Opened 3 years ago

Last modified 4 months ago

#3407 reopened

openvpncl static.key mode: Options error: specify only one of --tls-server, --tls-client, or --secret

Reported by: wenzhuo
Owned by:
Keywords:
Cc:


Background: I have been starting the openvpn client in rc_startup for a long time. But, starting from r23919, it looks like openvpn is less adaptive to the system clock change. If started in rc_startup (before the ntp clock sync), it just keeps sending packets timestamped at seconds after the Unix epoch, and the openvpn server considers it a replay attack, and the connection cannot be established. So I am trying to start it using openvpncl instead.

Because of some "technical" and "non-technical" reasons, I have to use the static key mode as the preferable method.

However, the openvpn.conf file openvpncl generates has in it both "secret /tmp/openvpncl/static.key" and "tls-client", which is not allowed by openvpn. Here is the error message:

Options error: specify only one of --tls-server, --tls-client, or --secret

Attachments (1)

screenshot-by-nimbus.png (57.0 KB) - added by wenzhuo 3 years ago.
OpenVPN Client configuration screenshot


Change History (7)

Changed 3 years ago by wenzhuo

Attachment: screenshot-by-nimbus.png added

OpenVPN Client configuration screenshot

comment:1 Changed 3 years ago by wenzhuo

OpenVPN Client configuration I intend to create:

[Attachment: screenshot-by-nimbus.png - OpenVPN Client configuration screenshot]

Last edited 3 years ago by wenzhuo

comment:2 Changed 3 years ago by Kong

Resolution: invalid
Status: new → closed

> However, the openvpn.conf file openvpncl generates has in it both

openvpncl does not generate anything as this is a directory under /tmp, thus no idea what you are talking about.

You have not given your generated openvpn.conf, thus no chance to debug anything.

comment:3 Changed 3 years ago by wenzhuo

Resolution: invalid
Status: closed → reopened

Steps to reproduce the problem

  1. configure openvpncl to use static key mode, as shown in the above screenshot.
  2. The resulting config file has both "secret" and "tls-client" in it, which is a configuration error; see above for the error msg.

I'll attach the config file shortly.

comment:4 Changed 3 years ago by wenzhuo

root@DD-WRT:/jffs/openvpncl# cat openvpn.conf.orig
secret /tmp/openvpncl/static.key
management 16
management-log-cache 100
verb 3
mute 3
writepid /var/run/
resolv-retry infinite
script-security 2
dev tun1
proto udp
cipher bf-cbc
auth sha1
remote <openvpn srv> <port>
comp-lzo yes
redirect-private def1
tun-mtu 1500
mtu-disc yes

comment:5 Changed 3 years ago by BrainSlayer

Resolution: invalid
Status: reopened → closed

You need to set the hash algorithm to none.

comment:6 Changed 4 months ago by lovec911

Resolution: invalid
Status: closed → reopened

Changing the hash algorithm to none does not remove the keyword "client" from the resulting configuration file.

When a secret key (or in dd-wrt parlance - static key) is specified in the gui, the system correctly adds the "secret" keyword in the configuration, but it does not remove the "client" keyword.

You can only have one of secret or client in the configuration at a time, as per the openvpn documentation and error message: "Options error: specify only one of --tls-server, --tls-client, or --secret".
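The conflict the ticket keeps hitting is easy to catch before openvpn is ever launched. The following is an added example, not part of this ticket and not DD-WRT's or OpenVPN's own code: a small linter that parses an openvpn config, maps each mode-selecting keyword to the mode it implies (`client` is OpenVPN's shorthand for `tls-client` plus `pull`, so it counts as `tls-client`), reports the same "specify only one of" condition openvpn would, and, for a static-key config, drops the TLS-mode lines that the GUI left in. The function names (`parse_options`, `find_mode_conflict`, `mode_error`, `strip_tls_options_for_static_key`) and the sample config with its `vpn.example.com 1194` remote are assumptions constructed for this example.

```python
"""Lint an OpenVPN config for the mutually exclusive key-exchange mode options.

OpenVPN accepts exactly one of --tls-server, --tls-client or --secret.
--client is shorthand for --tls-client --pull and --server implies
--tls-server, so both are mapped to the mode they select.
All function names and the sample config below are constructed for this
example; they are not DD-WRT or OpenVPN code.
"""
import re

# Keyword -> mode it selects. More than one distinct mode is a config error.
MODE_OPTIONS = {
    "secret": "secret",
    "tls-client": "tls-client",
    "client": "tls-client",     # --client == --tls-client --pull
    "tls-server": "tls-server",
    "server": "tls-server",     # --server implies --tls-server
}

# Keywords that put openvpn into TLS mode; none of them belong in a static-key config.
TLS_MODE_KEYWORDS = ("client", "tls-client", "tls-server", "server")

ERROR_TEXT = "Options error: specify only one of --tls-server, --tls-client, or --secret"


def parse_options(text):
    """Return [(keyword, args), ...], ignoring comments and blank lines.

    Inline blocks such as <ca>...</ca> are reported as a single keyword
    (their body is skipped), so an inline <secret> block counts as --secret.
    """
    options = []
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:                      # skip key/cert material inside a block
            if line == f"</{in_block}>":
                in_block = None
            continue
        if not line or line[0] in "#;":   # openvpn comment syntax
            continue
        m = re.match(r"<([a-z-]+)>$", line)
        if m:
            in_block = m.group(1)
            options.append((in_block, ["<inline>"]))
            continue
        parts = line.split()
        options.append((parts[0].lstrip("-"), parts[1:]))
    return options


def find_mode_conflict(text):
    """Return the set of distinct modes the config asks for."""
    return {MODE_OPTIONS[kw] for kw, _ in parse_options(text) if kw in MODE_OPTIONS}


def mode_error(text):
    """Return the error openvpn would print for this config, or None if it is consistent."""
    return ERROR_TEXT if len(find_mode_conflict(text)) > 1 else None


def strip_tls_options_for_static_key(text):
    """Drop the TLS-mode keywords so a config that uses 'secret' can load.

    Only top-level option lines are considered; the ticket's configs have no
    inline blocks, and a stray TLS keyword inside one would be bogus anyway.
    """
    kept = []
    for raw in text.splitlines():
        first = raw.strip().split()[:1]
        kw = first[0].lstrip("-") if first else ""
        if kw in TLS_MODE_KEYWORDS:
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


# Constructed sample: the shape of config the ticket describes the GUI producing.
BROKEN_CONFIG = """\
# constructed sample, not a real generated file
client
secret /tmp/openvpncl/static.key
dev tun1
proto udp
remote vpn.example.com 1194
"""

if __name__ == "__main__":
    print("before:", mode_error(BROKEN_CONFIG))
    fixed = strip_tls_options_for_static_key(BROKEN_CONFIG)
    print("after: ", mode_error(fixed))
    print(fixed)
```

Run as a pre-flight check on whatever ends up in /jffs/openvpncl/openvpn.conf: a non-None result from `mode_error` means openvpn will refuse the file with exactly the message quoted in this ticket, and the sanitised output of `strip_tls_options_for_static_key` is what a static-key client should be handed instead.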
