I run the most recent version of OSMC and had a PIA VPN server set up as a proxy through the GUI, trusting that this meant OSMC has been connecting to the internet via PIA servers and hiding my traffic.
Now, thanks to a letter from my ISP, I am not so sure anymore what the GUI proxy setting does, and after reading various guides and threads on the subject, mainly from a couple of years ago, I got completely confused.
Could someone please explain:
- has OSMC a built-in module to set up a VPN client and is this the proxy GUI setting?
- or do I need to set up an additional service to do so? I read about openvpn, zomboided and connman
- if so is there a newish guide to such setup available? I only found some old ones which referred to non-existing download links / articles.
Thanks for help
Bart
Hi Bart,
I've currently got a ticket open with PIA for the VPN connection dropping and failing to reconnect, which may explain your letter from your ISP. I'm waiting for them to advise on a fix for the client config; in the meantime I've set up a cron script to check the connection. To try this you will either need a keyboard and access to the console, or ssh. I'm translating this from Raspbian to OSMC, so if I make a mistake can someone please advise. Also, I've not had a connection drop since I invoked the script, so a test would be good, and if someone has a better script I would appreciate it. (Struck through is no longer required:)
nano or vi /home/osmc/checkvpn.sh
Cron script removed
chmod +x /home/osmc/checkvpn.sh
sudo su (I'm running the cron script as root.)
crontab -e
Add the following:
removed
This will check if openvpn is running every 5 min, and restart the service if it's not. From reading the logs, openvpn is exiting on failing to reconnect. Again, I have not had a drop since I've activated this, so I will advise how well it works later. Also, I will update if PIA come up with a client fix.
As for my setup, console or ssh access required
sudo apt-get update
sudo apt-get install openvpn unzip
cd /etc/openvpn
sudo wget --no-check-certificate https://www.privateinternetaccess.com/openvpn/openvpn.zip
sudo unzip openvpn.zip
sudo vi or nano /etc/openvpn/pass.txt
top line: pia username
2nd line: pia password
sudo cp "UK London.ovpn" vpn.conf
sudo vi or nano /etc/openvpn/vpn.conf
locate line: auth-user-pass
and change to: auth-user-pass /etc/openvpn/pass.txt
sudo systemctl enable openvpn.service
sudo systemctl start openvpn.service
check your public ip is now the one provided by ISP.
curl ipinfo.io/ip
now do a google search for whats my ip on non vpn routed client and compare ip to osmc.
Thanks Tom.
Hi Tom,
You can do away with your own script to check if openvpn is running. Systemd does it automatically with just one or two lines. If you're interested, using sudo, edit the file /lib/systemd/system/openvpn@.service and in the [Service] section add:
Restart=always
RestartSec=5
The second line is optional. Then run:
sudo systemctl daemon-reload
and the new line(s) will take effect next time you start openvpn.
BTW, Restart=always doesn't mean that you can't stop openvpn yourself. It is also effective even if the openvpn service is disabled.
Hi dillthedog,
I've already tried this (although mine was set to RestartSec=30), and I still got a failed to auth message and exit. I'm still waiting for PIA to advise why it fails to authenticate when openvpn restarts itself. I'll give the openvpn@.service edit another go at the weekend when I've got more time. I'll advise when I get an update from PIA.
Thanks Tom.
Hi Dilthedog,
I've found some time this evening and I think, thanks to your suggestion, this is resolved. I had another look at restart=always.
In the process I found I had 2 openvpn systemd unit files enabled:
openvpn.service
openvpn@vpn.service
Being as my conf file being loaded is called vpn.conf, I disabled openvpn.service:
sudo systemctl disable openvpn.
added your suggestion to /lib/systemd/system/openvpn@.service, being as openvpn@vpn.service is a symlink to this.
sudo systemctl daemon-reload
sudo reboot.
Now after checking syslog (Raspbian as stated earlier), I've got a much cleaner startup of openvpn.
I think the 2 conflicting systemd calls were causing confusion on reconnect and causing the auth fails.
I'm still using my cron file for now, just out of paranoia. Will do so until I get a connection drop and see what brings it back up, or for about a week and I'm happy(ish) it's stable.
cron script slightly modified: systemctl restart openvpn@vpn.service.
I can't remember how I ended up with this configuration, as I set it up over 6 months ago and as far as I can tell it was working up till about a week ago. I think this is sorted now, but if you have any thoughts, I would appreciate the feedback. Also posted my findings in case others are facing a similar issue.
Thanks Tom.
Hi Tom,
My recommendation (NB it's not the only way) is that you should never enable openvpn@xxxx.service since there is the real risk of having openvpn@xxxx.service and openvpn@yyyy.service enabled at the same time.
Instead, make the file /etc/default/openvpn
your "master switch". There is an AUTOSTART="xxxxx" line where you specify which vpn.conf file should run when openvpn.service runs. Using this file keeps things simple and in one location.
One other thing to note WRT openvpn and systemd is that openvpn does not need to be enabled for you to be able to run it manually. Here's proof:
osmc@osmc:~$ sudo systemctl status openvpn
● openvpn.service - OpenVPN service
Loaded: loaded (/lib/systemd/system/openvpn.service; disabled)
Active: inactive (dead)
osmc@osmc:~$ sudo systemctl start openvpn
osmc@osmc:~$ sudo systemctl status openvpn
● openvpn.service - OpenVPN service
Loaded: loaded (/lib/systemd/system/openvpn.service; disabled)
Active: active (exited) since Mon 2017-04-24 21:00:48 CEST; 5s ago
Process: 648 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
Main PID: 648 (code=exited, status=0/SUCCESS)
Apr 24 21:00:48 osmc systemd[1]: Started OpenVPN service.
osmc@osmc:~$ ps -ef|grep [o]penvpn
nobody 650 1 0 21:00 ? 00:00:00 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server.conf
I could also have started openvpn@server.service and achieved the same result, since in this case the /etc/default/openvpn contains the line AUTOSTART="server", so starting openvpn.service has the same effect.
For me, the main use of enabling / disabling openvpn.service is so that it will / won't run at system startup.
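A check for the situation discussed above, where more than one OpenVPN unit is enabled at boot (an added example, not part of the original posts). It assumes the Debian layout mentioned in the thread: enabled units appear as symlinks under /etc/systemd/system/multi-user.target.wants, and an empty or "all" AUTOSTART means every .conf in /etc/openvpn. The function names are made up for this example.

```shell
#!/bin/sh
# Added example: list the OpenVPN configs that start at boot and warn when
# there is more than one. Pass a root prefix to inspect a copy of /etc.

# Instances enabled directly with "systemctl enable openvpn@NAME.service".
enabled_instances() {
    root=${1:-}
    for link in "$root"/etc/systemd/system/multi-user.target.wants/openvpn@*.service; do
        [ -L "$link" ] || continue
        name=${link##*/openvpn@}
        printf '%s\n' "${name%.service}"
    done
}

# Instances selected by AUTOSTART in /etc/default/openvpn. Assumption: they
# only start at boot when openvpn.service itself is enabled.
autostart_instances() {
    root=${1:-}
    [ -L "$root/etc/systemd/system/multi-user.target.wants/openvpn.service" ] || return 0
    list=$( AUTOSTART=all
            [ -r "$root/etc/default/openvpn" ] && . "$root/etc/default/openvpn"
            printf '%s' "${AUTOSTART:-all}" )
    case $list in
        none) ;;
        all)  for conf in "$root"/etc/openvpn/*.conf; do
                  [ -f "$conf" ] || continue
                  name=${conf##*/}
                  printf '%s\n' "${name%.conf}"
              done ;;
        *)    for name in $list; do printf '%s\n' "$name"; done ;;
    esac
}

# Distinct tunnel names that will come up at boot, one per line.
boot_tunnels() {
    { enabled_instances "$1"; autostart_instances "$1"; } | sort -u
}

# Returns 0 when at most one tunnel starts at boot, 1 otherwise.
check_single_tunnel() {
    count=$(boot_tunnels "$1" | grep -c . || true)
    [ "$count" -le 1 ] && return 0
    echo "WARNING: $count OpenVPN configs start at boot:" >&2
    boot_tunnels "$1" | sed 's/^/  /' >&2
    return 1
}
# Usage: check_single_tunnel        (live system)
#        check_single_tunnel /mnt   (copy of the card mounted at /mnt)
```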
Hi,
Ok thanks, I'll give this a go.
Cheers Tom.
Dilthedog & Tom,
It's been a long day in the office and it's nice to see you've been developing the thread. From what I gathered, openvpn is the way to go, as you've discussed the finer details of the service.
Would you care to share your thoughts on the more general questions I initially posted? It would be nice to understand the basics.
As to openvpn, I tried installing it using a guide from 2015 and failed getting the following:
> osmc@osmc:/etc/openvpn$ wget http://www.privateinternetaccess.com/openvpn/openvpn.zip
> converted 'http://www.privateinternetaccess.com/openvpn/openvpn.zip' (ANSI_X3.4-1968) -> 'http://www.privateinternetaccess.com/openvpn/openvpn.zip' (UTF-8)
> --2017-04-23 21:42:06-- http://www.privateinternetaccess.com/openvpn/openvpn.zip
> Resolving www.privateinternetaccess.com (www.privateinternetaccess.com)... 23.207.185.140
> Connecting to www.privateinternetaccess.com (www.privateinternetaccess.com)|23.207.185.140|:80... connected.
> HTTP request sent, awaiting response... 301 Moved Permanently
> Location: https://www.privateinternetaccess.com/openvpn/openvpn.zip [following]
> converted 'https://www.privateinternetaccess.com/openvpn/openvpn.zip' (ANSI_X3.4-1968) -> 'https://www.privateinternetaccess.com/openvpn/openvpn.zip' (UTF-8)
> --2017-04-23 21:42:07-- https://www.privateinternetaccess.com/openvpn/openvpn.zip
> Connecting to www.privateinternetaccess.com (www.privateinternetaccess.com)|23.207.185.140|:443... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 15046 (15K) [application/zip]
> openvpn.zip: Permission denied
> Cannot write to 'openvpn.zip' (Permission denied).
I assume there is an issue with either local permissions or PIA links; sorry for my ignorance, I'm a QS, not a programmer. I'd appreciate your thoughts on the above.
Bart
You need sudo, as without it you do not have permission to write to /etc/openvpn.
Thanks Tom.
You're right. Humble apologies. We techies do get carried away sometimes.
I don't use PIA so I visited their site and see that they have a SOCKS5 proxy in NL. I assume this is what you used, since the Kodi GUI allows for the use of a proxy server under Settings > System > Internet access… The effect of using the proxy is that it will appear to others on the Internet that you are located in NL. But a proxy such as PIA's will probably not encrypt your traffic, meaning that it can be inspected while in transit, for example by your ISP. Openvpn, on the other hand, does encrypt data in transit between you and the VPN server.
OSMC does not have openvpn installed by default, but it can be easily added.
It will take some configuration to get it working but this is not too difficult. You will need to use SSH and the command line, but I see you have already crossed that bridge.
There is a thread here where the ins and outs of getting openvpn to run at startup were discussed. The tl;dr is in post #28.
And Tom has already answered your last query!
Edit: Just one other important point that I forgot to mention. You will need to configure each application individually to use the SOCKS proxy; it does not apply to the whole system. So, for example, a bittorrent client will not use the proxy unless it is configured to do so. By contrast, openvpn will send all external traffic through the VPN tunnel.
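One way to confirm the last point on the box itself, as an added example that is not part of the original post: ask the kernel which interface it would use for the configured DNS servers and for any other addresses you pass in. It assumes the iproute2 ip command, OpenVPN's default tun* interface naming, and hypothetical function names.

```shell
#!/bin/sh
# Added example: report which interface the kernel would use for a set of
# destinations, to confirm traffic leaves via the OpenVPN tunnel (tun*).

# Wrapper around the real lookup so it can be replaced when testing offline.
route_get() { ip -4 route get "$1" 2>/dev/null; }

# Print the egress interface for one IPv4 address, e.g. "tun0" or "eth0".
egress_dev() {
    route_get "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# IPv4 nameservers from a resolv.conf-style file (default /etc/resolv.conf).
nameservers() {
    awk '$1 == "nameserver" && $2 ~ /^[0-9.]+$/ { print $2 }' "${1:-/etc/resolv.conf}"
}

# Arguments: a resolv.conf path, then any extra addresses to test.
# Prints one line per destination and returns 1 if any would bypass the
# tunnel. A resolver on the loopback interface is reported but not counted,
# because where its queries go depends on its own upstream settings.
check_tunnel_egress() {
    resolv=$1; shift
    bypass=0
    for dst in $(nameservers "$resolv") "$@"; do
        dev=$(egress_dev "$dst")
        case $dev in
            tun*) echo "ok      $dst via $dev" ;;
            lo)   echo "local   $dst via lo (check the local resolver's upstream)" ;;
            *)    echo "BYPASS  $dst via ${dev:-no route}"; bypass=1 ;;
        esac
    done
    return "$bypass"
}
# Usage: check_tunnel_egress /etc/resolv.conf 1.1.1.1
```

A nameserver on the LAN, such as the home router, shows up as BYPASS because DNS queries to it leave over the normal interface rather than through the tunnel.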
Just to provide an alternate solution that has worked out very well for me, I moved my openVPN implementation onto my router. In that way you can easily manage pretty sophisticated routing decisions about which devices and which specific traffic flows get sent through the VPN network and which don't.
In my case, I'm using a guy that's developed custom firmware that focuses primarily on stability, but the capabilities (e.g. openVPN version) are pretty current and it's been a solid implementation that lets me manage things through a web interface designed for the purpose, rather than having to manage conf files and system processes through ssh. You can even have 5 VPN tunnels active simultaneously and switch pretty easily between them. I haven't tried to dynamically route traffic between different active VPN tunnels, as I haven't needed to, but it's likely possible.
Been using nordvpn here, which has been pretty solid and no issues on the configuration side.
Agreed. Merlin's firmware has a very good reputation. As long as the router has a more modern ARM-based processor, the performance should be good enough, bearing in mind that routers were not designed to do CPU-intensive cryptographic work. With the introduction of ARMv8 (as found on the Vero 4K), the processor can have AES hardware acceleration built in, so the performance should improve significantly.
Neurosisone,
Thank you for your idiot-proof guide. I seem to be a bit too much of an idiot for it though, got stuck at:
osmc@osmc:/etc/openvpn$ sudo openvpn -config ./UK London.ovpn
Options error: I'm trying to parse "-config" as an --option parameter but I don't see a leading '--'
Use --help for more information.
osmc@osmc:/etc/openvpn$ sudo openvpn -config./UK London.ovpn
Options error: I'm trying to parse "-config./UK" as an --option parameter but I don't see a leading '--'
Use --help for more information.
osmc@osmc:/etc/openvpn$ sudo openvpn config ./Sweden.ovpn
Options error: I'm trying to parse "config" as an --option parameter but I don't see a leading '--'
I am assuming this is due to a syntax error; as you can see, I tried different versions, even connecting to your chosen Swedish server.
I'd very much appreciate a lesson.
Bart
Use sudo openvpn --config ./UK London.ovpn
The font in his link has masked the double hyphen.
You are all very nice people, amazing what difference one dash makes. However, now I run into:
osmc@osmc:/etc/openvpn$ sudo openvpn --config ./UK London.ovpn
Options error: In [CMD-LINE]:1: Error opening configuration file: ./UK
Use --help for more information.
I assume Linux cannot deal with spaces in file names, right?
Please advise
sudo openvpn --config ./"UK London.ovpn"
You can rename the file and take out the UK part, or make it all one word without the space:
osmc@osmc:/etc/openvpn$ sudo mv UK\ London.ovpn /etc/openvpn/London.ovpn
Thank you all very much, I suppose I should read a Linux for Dummies as these are very basic things.
I'm finding the command line quite fun though, reminds me of working for an ISP in 1994 and having to set up all clients' connections in command on our Unix server. Happy days