peter_sm Posted December 26, 2017 (Author)
Easyrsa is fixed in 3.0.4: https://github.com/OpenVPN/easy-rsa/archive/v3.0.4.zip
However, my plugin downloads the master branch, so we need to wait for them to update the master branch. You can download the above zip file to your openvpn folder and unzip it, then rename the folder to easyrsa and you are good to go.
//Peter
vyreks Posted January 2, 2018
I get the same error as Nick, and easy-rsa 3.0.4 only generates ta.key for me. Nothing else.
peter_sm Posted January 2, 2018 (Author) (edited)
3 hours ago, vyreks said:
I get the same error as Nick, and easy-rsa 3.0.4 only generates ta.key for me. Nothing else.

How did you install 3.0.4? Can you try to install master and comment out the line I showed in an earlier post? Thanks.

EDIT: Works fine with the above zip file.
1: Download and unzip to your folder (the path to store server and client config files and Easy-RSA v3).
2: Rename to easy-rsa

Generating a 2048 bit RSA private key
..........+++
...............................+++
writing new private key to '/mnt/disks/SSD1/appdata/myVPNserver_1/easy-rsa/easyrsa3/pki/private/ca.key.XXXXiQQ53v'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/mnt/disks/SSD1/appdata/myVPNserver_1/easy-rsa/easyrsa3/pki/ca.crt

spawn ./easyrsa build-server-full server nopass
Generating a 2048 bit RSA private key
............................................................................................................................................................................+++
.......+++
writing new private key to '/mnt/disks/SSD1/appdata/myVPNserver_1/easy-rsa/easyrsa3/pki/private/server.key.XXXXSS2Egv'
-----
Using configuration from ./openssl-easyrsa.cnf
Enter pass phrase for /mnt/disks/SSD1/appdata/myVPNserver_1/easy-rsa/easyrsa3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Dec 31 06:55:06 2027 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.......................................................................................................+..............................................+..................................................................................

DH parameters of size 2048 created at /mnt/disks/SSD1/appdata/myVPNserver_1/easy-rsa/easyrsa3/pki/dh.pem

ls -altr
total 672
drwxrwxrwx  8 root root    234 Dec 24 17:00 easy-rsa/
drwxrwxrwx 25 root root   4096 Jan  2 07:46 ../
-rw-r-----  1 root root   1089 Jan  2 07:47 openvpnserver.ovpn
-rw-rw-rw-  1 root root 652211 Jan  2 07:47 easy-rsa-3.0.4.zip
-r--------  1 root root   4547 Jan  2 07:55 server.crt
-r--------  1 root root   1172 Jan  2 07:55 ca.crt
-r--------  1 root root   1704 Jan  2 07:55 server.key
-r--------  1 root root    424 Jan  2 07:55 dh.pem
-r--------  1 root root    636 Jan  2 07:55 ta.key

Sent from my iPhone using Tapatalk
Edited January 2, 2018 by peter_sm
vyreks Posted January 2, 2018
Okay, this is weird. After ~12h of doing nothing, I tried again and it generated just fine. I hate technology. Thanks for the tips anyway.
pwm Posted January 2, 2018
Problems with newly booted machines lacking entropy for pseudo-random data, resulting in some part of the program hanging while waiting for /dev/random to produce enough data?
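pwm's hypothesis is testable without waiting 12 hours. The script below is an added example, not part of the plugin or of any post in this thread: it reads the kernel's entropy counter and does a non-blocking read from /dev/random, which is the same device a key generator would block on. The path constants are the standard Linux ones; the low-water mark of 256 bits is an assumption chosen for the example. On kernels from 5.6 onwards /dev/random stops blocking once the pool has been seeded, so the "starved" result can only appear during early boot there; on the 4.x kernels of the time it could appear at any moment.

```python
import errno
import os

ENTROPY_AVAIL_PATH = "/proc/sys/kernel/random/entropy_avail"
DEV_RANDOM = "/dev/random"


def parse_entropy_avail(text):
    """Parse the contents of entropy_avail (a single integer, in bits)."""
    return int(text.strip())


def read_entropy_avail(path=ENTROPY_AVAIL_PATH):
    """Return the kernel's entropy_avail counter, or None if it cannot be read."""
    try:
        with open(path) as f:
            return parse_entropy_avail(f.read())
    except (OSError, ValueError):
        return None


def probe_dev_random(path=DEV_RANDOM, nbytes=16):
    """Non-blocking read from /dev/random.

    'ok'          bytes came back immediately
    'starved'     the kernel would have blocked (EAGAIN): a normal reader
                  such as a key generator would hang at this point
    'unavailable' the device cannot be opened (not Linux, no permission)
    """
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    except OSError:
        return "unavailable"
    try:
        os.read(fd, nbytes)
        return "ok"
    except OSError as e:
        return "starved" if e.errno in (errno.EAGAIN, errno.EWOULDBLOCK) else "unavailable"
    finally:
        os.close(fd)


def assess(entropy_bits, probe_result, low_water=256):
    """Turn the two measurements into a one-line verdict (low_water is an assumed threshold)."""
    if probe_result == "starved":
        return "starved: /dev/random would block, key generation can hang here"
    if entropy_bits is not None and entropy_bits < low_water:
        return "low: entropy_avail=%d bits, generation may stall" % entropy_bits
    return "ok"


if __name__ == "__main__":
    bits = read_entropy_avail()
    probe = probe_dev_random()
    print("entropy_avail=%s probe=%s -> %s" % (bits, probe, assess(bits, probe)))
```

Run it right before `easyrsa build-ca` on a freshly booted box; if it reports "starved" or "low", the delay vyreks saw is the pool filling up, and installing a userspace entropy daemon or a hardware RNG is the fix rather than retrying.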
jm9843 Posted January 25, 2018
On 12/17/2017 at 10:46 PM, peter_sm said:
What is your default route interface? eth0, br0? Verify this by the last iptables row (in red) on the log page. You should see your LAN with all settings set to defaults. I have an update to verify this much better in the next release!

I'm trying to switch from the openvpn-as docker container to your plugin but haven't been able to connect to the server (getting a "TLS key negotiation failed" error). The one difference that I noticed is that the default route interface is br0, while the one that I was using successfully with the container was bond0 (as it's the interface listed first under unRAID/Info/Network). Could this be the problem and, if so, how would I go about changing the interface used by the openvpn server? FWIW, I'm using all default "Server config" settings with the exception of "Redirect-gateway" set to "redirect-gateway def1". I'm also seeing the TLS error showing up in /var/log/openvpnserver.log, which seems to confirm that traffic is being forwarded by the router correctly. Thanks.
peter_sm Posted January 25, 2018 (Author)
Hi
7 minutes ago, jm9843 said:
I'm trying to switch from the openvpn-as docker container to your plugin but haven't been able to connect to the server (getting a "TLS key negotiation failed" error). The one difference that I noticed is that the default route interface is br0, while the one that I was using successfully with the container was bond0 (as it's the interface listed first under unRAID/Info/Network). Could this be the problem and, if so, how would I go about changing the interface used by the openvpn server? FWIW, I'm using all default "Server config" settings with the exception of "Redirect-gateway" set to "redirect-gateway def1". I'm also seeing the TLS error showing up in /var/log/openvpnserver.log, which seems to confirm that traffic is being forwarded by the router correctly. Thanks.

Is br0 your default interface? Do you have several network interfaces (eth0, eth1, bond0, bond1)? Can you try to remove the bond and try again? I have a new version coming soon that catches the right interface in a much better way!
//Peter
jm9843 Posted January 25, 2018
9 hours ago, peter_sm said:
Hi. Is br0 your default interface? Do you have several network interfaces (eth0, eth1, bond0, bond1)? Can you try to remove the bond and try again? I have a new version coming soon that catches the right interface in a much better way! //Peter

If I'm thinking of it correctly, bond0 is the default interface (per Spaceinvader One's YouTube tutorial on the docker container). Since I'm not sure how to go about removing interfaces and I don't want to break anything else, I'll likely wait and try your next version to see if it solves my TLS handshake problem.
peter_sm Posted January 25, 2018 (Author)
jm9843 said:
If I'm thinking of it correctly, bond0 is the default interface (per Spaceinvader One's YouTube tutorial on the docker container). Since I'm not sure how to go about removing interfaces and I don't want to break anything else, I'll likely wait and try your next version to see if it solves my TLS handshake problem.

Can you try to set all default settings? On the log page, the red text at the bottom: is that your default interface?
jm9843 Posted January 26, 2018
8 hours ago, peter_sm said:
Can you try to set all default settings? On the log page, the red text at the bottom: is that your default interface?

I got a chance to try this again with the same result. To test, I uninstalled the plugin and deleted its appdata folder. I then reinstalled the plugin and, per your suggestion, used the default settings (with the exception of specifying the Dynamic DNS address). I still see results like so in the openvpn server log:

Thu Jan 25 01:16:05 2018 192.168.86.1:43312 TLS: Initial packet from [AF_INET]192.168.86.1:43312, sid=0773056c 1556308b
Thu Jan 25 01:17:05 2018 192.168.86.1:43312 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network co$
Thu Jan 25 01:17:05 2018 192.168.86.1:43312 TLS Error: TLS handshake failed
Thu Jan 25 01:17:05 2018 192.168.86.1:43312 SIGUSR1[soft,tls-error] received, client-instance restarting

On the log page, in the red text at the bottom, I see br0 as the network interface (see screenshot). However, if I look at unRAID System Info, it appears to show bond0 (see screenshot). I'm unsure how to proceed.
peter_sm Posted January 26, 2018 (Author) (edited)
Can you post the result after you have run these commands?
ifconfig
ip -4 route
ls

Edit: It might be the issue with easyrsa! Please try this version: https://github.com/OpenVPN/easy-rsa/archive/v3.0.5.zip
1: Download and unzip to your folder (the path to store server and client config files and Easy-RSA v3).
2: Rename to easy-rsa
I do have a solution for the easyrsa issue as well in my latest update, which will go public this weekend.

Sent from my iPhone using Tapatalk
Edited January 26, 2018 by peter_sm
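The four lines jm9843 posted already narrow the problem down more than the thread makes explicit. OpenVPN only logs "TLS: Initial packet from" after the packet has passed the tls-crypt (or tls-auth) check, so the port forward works inbound and the wrap key matches; what never happens is the rest of the handshake, which means the server's replies are not reaching the client. The source address is the router's LAN address, so the reply must go back out through the LAN-facing interface, which is exactly why the br0/bond0 question matters. A key mismatch or a certificate problem looks different in the log. The triage script below is an added example (not the plugin's code and not from any post): it classifies an OpenVPN server log per peer using OpenVPN's own message strings. The sample log is constructed: it contains jm9843's lines (with the truncated one completed to OpenVPN's actual wording) plus invented peers 203.0.113.7, 198.51.100.9 and 198.51.100.44 to exercise the other branches.

```python
import re
from collections import defaultdict

# Constructed sample log: jm9843's four lines plus invented peers for the other cases.
SAMPLE_LOG = """\
Thu Jan 25 01:16:05 2018 192.168.86.1:43312 TLS: Initial packet from [AF_INET]192.168.86.1:43312, sid=0773056c 1556308b
Thu Jan 25 01:17:05 2018 192.168.86.1:43312 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Jan 25 01:17:05 2018 192.168.86.1:43312 TLS Error: TLS handshake failed
Thu Jan 25 01:17:05 2018 192.168.86.1:43312 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Jan 25 01:20:10 2018 203.0.113.7:51000 TLS Error: tls-crypt unwrapping failed from [AF_INET]203.0.113.7:51000
Thu Jan 25 01:21:00 2018 198.51.100.9:40000 TLS: Initial packet from [AF_INET]198.51.100.9:40000, sid=aabbccdd 11223344
Thu Jan 25 01:21:01 2018 198.51.100.9:40000 VERIFY ERROR: depth=0, error=certificate has expired: CN=laptop
Thu Jan 25 01:22:00 2018 198.51.100.44:40100 TLS: Initial packet from [AF_INET]198.51.100.44:40100, sid=01020304 05060708
Thu Jan 25 01:22:01 2018 198.51.100.44:40100 [laptop2] Peer Connection Initiated with [AF_INET]198.51.100.44:40100
"""

# "Thu Jan 25 01:16:05 2018 <ip:port> <message>"
LINE_RE = re.compile(r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} (?P<peer>[\d.]+:\d+) (?P<msg>.*)$")

# (tag, substring of the OpenVPN message); first match wins per line.
RULES = [
    ("connected", "Peer Connection Initiated"),
    ("cert-verify-failed", "VERIFY ERROR"),
    ("wrap-key-mismatch", "tls-crypt unwrapping failed"),
    ("wrap-key-mismatch", "cannot locate HMAC"),
    ("handshake-timeout", "TLS key negotiation failed to occur"),
    ("initial-packet", "TLS: Initial packet from"),
]

VERDICTS = {
    "ok": "handshake completed",
    "cert-verify-failed": "client certificate rejected: check expiry, the CA and the client's <cert>",
    "wrap-key-mismatch": "control packets fail the tls-crypt/tls-auth check: the client's ta.key differs "
                         "from the server's, or something other than OpenVPN is hitting this port",
    "no-return-path": "the server accepted the client's first control packet (key wrap and inbound port "
                      "forward are fine) but the handshake never finished: replies are not reaching the "
                      "client. Check the interface/default route the server answers from and the NAT "
                      "return path",
    "unknown": "no recognised handshake message",
}


def parse_events(log_text):
    """Map each peer (ip:port) to the ordered list of handshake events seen for it."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for tag, needle in RULES:
            if needle in m.group("msg"):
                events[m.group("peer")].append(tag)
                break
    return events


def diagnose(log_text):
    """Return {peer: verdict code}, using the strongest signal seen per peer."""
    result = {}
    for peer, tags in parse_events(log_text).items():
        if "connected" in tags:
            code = "ok"
        elif "cert-verify-failed" in tags:
            code = "cert-verify-failed"
        elif "wrap-key-mismatch" in tags:
            code = "wrap-key-mismatch"
        elif "initial-packet" in tags and "handshake-timeout" in tags:
            code = "no-return-path"
        else:
            code = "unknown"
        result[peer] = code
    return result


def report(log_text):
    """One human-readable line per peer."""
    return ["%s: %s" % (peer, VERDICTS[code]) for peer, code in sorted(diagnose(log_text).items())]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Feed it /var/log/openvpnserver.log; a peer that lands in "no-return-path" is the case to pair with the `ip -4 route` output peter asks for, since the route that carries the reply to 192.168.86.1 is the one that has to be on the interface OpenVPN is bound to.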
peter_sm Posted January 27, 2018 (Author) (edited)
New version available!
New feature: Changed the way easyrsa is downloaded; it now downloads the default branch instead of forcing the master branch. The master branch is still broken. So update the plugin and install the server again.
FYI: 3.0.5 is the default branch.
//Peter
Edited January 27, 2018 by peter_sm
Inukinator Posted January 27, 2018 (edited)
I seem to have difficulties starting the server. Whenever I press "Start OpenVPN Server" the site refreshes and the status remains "OpenVPN Server is NOT RUNNING". Any help troubleshooting would be much appreciated!

EDIT: from the log:
Options error: --server directive network/netmask combination is invalid
Use --help for more information.

Edit: Changing the VPN IP to 10.8.0.0 helped.
Edited January 27, 2018 by Inukinator (added log)
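The error Inukinator hit is OpenVPN refusing a `server NETWORK NETMASK` pair in which NETWORK has host bits set under NETMASK (10.8.0.1 with 255.255.255.0, say); the network must be the first address of the subnet, which is why 10.8.0.0 worked. The validator below is an added example, not part of the plugin, and performs that alignment check plus a second one the plugin GUI does not mention: the VPN subnet must not overlap the LAN, the docker bridge or a VM bridge, or clients lose reachability to those hosts. The overlap list in the usage line is an assumption taken from subnets that appear elsewhere in this thread.

```python
import ipaddress


def check_server_directive(network, netmask):
    """Validate the pair behind 'server NETWORK NETMASK'.

    Returns (ok, message, aligned_network). OpenVPN rejects a NETWORK with host
    bits set under NETMASK; that is the "--server directive network/netmask
    combination is invalid" error. A non-contiguous netmask is rejected too.
    """
    try:
        net = ipaddress.IPv4Network((network, netmask), strict=True)
    except ValueError:
        try:
            loose = ipaddress.IPv4Network((network, netmask), strict=False)
        except ValueError as e:
            return False, "bad address or netmask: %s" % e, None
        aligned = str(loose.network_address)
        return (False,
                "%s has host bits set under %s; OpenVPN rejects it. Use %s instead."
                % (network, netmask, aligned),
                aligned)
    return (True,
            "server %s %s is valid (%d addresses)" % (network, netmask, net.num_addresses),
            str(net.network_address))


def overlapping_subnets(network, netmask, other_cidrs):
    """CIDRs in other_cidrs that collide with the VPN subnet (valid pair or not)."""
    vpn = ipaddress.IPv4Network((network, netmask), strict=False)
    return [c for c in other_cidrs if vpn.overlaps(ipaddress.IPv4Network(c))]


if __name__ == "__main__":
    # Assumed local subnets: LAN, docker0 and virbr0 as seen in other posts here.
    local = ["192.168.1.0/24", "172.17.0.0/16", "192.168.122.0/24"]
    for candidate in (("10.8.0.1", "255.255.255.0"), ("10.8.0.0", "255.255.255.0")):
        ok, msg, aligned = check_server_directive(*candidate)
        print(msg, "| overlaps:", overlapping_subnets(*candidate, local))
```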
DavyV97 Posted January 27, 2018
I've got to say this is a really good plugin; I really like it. I was just wondering if there is a setting to see the device names on the PC connected via the VPN. I map my network drives using names, for instance '\\NAS\documents', and use RDP using the names and not the IPs. However, currently the folder won't be recognized this way, only by using the IP. I have been trying some different settings but I haven't had luck really. Maybe this question has been asked earlier but I couldn't really find it.
peter_sm Posted January 28, 2018 (Author)
13 hours ago, DavyV97 said:
I've got to say this is a really good plugin; I really like it. I was just wondering if there is a setting to see the device names on the PC connected via the VPN. I map my network drives using names, for instance '\\NAS\documents', and use RDP using the names and not the IPs. However, currently the folder won't be recognized this way, only by using the IP. I have been trying some different settings but I haven't had luck really. Maybe this question has been asked earlier but I couldn't really find it.

Do you have, and see, issues with the DNS? On my iPhone I can browse computers and shares on the LAN by name. What are your settings in openvpnserver.conf?
purplechris Posted January 31, 2018
I have set up my VPN with TunnelBear and it works great; however, Plex. From everything I've read, and after spending weeks trying, what I have is this in the config file:

# PLEX over WAN route
route plex.tv 255.255.255.255 net_gateway
route my.plexapp.com 255.255.255.255 net_gateway
route myplex.tv 255.255.255.255 net_gateway

Now this does exclude Plex, well, in a way: when I go into Plex I see my actual IP at least, and my ports are forwarded as they have always been, but still no outside connection for Plex until I turn the VPN off. My network settings while connected look as follows, and the connection log from openvpn is also below. Also Plex logs: I have no idea which one, way too many and none with the right timestamp. I am just stumped.

default via 172.18.12.9 dev tun5
34.248.236.84 via 192.168.1.1 dev br0
34.252.129.181 via 192.168.1.1 dev br0
34.252.160.54 via 192.168.1.1 dev br0
34.253.32.64 via 192.168.1.1 dev br0
52.17.222.85 via 192.168.1.1 dev br0
52.212.88.40 via 192.168.1.1 dev br0
54.77.197.74 via 192.168.1.1 dev br0
54.171.208.164 via 192.168.1.1 dev br0
159.89.101.187 via 192.168.1.1 dev br0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.18.12.1 via 172.18.12.9 dev tun5
172.18.12.9 dev tun5 proto kernel scope link src 172.18.12.10
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.9 metric 213
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown

Protocol  Route                Gateway      Metric
IPv4      default              172.18.12.9  1
IPv4      34.248.236.84        192.168.1.1  1
IPv4      34.252.129.181       192.168.1.1  1
IPv4      34.252.160.54        192.168.1.1  1
IPv4      34.253.32.64         192.168.1.1  1
IPv4      52.17.222.85         192.168.1.1  1
IPv4      52.212.88.40         192.168.1.1  1
IPv4      54.77.197.74         192.168.1.1  1
IPv4      54.171.208.164       192.168.1.1  1
IPv4      159.89.101.187       192.168.1.1  1
IPv4      172.17.0.0/16        docker0      1
IPv4      172.18.12.1          172.18.12.9  1
IPv4      172.18.12.9          tun5         1
IPv4      192.168.1.0/24       br0          213
IPv4      192.168.122.0/24     virbr0       1
IPv6      2000::/3             tun5         1024
IPv6      fde4:8dba:82e2::/64  tun5         256
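The routing table purplechris posted explains the symptom. The `net_gateway` host routes only steer the box's own outbound connections to plex.tv's servers past the tunnel; a remote Plex client's connection arrives through the router's port forward on br0, but the kernel picks the route for the reply by destination, and for any address not in that list the only match is `default via 172.18.12.9 dev tun5`. The reply therefore leaves through TunnelBear with the VPN's source address and the client never sees it. The script below is an added example (not TunnelBear's, Plex's or the plugin's code): it parses the posted `ip -4 route` output verbatim, does the same longest-prefix lookup the kernel does, and flags which inbound peers would get an asymmetric reply; 198.51.100.20 is an invented remote client address. The usual remedy is source-based policy routing (`ip rule` selecting a separate table for traffic from 192.168.1.9), which is outside what this thread covers.

```python
import ipaddress

# The 'ip -4 route' output purplechris posted, verbatim.
ROUTE_DUMP = """\
default via 172.18.12.9 dev tun5
34.248.236.84 via 192.168.1.1 dev br0
34.252.129.181 via 192.168.1.1 dev br0
34.252.160.54 via 192.168.1.1 dev br0
34.253.32.64 via 192.168.1.1 dev br0
52.17.222.85 via 192.168.1.1 dev br0
52.212.88.40 via 192.168.1.1 dev br0
54.77.197.74 via 192.168.1.1 dev br0
54.171.208.164 via 192.168.1.1 dev br0
159.89.101.187 via 192.168.1.1 dev br0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.18.12.1 via 172.18.12.9 dev tun5
172.18.12.9 dev tun5 proto kernel scope link src 172.18.12.10
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.9 metric 213
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown
"""


def parse_routes(text):
    """Parse 'ip -4 route' lines into (destination network, via, dev, metric) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        dst = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0], strict=False)
        via = f[f.index("via") + 1] if "via" in f else None
        dev = f[f.index("dev") + 1] if "dev" in f else None
        metric = int(f[f.index("metric") + 1]) if "metric" in f else 0
        routes.append((dst, via, dev, metric))
    return routes


def lookup(routes, ip):
    """Longest-prefix match, lowest metric on ties, as the kernel selects a route."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))


def egress_dev(routes, ip):
    """Interface a packet to `ip` leaves through, or None if unroutable."""
    r = lookup(routes, ip)
    return r[2] if r else None


def asymmetric_inbound(routes, remote_ip, arrival_dev="br0"):
    """True when a connection that came in on arrival_dev (the router's port forward)
    would have its replies sent out through a different interface."""
    return egress_dev(routes, remote_ip) != arrival_dev


if __name__ == "__main__":
    routes = parse_routes(ROUTE_DUMP)
    for ip in ("34.248.236.84", "198.51.100.20", "192.168.1.50"):
        print(ip, "->", egress_dev(routes, ip),
              "ASYMMETRIC" if asymmetric_inbound(routes, ip) else "symmetric")
```

Running it on this table shows plex.tv's own address going out br0 (the exclusion works for what Plex itself contacts), while the invented remote viewer goes out tun5, which is the connection that "never works until the VPN is off".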
shortsyoungster Posted February 2, 2018
Hey, are there any reports of this working on 6.4? Ever since I updated, I haven't been able to connect.
peter_sm Posted February 2, 2018 (Author)
1 hour ago, shortsyoungster said:
Hey, are there any reports of this working on 6.4? Ever since I updated, I haven't been able to connect.

Works flawlessly :-) What server config do you have? What error log do you see? What client are you using? There has been a major issue with the iOS client, but now there is an update! There has been an issue with the easyrsa project; the latest plugin now downloads the correct version, which is the default branch.
//Peter
DavyV97 Posted February 2, 2018
On 28-1-2018 at 8:00 AM, peter_sm said:
Do you have, and see, issues with the DNS? On my iPhone I can browse computers and shares on the LAN by name. What are your settings in openvpnserver.conf?

So these are the settings I get when connecting the VPN on my laptop (see attached file). Where can I find the openvpnserver.conf file?
peter_sm Posted February 2, 2018 (Author)
DavyV97 said:
So these are the settings I get when connecting the VPN on my laptop (see attached file). Where can I find the openvpnserver.conf file?

You find it here: /boot/config/plugins/openvpnserver
Post also openvpnserver.ovpn from the configuration path you set in the GUI.
DavyV97 Posted February 2, 2018
1 hour ago, peter_sm said:
You find it here: /boot/config/plugins/openvpnserver. Post also openvpnserver.ovpn from the configuration path you set in the GUI.

The config file:

# openvpnserver plugin configuration file
NETWORK=10.8.0.0
NETMASK=255.255.255.0
SERVER_PORT=1194
CANONICAL=xxxxx.xxxxx.xxx
PROTOCOL=udp
CIPHER="cipher AES-256-CBC"
CLIENT="Enable"
HASH_ALGO="auth sha512"
GATEWAY="redirect-gateway def1"
SUBNET="topology subnet"
LAN_SUBNET="Disable"
COMP_LZO="comp-lzo adaptive"
IPP="ipp.txt"
DHCP_1="dhcp-option DNS"
TELNET_CONSOLE="No"
VERB="verb 3"
IP_PORT_SHARE=""
TLSENCRYPT="tls-crypt"

.ovpn file (parts of):

# Define the profile name of this particular configuration file
# OVPN_ACCESS_SERVER_PROFILE=xxxxxxx.xxxx.xxx
# OVPN_ACCESS_SERVER_CLI_PREF_ALLOW_WEB_IMPORT=True
# OVPN_ACCESS_SERVER_CLI_PREF_BASIC_CLIENT=False
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_CONNECT=True
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_XD_PROXY=True
# OVPN_ACCESS_SERVER_WSHOST=xxxxxx.xxxxxx.xxx:943
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_START

And:

# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_STOP
# OVPN_ACCESS_SERVER_IS_OPENVPN_WEB_CA=1
# OVPN_ACCESS_SERVER_ORGANIZATION=OpenVPN Technologies, Inc.
setenv FORWARD_COMPATIBLE 1
client
proto udp
nobind
remote xxxx.xxxx.xxx
port 1194
dev tun
dev-type tun
ns-cert-type server
setenv opt tls-version-min 1.0 or-highest
reneg-sec 604800
sndbuf 100000
rcvbuf 100000
auth-user-pass
# NOTE: LZO commands are pushed by the Access Server at connect time.
# NOTE: The below line doesn't disable LZO.
comp-lzo no
verb 3
setenv PUSH_PEER_INFO
peter_sm Posted February 3, 2018 (Author)
The ovpn file is not from my plugin. I don't know what you are trying to do.
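peter's one-line answer can be checked mechanically, and the same check catches the quieter mismatches that produce a silent handshake failure rather than an error message. DavyV97's profile carries `OVPN_ACCESS_SERVER_*` markers, authenticates with `auth-user-pass` and has no `<cert>`, `<key>` or `<tls-crypt>` block, whereas the plugin's openvpnserver.conf says the server uses certificate clients, `cipher AES-256-CBC`, `auth sha512` and `tls-crypt`; with tls-crypt, a client without the key never gets past the first packet. The checker below is an added example, not the plugin's code: it parses the plugin's KEY=VALUE config and a client .ovpn (directives and inline blocks) and reports finding codes. SERVER_CONF is DavyV97's file reduced to the keys compared; ACCESS_SERVER_PROFILE is the directive part of his .ovpn; CERT_PROFILE is a constructed profile of the shape a certificate client of this server would need, with placeholder bodies and a placeholder hostname.

```python
import re
import shlex

# DavyV97's openvpnserver.conf, reduced to the keys compared below.
SERVER_CONF = """\
# openvpnserver plugin configuration file
NETWORK=10.8.0.0
NETMASK=255.255.255.0
SERVER_PORT=1194
PROTOCOL=udp
CIPHER="cipher AES-256-CBC"
HASH_ALGO="auth sha512"
TLSENCRYPT="tls-crypt"
"""

# Directives from the .ovpn DavyV97 posted (certificate bundle and most comments left out).
ACCESS_SERVER_PROFILE = """\
# OVPN_ACCESS_SERVER_PROFILE=xxxxxxx.xxxx.xxx
# OVPN_ACCESS_SERVER_WSHOST=xxxxxx.xxxxxx.xxx:943
client
proto udp
remote xxxx.xxxx.xxx
port 1194
dev tun
auth-user-pass
comp-lzo no
verb 3
"""

# Constructed: the shape a certificate-based client of this server needs.
# Hostname and inline bodies are placeholders, not real key material.
CERT_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher AES-256-CBC
auth SHA512
<ca>
placeholder
</ca>
<cert>
placeholder
</cert>
<key>
placeholder
</key>
<tls-crypt>
placeholder
</tls-crypt>
"""


def parse_plugin_conf(text):
    """KEY=VALUE lines with shell-style quoting -> dict."""
    conf = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            key, _, value = shlex.split(line)[0].partition("=")
            conf[key] = value
    return conf


def parse_ovpn(text):
    """Return (directives, inline_blocks, comments); directives map name -> list of arg lists."""
    directives, inline, comments, tag, body = {}, {}, [], None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if tag:
            if line == "</%s>" % tag:
                inline[tag] = "\n".join(body)
                tag = None
            else:
                body.append(line)
        elif re.match(r"^<[a-z-]+>$", line):
            tag, body = line[1:-1], []
        elif line.startswith(("#", ";")):
            comments.append(line.lstrip("#; "))
        elif line:
            name, _, args = line.partition(" ")
            directives.setdefault(name, []).append(args.split())
    return directives, inline, comments


def first_arg(directives, name, default=""):
    args = directives.get(name, [[]])[0]
    return args[0] if args else default


def check_profile(ovpn_text, conf_text):
    """Compare a client profile with the plugin's server settings; return finding codes."""
    d, inline, comments = parse_ovpn(ovpn_text)
    conf = parse_plugin_conf(conf_text)
    f = []
    # Access Server profiles use password auth against its own web CA, not this server's PKI.
    if any(c.startswith("OVPN_ACCESS_SERVER") for c in comments) or ("auth-user-pass" in d and "cert" not in inline):
        f.append("access-server-profile")
    if first_arg(d, "proto", "udp") != conf["PROTOCOL"]:
        f.append("proto-mismatch")
    remote = d.get("remote", [[]])[0]
    port = remote[1] if len(remote) > 1 else first_arg(d, "port")
    if port != conf["SERVER_PORT"]:
        f.append("port-mismatch")
    for key in ("CIPHER", "HASH_ALGO"):            # values look like "cipher AES-256-CBC"
        directive, _, expected = conf[key].partition(" ")
        if first_arg(d, directive).lower() != expected.lower():
            f.append(directive + "-mismatch")
    if conf["TLSENCRYPT"] == "tls-crypt" and "tls-crypt" not in inline and "tls-crypt" not in d:
        f.append("missing-tls-crypt")               # server drops every unwrapped control packet
    f.extend("missing-" + b for b in ("ca", "cert", "key") if b not in inline and b not in d)
    return f


if __name__ == "__main__":
    print("posted profile:", check_profile(ACCESS_SERVER_PROFILE, SERVER_CONF))
    print("cert profile:  ", check_profile(CERT_PROFILE, SERVER_CONF))
```

An empty finding list is the state to aim for before chasing DNS or name-resolution problems: a profile that fails tls-crypt never reaches the point where `dhcp-option DNS` is pushed.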
shortsyoungster Posted February 3, 2018
21 hours ago, peter_sm said:
Works flawlessly :-) What server config do you have? What error log do you see? What client are you using? There has been a major issue with the iOS client, but now there is an update! There has been an issue with the easyrsa project; the latest plugin now downloads the correct version, which is the default branch. //Peter

Hi,
The error I get is as follows:

2018-02-02 20:59:28 MANAGEMENT: >STATE:1517633968,WAIT,,,,,,
2018-02-02 20:59:28 WARNING: Bad encapsulated packet length from peer (18516), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]

I have tried connecting from Tunnelblick and the Android clients. I attached my network and server configs. Thanks in advance!
network.cfg
peter_sm Posted February 3, 2018 (Author)
10 minutes ago, shortsyoungster said:
Hi, the error I get is as follows: 2018-02-02 20:59:28 MANAGEMENT: >STAT:1517633968,WAIT,,,,,, 2018-02-02 20:59:28 WARNING: Bad encapsulated packet length from peer (18516), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...] I have tried connecting from Tunnelblick and the Android clients. I attached my network and server configs. Thanks in advance! network.cfg

Never seen this error; please check the OpenVPN support forum or try Google: http://www.letmegooglethat.com/?q=please+ensure+that+--tun-mtu+or+--link-mtu+is+equal+on+both+peers+--+this+condition+could+also+indicate+a+possible+active+attack+on+the+TCP+link
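The number in that warning is more informative than the MTU hint suggests. OpenVPN over TCP prefixes every packet with a 2-byte big-endian length, and 18516 is 0x4854, the ASCII bytes "H" and "T": whatever answered the client's TCP connection sent an HTTP response where OpenVPN expected a length prefix. So the client is reaching a web server, not this OpenVPN server, and the thing to check is which service actually listens on the port and protocol the client profile names (the plugin's config shown earlier in the thread defaults to UDP 1194, and this warning is only produced on TCP links). The decoder below is an added example, not OpenVPN's code or the plugin's: it recovers the two bytes from the logged number, matches them against a few well-known banners, and reproduces the check by framing a constructed HTTP reply. The 1627 bound is taken from the warning as posted.

```python
import struct

# Upper bound from the warning in the post (OpenVPN derives it from the link MTU).
MAX_PACKET = 1627

# First two bytes of replies a wrongly forwarded port commonly sends instead of OpenVPN.
KNOWN_PREFIXES = [
    (b"HT", "HTTP response: a web server answers on this port, not OpenVPN"),
    (b"SS", "SSH banner: an SSH server answers on this port, not OpenVPN"),
    (b"\x16\x03", "TLS record: an HTTPS/TLS server answers on this port, not OpenVPN"),
]


def length_prefix_bytes(reported_length):
    """The two bytes OpenVPN interpreted as a length, recovered from the number it logged."""
    if not 0 <= reported_length <= 0xFFFF:
        raise ValueError("the length prefix is 16 bits")
    return struct.pack(">H", reported_length)


def identify_peer(reported_length):
    """Best guess at what actually answered, from the bogus length in the warning."""
    prefix = length_prefix_bytes(reported_length)
    for known, meaning in KNOWN_PREFIXES:
        if prefix.startswith(known):
            return meaning
    if all(0x20 <= b < 0x7F for b in prefix):
        return "printable text %r: some plaintext protocol, not OpenVPN" % prefix.decode("ascii")
    return "no obvious banner: could be a real --tun-mtu/--link-mtu mismatch or a corrupted stream"


def reported_length(reply):
    """The length OpenVPN would read from the first two bytes of a reply."""
    return struct.unpack(">H", reply[:2])[0]


def read_frame(stream, max_packet=MAX_PACKET):
    """Split one OpenVPN-over-TCP frame off the front of a byte string -> (payload, rest).

    Applies the same bounds check as OpenVPN, so an HTTP reply reproduces the warning.
    """
    if len(stream) < 2:
        raise ValueError("need 2 bytes of length prefix")
    n = reported_length(stream)
    if not 0 < n <= max_packet:
        raise ValueError("Bad encapsulated packet length from peer (%d), which must be > 0 and <= %d"
                         % (n, max_packet))
    if len(stream) < 2 + n:
        raise ValueError("short read: frame needs %d more bytes" % (2 + n - len(stream)))
    return stream[2:2 + n], stream[2 + n:]


def frame_error(stream):
    """The ValueError message read_frame would raise for this stream, or None if it parses."""
    try:
        read_frame(stream)
        return None
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    print(identify_peer(18516))                              # the value from the post
    print(frame_error(b"HTTP/1.1 400 Bad Request\r\n"))      # constructed reply from a web server
```

The same trick works for other numbers in this warning: 21331 decodes to "SS" (an SSH banner), and anything starting 0x16 0x03 is a TLS server, which is what you get when a TCP profile is pointed at an HTTPS port.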
FryGuy Posted February 4, 2018
Not creating the .p12 file for some reason. Any ideas why? Log output below.
----------------------------------------------------------------------
Adding client: USER
spawn ./easyrsa build-client-full USER nopass
Generating a 2048 bit RSA private key
.........+++
................................................................+++
writing new private key to '/mnt/cache/appdata/myVPNserver/easy-rsa/easyrsa3/pki/private/USER.key.XXXXwylxGo'
-----
Using configuration from ./openssl-easyrsa.cnf
Enter pass phrase for /mnt/cache/appdata/myVPNserver/easy-rsa/easyrsa3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'USER'
Certificate is to be certified until Feb  2 01:32:01 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

spawn ./easyrsa export-p12 USER
Usage: pkcs12 [options]
where options are
-export       output PKCS12 file
-chain        add certificate chain
-inkey file   private key if not infile
-certfile f   add all certs in f
-CApath arg   - PEM format directory of CA's
-CAfile arg   - PEM format file of CA's
-name "name"  use name as friendly name
-caname "nm"  use nm as CA friendly name (can be used more than once).
-in  infile   input filename
-out outfile  output filename
-noout        don't output anything, just verify.
-nomacver     don't verify MAC.
-nocerts      don't output certificates.
-clcerts      only output client certificates.
-cacerts      only output CA certificates.
-nokeys       don't output private keys.
-info         give info about PKCS#12 structure.
-des          encrypt private keys with DES
-des3         encrypt private keys with triple DES (default)
-seed         encrypt private keys with seed
-aes128, -aes192, -aes256
              encrypt PEM output with cbc aes
-camellia128, -camellia192, -camellia256
              encrypt PEM output with cbc camellia
-nodes        don't encrypt private keys
-noiter       don't use encryption iteration
-nomaciter    don't use MAC iteration
-maciter      use MAC iteration
-nomac        don't generate MAC
-twopass      separate MAC, encryption passwords
-descert      encrypt PKCS#12 certificates with triple DES (default RC2-40)
-certpbe alg  specify certificate PBE algorithm (default RC2-40)
-keypbe alg   specify private key PBE algorithm (default 3DES)
-macalg alg   digest algorithm used in MAC (default SHA1)
-keyex        set MS key exchange type
-keysig       set MS key signature type
-password p   set import/export password source
-passin p     input file pass phrase source
-passout p    output file pass phrase source
-engine e     use engine e, possibly a hardware device.
-rand file:file:...
              load the file (or the files in the directory) into the random number generator
-CSP name     Microsoft CSP name
-LMK          Add local machine keyset attribute to private key

Easy-RSA error:
Export of p12 failed: see above for related openssl errors.
send: spawn id exp5 not open
    while executing
"send "PASSWORD\r""
cp: cannot stat '/mnt/cache/appdata/myVPNserver/easy-rsa/easyrsa3/pki/private/USER.p12': No such file or directory
Update USER.ovpn to be used with IOS
Creating a zip file for the client
	zip warning: name not matched: USER.p12
  adding: USER.ovpn (deflated 33%)
  adding: README.txt (deflated 53%)
Client files have been stored in this folder ..
/mnt/cache/appdata/myVPNserver/clients/USER
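Reading FryGuy's log in order: `openssl pkcs12` printed its usage text, which it only does when it rejects an argument, so easyrsa's `export-p12` exited before asking for a password; the expect script's `send: spawn id exp5 not open` is just the consequence of sending "PASSWORD\r" to a process that had already gone. The log does not say which argument openssl disliked. Until the plugin's wrapper is fixed, the bundle can be produced by hand from the three files easy-rsa already wrote (the client key under pki/private, the issued certificate under pki/issued, and pki/ca.crt). The script below is an added example, not part of easy-rsa or the plugin: it builds the `openssl pkcs12 -export` command from flags listed in the usage text above, passes the export password through an environment variable so it never appears on the command line or in shell history, verifies the result with `-info -noout`, and restricts the file to the owner because it contains the client's private key. The PKI path and the client name USER are taken from the post; P12_PASS as the variable name is an assumption.

```python
import os
import subprocess


def client_pki_paths(pki_dir, name):
    """Where easy-rsa 3 keeps the pieces that export-p12 bundles."""
    return {
        "key": os.path.join(pki_dir, "private", name + ".key"),
        "crt": os.path.join(pki_dir, "issued", name + ".crt"),
        "ca": os.path.join(pki_dir, "ca.crt"),
    }


def missing_inputs(pki_dir, name):
    """Input files that do not exist yet (build-client-full must have run first)."""
    return [p for p in client_pki_paths(pki_dir, name).values() if not os.path.isfile(p)]


def p12_export_argv(pki_dir, name, out_path):
    """The openssl pkcs12 command export-p12 wraps, with flags from the usage text above.

    The export password comes from the P12_PASS environment variable (assumed name),
    so it does not show up in 'ps' output or the shell history.
    """
    p = client_pki_paths(pki_dir, name)
    return ["openssl", "pkcs12", "-export",
            "-inkey", p["key"], "-in", p["crt"], "-certfile", p["ca"],
            "-name", name, "-out", out_path, "-passout", "env:P12_PASS"]


def p12_verify_argv(out_path):
    """Parse the bundle back without writing anything, as a sanity check."""
    return ["openssl", "pkcs12", "-in", out_path, "-info", "-noout", "-passin", "env:P12_PASS"]


def export_p12(pki_dir, name, out_path, password):
    """Run export and verification; returns (ok, message). Needs the openssl binary."""
    missing = missing_inputs(pki_dir, name)
    if missing:
        return False, "missing input(s): " + ", ".join(missing)
    env = dict(os.environ, P12_PASS=password)
    for argv in (p12_export_argv(pki_dir, name, out_path), p12_verify_argv(out_path)):
        r = subprocess.run(argv, env=env, stdout=subprocess.PIPE,
                           stderr=subprocess.PIPE, universal_newlines=True)
        if r.returncode != 0:
            return False, "%s failed: %s" % (" ".join(argv[:3]), r.stderr.strip())
    os.chmod(out_path, 0o600)   # the bundle holds the client's private key
    return True, out_path


if __name__ == "__main__":
    import getpass
    pki = "/mnt/cache/appdata/myVPNserver/easy-rsa/easyrsa3/pki"   # path from the post
    ok, msg = export_p12(pki, "USER", "/mnt/cache/appdata/myVPNserver/clients/USER/USER.p12",
                         getpass.getpass("PKCS#12 export password: "))
    print("OK:" if ok else "FAILED:", msg)
```

If the manual command prints the same usage text, the culprit is the local openssl build rather than easy-rsa, and `openssl version` is the next thing to post.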