
ca.crt file cut short when trying to enable OpenVPN client


Xuntar

New Around Here
Hi guys,

I'm a new user here and I seem to have some problems trying to activate the openvpn client. When I copy-paste the crt file I get from my vpn provider (about 690 lines), everything seems fine. Unfortunately, when I try to activate the client, it cuts off nearly everything in that file.
When I add it manually through ssh using vi, and then try to start the client using the GUI, it does the same thing.

Is this the normal behaviour? And if not, what can I do to make it work?

Thanks in advance!
 
Hi guys,

I'm a new user here and I seem to have some problems trying to activate the openvpn client. When I copy-paste the crt file I get from my vpn provider (about 690 lines), everything seems fine. Unfortunately, when I try to activate the client, it cuts off nearly everything in that file.
When I add it manually through ssh using vi, and then try to start the client using the GUI, it does the same thing.

Is this the normal behaviour? And if not, what can I do to make it work?

Thanks in advance!

Hi,

Have you followed the instructions at the top of the page where you enter your key? It most likely explains why it's getting truncated.
 
Hi Merlin,
Thanks for your reply.

The only thing I see at the top of the page is pasting the content including the 2 lines and now I also see (can't believe I didn't notice that yesterday) that it says: "Limit: 3499 characters per field".
My crt file has quite a bit more characters I'm afraid. Why is it limited like that and is there a way to override it?

I managed to get it working for now by using another vpn server with a shorter crt file, but I seem to be having another problem: I can only ping the vpn server I'm connected to. I can't seem to get internet access (through that vpn) working.
Firewall is set to automatic and I find no errors in the log. Is there any guide or checklist I should follow? I've read through most of the forum here but the only similar problem I found was related to the firewall...

Kind regards.
 
The only thing I see at the top of the page is pasting the content including the 2 lines and now I also see (can't believe I didn't notice that yesterday) that it says: "Limit: 3499 characters per field".
My crt file has quite a bit more characters I'm afraid. Why is it limited like that and is there a way to override it?

There's enough room there to paste a 4096 bit cert, which is more than enough. If your cert doesn't fit in there, then it's because you either are pasting other stuff than what's between the BEGIN/END lines, or you are for some reason using a certificate that is higher than 4096 bits, which is way, way overkill, especially on a low-powered router.

The size limitation is there for memory consumption reasons. The buffers have to be pre-allocated by the web server to process posted data, so I went with what was a reasonable limit to avoid wasting memory.
 
Thanks for the explanation. I can assure you I took the crt file that was given to me by my VPN provider, which is 41KB large (41376 characters, containing 30 different certificates). I'm not sure why they gave me that one, but I assume they just put all their server certificates in one file.

Fortunately, I found another crt file which contains the certificate for just one server which works perfectly well (it can connect to the server at least), but as I posted before: I can't seem to make a connection to the internet from behind the router.
Without the OpenVPN client everything works well, I set up everything according to the guidelines, the connection (and pinging) to the VPN server works as well, but trying to connect to anything else fails.

Do you have any idea what I might be doing wrong?
 
Fortunately, I found another crt file which contains the certificate for just one server which works perfectly well (it can connect to the server at least), but as I posted before: I can't seem to make a connection to the internet from behind the router.
Without the OpenVPN client everything works well, I setup everything according to the guidelines, the connection (and pinging) to the VPN server works as well, but trying to connect to anything else fails.

Do you have any idea what I might be doing wrong?

Could be a dozen reasons. It's impossible to tell just without having at least some basic information. Post info on what actual tunnel provider you are using, what settings you are using, and what's in the System Log during the connection...
 
Text edit of CA

Ok, I'll bite.

* Determine which server you intend to connect to.
* Open your "large VPN provider" crt file with a text editor.
* Find your server in the text.
* Identify the certificate information.
Starts with ----- BEGIN xxx ----
* Copy the certificate lines from:
----- BEGIN xxx ----
until
----- END xxx -----
* Paste only that information into the appropriate field in the router configuration.
 
Could be a dozen reasons. It's impossible to tell just without having at least some basic information. Post info on what actual tunnel provider you are using, what settings you are using, and what's in the System Log during the connection...

Ok, I wasn't sure exactly what information you needed, so here goes:
Code:
Dec  1 17:36:53 rc_service: httpd 303:notify_rc start_vpnclient1
Dec  1 17:36:53 kernel: tun: Universal TUN/TAP device driver, 1.6
Dec  1 17:36:53 kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Dec  1 17:36:53 openvpn[1813]: OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Nov 24 2013
Dec  1 17:36:53 openvpn[1813]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Dec  1 17:36:53 openvpn[1813]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec  1 17:36:53 openvpn[1813]: Socket Buffers: R=[116736->131072] S=[116736->131072]
Dec  1 17:36:53 openvpn[1819]: UDPv4 link local: [undef]
Dec  1 17:36:53 openvpn[1819]: UDPv4 link remote: [AF_INET]9*.**.*3.***:443
Dec  1 17:36:53 openvpn[1819]: TLS: Initial packet from [AF_INET]9*.**.*3.***:443:443, sid=e74e123f f6831578
Dec  1 17:36:53 openvpn[1819]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Dec  1 17:37:00 openvpn[1819]: VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Dec  1 17:37:00 openvpn[1819]: VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=server, name=changeme, emailAddress=mail@host.domain
Dec  1 17:37:01 openvpn[1819]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1574'
Dec  1 17:37:01 openvpn[1819]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
Dec  1 17:37:01 openvpn[1819]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Dec  1 17:37:01 openvpn[1819]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec  1 17:37:01 openvpn[1819]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Dec  1 17:37:01 openvpn[1819]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec  1 17:37:01 openvpn[1819]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Dec  1 17:37:01 openvpn[1819]: [server] Peer Connection Initiated with [AF_INET]9*.**.*3.***:443:443
Dec  1 17:37:03 openvpn[1819]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Dec  1 17:37:03 openvpn[1819]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 9.8.0.1,topology net30,ping 5,ping-restart 30,ifconfig 19.12.2.1 16.16.1.8'
Dec  1 17:37:03 openvpn[1819]: OPTIONS IMPORT: timers and/or timeouts modified
Dec  1 17:37:03 openvpn[1819]: OPTIONS IMPORT: --ifconfig/up options modified
Dec  1 17:37:03 openvpn[1819]: OPTIONS IMPORT: route options modified
Dec  1 17:37:03 openvpn[1819]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Dec  1 17:37:03 openvpn[1819]: TUN/TAP device tun11 opened
Dec  1 17:37:03 openvpn[1819]: TUN/TAP TX queue length set to 100
Dec  1 17:37:03 openvpn[1819]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Dec  1 17:37:03 openvpn[1819]: /usr/sbin/ip link set dev tun11 up mtu 1500
Dec  1 17:37:03 openvpn[1819]: /usr/sbin/ip addr add dev tun11 local 19.12.2.1 peer 16.16.1.8
Dec  1 17:37:03 openvpn[1819]: updown.sh tun11 1500 1542 19.12.2.1 16.16.1.8 init
Dec  1 17:37:03 rc_service: service 1857:notify_rc updateresolv
Dec  1 17:37:03 dnsmasq[380]: read /etc/hosts - 5 addresses
Dec  1 17:37:03 dnsmasq[380]: using nameserver 435.680.690.130#53
Dec  1 17:37:03 dnsmasq[380]: using nameserver 435.680.691.2#53
Dec  1 17:37:03 dnsmasq[380]: using nameserver 8.8.4.4#53
Dec  1 17:37:03 dnsmasq[380]: using nameserver 8.8.8.8#53
Dec  1 17:37:03 openvpn[1819]: /usr/sbin/ip route add 9*.**.*3.***/32 via 192.168.0.1
Dec  1 17:37:03 openvpn[1819]: /usr/sbin/ip route add 0.0.0.0/1 via 19.12.2.1
Dec  1 17:37:03 openvpn[1819]: /usr/sbin/ip route add 128.0.0.0/1 via 19.12.2.1
Dec  1 17:37:03 openvpn[1819]: /usr/sbin/ip route add 9.8.0.1/32 via 19.12.2.1
Dec  1 17:37:03 openvpn[1819]: Initialization Sequence Completed

I only changed the IP addresses in that file (all of those were filled in automatically except for the VPN server address of course).

I'm using Client 1, interface type TUN, protocol UDP, Firewall Automatic, Authorization Mode TLS, Poll interval 0, Redirect Internet Traffic No, DNS Configuration Strict (tried different ones, doesn't help), Encryption Default, Compression Adaptive, TLS Ren. Time -1, Connection Retry -1
Custom Config:
Code:
persist-key
persist-tun
tls-client
comp-lzo
verb 1

I'm using the TorGuard VPN provider and used their tutorials for Tomato as a guideline for filling in the configuration on my router.

I hope this will help. Thanks again!

PS: Not sure if this is important, but my internet provider has provided me with a router I have to use, to which my router (the RT-AC66U) is connected.
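Added example, not posted by anyone in this thread: a small POSIX shell script that triages an OpenVPN client log like the one above. It flags the security-relevant warning the log itself prints (no server certificate verification method), confirms the two milestones that matter for "is the tunnel up at all" (VERIFY OK for the server cert, Initialization Sequence Completed), and prints informational notes about the pushed redirect-gateway, the installed 0.0.0.0/1 + 128.0.0.0/1 route pair, the MTU mismatch and the data-channel cipher. The sample log lines in demo() are constructed from the post above; the script assumes only grep, mktemp and a POSIX sh (busybox on the router is enough).

```shell
#!/bin/sh
# Added example (not from the thread): triage an OpenVPN client log.
# Assumes a POSIX shell with grep and mktemp.

# triage_openvpn_log FILE
#   Prints one line per finding and returns the number of problems found
#   (0 = server cert verified, tunnel initialised, no MITM warning).
triage_openvpn_log() {
    log=$1
    problems=0

    if grep -q 'No server certificate verification method' "$log"; then
        echo "PROBLEM: the server certificate's role is not checked (see the howto#mitm link in the log; 'remote-cert-tls server' is the usual fix)"
        problems=$((problems + 1))
    fi
    if grep -q 'VERIFY OK: depth=0' "$log"; then
        echo "ok: server certificate chained to the configured CA"
    else
        echo "PROBLEM: no 'VERIFY OK' for the server certificate (wrong or truncated CA?)"
        problems=$((problems + 1))
    fi
    if grep -q 'Initialization Sequence Completed' "$log"; then
        echo "ok: tunnel initialised"
    else
        echo "PROBLEM: tunnel never reached 'Initialization Sequence Completed'"
        problems=$((problems + 1))
    fi

    # Informational notes: these do not stop the tunnel but matter when debugging.
    if grep -q 'redirect-gateway' "$log"; then
        echo "note: server pushed redirect-gateway (asks the client to send all traffic through the tunnel)"
    fi
    if grep -q 'route add 0.0.0.0/1' "$log" && grep -q 'route add 128.0.0.0/1' "$log"; then
        echo "note: 0.0.0.0/1 and 128.0.0.0/1 were installed, so the default route now points into the tunnel"
    fi
    if grep -q 'is used inconsistently' "$log"; then
        echo "note: link-mtu/tun-mtu differ between client and server; large packets may be fragmented or dropped"
    fi
    if grep -q "Cipher 'BF-CBC'" "$log"; then
        echo "note: data channel uses Blowfish-CBC (64-bit block cipher); prefer AES if the provider offers it"
    fi

    echo "problems=$problems"
    return $problems
}

# Constructed sample modelled on the log posted in the thread.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
Dec  1 17:36:53 openvpn[1813]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Dec  1 17:37:00 openvpn[1819]: VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=server
Dec  1 17:37:01 openvpn[1819]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Dec  1 17:37:01 openvpn[1819]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
Dec  1 17:37:03 openvpn[1819]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,topology net30'
Dec  1 17:37:03 openvpn[1819]: /usr/sbin/ip route add 0.0.0.0/1 via 19.12.2.1
Dec  1 17:37:03 openvpn[1819]: /usr/sbin/ip route add 128.0.0.0/1 via 19.12.2.1
Dec  1 17:37:03 openvpn[1819]: Initialization Sequence Completed
EOF
    triage_openvpn_log "$tmp" || true
    rm -f "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh triage.sh demo` to see the findings for the constructed sample, or source it and call `triage_openvpn_log /tmp/syslog.log` on a copy of the router's System Log. On the posted log it reports one problem (the missing server-certificate verification) and confirms that the routes were installed, which narrows the "can only ping the VPN server" question to what happens after routing, not to the tunnel itself.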
 
Ok, I'll bite.

* Determine which server you intend to connect to.
* Open your "large VPN provider" crt file with a text editor.
* Find your server in the text.
* Identify the certificate information.
Starts with ----- BEGIN xxx ----
* Copy the certificate lines from:
----- BEGIN xxx ----
until
----- END xxx -----
* Paste only that information into the appropriate field in the router configuration.

That's probably the second thing I tried, but it only contains keys between multiple "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines. So the "Find your server in the text" step is a bit hard ;-)
There is no way of knowing (I think) which key corresponds to which server, at least not in the file.
 
That's probably the second thing I tried, but it only contains keys between multiple "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines. So the "Find your server in the text" step is a bit hard ;-)
There is no way of knowing (I think) which key corresponds to which server, at least not in the file.

This webpage lets you decode a PEM:

http://www.sslshopper.com/certificate-decoder.html
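Added example, not from any poster in this thread: a shell script that does the "copy from BEGIN to END" step from the list above mechanically. It splits a provider bundle into one file per certificate, reports each block's character count against the 3499-character field limit Merlin mentioned, and, where the openssl binary is installed, prints each certificate's subject, issuer and fingerprint so you can tell which block is which without pasting it into a web decoder. It assumes a POSIX shell with awk (busybox awk on the router is fine); the output file names and the demo bundle are constructed, and the demo's base64 bodies are placeholders rather than real certificates.

```shell
#!/bin/sh
# Added example (not from the thread): split a multi-certificate PEM bundle,
# size-check each block against the GUI field limit, and describe each block.
# Assumes a POSIX shell with awk, wc and mktemp; openssl is optional.

LIMIT=3499   # per-field limit quoted in the thread

# split_bundle BUNDLE OUTDIR
#   Writes OUTDIR/cert-N.pem for each BEGIN/END CERTIFICATE block and
#   prints the number of blocks found.
split_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inblock = 1 }
        inblock { print > out }
        /-----END CERTIFICATE-----/ { inblock = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# block_chars FILE -> number of characters in the block, newlines included
block_chars() {
    wc -c < "$1" | tr -d ' '
}

# fits_limit FILE -> exit 0 if the block fits in the GUI field, 1 otherwise
fits_limit() {
    [ "$(block_chars "$1")" -le "$LIMIT" ]
}

# describe FILE -> subject/issuer/fingerprint when openssl is available
describe() {
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256 2>/dev/null \
            || echo "could not decode $1 (not a valid certificate?)"
    else
        echo "openssl not found; decode $1 with another tool"
    fi
}

# Demo on a constructed three-block bundle (placeholder bodies, not real certs).
demo() {
    tmp=$(mktemp -d)
    i=0
    while [ $i -lt 3 ]; do
        echo "-----BEGIN CERTIFICATE-----"
        echo "MIIBplaceholder${i}AAAA"
        echo "-----END CERTIFICATE-----"
        i=$((i + 1))
    done > "$tmp/bundle.crt"
    n=$(split_bundle "$tmp/bundle.crt" "$tmp/out")
    echo "found $n certificate blocks"
    for f in "$tmp"/out/cert-*.pem; do
        if fits_limit "$f"; then status=ok; else status="too big for the field"; fi
        echo "$f: $(block_chars "$f") chars ($status)"
        describe "$f"
    done
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run `sh splitcerts.sh demo` to see it on the placeholder bundle, or source it and call `split_bundle provider.crt ./certs` on the real 30-certificate file. A single CA certificate fits the field comfortably; if every block is still too big, the bundle is not what the CA field expects. Knowing the subject and issuer of each block also tells you which one is the CA that signed the server certificate named in the VERIFY OK lines of the log.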
 
I'm using Client 1, interface type TUN, protocol UDP, Firewall Automatic, Authorization Mode TLS, Poll interval 0, Redirect Internet Traffic No, DNS Configuration Strict (tried different ones, doesn't help), Encryption Default, Compression Adaptive, TLS Ren. Time -1, Connection Retry -1

Try setting Redirect Internet to Yes, otherwise your traffic will not be redirected through the tunnel.
 
Try setting Redirect Internet to Yes, otherwise your traffic will not be redirected through the tunnel.

I've just tried this, but there is no difference between with or without that switch on. Pinging anything else but the VPN server times out...
 
Sorry to bother you guys again with this, but I'm still as stuck as before. Do you have any other ideas or is there any other logs/information I can deliver that might help you to help me solve my problem?
 
