peter_sm (Author) Posted February 4, 2018

3 hours ago, FryGuy said:
Not creating the .p12 file for some reason. Any ideas why? Log output below:

Adding client: USER
spawn ./easyrsa build-client-full USER nopass
Generating a 2048 bit RSA private key
.........+++
................................................................+++
writing new private key to '/mnt/cache/appdata/myVPNserver/easy-rsa/easyrsa3/pki/private/USER.key.XXXXwylxGo'
-----
Using configuration from ./openssl-easyrsa.cnf
Enter pass phrase for /mnt/cache/appdata/myVPNserver/easy-rsa/easyrsa3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'USER'
Certificate is to be certified until Feb 2 01:32:01 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
spawn ./easyrsa export-p12 USER
Usage: pkcs12 [options]
where options are
-export output PKCS12 file
-chain add certificate chain
-inkey file private key if not infile
-certfile f add all certs in f
-CApath arg - PEM format directory of CA's
-CAfile arg - PEM format file of CA's
-name "name" use name as friendly name
-caname "nm" use nm as CA friendly name (can be used more than once).
-in infile input filename
-out outfile output filename
-noout don't output anything, just verify.
-nomacver don't verify MAC.
-nocerts don't output certificates.
-clcerts only output client certificates.
-cacerts only output CA certificates.
-nokeys don't output private keys.
-info give info about PKCS#12 structure.
-des encrypt private keys with DES
-des3 encrypt private keys with triple DES (default)
-seed encrypt private keys with seed
-aes128, -aes192, -aes256 encrypt PEM output with cbc aes
-camellia128, -camellia192, -camellia256 encrypt PEM output with cbc camellia
-nodes don't encrypt private keys
-noiter don't use encryption iteration
-nomaciter don't use MAC iteration
-maciter use MAC iteration
-nomac don't generate MAC
-twopass separate MAC, encryption passwords
-descert encrypt PKCS#12 certificates with triple DES (default RC2-40)
-certpbe alg specify certificate PBE algorithm (default RC2-40)
-keypbe alg specify private key PBE algorithm (default 3DES)
-macalg alg digest algorithm used in MAC (default SHA1)
-keyex set MS key exchange type
-keysig set MS key signature type
-password p set import/export password source
-passin p input file pass phrase source
-passout p output file pass phrase source
-engine e use engine e, possibly a hardware device.
-rand file:file:... load the file (or the files in the directory) into the random number generator
-CSP name Microsoft CSP name
-LMK Add local machine keyset attribute to private key
Easy-RSA error:
Export of p12 failed: see above for related openssl errors.
send: spawn id exp5 not open
    while executing
"send "PASSWORD\r""
cp: cannot stat '/mnt/cache/appdata/myVPNserver/easy-rsa/easyrsa3/pki/private/USER.p12': No such file or directory
Update USER.ovpn to be used with IOS
Creating a zip file for the client
zip warning: name not matched: USER.p12
  adding: USER.ovpn (deflated 33%)
  adding: README.txt (deflated 53%)
Client files have been stored in this folder ..
/mnt/cache/appdata/myVPNserver/clients/USER

Looks like they have got a bug in easyrsa 3.0.5. Branch 3.0.4 works fine. Try 3.0.4 and test. Unzip and rename to easy-rsa in your config folder.
EasyRSA-3.0.4.zip
DavyV97 Posted February 4, 2018

On 3-2-2018 at 5:26 AM, peter_sm said:
The ovpn files are not from my plug-in. I don't know what you are trying to do.

Damn, I'm sorry, I copied the wrong file. This is the right one:

remote xxxxxxx.xxxx.xxx
cipher AES-256-CBC
auth sha512
client
dev tun
proto udp
port 1194
resolv-retry infinite
tls-client
nobind
persist-key
persist-tun
remote-cert-tls server
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
comp-lzo adaptive
verb 3
route-delay 2
<ca>

Still the same problem as before: I can connect/ping the IPs but not the names.
peter_sm (Author) Posted February 4, 2018

DavyV97 said:
Damn, I'm sorry, I copied the wrong file. This is the right one:

remote xxxxxxx.xxxx.xxx
cipher AES-256-CBC
auth sha512
client
dev tun
proto udp
port 1194
resolv-retry infinite
tls-client
nobind
persist-key
persist-tun
remote-cert-tls server
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
comp-lzo adaptive
verb 3
route-delay 2

Still the same problem as before: I can connect/ping the IPs but not the names.

Some links to read..... please let me know what you come up with, and Google is your friend:
https://www.linuxquestions.org/questions/linux-general-1/openvpn-client-can%27t-ping-host-by-name-433612/
https://serverfault.com/questions/749099/openvpn-server-can-ping-via-ip-but-not-via-hostname
FryGuy Posted February 4, 2018

13 hours ago, peter_sm said:
Looks like they have got a bug in easyrsa 3.0.5. Branch 3.0.4 works fine. Try 3.0.4 and test. Unzip and rename to easy-rsa in your config folder.
EasyRSA-3.0.4.zip

Thank you. I'll give it a try.
FryGuy Posted February 4, 2018

2 hours ago, FryGuy said:
Thank you. I'll give it a try.

Gave it a shot. I must be putting the files in the wrong location or something. I tried /mnt/user/appdata/myVPNserver and the cache location and replaced the current easy-rsa folder, but I'm unable to generate certs and keys and it tells me easy-rsa is not downloaded. I even downloaded the latest easy-rsa from the interface and then replaced all the similarly named files with the v3.0.4 ones; still the same. What the hell am I doing wrong?
peter_sm (Author) Posted February 5, 2018

9 hours ago, FryGuy said:
Gave it a shot. I must be putting the files in the wrong location or something. I tried /mnt/user/appdata/myVPNserver and the cache location and replaced the current easy-rsa folder, but I'm unable to generate certs and keys and it tells me easy-rsa is not downloaded. I even downloaded the latest easy-rsa from the interface and then replaced all the similarly named files with the v3.0.4 ones; still the same. What the hell am I doing wrong?

OK, try this: install easyrsa again, then edit easyrsa. On line 900 change...

original:
-out "$pkcs_out" "$pkcs_opts" || die "\

edit (remove the quotation marks around $pkcs_opts):
-out "$pkcs_out" $pkcs_opts || die "\

But an inline file is preferred.
//Peter
FryGuy Posted February 5, 2018

8 hours ago, peter_sm said:
OK, try this: install easyrsa again, then edit easyrsa. On line 900 change...

original:
-out "$pkcs_out" "$pkcs_opts" || die "\

edit (remove the quotation marks around $pkcs_opts):
-out "$pkcs_out" $pkcs_opts || die "\

But an inline file is preferred.
//Peter

Fantastic, that fixed it! Thank you.
Edited February 5, 2018 by FryGuy
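The quoting fix from peter_sm's post, shown here as an added shell example that is not easy-rsa's own code. The function names, the file names and the option string (AES-256-CBC and SHA-256 instead of the RC2-40 / 3DES / SHA1 defaults listed in openssl's usage text in the log above) are assumptions for the example. What it demonstrates is the shell behaviour that made `export-p12` print the usage text: a double-quoted empty variable still hands openssl one empty-string argument, which openssl rejects as an unknown option, whereas an unquoted one expands to nothing or to separate options.

```shell
#!/bin/sh
# Added example, not easy-rsa code: "$pkcs_opts" versus $pkcs_opts.
# With the quoted form an empty variable still becomes one "" argument;
# with the unquoted form an empty variable disappears and a non-empty one
# is word-split into separate options, which is what openssl needs.

# Print each argument on its own line in brackets so an empty one is visible.
show_argv() {
    for a in "$@"; do
        printf '[%s]\n' "$a"
    done
}

# Number of arguments openssl would receive with the quoted (3.0.5) form.
argc_quoted() {
    pkcs_opts="$1"
    set -- pkcs12 -export -inkey client.key -in client.crt -out client.p12 "$pkcs_opts"
    echo "$#"
}

# Number of arguments openssl would receive with the unquoted (patched) form.
argc_unquoted() {
    pkcs_opts="$1"
    # shellcheck disable=SC2086  (word splitting is the point here)
    set -- pkcs12 -export -inkey client.key -in client.crt -out client.p12 $pkcs_opts
    echo "$#"
}

# The real export in the unquoted form, with AES/SHA-256 PBE instead of the
# RC2-40 / 3DES / SHA1 defaults. Paths and options are assumptions; not run below.
export_p12() {
    key="$1" cert="$2" ca="$3" out="$4"
    pkcs_opts="-certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256"
    # shellcheck disable=SC2086
    openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$ca" -out "$out" $pkcs_opts
}

# Demo: an empty option string, then three option words.
echo "quoted, empty opts:    $(argc_quoted '')"                               # 9 (one "" argument)
echo "unquoted, empty opts:  $(argc_unquoted '')"                             # 8
echo "unquoted, three opts:  $(argc_unquoted '-nodes -certpbe AES-256-CBC')"  # 11
echo "quoted, three opts:    $(argc_quoted '-nodes -certpbe AES-256-CBC')"    # 9 (one argument holding all three words)
show_argv '' -nodes
```

The quoted form is wrong in both directions: empty, it passes an argument openssl cannot parse; non-empty, it passes all the words as a single argument that openssl also cannot parse. Removing the quotes is the right fix for a variable that intentionally holds a list of options.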
Chad Kunsman Posted February 11, 2018

When I try to generate the server certs and keys in the GUI, it works for a short while then stops. If I try to run the script from a terminal, it gets some errors after generating the cert, shown here:

cp: cannot stat '/mnt/user/appdata/openvpn/easy-rsa/easyrsa3/pki/ca.crt': No such file or directory
cp: cannot stat '/mnt/user/appdata/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt': No such file or directory
cp: cannot stat '/mnt/user/appdata/openvpn/easy-rsa/easyrsa3/pki/private/server.key': No such file or directory
chmod: cannot access '/mnt/user/appdata/openvpn/ca.crt': No such file or directory
chmod: cannot access '/mnt/user/appdata/openvpn/server.crt': No such file or directory
chmod: cannot access '/mnt/user/appdata/openvpn/server.key': No such file or directory

Tried manipulating permissions. Set everything as 777. Not sure what's going on. Is there a log location I can check to get more info?
peter_sm (Author) Posted February 11, 2018

Did a fresh install and all looks OK. Can you try to install outside "user"?
Chad Kunsman Posted February 11, 2018

No joy. Switched over to /mnt/cache/appdata and nothing different. Even removed the plug-in and reinstalled. Of course I also removed the openvpn directory between attempts so I could let it re-create it.

Please note this has always been present at the top of the output after answering 'yes' to confirm generating a fresh PKI:

/usr/bin/expect: error while loading shared libraries: libexpect5.45.3.so: cannot open shared object file: No such file or directory
/usr/bin/expect: error while loading shared libraries: libexpect5.45.3.so: cannot open shared object file: No such file or directory
peter_sm (Author) Posted February 11, 2018

Looks like your USB is broken. Are you missing the expect packages in /boot/packages? Try to repair the USB.

Sent from my iPhone using Tapatalk
Chad Kunsman Posted February 11, 2018

root@vault:/boot/packages# ls -lart
total 3536
drwxrwxrwx 10 root root   16384 Feb  9 18:40 ../
-rwxrwxrwx  1 root root 2835436 Feb  9 18:40 tcl-8.6.8-x86_64-1.txz*
-rwxrwxrwx  1 root root  298976 Feb  9 18:40 expect-5.45.3-x86_64-1.txz*
-rwxrwxrwx  1 root root  414816 Feb  9 18:41 openvpn-2.4.4-x86_64-1.txz*
drwxrwxrwx  2 root root   16384 Feb  9 18:41 ./
root@vault:/boot/packages#

They are there. Any manual steps I can take to give it a nudge, or at least force it to 'fail' if the USB is indeed broken?

Also, I notice in the 'nerdpack' plugin that it shows expect has an update available, but I can't seem to install it. I wonder if there is a conflict between the nerd pack utils somehow.
Edited February 11, 2018 by Chad Kunsman
peter_sm (Author) Posted February 11, 2018

Try to install the packages manually.

Sent from my iPhone using Tapatalk
Chad Kunsman Posted February 11, 2018

Okay, I installed it manually. I had already uninstalled the server plugin. I also set it to 'off' in the nerd pack plugin, hopefully to stop conflicts. Then I reinstalled the server plugin. The install script said expect was already installed, which is good. And the TCL install script seemed more verbose than before. At this point, everything worked. I'm not sure exactly which step solved it, but my best guess is that the nerd pack was somehow interfering with the expect installation; not 100% on that, though. Thanks for your help!
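A check for the shared-library failure Chad Kunsman hit above, as an added shell example that is not part of the plugin. The loader message means the expect binary was linked against a libexpect the system no longer has at that exact name, which is what two packages installing different expect versions over each other can produce. The function parses `ldd` output for libraries reported as `not found`; the sample `ldd` output is constructed, and the binary path is an assumption.

```shell
#!/bin/sh
# Added example, not plugin code: find shared libraries a binary cannot load.
# "error while loading shared libraries: X: cannot open shared object file"
# is exactly what `ldd` shows beforehand as "X => not found".

# Read ldd-style output on stdin and print the libraries reported as
# "not found", one per line. Prints nothing when every library resolves.
missing_libs() {
    awk '/=> not found/ { print $1 }'
}

# Check a real binary on this machine. Returns 0 when everything resolves
# (or when the check cannot run), 1 when a library is missing.
check_binary() {
    bin="$1"
    if ! command -v ldd >/dev/null 2>&1 || [ ! -x "$bin" ]; then
        echo "skip: $bin not present or ldd unavailable" >&2
        return 0
    fi
    missing=$(ldd "$bin" | missing_libs)
    if [ -n "$missing" ]; then
        echo "$bin cannot load: $missing" >&2
        return 1
    fi
    return 0
}

# Constructed ldd output (not captured from a real system) with one missing library.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd2bd0a000)
    libexpect5.45.3.so => not found
    libtcl8.6.so => /usr/lib64/libtcl8.6.so (0x00007f2a1b0c0000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f2a1acf0000)'

# Demo: the constructed output, then the real expect binary if this host has one.
# On unRAID the remedy is to reinstall the matching package from /boot/packages,
# e.g. `upgradepkg --reinstall /boot/packages/expect-5.45.3-x86_64-1.txz`
# (path assumed from the listing above; not executed here).
printf '%s\n' "$SAMPLE_LDD" | missing_libs      # prints libexpect5.45.3.so
check_binary /usr/bin/expect || true
```

Running `check_binary` on `/usr/bin/expect` and `/usr/sbin/openvpn` before generating a PKI catches this class of failure up front, instead of halfway through the expect-driven cert generation where the cp and chmod errors above are the only visible symptom.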
peter_sm (Author) Posted March 3, 2018

New version available. Have fun.

2018.03.03a
- Added support for Elliptic Curve crypto! After changing to EC or still using RSA you must:
  - Re-save settings on page "server config". Start to update with the default settings. RSA and EC have their own default settings.
  - Create new server certs and clients.
- Added a drop-down box on "Cert and Misc Settings" for manually downloading one of the available releases of easyrsa for manual install (can be useful if the default branch is broken).
- The list of TLS ciphers is updated.
- Added -remote-cert-eku to server/client. The --remote-cert-eku ensures that a server will verify that the client certificate provided is truly a client certificate, and vice versa.
- Default settings are updated.
- Added cert/keys log to the log page when generating the server cert/keys.
- Added a log file when creating a new client in the client folder.
- More settings for redirect-gateway in server settings.
- More info about EasyRSA (installed version, current version and commit dates).
- Update of Tcl packages to tcl-8.6.8-x86_64-2.
- Update of expect packages to 5.45.4.

2018.03.03b
- Update of OpenVPN packages to 2.4.5.
- Added a link to OpenVPN Overview of changes.

Edited March 3, 2018 by peter_sm
alkiax Posted March 7, 2018

Is there a way to get pihole working with this? I have OpenVPN and pihole working separately, but when I am on OpenVPN on my Android, pihole doesn't block anything. I tried pushing the LAN subnet to the clients but it didn't stop ads on the phone. I see a few ways to do it by editing the server.conf but can't seem to find it anywhere.
Edited March 7, 2018 by alkiax
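An added shell example, not from the plugin or any poster, that bears on both the name-resolution problem DavyV97 reported earlier (IPs reachable, names not) and alkiax's pihole question: in both cases the server has to push a DNS server that clients can reach through the tunnel, otherwise the client keeps using its local resolver and pihole never sees the queries. The sample server.conf and the address 192.168.1.53 are constructed for the example.

```shell
#!/bin/sh
# Added example, not plugin code: check and repair the DNS push in an
# OpenVPN server.conf. `push "dhcp-option DNS <ip>"` is the directive that
# makes a connected client send its lookups to that resolver.

# Print the DNS servers a server.conf pushes to clients, one per line.
# Config on stdin. Comment lines (# or ;) are skipped, leading whitespace
# and the optional quotes around the push argument are tolerated.
pushed_dns() {
    sed -e 's/^[[:space:]]*//' -e '/^[#;]/d' \
    | sed -n 's/^push[[:space:]]\{1,\}"\{0,1\}dhcp-option[[:space:]]\{1,\}DNS[[:space:]]\{1,\}\([0-9.]\{1,\}\)"\{0,1\}.*/\1/p'
}

# Copy the config from stdin to stdout, appending a DNS push for $1 only
# when the config does not already push one.
ensure_dns_push() {
    conf=$(cat)
    printf '%s\n' "$conf"
    if [ -z "$(printf '%s\n' "$conf" | pushed_dns)" ]; then
        printf 'push "dhcp-option DNS %s"\n' "$1"
    fi
}

# Constructed server.conf fragment: pushes a LAN route, but the only DNS
# push is commented out, which is the situation that yields "IPs work,
# names do not" and leaves pihole idle.
SAMPLE_CONF='port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
;push "dhcp-option DNS 8.8.8.8"
keepalive 10 120'

echo "before:"; printf '%s\n' "$SAMPLE_CONF" | pushed_dns            # nothing
echo "after:";  printf '%s\n' "$SAMPLE_CONF" | ensure_dns_push 192.168.1.53 | pushed_dns   # 192.168.1.53
```

Two things to check once the push is in place. The pushed address must be reachable from the tunnel subnet: either through the LAN route the plugin can push (as in the sample, 192.168.1.0/24), or by pointing at the OpenVPN host itself if pihole listens there; a pihole on its own br0 address is only reachable if that route exists. And pihole itself must be configured to answer queries that do not arrive on its LAN interface, otherwise it will drop the tunnel clients' lookups. The Android and iOS OpenVPN apps apply the pushed DNS directly; a Linux client additionally needs a resolver hook such as the update-resolv-conf script shipped with OpenVPN.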
Madhouse Posted March 15, 2018

Hello.. Nice plugin, working fine with all traffic routed through, but I'd like to only route traffic from specific IPs. I have enabled 'route only specific ip adresses', but where do I add the IPs to route through the OpenVPN client?
peter_sm (Author) Posted March 15, 2018

3 hours ago, Madhouse said:
Hello.. Nice plugin, working fine with all traffic routed through, but I'd like to only route traffic from specific IPs. I have enabled 'route only specific ip adresses', but where do I add the IPs to route through the OpenVPN client?

Look at the first post :-) then --> More info about Client installation:
//Peter
Madhouse Posted March 15, 2018

52 minutes ago, peter_sm said:
Look at the first post :-) then --> More info about Client installation:
//Peter

Ahh yes.. now I see. Thanks.

To be able to use "Route specific IP through VPN tunnel" you first need to create this file webbadress.txt in /boot/openvpn
Madhouse Posted March 16, 2018

11 hours ago, peter_sm said:
Look at the first post :-) then --> More info about Client installation:
//Peter

Sorry, but it is still not clear how to route specific dockers through OpenVPN. I've tried adding the IP for the docker (which is running on br0), but even though I have added the IP address to webbadress.txt, all traffic seems to be routed through OpenVPN. Any help would be greatly appreciated.
peter_sm (Author) Posted March 16, 2018

1 hour ago, Madhouse said:
Sorry, but it is still not clear how to route specific dockers through OpenVPN. I've tried adding the IP for the docker (which is running on br0), but even though I have added the IP address to webbadress.txt, all traffic seems to be routed through OpenVPN. Any help would be greatly appreciated.

Hi, I don't know how to do that. What docker are you using?
//Peter
Madhouse Posted March 16, 2018

2 hours ago, peter_sm said:
Hi, I don't know how to do that. What docker are you using?
//Peter

Maybe I've gotten it all wrong. My intention was to run dockers like Radarr, Medusa and Transmission securely through OpenVPN, so that my own public IP was hidden. Is that at all possible with this plugin?
peter_sm (Author) Posted March 16, 2018

32 minutes ago, Madhouse said:
Maybe I've gotten it all wrong. My intention was to run dockers like Radarr, Medusa and Transmission securely through OpenVPN, so that my own public IP was hidden. Is that at all possible with this plugin?

No, you can't. Better to look at a docker with VPN; there is a Transmission docker with VPN functionality.
//Peter
Edited March 16, 2018 by peter_sm
Madhouse Posted March 16, 2018

Just now, peter_sm said:
No, you can't. Better to look at a docker with VPN; there is a Transmission docker with VPN functionality.
//Peter

Thanks Peter, I'll do that.
huffsper Posted March 19, 2018

Is it possible to run the OpenVPN server plugin completely independently of the array? All my disks are encrypted, so I would like to be able to remotely connect into the machine and decrypt it after it boots.