Solved OpenVPN custom configuration not loading

Argh123

Occasional Visitor
I have 2 issues with the VPN.
1. I can connect and go online however can only access my desktop that's on the ethernet port. I cannot access my desktop on the WLAN. I am guessing I need to route via the config? Both is selected on the VPN Server settings.

2. I saw a post to block the admin account and added a custom configuration but it does not work.

Custom config:
script-security 2
client-connect /jffs/scripts/ovpn-client-connect.sh

Ovpn-client-connect.sh has this:
[username=="admin"] && exit 1

All users have execute right to the .sh

I get this error: "WARNING: Failed running command (--client-connect): could not execute external program"


On the SSH connection I tried this: dos2unix /jffs/scripts/ovpn-client-connect.sh but it still does not work. I am unsure what the issue is. If I remove the custom config, the VPN works.

Hoping someone has an idea why it does not work?
 

eibgrad

Part of the Furniture
Beware, it is VERY common for personal firewalls on target devices to be the problem! Particularly if it's Windows. By default, Windows will NOT allow access by any other private network other than the one on which it's running. And so when it sees the IP network on the OpenVPN server's tunnel (e.g., 10.8.0.0/24), it rejects it. Not unless you add that IP network to its firewall.

IOW, the fact that one desktop is on the ethernet port (and is accessible), while the other is on wireless (and NOT accessible) may be a red herring.
 

eibgrad

Part of the Furniture
Ovpn-client-connect.sh has this:
[username=="admin"] && exit 1

If that is literally all you have in the script, it's insufficient. You need to add the shebang as well. And your syntax is not correct either.

Code:
#!/bin/sh
[ "$username" == 'admin' ] && exit 1

Notice the space after [ and before ]. And mark it executable as well.

Code:
chmod +x /jffs/scripts/ovpn-client-connect.sh

BTW, I have no idea if that is sufficient to prevent the access. I'm only referring to the issues of syntax and file permissions. Usually if a script returns non-zero, OpenVPN considers it a failure and responds in the syslog accordingly.
 

Argh123

Occasional Visitor
Thank you. I'll try this. Let you know.

On the WiFi. I could not access anything on the WiFi network. Desktop, TV etc. Couldn't even ping it. That's why I assumed I need to route it.
I can test it once I get the .sh to work as I can add the routes in there.
 

elorimer

Very Senior Member
This wouldn't be why it doesn't work, but testing for "admin" should be for whatever the name you use to log in to the webgui of the router. It wouldn't be a bad idea to move off the default name.
 

Argh123

Occasional Visitor
If that is literally all you have in the script, it's insufficient. You need to add the shebang as well. And your syntax is not correct either.

Code:
#!/bin/sh
[ "$username" == 'admin' ] && exit 1

Notice the space after [ and before ]. And mark it executable as well.

Code:
chmod +x /jffs/scripts/ovpn-client-connect.sh

BTW, I have no idea if that is sufficient to prevent the access. I'm only referring to the issues of syntax and file permissions. Usually if a script returns non-zero, OpenVPN considers it a failure and responds in the syslog accordingly.
Thank you. Your script helped me track down the issue. In the end, I figured out it was the .sh itself.

In case anyone else has this issue, this is how I resolved it.

Since I created the file in Windows, I had to run the command below. I am guessing if you create it within the terminal, you won't have this issue.
Code:
dos2unix /jffs/scripts/ovpn-client-connect.sh

It then needed the permissions:
Code:
chmod +x /jffs/scripts/ovpn-client-connect.sh

This was the ovpn-client-connect.sh
Bash:
#!/bin/sh
if [ "$username" == 'admin' ]; then
        exit 1
fi

This wouldn't be why it doesn't work, but testing for "admin" should be for whatever the name you use to log in to the webgui of the router. It wouldn't be a bad idea to move off the default name.
Thank you. The username is already changed.

The above resolved the issue in blocking the admin account from using the VPN.

Still got the weird issue when I connect to the VPN, I cannot see devices that are on the WiFi.
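A preflight check for the hook script, added here as an example and not taken from any post in this thread. It tests for the three faults discussed above (no shebang on line 1, Windows CRLF line endings, missing execute bit) and reports each one with the fix; the function name check_hook_script is my own, the path is the one used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: preflight check for an OpenVPN hook
# script such as /jffs/scripts/ovpn-client-connect.sh. It reports the three
# faults discussed in this thread: no shebang on line 1, Windows CRLF line
# endings (OpenVPN then logs "could not execute external program" because
# the kernel looks for an interpreter literally named "/bin/sh\r"), and a
# missing execute bit. Returns 0 when the script is clean, 1 otherwise.

check_hook_script() {
    f=$1
    rc=0
    if [ ! -f "$f" ]; then
        echo "$f: no such file"
        return 1
    fi
    # Line 1 must be a shebang; /bin/sh is the busybox shell on Asuswrt.
    first=$(head -n 1 "$f" | tr -d '\r')
    case "$first" in
        '#!'*) ;;
        *) echo "$f: missing #!/bin/sh shebang on line 1"; rc=1 ;;
    esac
    # Any carriage return means the file was saved with Windows line endings.
    if grep -q "$(printf '\r')" "$f"; then
        echo "$f: CRLF line endings, fix with: dos2unix $f"
        rc=1
    fi
    if [ ! -x "$f" ]; then
        echo "$f: not executable, fix with: chmod +x $f"
        rc=1
    fi
    return "$rc"
}

# Usage on the router: check_hook_script /jffs/scripts/ovpn-client-connect.sh
```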
 

elorimer

Very Senior Member
The [ ] formulation already gives you the if test, doesn't it?
 

elorimer

Very Senior Member
Usually if a script returns non-zero, OpenVPN considers it a failure and responds in the syslog accordingly.
Yes, you get this in the log when that script works:
Code:
Jan 29 18:47:54 RT-AC86U ovpn-server1[3213]: 192.168.50.106:60779 TLS: Username/Password authentication succeeded for username 'youradminname' 
...
Jan 29 18:47:54 RT-AC86U ovpn-server1[3213]: client/192.168.50.106:60779 WARNING: Failed running command (--client-connect): external program exited with error status: 1
...
Jan 29 18:47:55 RT-AC86U ovpn-server1[3213]: client/192.168.50.106:60779 SENT CONTROL [client]: 'AUTH_FAILED' (status=1)
Jan 29 18:47:56 RT-AC86U ovpn-server1[3213]: client/192.168.50.106:60779 Connection reset, restarting [0]
 

elorimer

Very Senior Member
I tried it without the IF; Then FI and it does not work.
The [ $username == "youradminname" ] && exit 1 structure works for me.
 

Argh123

Occasional Visitor
The WiFi. I narrowed down the issue. It had nothing to do with the Asus router.

The VPN doesn't forward ping to WiFi for some reason, which is what I was using to test it. Once I tried remote desktop it worked.

The other test was me browsing to my WiFi camera, which wasn't working as well. It looks like this is due to the fact that the IP of the VPN is in a different range, so it is auto-blocking it.

To be 100% sure, I created an nginx on my laptop and via the WiFi I could browse no problem.
 

eibgrad

Part of the Furniture
The other test was me browsing to my WiFi camera, which wasn't working as well. It looks like this is due to the fact that the IP of the VPN is in a different range, so it is auto-blocking it.

You might find the following helpful.

 

Argh123

Occasional Visitor
You might find the following helpful.

This helped me track down what it was. I entered the command and I can see the connection is coming from the router in the nginx logs. But the WiFi camera still would not show. This was because I blocked the WiFi camera from being able to go online in the router, so in the iptables there is a
Code:
-A FORWARD -s 192.168.1.100/32 -i br0 -j DROP
Now I need to figure out how iptables works and see if I can allow it from the VPN.
 

Argh123

Occasional Visitor
The WiFi camera issue is resolved. It was the firewall on the ASUS Router.
This is how I resolved it.

Code:
nano /jffs/scripts/nat-start
In there I entered:
Code:
#!/bin/sh
iptables -I FORWARD 1 -i br0 -s IP-OF-WIFI-CAMERA -d VPN-SUBNET/24 -j ACCEPT

This added the allow above the internet block. All it is doing is allowing the VPN subnet to the WiFi Camera.

Thank you for your help. It pointed me in the correct direction.

Only issue, I found is that if the firewall service restarts on the ASUS router for any reason, it wipes the iptables config. Either I need to add it manually or reboot the router. Is there a way I can save it permanently?
 

eibgrad

Part of the Furniture
Only use the nat-start script for rules that change the NAT table. Use the firewall-start script for anything else, like the FILTER table (the default). To do otherwise risks corrupting the firewall. That's probably why you're losing the rule.
 

Argh123

Occasional Visitor
Only use the nat-start script for rules that change the NAT table. Use the firewall-start script for anything else, like the FILTER table (the default). To do otherwise risks corrupting the firewall. That's probably why you're losing the rule.
Thank you. I added it to firewall-start and after a firewall restart the rules are there.
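An idempotent firewall-start, added as an example (not Argh123's or eibgrad's own script). On Asuswrt-Merlin firewall-start is re-run every time the firewall is rebuilt, so a plain iptables -I would stack another copy of the rule on each restart; this version asks iptables -C whether the rule is already there first. It assumes the router's iptables supports -C, and the camera address and VPN subnet are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: /jffs/scripts/firewall-start on
# Asuswrt-Merlin is re-run every time the firewall is rebuilt, so a plain
# "iptables -I" would add the same rule again on each restart. ensure_rule
# asks iptables whether the rule is already present (-C) before inserting.
# The addresses below are placeholders, not values from the thread.

CAMERA_IP="192.168.1.100"   # placeholder: LAN address of the WiFi camera
VPN_SUBNET="10.8.0.0/24"    # placeholder: the OpenVPN server's tunnel subnet
LAN_IF="br0"

# ensure_rule CHAIN RULE...: insert RULE at position 1 of CHAIN unless an
# identical rule already exists. Exit status is that of iptables.
ensure_rule() {
    chain=$1
    shift
    if iptables -C "$chain" "$@" 2>/dev/null; then
        return 0    # already there, nothing to do
    fi
    iptables -I "$chain" 1 "$@"
}

apply_rules() {
    # Camera may answer VPN clients; its separate internet DROP rule is untouched.
    ensure_rule FORWARD -i "$LAN_IF" -s "$CAMERA_IP" -d "$VPN_SUBNET" -j ACCEPT
}

# Only touch the firewall when run as the firewall-start hook itself, so the
# functions above can be sourced or tested without iptables present.
case "$0" in
    */firewall-start) apply_rules ;;
esac
```

Running it twice, or having the firewall restart twice, leaves exactly one ACCEPT rule at the top of FORWARD.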
 
