Confusion over VPN client setup

I run most recent version of OSMC and had PIA VPN server set up as proxy though the GUI trusting that this meant OSMC has been connecting to internet via PIA servers and hiding my traffic.

Now, thanks to a letter from my ISP, I am not so sure anymore as to what GUI proxy setting does and reading various guides and threads on the subject, mainly from couple of years ago, I got completely confused on the subject.

Could someone please explain:

  • has OSMC a build in module to set up a VPN client and is this the proxy GUI setting?
  • or do I need to set up an additional service to do so? I read about openvpn, zomboided and connman
  • if so is there a newish guide to such setup available? I only found some old ones which referred to non-existing download links / articles.

Thanks for help

Bart

Hi Bart,

Iā€™ve currently got a ticket open with PIA, for vpn connection dropping and failing to reconnect which may explain your letter from your ISP. Iā€™m waiting for them to advise on a fix for the client config, in the mean time Iā€™ve setup a cron script, to check the connection. To try this you will either need a keyboard and access to the console or ssh. Iā€™m translating this from raspbian to OSMC, so If I make a mistake can someone please advise. Also Iā€™ve not had a connection drop since I invoked the script, so a test would be good and If someone has a better script I would appreciate it. (Striked through is no Longer required:)

nano or vi /home/osmc/checkvpn.sh
Cron script removed
chmod +x /home/osmc/checkvpn.sh
sudo su (iā€™m running the cron script as root.)
crontab -e
Add the following:
removed
This will check if the openvpn is running every 5 min, and restart the service if its not. From reading the logs openvpn is existing on failing to reconnect. Again I have not had drop since Iā€™ve activated this, So I will advise how well it works later. Also I will update if pia come up with a client fix.

As for my setup, console or ssh access required

sudo apt-get update
sudo apt-get install openvpn unzip

cd /etc/openvpn
sudo wget --no-check-certificate https://www.privateinternetaccess.com/openvpn/openvpn.zip
sudo unzip openvpn.zip
sudo vi or nano /etc/openvpn/pass.txt

top line: pia username
2nd line: pia password

sudo cp ā€œUK London.ovpnā€ vpn.conf
sudo vi or nano /etc/openvpn/vpn.conf

locate line: auth-user-pass
and change to: auth-user-pass /etc/openvpn/pass.txt

sudo systemctl enable openvpn.service
sudo systemctl start openvpn.service

check your public ip is now the one provided by ISP.

curl ipinfo.io/ip

now do a google search for whats my ip on non vpn routed client and compare ip to osmc.

Thanks Tom.

H Tom,

You can do away with your own script to check if openvpn is running. Systemd does it automatically with just one or two lines. If youā€™re interested, using sudo edit file /lib/systemd/system/openvpn@.service and in the [Service] section add:

Restart=always
RestartSec=5

The second line is optional. Then run:

sudo systemctl daemon-reload

and the new line(s) will take effect next time you start openvpn.

BTW, Restart=always doesnā€™t mean that you canā€™t stop openvpn yourself. It is also effective even if the openvpn service is disabled.

Hi dillthedog,

Iā€™ve already tried this (although mine was set to RestartSec=30,) and I still got a failed to auth message and exit. Iā€™m still waiting for PIA to advise why its fails to authenticate, when openvpn restarts itself. Iā€™ll give the openvpn@.service edit another go, at the weekend when Iā€™ve got more time. Iā€™ll advise when I get an update from PIA.

Thanks Tom.

Hi Dilthedog,

Iā€™ve found sometime this evening and I think thanks to your suggestion, this is resolved. I had another look at restart=always.

In the process I found I had 2 opevpn systemd unit files enabled:

openvpn.service
openvpn@vpn.service

Being as my conf file being loaded is called vpn.conf, I disabled openvpn.service:

sudo systemctl disable openvpn.

added your suggestion to /lib/systemd/system/openvpn@.service, being as openvpn@vpn.service is a symlink to this.

sudo systemctl daemon-reload
sudo reboot.

Now after checking syslog (Raspbian as stated earlier), Iā€™ve got a much cleaner startup of openvpn.

I think the 2 conflicting systemd calls, was causing a confusion on reconnect and causing the auth fails.

Iā€™m still using my cron file for now, just out of paranoia. Will do so until I get a connection drop and see what brings it back up, or for about a week and Iā€™m happy(ish) its stable.

cron script slightly - modified: systemctl restart openvpn@vpn.service.

I canā€™t remember how ended up with this configuration, as I setup over 6 months ago and as far as I can tell it was working up till about a week ago. I think this is sorted now, but if you have any thoughts, I would appreciate the feedback. Also posted my findings in case others a facing a similar issue.

Thanks Tom.

Hi Tom,

My recommendation (NB itā€™s not the only way) is that you should never enable openvpn@xxxx.service since there is the real risk of having openvpn@xxxx.service and openvpn@yyyy.service enabled at the same time.

Instead, make the file /etc/default/openvpn your ā€œmaster switchā€. There is an AUTOSTART=ā€œxxxxxā€ line where you specify which vpn.conf file should run when openvpn.service runs. Using this file keeps things simple and in one location.

One other thing to note WRT openvpn and systemd is that openvpn does not need to be enabled for you to be able to run it manually. Hereā€™s proof:

osmc@osmc:~$ sudo systemctl status openvpn
ā— openvpn.service - OpenVPN service
   Loaded: loaded (/lib/systemd/system/openvpn.service; disabled)
   Active: inactive (dead)
osmc@osmc:~$ sudo systemctl start openvpn
osmc@osmc:~$ sudo systemctl status openvpn
ā— openvpn.service - OpenVPN service
   Loaded: loaded (/lib/systemd/system/openvpn.service; disabled)
   Active: active (exited) since Mon 2017-04-24 21:00:48 CEST; 5s ago
  Process: 648 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 648 (code=exited, status=0/SUCCESS)

Apr 24 21:00:48 osmc systemd[1]: Started OpenVPN service.
osmc@osmc:~$ ps -ef|grep [o]penvpn
nobody     650     1  0 21:00 ?        00:00:00 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server.conf

I could also have started openvpn@server.service and achieved the same result, since in this case the /etc/default/openvpn contains the line AUTOSTART=ā€œserverā€, so starting openvpn.service has the same effect.

For me, the main use of enabling / disabling openvpn.service is so that it will / wont run at system startup.

Hi,

Ok thanks, Iā€™ll give this a go.

Cheers Tom.

Dilthedog & Tom,

Itā€™s been a long day in the office and itā€™s nice to see youā€™ve been developing the thread. From what I gathered openvpn is the way to go as youā€™ve discussed the finer details of the service.

Would you care to share you thoughts on the more general questions I initially posted, it would be nice to understand the basics.

As to openvpn, I tried installing it using a guide from 2015 and failed getting the following:

>     osmc@osmc:/etc/openvpn$ wget http://www.privateinternetaccess.com/openvpn/openvpn.zip
>         converted 'http://www.privateinternetaccess.com/openvpn/openvpn.zip' (ANSI_X3.4-1968) -> 'http://www.privateinternetaccess.com/openvpn/openvpn.zip' (UTF-8)
>         --2017-04-23 21:42:06--  http://www.privateinternetaccess.com/openvpn/openvpn.zip
>         Resolving www.privateinternetaccess.com (www.privateinternetaccess.com)... 23.207.185.140
>         Connecting to www.privateinternetaccess.com (www.privateinternetaccess.com)|23.207.185.140|:80... connected.
>         HTTP request sent, awaiting response... 301 Moved Permanently
>         Location: https://www.privateinternetaccess.com/openvpn/openvpn.zip [following]
>         converted 'https://www.privateinternetaccess.com/openvpn/openvpn.zip' (ANSI_X3.4-1968) -> 'https://www.privateinternetaccess.com/openvpn/openvpn.zip' (UTF-8)
>         --2017-04-23 21:42:07--  https://www.privateinternetaccess.com/openvpn/openvpn.zip
>         Connecting to www.privateinternetaccess.com (www.privateinternetaccess.com)|23.207.185.140|:443... connected.
>         HTTP request sent, awaiting response... 200 OK
>         Length: 15046 (15K) [application/zip]
>         openvpn.zip: Permission denied

>         Cannot write to 'openvpn.zip' (Permission denied).

I assume there is an issue with either local permissions or PIS links, sorry for ignorance, Iā€™m a QS not programmer. Iā€™d appreciate your thought on the above

Bart

you need sudo, as without you do not have permission to write to /etc/openvpn.

Thanks Tom.

Youā€™re right. Humble apologies. We techies do get carried away sometimes.

I donā€™t use PIA so I visited their site and see that they have a SOCKS5 proxy in NL. I assume this is what you used, since the Kodi GUI allows for the use of a proxy server under Settings > System > Internet accessā€¦ The effect of using the proxy is that it will apear to others on the Internet that you are located in NL. But, a proxy such as PIAā€™s will probably not encrypt your traffic, meaning that it can be inspected while in transit, for example by your ISP. Openvpn, on the other hand, does encrypt data in transit between you and the VPN server.

OSMC does not have openvpn installed by default, but it can be easily added.

It will take some configuration to get it working but this is not too difficult. You will need to use SSH and the command line, but I see you have already crossed that bridge.

There is a thread here where the ins and outs of getting openvpn to run at startup were discussed. The tl;dr is in post #28.

And Tom has already answered your last query! :wink:

Edit: Just one other important point that I forgot to mention. You will need to configure each application individually to use the SOCKS proxy; it does not apply to the whole system. So, for example, a bittorrent client will not use the proxy unless it is configured to do so. By contrast, openvpn will send all external traffic through the VPN tunnel.

Just to provide an alternate solution that has worked out very well for me, I moved my openVPN implementation onto my router. In that way you can easily manage pretty sophisticated routing decisions about which devices and which specific traffic flows get sent through the VPN network and which donā€™t.

In my case, Iā€™m using a guy thatā€™s developed custom firmware that focuses primarily on stability, but the capabilities (e.g. openVPN version) are pretty current and itā€™s been a solid implementation that lets me manage things through a web interface designed for the purpose, rather than having to manage conf files and system processes through ssh. You can even have 5 VPN tunnels active simultaneously and switch pretty easily between them. I havenā€™t tried to dynamically route traffic between different active VPN tunnels, as I havenā€™t needed to, but itā€™s likely possible.

Been using nordvpn here, which has been pretty solid and no issues on the configuration side.

1 Like

Agreed. Merlinā€™s firmware has a very good reputation. As long as the router has a more modern ARM-based processor, the performance should be good enough, bearing in mind that routers were not designed to do CPU-intensive cryptographic work. With the introduction of ARMv8 (as found on the Vero 4K), the processor can have AES hardware acceleration built in, so the performance should improve significantly.

Bart my step-by-step instructions how I set my OSMC up. for PIA VPN and openvpn
https://www.backtrails.net/2017/04/30/openvpn-setup-for-private-internet-access-pia-vpn-raspberry-pi-3-osmc/

Neurosisone,

Thank you for you idiot proof guide. I seem to be a bit too an idiot for it though, got unstuck at:

osmc@osmc:/etc/openvpn$ sudo openvpn -config ./UK London.ovpn
Options error: Iā€™m trying to parse ā€œ-configā€ as an --option parameter but I donā€™t see a leading ā€˜ā€“ā€™
Use --help for more information.
osmc@osmc:/etc/openvpn$ sudo openvpn -config./UK London.ovpn
Options error: Iā€™m trying to parse ā€œ-config./UKā€ as an --option parameter but I donā€™t see a leading ā€˜ā€“ā€™
Use --help for more information.
osmc@osmc:/etc/openvpn$ sudo openvpn config ./Sweden.ovpn
Options error: Iā€™m trying to parse ā€œconfigā€ as an --option parameter but I donā€™t see a leading ā€˜ā€“ā€™

I am assuming this is due to a syntax error, as you can se I tried different versions, even connecting to your chosen Swedish server.

Iā€™d very much appreciate a lesson.

Bart

Use sudo openvpn --config ./UK London.ovpn

The font in his link has masked the double hyphen.

You are all vary nice people, amazing what difference one dash makes. However, now I run into:

osmc@osmc:/etc/openvpn$ sudo openvpn --config ./UK London.ovpn
Options error: In [CMD-LINE]:1: Error opening configuration file: ./UK
Use --help for more information.

I assume Linuks can not deal with spaces in file names, right?
Please advise

It should be avoided.

sudo openvpn --config ./"UK London.ovpn"

You can rename the file and take out the UK part or make it all one word without the space osmc@osmc:/etc/openvpn$ sudo mv UK\ London.ovpn /etc/openvpn/London.ovpn

:slight_smile:

1 Like

Thank you all very much, I suppose I should read a Linux for Dummies as these are very basic things.

Iā€™m finding command line quite fun though, reminds me of of working for an ISP in 1994 and having to set up all clientsā€™ connection in command on our Unix server. Happy days

1 Like