Tomato Shibby OpenVPN server: Android clients connect, but not Tomato OpenVPN client

Discussion in 'Tomato Firmware' started by fxfxfx, Feb 25, 2016.

  1. fxfxfx

    fxfxfx Connected Client Member


    I have a Linksys E900 (router A) with Tomato Shibby 1.28 running an OpenVPN server at a remote site abroad.

    Local Android and Windows clients connect as expected, without errors, and establish a functional VPN.

    My goal is to establish the VPN on/via a local Router B also running Tomato Shibby 1.28 as an OpenVPN client, instead of each client establishing the VPN connection to Router A individually.

    I have now spent 2½ days full-on trying to establish the OpenVPN client connection (on an ASUS RT-N12 D1 (router B) Tomato Shibby 1.28 router) with the same repetitive error message: Error: private key password verification failed.

    I verified that I have entered the correct password correctly. And I have also double-verified by using client certificates and keys that were initially used and verified as working on Android devices. Still, the elsewhere functional keys entered correctly into the WUI of the Tomato Shibby 1.28 OpenVPN client setup yield no connection.

    So it is not a typo. Not a firewall block or port forwarding issue. I have used identical client-conf on the router as on the mobile devices. Still, no luck. Even did a PPTP server setup at router A and connected router B just fine to check (I got desperate). I also set up a remote VPS with Ubuntu and OpenVPN server and connected just fine with router B as OpenVPN client to the VPS and its VPN. So Router B OpenVPN client -> VPS OpenVPN Server works. I just can't get the connection from Router B OpenVPN client -> Router A OpenVPN Server working.

    SETTINGS for Tomato OpenVPN server (router A):

    Start with WAN: Enabled
    TUN interface
    UDP Protocol
    Port 1194
    Firewall: Auto
    Auth mode: TLS
    HMAC: incoming (0)

    Poll interval: 0
    Push LAN: Enabled
    Redirect internet: Enabled
    Respond to DNS: Enabled
    Advertise DNS: Enabled
    Cipher: AES-128-CBC
    Compression: Disabled
    TLS renegotiation time: -1
    Client-specific: Disabled
    Allow User/Pass auth: Disabled (this one is ALSO tested as ENABLED numerous times with the correct username and password entered correctly, as verified on Android clients, but finally I became apathetic and just disabled it in the stark face of defeat)
    Custom conf: None

    All five entries done correctly from easy-rsa on key signing linux machine. Working fine with all client keys/confs, except when used on Router B as OpenVPN client.

    OUTPUT from client-conf (from /etc/openvpn/easy-rsa/keys# cat client-conf.ovpn)
    remote xxx.x.xx.xx 1194

    ca ca.crt
    cert vpnclient.crt
    key vpnclient.key
    tls-auth ta.key 1

    dev tun
    proto udp
    key-direction 1

    resolv-retry infinite
    ns-cert-type server
    verb 3
    mute 20
    cipher AES-128-CBC

    Screen dumps below (with sensitive data removed crudely in mtPaint) for those visually inclined.







    Last edited: Feb 25, 2016
  2. eibgrad

    eibgrad Network Guru Member

    The message "Error: private key password verification failed." suggests you've added a password/passphrase to your private key. If so, you need to add the askpass directive and provide a file containing the password/passphrase as the argument.

    init script:

    echo 'password' > /tmp/password.txt

    (or just create it permanently in jffs if you have it enabled)

    OpenVPN client (Custom Configuration):

    askpass /tmp/password.txt

    NOTE: The username/password fields have nothing to do w/ password/passphrase protected private keys. That's a completely separate and unrelated layer of security the OpenVPN server may choose to implement.
    Malakai and fxfxfx like this.
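
The check behind the answer above, as an added example that is not part of the thread: it tells from the PEM headers whether a client key is passphrase-protected (and so needs `askpass`), and writes the askpass file with owner-only permissions. The function names, sample key files and temporary paths are assumptions made for illustration; the sample keys are constructed headers with no key material.

```shell
#!/bin/sh
# Added example (not from the thread). Sample keys below are constructed
# PEM headers with no key material; file names are placeholders.

# Succeeds if the PEM private key is passphrase-protected. Traditional
# OpenSSL keys carry "Proc-Type: 4,ENCRYPTED"; PKCS#8 keys use the
# "BEGIN ENCRYPTED PRIVATE KEY" label.
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# Prints the Custom Configuration line an encrypted key needs,
# and nothing for an unencrypted key.   $1 = key file, $2 = askpass file
askpass_directive() {
    if key_is_encrypted "$1"; then
        printf 'askpass %s\n' "$2"
    fi
}

# Writes the passphrase (read from stdin) to $1 with mode 0600; a plain
# "echo ... > file" would use the default umask instead.
write_askpass() {
    ( umask 077
      rm -f "$1"
      IFS= read -r pass || [ -n "$pass" ]
      printf '%s\n' "$pass" > "$1" )
}

# Constructed sample inputs: one header per key format.
make_sample_keys() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,00000000000000000000000000000000' > "$1/legacy.key"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' > "$1/pkcs8.key"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' > "$1/plain.key"
}

dir=$(mktemp -d)
make_sample_keys "$dir"
for k in legacy pkcs8 plain; do
    printf '%s.key: %s\n' "$k" "$(askpass_directive "$dir/$k.key" /tmp/password.txt)"
done
rm -rf "$dir"
```

A key that reports as encrypted here but connects without `askpass` on another client is simply being unlocked interactively there; the router has no prompt, so it needs the file.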
  3. fxfxfx

    fxfxfx Connected Client Member

    Spot on. Worked immediately.

    Thank you, thank you, thank you, eibgrad, for taking the time to help out.

    I found a lot of posts on Error: private key password verification failed via Google, of course. And basically tried them all. None worked, until now.

    Will update to [Solved].
  4. fxfxfx

    fxfxfx Connected Client Member

    Thanks for the clarification NOTE on the username/password fields, by the way. I was unsure if it was the right combo or if it related to the passphrase option when generating the certs and keys.