OPEN VPN with Private internet access

openvpn

(Jeffery Bardin (Flockhammer)) #1

NethServer Version: NethServer release 7.3.1611 (Final)

I have been trying to set up an OpenVPN tunnel with PIA (www.privateinternetaccess.com) but have yet to get it to connect. I have the .ovpn files from the site for Linux but the upload fails. I have also tried to enter the information my self and still no luck. I was wondering if anyone has been able to get this to work and if so any suggestions that may help. The end goal is to send all traffic out the VPN.


(Markus Neuberger) #2

Are there any relevant errors in /var/log/messages or /var/log/openvpn/*?

You could post the anonymized ovpn file content without certificates just to check why the upload fails, I don’t use PIA so I can’t test.

7.5 is the actual version, if you really still use 7.3 I recommend to update.


(Eddie Atherton) #3

For outbound VPNs, I’ve found it easier to not use the NS UI because it normally doesn’t have all the required options, but just put the required config file in /etc/openvpn/client and then use:

systemctl <action> openvpn-client@<config>

Cheers.


(Jeffery Bardin (Flockhammer)) #4

I just updated but still getting the same error.

Here are the logs from /var/log/messages that have to do with the OpenVPN and the cert.

LOG

Jul 27 14:33:52 Wall esmith::event[30445]: —> Package nethserver-openvpn.noarch 0:1.6.8-1.ns7 will be updated
Jul 27 14:33:52 Wall esmith::event[30445]: —> Package nethserver-openvpn.noarch 0:1.6.13-1.ns7 will be an update
Jul 27 14:33:53 Wall esmith::event[30445]: —> Package openvpn.x86_64 0:2.4.5-1.el7 will be updated
Jul 27 14:33:53 Wall esmith::event[30445]: —> Package openvpn.x86_64 0:2.4.6-1.el7 will be an update
Jul 27 14:39:55 Wall yum[30450]: Updated: openvpn-2.4.6-1.el7.x86_64
Jul 27 14:40:47 Wall esmith::event[30445]: Updating : openvpn-2.4.6-1.el7.x86_64 227/847
Jul 27 14:41:25 Wall yum[30450]: Updated: nethserver-openvpn-1.6.13-1.ns7.noarch
Jul 27 14:42:01 Wall esmith::event[30445]: Updating : nethserver-openvpn-1.6.13-1.ns7.noarch 341/847
Jul 27 14:42:30 Wall esmith::event[30445]: Cleanup : nethserver-openvpn-1.6.8-1.ns7.noarch 447/847
Jul 27 14:42:30 Wall esmith::event[30445]: Cleanup : openvpn-2.4.5-1.el7.x86_64 481/847
Jul 27 14:44:50 Wall esmith::event[30445]: Verifying : openvpn-2.4.6-1.el7.x86_64 78/847
Jul 27 14:44:54 Wall esmith::event[30445]: Verifying : nethserver-openvpn-1.6.13-1.ns7.noarch 351/847
Jul 27 14:44:55 Wall esmith::event[30445]: Verifying : nethserver-openvpn-1.6.8-1.ns7.noarch 435/847
Jul 27 14:44:56 Wall esmith::event[30445]: Verifying : openvpn-2.4.5-1.el7.x86_64 763/847
Jul 27 14:45:25 Wall esmith::event[9310]: expanding /etc/openvpn/host-to-net.conf
Jul 27 14:45:26 Wall esmith::event[9310]: [INFO] service openvpn@host-to-net is disabled: skipped
Jul 27 14:45:32 Wall esmith::event[9776]: Event: nethserver-openvpn-update
Jul 27 14:45:33 Wall esmith::event[9776]: Action: /etc/e-smith/events/nethserver-openvpn-update/S00initialize-default-databases SUCCESS [0.64565]
Jul 27 14:45:33 Wall esmith::event[9776]: expanding /etc/openvpn/host-to-net.conf
Jul 27 14:45:34 Wall esmith::event[9776]: expanding /etc/openvpn/host-to-net.pool
Jul 27 14:45:34 Wall esmith::event[9776]: Action: /etc/e-smith/events/nethserver-openvpn-update/S20nethserver-vpn-conf SUCCESS [0.005925]
Jul 27 14:45:34 Wall esmith::event[9776]: Action: /etc/e-smith/events/nethserver-openvpn-update/S30nethserver-openvpn-crl SUCCESS [0.034172]
Jul 27 14:45:34 Wall esmith::event[9776]: Action: /etc/e-smith/events/nethserver-openvpn-update/S40nethserver-openvpn-net2net SUCCESS [0.284227]
Jul 27 14:45:34 Wall esmith::event[9776]: [INFO] service openvpn@host-to-net is disabled: skipped
Jul 27 14:45:34 Wall esmith::event[9776]: Event: nethserver-openvpn-update SUCCESS
Jul 27 14:45:46 Wall esmith::event[30445]: nethserver-openvpn.noarch 0:1.6.13-1.ns7
Jul 27 14:45:46 Wall esmith::event[30445]: openvpn.x86_64 0:2.4.6-1.el7
Jul 27 14:47:24 Wall esmith::event[11704]: Event: openvpn-tunnel-upload /tmp/phpH59Dtc
Jul 27 14:47:25 Wall esmith::event[11704]: malformed JSON string, neither array, object, number, string or atom, at character offset 0 (before “client\ndev tun\npro…”) at /etc/e-smith/events/openvpn-tunnel-upload/S30nethserver-openvpn-upload-client line 37.
Jul 27 14:47:25 Wall esmith::event[11704]: Action: /etc/e-smith/events/openvpn-tunnel-upload/S30nethserver-openvpn-upload-client FAILED: 255 [0.263925]
Jul 27 14:47:25 Wall esmith::event[11706]: Event: nethserver-firewall-base-save openvpn-tunnel-upload
Jul 27 14:47:28 Wall esmith::event[11704]: Action: /etc/e-smith/events/openvpn-tunnel-upload/S80firewall-adjust SUCCESS [3.318866]
Jul 27 14:47:28 Wall esmith::event[11704]: Event: openvpn-tunnel-upload FAILED
Jul 27 14:47:40 Wall esmith::event[12058]: Event: openvpn-tunnel-upload /tmp/phpa29ueQ
Jul 27 14:47:40 Wall esmith::event[12058]: malformed JSON string, neither array, object, number, string or atom, at character offset 0 (before “client\ndev tun\npro…”) at /etc/e-smith/events/openvpn-tunnel-upload/S30nethserver-openvpn-upload-client line 37.
Jul 27 14:47:40 Wall esmith::event[12058]: Action: /etc/e-smith/events/openvpn-tunnel-upload/S30nethserver-openvpn-upload-client FAILED: 255 [0.266414]
Jul 27 14:47:40 Wall esmith::event[12060]: Event: nethserver-firewall-base-save openvpn-tunnel-upload
Jul 27 14:47:43 Wall esmith::event[12058]: Action: /etc/e-smith/events/openvpn-tunnel-upload/S80firewall-adjust SUCCESS [3.217038]
Jul 27 14:47:43 Wall esmith::event[12058]: Event: openvpn-tunnel-upload FAILED

CERT

client
dev tun
proto udp
remote 162.216.46.22 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server

auth-user-pass
compress lzo
verb 1
reneg-sec 0

-----BEGIN X509 CRL-----

-----END X509 CRL-----

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

disable-occ


(Eddie Atherton) #5

As I mentioned above, NS does not support all the options available to an OpenVPN client, so is unable to parse (correctly) the file you are using.

Use OpenVPN directly from systemctl.

Cheers.


(Dan) #6

That sounds like a bug, frankly. If Neth is unable to parse a perfectly-valid .ovpn file (and especially if it’s unable to state clearly what the problem is), it should be reported as a bug.


(Markus Neuberger) #7

The problem in this case is that Nethserver OpenVPN tunnels expect a json file and not an ovpn file. It’s working with a Nethserver openvpn tunnel because you download a json file and import it to the tunnel client.
I am afraid you have to manually setup your openvpn tunnel.

http://docs.nethserver.org/projects/nethserver-devel/en/v7/nethserver-openvpn.html#tunnel-topology


(Dan) #8

That would be a very helpful thing to have documented. Like on the page itself. Or anywhere, for that matter, because it sure isn’t in the manual.

Or better yet, change it to expect an .ovpn file, since that’s what’s in near-universal use.


(Markus Neuberger) #9

@Flockhammer, maybe it’s possible to use the tunnel in roadwarrior mode, where ovpn is accepted:

http://docs.nethserver.org/en/v7/vpn.html#legacy-mode

I don’t know if it’s that simple. It looks like the download/export for tunnels was a nice feature and nobody complains about not having ovpn, maybe more info is used for such a Neth VPN tunnel than can be saved in a ovpn file. I am sure there’s a reason for choosing json, maybe @giacomo can help us.


(Giacomo Sanchietti) #10

Sadly it’s not! :frowning:
To support ovpn file upload, we need to implement a parser since I don’t know an existing command which does the job.
Also, much of OpenVPN config validation is done when the service starts.

It’s documented here: http://docs.nethserver.org/en/v7/vpn.html#tunnel-net2net
But probably it’s not enough clear, would you mind to open a PR for the manual?


(Nick Hudson) #11

I tried systemctl command and put the config file in client folder, while using nord. Eventually, I had to move to PureVPN’s dedicated linux app to avoid such problems of manual configurations.