Client vpn wont start

openvpn
v7

(zentrader) #1

Hello, after 20 years with smeserver we decided to start with your great tool. Thanks for your superb work!

My current problem is connecting my server to my nordnet provider and using our dedicated VPN IP.
I have been trying for the last few days, opened the firewall... but the client doesn't want to start; the OpenVPN server starts without problem.

Could someone help me get the client side started?
Which part of the certificate needs to be used?
Regards

NordVPN .conf is:

client
dev tun
proto udp
remote 185.128.25.93 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0

explicit-exit-notify 3

remote-cert-tls server

#mute 10000
auth-user-pass

comp-lzo
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512

<ca>
-----BEGIN CERTIFICATE-----
.................................................................................
..................................................................................

-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
9bafe03c3395f4c395fa750ba5516836
a5bafbda3aef472ca56c8a9736c648f6
a077b53dedcf560d0d178dd6c565cfff
c89284f465d76088aa5b54a158ee3b43
aec6586497eb78c653a86e8b2367bee5
2915629301427e85b16800f3cc73ee13
4a03d7c5cd3817319f18a7a1e6176016
d76c4b3553ee4828f7653bc428c7ddc1
.................................................
...............................................
................................................

-----END OpenVPN Static key V1-----
</tls-auth>

NethServer Version: 7
Module: openvpn


(Eddie Atherton) #2

Because of the way this was posted, it stripped off the tags which identify which certificate this is. If it is the “cert”, then this is the one that identifies you to the server. “ca” is the public certificate of the server you are connecting to. I’m guessing, based on the “auth-user-pass”, that this should be the “ca”.

What errors are shown in the log?

Is this being run on the NS server or on a client machine on your internal network? You may need to include additional iptables rules, via shorewall, for NATting and port forwarding.

Cheers.


(Dan) #3

I couldn’t get Neth to take my OpenVPN .conf file through the GUI, and when I thought I entered the correct parameters into the GUI manually it wouldn’t connect. I ended up copying the config file to /etc/openvpn/client on my Neth box (named, in my case, pfsense.conf), and then did systemctl enable --now openvpn-client@pfsense. That brought up the service, and it reconnects if there’s an interruption.


(zentrader) #4

Thanks for your help.
This needs to run directly on NS.
I found the way to start it:
systemctl start openvpn-client@MYVPN
but now I can’t direct my local LAN into the tunnel.


(Eddie Atherton) #5

Here’s my tunup script, which sorts out the NATting you need:

#!/bin/bash
# Run by openvpn as the --up script: $1 is the tun device name (e.g. tun0).

ESMITH_DIR=/etc/e-smith/templates-custom/etc/shorewall

# Write a custom template fragment for the shorewall masq file
echo -e "# Masquerade the VPN tunnel" > $ESMITH_DIR/masq/30UKvpn
echo -e "$1" >> $ESMITH_DIR/masq/30UKvpn
echo -e "" >> $ESMITH_DIR/masq/30UKvpn

# Reload the firewall (re-expands the shorewall templates and applies them)
/sbin/e-smith/signal-event firewall-adjust

Cheers.


(zentrader) #6

Hey hey! I’m writing to you from behind my wall...
Thank you so much for this big help.
Cheers


(zentrader) #7

I made an error!!
Nothing works for the moment.


(Eddie Atherton) #8

I think we need a few more details than just “It’s broken”.

Cheers.


(zentrader) #10

You’re totally right, sorry.

This is the fault with tunup.sh:
Job for openvpn-client@fr52.nordvpn.service failed because the control process exited with error code. See "systemctl status openvpn-client@fr52.nordvpn.service" and "journalctl -xe" for details.

Jan 31 00:43:52 server.firewall.3 libvirtd[1389]: 2018-01-30 23:43:52.990+0000: 1389: error : virFileReadAll:1409 : Failed to open file ‘/sys/class/net/tun0/operstate’: No such file or directory
Jan 31 00:43:52 server.firewall.3 libvirtd[1389]: 2018-01-30 23:43:52.990+0000: 1389: error : virNetDevGetLinkInfo:2419 : unable to read: /sys/class/net/tun0/operstate: No such file or directory
Jan 31 00:44:24 server.firewall.3 evebox[1363]: 2018-01-31 00:44:24 (evefileprocessor.go:175) – Total: 0; last minute: 0; EOFs: 60
Jan 31 00:45:24 server.firewall.3 evebox[1363]: 2018-01-31 00:45:24 (evefileprocessor.go:175) – Total: 0; last minute: 0; EOFs: 60


(zentrader) #11

OK, the custom template is not executed with tunup.sh and I don’t understand why.


(zentrader) #12

So this is my problem with tunup.sh:

[root@server openvpn]# ./tunup.sh
-bash: ./tunup.sh: /bin/bash^M: bad interpreter: No such file or directory

I hope you will agree to help a poor dummy...


(Dan) #13

Looks like you edited the file on Windows before you put it onto your Neth server.


(zentrader) #14

It’s not clear... I use Notepad++ as usual and then chmod, so...
It’s been more than 2 days spent just to connect a VPN client!
This is my last log:

OpenVPN 2.4.4 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 26 2017
library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
WARNING: --ping should normally be used with --ping-restart or --ping-exit
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
TCP/UDP: Preserving recently used remote address: [AF_INET]82.102.18.107:1194
Socket Buffers: R=[212992->212992] S=[212992->212992]
UDP link local: (not bound)
UDP link remote: [AF_INET]82.102.18.107:1194
TLS: Initial packet from [AF_INET]82.102.18.107:1194, sid=1a9ac69d 821dd3d5
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
VERIFY OK: depth=1, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=fr52.nordvpn.com, name=NordVPN, emailAddress=cert@nordvpn.com
VERIFY KU OK
Validating certificate extended key usage
++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
VERIFY EKU OK
VERIFY OK: depth=0, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=fr52.nordvpn.com, name=NordVPN, emailAddress=cert@nordvpn.com
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
[fr52.nordvpn.com] Peer Connection Initiated with [AF_INET]82.102.18.107:1194
SENT CONTROL [fr52.nordvpn.com]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,dhcp-option DNS 78.46.223.24,dhcp-option DNS 162.242.211.137,route-gateway 10.8.8.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.8.146 255.255.255.0,peer-id 13,cipher AES-256-GCM'
Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Socket Buffers: R=[212992->425984] S=[212992->425984]
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route-related options modified
OPTIONS IMPORT: peer-id set
OPTIONS IMPORT: adjusting link_mtu to 1657
OPTIONS IMPORT: data channel crypto options modified
Data Channel: using negotiated cipher 'AES-256-GCM'
Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 250
do_ifconfig, tt->did_ifconfig_ipv6_setup=0
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 10.8.8.146/24 broadcast 10.8.8.255
/etc/openvpn/tunup.sh tun0 1500 1585 10.8.8.146 255.255.255.0 init
WARNING: Failed running command (--up/--down): could not execute external program
Exiting due to fatal error
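The "bad interpreter: /bin/bash^M" error in post #12 and the "could not execute external program" line in the log above have the same cause: the script was saved with Windows CRLF line endings, so the kernel looks for an interpreter literally named "/bin/bash\r". The following is an added example (not code posted by anyone in this thread) that detects the carriage returns and strips them in place while keeping the file's mode bits, so an earlier chmod +x survives. File names are whatever you pass in; nothing here is specific to NethServer.

```shell
#!/bin/sh
# crlf_check.sh: detect and repair Windows (CRLF) line endings in a script.
# A CRLF shebang makes the kernel search for the interpreter "/bin/bash\r",
# which is exactly the "bad interpreter" failure seen with tunup.sh.
# Added example; file paths are supplied by the caller.

# True when any line in the file ends with a carriage return.
has_crlf() {
    grep -q "$(printf '\r')\$" "$1"
}

# Show the shebang line with control characters made visible (the \r shows up
# as "\r" in od output, which a normal editor hides).
show_shebang() {
    head -n 1 "$1" | od -c | head -n 1
}

# Rewrite the file without CRs.  Writing back through the existing file
# (cat > "$1") rather than mv-ing a new one over it keeps owner and mode bits,
# so the executable bit does not have to be set again afterwards.
strip_crlf() {
    tmp="$1.crlf.$$"
    tr -d '\r' < "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Convert only when needed and report what was done.
fix_script() {
    if has_crlf "$1"; then
        strip_crlf "$1" && echo "$1: converted CRLF -> LF"
    else
        echo "$1: already LF"
    fi
}
```

Usage on the server: `. ./crlf_check.sh; fix_script /etc/openvpn/tunup.sh`, then re-run `systemctl start openvpn-client@...`. If you cannot avoid editing on Windows, set Notepad++ to Unix (LF) line endings for the file before uploading.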


(zentrader) #15

I finally found the right way to configure a NordVPN client in NS, see below.
I just need to know how I can write a custom template for MASQUERADE; if someone could help it would be appreciated.

1. Access your NethServer via command line as root.
2. Create and access the directory where all our configuration files will be stored:
mkdir /etc/openvpn
cd /etc/openvpn
3. Download our configuration files and unzip them:
wget https://nordvpn.com/api/files/zip
unzip zip
rm -rf zip
4. Before connecting, you have to add an additional rule to the routing table:
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o tun0 -j MASQUERADE
This rule will route all traffic from the 192.168.0.0/16 network via the VPN tunnel. If you use different addresses, change accordingly.

5. To connect to our service type in:
openvpn servername
For example:

openvpn de86.nordvpn.com.udp1194.ovpn
6. Type in your NordVPN username and password when asked.
7. The command line will type out this line if successfully connected:
Initialization Sequence Completed
Note: If the VPN cannot start for you and you get this output:
ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
Then do the following:

mkdir -p /dev/net
mknod /dev/net/tun c 10 200
chmod 600 /dev/net/tun
cat /dev/net/tun
If you receive the message:

cat: /dev/net/tun: File descriptor in bad state
That means your TUN/TAP device is ready for use.

Then repeat steps 5, 6 and 7.

(zentrader) #16

I just need to write this line at the end of /etc/shorewall/started and everything works like a charm:

iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o tun0 -j MASQUERADE


(Eddie Atherton) #17

That’s exactly what I gave you in my tunup script. $1 is the device name, as created by openvpn. You probably need to also create an associated tundown script to remove the rule when openvpn is stopped.

The problem with permanently creating the rule, in shorewall, is that if the firewall is started, like at boot, before the tunnel is created, then it fails, because the tunnel device doesn’t exist.

Cheers.
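Posts #15 to #17 converge on the same MASQUERADE rule for the tun device, and on two practical problems with it: a rule added at boot fails when tun0 does not exist yet, and a rule that is never removed (or is re-added on every reconnect) leaves stale or duplicate entries. The script below is an added example, not the tunup script from this thread or anything shipped by NethServer or NordVPN. It serves as both the OpenVPN --up and --down hook, checks with `iptables -C` before adding so reconnects do not stack duplicates, removes every copy on the way down, and refuses a device name that is not a plain tunN/tapN. The LAN range 192.168.0.0/16 is taken from the posted rule; the IPTABLES variable is an assumption of this example so the logic can be exercised with a stub instead of touching a live firewall.

```shell
#!/bin/sh
# openvpn_masq.sh: one hook used as both --up and --down script.
# OpenVPN sets $script_type to "up" or "down" and passes the tun device as $1.
# Added example; LAN_NET and IPTABLES are this example's own knobs.

LAN_NET="${LAN_NET:-192.168.0.0/16}"
IPTABLES="${IPTABLES:-iptables}"

# Is the MASQUERADE rule for this device already present?  (-C checks only.)
masq_present() {
    "$IPTABLES" -t nat -C POSTROUTING -s "$LAN_NET" -o "$1" -j MASQUERADE 2>/dev/null
}

# Add the rule once; a second "up" after a reconnect must not stack a duplicate.
masq_add() {
    if masq_present "$1"; then
        return 0
    fi
    "$IPTABLES" -t nat -A POSTROUTING -s "$LAN_NET" -o "$1" -j MASQUERADE
}

# Remove every copy so no stale rule survives a tunnel restart.
masq_del() {
    while masq_present "$1"; do
        "$IPTABLES" -t nat -D POSTROUTING -s "$LAN_NET" -o "$1" -j MASQUERADE || return 1
    done
    return 0
}

# Only a plain tun/tap name may reach iptables (the name comes from outside).
valid_dev() {
    case "$1" in
        tun[0-9]|tun[0-9][0-9]|tap[0-9]|tap[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

vpn_hook() {
    action="$1"; dev="$2"
    valid_dev "$dev" || { echo "refusing odd device name: $dev" >&2; return 2; }
    case "$action" in
        up)   masq_add "$dev" ;;
        down) masq_del "$dev" ;;
        *)    echo "usage: $0 up|down <dev>" >&2; return 2 ;;
    esac
}

# Entry point when OpenVPN runs the script. In the client .conf:
#   script-security 2
#   up   /etc/openvpn/openvpn_masq.sh
#   down /etc/openvpn/openvpn_masq.sh
if [ -n "$script_type" ]; then
    vpn_hook "$script_type" "$1"
fi
```

Because the rule is created only once the device exists and removed when the tunnel goes down, boot ordering between shorewall and the tunnel no longer matters for this rule. Keep the file in LF line endings and executable, or OpenVPN fails with the "could not execute external program" error seen earlier in the thread.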


(Eddie Atherton) #18

You need to understand how the e-smith template system works and how often the shorewall files are (could be) updated and re-built.

Cheers.