Slight hiccup moving Openvpn certs to jffs

martinr
As much for the experience as for need, I followed the wiki on reducing nvram size by moving Openvpn certs to jffs:

https://github.com/RMerl/asuswrt-merlin/wiki/reducing-nvram-for-openvpn-certs

It didn't work out, in that the server could not initialize, so I reverted back for a rethink.

I'd be very grateful if anyone who's already done this could cast their eyes over the screenshots of my jffs files and the corresponding entries in the custom config box to see if anything obvious pops up. (I did follow Para 4 in the Wiki and left a space in the otherwise empty Content Modification of Keys and Certificates boxes. I saved and applied the settings and even tried rebooting the router.) I've clearly done something silly.


[Attached screenshots: Clipboard01.jpg, files2.jpg]

I tried that procedure and could not get it to work for me. So, I took a slightly different approach that did work.

Using WinSCP I connected to the router, changed directory to /jffs and created a directory called "ov" and changed to that directory.

With the OpenVPN configuration opened to VPN Details/Advanced Settings, I opened Content Modification of Keys and Certification, copied the visible cert content, switched to WinSCP where I created a file matching the value, pasted the cert content into the file, saved it and set file permissions to 755.
I ended up with four files:
ca.crt, dh.pem, server.crt and server.key

I then deleted the values from Content Modification of Keys and Certification leaving a (space) character in each block.

Under Custom Configuration I entered:

ca /jffs/ov/ca.crt
df /jffs/ov/dh.pem
cert /jffs/ov/server.crt
key /jffs/ov/server.key

I know there are likely more files you could move but this sure helped me keep the routers running longer!

Bill
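The staging steps Bill describes (four PEM files under /jffs/ov, then four directives in Custom Configuration), as an added shell example that is not from this thread or from the firmware: it checks that each staged file actually carries the PEM block OpenVPN expects, emits the directives with the correct "dh" keyword, and tightens the private key to owner-only access (Bill used 755; a world-readable server.key on a multi-user box is the one file worth locking down). The OV_DIR variable and the check_file/stage_all names are assumptions so it can be tried in any directory before being pointed at the router.

```shell
#!/bin/sh
# Added example (not from the thread): validate OpenVPN server material staged
# under /jffs/ov and print the matching Custom Configuration directives.
# OV_DIR is an assumption so the script can be tried outside the router.
OV_DIR="${OV_DIR:-/jffs/ov}"

# Return 0 if the file holds a matching PEM BEGIN/END pair for the label
# (the ".*" lets "RSA PRIVATE KEY" and "PRIVATE KEY" both match "PRIVATE KEY").
pem_has_block() {
  file="$1"; label="$2"
  grep -q -- "-----BEGIN.*${label}-----" "$file" &&
  grep -q -- "-----END.*${label}-----" "$file"
}

# Check one staged file: present, non-empty, carrying the expected PEM block.
check_file() {
  file="$1"; label="$2"
  [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 1; }
  pem_has_block "$file" "$label" || { echo "no ${label} block in $file" >&2; return 1; }
  return 0
}

# Print the four Custom Configuration directives; note "dh", not "df".
custom_config() {
  dir="$1"
  printf 'ca %s/ca.crt\ndh %s/dh.pem\ncert %s/server.crt\nkey %s/server.key\n' \
    "$dir" "$dir" "$dir" "$dir"
}

# Validate all four files, restrict the private key, then print the directives.
# Returns 1 (and prints nothing) if any file is missing or malformed.
stage_all() {
  dir="$1"
  check_file "$dir/ca.crt" "CERTIFICATE" &&
  check_file "$dir/server.crt" "CERTIFICATE" &&
  check_file "$dir/server.key" "PRIVATE KEY" &&
  check_file "$dir/dh.pem" "DH PARAMETERS" || return 1
  chmod 600 "$dir/server.key"   # the key never needs to be world-readable
  custom_config "$dir"
}

# Usage on the router once the files are in place: stage_all "$OV_DIR"
```

Running stage_all against the directory prints the four lines to paste into the Custom Configuration box, or an error naming the file that is not a valid PEM (the usual cause being a partial copy from the GUI text box).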
 
Many thanks, Bill, for such a detailed and helpful explanation. If I'm not mistaken, I was introduced to WinSCP thanks to you in another topic, and I used it to move the files around. And whilst I want to become adept at using Linux commands, WinSCP makes such light work of it - and is far more forgiving!

I'll give your method a go and let you know. Nice to know I haven't necessarily made a silly blunder.
 
I tried that procedure and could not get it to work for me. So, I took a slightly different approach that did work......

........Under Custom Configuration I entered:

ca /jffs/ov/ca.crt
df /jffs/ov/dh.pem
cert /jffs/ov/server.crt
key /jffs/ov/server.key

I know there are likely more files you could move but this sure helped me keep the routers running longer!

Bill

Many thanks, Bill, it worked. However, for anyone coming to this in future, "df" should read "dh" i.e. df /jffs/ov/dh.pem

I set permissions to 755 and then I thought I'd see if that was critical, so I re-set them to the original rw-rw-rw i.e. 666 and found it didn't affect anything, so I've left them at that.
 
Ah, sorry for the typo. Glad you got it to work!

bb
 
A gotcha to beware of when moving keys and certs from jffs to nvram:

A couple of weeks ago, I moved my 4 OpenVPN files (ca.crt, server.crt, server.key and dh.pem) from nvram to jffs. Today I had the opportunity to set up the OpenVPN GUI client software on my laptop (previously, I'd only used the OpenVPN Connect app - on my iPhone).

I exported the config file from my router (OpenVPN Advanced Settings page) and got this message when I tried to connect using OpenVPN GUI on my Windows desktop:

cannot load CA certificate [[INLINE]] (no entries were read) (open ssl)


The last few lines of the config file looked like:
......
uth-user-pass
ns-cert-type server
<ca>
</ca>
resolv-retry infinite
nobind


There should have been some 20 lines containing the CA cert between the entries: <ca> and </ca>.

The solution is either to export the ovpn config file(s) before moving the files to jffs (i.e. have all your clients set up before moving the nvram entries), or to temporarily reinstate the CA Cert and then export the config file. Alternatively, the CA Cert can be copied into the config file using an editor such as Notepad++ whilst remembering to use the correct format.

i.e. Don't just export the .ovpn config file after moving the keys/certs to jffs unless you've taken steps to get the CA cert into the config file.
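The empty <ca></ca> block described above is easy to miss when the profile is exported in bulk, so here is an added shell example (not from this thread and not part of the router firmware) that detects an exported .ovpn whose <ca> block contains no certificate and writes a corrected copy with the CA PEM inlined between the tags. The ca_block_empty and inline_ca names are assumptions; the input profile and CA file paths are whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the thread): find an exported .ovpn whose <ca>
# block is empty and produce a copy with the CA certificate inlined.

# Return 0 only if the profile has a <ca> block with no certificate inside it;
# return 1 if the block already carries a certificate or is absent altogether.
ca_block_empty() {
  awk '
    /^<ca>$/   { inblock = 1; seen = 1; next }
    /^<\/ca>$/ { inblock = 0; next }
    inblock && /BEGIN CERTIFICATE/ { found = 1 }
    END { exit (seen && !found) ? 0 : 1 }
  ' "$1"
}

# Write a copy of the profile with the CA PEM file placed between <ca> and
# </ca>, replacing whatever (usually nothing) was inside the block.
inline_ca() {
  profile="$1"; ca_file="$2"; out="$3"
  awk -v ca="$ca_file" '
    /^<ca>$/ {
      print
      while ((getline line < ca) > 0) print line
      close(ca)
      skip = 1
      next
    }
    /^<\/ca>$/ { skip = 0 }
    !skip { print }
  ' "$profile" > "$out"
}

# Usage: if ca_block_empty client.ovpn; then inline_ca client.ovpn ca.crt client-fixed.ovpn; fi
```

Run ca_block_empty over every exported profile before handing it to a client; a profile that passes the check still needs the same CA the server is using, so point inline_ca at the ca.crt you copied into /jffs/ov rather than at a stale copy.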
 