Skip to main content

User Manual

OpenVPN client

OpenVPN is one of the most popular protocols for VPN connections. It can be used to create a virtual private network or to interconnect local networks. OpenVPN is open source and distributed free of charge under the GNU GPL license. It provides faster connection speeds than other VPN protocols. Also, OpenVPN can be called one of the safest protocols. All transmitted data is securely protected by the OpenSSL encryption library and SSLv3/TLSv1 protocols, which provides high security and anonymity.

OpenVPN client and server support is integrated into Keenetic routers. To configure an OpenVPN connection, it is necessary to install the 'OpenVPN client and server' system component. A Keenetic router can be used both as a client and as an OpenVPN server with this component. A detailed description of the server mode can be found in the article 'OpenVPN server'. You can install the system component on the 'General system settings' page in the 'Updates and component options' section by clicking 'Component options'.

openvpn-client1-en.png

Important

Keenetic routers use strict OpenVPN configuration requirements. Below are some basic requirements:

  • The configuration must be in a single file.

  • Certificates, keys, etc., should be included in this file.

  • Configuration files with the .ovpn extension are usually compatible.

  • If the ISP offers files for different routers or systems, in most cases, you can use a file for OpenWRT.

  • In the configuration, you should use only the options listed in the document: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

  • There should be no directives or unknown commands in the configuration that cannot be processed.

    Some of the options described above may not be supported. For example, our OpenVPN implementation does not support options related to IPv6.

  • The order of the options, enabled certificates, and keys do not matter.

  • The OpenVPN configuration file is not saved in the startup-config configuration file. To get a backup of the OpenVPN client interface settings, you must save it separately.

The number of client connections is limited by the allocated service memory partition size of 24 Kbytes for storing VPN configurations. This is especially important for OpenVPN connections because the total size of their configurations must not exceed 24 Kbytes.

VPN providers can offer different variants for OpenVPN configurations. Below we will review some of them.

  1. Download the configuration file from the site of the OpenVPN server you plan to connect to.

    For example, on www.vpngate.net, select the server and click on 'OpenVPN Config file'.

    openvpn-client2-en.png

    Next, select one of the configurations of this server, for example, with the DDNS domain name and TCP 1781.

    openvpn-client3-en.png

    The configuration file with the .ovpn extension will be downloaded to your computer. Open it in any text editor (e.g. Notepad) and copy all the contents to the clipboard by pressing Ctrl-A and then Ctrl-C keys on the keyboard.

    After that, go to the 'Other connections' page and click 'Create connection' in the 'VPN Connections' section. In the 'VPN Connection Settings' window, select 'OpenVPN' in the 'Type (protocol)' field.

    Then enter the name of the connection in the field 'Connection name' and in the field 'OpenVPN configuration' insert the copied configuration from the clipboard by pressing Ctrl-V. Save the settings.

    openvpn-client4-en.png

    To set up a work schedule or define the interface through which the connection will work, click on 'Show advanced settings'.

    Once the connection is established, put the switch in the 'On' state.The status of the connection will also be displayed on this page.

    openvpn-client5-en.png

    Tip

    If you want to use this connection for accessing the Internet, assign the highest priority to it. You will find information about the priorities in the 'Connection priorities' article.

  2. On some sites with OpenVPN settings, in addition to the configuration file, there is a login and password specified. For example, on vpnbook.com.

    openvpn-client6-en.png

    In this case, before copying the content from the configuration file to the clipboard, it is necessary to delete the line:

    auth-user-pass

    and add a section by entering the required login and password values. For example:

    <auth-user-pass>
vpnbook
r3d23xs
</auth-user-pass>
    openvpn-client7-en.png

  3. Other ISPs, such as altvpn.com, provide certificates and keys as separate files. In this case, you need to:

    1. Comment out the lines with the certificate and key file names with the symbol #:

      #ca ca.crt
#cert xxxxxxxxxxxx.crt
#key xxxxxxxxxxxx.crt

    2. At the end of the configuration file, add the certificate and key sections and insert the contents of the corresponding files:

      <ca>
-----BEGIN CERTIFICATE-----
...       <--insert the body of the certificate from the ca.crt
 file here
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...       <--insert the body of the certificate from the xxxx.crt
 file here
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
...       <--insert the key body from the xxxx.key
 file here
-----END RSA PRIVATE KEY-----
</key>

  4. The privateinternetaccess.com provider has files ca.rsa.2048.crt and crl.rsa.2048.pem in its configuration, the contents of which should be inserted between the sections <crl-verify> </crl-verify> and <ca> </ca> respectively.

    The OpenVPN configuration file will look like this:

    client
dev tun
proto udp
remote sweden.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
<auth-user-pass>
xxxxxx       <--insert your login here
xxxxxx       <--insert your password here
</auth-user-pass>
comp-lzo
verb 1
reneg-sec 0
disable-occ

<crl-verify>
-----BEGIN X509 CRL-----
...       <--insert the key body from the crl.rsa.2048.pem file here
-----END X509 CRL-----
</crl-verify>

<ca>
-----BEGIN CERTIFICATE-----
...       <--insert the body of the certificate from the file ca.rsa.2048.crt here
-----END CERTIFICATE-----
</ca>

Typical errors and solutions:

  1. auth-user-pass without inline credentials data is not supported

    The configuration file contains a line for online login/password entry, which Keenetic does not support. Error in the Keenetic log file:

    OpenVPN0 auth-user-pass without inline credentials data is not supported
OpenVPN0 Exiting due to fatal error

    Delete or comment out all lines of this kind:

    auth-user-pass

  2. Block-outside-dns option error

    The block-outside-dns option is configured on the OpenVPN server, which is correctly handled only in Windows. Error in the Keenetic log file:

    OpenVPN0 Unrecognized option or missing or extra parameter(s) in configuration: (line X): block-outside-dns (2.4.4)
OpenVPN0 Exiting due to fatal error

    Add a line to the OpenVPN client configuration file:

    pull-filter ignore "block-outside-dns"

  3. Error when connecting to PrivateTunnel servers

    An error is displayed when trying to connect:

    OpenVPN0 Unrecognized option or missing or extra parameter(s) in configuration: (line 3): client-ip (2.4.4)

    Add a line to the OpenVPN client configuration file:

    ignore-unknown-option client-ip block-ipv6

  4. An error occurs when using the askpass /storage/key.txt option:

    Error: private key password verification failed

    This is a limitation of the current OpenVPN implementation in Keenetic. You can only use a key without a password or with a fixed password: 'password'.

  5. After updating the router to KeeneticOS 3.9.1, the VPN tunnel to the OpenVPN servers for certain VPN suppliers may no longer be established. You can see the following messages in the system log:

    W [Dec 15 16:52:58] OpenVPN6: DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). 
OpenVPN ignores --cipher for cipher negotiations.
Error: private key password verification failed

    The problem is the outdated encryption format BF-CBC, which is not supported starting from the OpenVPN 2.5.0 client version ( KeeneticOS 3.9 uses the OpenVPN 2.6.0 client version).

    Note

    The BF-CBC chipher is no longer supported in the default configuration. The OpenVPN 2.5.0 version supports AES-256-GCM and AES-128-GCM ciphers by default. You can change this behaviour using the data-ciphers option, for example, by specifying in the settings data-ciphers AES-256-GCM:AES-128-GCM:BF-CBC. To support very old OpenVPN nodes that do not support cipher negotiation (mode "--cipher"), you can specify data-ciphers-fallback BF-CBC.

    When upgrading to a new version of OpenVPN, the setting "cipher BF-CBC" in older configuration files will be converted with appending BF-CBC to the data-ciphers set. In addition, the data-ciphers-fallback mode is turned on.

    To successfully install the tunnel, you will need to change the directive:

    cipher AES-128-CBC to data-ciphers AES-128-CBC or data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305

    If it doesn't work, then change the directive:

    cipher AES-128-CBC to data-ciphers-fallback AES-128-CBC

    For maximum cipher negotiation compatibility with the remote server, specify the following directives:

    data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305

    data-ciphers-fallback AES-128-CBC

    or

    data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305

    data-ciphers-fallback AES-256-CBC

    Important

    Encryption depends on the remote OpenVPN server. Before changing the directive cipher, please look at the system log.

  6. If the following key size error is recorded in the log:

    [E] Dec 16 19:01:38 OpenVPN0: Unrecognized option or missing or extra parameter(s) in configuration: (line 22): keysize (2.6_git)
[E] Dec 16 19:01:38 OpenVPN0: Exiting due to fatal error
[E] Dec 16 19:01:38 ndm: Service: "OpenVPN0": unexpectedly stopped.Error: private key password verification failed

    Then in the tunnel configuration, you need to remove the keysize 256 option directive, which is outdated for the updated client OpenVPN 2.6.0, and check the tunnel connection again.

    You can find detailed information for the "keysize" option by this link.

We recommend that you read the following information:

In this section: