OpenVPN server and client

OpenVPN is one of the most popular protocols for VPN connections. It can be used to create a virtual private network or to interconnect local networks. OpenVPN is open source and distributed free of charge under the GNU GPL license. It provides faster connection speeds than other VPN protocols, and it can be considered one of the safest: all transmitted data is protected by the OpenSSL encryption library and the SSLv3/TLSv1 protocols, which provide a high level of security and anonymity.

The Keenetic router supports TCP and UDP modes for the OpenVPN connection, TLS authentication, and the use of certificates and encryption keys to increase the security of the VPN connection.

NOTE: Important! The Keenetic router that will host the OpenVPN server must be connected to the Internet with a global IP address, and when using the KeenDNS domain name, it must be configured in Direct access mode. If any of these conditions are not met, it will not be possible to connect to such a server from the Internet.

Installing the system component 'OpenVPN client' is necessary to configure the OpenVPN connection. With this component, you can use both the client and OpenVPN server in your Keenetic. A detailed description of the client mode may be found in the OpenVPN client article. You can install the system component on the 'General system settings' page in the 'Updates and components' section by clicking 'Component options'.


The OpenVPN mode (client or server) is mainly defined by its configuration file.

NOTE: Important! OpenVPN configuration requirements for use in Keenetic:
— The configuration must be in a single file.
— Certificates, keys, etc., should be included in this file.
— Configuration files with the .ovpn extension are usually suitable.
— In the configuration, you should use only the options listed in the document: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage.
— Some of the options described in that document may not be supported. For example, our OpenVPN implementation does not support IPv6-related options.
— The order of the options and of the embedded certificates and keys does not matter.
— OpenSSL keys should be set without a password because there is no option to enter it in the Keenetic interface.
— The OpenVPN configuration file is not saved in the startup-config configuration file. To get a backup of the OpenVPN client interface settings, you must save it separately.

Important! For Keenetic KN-1110, 1210, 1310, 1410, 1510, 1610, 1710, 1810 and 1910 models, the number of client connections is limited by the 24 Kbyte service memory partition allocated for storing VPN configurations. This is especially relevant for OpenVPN connections: the total size of their configurations must not exceed 24 Kbytes.
For modern Keenetic models with a KN-XXXX index, the storage where the startup-config configuration file and environment variables (including keys) are kept in compressed form has been increased and ranges from 260 Kbytes to 2 Mbytes, depending on the model.

Let's consider an example of connecting OpenVPN of the 'site-to-site' type.


We will connect the Keenetic#2 client (Home segment 192.168.2.0/24, tunnel address 10.1.0.2) to the server on Keenetic#1 (Home segment 192.168.1.0/24, tunnel address 10.1.0.1).

1. First, let's look at the simplest configuration using a shared secret key.

1.1 The minimum configuration of the OpenVPN server for Keenetic#1:

dev tun
ifconfig 10.1.0.1 10.1.0.2
cipher AES-128-CBC
<secret>
# insert the secret key here
</secret>
verb 3
route 192.168.2.0 255.255.255.0


1.2 The minimum configuration of the OpenVPN client for Keenetic#2:

dev tun
# server's domain name or IP address
remote KEENETIC-1.mykeenetic.net
ifconfig 10.1.0.2 10.1.0.1
cipher AES-128-CBC
<secret>
# insert the secret key here
</secret>
verb 3
route 192.168.1.0 255.255.255.0

If all traffic must be routed through the tunnel, use one of the following instead of the last route line:

redirect-gateway def1

or

route 0.0.0.0 0.0.0.0

 

1.3 Generate a shared secret key. To do this, download and install OpenVPN from here: https://openvpn.net/index.php/download/community-downloads.html
In this example, we will be using version 2.4.6-I602 for Windows.

After installing the software, restart the computer.
By default, the program will be installed in the C:\Program folder.
Run the Windows command line as an administrator. Go to C:\Program Files\OpenVPN\bin and run the command:

openvpn.exe --genkey --secret static.key



1.4 Open the generated static.key file with the shared secret key in any text editor (e.g. Notepad), copy its contents to the clipboard (Ctrl-A, Ctrl-C) and paste (Ctrl-V) into the appropriate locations of the client and server configuration files.

Examples of the static-server.ovpn configuration file for Keenetic#1 and the static-client.ovpn configuration file for Keenetic#2 with a shared secret key are attached at the end of this article. These files contain other OpenVPN settings, commented out (starting with ';'), which may be used later if necessary. You can use these configuration files for verification by replacing the domain name KEENETIC-1.mykeenetic.net in static-client.ovpn with the domain name of your Keenetic#1 or its public IP address, and by replacing the shared secret key in both files with the one you generated.
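Assembling the two shared-key files from steps 1.1 to 1.4 can be scripted. The following Python example is added here and is not part of the original article or of Keenetic's software: it validates the static.key block and emits mirrored server and client configurations for this site-to-site example. SAMPLE_KEY is a constructed placeholder rather than a real key, and the function names are the example's own.

```python
import re

# A 2048-bit OpenVPN static key: 512 hex digits between the BEGIN and END markers
STATIC_KEY = re.compile(r"-----BEGIN OpenVPN Static key V1-----\s*([0-9a-fA-F\s]+?)\s*"
                        r"-----END OpenVPN Static key V1-----")


def validate_static_key(key_text):
    """Return the key block from static.key, rejecting anything that is not a V1 static key."""
    m = STATIC_KEY.search(key_text)
    if not m:
        raise ValueError("no 'OpenVPN Static key V1' block found")
    hex_digits = "".join(m.group(1).split())
    if len(hex_digits) != 512:  # 2048 bits = 256 bytes = 512 hex digits
        raise ValueError(f"key has {len(hex_digits)} hex digits, expected 512")
    return m.group(0)


def build_site_to_site(key_text, server_host, server_tun="10.1.0.1", client_tun="10.1.0.2",
                       server_lan="192.168.1.0 255.255.255.0", client_lan="192.168.2.0 255.255.255.0"):
    """Return {'server': ..., 'client': ...}: the key inlined once in each file, addresses mirrored."""
    key_block = validate_static_key(key_text)
    common = ["cipher AES-128-CBC", "<secret>", key_block, "</secret>", "verb 3"]
    # each side routes the other side's Home segment through the tunnel
    server = ["dev tun", f"ifconfig {server_tun} {client_tun}", *common, f"route {client_lan}"]
    client = ["dev tun", f"remote {server_host}", f"ifconfig {client_tun} {server_tun}", *common,
              f"route {server_lan}"]
    return {"server": "\n".join(server) + "\n", "client": "\n".join(client) + "\n"}


# Constructed placeholder, NOT a real key: generate yours with 'openvpn.exe --genkey --secret static.key'
SAMPLE_KEY = ("#\n# 2048 bit OpenVPN static key\n#\n-----BEGIN OpenVPN Static key V1-----\n"
              + "\n".join(["0123456789abcdef" * 2] * 16)
              + "\n-----END OpenVPN Static key V1-----\n")

if __name__ == "__main__":
    files = build_site_to_site(SAMPLE_KEY, "KEENETIC-1.mykeenetic.net")
    print(files["server"])
    print(files["client"])
```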

1.5 Go to the 'Other Connections' page in the web interface of the 1st Keenetic and click 'Create connection' in the 'VPN connections' section. In the 'VPN connection settings' window, select 'OpenVPN' in the 'Type (protocol)' field.
Then enter the connection's name in the 'Connection name' field and insert the contents of the static-server.ovpn configuration file in the 'OpenVPN configuration' field. Save the settings.


NOTE: Important! From KeeneticOS 3.4.1, the server only works when 'Any Internet connection' is selected in the 'Connect via' field.

1.6 In the same way, add an OpenVPN connection to the web interface of the second Keenetic, but with a static-client.ovpn configuration:


1.7 Additionally, on the Keenetic#1 (server) side, run the following commands in the router's command-line interface (CLI):

interface OpenVPN0 no ip global
interface OpenVPN0 security-level private


To allow traffic between the Home and OpenVPN0 interfaces, which have a private security level, run the command:

no isolate-private


If you plan to use this server to connect the client to the Internet as well, run the command:

ip nat 10.1.0.2 255.255.255.255


and save the settings with the command:

system configuration save



1.8 Finally, it is necessary to open a port for the OpenVPN connection. The default port is UDP/1194. To do this, create a rule on the 'Firewall' page for the 'Provider' interface or for whichever interface is used to access the Internet (in addition to 'Provider', this can be a PPPoE, L2TP or PPTP interface).


On the 'Firewall rule' window, select 'Allow' in the 'Action' field, 'UDP' in the 'Protocol' field, and 'Equals 1194' in the 'Destination port number' field.


This completes the configuration of the OpenVPN tunnel. Successful establishment of the tunnel is confirmed by the messages in the System log (on the 'Diagnostics' page):


Try pinging both ends of the tunnel to check:

ping 10.1.0.1
ping 10.1.0.2


and then remote subnets:

ping 192.168.1.1
ping 192.168.2.1

 

TIP: In the second part of the example, for simplicity, we performed all the operations in one folder, although for security reasons it is recommended to place the certification authority on a separate computer isolated from the Internet, to store its secret key only there, and to carry certificates on removable media. Similarly, the private keys of the server and of the OpenVPN clients should only be placed on their respective sides of the tunnel. Only certificates are exchanged.

TIP: Note

1. OpenVPN clients connected to the server will be displayed on the Client Lists page in the Unregistered Clients list. If you have selected the 'No Internet access' policy on the 'Home segment' page in the 'Connection policy' section, don't forget to register OpenVPN clients if you need to provide them with Internet access as well.

2. The configuration of the OpenVPN interface is not saved in the startup-config file. For backup purposes, we recommend backing up the OpenVPN settings in a separate file.

3. If the OpenVPN client connection is to be used to access the Internet, assign the highest priority to the connection. For information about priorities, see the Connection Priorities article.

4. In some cases, the OpenVPN configuration must specify a login and password for authentication when the VPN tunnel is connected. To do this, add an inline auth-user-pass section to the configuration file: the first line holds the login and the second line holds the password, with nothing else on those lines. For example:
<auth-user-pass>
vpnclient
r3d23xs87
</auth-user-pass>

TIP: Typical errors and solutions:

1. Error in Keenetic log:

OpenVPN0 auth-user-pass without inline credentials data is not supported
OpenVPN0 Exiting due to fatal error

This means that the configuration file still contains a line requesting interactive login/password input, which is not supported in Keenetic. Delete or comment out all lines like:

auth-user-pass

2. Error message in Keenetic log:

OpenVPN0 Unrecognized option or missing or extra parameter(s) in configuration: (line X): block-outside-dns (2.4.4)
OpenVPN0 Exiting due to fatal error

Detailed information about the error and its solution can be found in the 'Unrecognised option or missing or extra parameter(s) in configuration: block-outside-dns' error when establishing an OpenVPN connection article.

3. Error when connecting to PrivateTunnel servers

When trying to connect, an error is displayed:

OpenVPN0 Unrecognized option or missing or extra parameter(s) in configuration: (line 3): client-ip (2.4.4)

Add a line to the OpenVPN client configuration file:

ignore-unknown-option client-ip block-ipv6

4. An error occurs when the option askpass /storage/key.txt is used:

Error: private key password verification failed

This is a limitation of the current OpenVPN implementation in Keenetic. You can only use a key without a password or with a fixed password: 'password'.

5. After upgrading the router to KeeneticOS 3.9.1, the VPN tunnel to the OpenVPN server may not be installed. In the log, you can see the following messages:

W [Dec 15 16:52:58] OpenVPN6: DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.

The cause is the obsolete BF-CBC cipher, which has not been supported since OpenVPN client version 2.5.0 (KeeneticOS 3.9 uses OpenVPN client 2.6.0).

To establish the tunnel, replace the directive

cipher AES-128-CBC

with

data-ciphers AES-128-CBC

or

data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305

If this does not work, replace the directive cipher AES-128-CBC with:

data-ciphers-fallback AES-128-CBC

For maximum cipher matching compatibility with the remote server, specify the directives:
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-128-CBC

or

data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-CBC

Important! The cipher depends on the remote OpenVPN server. Before changing the cipher directive, check the connection log.

6. If the following key size error is recorded in the log:

[E] Dec 16 19:01:38 OpenVPN0: Unrecognized option or missing or extra parameter(s) in configuration: (line 22): keysize (2.6_git)
[E] Dec 16 19:01:38 OpenVPN0: Exiting due to fatal error
[E] Dec 16 19:01:38 ndm: Service: "OpenVPN0": unexpectedly stopped.

Then remove the keysize 256 directive from the tunnel configuration, since this option is obsolete for the updated OpenVPN 2.6.0 client, and check the tunnel connection again.
Detailed information on the 'keysize' option can be found at the link.
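As an added example that is not part of the original article or of Keenetic's firmware, the following Python check scans a single-file .ovpn configuration for the Keenetic requirements listed at the start of the article and for the typical errors listed above: the 24 Kbyte size limit, external file references instead of inline blocks, auth-user-pass without inline credentials, block-outside-dns, client-ip, askpass, keysize, IPv6 options, and a cipher directive with no data-ciphers in TLS mode. The directive names and fixes come from this article; the function and variable names are the example's own.

```python
import re

MAX_CONFIG_BYTES = 24 * 1024  # VPN configuration partition on KN-1110..KN-1910 models
# Directives that name an external file unless the material is embedded inline as <tag>...</tag>
FILE_OPTIONS = ("ca", "cert", "key", "dh", "secret", "tls-auth", "tls-crypt", "pkcs12")
# Directives the article reports as rejected on Keenetic, with the documented fix
REJECTED = {"block-outside-dns": "remove the line", "keysize": "remove the line (obsolete in OpenVPN 2.6)",
            "client-ip": "add 'ignore-unknown-option client-ip block-ipv6'",
            "askpass": "use a key without a password, or with the fixed password 'password'"}


def parse_ovpn(text):
    """Split a single-file .ovpn into {directive: [args, ...]} and the set of inline <tag> blocks."""
    options, inline, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if current:                                  # inside <tag> ... </tag>: not directives
            current = None if line == f"</{current}>" else current
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            current = m.group(1)
            inline.add(current)
        elif line and line[0] not in "#;":           # skip blank lines and comments
            name, *args = line.split()
            options.setdefault(name, []).append(args)
    return options, inline


def check_keenetic_ovpn(text):
    """Return a list of findings; an empty list means none of the known problems were found."""
    options, inline = parse_ovpn(text)
    findings, size = [], len(text.encode())
    if size > MAX_CONFIG_BYTES:
        findings.append(f"config is {size} bytes, above the 24 Kbyte limit")
    if "auth-user-pass" in options and "auth-user-pass" not in inline:
        findings.append("auth-user-pass without inline credentials: embed <auth-user-pass> or delete the line")
    for opt in FILE_OPTIONS:
        if opt in options:
            findings.append(f"{opt} references an external file: embed it as <{opt}>...</{opt}>")
    for opt, fix in REJECTED.items():
        if opt in options:
            findings.append(f"{opt} is not accepted: {fix}")
    findings += [f"{opt}: IPv6 options are not supported" for opt in options if "ipv6" in opt]
    # In TLS mode OpenVPN 2.6 ignores --cipher for negotiation unless data-ciphers is set
    tls_mode = "secret" not in options and "secret" not in inline
    if tls_mode and "cipher" in options and not any(o in options for o in ("data-ciphers", "data-ciphers-fallback")):
        cipher = " ".join(options["cipher"][0])
        findings.append(f"cipher {cipher}: use data-ciphers {cipher} or data-ciphers-fallback {cipher}")
    return findings
```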

