <auth-user-pass>
vpnbook
r3d23xs
</auth-user-pass>
Option 3. Other ISPs, such as altvpn.com, provide certificates and keys as separate files. In this case, you need to:
3.1 Comment out the lines with the certificate and key file names with the symbol #:
CLI: #ca ca.crt
#cert xxxxxxxxxxxx.crt
#key xxxxxxxxxxxx.key
3.2 At the end of the configuration file, add the certificate and key sections and insert the contents of the corresponding files:
CLI: <ca>
-----BEGIN CERTIFICATE-----
... <--insert the body of the certificate from the ca.crt file here
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
... <--insert the body of the certificate from the xxxx.crt file here
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
... <--insert the key body from the xxxx.key file here
-----END RSA PRIVATE KEY-----
</key>
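The conversion described in Option 3, together with the requirements listed at the top of this article (single file, inline certificates and credentials, no unsupported options, 24 KB limit), as an added example that is not part of the article or of Keenetic's firmware. It assumes the provider's certificate and key files are already read into a dictionary; the sample config, PEM bodies and the list of rejected options are constructed from what this article reports.

```python
INLINE_DIRECTIVES = ("ca", "cert", "key", "crl-verify")
# Options this article reports the Keenetic client rejects, plus its IPv6 gap.
UNSUPPORTED = {"block-outside-dns", "keysize", "client-ip", "tun-ipv6", "route-ipv6", "ifconfig-ipv6"}
MAX_CONFIG_BYTES = 24 * 1024  # service partition shared by all VPN configurations

def inline_ovpn(config, files, credentials=None):
    """Rewrite a multi-file .ovpn into the single file Keenetic expects (files: name -> PEM text)."""
    out = []
    for raw in config.splitlines():
        parts = raw.split()
        if not parts or parts[0][0] in "#;":
            out.append(raw)
        elif parts[0] == "auth-user-pass":       # must become an inline credentials block
            if credentials is None:
                raise ValueError("auth-user-pass needs inline credentials on Keenetic")
            out.append("<auth-user-pass>\n%s\n%s\n</auth-user-pass>" % credentials)
        elif parts[0] in INLINE_DIRECTIVES and len(parts) >= 2:
            out.append("<%s>\n%s\n</%s>" % (parts[0], files[parts[1]].strip(), parts[0]))
        else:
            out.append(raw)
    return "\n".join(out) + "\n"

def check_keenetic_limits(config):
    """List everything the article says makes the Keenetic client exit with an error."""
    problems, in_block = [], False
    if len(config.encode()) > MAX_CONFIG_BYTES:
        problems.append("config exceeds the %d-byte partition" % MAX_CONFIG_BYTES)
    for line in config.splitlines():
        parts = line.split()
        if not parts or parts[0][0] in "#;":
            continue
        if parts[0].startswith("<"):             # entering or leaving an inline <tag> block
            in_block = not parts[0].startswith("</")
        elif in_block:
            continue                             # certificate, key or credential body
        elif parts[0] == "auth-user-pass":
            problems.append("auth-user-pass without inline credentials")
        elif parts[0] in INLINE_DIRECTIVES and len(parts) >= 2:
            problems.append("%s still references external file %s" % (parts[0], parts[1]))
        elif parts[0] in UNSUPPORTED:
            problems.append("unsupported option: " + parts[0])
    return problems

# Constructed sample: a provider config that ships its certificates as separate files.
PEM = "-----BEGIN %s-----\nQ09OU1RSVUNURUQ=\n-----END %s-----\n"
SAMPLE_FILES = {"ca.crt": PEM % (("CERTIFICATE",) * 2), "client.crt": PEM % (("CERTIFICATE",) * 2),
                "client.key": PEM % (("RSA PRIVATE KEY",) * 2)}
SAMPLE_CONFIG = ("client\ndev tun\nproto udp\nremote vpn.example.invalid 1194\n"
                 "ca ca.crt\ncert client.crt\nkey client.key\nauth-user-pass\nblock-outside-dns\n")
```

Run check_keenetic_limits on the original text to see why the router would reject it, then on the output of inline_ovpn to confirm only the genuinely unsupported option remains.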
Option 4. The privateinternetaccess.com provider ships the files ca.rsa.2048.crt and crl.rsa.2048.pem with its configuration; their contents should be inserted inside the <ca></ca> and <crl-verify></crl-verify> sections respectively.
The OpenVPN configuration file will look like this:
CLI: client
dev tun
proto udp
remote sweden.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
<auth-user-pass>
xxxxxx <--insert your login here
xxxxxx <--insert your password here
</auth-user-pass>
comp-lzo
verb 1
reneg-sec 0
disable-occ
<crl-verify>
-----BEGIN X509 CRL-----
... <--insert the CRL body from the crl.rsa.2048.pem file here
-----END X509 CRL-----
</crl-verify>
<ca>
-----BEGIN CERTIFICATE-----
... <--insert the body of the certificate from the file ca.rsa.2048.crt here
-----END CERTIFICATE-----
</ca>
Typical errors and solutions:
1. Error in the Keenetic log file:
OpenVPN0 auth-user-pass without inline credentials data is not supported
OpenVPN0 Exiting due to fatal error
This means that the configuration file still contains a line requesting interactive login/password entry, which Keenetic does not support. Delete or comment out any line of this type:
auth-user-pass
2. Error in the Keenetic log file:
OpenVPN0 Unrecognized option or missing or extra parameter(s) in configuration: (line X): block-outside-dns (2.4.4)
OpenVPN0 Exiting due to fatal error
For more information on the error and a solution, see the article 'Unrecognised option or missing or extra parameter(s) in configuration: block-outside-dns' error when establishing an OpenVPN connection.
3. Error when connecting to PrivateTunnel servers
An error is displayed when trying to connect:
OpenVPN0 Unrecognized option or missing or extra parameter(s) in configuration: (line 3): client-ip (2.4.4)
Add a line to the OpenVPN client configuration file:
ignore-unknown-option client-ip block-ipv6
4. An error occurs when using the askpass /storage/key.txt option:
Error: private key password verification failed
This is a limitation of the current OpenVPN implementation in Keenetic. You can only use a key without a password or with a fixed password: 'password'.
5. After updating the router to KeeneticOS 3.9.1, a VPN tunnel to OpenVPN servers of some services can stop working. You can see the following messages in the log:
W [Dec 15 16:52:58] OpenVPN6: DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
This is because the BF-CBC cipher is deprecated and is not supported as of the OpenVPN 2.5 client. Please see this link for more information.
BF-CBC support has been removed from the default configuration. In OpenVPN 2.5, only the AES-256-GCM and AES-128-GCM ciphers are accepted by default. This behaviour can be changed with the data-ciphers option, for example by specifying data-ciphers AES-256-GCM:AES-128-GCM:BF-CBC in the settings; data-ciphers-fallback BF-CBC can additionally be specified to support very old hosts that do not support cipher negotiation (the '--cipher' mode).
When upgrading to a newer version of OpenVPN, a 'cipher BF-CBC' setting in an old configuration file is converted automatically: BF-CBC is added to the data-ciphers set and data-ciphers-fallback mode is enabled.
To establish the tunnel successfully, the directive must be changed: replace
cipher AES-128-CBC
with
data-ciphers AES-128-CBC
or
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
If that does not work, replace it instead with
data-ciphers-fallback AES-128-CBC
For maximum cipher matching compatibility with the remote server, specify the directives:
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-128-CBC
or
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-CBC
Important! Encryption depends on the remote OpenVPN server. See the connection log before changing the cipher directive.
6. If the following key size error is detected in the log:
[E] Dec 16 19:01:38 OpenVPN0: Unrecognized option or missing or extra parameter(s) in configuration: (line 22): keysize (2.6_git)
[E] Dec 16 19:01:38 OpenVPN0: Exiting due to fatal error
[E] Dec 16 19:01:38 ndm: Service: "OpenVPN0": unexpectedly stopped.
You need to remove the 'keysize 256' option from the tunnel configuration, since it is deprecated in the updated OpenVPN 2.6.0 client, and then check the tunnel connection.
For more information on the 'keysize' option, follow this link.
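The troubleshooting list above, turned into detection logic over Keenetic log lines plus the cipher migration from item 5, as an added example that is not part of the article or of KeeneticOS. The log excerpt is constructed from the messages quoted in this article; the advice strings paraphrase the fixes given for each numbered error.

```python
import re

# Constructed log excerpt built from the messages quoted in this article.
SAMPLE_LOG = """\
OpenVPN0 auth-user-pass without inline credentials data is not supported
OpenVPN0 Exiting due to fatal error
OpenVPN0 Unrecognized option or missing or extra parameter(s) in configuration: (line 3): client-ip (2.4.4)
W [Dec 15 16:52:58] OpenVPN6: DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
[E] Dec 16 19:01:38 OpenVPN0: Unrecognized option or missing or extra parameter(s) in configuration: (line 22): keysize (2.6_git)
"""

UNKNOWN_OPTION = re.compile(r"Unrecognized option .*?\(line (\d+)\): (\S+)")
DEPRECATED_CIPHER = re.compile(r"--cipher set to '([^']+)' but missing in --data-ciphers \(([^)]+)\)")
KNOWN_FIXES = {  # per-option advice from the article's error list
    "block-outside-dns": "remove the option; the Keenetic client does not accept it",
    "client-ip": "add 'ignore-unknown-option client-ip block-ipv6'",
    "keysize": "remove 'keysize'; it is deprecated in OpenVPN 2.6",
}

def diagnose(log_text):
    """Map each Keenetic OpenVPN log line to (problem, documented fix); other lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        unknown, cipher = UNKNOWN_OPTION.search(line), DEPRECATED_CIPHER.search(line)
        if "auth-user-pass without inline credentials" in line:
            findings.append(("auth-user-pass", "replace it with an <auth-user-pass> block holding login and password"))
        elif unknown:
            opt, default = unknown.group(2), "line %s: remove it or list it under ignore-unknown-option" % unknown.group(1)
            findings.append((opt, KNOWN_FIXES.get(opt, default)))
        elif cipher:
            findings.append(("cipher", "replace 'cipher %s' with 'data-ciphers %s' and 'data-ciphers-fallback %s'"
                             % (cipher.group(1), cipher.group(2), cipher.group(1))))
    return findings

def migrate_cipher(config):
    """Rewrite a legacy 'cipher X' line into the data-ciphers pair the article recommends."""
    out = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "cipher":
            out.append("data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305")
            out.append("data-ciphers-fallback " + parts[1].upper())  # keeps the old cipher for servers without negotiation
        else:
            out.append(line)
    return "\n".join(out) + "\n"
```

As the article notes, the cipher the server actually accepts decides the fallback value, so read the connection log before applying migrate_cipher's output.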