
User Manual (English)

OpenVPN client and server

OpenVPN is one of the most popular protocols for VPN connections. It can be used to create a virtual private network or to interconnect local networks. OpenVPN is open source and distributed free of charge under the GNU GPL license. It provides faster connection speeds than other VPN protocols. In addition, OpenVPN can be called one of the safest protocols: all transmitted data is protected by the OpenSSL encryption library and the SSLv3/TLSv1 protocols, which provide high security and anonymity.

Keenetic routers support OpenVPN over both TCP and UDP, TLS authentication, and the use of certificates and encryption keys to increase the security of the VPN connection.

Important

The Keenetic router that will host the OpenVPN server must be connected to the Internet with a public IP address, and if a KeenDNS domain name is used, it must be configured in 'Direct access' mode. If either condition is not met, it will not be possible to connect to the server from the Internet.

Installing the system component 'OpenVPN client and server' is necessary to configure an OpenVPN connection. With this component, you can use both the OpenVPN client and the OpenVPN server on your Keenetic. You can install the system component on the 'General System Settings' page, in the 'KeeneticOS Update and Component Options' section, by clicking 'Component options'.


The OpenVPN mode (client or server) is mainly defined by its configuration file.

Important

OpenVPN configuration requirements for use in Keenetic:

  • The configuration must be in a single file.

  • Certificates, keys, etc., should be included in this file.

  • In the configuration, you should use only the options listed in the document: OpenVPN 2.4 ManPage.

  • Some of the options described there may not be supported. For example, our OpenVPN implementation does not support options related to IPv6.

  • The order of the options, certificates and keys in the file does not matter.

  • OpenSSL keys must be set without a password because Keenetic's interface does not have an option to enter it.

  • The OpenVPN configuration file is not saved in the startup-config configuration file. To get a backup of the OpenVPN client interface settings, you must save it separately.

For the KN-1110, 1210, 1310, 1410, 1510, 1610, 1710, 1810 and 1910 models, the number of client connections is limited by the size of the service memory partition allocated for storing VPN configurations, which is 24 Kbytes. This is especially important for OpenVPN connections, because the total size of their configurations must not exceed 24 Kbytes. For current Keenetic models with a KN-XXXX index, the storage in which the startup-config configuration file and the environment variables (including keys) are kept in compressed form has been increased and ranges from 260 Kbytes to 2 Mbytes, depending on the model.

Let's consider an example of an OpenVPN connection of the 'site-to-site' type.


We will connect the Keenetic#2 client (Home segment 192.168.2.0/24, tunnel address 10.1.0.2) to the server on Keenetic#1 (Home segment 192.168.1.0/24, tunnel address 10.1.0.1).

  • First, let's look at the simplest configuration, using a shared secret key.

    1. The minimum configuration of the OpenVPN server for Keenetic#1:

      dev tun
      ifconfig 10.1.0.1 10.1.0.2
      cipher AES-128-CBC
      <secret>
        <--insert the secret key here
      </secret>
      verb 3
      route 192.168.2.0 255.255.255.0
    2. The minimum configuration of the OpenVPN client for Keenetic#2:

      dev tun
      remote KEENETIC-1.mykeenetic.net <-- server's domain name or IP address
      ifconfig 10.1.0.2 10.1.0.1
      cipher AES-128-CBC
      <secret>
        <--insert the secret key here
      </secret>
      verb 3
      route 192.168.1.0 255.255.255.0
      or
      redirect-gateway def1
      or
      route 0.0.0.0 0.0.0.0 <-- if it's necessary to route all the traffic into the tunnel
    3. Generate a shared secret key. To do this, download and install OpenVPN from here: openvpn.net/downloads.html

      In this example, we will be using version 2.4.6-I602 for Windows.

      After installing the software, restart the computer.

      By default, the program will be installed in the C:\Program folder.

      Run the Windows command line as an administrator. Go to C:\Program Files\OpenVPN\bin and run the command:

      openvpn.exe --genkey --secret static.key
    4. Open the generated static.key file with the shared secret key in any text editor (e.g. Notepad), copy its contents to the clipboard (Ctrl-A, Ctrl-C) and paste (Ctrl-V) into the appropriate locations of the client and server configuration files.

      Examples of the static-server.ovpn configuration file for Keenetic#1 and the static-client.ovpn configuration file for Keenetic#2 with a shared secret key are attached at the end of this article. These files also contain other OpenVPN settings, commented out (starting with ';'), which may be used later if necessary. You can use these configuration files for verification by replacing the domain name KEENETIC-1.mykeenetic.ru in static-client.ovpn with the domain name of your Keenetic#1 or its public IP address, and by replacing the shared secret key in both files with the one you generated.

    5. Go to the 'Other connections' page in the web interface of the Keenetic#1 and click 'Create connection' in the 'VPN connections' section. In the 'VPN Connection Settings' window, select 'OpenVPN' in the 'Type (protocol)' field.

      Then enter the name of the connection in the 'Connection name' field and insert the contents of the static-server.ovpn configuration file in the 'OpenVPN configuration' field. Save the settings.


      Important

      From KeeneticOS 3.4.1, the server only works when 'Any Internet connection' is selected in the 'Connect via' field.

    6. In the same way, add an OpenVPN connection to the web interface of the Keenetic#2, but with a static-client.ovpn configuration:

    7. Additionally, on the Keenetic#1 (server) side, the following commands will need to be executed via the command-line interface (CLI) of the router:

      interface OpenVPN0 no ip global
      interface OpenVPN0 security-level private

      To allow traffic between the Home and OpenVPN0 interfaces, which have a private security level, run the command:

      no isolate-private

      If you plan to use this server to connect the client to the Internet as well, run the command:

      ip nat 10.1.0.2 255.255.255.255

      and save the settings with the command:

      system configuration save
    8. Finally, it is necessary to open a port for the OpenVPN connection. The default port is UDP/1194. To do this, create a rule on the 'Firewall' page for the 'ISP' interface or for whichever interface is used to access the Internet (besides 'ISP', this can be a PPPoE, L2TP or PPTP interface).


      On the 'Firewall rule' window, select 'Allow' in the 'Action' field, 'UDP' in the 'Protocol' field, and 'Equals 1194' in the 'Destination port number' field.

      After creating the connection, set the switch to Enabled.


      This completes the configuration of the OpenVPN tunnel. The 'Other connections' page will display the connection status and statistics.

      Try pinging both ends of the tunnel to check:

      ping 10.1.0.1
      ping 10.1.0.2

      and then remote subnets:

      ping 192.168.1.1
      ping 192.168.2.1
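The whole static-key procedure above, as an added example in Python (not Keenetic's or OpenVPN's own code): it generates a shared secret in the same 'OpenVPN Static key V1' text format that `openvpn --genkey --secret static.key` writes (2048 random bits as 16 lines of 32 hex digits between header and footer lines), then renders the Keenetic#1 server configuration and the Keenetic#2 client configuration with that key embedded in a <secret> block, so each configuration is the single self-contained file Keenetic requires. The function names and parameters are this example's own; the addresses and the KEENETIC-1.mykeenetic.net name are those used in the article.

```python
"""Generate an OpenVPN static key and render the site-to-site config pair.

Added example, not Keenetic's or OpenVPN's code. The key format mirrors what
`openvpn --genkey --secret static.key` produces, so the output can be pasted
into a <secret> block exactly like the generated static.key file.
"""
import os
import re

KEY_BYTES = 256  # 2048-bit static key, the size openvpn --genkey produces
HEADER = "-----BEGIN OpenVPN Static key V1-----"
FOOTER = "-----END OpenVPN Static key V1-----"


def generate_static_key() -> str:
    """Fresh static key from the OS CSPRNG, in OpenVPN's V1 text format."""
    hex_key = os.urandom(KEY_BYTES).hex()
    lines = [hex_key[i:i + 32] for i in range(0, len(hex_key), 32)]  # 16 lines of 16 bytes
    return "\n".join(["#", "# 2048 bit OpenVPN static key", "#", HEADER, *lines, FOOTER]) + "\n"


def parse_static_key(text: str) -> bytes:
    """Return the raw key bytes from any text containing a V1 key block.

    Works on the bare key file and on a config that embeds it in <secret>.
    Raises ValueError when the block is missing or is not exactly 2048 bits,
    which is the check to run before pasting a key into both configs.
    """
    m = re.search(re.escape(HEADER) + r"(.*?)" + re.escape(FOOTER), text, re.S)
    if not m:
        raise ValueError("no OpenVPN Static key V1 block found")
    hex_body = "".join(m.group(1).split())
    if len(hex_body) != KEY_BYTES * 2:
        raise ValueError(f"key has {len(hex_body) * 4} bits, expected {KEY_BYTES * 8}")
    return bytes.fromhex(hex_body)


def render_server_config(key: str, remote_lan: str = "192.168.2.0 255.255.255.0") -> str:
    """Keenetic#1 side: tunnel 10.1.0.1 <-> 10.1.0.2 plus a route to the client's LAN."""
    return "\n".join([
        "dev tun",
        "ifconfig 10.1.0.1 10.1.0.2",
        "cipher AES-128-CBC",
        "<secret>", key.rstrip("\n"), "</secret>",
        "verb 3",
        f"route {remote_lan}",
    ]) + "\n"


def render_client_config(key: str, remote: str,
                         remote_lan: str = "192.168.1.0 255.255.255.0",
                         redirect_all: bool = False) -> str:
    """Keenetic#2 side: 'remote' is the server's KeenDNS name or public IP.

    With redirect_all=True the default route goes through the tunnel
    (redirect-gateway def1) instead of only the server's LAN.
    """
    routing = "redirect-gateway def1" if redirect_all else f"route {remote_lan}"
    return "\n".join([
        "dev tun",
        f"remote {remote}",
        "ifconfig 10.1.0.2 10.1.0.1",
        "cipher AES-128-CBC",
        "<secret>", key.rstrip("\n"), "</secret>",
        "verb 3",
        routing,
    ]) + "\n"


if __name__ == "__main__":
    # Write the pair the article describes; both files carry the same key.
    key = generate_static_key()
    with open("static-server.ovpn", "w") as f:
        f.write(render_server_config(key))
    with open("static-client.ovpn", "w") as f:
        f.write(render_client_config(key, "KEENETIC-1.mykeenetic.net"))
```

Paste the contents of static-server.ovpn and static-client.ovpn into the 'OpenVPN configuration' field of the respective routers as in steps 5 and 6; parse_static_key() on each file confirms that both contain the same, complete key before you do so.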

Note

  1. OpenVPN clients connected to the server will be displayed on the 'Client lists' page in the 'Unregistered clients' list. If you have selected the 'No Internet access' policy on the 'My networks and Wi-Fi' page in the 'Internet Traffic Handling Rules' section, don't forget to register OpenVPN clients if you need to provide them with Internet access as well.

  2. The configuration of the OpenVPN interface is not saved in the startup-config file. For backup purposes, we recommend backing up the OpenVPN settings in a separate file.

  3. If the OpenVPN client connection is to be used for Internet access, assign this connection the highest priority. Information about priorities can be found in the article "Connection priorities".

  4. In some cases, the OpenVPN configuration must specify a login and password for authentication when the VPN tunnel connects. To do this, add a special auth-user-pass section to the configuration file, with the login on its first line and the password on its second line. For example:

    <auth-user-pass>
    vpnclient
    r3d23xs87
    </auth-user-pass>
  5. An example of creating keys and certificates on Windows to connect to an OpenVPN server is shown in the article 'OpenVPN configuration using two-way TLS authentication'.

Common errors and solutions:

  1. auth-user-pass without inline credential data is not supported

    The configuration file contains a line for interactive login/password entry, which Keenetic does not support. Error in the Keenetic log file:

    OpenVPN0 auth-user-pass without inline credentials data is not supported
    OpenVPN0 Exiting due to fatal error

    Delete or comment out all lines of this type:

    auth-user-pass

  2. block-outside-dns option error

    The block-outside-dns option is configured on the OpenVPN server; it is handled correctly only on Windows. Error in the Keenetic log file:

    OpenVPN0 Unrecognized option or missing or extra parameter(s) in configuration: (line X): block-outside-dns (2.4.4)
    OpenVPN0 Exiting due to fatal error

    Add the following line to the OpenVPN client configuration file:

    pull-filter ignore "block-outside-dns"

  3. Error when connecting to PrivateTunnel servers

    When attempting to connect, an error is displayed:

    OpenVPN0 Unrecognized option or missing or extra parameter(s) in configuration: (line 3): client-ip (2.4.4)

    Add the following line to the OpenVPN client configuration file:

    ignore-unknown-option client-ip block-ipv6

  4. An error occurs when using the option askpass /storage/key.txt:

    Error: private key password verification failed

    This is a limitation of the current OpenVPN implementation in Keenetic. You can only use a key without a password, or with the fixed password 'password'.

  5. After updating the router to KeeneticOS 3.9.1, the VPN tunnel to the OpenVPN servers of some VPN providers may no longer be established. The following messages can be seen in the system log:

    W [Dec 15 16:52:58] OpenVPN6: DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). 
    OpenVPN ignores --cipher for cipher negotiations.
    Error: private key password verification failed

    The problem is the obsolete BF-CBC cipher, which is not supported starting from OpenVPN client version 2.5.0 (KeeneticOS 3.9 uses OpenVPN client version 2.6.0).

    Note

    The BF-CBC cipher is no longer supported in the default configuration. OpenVPN version 2.5.0 supports the AES-256-GCM and AES-128-GCM ciphers by default. You can change this behaviour with the data-ciphers option, for example by specifying data-ciphers AES-256-GCM:AES-128-GCM:BF-CBC in the settings. To support very old OpenVPN nodes that do not support cipher negotiation ("--cipher" mode), you can specify data-ciphers-fallback BF-CBC.

    When upgrading to a new OpenVPN version, the "cipher BF-CBC" setting in older configuration files is converted by adding BF-CBC to the data-ciphers set. In addition, data-ciphers-fallback mode is enabled.

    To establish the tunnel correctly, you will need to change the directive:

    cipher AES-128-CBC to data-ciphers AES-128-CBC or data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305

    If that does not work, change the directive:

    cipher AES-128-CBC to data-ciphers-fallback AES-128-CBC

    For maximum cipher negotiation compatibility with the remote server, specify the following directives:

    data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305

    data-ciphers-fallback AES-128-CBC

    or

    data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305

    data-ciphers-fallback AES-256-CBC

    Important

    The cipher depends on the remote OpenVPN server. Before changing the cipher directive, check the system log.

  6. If the following key-size error is recorded in the log:

    [E] Dec 16 19:01:38 OpenVPN0: Unrecognized option or missing or extra parameter(s) in configuration: (line 22): keysize (2.6_git)
    [E] Dec 16 19:01:38 OpenVPN0: Exiting due to fatal error
    [E] Dec 16 19:01:38 ndm: Service: "OpenVPN0": unexpectedly stopped.Error: private key password verification failed

    Then remove the keysize 256 option directive from the tunnel configuration, as it is obsolete for the updated OpenVPN 2.6.0 client, and check the tunnel connection again.

    Detailed information on the "keysize" option can be found at this link.
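The configuration requirements listed at the top of this article (single file, inline certificates and keys, no IPv6 options, no key password, the 24 Kbyte limit on KN-1xxx models), the inline auth-user-pass note, and the errors in this troubleshooting list can all be checked mechanically before a configuration is pasted into the router. The following is an added example in Python, not Keenetic's or OpenVPN's code: lint_config() parses an .ovpn file and reports the problems this article names, and diagnose_log() maps the Keenetic log messages quoted above to the fix given for each. Which options Keenetic rejects is taken from the article; the IPv6 option names are real OpenVPN options that the article covers only as "options related to IPv6". The sample configuration and log lines are constructed from the article's examples, and the function names are this example's own.

```python
"""Lint an OpenVPN config against the Keenetic restrictions in this article and
map the quoted Keenetic log messages to their fixes.

Added example, not Keenetic's or OpenVPN's code. Sample config and log lines
are constructed from the article's examples.
"""
import re

STORAGE_LIMIT = 24 * 1024  # VPN configuration partition on KN-1110..KN-1910 models
# Options that take a file path; Keenetic needs the contents inline as <name>...</name>.
FILE_OPTIONS = {"ca", "cert", "key", "dh", "tls-auth", "tls-crypt", "secret"}
IPV6_OPTIONS = {"tun-ipv6", "ifconfig-ipv6", "ifconfig-ipv6-pool", "ifconfig-ipv6-push", "route-ipv6", "server-ipv6"}


def parse_config(text):
    """Return (options, blocks): (name, args) pairs outside inline blocks, and the
    set of <tag> block names present. '#' and ';' start comments, as in OpenVPN."""
    options, blocks, current = [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:  # inside <tag> ... </tag>: skip the payload
            current = None if line == f"</{current}>" else current
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            current = m.group(1)
            blocks.add(current)
            continue
        name, _, args = line.partition(" ")
        options.append((name, args.strip()))
    return options, blocks


def lint_config(text):
    """Return human-readable findings; an empty list means no known Keenetic problem."""
    options, blocks = parse_config(text)
    names = {n for n, _ in options}
    findings = []
    if len(text.encode()) > STORAGE_LIMIT:
        findings.append(f"config is {len(text.encode())} bytes; KN-1xxx models store at most {STORAGE_LIMIT} bytes")
    for name, args in options:
        if name in FILE_OPTIONS and args:
            findings.append(f"'{name} {args}' references an external file; embed it as <{name}>...</{name}>")
        elif name == "auth-user-pass" and "auth-user-pass" not in blocks:
            findings.append("auth-user-pass without inline credentials is not supported; remove it or add an <auth-user-pass> block")
        elif name == "askpass":
            findings.append("askpass is not supported; use a key without a password (or the fixed password 'password')")
        elif name == "keysize":
            findings.append(f"'keysize {args}' is obsolete in OpenVPN 2.6 and rejected; remove it")
        elif name in IPV6_OPTIONS:
            findings.append(f"'{name}' is an IPv6 option, which Keenetic's OpenVPN does not support")
        elif name == "block-outside-dns":
            findings.append('block-outside-dns only works on Windows; remove it and add: pull-filter ignore "block-outside-dns"')
        elif (name == "cipher" and "secret" not in blocks  # static-key mode does not negotiate ciphers
              and not names & {"data-ciphers", "data-ciphers-fallback"}):
            findings.append(f"'cipher {args}' is ignored for negotiation since OpenVPN 2.5; use 'data-ciphers {args}' or 'data-ciphers-fallback {args}'")
    return findings


UNKNOWN_OPTION_FIXES = {
    "block-outside-dns": 'add to the client config: pull-filter ignore "block-outside-dns"',
    "client-ip": "add to the client config: ignore-unknown-option client-ip block-ipv6",
    "keysize": "remove the keysize directive (obsolete in OpenVPN 2.6)",
}
LOG_RULES = [  # (regex over one Keenetic log line, advice built from the match)
    (r"auth-user-pass without inline credentials data is not supported",
     lambda m: "delete or comment out every auth-user-pass line"),
    (r"Unrecognized option .*?\(line ([^)]+)\): ([\w-]+)",
     lambda m: f"line {m.group(1)}: " + UNKNOWN_OPTION_FIXES.get(
         m.group(2), f"remove '{m.group(2)}' or add 'ignore-unknown-option {m.group(2)}'")),
    (r"--cipher set to '([\w-]+)' but missing in --data-ciphers",
     lambda m: f"replace 'cipher {m.group(1)}' with 'data-ciphers {m.group(1)}' or 'data-ciphers-fallback {m.group(1)}'"),
    (r"private key password verification failed",
     lambda m: "key must be unencrypted (or use the fixed password 'password'); also check the fatal error logged just before"),
]


def diagnose_log(lines):
    """Pair each recognised Keenetic OpenVPN log line with the fix from this article."""
    results = []
    for line in lines:
        for pattern, advise in LOG_RULES:
            m = re.search(pattern, line)
            if m:
                results.append((line, advise(m)))
                break
    return results


# Constructed sample input: a client config with four of the problems above.
SAMPLE_CLIENT_CONFIG = """\
client
dev tun
remote vpn.example.invalid 1194
ca ca.crt
auth-user-pass
keysize 256
cipher AES-128-CBC
"""
# Constructed sample log, assembled from the messages quoted in this article.
SAMPLE_LOG = [
    "OpenVPN0 auth-user-pass without inline credentials data is not supported",
    "OpenVPN0 Unrecognized option or missing or extra parameter(s) in configuration: (line 3): client-ip (2.4.4)",
    "[E] Dec 16 19:01:38 OpenVPN0: Unrecognized option or missing or extra parameter(s) in configuration: (line 22): keysize (2.6_git)",
    "W [Dec 15 16:52:58] OpenVPN6: DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305).",
]
```

Running lint_config(SAMPLE_CLIENT_CONFIG) reports the external ca file, the non-inline auth-user-pass, the obsolete keysize and the cipher directive that needs data-ciphers; the static-key server configuration from the site-to-site example passes with no findings, because in static-key mode there is no cipher negotiation and the cipher line is still the correct one to use. diagnose_log(SAMPLE_LOG) returns the fix for each quoted log line in order.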
