Jump to content
peter_sm

OpenVPN Server & Client for unRAID 6.2+ (6.1 are still supported)

885 posts in this topic Last Reply

Recommended Posts

On 6/30/2018 at 2:13 PM, Ashe said:

Hi Peter

Just a heads up that iOS seems to prefer a *.ovpn12 file now rather than the *.p12 file. No problem with renaming the generated *.p12 file and it then imports fine


Sent from my iPhone using Tapatalk

Thank you for this! I was getting completely stuck following the instructions in the readme that's generated with the cert.

Share this post


Link to post

Is there any way to push a user-specified DNS server?

 

I have a Pi-Hole running on my LAN and I'd like my connected devices to use it's DNS IP address instead.

 

This allows me to block ads on my connected iOS devices and for local name resolution - really useful.

Share this post


Link to post
21 hours ago, ThatDude said:

Is there any way to push a user-specified DNS server?

 

I have a Pi-Hole running on my LAN and I'd like my connected devices to use it's DNS IP address instead.

 

This allows me to block ads on my connected iOS devices and for local name resolution - really useful.

I figured out a workaround to set the DNS from the client side, open the ovpn file and add the following directives.

#ipv4
pull-filter ignore "dhcp-option DNS"
#ipv6
pull-filter ignore "dhcp-option DNS6"

# put prefered dns name here
dhcp-option DNS 192.168.0.200

 

 

Share this post


Link to post

Is it possible to separate configuration form, to be able to set different port and address for the server to operate on, and different port to be input into user configs? I have my OpenVpn server running on power 1194 internally, but it is visible outside on port 443 using a dynamic dns name. With current config it is impossible to automatically generate working configs for the clients.

Share this post


Link to post

I am now getting this error"

 

openvpn: error while loading shared libraries: libcrypto.so.1.1: cannot open shared object file: No such file or directory
 

Share this post


Link to post
8 hours ago, bhman79 said:

openvpn: error while loading shared libraries: libcrypto.so.1.1: cannot open shared object file: No such file or directory

What version Unraid and what version plugin?

Share this post


Link to post
2 hours ago, trurl said:

What version Unraid and what version plugin?

Unraid 6.4.1

Plugin 

2019.02.09

Update of OpenVPN packages to 2.4.6-2

Share this post


Link to post
3 hours ago, trurl said:

What version Unraid and what version plugin?

I upgraded to the newest Unraid and it fixed the problem.  Thanks!

Share this post


Link to post

Hi @all,

 

how can i root a specific ip with a nordVPN ovp file?

I got set my jDownloader Docker to a specific IP but how can i edit my ovpn file to route only this ip?

or what a file must i edit?

Edited by Snickers

Share this post


Link to post

Hey all!

 

Is there an updated link for the client configuration guide?

 

I'm trying to get this setup so that all traffic from only 1 interface (I have two setup NOT bonded) will pass be routed through the vpn tunnel.

 

I'm now stuck on the first step of getting the plugin to connect.  I tried to go to the link on the first post for client config guide, but it doesn't take me anywhere.  Is there a new one?

 

Thanks!

Share this post


Link to post

Hi @all,

 

i use the openvpn Client with NordVPN. This works fine but how can i route to the internal IP from outside? Or how can i use the client for a specific Ip/Docker?

Share this post


Link to post

Every time I restart my Unraid server, the OpenVPN is unconnectable, I have to restart it manually. These are the logs before the restart:

Sat May 11 21:48:26 2019 OpenVPN 2.4.6 x86_64-slackware-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  7 2018
Sat May 11 21:48:26 2019 library versions: OpenSSL 1.1.1b  26 Feb 2019, LZO 2.10
Sat May 11 21:48:26 2019 Diffie-Hellman initialized with 2048 bit key
Sat May 11 21:48:26 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat May 11 21:48:26 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat May 11 21:48:26 2019 TUN/TAP device tun0 opened
Sat May 11 21:48:26 2019 TUN/TAP TX queue length set to 100
Sat May 11 21:48:26 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat May 11 21:48:26 2019 /usr/sbin/ip link set dev tun0 up mtu 1500
Sat May 11 21:48:26 2019 /usr/sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Sat May 11 21:48:26 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat May 11 21:48:26 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat May 11 21:48:26 2019 TCP/UDP: Socket bind failed on local address [AF_INET]172.16.0.10:1194: Cannot assign requested address (errno=99)
Sat May 11 21:48:26 2019 Exiting due to fatal error
Sat May 11 21:48:26 2019 Closing TUN/TAP interface
Sat May 11 21:48:26 2019 /usr/sbin/ip addr del dev tun0 10.8.0.1/24

Any idea what this might be about?

 

Also, a request, can you make it possible to renew the CRL certificate? It expires after a year and it's not that easy to renew manually when you don't know what you're doing. I managed somehow but other people may not.

Share this post


Link to post
1 minute ago, Krzaku said:

I have to restart it manually.

Just for kicks, set OpenVPN to have a delay of 30 seconds before starting.  Does it make a difference?

Share this post


Link to post
4 minutes ago, Squid said:

Just for kicks, set OpenVPN to have a delay of 30 seconds before starting.  Does it make a difference?

There is no option for that in the plugin, I can only enable or disable autostart.

Share this post


Link to post
5 hours ago, Krzaku said:

There is no option for that in the plugin, I can only enable or disable autostart.

Ah.  Thought you were running the docker app.

Share this post


Link to post

I haven't a clue what you are talking about Extensions' page? where is that? How do you get their? Theirs no such page on the client! This really suks!

Share this post


Link to post
6 hours ago, megna22 said:

I haven't a clue what you are talking about Extensions' page? where is that? How do you get their? Theirs no such page on the client! This really suks!

If you're talking about this from the OP:

On 9/26/2014 at 11:37 AM, peter_sm said:

To install.

Install the plugins, go to the 'Extensions' page

 

Then that means the plugins tab.  (Or, simply go to the Apps tab instead -> even easier)

Share this post


Link to post
On 1/12/2017 at 3:56 PM, jonathanm said:

Yeah, I understand what you want, it's just a bad idea unless you know exactly what you are doing. The VPN service does not firewall the endpoint connection, so theoretically connecting to them allows other vpn users on the same network node free access to your system totally bypassing your router, since unraid doesn't have a built in firewall.

 

I personally would never risk it. Binhex's dockers go to great lengths to ensure isolation and security, to make sure VPN traffic doesn't leak out of the docker, or vice versa.

 

Network security is hard. Too many ways for things to go wrong, and not many ways to do it right.

Hmmm, on that note: if I connect to my VPN _per docker_ that means I'm multiplying my VPN overhead, depend on binhex' release schedule (not implying anything, just saying that I'm totally new to unRAID AND Docker so just throwing out there what's crossing my mind) and then there's the issue with not every application desirable being available as binhex vpn docker.

 

I've seen that you can use a docker like that as proxy for other dockers, but my line of thought is that I'm relying on the application within a docker to apply the proxy connection leaving possible (unknown) background processes un-routed through the proxy.

 

The beauty (but also a pain point in other ways) of VPNs on a classic desktop is after all a one-setup experience. Connect once, route everything or nothing.

 

Major application missing an obvious VPN path to me right now is jDownloader.

 

Theoretically I could just set up a VM, install my VPN's application in there, add the applications I want to the mix and have them all download to a share. Waaaaaaaaay less elegant, but at least a catch-all approach. The VM itself would obviously be configured with a firewall. Is that a lot of overhead? Sure is. Is that a great concern? Well.... 16 physical cores and 48GB of RAM say: we can do it. Despite all of that, I'd still favor the leanest approach for obvious reasons. Surely there's something I'm missing or something I misunderstood?

Share this post


Link to post

Hello,

 

My Windows 10 Pro client PC is connected via an USB cable to my smartphone that shares its Internet 4G connection. 

 

I connect to the OpenVPN server without any problem with an OpenVPN GUI client x64.

 

Ping the machines of my local network is ok.
But, all connections with my web browser fail. So I do not have access to the Unraid Web interface.

 

Of course I do not get a local IP and I do not know why !!!
My Gateway is 192.168.1.254.

 

Also, there is an error in the log of openvpn client :
- Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:3: remote-gateway (2.4.7)

 

Can you please help me ?

 

Bellow all my configuration:

WAN IP                         XXXX.XXXX.XXXX.XXXX
UNRAID SERVER IP               192.168.1.200
LAN GATEWAY                    192.168.1.254
OPENVPN / EASYRSA VERSION      2.4.6/Master


 

IPCONFIG on Windows 10 Pro 64 bits
----------------------------------

Configuration IP de Windows


Carte Ethernet Ethernet :

   Statut du média. . . . . . . . . . . . : Média déconnecté
   Suffixe DNS propre à la connexion. . . : lan

Carte réseau sans fil Connexion au réseau local* 1 :

   Statut du média. . . . . . . . . . . . : Média déconnecté
   Suffixe DNS propre à la connexion. . . :

Carte réseau sans fil Connexion au réseau local* 2 :

   Statut du média. . . . . . . . . . . . : Média déconnecté
   Suffixe DNS propre à la connexion. . . :

Carte Ethernet Ethernet 2 :

   Suffixe DNS propre à la connexion. . . :
   Adresse IPv6 de liaison locale. . . . .: fe80::24fc:59a0:7f83:cdb4%17
   Adresse IPv4. . . . . . . . . . . . . .: 10.8.0.6
   Masque de sous-réseau. . . . . . . . . : 255.255.255.252
   Passerelle par défaut. . . . . . . . . :

Carte Ethernet Connexion réseau Bluetooth :

   Statut du média. . . . . . . . . . . . : Média déconnecté
   Suffixe DNS propre à la connexion. . . :

Carte réseau sans fil Wi-Fi :

   Statut du média. . . . . . . . . . . . : Média déconnecté
   Suffixe DNS propre à la connexion. . . : lan

Carte Ethernet Ethernet 3 :

   Suffixe DNS propre à la connexion. . . :
   Adresse IPv6 de liaison locale. . . . .: fe80::b083:1d04:ebf4:7bb4%45
   Adresse IPv4. . . . . . . . . . . . . .: 192.168.42.32
   Masque de sous-réseau. . . . . . . . . : 255.255.255.0
   Passerelle par défaut. . . . . . . . . : 192.168.42.129


CLIENT SIDE LOG (OPENVPN CLIENT GUI on Windows 10 Pro 64 bits)
--------------------------------------------------------------

    Sun May 26 21:59:32 2019 OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Feb 21 2019
    Sun May 26 21:59:32 2019 Windows version 6.2 (Windows 8 or greater) 64bit
    Sun May 26 21:59:32 2019 library versions: OpenSSL 1.1.0j  20 Nov 2018, LZO 2.10
    Enter Management Password:
    Sun May 26 21:59:32 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
    Sun May 26 21:59:32 2019 Need hold release from management interface, waiting...
    Sun May 26 21:59:32 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
    Sun May 26 21:59:32 2019 MANAGEMENT: CMD 'state on'
    Sun May 26 21:59:32 2019 MANAGEMENT: CMD 'log all on'
    Sun May 26 21:59:32 2019 MANAGEMENT: CMD 'echo all on'
    Sun May 26 21:59:32 2019 MANAGEMENT: CMD 'bytecount 5'
    Sun May 26 21:59:32 2019 MANAGEMENT: CMD 'hold off'
    Sun May 26 21:59:32 2019 MANAGEMENT: CMD 'hold release'
    Sun May 26 21:59:32 2019 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
    Sun May 26 21:59:32 2019 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
    Sun May 26 21:59:32 2019 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
    Sun May 26 21:59:32 2019 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
    Sun May 26 21:59:32 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]XXXX.XXXX.XXXX.XXXX:1194
    Sun May 26 21:59:32 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Sun May 26 21:59:32 2019 UDP link local: (not bound)
    Sun May 26 21:59:32 2019 UDP link remote: [AF_INET]XXXX.XXXX.XXXX.XXXX:1194
    Sun May 26 21:59:32 2019 MANAGEMENT: >STATE:1558900772,WAIT,,,,,,
    Sun May 26 21:59:32 2019 MANAGEMENT: >STATE:1558900772,AUTH,,,,,,
    Sun May 26 21:59:32 2019 TLS: Initial packet from [AF_INET]XXXX.XXXX.XXXX.XXXX:1194, sid=e175b8f2 8b8e5482
    Sun May 26 21:59:32 2019 VERIFY OK: depth=1, CN=server
    Sun May 26 21:59:32 2019 VERIFY KU OK
    Sun May 26 21:59:32 2019 Validating certificate extended key usage
    Sun May 26 21:59:32 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    Sun May 26 21:59:32 2019 VERIFY EKU OK
    Sun May 26 21:59:32 2019 VERIFY OK: depth=0, CN=server
    Sun May 26 21:59:33 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
    Sun May 26 21:59:33 2019 [server] Peer Connection Initiated with [AF_INET]XXXX.XXXX.XXXX.XXXX:1194
    Sun May 26 21:59:34 2019 MANAGEMENT: >STATE:1558900774,GET_CONFIG,,,,,,
    Sun May 26 21:59:34 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
---    Sun May 26 21:59:34 2019 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.1.254,redirect-gateway local def1,remote-gateway 192.168.1.200,resolv-retry infinite,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
---    Sun May 26 21:59:34 2019 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:3: remote-gateway (2.4.7)
---    Sun May 26 21:59:34 2019 Options error: option 'resolv-retry' cannot be used in this context ([PUSH-OPTIONS])
    Sun May 26 21:59:34 2019 OPTIONS IMPORT: timers and/or timeouts modified
    Sun May 26 21:59:34 2019 OPTIONS IMPORT: --ifconfig/up options modified
    Sun May 26 21:59:34 2019 OPTIONS IMPORT: route options modified
    Sun May 26 21:59:34 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Sun May 26 21:59:34 2019 OPTIONS IMPORT: peer-id set
    Sun May 26 21:59:34 2019 OPTIONS IMPORT: adjusting link_mtu to 1625
    Sun May 26 21:59:34 2019 OPTIONS IMPORT: data channel crypto options modified
    Sun May 26 21:59:34 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    Sun May 26 21:59:34 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
    Sun May 26 21:59:34 2019 interactive service msg_channel=920
    Sun May 26 21:59:34 2019 ROUTE_GATEWAY 192.168.42.129/255.255.255.0 I=45 HWADDR=02:7c:59:35:30:5f
    Sun May 26 21:59:34 2019 open_tun
    Sun May 26 21:59:34 2019 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{D8BE8B5E-39EB-4160-B671-197B2CBA8E5B}.tap
    Sun May 26 21:59:34 2019 TAP-Windows Driver Version 9.21 
    Sun May 26 21:59:34 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {D8BE8B5E-39EB-4160-B671-197B2CBA8E5B} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
    Sun May 26 21:59:34 2019 Successful ARP Flush on interface [17] {D8BE8B5E-39EB-4160-B671-197B2CBA8E5B}
    Sun May 26 21:59:34 2019 MANAGEMENT: >STATE:1558900774,ASSIGN_IP,,10.8.0.6,,,,
    Sun May 26 21:59:36 2019 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
    Sun May 26 21:59:36 2019 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
    Sun May 26 21:59:36 2019 Route addition via service succeeded
    Sun May 26 21:59:36 2019 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
    Sun May 26 21:59:36 2019 Route addition via service succeeded
    Sun May 26 21:59:36 2019 MANAGEMENT: >STATE:1558900776,ADD_ROUTES,,,,,,
    Sun May 26 21:59:36 2019 C:\Windows\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
    Sun May 26 21:59:36 2019 Route addition via service succeeded
    Sun May 26 21:59:36 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Sun May 26 21:59:36 2019 Initialization Sequence Completed
    Sun May 26 21:59:36 2019 MANAGEMENT: >STATE:1558900776,CONNECTED,SUCCESS,10.8.0.6,XXXX.XXXX.XXXX.XXXX,1194,,


DEFAUKLT CONFIG - CLIENT SIDE CONFIG (OPENVPN CLIENT GUI on Windows 10 Pro 64 bits)
-----------------------------------------------------------------------------------

remote XXXX.XXXX.XXXX.XXXX
tls-client
cipher AES-256-GCM
auth sha512
client
dev tun
proto udp
port 1194
nobind
persist-key
persist-tun
resolv-retry infinite
comp-lzo adaptive
verb 3
mute-replay-warnings
tls-version-min 1.2
remote-cert-tls server
remote-cert-eku "TLS Web Server Authentication"
route-delay 2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA38:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA


DEFAULT CONFIG - SERVER SIDE CONFIG
-----------------------------------

Dynamic DNS
OpenVPN server IP                       10.8.0.0
Netmask                                 255.255.255.0
Allow Client to Client                  no
Pushing DHCP options to clients         DNS local gateway
Port for the server                     1194
Tunnel Protocol                         UDP
Encryption Ciphers                      AES-256-GCM
Hash Algorithm                          SHA512
Control channel encryption (tls-crypt)  yes
ifconfig-pool-persist ipp.txt           yes    
Redirect-gateway                        redirect gateway def1
Topology subnet                         no
Push LAN subnet to the clients          yes
LZO Compression                         adaptive
TELNET management console               no
LOG settings                            3
OpenVPN Port-Share 

 

Edited by kormalan

Share this post


Link to post

Hi,

 

I changed from OpenVPN AS from Linuxservers to yours. At first, good job :)

Everything is working fine for me at the moment.

 

But I have one question, maybe I oversee something, but is it possible to force the client with the .ovpn file to enter a password?

 

Thank you :)

Share this post


Link to post
Hi,
 
I changed from OpenVPN AS from Linuxservers to yours. At first, good job
Everything is working fine for me at the moment.
 
But I have one question, maybe I oversee something, but is it possible to force the client with the .ovpn file to enter a password?
 
Thank you
Let me know if you get how too

Sent from my Pixel 2 XL using Tapatalk

Share this post


Link to post

Recently I've been getting this message from Tunnelblick about the comp-lzo option being deprecated. I know I can click the checkbox so that the warning doesn't appear again but is there a better fix for this? A way to use a better supported compression option?

 

517929417_ScreenShot2019-05-31at9_11_09AM.thumb.png.96b21e4b3f278d591c2c77c3110c2c06.png

Edited by Taddeusz

Share this post


Link to post
On 5/3/2019 at 12:48 PM, swtz said:

Hey all!

 

Is there an updated link for the client configuration guide?

 

I'm trying to get this setup so that all traffic from only 1 interface (I have two setup NOT bonded) will pass be routed through the vpn tunnel.

 

I'm now stuck on the first step of getting the plugin to connect.  I tried to go to the link on the first post for client config guide, but it doesn't take me anywhere.  Is there a new one?

 

Thanks!

 

Is there a working client config guide anywhere? Link is to the forum home page....

Edit: https://web.archive.org/web/20160807091818/http://lime-technology.com/forum/index.php?topic=19439.0

 

Very old, but it does still work if you have an idea what you're looking at.

 

Short version is that the one click install works, and ovpn files go in an openvpn directory you will need to create in the root of the flash drive.

 

Edited by Bureaucromancer

Share this post


Link to post
On 5/31/2019 at 10:16 AM, Taddeusz said:

Recently I've been getting this message from Tunnelblick about the comp-lzo option being deprecated. I know I can click the checkbox so that the warning doesn't appear again but is there a better fix for this? A way to use a better supported compression option?

 

517929417_ScreenShot2019-05-31at9_11_09AM.thumb.png.96b21e4b3f278d591c2c77c3110c2c06.png

 

I got rid of this warning by changing "comp-lzo" to "compress lzo" in my config file as noted in the link below:

https://github.com/Nyr/openvpn-install/issues/430

Share this post


Link to post

It would be nice to see an option to select compression type and/or syntax. By that I mean being able to select whether to use 'comp-lzo' or the 'compress' command. Then also if you choose to select the 'compress' command being able to select between 'lzo', 'lz4', or 'lz4-v2'. Understanding that 'comp-lzo' is deprecated I believe 'compress lzo' should be the default syntax.

 

Having a GUI like this means putting in enough functionality so that someone doesn't need to make manual edits like this unless it's something obscure.

Edited by Taddeusz

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.