OpenVPN Server & Client for unRAID 6.2+ (6.1 is still supported)


peter_sm


3 hours ago, vyreks said:
I get the same error as Nick and easy-rsa 3.0.4 only generates ta.key for me. Nothing else.


How did you install 3.0.4? Can you try to install master and comment out the line I showed in an earlier post? Thanks.

EDIT

Works fine with the above zip file.

1: Download and unzip it into your folder (the path where the server and client config files and Easy-RSA v3 are stored).

2: Rename it to easy-rsa.

 


Generating a 2048 bit RSA private key
..........+++
...............................+++
writing new private key to '/mnt/disks/SSD1/appdata/myVPNserver_1/easy-rsa/easyrsa3/pki/private/ca.key.XXXXiQQ53v'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/mnt/disks/SSD1/appdata/myVPNserver_1/easy-rsa/easyrsa3/pki/ca.crt

spawn ./easyrsa build-server-full server nopass
Generating a 2048 bit RSA private key
............................................................................................................................................................................+++
.......+++
writing new private key to '/mnt/disks/SSD1/appdata/myVPNserver_1/easy-rsa/easyrsa3/pki/private/server.key.XXXXSS2Egv'
-----
Using configuration from ./openssl-easyrsa.cnf
Enter pass phrase for /mnt/disks/SSD1/appdata/myVPNserver_1/easy-rsa/easyrsa3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Dec 31 06:55:06 2027 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.......................................................................................................+..............................................+..................................................................................


DH parameters of size 2048 created at /mnt/disks/SSD1/appdata/myVPNserver_1/easy-rsa/easyrsa3/pki/dh.pem
 ls -altr
total 672
drwxrwxrwx  8 root root    234 Dec 24 17:00 easy-rsa/
drwxrwxrwx 25 root root   4096 Jan  2 07:46 ../
-rw-r-----  1 root root   1089 Jan  2 07:47 openvpnserver.ovpn
-rw-rw-rw-  1 root root 652211 Jan  2 07:47 easy-rsa-3.0.4.zip
-r--------  1 root root   4547 Jan  2 07:55 server.crt
-r--------  1 root root   1172 Jan  2 07:55 ca.crt
-r--------  1 root root   1704 Jan  2 07:55 server.key
-r--------  1 root root    424 Jan  2 07:55 dh.pem
-r--------  1 root root    636 Jan  2 07:55 ta.key


Sent from my iPhone using Tapatalk

Edited by peter_sm
  • 4 weeks later...
On 12/17/2017 at 10:46 PM, peter_sm said:

What is your default route interface? eth0, br0? Verify this by the last iptables row (in red) on the log page. You should see your LAN with all settings set to defaults. I have an update to verify this much better in the next release!

 

I'm trying to switch from the openvpn-as docker container to your plugin but haven't been able to connect to the server (getting "TLS key negotiation failed" error).  The one difference that I noticed is that the default route interface is br0, while the one that I was using successfully with the container was bond0 (as it's the interface listed first under unRAID/Info/Network).  Could this be the problem and, if so, how would I go about changing the interface used by openvpn server?

 

Fwiw, I'm using all default "Server config" settings with the exception of "Redirect-gateway" set to "redirect-gateway def1".  I'm also seeing the TLS error showing up in /var/log/openvpnserver.log which seems to confirm that traffic is being forwarded by the router correctly.

 

Thanks.


Hi

7 minutes ago, jm9843 said:

 

I'm trying to switch from the openvpn-as docker container to your plugin but haven't been able to connect to the server (getting "TLS key negotiation failed" error).  The one difference that I noticed is that the default route interface is br0, while the one that I was using successfully with the container was bond0 (as it's the interface listed first under unRAID/Info/Network).  Could this be the problem and, if so, how would I go about changing the interface used by openvpn server?

 

Fwiw, I'm using all default "Server config" settings with the exception of "Redirect-gateway" set to "redirect-gateway def1".  I'm also seeing the TLS error showing up in /var/log/openvpnserver.log which seems to confirm that traffic is being forwarded by the router correctly.

 

Thanks.

Is br0 your default interface?

Do you have several network interfaces (eth0, eth1, bond0, bond1)?

Can you try to remove the bond and try again?

 

I will have a new version soon that catches the right interface in a much better way!

 

//Peter

 

9 hours ago, peter_sm said:

Hi

Is br0 your default interface?

Do you have several network interfaces (eth0, eth1, bond0, bond1)?

Can you try to remove the bond and try again?

 

I will have a new version soon that catches the right interface in a much better way!

 

//Peter

 

 

If I'm thinking of it correctly, bond0 is the default interface (per Spaceinvader One's YouTube tutorial on the docker container).

 

Since I'm not sure how to go about removing interfaces and I don't want to break anything else, I'll likely wait and try your next version to see if it solves my TLS handshake problem.

 
If I'm thinking of it correctly, bond0 is the default interface (per Spaceinvader One's YouTube tutorial on the docker container).
 
Since I'm not sure how to go about removing interfaces and I don't want to break anything else, I'll likely wait and try your next version to see if it solves my TLS handshake problem.

Can you try to set all default settings? On the log page, in the red text at the bottom, is that your default interface?
8 hours ago, peter_sm said:


Can you try to set all default settings? On the log page, in the red text at the bottom, is that your default interface?

 

I got a chance to try this again with the same result.  To test, I uninstalled the plugin and deleted its appdata folder.  I then reinstalled the plugin and, per your suggestion, used the default settings (with the exception of specifying the Dynamic DNS address).  I still see results like so in the openvpn server log:

 

Thu Jan 25 01:16:05 2018 192.168.86.1:43312 TLS: Initial packet from [AF_INET]192.168.86.1:43312, sid=0773056c 1556308b
Thu Jan 25 01:17:05 2018 192.168.86.1:43312 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network co$
Thu Jan 25 01:17:05 2018 192.168.86.1:43312 TLS Error: TLS handshake failed
Thu Jan 25 01:17:05 2018 192.168.86.1:43312 SIGUSR1[soft,tls-error] received, client-instance restarting

 

On log page in bottom red text, I see br0 as the network interface (see screenshot).  However, if I look at unRAID System Info, it appears to show bond0 (see screenshot).  I'm unsure how to proceed.

Screenshot 2018-01-25 at 8.11.54 PM.png

Screenshot 2018-01-25 at 8.12.31 PM.png

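The log excerpt above is the usual shape of a handshake that never completes: the server sees the client's first packet, waits 60 seconds, then gives up. As an added example (not from the thread or the plugin), here is a small triage script that reads a server log and says, per peer, whether the handshake stalled or completed. The sample log is constructed in the same format as the one posted; the second peer and its address are made up.

```shell
#!/bin/sh
# Added example, not plugin code: classify OpenVPN server-log peers by handshake outcome.
# Assumes the stock openvpn log format "<date> <ip:port> <message>" as posted above.

# Constructed sample: the posted lines plus one made-up peer that connects successfully.
LOG_SAMPLE='Thu Jan 25 01:16:05 2018 192.168.86.1:43312 TLS: Initial packet from [AF_INET]192.168.86.1:43312, sid=0773056c 1556308b
Thu Jan 25 01:17:05 2018 192.168.86.1:43312 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Jan 25 01:17:05 2018 192.168.86.1:43312 TLS Error: TLS handshake failed
Thu Jan 25 01:17:05 2018 192.168.86.1:43312 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Jan 25 01:20:11 2018 203.0.113.7:51820 TLS: Initial packet from [AF_INET]203.0.113.7:51820, sid=1a2b3c4d 5e6f7a8b
Thu Jan 25 01:20:12 2018 203.0.113.7:51820 [laptop] Peer Connection Initiated with [AF_INET]203.0.113.7:51820'

# Reads a server log on stdin and prints "peer status" per peer, sorted. status is:
#   pending    initial packet seen, no verdict yet
#   stalled    initial packet seen, then "TLS key negotiation failed" / "TLS handshake failed"
#   connected  "Peer Connection Initiated" seen
tls_handshake_triage() {
    awk '
        # the peer is the first ip:port on the line; sid= values never look like one
        match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+/) {
            peer = substr($0, RSTART, RLENGTH)
            if ($0 ~ /TLS: Initial packet/ && !(peer in st)) st[peer] = "pending"
            if ($0 ~ /TLS Error: TLS (key negotiation failed|handshake failed)/) st[peer] = "stalled"
            if ($0 ~ /Peer Connection Initiated/) st[peer] = "connected"
        }
        END { for (p in st) print p, st[p] }' | sort
}

# Just the peers whose handshake stalled, one per line.
stalled_peers() { tls_handshake_triage | awk '$2 == "stalled" { print $1 }'; }

# usage: printf '%s\n' "$LOG_SAMPLE" | tls_handshake_triage
#        tls_handshake_triage < /var/log/openvpnserver.log
```

What a "stalled" entry tells you: the inbound port forward works, because the first packet arrived, so the problem is either that the server's replies are not getting back to the client (wrong default interface, a firewall on the return path, the kind of thing the "red text" on the log page is there to check) or that the two sides disagree about the tls-auth/tls-crypt key or the certificates (for instance a client profile built with a broken easy-rsa, or one generated before the server was reinstalled).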

Can you post the result after you have run these commands?
 

ifconfig

ip -4 route ls

 

Edit

It might be an issue with easyrsa!

 

Please try this version.

https://github.com/OpenVPN/easy-rsa/archive/v3.0.5.zip

 

 

1: Download and unzip it into your folder (the path where the server and client config files and Easy-RSA v3 are stored).

2: Rename it to easy-rsa.

 

I do have a solution for the easyrsa issue as well in my latest update, which will go public this weekend.

 

Sent from my iPhone using Tapatalk

 

 

 

Edited by peter_sm

New version available! 

 

New feature: changed the way easyrsa is downloaded; it now downloads the default branch instead of forcing a download of the master branch.

 

The master branch is still broken. So update the plugin and install the server again.

FYI: 3.0.5 is the default branch.

//Peter

 

Edited by peter_sm

I seem to have difficulties starting the server: whenever I press "Start OpenVPN Server", the page refreshes and the status remains "OpenVPN Server is NOT RUNNING". Any help troubleshooting would be much appreciated!

 

EDIT: from log:

Options error: --server directive network/netmask combination is invalid
Use --help for more information.

 

Edit: Changing the VPN IP to 10.8.0.0 helped.

Edited by Inukinator
Added log
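The "network/netmask combination is invalid" error comes from OpenVPN's own sanity check on the --server line the plugin builds from NETWORK and NETMASK: the netmask must be contiguous and the network must have no host bits set under it (10.8.0.1/255.255.255.0 fails, 10.8.0.0/255.255.255.0 passes). As an added example (not plugin code), this reproduces that check so a bad pair can be caught before starting the server; the extra "/30 or larger" rule is the example's own, since --server needs an address for the server and at least one client, and OpenVPN applies further size limits not modelled here.

```shell
#!/bin/sh
# Added example, not plugin code: validate NETWORK/NETMASK from openvpnserver.conf the way
# OpenVPN's --server does (contiguous mask, network aligned to it). Assumes POSIX sh arithmetic.

# dotted quad -> 32-bit integer on stdout; returns 1 (prints nothing) on malformed input
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int2ip() { echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"; }

# the network address a NETWORK/NETMASK pair should have used (host bits cleared)
aligned_network() {
    net=$(ip2int "$1") || return 1
    mask=$(ip2int "$2") || return 1
    int2ip $(( net & mask ))
}

# usage: check_server_subnet NETWORK NETMASK -> 0 if --server would accept it, else 1 with a reason
check_server_subnet() {
    net=$(ip2int "$1") || { echo "network $1 is not a dotted quad"; return 1; }
    mask=$(ip2int "$2") || { echo "netmask $2 is not a dotted quad"; return 1; }
    inv=$(( ~mask & 0xFFFFFFFF ))                   # the host-bit part of the mask
    # a contiguous mask inverts to 2^k - 1, which has no bit in common with itself + 1
    [ $(( inv & (inv + 1) )) -eq 0 ] || { echo "netmask $2 is not contiguous"; return 1; }
    [ $(( net & inv )) -eq 0 ] \
        || { echo "network $1 has host bits set under $2; use $(int2ip $(( net & mask )))"; return 1; }
    # example's own rule: /31 and /32 leave no room for the server's .1 plus a client
    [ "$inv" -ge 3 ] || { echo "netmask $2 leaves no client addresses; use /30 or larger"; return 1; }
    return 0
}

# usage: check_server_subnet 10.8.0.0 255.255.255.0 && echo ok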

I've got to say this is a really good plugin, I really like it. 

I was just wondering if there is a setting to see the device names on the pc connected via the VPN.

 

I map my network drives using names, for instance '\\NAS\documents', and use RDP with the names and not the IPs.

However, currently the folder won't be recognized this way, only by using the IP.

I have been trying some different settings but I haven't had luck really.

Maybe this question has been asked earlier but I couldn't really find it.

13 hours ago, DavyV97 said:

I've got to say this is a really good plugin, I really like it. 

I was just wondering if there is a setting to see the device names on the pc connected via the VPN.

 

I map my network drives using names, for instance '\\NAS\documents', and use RDP with the names and not the IPs.

However, currently the folder won't be recognized this way, only by using the IP.

I have been trying some different settings but I haven't had luck really.

Maybe this question has been asked earlier but I couldn't really find it.

Do you have or see an issue with the DNS?

On my iPhone I can browse computers and shares on the LAN by name.

 

 

What are your settings in openvpnserver.conf?


I have set up my VPN with TunnelBear and it works great; however, Plex.

 

From everything I've read (and I've spent weeks trying), the fix is this in the config file:

 

# PLEX over WAN route
route plex.tv 255.255.255.255 net_gateway
route my.plexapp.com 255.255.255.255 net_gateway
route myplex.tv 255.255.255.255 net_gateway

 

Now this does exclude Plex, well, in a way: when I go into Plex, I see my actual IP at least, and my ports are forwarded as they have always been, but there is still no outside connection for Plex until I turn the VPN off. My network settings while connected look as below, and the connection log from OpenVPN is also below. As for the Plex logs, I have no idea which one; there are way too many and none with the right timestamp.

 

I am just stumped.

 

default via 172.18.12.9 dev tun5 
34.248.236.84 via 192.168.1.1 dev br0 
34.252.129.181 via 192.168.1.1 dev br0 
34.252.160.54 via 192.168.1.1 dev br0 
34.253.32.64 via 192.168.1.1 dev br0 
52.17.222.85 via 192.168.1.1 dev br0 
52.212.88.40 via 192.168.1.1 dev br0 
54.77.197.74 via 192.168.1.1 dev br0 
54.171.208.164 via 192.168.1.1 dev br0 
159.89.101.187 via 192.168.1.1 dev br0 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 
172.18.12.1 via 172.18.12.9 dev tun5 
172.18.12.9 dev tun5 proto kernel scope link src 172.18.12.10 
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.9 metric 213 
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown 
 

Protocol  Route                 Gateway       Metric
IPv4      default               172.18.12.9   1
IPv4      34.248.236.84         192.168.1.1   1
IPv4      34.252.129.181        192.168.1.1   1
IPv4      34.252.160.54         192.168.1.1   1
IPv4      34.253.32.64          192.168.1.1   1
IPv4      52.17.222.85          192.168.1.1   1
IPv4      52.212.88.40          192.168.1.1   1
IPv4      54.77.197.74          192.168.1.1   1
IPv4      54.171.208.164        192.168.1.1   1
IPv4      159.89.101.187        192.168.1.1   1
IPv4      172.17.0.0/16         docker0       1
IPv4      172.18.12.1           172.18.12.9   1
IPv4      172.18.12.9           tun5          1
IPv4      192.168.1.0/24        br0           213
IPv4      192.168.122.0/24      virbr0        1

IPv6      2000::/3              tun5          1024
IPv6      fde4:8dba:82e2::/64   tun5          256

 

 

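The routing table above shows exactly what the three "route ... net_gateway" lines buy you: each hostname was resolved once when the tunnel came up, and each resolved address got a /32 via the LAN gateway; everything else, including the rest of the addresses Plex talks to, any that resolve differently later, and all IPv6 (2000::/3 points at tun5), still goes out through tun5. As an added example (not from the post or the plugin), here is a longest-prefix lookup over a constructed excerpt of that table so you can see which interface a given destination takes.

```shell
#!/bin/sh
# Added example, not plugin code: longest-prefix route lookup over "ip -4 route" output.
# Assumes the iproute2 line format shown above ("DEST [via GW] dev IF ..."); no other tools needed.

# Constructed excerpt of the posted table (same addresses, fewer rows).
ROUTES_EXAMPLE='default via 172.18.12.9 dev tun5
34.248.236.84 via 192.168.1.1 dev br0
52.17.222.85 via 192.168.1.1 dev br0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.18.12.9 dev tun5 proto kernel scope link src 172.18.12.10
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.9 metric 213'

# usage: route_lookup DEST < routes   -> "via GW dev IF", or "dev IF" for on-link routes
# Picks the most specific matching prefix, like the kernel; metrics are ignored (no ties above).
route_lookup() {
    awk -v dst="$1" '
        function ip2n(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        function prefix(n, bits) { return int(n / 2^(32 - bits)) }   # network part of n under /bits
        {
            if ($1 == "default")               { net = 0; bits = 0 }
            else if (split($1, p, "/") == 2)   { net = ip2n(p[1]); bits = p[2] + 0 }
            else                               { net = ip2n($1); bits = 32 }
            gw = ""; dev = ""
            for (i = 2; i < NF; i++) { if ($i == "via") gw = $(i+1); if ($i == "dev") dev = $(i+1) }
            if (bits >= best && prefix(ip2n(dst), bits) == prefix(net, bits)) {
                best = bits; bgw = gw; bdev = dev; found = 1
            }
        }
        END {
            if (!found) { print "unreachable"; exit 1 }
            print (bgw == "" ? "dev " bdev : "via " bgw " dev " bdev)
        }'
}

# usage: printf '%s\n' "$ROUTES_EXAMPLE" | route_lookup 34.248.236.85
#        ip -4 route | route_lookup 34.248.236.85
```

Run it against the live table with `ip -4 route | route_lookup ADDRESS` for any address Plex reports in its logs: if the answer is tun5, that connection is leaving through TunnelBear regardless of the net_gateway lines.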
1 hour ago, shortsyoungster said:

Hey, are there any reports of this working on 6.4? Ever since I updated I haven't been able to connect.

Works flawlessly :-)

 

What server config do you have?

What error log do you see?

What client are you using?

 

There has been a major issue with the iOS client, but now there is an update!

There has been an issue with the easyrsa project; the latest plugin now downloads the correct version, which is the default branch.

 

//Peter

On 28-1-2018 at 8:00 AM, peter_sm said:

Do you have or see an issue with the DNS?

On my iPhone I can browse computers and shares on the LAN by name.

 

 

What are your settings in openvpnserver.conf?

So these are the settings I get when connecting the VPN on my laptop (see attached file).

Where can I find the openvpnserver.conf file?

 

ipconfig.PNG

1 hour ago, peter_sm said:


You find it here:
/boot/config/plugins/openvpnserver

Also post
openvpnserver.ovpn from the configuration path you set in the GUI.

The config file:

# openvpnserver plugin configuration file
NETWORK=10.8.0.0
NETMASK=255.255.255.0
SERVER_PORT=1194
CANONICAL=xxxxx.xxxxx.xxx
PROTOCOL=udp
CIPHER="cipher AES-256-CBC"
CLIENT="Enable"
HASH_ALGO="auth sha512"
GATEWAY="redirect-gateway def1"
SUBNET="topology subnet"
LAN_SUBNET="Disable"
COMP_LZO="comp-lzo adaptive"
IPP="ipp.txt"
DHCP_1="dhcp-option DNS"
TELNET_CONSOLE="No"
VERB="verb 3"
IP_PORT_SHARE=""
TLSENCRYPT="tls-crypt"
 

.ovpn file (parts of): 

# Define the profile name of this particular configuration file
# OVPN_ACCESS_SERVER_PROFILE=xxxxxxx.xxxx.xxx
# OVPN_ACCESS_SERVER_CLI_PREF_ALLOW_WEB_IMPORT=True
# OVPN_ACCESS_SERVER_CLI_PREF_BASIC_CLIENT=False
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_CONNECT=True
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_XD_PROXY=True
# OVPN_ACCESS_SERVER_WSHOST=xxxxxx.xxxxxx.xxx:943
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_START
 

And:

# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_STOP
# OVPN_ACCESS_SERVER_IS_OPENVPN_WEB_CA=1
# OVPN_ACCESS_SERVER_ORGANIZATION=OpenVPN Technologies, Inc.
setenv FORWARD_COMPATIBLE 1
client
proto udp
nobind
remote xxxx.xxxx.xxx
port 1194
dev tun
dev-type tun
ns-cert-type server
setenv opt tls-version-min 1.0 or-highest
reneg-sec 604800
sndbuf 100000
rcvbuf 100000
auth-user-pass
# NOTE: LZO commands are pushed by the Access Server at connect time.
# NOTE: The below line doesn't disable LZO.
comp-lzo no
verb 3
setenv PUSH_PEER_INFO
 

21 hours ago, peter_sm said:

Works flawlessly :-)

 

What server config do you have?

What error log do you see?

What client are you using?

 

There has been a major issue with the iOS client, but now there is an update!

There has been an issue with the easyrsa project; the latest plugin now downloads the correct version, which is the default branch.

 

//Peter

Hi, The error I get is as follows:

2018-02-02 20:59:28 MANAGEMENT: >STATE:1517633968,WAIT,,,,,,

2018-02-02 20:59:28 WARNING: Bad encapsulated packet length from peer (18516), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]

I have tried connecting from Tunnelblick and the Android clients.

I attached my network and server configs.

Thanks in advance!

Screen Shot 2018-02-02 at 9.02.31 PM.png

network.cfg

10 minutes ago, shortsyoungster said:

Hi, The error I get is as follows:


2018-02-02 20:59:28 MANAGEMENT: >STATE:1517633968,WAIT,,,,,,

2018-02-02 20:59:28 WARNING: Bad encapsulated packet length from peer (18516), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]

I have tried connecting from Tunnelblick and the Android clients.

I attached my network and server configs.

Thanks in advance!

Screen Shot 2018-02-02 at 9.02.31 PM.png

network.cfg

Never seen this error; please check the OpenVPN support forum or try Google.

http://www.letmegooglethat.com/?q=please+ensure+that+--tun-mtu+or+--link-mtu+is+equal+on+both+peers+--+this+condition+could+also+indicate+a+possible+active+attack+on+the+TCP+link

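One check worth doing before searching for that message: over TCP, OpenVPN prefixes every packet with a 16-bit big-endian length, so "Bad encapsulated packet length from peer (18516)" means the first two bytes the client read from the socket were 0x48 0x54, which is the ASCII "HT" you would get if a web server answered "HTTP/1.1 ..." on that port instead of an OpenVPN server. As an added example (not from the thread or OpenVPN), the script below decodes such a length and classifies it; whether a web service really sits on the forwarded port is still something to confirm on the router.

```shell
#!/bin/sh
# Added example, not plugin code: interpret OpenVPN's "Bad encapsulated packet length (N)".
# Assumes OpenVPN's TCP framing (2-byte big-endian length prefix); the 1627 default below is
# the upper bound quoted in the posted message, which depends on the peers' link-mtu.

# the two framing bytes a length was read from, printed as raw characters (18516 -> "HT")
length_as_ascii() {
    hi=$(( $1 >> 8 )); lo=$(( $1 & 255 ))
    printf "\\$(printf '%03o' "$hi")\\$(printf '%03o' "$lo")"
}

# is the byte value an ASCII letter? (avoids locale surprises from matching the raw characters)
is_letter() {
    { [ "$1" -ge 65 ] && [ "$1" -le 90 ]; } || { [ "$1" -ge 97 ] && [ "$1" -le 122 ]; }
}

# usage: classify_tcp_length LENGTH [MAX]  -> one of:
#   not-openvpn:XX  both bytes are letters; something speaking a text protocol answered the socket
#   oversize        zero or above MAX; MTU mismatch, or a stream that lost framing mid-way
#   plausible       a length OpenVPN would not have complained about
classify_tcp_length() {
    len=$1; max=${2:-1627}
    hi=$(( len >> 8 )); lo=$(( len & 255 ))
    if is_letter "$hi" && is_letter "$lo"; then
        echo "not-openvpn:$(length_as_ascii "$len")"
    elif [ "$len" -eq 0 ] || [ "$len" -gt "$max" ]; then
        echo oversize
    else
        echo plausible
    fi
}

# usage: classify_tcp_length 18516        -> not-openvpn:HT
```

A "not-openvpn" verdict points at the port forward or the client's remote/port line, not at MTU settings: the client reached a TCP listener, but not the OpenVPN one.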

Not creating the .p12 file for some reason. Any ideas why?

 

Log output below

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Adding client:  USER
spawn ./easyrsa build-client-full USER nopass
Generating a 2048 bit RSA private key
.........+++
................................................................+++
writing new private key to '/mnt/cache/appdata/myVPNserver/easy-rsa/easyrsa3/pki/private/USER.key.XXXXwylxGo'
-----
Using configuration from ./openssl-easyrsa.cnf
Enter pass phrase for /mnt/cache/appdata/myVPNserver/easy-rsa/easyrsa3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'USER'
Certificate is to be certified until Feb  2 01:32:01 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
spawn ./easyrsa export-p12 USER
Usage: pkcs12 [options]
where options are
-export       output PKCS12 file
-chain        add certificate chain
-inkey file   private key if not infile
-certfile f   add all certs in f
-CApath arg   - PEM format directory of CA's
-CAfile arg   - PEM format file of CA's
-name "name"  use name as friendly name
-caname "nm"  use nm as CA friendly name (can be used more than once).
-in  infile   input filename
-out outfile  output filename
-noout        don't output anything, just verify.
-nomacver     don't verify MAC.
-nocerts      don't output certificates.
-clcerts      only output client certificates.
-cacerts      only output CA certificates.
-nokeys       don't output private keys.
-info         give info about PKCS#12 structure.
-des          encrypt private keys with DES
-des3         encrypt private keys with triple DES (default)
-seed         encrypt private keys with seed
-aes128, -aes192, -aes256
              encrypt PEM output with cbc aes
-camellia128, -camellia192, -camellia256
              encrypt PEM output with cbc camellia
-nodes        don't encrypt private keys
-noiter       don't use encryption iteration
-nomaciter    don't use MAC iteration
-maciter      use MAC iteration
-nomac        don't generate MAC
-twopass      separate MAC, encryption passwords
-descert      encrypt PKCS#12 certificates with triple DES (default RC2-40)
-certpbe alg  specify certificate PBE algorithm (default RC2-40)
-keypbe alg   specify private key PBE algorithm (default 3DES)
-macalg alg   digest algorithm used in MAC (default SHA1)
-keyex        set MS key exchange type
-keysig       set MS key signature type
-password p   set import/export password source
-passin p     input file pass phrase source
-passout p    output file pass phrase source
-engine e     use engine e, possibly a hardware device.
-rand file:file:...
              load the file (or the files in the directory) into
              the random number generator
-CSP name     Microsoft CSP name
-LMK          Add local machine keyset attribute to private key

Easy-RSA error:

Export of p12 failed: see above for related openssl errors.
send: spawn id exp5 not open
    while executing
"send "PASSWORD\r""
cp: cannot stat '/mnt/cache/appdata/myVPNserver/easy-rsa/easyrsa3/pki/private/USER.p12': No such file or directory
Update USER.ovpn to be used with IOS
Creating a zip file for the client
    zip warning: name not matched: USER.p12
  adding: USER.ovpn (deflated 33%)
  adding: README.txt (deflated 53%)
Client files have been stored in this folder ..
/mnt/cache/appdata/myVPNserver/clients/USER

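Two places in this thread come down to whether the files easy-rsa produced are actually usable: the server-side build output near the top (ca.crt, server.crt, server.key, dh.pem, ta.key) and the export-p12 failure just above, where the client zip was packaged without a .p12 because openssl pkcs12 rejected the call. As an added example that is not part of the plugin or of easy-rsa, the script below builds the same kind of files with plain openssl (a stand-in for build-ca / build-server-full / build-client-full, so it can be tried anywhere), checks them the way a client effectively does at connect time, and performs the PKCS#12 export that easyrsa export-p12 wraps, reading the bundle back to prove it is importable. Only the openssl CLI is assumed; the directory, the name USER and the password are placeholders.

```shell
#!/bin/sh
# Added example; not part of the openvpnserver plugin or of easy-rsa. Assumes only the openssl CLI.
# Names, paths and the password are placeholders.

# Stand-in for easyrsa build-ca / build-server-full / build-client-full: a throwaway PKI in $1.
make_test_pki() {
    dir="$1"; mkdir -p "$dir"
    cat > "$dir/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
[ server ]
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment
[ client ]
extendedKeyUsage = clientAuth
keyUsage = digitalSignature
EOF
    openssl req -config "$dir/pki.cnf" -x509 -extensions ca_ext -newkey rsa:2048 -nodes -days 3650 \
        -subj '/CN=Easy-RSA CA' -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    for n in server USER; do
        case "$n" in server) ext=server ;; *) ext=client ;; esac
        openssl req -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -subj "/CN=$n" \
            -keyout "$dir/$n.key" -out "$dir/$n.csr" 2>/dev/null
        openssl x509 -req -days 3650 -in "$dir/$n.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -extfile "$dir/pki.cnf" -extensions "$ext" -out "$dir/$n.crt" 2>/dev/null
    done
    # tls-auth / tls-crypt key: 2048 random bits in the wrapper "openvpn --genkey" writes
    { echo '-----BEGIN OpenVPN Static key V1-----'; openssl rand -hex 256 | fold -w 32
      echo '-----END OpenVPN Static key V1-----'; } > "$dir/ta.key"
    chmod 400 "$dir"/*.key
}

# What a client effectively verifies at connect time, plus what the plugin copies around.
# Prints the first failing check and returns 1; returns 0 when the set is consistent.
check_openvpn_pki() {
    dir="$1"
    for f in ca.crt server.crt server.key ta.key; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $f"; return 1; }
    done
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 \
        || { echo "server.crt is not signed by ca.crt"; return 1; }
    # the public key in the cert must be the one in the key file (SHA-256 over the SPKI; RSA or EC)
    c=$(openssl x509 -in "$dir/server.crt" -noout -pubkey 2>/dev/null | openssl sha256)
    k=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ] || { echo "server.key does not match server.crt"; return 1; }
    # clients with "remote-cert-tls server" reject a server cert that lacks the serverAuth EKU
    openssl x509 -in "$dir/server.crt" -noout -text 2>/dev/null | grep -q 'TLS Web Server Authentication' \
        || { echo "server.crt lacks extendedKeyUsage = serverAuth"; return 1; }
    grep -q 'BEGIN OpenVPN Static key V1' "$dir/ta.key" \
        || { echo "ta.key is not an OpenVPN static key"; return 1; }
    for f in server.key ta.key; do      # private material must not be group- or world-readable
        m=$(stat -c %a "$dir/$f" 2>/dev/null || stat -f %Lp "$dir/$f" 2>/dev/null)
        case "$m" in [0-7]00) ;; *) echo "$f is readable by others (mode $m)"; return 1 ;; esac
    done
    return 0
}

# Essentially the openssl call behind "easyrsa export-p12 NAME": client key + cert + CA in one
# password-protected bundle for iOS/Android. Returns 1 if openssl refuses or the bundle cannot be
# read back with the same password (which is what the failed run above never got to test).
export_client_p12() {
    dir="$1"; name="$2"; pass="$3"
    openssl pkcs12 -export -in "$dir/$name.crt" -inkey "$dir/$name.key" -certfile "$dir/ca.crt" \
        -name "$name" -out "$dir/$name.p12" -passout "pass:$pass" 2>/dev/null \
        || { echo "openssl pkcs12 export failed"; return 1; }
    chmod 400 "$dir/$name.p12"
    n=$(openssl pkcs12 -in "$dir/$name.p12" -passin "pass:$pass" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true)
    [ "$n" -eq 2 ] || { echo "read-back of $name.p12 found $n certificates, expected client + CA"; return 1; }
    return 0
}

# usage: check_openvpn_pki /mnt/cache/appdata/myVPNserver/easy-rsa/easyrsa3/pki && echo "pki ok"
#        export_client_p12 /path/to/pki USER 'PASSWORD'
```

Against a real plugin install, point check_openvpn_pki at the directory that holds the copied ca.crt/server.crt/server.key/ta.key (the ls -altr listing at the top of the thread) rather than at easyrsa3/pki, which keeps certs and keys in issued/ and private/; the failing export above leaves no USER.p12 at all, so running export_client_p12 by hand is also the quickest way to see openssl's actual complaint, since it is printed in full instead of being swallowed by the expect wrapper.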
