Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

OpenVPN Client:32 and 64-bit: Your Private and Secure Path to the Internet

Featured Replies

You mean: mullvad.net

 

In my opinion AFAIK having issues with splitting the VPN connection is not the VPN provider's (privateinternetaccess.com) fault but rather a function of OpenVPN Client/Server.

 

Agree 100%.  Until iptables is properly configured to create a firewall and the desired routes, having the openVPN client on unRAID is a major security risk for the unRAID server.  Most public/commercial VPN services do not have an adequate firewall or NAT service on the Internet side of the VPN so you are basically placing your unRAID server in a DMZ behind your hardware firewall (router).  A VPN provides anonymity with your ISP so they cannot filter or easily track your online activity, but is not very secure on the other end of the tunnel.  Security does vary with the provider, but unRAID itself is not hardened by default and is very susceptible to basic attacks.  Suggest an alternate method to use VPN with unRAID using extra hardware or wait until iptables can be properly configured to provide a firewall and proper routing on unRAID.

  • Replies 546
  • Views 164.7k
  • Created
  • Last Reply

You mean: mullvad.net

 

In my opinion AFAIK having issues with splitting the VPN connection is not the VPN provider's (privateinternetaccess.com) fault but rather a function of OpenVPN Client/Server.

 

Agree 100%.  Until iptables is properly configured to create a firewall and the desired routes, having the openVPN client on unRAID is a major security risk for the unRAID server.  Most public/commercial VPN services do not have an adequate firewall or NAT service on the Internet side of the VPN so you are basically placing your unRAID server in a DMZ behind your hardware firewall (router).  A VPN provides anonymity with your ISP so they cannot filter or easily track your online activity, but is not very secure on the other end of the tunnel.  Security does vary with the provider, but unRAID itself is not hardened by default and is very susceptible to basic attacks.  Suggest an alternate method to use VPN with unRAID using extra hardware or wait until iptables can be properly configured to provide a firewall and proper routing on unRAID.

 

Exactly right! The way I see it:

 

1. Communications and Security seem to always be at odds with one another. With a properly configured firewall on your network and not using OpenVPN Client for unRAID then you can assume some sense of security from outside attacks on your network including your unRAID box for the most part, but this approach does not provide anonymity from your ISP when your unRAID box connects to the end-point you selected, or the end point SB, SAB, CP etc select (hopefully using SSL connections at a minimum). With end-to-end encryption your ISP can't see what it is you are accessing but does know to whom you are connecting.

 

2. Connecting OpenVPN Client for unRAID to the VPN provider seems to provide anonymity from your ISP but will deem your network's firewall ineffective to provide security for you, and there is no mechanism built in to OpenVPN Client for unRAID that I know of at this point that can provide both anonymity and security. Perhaps someone can shed light on that.

 

Presently I can not trust OpenVPN Client for unRAID as my previous posts have suggested, there's a problem.

Good luck Mygoogoo as it sounds liked you are going to need it but if you do it get work please document it for the others and myself.

Yep thanks for the well wishes, don't really need it tho, but good luck goes to the users who put their trust an app / plugin that doesn't or hasn't yet met serious security scrutiny. Case in point->  If a plugin like OpenVPN Client for unRAID allows itself to falsely show it is connected to the VPN provider when using route-nopull, and then verified by independent user that the webGui shows the ISP instead of the VPN provider, that is a huge problem. I wonder what other issues lurk in the code?

 

I use unRAID, many people use unRAID, it's not a secure product by "nature", so let's make that best of this situation by brainstorming, and providing feedback, and have more knowledgeable folks than you and I to make this OpenVPN Client plugin, and perhaps the Server plugin more secure so some poor guy/gal doesn't make a huge mistake and expose themselves to a hacker or worse by trusting what may seem to be a flawed plugin. Even the people making this plugin available understand it is necessary to tweak iptables.

 

Secondly until the OpenVPN Client security shortfall has been addressed, and because the insecure nature of unRAID to begin with one can take precautions by firewalling or vpn'ing the unRAID segment of your network with another appliance. I do that by using a spare router with DD-WRT and OpenVPN.

 

If I read you correctly, I don't believe the goal here, on these unRAID forums, is to be dismissive to questions regarding the operation and security of a product that people seem to enjoy and put their hard earned money into. As an unRAID (lime-tech) paying customer I understand the product I purchased comes with a disclaimer of insecurity and that plugins, although wonderful to have, make the product very personal and appealing to whoever decides to use them, but these plugins may contain serious operational and security flaws that can adversely affect the operation and integrity of the software/hardware and cause "legal" issues to end users who rely on the false premise that unRAID with a VPN client or VPN server can both provide anonymity and security "while accessing, retrieving and storing content from the world wide web.  ::)

 

So let's get back on point. I like the idea of OpenVPN Client on unRAID, I want to use it, but it needs to be scrutinized further before being placed "in to production", though it seems to me people are using it not knowing the potential harm it can do to their unRAID box or their pocket-book. 

 

If you have a question or something substantive to contribute to this topic, then please provide your untapped wisdom.

I have DDWRT, does it have the possibility of sending only my unRAID server through the VPN client while allowing 1) internal traffic to unraid 2) all other devices to access normal internet?

 

Also, I think I may have found a glitch. If you have "automatically connect on array startup" set to YES it appears that you cannot access your main unraid configuration page (:80).. I could access unmenu and anything not on port 80.

I have DDWRT, does it have the possibility of sending only my unRAID server through the VPN client while allowing 1) internal traffic to unraid 2) all other devices to access normal internet?

 

Also, I think I may have found a glitch. If you have "automatically connect on array startup" set to YES it appears that you cannot access your main unraid configuration page (:80).. I could access unmenu and anything not on port 80.

 

1. I use a separate DD-WRT router just for unRAID and yes all traffic goes through the VPN.

 

2. Don't know if it's a glitch, maybe something for another forum, however if you have plugins in your unRAID and have set the array to connect at startup, you can check your unraid's display and see that downloads occur prior to unraid webGui being accessible. So yeah just wait for the downloads to complete first.

 

I have DDWRT, does it have the possibility of sending only my unRAID server through the VPN client while allowing 1) internal traffic to unraid 2) all other devices to access normal internet?

 

Also, I think I may have found a glitch. If you have "automatically connect on array startup" set to YES it appears that you cannot access your main unraid configuration page (:80).. I could access unmenu and anything not on port 80.

 

The easiest and simplest approach to this problem until the plugin can be made mature is to accomplish this with hardware.  Use a second router behind your first 'main' router and add another network card to unRAID.  Second router will need to have VPN client capability and suggest a router than can run Tomato or whatever open source software you like that has openVPN Client in it.  The second router should have a decent processor in it as the VPN encryption will choke and cap your speed with less capable hardware.

I haven't had a chance to read most of the emails but I have been using this plugin with PIA and it seems be working quite well. I have tried with a router (ASUS RTN16) using dd-wrt but it 'severly' limits the download speeds since the router processor isn't capable of decrypting large information on the fly.

 

Here are some details from my setup:

root@Tower:/boot/openvpn# more USEast.ovpn

client

dev tun

proto udp

remote us-east.privateinternetaccess.com 1194

resolv-retry infinite

nobind

persist-key

persist-remote-ip

persist-tun

ca ca.crt

tls-client

remote-cert-tls server

comp-lzo

verb 1

reneg-sec 0

 

auth-user-pass /boot/config/openvpn/password.txt

 

from the plugin settings:

Wed Sep 18 23:47:02 2013 OpenVPN 2.3.0 i486-slackware-linux-gnu [sSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [iPv6] built on Jan 12 2013

Wed Sep 18 23:47:02 2013 WARNING: file '/boot/config/openvpn/password.txt' is group or others accessible

Wed Sep 18 23:47:02 2013 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

Wed Sep 18 23:47:02 2013 UDPv4 link local: [undef]

Wed Sep 18 23:47:02 2013 UDPv4 link remote: [AF_INET]216.155.yyy.xx:1194

Wed Sep 18 23:47:02 2013 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

Wed Sep 18 23:47:02 2013 [server] Peer Connection Initiated with [AF_INET]216.155.yyy.xx:1194

Wed Sep 18 23:47:05 2013 TUN/TAP device tun0 opened

Wed Sep 18 23:47:05 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0

Wed Sep 18 23:47:05 2013 /usr/sbin/ip link set dev tun0 up mtu 1500

Wed Sep 18 23:47:05 2013 /usr/sbin/ip addr add dev tun0 local 10.163.a.b peer 10.163.a.b

Wed Sep 18 23:47:05 2013 Initialization Sequence Completed

 

 

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 

          inet addr:10.163.a.b  P-t-P:10.163.a.b  Mask:255.255.255.255

          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1

          RX packets:5455831 errors:0 dropped:0 overruns:0 frame:0

          TX packets:2949937 errors:0 dropped:61 overruns:0 carrier:0

          collisions:0 txqueuelen:100

          RX bytes:2882174331 (2.6 GiB)  TX bytes:757257462 (722.1 MiB)

 

Using iftop, I see the entire incoming bandwidth routed through the gateway provided by the VPN and not assigned by the cable company. Am I missing something from the discussion thread here?

 

htpcnewbie, the real issue is that while OpenVPN Client for unRAID is enabled and seems to work, one is unable to access unRAID webGui and other services remotely. As one example, one will not be able to access Plex Media Server to stream content unless it is being access from the local LAN, and this limits Plex's functionality as a whole. This essentially renders all other plugins useless if trying to access remotely.

 

And then there's the security issue. Read from about here:

 

http://lime-technology.com/forum/index.php?topic=19439.msg262674#msg262674

mygoogoo >> I haven't accessed the Unraid box outside my LAN network so I cannot speak for that. That being said, this plugin has been amazing and bandwidth throughputs for my Unraid box are excellent (maxes out my 50 Mbps line at almost 99.2% throughput). This feature is essential in today's world and the feature should be integrated into the mainstream UNRAID.

 

htpcnewbie, the real issue is that while OpenVPN Client for unRAID is enabled and seems to work, one is unable to access unRAID webGui and other services remotely. As one example, one will not be able to access Plex Media Server to stream content unless it is being access from the local LAN, and this limits Plex's functionality as a whole. This essentially renders all other plugins useless if trying to access remotely.

htpcnewbie, the real issue is that while OpenVPN Client for unRAID is enabled and seems to work, one is unable to access unRAID webGui and other services remotely. As one example, one will not be able to access Plex Media Server to stream content unless it is being access from the local LAN, and this limits Plex's functionality as a whole. This essentially renders all other plugins useless if trying to access remotely.

 

And then there's the security issue. Read from about here:

 

http://lime-technology.com/forum/index.php?topic=19439.msg262674#msg262674

 

You can access the gui remotely, but you must provide a static route in your router for the VPN subnet. Once I did this, I can hit any machine (and it's resource) on the LAN I wish. Here's my static route:

 

10.8.8.0	255.255.255.0	172.16.17.252	LAN & WLAN

 

Where 10.8.8.0 is my VPN subnet, 255.255.255.0 is the mask, 172.16.17.252 is my VPN server on unRAID and LAN & WAN are the affected interfaces.

 

Now, I am running the OpenVPN server plugin on unRAID as well, so perhaps there is a configuration difference there...

From what I'm seeing is that the VPN subnet continually changes. At last count I've had four different ip's assigned... 10.160.xx, 10.157.xx, 10.141.xx, 10.177.xx...

From what I'm seeing is that the VPN subnet continually changes. At last count I've had four different ip's assigned... 10.160.xx, 10.157.xx, 10.141.xx, 10.177.xx...

 

That's why I'm saying my config may be different, as I use the OpenVPN Server plugin on my unRAID server and therefore can control my subnet.

I got ya.

 

What I'm saying as a solution it would be impractical to apply this method for users with little experience in networking. So we need a practical solution(s) (as OpenVPN Client originally seemed to be) that can be generally applied for different types of users so they can access their unRAID resources remotely and not experience connectivity problems.

  • 4 weeks later...

Hey Guys,

 

Awesome plugin, with some great information in this thread!

 

Based on the posts here I now have this openvpn client working on my unraid box, connecting too the VPN provider privateinternetaccess.com.

 

However I am noticing something repeatedly coming up in the openvpn log.

 

Can anyone tell me what this means?

 

Wed Oct 16 04:54:29 2013 [server] Inactivity timeout (--ping-restart), restarting
Wed Oct 16 04:54:29 2013 SIGUSR1[soft,ping-restart] received, process restarting
Wed Oct 16 04:54:31 2013 UDPv4 link local: [undef]
Wed Oct 16 04:54:31 2013 UDPv4 link remote: [AF_INET]192.198.202.146:1194
Wed Oct 16 04:55:31 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Oct 16 05:00:41 2013 TLS Error: TLS handshake failed
Wed Oct 16 05:00:41 2013 SIGUSR1[soft,tls-error] received, process restarting
Wed Oct 16 05:00:43 2013 UDPv4 link local: [undef]
Wed Oct 16 05:00:43 2013 UDPv4 link remote: [AF_INET]209.188.5.234:1194
Wed Oct 16 05:01:43 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

 

It occurs every few days, repeating around 5-10 times.

 

Does this mean that openvpn isn't connected to my provider? If so is there a way to stop all internet access until it re-establishes a connection?

  • Author

Hey Guys,

 

..... If so is there a way to stop all internet access until it re-establishes a connection?

 

See if this is a way to go ....http://serverfault.com/questions/420336/how-do-you-prevent-a-vpn-from-exposing-your-ip-when-it-disconnects

 

//Peter

  • Author

Anyone using PIA ?

 

I just changed to this, and get these error when trying to login... anyone knows what is wrong ?

 

Sun Oct 20 11:50:55 2013 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sun Oct 20 11:50:55 2013 TLS Error: TLS object -> incoming plaintext read error
Sun Oct 20 11:50:55 2013 TLS Error: TLS handshake failed
Sun Oct 20 11:50:55 2013 SIGUSR1[soft,tls-error] received, process restarting
Sun Oct 20 11:50:57 2013 UDPv4 link local: [undef]
Sun Oct 20 11:50:57 2013 UDPv4 link remote: [AF_INET]93.115.82.54:1194
Sun Oct 20 11:50:57 2013 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, [email protected]
Sun Oct 20 11:50:57 2013 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sun Oct 20 11:50:57 2013 TLS Error: TLS object -> incoming plaintext read error
Sun Oct 20 11:50:57 2013 TLS Error: TLS handshake failed
Sun Oct 20 11:50:57 2013 SIGUSR1[soft,tls-error] received, process restarting
Sun Oct 20 11:50:59 2013 UDPv4 link local: [undef]
Sun Oct 20 11:50:59 2013 UDPv4 link remote: [AF_INET]93.115.84.122:1194
Sun Oct 20 11:51:00 2013 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, [email protected]
Sun Oct 20 11:51:00 2013 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sun Oct 20 11:51:00 2013 TLS Error: TLS object -> incoming plaintext read error
Sun Oct 20 11:51:00 2013 TLS Error: TLS handshake failed
Sun Oct 20 11:51:00 2013 SIGUSR1[soft,tls-error] received, process restarting
Sun Oct 20 11:51:02 2013 UDPv4 link local: [undef]
Sun Oct 20 11:51:02 2013 UDPv4 link remote: [AF_INET]93.115.84.124:1194
Sun Oct 20 11:51:02 2013 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, [email protected]
Sun Oct 20 11:51:02 2013 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sun Oct 20 11:51:02 2013 TLS Error: TLS object -> incoming plaintext read error
Sun Oct 20 11:51:02 2013 TLS Error: TLS handshake failed
Sun Oct 20 11:51:02 2013 SIGUSR1[soft,tls-error] received, process restarting

 

  • Author

Found a bug, so the issue in the previous post is solved.

 

I was created a sub folder to /boot/openvpn where I put all my files from PIA

 

The plugin need to be changed where these files belong before connecting, the issue was that the ca.crt was not found, since default folder was /boot/openvpn

It was also a issue with space in the file name for the ovpn file.

 

These issue are now solved, and a new updated plugin will be available next week.

 

 

//Peter

  • 4 weeks later...

Trying to set this up on my server to connect to VyprVPN.  They don't specifically support Unraid (no surprise there) and their Linux how to page has a manual configuration that is not very helpful but I did find a list of config files under https://www.goldenfrog.com/support/vyprvpn/vpn-setup/ipad/openvpn-connect setup for ipads.  I get

Options error: Unrecognized option or missing parameter(s) in [CMD-LINE]:1: config (2.3.2)

Use --help for more information.

When I try to start the service via the GUI.

 

I attached the config file (renamed .txt in order to attach here).  It seems to look correct according to an example on the OpenVPN website for client config files.  Any help?

United_States_-_Los_Angeles.txt

  • Author

Can you try one thing? rename the file so there are no space in the name,and then try again, maybe I need to release the fix for the issue I have seen with space in the file name.

 

//Peter

Renamed.  This is the result:

Mon Nov 11 22:28:01 2013 OpenVPN 2.3.2 i486-slackware-linux-gnu [sSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [iPv6] built on Jun 22 2013

Mon Nov 11 22:28:01 2013 WARNING: file '/boot/config/plugins/openvpn/password.txt' is group or others accessible

Mon Nov 11 22:28:01 2013 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

Mon Nov 11 22:28:01 2013 Socket Buffers: R=[163840->131072] S=[163840->131072]

Mon Nov 11 22:28:06 2013 UDPv4 link local: [undef]

Mon Nov 11 22:28:06 2013 UDPv4 link remote: [AF_INET]216.168.2.151:1194

Mon Nov 11 22:28:06 2013 TLS: Initial packet from [AF_INET]216.168.2.151:1194, sid=33d8ab31 47efb67a

Mon Nov 11 22:28:06 2013 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

Mon Nov 11 22:28:06 2013 VERIFY OK: depth=1, C=KY, ST=GrandCayman, L=GeorgeTown, O=GoldenFrog-Inc, CN=GoldenFrog-Inc CA, [email protected]

Mon Nov 11 22:28:06 2013 VERIFY OK: depth=0, C=KY, ST=GrandCayman, L=GeorgeTown, O=GoldenFrog-Inc, CN=us1.vpn.giganews.com, [email protected]

Mon Nov 11 22:28:08 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key

Mon Nov 11 22:28:08 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

Mon Nov 11 22:28:08 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key

Mon Nov 11 22:28:08 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

Mon Nov 11 22:28:08 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA

Mon Nov 11 22:28:08 2013 [us1.vpn.giganews.com] Peer Connection Initiated with [AF_INET]216.168.2.151:1194

Mon Nov 11 22:28:11 2013 SENT CONTROL [us1.vpn.giganews.com]: 'PUSH_REQUEST' (status=1)

Mon Nov 11 22:28:11 2013 AUTH: Received control message: AUTH_FAILED

Mon Nov 11 22:28:11 2013 SIGTERM[soft,auth-failure] received, process exiting

 

Looks like I'll have to figure out why it's not connecting.

  • Author

There are an solution to fix VyprVPN in this thread.

 

//Peter

 

  • 1 month later...

Hello people, been trying to work this out, but cant what is making this not work. Connecting to PIA

 

root@Tower:~# /etc/rc.d/rc.openvpn start         

ca.crt

CAToronto.ovpn

Your ovpn file already have the option --> /boot/config/plugins/openvpn/password.txt

Your ovpn file already have the option --> persist-remote-ip

Your ovpn file already have the option --> status /tmp/openvpn/openvpn-status.log

Starting Openvpn Tunnel: wait .........

nohup: redirecting stderr to stdout

31108

Not connected!  tun0  don't established, check your account settings!!!

Stoping Openvpn Tunnel.....

... OK

31108

Writing to the plugin config file....

  • Author

Since the log show tun0, then you have not updated the plugin, can you please do that and try again?

 

FYI, I also use PIA, and have no issues.

 

 

//Peter

Archived

This topic is now archived and is closed to further replies.

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.