Hello, after 20 years with smeserver we decided to start with your great tool. Thanks for your superb work!
My actual problem is to connect my server to my nordnet provider and use our dedicated VPN IP.
I tried during these last days, opening the firewall… but the client doesn’t want to start; the OpenVPN server starts without problem.
Could someone help me to start the client side?
Which part of the certificate needs to be used?
Regards
Because of the way this was posted, it stripped off the tags which identify which certificate this is. If it is the “cert”, then this is the one that identifies you to the server. “ca” is the public certificate of the server you are connecting to. I’m guessing, based on the “auth-user-pass”, that this should be the “ca”.
What errors are shown in the log?
Is this being run on the NS server or a client machine on your internal network? You may need to include additional iptables rules, via shorewall, for NATting and port forwarding.
I couldn’t get Neth to take my OpenVPN .conf file through the GUI, and when I thought I entered the correct parameters into the GUI manually it wouldn’t connect. I ended up copying the config file to /etc/openvpn/client on my Neth box (named, in my case, pfsense.conf), and then did systemctl enable --now openvpn-client@pfsense. That brought up the service, and it reconnects if there’s an interruption.
Thanks for your help
This needs to run directly in NS.
I found the way to start it:
systemctl start openvpn-client@MYVPN
But now I can’t direct my local LAN inside the tunnel.
This is the fault with tunup.sh:
Job for openvpn-client@fr52.nordvpn.service failed because the control process exited with error code. See "systemctl status openvpn-client@fr52.nordvpn.service" and "journalctl -xe" for details.
Jan 31 00:43:52 server.firewall.3 libvirtd[1389]: 2018-01-30 23:43:52.990+0000: 1389: error : virFileReadAll:1409 : Failed to open file ‘/sys/class/net/tun0/operstate’: No such file or directory
Jan 31 00:43:52 server.firewall.3 libvirtd[1389]: 2018-01-30 23:43:52.990+0000: 1389: error : virNetDevGetLinkInfo:2419 : unable to read: /sys/class/net/tun0/operstate: No such file or directory
Jan 31 00:44:24 server.firewall.3 evebox[1363]: 2018-01-31 00:44:24 (evefileprocessor.go:175) – Total: 0; last minute: 0; EOFs: 60
Jan 31 00:45:24 server.firewall.3 evebox[1363]: 2018-01-31 00:45:24 (evefileprocessor.go:175) – Total: 0; last minute: 0; EOFs: 60
It’s not clear… I use Notepad++ as usual and then chmod, so…
It’s more than 2 days spent just to connect a client VPN!
This is my last log:
OpenVPN 2.4.4 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 26 2017
library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
WARNING: --ping should normally be used with --ping-restart or --ping-exit
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Outgoing Control Channel Authentication: Using 512 bit message hash ‘SHA512’ for HMAC authentication
Incoming Control Channel Authentication: Using 512 bit message hash ‘SHA512’ for HMAC authentication
TCP/UDP: Preserving recently used remote address: [AF_INET]82.102.18.107:1194
Socket Buffers: R=[212992->212992] S=[212992->212992]
UDP link local: (not bound)
UDP link remote: [AF_INET]82.102.18.107:1194
TLS: Initial packet from [AF_INET]82.102.18.107:1194, sid=1a9ac69d 821dd3d5
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
VERIFY OK: depth=1, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=fr52.nordvpn.com, name=NordVPN, emailAddress=cert@nordvpn.com
VERIFY KU OK
Validating certificate extended key usage
++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
VERIFY EKU OK
VERIFY OK: depth=0, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=fr52.nordvpn.com, name=NordVPN, emailAddress=cert@nordvpn.com
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
[fr52.nordvpn.com] Peer Connection Initiated with [AF_INET]82.102.18.107:1194
SENT CONTROL [fr52.nordvpn.com]: ‘PUSH_REQUEST’ (status=1)
PUSH: Received control message: ‘PUSH_REPLY,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,dhcp-option DNS 78.46.223.24,dhcp-option DNS 162.242.211.137,route-gateway 10.8.8.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.8.146 255.255.255.0,peer-id 13,cipher AES-256-GCM’
Options error: option ‘redirect-gateway’ cannot be used in this context ([PUSH-OPTIONS])
Options error: option ‘dhcp-option’ cannot be used in this context ([PUSH-OPTIONS])
Options error: option ‘dhcp-option’ cannot be used in this context ([PUSH-OPTIONS])
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Socket Buffers: R=[212992->425984] S=[212992->425984]
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route-related options modified
OPTIONS IMPORT: peer-id set
OPTIONS IMPORT: adjusting link_mtu to 1657
OPTIONS IMPORT: data channel crypto options modified
Data Channel: using negotiated cipher ‘AES-256-GCM’
Outgoing Data Channel: Cipher ‘AES-256-GCM’ initialized with 256 bit key
Incoming Data Channel: Cipher ‘AES-256-GCM’ initialized with 256 bit key
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 250
do_ifconfig, tt->did_ifconfig_ipv6_setup=0
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 10.8.8.146/24 broadcast 10.8.8.255
/etc/openvpn/tunup.sh tun0 1500 1585 10.8.8.146 255.255.255.0 init
WARNING: Failed running command (--up/--down): could not execute external program
Exiting due to fatal error
I finally found the right way of configuring a NordVPN client in NS, see below.
I just need to know how I can write a custom template for MASQUERADE; if someone could help, it would be appreciated.
1. Access your NethServer via command line as root.
2. Create and access the directory where all our configuration files will be stored:
mkdir /etc/openvpn
cd /etc/openvpn
3. Download our configuration files and unzip them:
wget https://nordvpn.com/api/files/zip
unzip zip
rm -rf zip
4. Before connecting, you have to add an additional rule to the routing table:
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o tun0 -j MASQUERADE
This rule will route all traffic from the 192.168.0.0/16 network via the VPN tunnel. If you use different addresses, change accordingly.
5. To connect to our service, type in:
openvpn servername
For example:
openvpn de86.nordvpn.com.udp1194.ovpn
6. Type in your NordVPN username and password when asked.
7. The command line will type out this line if successfully connected:
Initialization Sequence Completed
Note: If the VPN cannot start for you and you are getting this output:
ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
Then do the following:
mkdir -p /dev/net
mknod /dev/net/tun c 10 200
chmod 600 /dev/net/tun
cat /dev/net/tun
If you receive the message:
cat: /dev/net/tun: File descriptor in bad state
That means your TUN/TAP device is ready for use.
Then repeat steps 5, 6 and 7.
That’s exactly what I gave you in my tunup script. $1 is the device name, as created by openvpn. You probably need to also create an associated tundown script to remove the rule when openvpn is stopped.
The problem with permanently creating the rule, in shorewall, is that if the firewall is started, like at boot, before the tunnel is created, then it fails, because the tunnel device doesn’t exist.
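As an added example (not code from the thread, from NethServer or from NordVPN), here is one OpenVPN up/down script that covers both step 4 above and the tunup/tundown suggestion: it adds the MASQUERADE rule for the tunnel device OpenVPN passes as $1 when the tunnel comes up and removes it when the tunnel goes down, so the rule never has to exist before tun0 does. The LAN range (192.168.0.0/16, from step 4) and the script path are assumptions; the same file serves as both up and down script because OpenVPN exports script_type.

```shell
#!/bin/sh
# Added example for this thread (not NethServer or NordVPN code): an OpenVPN
# --up/--down script that adds the step-4 MASQUERADE rule for the tunnel device
# passed as $1 and removes it when the tunnel goes down, so the rule never exists
# while tun0 is absent (the boot-order problem of a static shorewall rule).
# Save with Unix (LF) line endings and chmod +x, or OpenVPN logs
# "could not execute external program". Assumed config (path is an assumption):
#   script-security 2
#   up   /etc/openvpn/tunup.sh
#   down /etc/openvpn/tunup.sh

LAN_NET="${LAN_NET:-192.168.0.0/16}"   # LAN to NAT into the tunnel; adjust to yours
IPTABLES="${IPTABLES:-iptables}"       # overridable so the logic can be exercised without root

# Rule specification for the given tunnel device (everything after -A/-C/-D).
masq_rule() {
    printf 'POSTROUTING -s %s -o %s -j MASQUERADE' "$LAN_NET" "$1"
}

# Add the rule only if absent, so a reconnect does not stack duplicate entries.
masq_add() {
    $IPTABLES -t nat -C $(masq_rule "$1") 2>/dev/null || $IPTABLES -t nat -A $(masq_rule "$1")
}

# Remove the rule; tolerate it already being gone.
masq_del() {
    $IPTABLES -t nat -D $(masq_rule "$1") 2>/dev/null || true
}

# Map OpenVPN's exported script_type (up|down) to an action: add, del or skip.
action_for() {
    case "$1" in
        up)   echo add ;;
        down) echo del ;;
        *)    echo skip ;;
    esac
}

main() {
    [ -n "$1" ] || { echo "usage: $0 <tun-device>" >&2; exit 1; }
    case "$(action_for "$script_type")" in
        add) masq_add "$1" ;;
        del) masq_del "$1" ;;
        *)   echo "unexpected script_type '$script_type'" >&2; exit 1 ;;
    esac
}

# Only act when invoked by OpenVPN (script_type set); sourcing it does nothing.
# Manual run: script_type=up ./tunup.sh tun0
if [ -n "${script_type:-}" ]; then
    main "$@"
fi
```

A shorewall reload or restart rebuilds the nat table and drops this rule, so after a firewall reload either rerun the script or restart the OpenVPN client service.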