VyOS OpenVPN must specify "tls cert-file" with NordVPN config

I’m quite new to setting up routers and VPN’s so please bear with me on this one.

My goal is to make a VyOS setup where if I’m connected to a certain segment of the network have all public network traffic routed over a VPN provider. I opted to use NordVPN as I already have a subscription to it, and they have a guide on setting up a similar thing in PfSense

I’m currently running into the issue where setting up the site-to-site mode in OpenVPN, VyOS complains that a tls cert-file and tls key-file are required, however I do not have access to these as NordVPN only provides a username and password.

I tried contacting NordVPN’s support, however they just told me to “install the NordVPN software” over my VyOS instance (which completely screws up every single other configuration on the system, so that’s a dead end for me).

My config is as follows:

interfaces {
    openvpn vtun0 {
        description "OpenVPN tunnel to NordVPN"
        local-address 10.1.4.1
        remote-address 10.2.4.1

        remote-host REDACTED
        remote-port 1194
        authentication {
            username REDACTED
            password REDACTED
        }
        shared-secret-key-file "/nordvpn/auth.key"
        mode site-to-site
        hash sha512
        persistent-tunnel
        protocol udp
        ipv6 {
            disable-forwarding
        }
        openvpn-option "allow-compression no"
        openvpn-option "persist-key"
        openvpn-option "persist-tun"
        openvpn-option "nobind"
        openvpn-option "cipher AES-256-CBC"
        openvpn-option "script-security 2"
        openvpn-option "route-method exe"
        openvpn-option "key-direction 1"
        openvpn-option "route-delay 2"
        openvpn-option "mssfix 1450"
        openvpn-option "keysize 256"
        openvpn-option "sndbuf 524288"
        openvpn-option "rcvbuf 524288"
        openvpn-option "fast-io"
        openvpn-option "verb 3"
        openvpn-option "auth-retry nointeract"
        openvpn-option "route-nopull"
        openvpn-option "tun-mtu 1532"
    }
  }
}

I found two other instances of people experiencing the same issue as I am:

• Translate OpenVPN config file - #4 by Viacheslav
• https://www.reddit.com/r/vyos/comments/j63ct1/vyos_nordvpn_openvpn_config_problem/

Could anyone point me at what I’m doing wrong?
Thanks

Hi @will2n1 , could you please tell me what the exact issue is? I’ve tested the same configuration you’ve provided on the VyOS 1.3 and it’s successfully committed:

set interfaces openvpn vtun0 authentication password 'test1'
set interfaces openvpn vtun0 authentication username 'test1'
set interfaces openvpn vtun0 hash 'sha512'
set interfaces openvpn vtun0 ipv6 disable-forwarding
set interfaces openvpn vtun0 local-address 10.1.4.1
set interfaces openvpn vtun0 mode 'site-to-site'
set interfaces openvpn vtun0 openvpn-option 'allow-compression no'
set interfaces openvpn vtun0 openvpn-option 'persist-key'
set interfaces openvpn vtun0 openvpn-option 'persist-tun'
set interfaces openvpn vtun0 openvpn-option 'cipher AES-256-CBC'
set interfaces openvpn vtun0 openvpn-option 'script-security 2'
set interfaces openvpn vtun0 openvpn-option 'route-method exe'
set interfaces openvpn vtun0 openvpn-option 'key-direction 1'
set interfaces openvpn vtun0 openvpn-option 'route-delay 2'
set interfaces openvpn vtun0 openvpn-option 'mssfix 1450'
set interfaces openvpn vtun0 openvpn-option 'keysize 256'
set interfaces openvpn vtun0 openvpn-option 'sndbuf 524288'
set interfaces openvpn vtun0 openvpn-option 'rcvbuf 524288'
set interfaces openvpn vtun0 openvpn-option 'fast-io'
set interfaces openvpn vtun0 openvpn-option 'verb 3'
set interfaces openvpn vtun0 openvpn-option 'auth-retry nointeract'
set interfaces openvpn vtun0 openvpn-option 'route-nopull'
set interfaces openvpn vtun0 openvpn-option 'tun-mtu 1532'
set interfaces openvpn vtun0 openvpn-option 'nobind'
set interfaces openvpn vtun0 persistent-tunnel
set interfaces openvpn vtun0 protocol 'udp'
set interfaces openvpn vtun0 remote-address '10.2.4.1'
set interfaces openvpn vtun0 remote-host '192.168.0.2'
set interfaces openvpn vtun0 remote-port '1194'
set interfaces openvpn vtun0 shared-secret-key-file '/config/auth/test1.key'

The only differences I think are user/pass/key fields and IP addresses. If the configuration is accepted but a connection is not being established, then please provide the logs for a more detailed view of your issue.

@e.khudiyev Apoligies, I uploaded the wrong version of the configuration as it would not commit and I was very tired when making this post; instead of the shared-secret-key-file it should be as follows:

tls {
    ca-cert-file "/nordvpn/ca.crt"
    auth-file "/nordvpn/auth.key"
}

Doing so results in the error:

Must specify "tls cert-file"

You can use a workaround touch included_conf.conf and include it as openvpn-option
An example in T3591
Just change it to your parameters