OpenVPN Server & Client for unRAID 6.2+ (6.1 is still supported)


peter_sm


Peter_sm, quick bug report: when I have ipp enabled, OpenVPN keeps using the ipp.txt file in the appdata share. So when I do server maintenance and have to shut the array down, OpenVPN prevents the drives from unmounting, thus creating an unmount error loop and hanging the emhttp process. Therefore I cannot access the WebUI anymore and have to manually shut down the server via SSH:

 

powerdown

 

So, here is what I thought:

 

1. Since ipp.txt isn't frequently accessed, it could be saved to the flash drive itself. Therefore the array could be properly unmounted.

2. This brings the benefit that OpenVPN could still function while the array is down, so we could do maintenance from the outside world.

3. Which means that OpenVPN could also start itself on system boot and kill itself on system shutdown.

 

4. If saving to the flash drive isn't possible, then we'd have to resort to catching the unmount signal and killing the server. But this means that we can't fix our servers from the outside.

 

Since I'm out frequently, it would be a huge plus for me if it could function while the array's down and restart itself along with the server.

 

Hi ideaman924, I will move ipp.txt to the plugin folder on the flash. :) New release soon.

 

//Peter



Thanks for the quick update! And what about the reboot-restart scenario I showed at the top? Will that get added in a future release as well? Sorry if I sound pushy, but thanks for all your effort.



The OpenVPN server can start when the array is coming online; it can also be set so it keeps running when the array stops! BUT of course the mount point where the server files (ovpn, all certs) live will be unmounted. I have not tested myself whether it can keep running from memory when the array stops.

 

//Peter



 

So how about if we copy the server files to the flash config folder as well? I mean, some server owners might have difficulties (owing to their drives being smaller than 512MB or so), but then we can just provide a switch for those that have bigger USB flash drives (4GB or more). This way, the OVPN server starts at boot-up, not when the array is started, and we can start the array from the outside world and diagnose and troubleshoot server-side issues.

 

Just my two bucks' worth, but hey, it's a good idea, right?



Hi,

It's up to you if you'd like to configure the OpenVPN settings path to /boot/* 8)

//Peter



 

But, like I said, auto-starting of OpenVPN only happens if the array launches. I need it to launch on boot.


Hi,

OK, I understand. Right now, can you add this to your go file?

/usr/local/emhttp/plugins/openvpnserver/scripts/rc.openvpnserver start

and set "Start OpenVPN server during array mount" to No.

 

This shall enable the server to start before the array starts, if you change the installation to /boot.

 

 

So there is a way to start it before the array is online, but this requires users to install only on /boot or on another disk that is mounted before the array is online.

 

//Peter

 

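The procedure Peter describes just above (start the server from the go file, set "Start OpenVPN server during array mount" to No, and move the installation to /boot) only works if nothing the server config references lives on the array, which is the same constraint behind the ipp.txt unmount problem reported at the top of the thread. The shell snippet below is an added example, not part of the plugin or of any post here: it reads an OpenVPN server config and flags every file directive pointing at /mnt/, so it can gate the rc.openvpnserver start line in the go file. The sample config inside it is constructed from the server.conf posted further down in this thread; the awk directive list, the function names and the server.conf path under the plugin folder are my own assumptions. One caveat when following the advice: a server.key moved to /boot sits on a mounted FAT flash drive whose file modes come from the mount options rather than from the file, so check who on the box can read it once it is there.

```shell
#!/bin/sh
# Added example, not part of the OpenVPN plugin or of any post in this thread.
# Lists the files an OpenVPN server config depends on and flags the ones that
# live on the unRAID array (/mnt/...), which is absent before the array starts
# and unmounted (or blocked from unmounting) when it stops.

# Constructed sample config, trimmed from the server.conf posted later in the
# thread; the /mnt/user/... entries are the ones a boot-time start would miss.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
server 10.8.0.0 255.255.255.0
dev tun
port 1194
proto udp
dh /mnt/user/Automation/docker/apps/vpnserver/dh.pem
ca /mnt/user/Automation/docker/apps/vpnserver/ca.crt
cert /mnt/user/Automation/docker/apps/vpnserver/server.crt
key /mnt/user/Automation/docker/apps/vpnserver/server.key
ifconfig-pool-persist /boot/config/plugins/openvpnserver/ipp.txt
tls-auth /boot/config/plugins/openvpnserver/ta.key 0
status /var/log/openvpnserver-status.log 5
log-append /var/log/openvpnserver.log
EOF

# Print the path argument of every directive that names a file on disk.
# (The directive list is an assumption covering the common file-bearing options.)
openvpn_file_paths() {
    awk '$1 ~ /^(ca|cert|key|dh|tls-auth|tls-crypt|crl-verify|ifconfig-pool-persist|status|log|log-append)$/ { print $2 }' "$1"
}

# Print only the paths that sit on the array.
openvpn_array_paths() {
    openvpn_file_paths "$1" | grep '^/mnt/' || true
}

# Return 0 when the config can be started before the array is online,
# 1 (with the offending paths on stderr) when it cannot.
openvpn_boot_safe() {
    bad=$(openvpn_array_paths "$1")
    if [ -n "$bad" ]; then
        printf 'refusing to start %s before the array; array paths in config:\n%s\n' "$1" "$bad" >&2
        return 1
    fi
    return 0
}

# Typical use from /boot/config/go, ahead of the rc script (server.conf path is
# an assumption about where the plugin keeps its config under /boot):
#   openvpn_boot_safe /boot/config/plugins/openvpnserver/server.conf \
#       && /usr/local/emhttp/plugins/openvpnserver/scripts/rc.openvpnserver start
openvpn_boot_safe "$SAMPLE_CONF" || echo "sample config would not survive an array stop"
```

Run it against the real config once after moving the installation to /boot; if it still prints /mnt/ paths, the unmount loop from the first post will come back the next time the array is stopped.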

Hi Peter, I'm new to this OpenVPN client plugin and just installed it via the "add plugin" tab. Then I went to the "Settings" tab and saw the icon for it, so I clicked on it to configure it. But when I try "choose config file", the option doesn't open any dialog box so that I can choose the file that I generated from airvpn. Thanks for any help!

 


Hi peter (or anyone else who can help me),

 

I port-forwarded port 1194 to my unRAID's static IP (192.168.3.111), but when I try to connect using an OpenVPN client it gives me a timeout error. When I scan ports using a website it says that port 1194 is closed. And I am pretty sure that port forwarding is done correctly (please check the attachments to make sure).

 

One interesting thing is that when I change the port the OpenVPN server uses to 80 and run the server, the website says that the port is open.

 

Thanks in advance for the help.

[three screenshots attached]


Hi,

 

Here is the file,

server 10.8.0.0 255.255.255.0
local 192.168.3.111
dev tun
port 1194
proto udp
dh /mnt/user/Automation/docker/apps/vpnserver/dh.pem
ca /mnt/user/Automation/docker/apps/vpnserver/ca.crt
cert /mnt/user/Automation/docker/apps/vpnserver/server.crt
key /mnt/user/Automation/docker/apps/vpnserver/server.key
ifconfig-pool-persist /boot/config/plugins/openvpnserver/ipp.txt
push "dhcp-option DNS 8.8.8.8"
tls-server
verb 3
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
tls-auth /mnt/user/Automation/docker/apps/vpnserver/ta.key 0
persist-key
persist-tun
keepalive 10 120
user nobody
group users
cipher aes-256-cbc
auth sha512
comp-lzo adaptive
push "route 192.168.3.0 255.255.255.0"
push "resolv-retry infinite"
status /var/log/openvpnserver-status.log 5
log-append /var/log/openvpnserver.log
status-version 2

 

and here is my client file

 

remote (WAN IP)
cipher aes-256-cbc
auth sha512
client
dev tun
proto udp
port 1194
resolv-retry infinite
tls-client
nobind
persist-key
persist-tun
remote-cert-tls server
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
comp-lzo adaptive
verb 3
route-delay 2
key-direction 1

 

I have tried with both Tunnelblick on my Mac connected to the same LAN as the server, and the iOS app connected to my carrier's network.

 

Thanks,


Yes, I am using the inline file; I just cut out the certificate part in the last post. Here is the whole inline client file:

remote WANIP
cipher aes-256-cbc
auth sha512
client
dev tun
proto udp
port 1194
resolv-retry infinite
tls-client
nobind
persist-key
persist-tun
remote-cert-tls server
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
comp-lzo adaptive
verb 3
route-delay 2
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
MIIDNTCCAh2gAwIBAgIJAOeT5fx1t6eTMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV
BAMMC0Vhc3ktUlNBIENBMB4XDTE2MDgxNTEzMjA0NVoXDTI2MDgxMzEzMjA0NVow
FjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDb/W+HZu9Gn2WaGiWfHuGlFjJ7OfCyWNPqVlhOImyrdnHpJ1qKyRLo
llK9NtdnQKrNm9RuuYpQfekEPbPfzjcED6lol0JhzAQdafevXTlZm7IO25P18meLuY/
OfFO2ab+vLvcBnscvZ/nnQ+GMEMEeqoDOpFsEDlPOXKoWJ5IjHJuTe4kzod1YWVp
6jQk5Mubjiounn66YbuRCxcyjoMfMNHaMdjzIMVNxThjpEulEaexlXF2i6BWbbj3
6jqU01R+47HxTpgJEwN+pE1p0aiG8aoKQDiSz0wcSom8bb2gcQ/9MIXUBx5MB5zv
DMz6+KtgIP1Fj9PtIvNbUZ9woRnRIfLTAgMBAAGjgYUwgYIwHQYDVR0OBBYEFKg3
ooJzBkeUk6YvSvVJRnJxEYGA1UdIwQ/MD2AFKg3ooJzBkeUk6YvSvVJRnJx
xMRjoRqkGDAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQYIJAOeT5fx1t6eTMAwGA1Ud
EwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQA5NbtkonV9
J8+N7ebQby/GBajcJCGTtRaXQwQ8E1IRx9qm4SJfnBV1dsAQge2P0k7hEx5+nsHM
dnloEL46ctTPRjB8EpAsgQVVWMVmzbJmb41vgLdknVIM4NDjBIpKo4wC1TAi0uAG
drCGNvhyIDLCL8jOuO5GxydAg2w0qlmJ7ImC+QKOvtwlT4lc1pRX9aDd2LeYa7Xf
Ginv2DUajYPmJUo2GoDmmIZVt0fBVuaysKNE5vdW+QLyjBVGcbmHxfr/Ax4wQ0oA
Xtwg5osmG/036ZLzWsHPXgyPr5fxRmz5h7keETAJcBU/M4Kdr6yIHrELLZl1cqtq
WqVGAD8stNJL
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIDTzCCAjegAwIBAgIQR5lbeNuWIGFtwOLw5VuSiTANBgkqhkiG9w0BAQsFADAW
MRQwEgYDVQQDDAtFYXN5LVJTQSBDQTAeFw0xNjA4MTUxMzIxMjZaFw0yNjA4MTMx
MzIxMjZaMBcxFTATBgNVBAMMDGtvaG1thZG95YTCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBALbUdPjCKS4by/ALYHDjeUHGj82eIP8utjKJL1pqu2o3
rJUs0zOeeeLaIQracuf4ieeBfnpk5ltyKilH/HypUCSMjACvvTn/v9DZudW07ESwG
64l0kGGe52WEcI4YeyJDkiC6gIELeK43eWJ86Ed4Jjd0CZYLu9+2cObJK8zQx4RP
I5buHwq+ytPC0gAGYsOtxBtXJkAQAlUUk4BncprosXl8zB68F7ThZj5XX2rcBujM
PD5EicsKLzBd1k8HWSFTwtaaQwFxpN7T/CwYzknSZDWKyz588haXZFFhbISmnHWV
2JV6aio374QPjvPIjX7eht/2yRXiOlFyGs8yiWMKtJMCAwEAAaOBlzCBlDAJBgNV
HRMEAjAAMB0GA1UdDgQWBBTnOad0NMiVV2E0VH713mk6cpMCUDBGBgNVHSMEPzA9
gBSoN6KCcwZHlJOmL0r1SUZyccTEY6EapBgwFjEUMBIGA1UEAwwLRWFzeS1SU0Eg
Q0GCCQDnk+X8dbenkzATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4Aw
DQYJKoZIhvcNAQELBQADggEBAEXf0TwPaVKUxbT7vqqyg8DwtetnBIytuRYeMA/+
/WHXHiJDwtEIeGMhzvNkQA00Or7CtXdBQ9GlEKnDS9++Q0Xd3Ko/cU9UA8/OFkTK
u4zqXW9dlrIoh3JCkAyX+O3Tqzt1S9cLwACJc+JZhmQWjX8xkmhcKNT2mUUW7kr9
uYBIPZ1xMbA1QiIolc2hRtZxVIHd7Hzg9SOaBggOQsLsZoBnedEoXWRtFCD4PWcY
tT77sDIqDQYvoAJOiep95wPcdHStFfxwtIwsiIu4zVEeQephLZlq53H03f+sW3g5
CEUbsMxiT1YGFELO0KkG+ebMz/3cBmhfXohxq7VMPvFN9E8=
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC21HT4wikuG8vw
C2Bw43lBxo/NniD/LrYyiS9aartqN6yVLNMznnni2iEK2nLn+InngX56ZOZbcioh
/x8qVAkjIwAr705/7/Q2bnVtOxEsBuuJdJBhnudlhHCOGHsiQ5IguoCBC3iuN3li
fOhHeCY3dAmWC7vSvM0MeETyOW7h8KvsrTwtIABmLDrcQbVyZAEAJVFJOA
Z3Ka6LF5fMwevBe04WY+V19q3AbozDw+RInLCi8wXdZPB1khU8LWmkMBcaTe0/ws
GM5J0mQ1iss+fPIWl2RRYWyEppx1ldiVemoqN++ED47zyI1+3obf9skV4jpRchrP
MoljCrSTAgMBAAECggEBAKQjh0RRZBEeKXA/dnzC6/jOYAo0feE7OZ2TJe0hx1Ir
24gtrws3qqusM2AAEIsLyhsKWddeQKU2kHbnCT7CJVXjNWM8PBiF/5TihA/lqJwD
NnC4MmtB8vJj/XzEo792NHmnlnjEKLsX2KVACHUpe/3q8jRAIpJMw32ee/EsOwMf
V1wx3hqg06piBYc9StYHxdn+y0KjmCISB55jzsBJQQOKFYIRgz0oH3onWXcRyfOH
r5kZNzpHbDiYBA1hkC+Xz5uCrUaB8J8klolrZZMV6kjWOOfYK2+8tiEgr/Y5Au4oezc
+SqU1x7TEHcRMaXYVkba16f5LzOGdyLOGhZVtXUpa4ECgYEA7dJMoVqh9vU3Q2tm
icoyFj8UaYHwGWioE5UiyXZAf5AKs5pryiw4vM5Po5N0QTHFSw9yt1cLTLdw2qNA
dfTWmiVH4xLE9HbLcQ5VQEgTbyVNXEcHM8av8tpWLi7y0dcaf6Ijs9J1Dy0JlO+o
XvqrjuTgKAizXtwxnATB7nI9IMECgYEAxM4UiNiadQwHDUfY7ZRZn9Vxt+KT9xVJ
qZzkR/D9I2gTrcTHLxq2NUgykRLWxmjjlvPlEK3Ti+Z++muoZ/l0vArXqhBdCxyE
G9bmPtV4VyKb1xlCmWD3l83z0o/l/HdjdLqyg/E3Sl+R+K4g0QD46Tf6Ht3LGVLh
3903IAIIllMCgYEAiCKIwRiLfD1dsf0bABvytJWh4uGWLsLwM+63rLRHfe2Bg9jQNpV
d36G3/VNezpuIt+lq0jlhvOpwTmEvXMT9DG6IrTSiLZ2zeWuoUHuJQTdMxNsTDVQ
dx/2GhNHn9o6H0p9nbAntcj0P0KtqHbjr7LYP8zeT6xjWRq8vy2uAZudSEECgYAj
nwFMe5gJU3H7T2POLKnEKkf49oO9lxbMIl+XPeEzhWT6cMF0nysXnce5RmWlZ9q5
uc9eI3hEvCWDgfTrTNV6K6Q5XdjZaAHpYA4wlUbAzrzSQ/ov9MMbsOVO2UjRV3Ki
8B/bjc9qIL40+p9p9PkYjU8yQwa9wKitckbF/lg7jQKBgG8hvV/nsagP5Fe31Tir
3TiXIpQi7wdSaaHJtGPru6KBprgfPgVfDRb4l1riuLixFq7Px6tm8iYSiRUTpOgD
szuVitUgAL6i8sS2QYozgJdLIzOK2u9EGpKRAJAlfCOz4QgQNRYLW0oVgXriet3F
EYK9LC3v1P7hgAFhfRM6ZhOS
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0c5fd51289dc64fa6b787e58c3c98645
6622d546c59b2ca4e6d44d00893d6689
3679f2001b7f9ed1be81cf21c5bf494c
9b33a91772d1c0ecd5b7ca72a4383ed8
2217e80033de617036cbd231e01ed8cf
bc4c85db99072963f61387ef202a62e2
ba47e4c5d7ff3168fcd777431e8ce9bd
f7932709be01f5a7130627b8c8b4ac13
7e24c0d0f37b653fb56f02578ea3b518
076edc1d6242174148fde6b36962b36e
8dc51b38e93245aa395fb92ca624f
6f919ce7a5e48cd58a5ab6dbbad55063
006aaadeaf4eb560e0531ca2a70fc877
8583fe4e74c907b87d8426ae1571a228
f3b48f5f78f4b60ea1ef11e185fc327f
7004a46dd157d43c3e0090ddb39867ca
-----END OpenVPN Static key V1-----
</tls-auth>

 

Here are the server logs:

Wed Aug 17 15:21:23 2016 OpenVPN 2.3.11 x86_64-slackware-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on May 10 2016
Wed Aug 17 15:21:23 2016 library versions: OpenSSL 1.0.1s  1 Mar 2016, LZO 2.03
Wed Aug 17 15:21:23 2016 Diffie-Hellman initialized with 2048 bit key
openvpn: symbol lookup error: openvpn: undefined symbol: SSL_CTX_get0_certificate

part 2 (server logs)

default via 192.168.3.1 dev eth0  metric 1 
127.0.0.0/8 dev lo  scope link 
172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.42.1 
192.168.3.0/24 dev eth0  proto kernel  scope link  src 192.168.3.111 

 

and the client logs from my iPhone:

 

It's a bit long, so here is a pastebin link:

 

http://pastebin.com/8jdnYdpL

 

Otherwise my post is over 20000 words.

 

Thanks again

 

EDIT: I saw that my iOS app was associating my WAN IP with a DDNS web address that I used before (which doesn't exist anymore), so I deleted the app and tried connecting again.

Here are the logs:

 

http://pastebin.com/S1DXBpgR

 

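The server log in the post above ends with `openvpn: symbol lookup error: openvpn: undefined symbol: SSL_CTX_get0_certificate` right after the Diffie-Hellman line and never reaches OpenVPN's "Initialization Sequence Completed" message, so the process died before it bound UDP 1194. An external scan reporting the port closed is then the expected result and says nothing about the router's forwarding rule, which is the question asked two posts earlier. SSL_CTX_get0_certificate first appeared in OpenSSL 1.0.2, while the same log shows the binary loaded OpenSSL 1.0.1s, so this openvpn package was built against a newer libssl than the one installed on the box. The earlier test with port 80 only proves that something else on the host answers there (on unRAID the web UI listens on 80 by default), not that OpenVPN does. As an added example, not part of the plugin or of any post here, the shell functions below classify an OpenVPN server log into these outcomes and extract the loaded OpenSSL version; the sample log is constructed from the four lines posted above, and the verdict names are my own. Separately, the inline client profile in that post contains its private key and the tls-auth key; once posted publicly they have to be treated as compromised, so that client certificate should be revoked and ta.key regenerated for every profile that shares it.

```shell
#!/bin/sh
# Added example, not part of the OpenVPN plugin or of any post in this thread.
# Reads an OpenVPN server log and reports whether the last start actually got
# as far as listening, or died earlier (and why).

# Constructed sample: the four server-log lines posted above, verbatim.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Wed Aug 17 15:21:23 2016 OpenVPN 2.3.11 x86_64-slackware-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on May 10 2016
Wed Aug 17 15:21:23 2016 library versions: OpenSSL 1.0.1s  1 Mar 2016, LZO 2.03
Wed Aug 17 15:21:23 2016 Diffie-Hellman initialized with 2048 bit key
openvpn: symbol lookup error: openvpn: undefined symbol: SSL_CTX_get0_certificate
EOF

# Version of the OpenSSL library the openvpn process actually loaded at run time
# (as opposed to the one its package was compiled against).
openvpn_loaded_openssl() {
    sed -n 's/.*library versions: OpenSSL \([^ ]*\).*/\1/p' "$1" | tail -n 1
}

# One-word verdict on the last start recorded in the log (names are my own):
#   running              - reached "Initialization Sequence Completed"
#   library-mismatch:SYM - the dynamic linker could not resolve SYM in a shared lib
#   bind-failed          - the UDP/TCP socket could not be bound (port or address busy)
#   died-before-listen   - none of the above; read the preceding lines
openvpn_startup_verdict() {
    if grep -q 'Initialization Sequence Completed' "$1"; then
        echo running
    elif grep -q 'symbol lookup error' "$1"; then
        sym=$(sed -n 's/.*undefined symbol: \([A-Za-z0-9_]*\).*/\1/p' "$1" | tail -n 1)
        echo "library-mismatch:$sym"
    elif grep -q 'Socket bind failed' "$1"; then
        echo bind-failed
    else
        echo died-before-listen
    fi
}

# True only when there is a listener worth testing from outside.
openvpn_is_listening() {
    [ "$1" = running ]
}

verdict=$(openvpn_startup_verdict "$SAMPLE_LOG")
echo "loaded OpenSSL: $(openvpn_loaded_openssl "$SAMPLE_LOG")"
echo "verdict: $verdict"
if ! openvpn_is_listening "$verdict"; then
    echo "nothing is bound to the port yet; fix the start-up failure before testing the port forward"
fi
```

Confirm the verdict on the box itself with `netstat -ulnp | grep 1194` before touching the router: if no openvpn line shows up there, no forwarding rule can make the port appear open from outside.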

Hey Peter,

 

I was on vacation this weekend and used OpenVPN to watch a movie in the car. I used my Nexus 5X with an unlimited LTE connection that went all the way up to 25Mbps, with ping times of 43 milliseconds. However, the connection to the server through OpenVPN was capped at 2Mbps, resulting in choppy playback of any video, even ones that were only a few hundred megabytes.

 

My server has a Gigabit NIC, and my connection to the outside world is 100Mbps. Below is a diagram:

 

Server <----1000Mbps Gigabit NIC ----> Home Router <---- 100Mbps --> Internet <--- 25Mbps ----> Nexus 5X LTE connection

 

However, OpenVPN speed is capped at 2Mbps.

 

Is there something wrong with my settings? I'm ready to sacrifice some encryption for better speeds. I need a balance between speed and encryption.

 

I've attached a screenshot of my settings.

 

Thanks,

Eric

[screenshot of the OpenVPN settings attached]

