Has anyone been able to perform this firmware update on an Outdoor Gateway? I’d like to remove the cellular modem and install a HaLow radio. Also swap out the LoRa chip with one that has GPS on it.
I like the box and the board but want to do some custom stuff with it.
Hello, could you share your openvpn client configuration file ?
I’m trying to set-up OpenVpn on my SensCap M2 running OS 0.9.6-7.
The OpenVPN server is a freebox which is configured as OpenVPN TCP server with certificate authentication. config.ovpn file looks like this :
client
remote SERVER_IP 44875
proto tcp-client
nobind
dev-type tun
pull
dev tun0
redirect-gateway
auth-user-pass
auth-retry interact
cipher AES-256-CBC
remote-cert-tls server
verify-x509-name "C=FR, O=Freebox SA, CN=Freebox OpenVPN server a7beac99791055daf5bbe7fe697389e3"
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<extra-certs>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</extra-certs>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
I’ve upload the configuration and used “edit” to provide the auth-user-pass file’s content.
But when I click start, the status goes back to “Started NO” and there is no log for the VPN part so I do not know what’s wrong …
I’ve attached a terminal to the serial console but there is nothing related to openvpn, just plain kernel boot messages …
Any hints ?
Hi there,
And Welcome here…
So I recall an openVpn thing to Leave out the cert blocks and see if it starts the service, often it’s a goofy malformed cert options. I have had that happen on embedded only systems, where they released test code as custom and never added the cert options or something?
OK… So go try this stuff.. Some embedded systems fail unless ‘dev tun’ is used instead of tun0 or tun1’
Here is the full AI monty.. 
Checklist for OpenVPN on SensCap M2 (OS 0.9.6-7)ps | grep openvpn
If it’s not showing up, the service may not be starting at all due to a config error.
config.ovpn is correctly placed in the /etc/openvpn/ or the expected UI-configured location.openvpn --config /path/to/your/config.ovpn
This will often tell you exactly where the problem is — malformed certs, bad options, missing files, etc.
<ca>, <cert>, <key> blocksauth-user-pass input handling:.ovpn file as:auth-user-pass /etc/openvpn/credentials.txt
dev tun0 setup:dev tun is used instead of tun0. Try replacing:dev-type tun
dev tun0
with just:
dev tun
proto tcp-client
Just ensure the Freebox allows this specific TCP connection from the WAN.
Debugging Tip:Since OpenVPN logs aren’t showing up in the console:
logread | grep openvpn
or
cat /var/log/messages | grep openvpn
(Depending on log system used)
If logging is suppressed due to the OpenVPN service not starting at all, try launching manually as mentioned above to capture the errors.
Suggestion:If the Freebox OpenVPN server is working with other clients (Windows, Linux, etc.) — then the config is likely okay. The issue is probably:
<extra-certs> properly (try removing that block temporarily)auth-user-pass in UIGive that a go and come back let us know what you find 
HTH
GL 
PJ 
I saw this one?
Maybe test it first…
client
dev tun
proto tcp-client
remote YOUR_SERVER_IP 44875
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
# Authentication
auth-user-pass /etc/openvpn/credentials.txt
# Certificates
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
GL 
PJ 
Place these files in the OpenVPN config directory, typically /etc/openvpn/ or the M2 GUI-synced path:
client.conf ← (the config file above)ca.crt ← Your CA certificateclient.crt ← Your personal/client certificateclient.key ← Your private keycredentials.txt ← Your username + password (2 lines):yourusername
yourpassword
You must not use
<ca>,<cert>,<key>inline blocks in embedded Linux configs unless explicitly supported — they often break OpenVPN startup on resource-limited UIs like SensCap’s.
If you can SSH or use serial:
openvpn --config /etc/openvpn/client.conf
This will output real-time logs and show any certificate or auth errors directly.
Hi, thanks a lot for the detailed information. I’m sure it will help
But I’m facing a stupid issue :
Any hints on how to get a login shell using the serial console ?In my case, I only use UDP, which I now route through the forwarded packet tunnel. This already provides a level of security. However, I mainly use OpenVPN because on standard cellular networks there is no fixed IP address (due to CGNAT), except with professional plans that provide a static IP. OpenVPN allows me to create a tunnel that provides access through a private IP, which secures access and allows ping and remote connectivity.
It is important to correctly configure the private IP address of the OpenVPN server on the gateway, and not the server’s local LAN IP, so that UDP traffic is routed through the tunnel. If the ChirpStack LNS is hosted on a different local server, you must also forward UDP port 1700 from the OpenVPN server to the LNS to allow UDP traffic to pass from the OpenVPN server to the LNS. Additionally, remember to make the NAT rules persistent in case of an OpenVPN server reboot.
The ChirpStack LNS will receive the UDP uplinks, which are then translated into MQTT via the ChirpStack Gateway Bridge. MQTT is never used by the gateway itself, unless the gateway embeds a ChirpStack LNS, which is not the case for SenseCAP M2 gateways.
Gateway → UDP (packet forwarder)
ChirpStack Gateway Bridge → MQTT
MQTT = INTERNAL BACKEND ONLY
I found a very interesting DIY solution — or rather a recycling approach: a Raspberry Pi 3B+ or a Raspberry Pi 4 combined with this LoRaWAN module, which is actually a SenseCAP M1. This solution works perfectly with ChirpStack Gateway OS in concentrator mode.
The compatible image is the Raspberry Pi 2 (ARMv7) image.
This gateway can integrate an LNS for those who want it, which is not my case. It is strongly recommended to use the full version of the image, as it allows you to add GPS, OpenVPN, as well as a 4G USB modem (for example a Huawei HiLink model), etc.
Please note: ChirpStack Gateway OS runs, like the SenseCAP M2, on OpenWrt with LuCI. This means a few SSH commands are required, but with the help of AI tools, it is absolutely manageable.
For those who want to do more than just operate a gateway or an LNS, I would recommend installing a standard Raspberry Pi OS with Docker instead, so additional services can be deployed (such as Home Assistant or others).
This setup also works on a Raspberry Pi 2 (with a 40-pin connector), but performance is limited and not well suited for running an LNS.
There is also a dedicated SenseCAP image, which I have not tested:
There are very few older Helium gateways that allow this type of configuration, and they are often quite expensive, even though the Helium network itself no longer has real value. Today, these gateways are only worth their hardware value.
I was able to acquire three of them for €150, which is still a very good deal: Raspberry Pi 4 (8 GB), WM1303 or WM1302 concentrator, power supply, enclosure, and antenna.
In practice, around €85 per unit for second-hand hardware of this capability seems perfectly reasonable, especially if you do not need to run an LNS.
SENSE CAP M1 Hat + WM1302 for rpi3 or rpi 4 compatible rpi2 40 pins but not LNS
And Smart Mimic Finestra Board rpi with os chirpstack gateway
Passerelles réseau Smart Mimic Finestra Board-Embed SEMTECH SX1302 LoRaWAN
key client open vpn :
client
dev tun
proto tcp
remote 103.25.44.111 1194 // 103.25.44.111 IP fixe Public box 1194 port redirection vers open vpn server " redirection de port box "
resolv-retry infinite
nobind
persist-key
persist-tun
redirect-gateway def1 bypass-dhcp
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
verb 3
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ba:b8:67:87:50:28:b2xxxxxxxxxxxxxxxxxxxxx
Signature Algorithm: ecdsa-with-SHA256
Issuer: CN=Easy-RSA CA
Validity
Not Before: Mar 24 15:15:49 2025 GMT
Not After : Jun 27 15:15:49 2027 GMT
Subject: CN=Sense-Cap-4G
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:b6:de:f8:dxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
e8:45:08:82:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:
22:4b:1c:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
18:33:82:axxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
96:xxxxxxxxxxxxxxxxxxx
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
A6:43:99:3Cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
X509v3 Authority Key Identifier:
keyid:FF:5B:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
DirName:/CN=Easy-RSA CA
serial:4C:71:D2:77xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
3x:45:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
3x:c8:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
0x:21:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
51:75:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
xxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxx
-----END PRIVATE KEY-----
-----BEGIN OpenVPN Static key V1-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxx
-----END OpenVPN Static key V1-----
Here’s a clean, natural English translation:
I recommend that you first test your OpenVPN server from an OpenVPN client on your PC to make sure it is working properly.
client
dev tun
proto tcp
remote 103.25.44.111 1194 // 103.25.44.111 IP fixe Public box 1194 port redirection vers open vpn server " redirection de port box "
resolv-retry infinite
nobind
persist-key
persist-tun
redirect-gateway def1 bypass-dhcp
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
verb 3
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ba:b8:67:87:50:28:b2xxxxxxxxxxxxxxxxxxxxx
Signature Algorithm: ecdsa-with-SHA256
Issuer: CN=Easy-RSA CA
Validity
Not Before: Mar 24 15:15:49 2025 GMT
Not After : Jun 27 15:15:49 2027 GMT
Subject: CN=Sense-Cap-4G
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:b6:de:f8:dxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
e8:45:08:82:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:
22:4b:1c:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
18:33:82:axxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
96:xxxxxxxxxxxxxxxxxxx
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
A6:43:99:3Cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
X509v3 Authority Key Identifier:
keyid:FF:5B:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
DirName:/CN=Easy-RSA CA
serial:4C:71:D2:77xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
3x:45:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
3x:c8:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
0x:21:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
51:75:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
xxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxx
-----END PRIVATE KEY-----
-----BEGIN OpenVPN Static key V1-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxx
-----END OpenVPN Static key V1-----