0 votes
350 views 1 comments
by anonymous

Hi Folks

SO .... where to begin ?

OpenVPN refuses to connect with an old hardware style RUT955 (Firmware R_00.06.07.7)  using the GUI to configure the VPN.

I am using a server generated OVPN file (IPFIRE release 155 firewall) and a P12 certificate for which I have the correct password

The GUI accepts the OVPN, P12 cert and password.
I then [save] the configuration.
The GUI seems not to read the OVPN file as I am left with:



So, to prove my configuration is valid, I uploaded my .ovpn file and my P12 certificate to
/etc/openvpn/

from SSH I then ran openvpn --client --config {myconfig.ovpn}

It prompted me for the password and I put in the correct one.

The first thing I noticed was that when it processes the REMOTE line
(remote {hostname} 1194) it returns an IPV6 address - my firewall / ISP
only support IPV4 which causes a failure:

Sun May  2 08:31:07 2021 OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun May  2 08:31:07 2021 library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
Enter Private Key Password:
Sun May  2 08:31:14 2021 TCP/UDP: Preserving recently used remote address: [AF_INET6]MY IP V6:1194
Sun May  2 08:31:14 2021 Socket Buffers: R=[8388608->8388608] S=[8388608->8388608]
Sun May  2 08:31:14 2021 UDP link local: (not bound)
Sun May  2 08:31:14 2021 UDP link remote: [AF_INET6]IP:OBFUSCATED::1194
Sun May  2 08:31:14 2021 write UDP: Permission denied (code=13)
Sun May  2 08:31:16 2021 write UDP: Permission denied (code=13)
Sun May  2 08:31:20 2021 write UDP: Permission denied (code=13)
Sun May  2 08:31:29 2021 write UDP: Permission denied (code=13)
Sun May  2 08:31:46 2021 write UDP: Permission denied (code=13)
Sun May  2 08:31:49 2021 event_wait : Interrupted system call (code=4)
Sun May  2 08:31:49 2021 SIGINT[hard,] received, process exiting

I replace the remote line with my hard coded IPV4 address and the VPN connects immediately,
first time  - no issues - and I can browse content on the VPN protected networks.
But of course the GUI still shows "not available".

I can confirm that IPV6 is DISABLED in ALL the menu options I know about ! 

I cannot hard code the OVPN file V4 address as our ISP insists on DHCP so we have to use
Dynamic DNS.

For completeness, I edited the OVPN on the windows PC to use the hard coded IP.
I then deleted all the VPN config from the GUI.

This didn't fix the issue, but to my surprise, the P12 Password field self populated - I noted
in an earlier forum post that the .PASS[word] file created by the GUI was not deleted
when the VPN connection was removed. Housekeeping fix needed!

Finally, I created the VPN profile manually, using the IPV4 address.

This populated the GUI correctly, but the VPN didn't start at all.

I checked the mobile connection page - USE ONLY IPV4 is ticked!

So - a few issues here guys - how can I help you solve them please?

My config file as generated by the firewall:

#OpenVPN Client conf
tls-client
client
nobind
dev tun
proto udp
tun-mtu 1345
remote MY_DYNAMIC_FQDN 1194
pkcs12 Teltonika.p12
cipher AES-256-CBC
auth SHA512
verb 3
remote-cert-tls server
verify-x509-name MY_DYNAMIC_FQDN name
mssfix

Regards 

BB
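
An added example, not part of the original post and not Teltonika or IPFire code: a shell check for the failure shown in the log above (remote resolved as AF_INET6, then every UDP write refused), plus a rewrite that pins the transport to IPv4 while keeping the dynamic DNS hostname. It assumes the `4` suffix on `proto` documented in the OpenVPN 2.4 manual (`udp4`, `tcp4-client`); the function names are hypothetical and the sample data is constructed from lines in the post.

```sh
#!/bin/sh
# Added example: function names are hypothetical; the sample config and log
# in demo() are constructed from lines quoted in the post.

# True if the config pins the transport to IPv4 ("proto udp4",
# "proto tcp4-client", or a per-remote protocol field with that suffix).
ovpn_forces_ipv4() {
    awk '$1 == "proto"  && $2 ~ /^(udp|tcp)4/ { ok = 1 }
         $1 == "remote" && $4 ~ /^(udp|tcp)4/ { ok = 1 }
         END { exit !ok }' "$1"
}

# True if the log shows the failure from the post: the peer was resolved
# as AF_INET6 and the UDP writes were then refused.
log_shows_ipv6_failure() {
    grep -q 'link remote: \[AF_INET6\]' "$1" &&
        grep -q 'write UDP: Permission denied' "$1"
}

# Print the config with an unsuffixed "proto udp|tcp..." pinned to IPv4.
# The remote hostname is untouched, so dynamic DNS keeps working.
pin_ipv4() {
    sed -E 's/^([[:space:]]*proto[[:space:]]+)(udp|tcp)([^46]|$)/\1\24\3/' "$1"
}

# One-line verdict for a config/log pair.
diagnose() {
    if ovpn_forces_ipv4 "$1"; then
        echo "ok: transport pinned to IPv4"
    elif log_shows_ipv6_failure "$2"; then
        echo "fail: remote resolved to IPv6; use proto udp4"
    else
        echo "warn: address family not pinned"
    fi
}

demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'client' 'proto udp' 'remote MY_DYNAMIC_FQDN 1194' > "$dir/c.ovpn"
    printf '%s\n' 'UDP link remote: [AF_INET6]IP:OBFUSCATED::1194' \
        'write UDP: Permission denied (code=13)' > "$dir/c.log"
    diagnose "$dir/c.ovpn" "$dir/c.log"
    pin_ipv4 "$dir/c.ovpn" > "$dir/fixed.ovpn"
    diagnose "$dir/fixed.ovpn" "$dir/c.log"
    rm -rf "$dir"
}
demo
```

An explicit `proto udp6` is left unchanged by `pin_ipv4`, so a deliberate IPv6 profile is not silently rewritten.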


by anonymous

Follow up from the previous post above.

As half of our fleet will be affected by these issues (old style RUT955s in service), there is no way on earth
we can roll out Firmware R_00.06.07.7!

So I factory reset the old style 955 and regressed via bootloader to R_00.06.07.5 (to completely wipe the box
and rebuild it to avoid any compounding errors).


When testing firmware on our previous builds,  we usually just picked one of each hardware build
and overwrote the firmware image as we would do in the production units. So the results reported
below may be different to the user experience of others as the upgrade was made from a different
starting point.

On selecting "Enable OpenVPN config from file" and loading a P12 certificate and password, we
see the same issue - we get the GUI screen saying "not available".


On populating the GUI screen manually, but uploading the P12 and password we have a working VPN again and 
the GUI populates with the correct data.

From this we conclude that the first GUI issue (population of config from a pre-defined file)  pre-dates
R_00.06.07.5, but the basic VPN functionality is working in R_00.06.07.5

In the name of completeness, we wiped again and used bootloader to reflash R_00.06.07.7 and
repeated the above tests. 
OpenVPN remained completely broken in R_00.06.07.7 - we could not
use it at all from the GUI - only by starting from the shell and manually uploading our config and
certificates via SCP. This is not practical, as we control the VPN by SMS when maintenance
access to the router is required.

We conclude therefore, that R00.06.07.7 from an OpenVPN perspective has actually
broken more than it fixed


Happy to help you test a beta release to get OpenVPN working - but for now, we have no option
but to retain R_00.06.07.5 in our fleet. If we cannot solve this I can see management insisting
we scrap Teltonika and select a different vendor (they are being sweet talked by Cradlepoint)
and I wouldn't want to see that happen!

Regards 

BB

 

1 Answer

0 votes
by anonymous
Hello,

I sincerely apologize that your query was not noticed until now. Have you tried to upgrade to our latest releases RUT9XX_R_00.08.06.3 or RUT9_R_00.07.00? We have made significant changes over time.

Regards.