RT-AC59U V2 - OpenVPN server - connection via cert key


viallos

Hi

I'm using the latest firmware version: 3.0.0.4.386_21649-g7401a04 on RT-AC59U V2 and I tried to set up the OpenVPN server to accept connections without passwords but through client cert and key.

In the Advanced tab I specified:
Username / Password Auth. Only : No
Authorization Mode : TLS

I downloaded EasyRSA-3.0.8 and have done the following:

easyrsa init-pki
easyrsa build-ca
easyrsa build-server-full server nopass
easyrsa build-client-full client1 nopass
easyrsa gen-dh

I have pasted all required keys and certs to Asus OpenVPN server via Content modification of Keys & Certification option.
Applied changes.

When I download the client.ovpn file it contains:
auth-user-pass
option, and when I use it it asks for username and password.

When I commented out
#auth-user-pass
in client.ovpn file it no longer asks for password but I'm getting:

Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 TLS Error: Auth Username/Password was not provided by peer
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 TLS Error: TLS handshake failed
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 SIGUSR1[soft,tls-error] received, client-instance restarting

Full log from Asus looks like below:

Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 TLS: Initial packet from [AF_INET]192.168.50.150:49153 (via [AF_INET]xxxxxxxx), sid=9e1c211c cb158c3b
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC59U_V2, emailAddress=[email protected]
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=client, emailAddress=[email protected]
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 peer info: IV_VER=2.5_rc2
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 peer info: IV_PLAT=win
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 peer info: IV_PROTO=6
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 peer info: IV_NCP=2
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-128-CBC
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 peer info: IV_LZ4=1
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 peer info: IV_LZ4v2=1
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 peer info: IV_LZO=1
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 peer info: IV_COMP_STUB=1
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 peer info: IV_COMP_STUBv2=1
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 peer info: IV_TCPNL=1
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 TLS Error: Auth Username/Password was not provided by peer
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 TLS Error: TLS handshake failed
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 SIGUSR1[soft,tls-error] received, client-instance restarting

Is it possible to connect without username/password to this router on stock firmware?


Is there anything else that I need to set in router config?
On Basic setup page it has only one user - router admin account.
Do I need to add another client there with password prior to running command: easyrsa build-client-full client1 nopass
I just wonder: if I add another user with a password, then should I create exactly the same key/cert via the command: easyrsa build-client-full client1 .... and set the same password that I created on the basic config screen?

I'll just add that if I'm using the standard setup with username and password via the OpenVPN client for Windows, it is working fine.

But I want to configure the server to accept connections without a password, as I would like to connect my WAGO PFC, which can't use interactive logon, to this server.
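
Added example, not part of the original post: a small triage script for server log lines like the ones quoted above. It separates the certificate-verification result from the username/password error, showing per peer whether the certificate chain was accepted before the handshake was rejected. The sample log is constructed (abridged from the post) and the function name `triage` is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample, abridged from the log lines quoted in the post above.
SAMPLE_LOG = """\
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 VERIFY OK: depth=1, C=TW, O=ASUS, CN=RT-AC59U_V2
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 VERIFY OK: depth=0, C=TW, O=ASUS, CN=client
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 peer info: IV_VER=2.5_rc2
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 TLS Error: Auth Username/Password was not provided by peer
Oct 19 00:39:15 vpnserver1[8098]: 192.168.50.150:49153 TLS Error: TLS handshake failed
"""

# "<daemon>[pid]: <ip:port> <message>" as written by the router's OpenVPN server
LINE = re.compile(r"vpnserver\d+\[\d+\]: (?P<peer>\d+\.\d+\.\d+\.\d+:\d+) (?P<msg>.*)$")
VERIFY = re.compile(r"VERIFY OK: depth=(\d+), .*?CN=([^,]+)")
TLS_ERR = "TLS Error: "

def triage(log_text):
    """Return {peer: {"chain": {depth: CN}, "errors": [...], "verdict": str}}."""
    peers = defaultdict(lambda: {"chain": {}, "errors": []})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a per-client server line
        entry, msg = peers[m["peer"]], m["msg"]
        v = VERIFY.match(msg)
        if v:
            entry["chain"][int(v.group(1))] = v.group(2).strip()
        elif msg.startswith(TLS_ERR):
            entry["errors"].append(msg[len(TLS_ERR):])
    for entry in peers.values():
        cert_ok = 0 in entry["chain"]  # depth 0 is the client's own certificate
        need_pw = any("Username/Password was not provided" in e for e in entry["errors"])
        if cert_ok and need_pw:
            entry["verdict"] = "cert accepted; server still requires username/password"
        elif need_pw:
            entry["verdict"] = "server requires username/password"
        elif entry["errors"]:
            entry["verdict"] = "other TLS failure"
        else:
            entry["verdict"] = "no TLS errors logged"
    return dict(peers)

if __name__ == "__main__":
    for peer, info in triage(SAMPLE_LOG).items():
        print(peer, info["chain"], "->", info["verdict"])
```

The `chain` output also lists the CN the server saw at each depth, which can be compared against the subject of the certificate that was actually issued for the client.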
 