[HOWTO] OSMC/Rasp Pi as OpenVPN client

Nice one!! Might have to give this a try!

Iā€™ve installed OpenVPN via apt-get. I have an /etc/init.d/openvpn and a proper configuration file for my server.

Everything is configured properly. Like above, I receive this error.

Mon May 4 15:37:39 2015 /sbin/ip route add 0.0.0.0/0 via (IP of VPN)
RTNETLINK answers: File exists

The default route fails to be established, and the VPN does not function unless I manually change the default route thereafter via:

$ /sbin/ip route change default via <ip-address> dev tun0

From what I can tell via my searching, the problem is in connman. I have only found the problem mentioned; no solutions. connman monkeys with the default route somehow before it should, and prevents it from being set by openvpn.

So, Iā€™m thinking one of two things is true:

  1. This is a bug in connman, or
  2. This is a default system misconfiguration by OSMC

Anyone have any insight?

OSMC doesnā€™t use init scripts, use system sudo service openvpn restart
Also sometimes it help to first start the client manually to see any errors openvpn --config /etc/openvpn/client.conf

Whether or not I use init.d, systemd or whatever doesnā€™t have any bearing on the error. Hereā€™s the output from systemd:

Sep 11 12:56:18 wight openvpn[273]: /sbin/ip route del 0.0.0.0/0
Sep 11 12:56:18 wight openvpn[273]: /sbin/ip route add 0.0.0.0/0 via 10.10.10.5
Sep 11 12:56:18 wight openvpn[273]: ERROR: Linux route add command failed: external program exited with error status: 2

The command always fails, Iā€™m almost certain, because connman does something w/ the default route which makes it impossible to remove. /sbin/ip route del 0.0.0.0/0 should delete it so /sbin/ip route add 0.0.0.0/0 via 10.10.10.5 can add it.

I have an identical configuration on another box running Rasbian (which does not use connman); there are no problems.

Iā€™ve got this rough tutorial for a openvpn client that Ive gotten to work,

sudo apt-get update

sudo apt-get install openvpn

cd /etc/openvpn

add .ovpn file to dir /etc/openvpn
Add lines to .ovpn for user/pass

sudo sed -i '/auth-user-pass/cauth-user-pass user.txt' *.ovpn

sudo nano user.txt

In this file create only two lines of text
username(your username)
password(your password)
press crtl+x to save the file then press y and enter.

Since the file we have created contains sensitive info we need to ensure that only the user that created the file can read and write to it. Type:

sudo chmod go-rwx user.txt

Rename ovpn file, vpn.conf
Start/Enable Service

sudo systemctl enable openvpn@vpn.service
sudo systemctl start openvpn@vpn.service

Check status:

Type:

curl http://checkip.dyndns.org

thinking of doing a AIO script based of this discussion and a server discussion here on the forum not that i use vpn for Kodi/OSMC but it seems to be popular a request

I was able to hack around the problem; I created a script in /etc/systemd/system/multi-user.target.wants:

[Unit]
Description=Change Default Route
Requisite=openvpn.service
After=openvpn.service

[Service]
Type=oneshot
ExecStart=/sbin/change-route

[Install]
WantedBy=mult-user.target

Which executes /sbin/change-route:

#!/bin/bash

COUNT=60
while [ $COUNT -gt 0 ]
do
  if [[ -n `/sbin/ip route | grep tun0` ]]
  then
	break
  fi
  sleep 1
  let COUNT-=1
done
IP=`/sbin/ip route | grep 'tun0  proto kernel' | cut -d ' ' -f12`
/sbin/ip route change default via $IP dev tun0

The script above waits (60s max) until device tun0 is created by OpenVPN. Once it is, it grabs the gateway address then changes the default route to use it.

This is not about running an OpenVPN server; this is about running an OpenVPN client.

From what I can gather, something is broken in OSMC prevents OpenVPN clients from working properly which needs addressing. I havenā€™t been able to pinpoint the problem, however.

My best guess is that connman is either bugged or misconfigured in OSMC. Iā€™m not sure why connman is needed by OSMC. Iā€™m curious why this tool was chosen instead of a more established one, like some other users on this thread. If I wanted to propose it be replaced with something else, where would I do that?

1 Like

not recommended, im sure @sam_nazarko can fill in why better then me

Itā€™s not recommended to replace it or to propose to replace it? Because if the latter is true, then thatā€™s a problem.

its not recommended to replace it on your system atmā€¦ as to the reasons why im gonna refer to Sam cause i dont remember the specifics

I wouldnā€™t do it as a user, but rather to propose it be replaced at the distribution level

You could propose it but your use case is somewhat niche and is unlikely to result in the change you are seeking here.
Hereā€™s why you wouldnā€™t want to attempt to change it as a user

One manā€™s shit is one manā€™s treasure.

ConnMan fully supports VPN configuration. The reason for choosing ConnMan over the legacy networking system is that while it worked for you, the large majority (99%) of our users do not wish to configure networking via a command line. ConnMan provides us with a stable DBus interface so we can make configuring connections simple and manageable from Kodi. It also has a very low footprint.

It is easy for you to copy over /etc/network/ files to remedy the situation, and thatā€™s what we expect from power users. We need to support the most common use case scenarios and make these as easy as possible for users to employ. ConnMan lets us do that.

With that said, I donā€™t anticipate a reason why we wonā€™t have GUI based VPN configuration eventually

Here. What would you consider as more established? NetworkManager is a lot more resource intensive and wouldnā€™t work any magic: weā€™d still need to develop our addon to support VPN via the GUI, and additionally, have to rewrite all of the networking code.

If you can provide a better description of the issue then we can have a look.

Edit:

You are likely being caught out by WISPR. To determine true network connectivity (and in the future, to allow login to WiFi networks that ask for a username and password), ConnMan will configure a route and try to connect to osmc.tv. If it receives HTTP-X-OSMC then it knows that it is really connected to the Internet, and not a web page asking for credentials.

I see you are using a legacy /etc/init.d/ script. The solution is to write a proper systemd unit (I am sure one already exists for OpenVPN) and add After=connman.service.

ConnMan assumes that as it is the network manager it is permitted to configure routes accordingly. Other network managers will do the same

Sam

An even more generic solution that would still work on OSMC would be to specify After=network.target in your OpenVPN service.

This is the established way in systemd of specifying that your service should start after the network manager (whatever it might be) is up and running. (network.target does not mean that the network connection is configured and up and running, only that the network manager daemon has started running)

Because our connman.service has Before=network.target it must finish starting before any service that specifies After=network.target is allowed to start, but because network.target is a well known, generic, network manager agnostic target name it should work on any systemd system.

Question guys, have openvpn successfully installed and tested on my Rasp Pi but when configuring the Kodi add-on my folder /usr/sbin seems to be empty (show hidden files and folder enabled in file lists)

Probably a small thing i overlook but hope somebody can point me in good direction

thanksā€¦

Sorry already solved, editing trough the context menu of the add-on did the trick

hi guys!

Is there any way to add visual feedback to OSMC while an openvpn connection is active? Maybe a tiny flag or text on any of the corners of the main menu (only) would doā€¦

Just a thoughtā€¦

Hi all, I am a total novice at Pi as only received it today. So any help would be appreciated.

When typing into Putty I get the response: openvpn: command not found.

Does that mean I have typed incorrectly into putty or the original configuration file.

Thanks, James

Did you actually install and configure openvpn or you thought it was preinstalled?

Ok, got past the putty problem, but now when I try to run openvpn i get the message:

An error has occurred whilst trying to connect OpenVPN
Unable to connect to OpenVPN management interface

Any suggestions please.