Hi

I have been trying to get a pair of WRT54GL routers to connect using a routed OpenVPN connection in dd-wrt v24 release version. There is a decent guide here which lists how to set it up using a static key, but I want to try and do it "properly" using public and private keys for both the server and client.

One box is set up as the server with the following config:

# Move to writable directory and create scripts
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn

# Config for Site-to-Site
echo "
proto udp
port 2000
mode server
dev tun0
verb 3
comp-lzo
keepalive 15 60
daemon
log /tmp/openvpn.log
# TLS Mode Options
tls-server # Enable TLS and assume server role during TLS handshake
ca ca.crt # Certificate authority (CA) file
dh dh1024.pem # File containing Diffie Hellman parameters
cert server.crt # Local peer's signed certificate
key server.key # Local peer's private key
" > A2B.conf

echo "
-----BEGIN CERTIFICATE-----
*snip*
-----END CERTIFICATE-----
" > ca.crt

echo "
-----BEGIN RSA PRIVATE KEY-----
*snip*
-----END RSA PRIVATE KEY-----
" > server.key

echo "
-----BEGIN CERTIFICATE-----
*snip*
-----END CERTIFICATE-----
" > server.crt

echo "
-----BEGIN DH PARAMETERS-----
*snip*
-----END DH PARAMETERS-----
" > dh1024.pem

# Create interfaces
/tmp/myvpn --mktun --dev tun0
ifconfig tun0 10.0.0.1 netmask 255.255.255.0 promisc up

# Create routes
route add -net 192.168.252.0 netmask 255.255.255.0 gw 10.0.0.2

# Initiate the tunnel
sleep 15
/tmp/myvpn --config A2B.conf

Server Firewall config:

# Open firewall holes
iptables -I INPUT 2 -p udp --dport 2000 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

The client is configured as follows:

# Move to writable directory and create scripts
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn

# Config for Site-to-Site SiteA-SiteB
echo "
remote *REMOTESITE.COM*
proto udp
port 2000
dev tun0
verb 3
comp-lzo
keepalive 15 60
daemon
log /tmp/openvpn.log
# TLS Mode Options
tls-client
ca ca.crt
cert client.crt
key client.key
" > B2A.conf

echo "
-----BEGIN CERTIFICATE-----
*snip*
-----END CERTIFICATE-----
" > ca.crt

echo "
-----BEGIN CERTIFICATE-----
*snip*
-----END CERTIFICATE-----
" > client.crt

echo "
-----BEGIN RSA PRIVATE KEY-----
*snip*
-----END RSA PRIVATE KEY-----
" > client.key

# Create interfaces
/tmp/myvpn --mktun --dev tun0
ifconfig tun0 10.0.0.2 netmask 255.255.255.0 promisc up

# Create routes
route add -net 192.168.250.0 netmask 255.255.255.0 gw 10.0.0.1

# Initiate the tunnel
sleep 5
/tmp/myvpn --config B2A.conf

Client Firewall:

# Open firewall holes
iptables -I INPUT 2 -p udp --dport 2000 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Server initializes with no problem and should be ready for a connection, but the client will not finish initializing; it always comes up with an open cert error:

Sun May 25 00:13:15 2008 OpenVPN 2.0.9 mipsel-unknown-linux [SSL] [LZO] [EPOLL] built on May 20 2008
Sun May 25 00:13:15 2008 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun May 25 00:13:15 2008 Cannot load certificate file client.crt: error:0906D06C:lib(9):func(109):reason(108): error:140AD009:lib(20):func(173):reason(9)
Sun May 25 00:13:15 2008 Exiting

I would like to get rid of the server cert verification method error, but I don't think that is the same as the following line, which complains that it can't load the client certificate.

Could this be a permissions problem?

root@Lexington-WRT54GL:/tmp# ls -l
-rw-r--r-- 1 root root 1179 May 25 00:13 ca.crt
-rw-r--r-- 1 root root 1239 May 25 00:13 client.crt
-rw-r--r-- 1 root root 875 May 25 00:13 client.key
*snip*
-rw-r--r-- 1 root root 208 May 25 00:13 lex-remote.conf
lrwxrwxrwx 1 root root 17 Jan 1 1970 myvpn -> /usr/sbin/openvpn
-rw------- 1 root root 437 May 25 00:13 openvpn.log
*snip*

Very much hope someone can shed some light on this.

James
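The "Cannot load certificate file client.crt: error:0906D06C" line in the log above is OpenSSL's PEM reader reporting "no start line" (PEM_read_bio), wrapped by SSL_CTX_use_certificate_file (140AD009): the file could be opened, but no `-----BEGIN CERTIFICATE-----` block with a usable body was found in it. That is a content problem rather than a permissions problem, and a 0644 file is readable by the root user OpenVPN runs as on dd-wrt. The checker below is an added example, not part of James's post and not OpenVPN code; it uses only the Python standard library and is meant to be run on the workstation where the certificates were generated, before their text is pasted into the `echo "..." > file` lines of the router scripts. It reproduces the first steps of the PEM reader (find a BEGIN/END pair whose label fits the directive, base64-decode the body, confirm the result is one DER SEQUENCE of the announced length), so placeholder text, a wrong label, or a truncated paste is caught before the tunnel is started. The sample inputs are constructed: the base64 body is a five-byte DER SEQUENCE stand-in, not a real certificate.

```python
"""Pre-flight check for the PEM files an OpenVPN config names.  Added
example (not from the original post), standard library only, intended
for the workstation where the certificates were generated.

Mimics the start of OpenSSL's PEM reader: find a BEGIN/END pair whose
label fits the directive, base64-decode the body, and confirm it is one
DER SEQUENCE of the length its header announces.  OpenSSL reports a
failure of the first step as 'no start line' (error 0906D06C)."""
import base64
import os
import re
import stat

# Labels OpenSSL accepts for each OpenVPN file directive.  The post's
# files use 'RSA PRIVATE KEY'; PKCS#8 'PRIVATE KEY' is what newer
# openssl versions emit by default.
EXPECTED_LABELS = {
    "ca":   ("CERTIFICATE",),
    "cert": ("CERTIFICATE",),
    "key":  ("RSA PRIVATE KEY", "PRIVATE KEY"),
    "dh":   ("DH PARAMETERS",),
}

_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def der_length(data):
    """Total length the outer DER SEQUENCE claims, or None if the bytes
    do not begin with a well-formed SEQUENCE header (tag 0x30)."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short form: length in one byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def check_pem(text, directive):
    """Return a list of problems with PEM `text` used for `directive`
    ('ca', 'cert', 'key' or 'dh'); an empty list means it should load."""
    blocks = _BLOCK_RE.findall(text)      # tolerates echo's leading newline
    if not blocks:
        return ["no BEGIN/END block at all (OpenSSL: 'no start line')"]
    wanted = [b for b in blocks if b[0] in EXPECTED_LABELS[directive]]
    if not wanted:
        return ["'%s' needs %s but file holds %s (OpenSSL also reports "
                "this as 'no start line')"
                % (directive, " or ".join(EXPECTED_LABELS[directive]),
                   ", ".join(lbl for lbl, _ in blocks))]
    body = "".join(wanted[0][1].split())  # drop line breaks inside the body
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return ["body is not clean base64 (placeholder text, a stray "
                "character or a mangled paste?)"]
    claimed = der_length(der)
    if claimed is None:
        return ["decoded body is not a DER SEQUENCE"]
    if claimed != len(der):
        return ["DER length mismatch: header says %d bytes, body has %d "
                "(truncated or extra lines?)" % (claimed, len(der))]
    return []


def check_file(path, directive):
    """check_pem() on a file, plus a hygiene warning for readable keys
    (a 0644 key still loads when OpenVPN runs as root, as on dd-wrt)."""
    with open(path, "r") as fh:
        problems = check_pem(fh.read(), directive)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if directive == "key" and mode & 0o077:
        problems.append("private key is mode %o; 0600 is the norm" % mode)
    return problems


def check_config(conf_text, base_dir="."):
    """Walk an OpenVPN config, check every ca/cert/key/dh file it names
    (paths relative to base_dir, /tmp in the post's scripts) and return
    {directive: [problems]}."""
    report = {}
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()   # strip trailing comments
        if len(parts) >= 2 and parts[0] in EXPECTED_LABELS:
            report[parts[0]] = check_file(os.path.join(base_dir, parts[1]),
                                          parts[0])
    return report


# Constructed samples: the body is a 5-byte DER SEQUENCE { INTEGER 5 }
# stand-in, not a real certificate (real ones are around 1 KB).
SAMPLE_GOOD = ("\n-----BEGIN CERTIFICATE-----\nMAMCAQU=\n"
               "-----END CERTIFICATE-----\n")
SAMPLE_SNIPPED = ("\n-----BEGIN CERTIFICATE-----\n*snip*\n"
                  "-----END CERTIFICATE-----\n")
SAMPLE_TRUNCATED = ("\n-----BEGIN CERTIFICATE-----\nMAMCAQ==\n"
                    "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, text in (("good", SAMPLE_GOOD), ("snipped", SAMPLE_SNIPPED),
                       ("truncated", SAMPLE_TRUNCATED)):
        print(name, "as cert:", check_pem(text, "cert") or "OK")
    print("good as key:", check_pem(SAMPLE_GOOD, "key"))
```

Running `check_config(open("B2A.conf").read(), "/tmp")` on the client side of the post would check `ca.crt`, `client.crt` and `client.key` in one pass; the empty-list result for a file means OpenSSL's PEM parser will at least find and decode a block, which is the step the log shows failing. The DER length comparison catches the case where the paste was cut short or picked up an extra line, which base64 alone would not notice.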