0 votes
4,699 views 6 comments
by anonymous
Hi

I have an OVPN file from an OpenVPN server.

In the Linux shell I can connect to my OpenVPN server, but I can't configure the RUT to connect to my OpenVPN server.

How can I import my OVPN file to the RUT?
by anonymous
I can't presently answer your question as I am fighting the same issue on a RUT955!

I'm guessing you're using IPFIRE or IPCOP as your Linux server?

In case you haven't found it yet, the router GUI creates the equivalent of the ovpn
file in /var/etc/openvpn-{long-random-number}.conf

However, I've copied in my existing config to that file using vi and rebooted, but the 955 doesn't even think it
is enabled - despite setting the enable tick box in both the openvpn menu and the admin menu and rebooting
the 955.

I suggest if we find a solution we share it here ! If I get it working I will write up a howto for the Wiki

Regards

BB

2 Answers

0 votes
by anonymous
Hi,

This shows a generic connection between RUT being a VPN server and VPN client.

In this case I have an OpenVPN server that gives me an ovpn file.

If we make the connection using openvpn --config file.ovpn, it works,

but it's not easy to understand what hmi parameters the rut does no client ovpn

In this case i have a openvpn server that gives me a ovpn file.

What do you mean by "ovpn file"? Perhaps an OpenVPN client config with certificates?

by anonymous

In the OpenVPN server you can download the OVPN file per client.

In this case the connection setup is very easy.

A file is like this (xxx.xxx.xxx.xxx is my server, and the text "deleted by me" has the keys/certs):

# Default Cipher
cipher AES-256-CBC
setenv FORWARD_COMPATIBLE 1
client
server-poll-timeout 4
nobind
remote xxx.xxx.xxx.xxx 1194 udp
remote xxx.xxx.xxx.xxx 1194 udp
remote xxx.xxx.xxx.xxx 443 tcp
remote xxx.xxx.xxx.xxx 1194 udp
remote xxx.xxx.xxx.xxx 1194 udp
remote xxx.xxx.xxx.xxx 1194 udp
remote xxx.xxx.xxx.xxx 1194 udp
remote xxx.xxx.xxx.xxx 1194 udp
dev tun
dev-type tun
ns-cert-type server
setenv opt tls-version-min 1.0 or-highest
reneg-sec 604800
sndbuf 100000
rcvbuf 100000
auth-user-pass
comp-lzo no
verb 3
setenv PUSH_PEER_INFO
<ca>
-----BEGIN CERTIFICATE-----
DELETED by Me
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
DELETED by Me
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
DELETED by Me
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
DELETED by Me
-----END OpenVPN Static key V1-----
</tls-auth>

by anonymous
Hi,

The problem with the examples is that they are written from the position of RUT peer to RUT peer.

In my own case, the linux firewall generates the ovpn conf file and a password protected PKCS12 certificate pack.

The challenge is how to unpick that pre-configured client configuration and align it with the RUT GUI

Regards

BB
0 votes
by anonymous

ok,

I have my own system working now in TUN mode to an IPFIRE linux firewall,

It turns out there are at least 2 faults in the RUT955 Web GUI; I don't know if they also affect your model.

The OVPN file is just a .conf file - you don't really need it - the router will build its own. But if you need to edit
it, it's located in /var/etc/ on the router.

The P12 certificate problem is twofold:

1) That your certificates from your VPN server are in the .P12 or PKCS12 format which, as far as I can tell,
the Teltonika GUI cannot support.

2) Because there seems to be no file suffix naming convention in Linux, when you follow various OpenSSL
HowTo documents they often refer to a .pem, but the Teltonika apparently needs that as a .crt - it's EXACTLY
the same file, but with a different suffix, like index.htm versus index.html.


So to fix this, I used a Linux PC with OpenSSL installed. If you don't have one, move the files to the router
and use the CLI (shell).

In the example commands that follow I will say that my firewall created a file called router.p12.
But it might have called it router.pkcs12, or indeed some other suffix.

A pkcs12 file is like an onion - you have to get it back into its component layers to use in the Teltonika GUI.

Firstly use SCP (or a GUI-friendly app like WinSCP) to move the .p12 file to the router itself or to a Linux PC
if you have one around.

Access the device you uploaded the P12 file to, then navigate to the folder where the .P12 is
located.

Enter the following commands:

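# Client certificate only (no private key)
openssl pkcs12 -in router.p12 -clcerts -nokeys -nodes -out clientcert.crt

# Private key only, written unencrypted (-nodes)
openssl pkcs12 -in router.p12 -nocerts -nodes -out client.key

# CA certificate(s) only; -nokeys keeps the private key out of this file
openssl pkcs12 -in router.p12 -cacerts -nokeys -nodes -out cacert.ca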


The -out filename prefixes are not important, but the .ca, .key and .crt extensions are important.

In the same folder as your original router.p12 you now have the 3 extra files, all extracted from your .p12
file.

Use SCP or WinSCP or whatever means you need to move the files back to the PC where you access
the Teltonika web GUI (if necessary).

Configure the Teltonika OpenVPN as a TUN Client.

In my case, it only works with LZO compression OFF - still trying to work that out!

Where it asks for the certificates and keys:

Certificate Authority - browse to and upload cacert.ca
Client Certificate - browse to and upload clientcert.crt
Client key - browse to and upload client.key

Complete the rest of the fields as necessary, then select [SAVE].

On my own RUT955 the VPN status still shows as disabled, but go to the
diagnostic page and try to ping a host in the remotely connected subnet;
it should respond as long as you have got the other routing parameters right.

Hope this helps - as I said, it took me 3 evenings and was not helped by issues
in the GUI software of the RUT955 - but now it's working really well.

Hope that sorts it for you ! (it did for me) 

Regards 

BB
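
An added example, not part of the original posts and not Teltonika's code: the .ovpn profile quoted earlier in the thread carries its CA, certificate, key and tls-auth material inline, while the GUI fields listed in the answer above take separate files. This shell script splits such a profile into files using the extensions the answer names; `tlsauth.key`, `directives.txt` and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: split the inline blocks of an .ovpn client profile into files.
# cacert.ca, clientcert.crt and client.key follow the answer above;
# tlsauth.key, directives.txt and the function names are this example's own.

# Print the body of one inline <TAG>...</TAG> block, without the tag lines.
ovpn_block() {  # usage: ovpn_block TAG FILE
    awk -v tag="$1" '
        { gsub(/^[ \t]+|[ \t\r]+$/, "") }      # trim padding and CR
        $0 == ("</" tag ">") { inside = 0 }
        inside && NF         { print }         # drop blank lines
        $0 == ("<" tag ">")  { inside = 1 }
    ' "$2"
}

# Print the plain directives: everything outside inline blocks, without
# comments or blank lines. These are the values to carry over into the GUI.
ovpn_directives() {  # usage: ovpn_directives FILE
    awk '
        { gsub(/^[ \t]+|[ \t\r]+$/, "") }
        /^<\/[a-z-]+>$/ { inside = 0; next }
        /^<[a-z-]+>$/   { inside = 1; next }
        !inside && NF && !/^[#;]/ { print }
    ' "$1"
}

# Write each inline block to its own file under OUTDIR. The body runs in a
# subshell so the tightened umask does not leak into the caller.
split_ovpn() (  # usage: split_ovpn FILE OUTDIR
    src=$1 out=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; exit 1; }
    umask 077                  # client.key and tlsauth.key are secrets
    mkdir -p "$out" || exit 1
    for pair in ca:cacert.ca cert:clientcert.crt key:client.key \
                tls-auth:tlsauth.key; do
        tag=${pair%%:*} name=${pair#*:}
        body=$(ovpn_block "$tag" "$src")
        [ -n "$body" ] && printf '%s\n' "$body" > "$out/$name"
    done
    ovpn_directives "$src" > "$out/directives.txt"
    # Succeed only if both the client certificate and its key were present.
    [ -s "$out/clientcert.crt" ] && [ -s "$out/client.key" ]
)

# Stand-alone use: sh split_ovpn.sh client.ovpn outdir
if [ $# -eq 2 ]; then split_ovpn "$1" "$2"; fi
```

For the profile quoted in this thread, `directives.txt` would list `auth-user-pass`, `comp-lzo no` and `key-direction 1` among the settings that still have to be entered by hand.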