OpenVPN Server & Client for unRAID 6.2+ (6.1 are still supported)


peter_sm

3 hours ago, FryGuy said:

Not creating the .p12 file for some reason. Any ideas why?

 

Log output below

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Adding client:  USER
spawn ./easyrsa build-client-full USER nopass
Generating a 2048 bit RSA private key
.........+++
................................................................+++
writing new private key to '/mnt/cache/appdata/myVPNserver/easy-rsa/easyrsa3/pki/private/USER.key.XXXXwylxGo'
-----
Using configuration from ./openssl-easyrsa.cnf
Enter pass phrase for /mnt/cache/appdata/myVPNserver/easy-rsa/easyrsa3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'USER'
Certificate is to be certified until Feb  2 01:32:01 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
spawn ./easyrsa export-p12 USER
Usage: pkcs12 [options]
where options are
-export       output PKCS12 file
-chain        add certificate chain
-inkey file   private key if not infile
-certfile f   add all certs in f
-CApath arg   - PEM format directory of CA's
-CAfile arg   - PEM format file of CA's
-name "name"  use name as friendly name
-caname "nm"  use nm as CA friendly name (can be used more than once).
-in  infile   input filename
-out outfile  output filename
-noout        don't output anything, just verify.
-nomacver     don't verify MAC.
-nocerts      don't output certificates.
-clcerts      only output client certificates.
-cacerts      only output CA certificates.
-nokeys       don't output private keys.
-info         give info about PKCS#12 structure.
-des          encrypt private keys with DES
-des3         encrypt private keys with triple DES (default)
-seed         encrypt private keys with seed
-aes128, -aes192, -aes256
              encrypt PEM output with cbc aes
-camellia128, -camellia192, -camellia256
              encrypt PEM output with cbc camellia
-nodes        don't encrypt private keys
-noiter       don't use encryption iteration
-nomaciter    don't use MAC iteration
-maciter      use MAC iteration
-nomac        don't generate MAC
-twopass      separate MAC, encryption passwords
-descert      encrypt PKCS#12 certificates with triple DES (default RC2-40)
-certpbe alg  specify certificate PBE algorithm (default RC2-40)
-keypbe alg   specify private key PBE algorithm (default 3DES)
-macalg alg   digest algorithm used in MAC (default SHA1)
-keyex        set MS key exchange type
-keysig       set MS key signature type
-password p   set import/export password source
-passin p     input file pass phrase source
-passout p    output file pass phrase source
-engine e     use engine e, possibly a hardware device.
-rand file:file:...
              load the file (or the files in the directory) into
              the random number generator
-CSP name     Microsoft CSP name
-LMK          Add local machine keyset attribute to private key

Easy-RSA error:

Export of p12 failed: see above for related openssl errors.
send: spawn id exp5 not open
    while executing
"send "PASSWORD\r""
cp: cannot stat '/mnt/cache/appdata/myVPNserver/easy-rsa/easyrsa3/pki/private/USER.p12': No such file or directory
Update USER.ovpn to be used with IOS
Creating a zip file for the client
    zip warning: name not matched: USER.p12
  adding: USER.ovpn (deflated 33%)
  adding: README.txt (deflated 53%)
Client files have been stored in this folder ..
/mnt/cache/appdata/myVPNserver/clients/USER

 

Looks like they have got a bug in easyrsa 3.0.5. Branch 3.0.4 works fine.

 

Try 3.0.4 and test. Unzip and rename it to easy-rsa in your config folder.

EasyRSA-3.0.4.zip

On 3-2-2018 at 5:26 AM, peter_sm said:

The ovpn files are not from my plug-in. I don't know what you are trying to do.

Damn, I'm sorry, I copied the wrong file. This is the right one:

remote xxxxxxx.xxxx.xxx
cipher AES-256-CBC
auth sha512
client
dev tun
proto udp
port 1194
resolv-retry infinite
tls-client
nobind
persist-key
persist-tun
remote-cert-tls server
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
comp-lzo adaptive
verb 3
route-delay 2
<ca>
 

Still the same problem as before: I can connect/ping to the IPs but not the names.

Damn, I'm sorry, I copied the wrong file. This is the right one:

remote xxxxxxx.xxxx.xxx
cipher AES-256-CBC
auth sha512
client
dev tun
proto udp
port 1194
resolv-retry infinite
tls-client
nobind
persist-key
persist-tun
remote-cert-tls server
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
comp-lzo adaptive
verb 3
route-delay 2

Still the same problem as before: I can connect/ping to the IPs but not the names.

Some links to read. Please let me know what you come up with, and Google is your friend.

https://www.linuxquestions.org/questions/linux-general-1/openvpn-client-can%27t-ping-host-by-name-433612/

 

https://serverfault.com/questions/749099/openvpn-server-can-ping-via-ip-but-not-via-hostname

2 hours ago, FryGuy said:

 Thank you. I'll give it a try.

Gave it a shot. I must be putting the files in the wrong location or something. I used /mnt/user/appdata/myVPNserver or the cache location and replaced the current easy-rsa folder, but I'm unable to generate certs and keys and it tells me easy-rsa is not downloaded. I even downloaded the latest easy-rsa from the interface and then replaced all the similarly named files with the v3.0.4 ones; still the same. What the hell am I doing wrong?

9 hours ago, FryGuy said:

Gave it a shot. I must be putting the files in the wrong location or something. I used /mnt/user/appdata/myVPNserver or the cache location and replaced the current easy-rsa folder, but I'm unable to generate certs and keys and it tells me easy-rsa is not downloaded. I even downloaded the latest easy-rsa from the interface and then replaced all the similarly named files with the v3.0.4 ones; still the same. What the hell am I doing wrong?

OK, try this:

Install easyrsa again.

Edit easyrsa; on line 900 change ...

original

 -out "$pkcs_out" "$pkcs_opts" || die "\

edit (remove the quotation marks)

 -out "$pkcs_out" $pkcs_opts || die "\

But an inline file is preferred.

//Peter
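The quoting fix above, as an added example that is neither the plugin's nor easyrsa's code: a stand-in for openssl pkcs12 (fake_pkcs12, assumed here) shows why the quoted "$pkcs_opts" hands openssl an empty or glued-together argument and gets the usage text back, while the unquoted form expands an empty variable to nothing. The sample option strings are constructed.

```shell
#!/bin/sh
# Added illustration; this is not code from easyrsa or the unRAID plugin.
# easyrsa 3.0.5 passed "$pkcs_opts" to openssl in double quotes. For a 'nopass'
# client the variable is empty, so the quotes still hand openssl one empty
# argument, which `openssl pkcs12` rejects with its usage text (the output in
# the log earlier in this thread). Dropping the quotes makes an empty variable
# expand to nothing.

# Stand-in for `openssl pkcs12` (assumed, not the real tool): like the real tool
# it rejects an empty option or one that is really several words glued together;
# otherwise it reports the number of arguments it received.
fake_pkcs12() {
    for arg in "$@"; do
        case "$arg" in
            ""|*" "*)
                echo "Usage: pkcs12 [options]" >&2
                return 1 ;;
        esac
    done
    echo "$#"
}

# The easyrsa 3.0.5 form: quoted expansion keeps the variable as exactly one
# argument, empty or not.
export_p12_quoted() {
    pkcs_opts="$1"
    fake_pkcs12 -export -in client.crt -inkey client.key -out client.p12 "$pkcs_opts"
}

# The fix from the thread: unquoted, an empty variable vanishes and a
# non-empty one is word-split into separate options.
export_p12_unquoted() {
    pkcs_opts="$1"
    # shellcheck disable=SC2086  # word splitting is intended here
    fake_pkcs12 -export -in client.crt -inkey client.key -out client.p12 $pkcs_opts
}

# Walk through the cases: only the unquoted form survives both inputs.
export_p12_quoted "" 2>/dev/null   || echo "quoted, empty opts: usage error"
export_p12_unquoted ""             && echo "unquoted, empty opts: ok"
export_p12_quoted "-nodes -keypbe AES-256-CBC" 2>/dev/null || echo "quoted, two opts: usage error"
export_p12_unquoted "-nodes -keypbe AES-256-CBC" && echo "unquoted, two opts: ok"
```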

8 hours ago, peter_sm said:

OK, try this:

Install easyrsa again.

Edit easyrsa; on line 900 change ...

original

 -out "$pkcs_out" "$pkcs_opts" || die "\

edit (remove the quotation marks)

 -out "$pkcs_out" $pkcs_opts || die "\

But an inline file is preferred.

//Peter

Fantastic, that fixed it! Thank you.

Edited by FryGuy

When I try to generate the server certs and keys in the GUI, it works for a short while then stops. 

 

If I try to run the script from a terminal, it gets some errors after generating the cert shown here:

 

cp: cannot stat '/mnt/user/appdata/openvpn/easy-rsa/easyrsa3/pki/ca.crt': No such file or directory
cp: cannot stat '/mnt/user/appdata/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt': No such file or directory
cp: cannot stat '/mnt/user/appdata/openvpn/easy-rsa/easyrsa3/pki/private/server.key': No such file or directory
chmod: cannot access '/mnt/user/appdata/openvpn/ca.crt': No such file or directory
chmod: cannot access '/mnt/user/appdata/openvpn/server.crt': No such file or directory
chmod: cannot access '/mnt/user/appdata/openvpn/server.key': No such file or directory

 

Tried manipulating permissions. Set everything as 777. Not sure what's going on. 

 

Is there a log location I can check to get more info?


No joy.

 

Switched over to /mnt/cache/appdata and nothing different. Even removed the plug-in and reinstalled. Of course also removed the openvpn directory between attempts so I could let it re-create it.

 

Please note this has always been present at the top of the output after answering 'yes' to confirm generating a fresh PKI:

 

/usr/bin/expect: error while loading shared libraries: libexpect5.45.3.so: cannot open shared object file: No such file or directory
/usr/bin/expect: error while loading shared libraries: libexpect5.45.3.so: cannot open shared object file: No such file or directory

 


root@vault:/boot/packages# ls -lart
total 3536
drwxrwxrwx 10 root root   16384 Feb  9 18:40 ../
-rwxrwxrwx  1 root root 2835436 Feb  9 18:40 tcl-8.6.8-x86_64-1.txz*
-rwxrwxrwx  1 root root  298976 Feb  9 18:40 expect-5.45.3-x86_64-1.txz*
-rwxrwxrwx  1 root root  414816 Feb  9 18:41 openvpn-2.4.4-x86_64-1.txz*
drwxrwxrwx  2 root root   16384 Feb  9 18:41 ./
root@vault:/boot/packages#

 

 

They are there. Any manual steps I can take to give it a nudge or at least force it to 'fail' if the USB is indeed broken?

 

Also, I notice in the 'nerdpack' plugin, it shows that expect has an update available for it but I can't seem to install it.

 

I wonder if there is a conflict between the nerd pack utils somehow.

Edited by Chad Kunsman

Okay I installed it manually. I had already uninstalled the server plugin. I also set it to 'off' in the nerd pack plugin, hopefully to stop conflicts.

 

Then I reinstalled the server plugin. The install script said expect was already installed, which is good. And the TCL install script seemed more verbose than before.

 

At this point, everything worked.

 

I'm not sure exactly what step solved it, but best guess is that the nerd pack was somehow interfering with the expect installation, but not 100% on that.

 

Thanks for your help!


New version available. Have fun.

 

2018.03.03a

  • Added support for Elliptic Curve crypto!
  • After changing to EC or still using RSA you must....
    • Re-save settings on page "server config".
    • Start to update with the default settings. RSA and EC have their own default settings.
    • Create new server certs and clients.
  • Added a drop box on "Cert and Misc Settings" to manually download one of the available releases of easyrsa for manual install (can be useful if the default branch is broken).
  • The list of TLS Ciphers is updated.
  • Added -remote-cert-eku to server/client. The --remote-cert-eku ensures that a server will verify that the client certificate provided is truly a client certificate, and vice versa.
  • Default settings are updated.
  • Added cert/keys log to the log page when generating the server cert/keys.
  • Added a log file when creating new client in client folder.
  • More settings for redirect-gateway in server settings.
  • More info about EasyRSA (installed version, current version and commit date).
  • Update of Tcl packages to tcl-8.6.8-x86_64-2
  • Update of expect packages to 5.45.4.

     

2018.03.03b

  • Update of OpenVPN packages to 2.4.5
  • Added a link to OpenVPN Overview of changes.
Edited by peter_sm

Is there a way to get pihole working with this? I have OpenVPN and pihole working separately, but when I am on OpenVPN on my Android, pihole doesn't block anything. I tried to push the LAN subnet to the clients but it didn't stop ads on the phone. I see a few ways to do it by editing the server.conf but can't seem to find it anywhere.

 

Edited by alkiax
3 hours ago, Madhouse said:

Hello.. 

 

Nice plugin, working fine with all traffic routed through, but I'd like to only route traffic from specific IPs. I have enabled 'route only specific ip adresses', but where do I add the IPs to route through the OpenVPN client?

 

Look at first post :-) then -->  More info about Client installation :

 

//Peter

11 hours ago, peter_sm said:

Look at first post :-) then -->  More info about Client installation :

 

//Peter

 

Sorry, but it is still not clear how to route specific dockers through OpenVPN. I've tried adding the IP for the docker (which is running on br0), but even though I have added the IP address to webbadress.txt all traffic seems to be routed through OpenVPN.

Any help would be greatly appreciated. :)

1 hour ago, Madhouse said:

 

Sorry, but it is still not clear how to route specific dockers through OpenVPN. I've tried adding the IP for the docker (which is running on br0), but even though I have added the IP address to webbadress.txt all traffic seems to be routed through OpenVPN.

Any help would be greatly appreciated. :)

Hi,

 

Don't know how to do that.

 

What docker are you using?

 

//Peter 

2 hours ago, peter_sm said:

Hi,

 

Don't know how to do that.

 

What docker are you using?

 

//Peter 

Maybe I've gotten it all wrong. My intention was to run dockers like Radarr, Medusa and Transmission securely through OpenVPN, so that my own public IP was hidden.

Is that at all possible with this plugin?

32 minutes ago, Madhouse said:

Maybe I've gotten it all wrong. My intention was to run dockers like Radarr, Medusa and Transmission securely through OpenVPN, so that my own public IP was hidden.

Is that at all possible with this plugin?

No, you can't. Better to look at a docker with VPN; there is a Transmission docker with VPN functionality.

 

//Peter

Edited by peter_sm