[HowTo] Permanent NordVPN tunnel on OSMC


#1

I will describe the method I used to permanently have a connection with NordVPN on my Vero4K, but this should work on any OSMC box.
This method determines the best reachable NordVPN server in or near your country and then connects with it during startup of your machine. When the tunnel is closed for any reason, it will be automatically re-connected, again by first determining the best reachable NordVPN server available. NordVPN’s DNS servers are used by default and DNS queries are sent through the VPN Tunnel to prevent DNS leaking.
All this functionality is actually provided by openpyn and this how-to will describe how to install it on OSMC.

In my opinion, this is the most family-friendly solution, as the VPN is managed completely automatically and transparently without the need for users to manually start tinkering in an openvpn manager inside Kodi. The only disadvantage that I see is that you also don’t have a status of the connection inside Kodi…

Installation

  • Open a SSH connection to your OSMC box
  • Install dependencies: sudo apt install openvpn unzip wget python3-setuptools python3-pip psmisc
  • Install python wheel, required for openpyn install: sudo python3 -m pip install wheel --upgrade
  • Install openpyn: sudo python3 -m pip install openpyn --upgrade
  • Execute the openpyn initialization (this will request your NordVPN credentials and store them, download the ovpn configfiles and install a systemd service): sudo openpyn --init
  • For fast ping tests of the NordVPN servers you will require a version of ping that supports -n and -i: sudo apt install iputils-ping
  • Enable the system service to start on boot: sudo systemctl enable openpyn
  • Start the VPN: sudo systemctl start openpyn

Support for downloading torrents
However, if you will be downloading torrents on your OSMC box, you will need to connect to a NordVPN server that actually allows that to prevent being kicked from the server and losing your connection all the time:
Edit /etc/systemd/system/openpyn.service and change the line

ExecStart=/usr/local/bin/openpyn --silent

into

ExecStart=/usr/local/bin/openpyn --p2p --silent

Disable NordVPN DNS
Openpyn also automatically will start using the NordVPN DNS servers, through the tunnel, to prevent DNS leaking. This is a good thing, and you should skip this step if you don’t have an internal DNS server in your network. However if you do have an internal DNS server in your network, you will no longer be able to resolve host-names of your internal network.
In that case, make sure your internal DNS servers forward external requests to NordVPN DNS servers, preferably also through a NordVPN tunnel set up on your DNS server itself, and change /etc/systemd/system/openpyn.service to include the --skip-dns-patch option to prevent openpyn from managing your DNS resolving:

change

ExecStart=/usr/local/bin/openpyn --silent

into

ExecStart=/usr/local/bin/openpyn be --skip-dns-patch --silent

(Of course, if you already added the --p2p option, you should also leave that option there.)

KILLSWITCH
Openpyn also has experimental support for a killswitch, meaning that it won’t allow any traffic going out in the case the tunnel goes down. This can be enabled by adding the -f option to the ExecStart line. I don’t use this option myself, so I cannot give any more details about it. See https://github.com/jotyGill/openpyn-nordvpn for more information about the kill switch and how to allow a few ports to be accessed from outside (kodi webinterface etc… )

Add extra static routes
At this point, all internet traffic should go through the tunnel and any traffic to your internal network (NAS? etc… ) should still stay internal. That is, if you only have one subnet, the same one your OSMC box is sitting in.
If you however have multiple subnets (for example a different subnet for wired and for wireless) you will need to add an extra static route so that traffic for the other subnet is not sent down through the tunnel to be lost forever…
I did this by adding an ExecStartPost and ExecStopPost entry in the /etc/systemd/system/openpyn.service-file:

ExecStart=/usr/local/bin/openpyn be --silent
ExecStartPost=/sbin/ip route add 192.168.1.0/24 via 192.168.0.1 dev eth0
ExecStop=/usr/local/bin/openpyn --kill
ExecStopPost=/sbin/ip route del 192.168.1.0/24 via 192.168.0.1 dev eth0

Of course:

  • change 192.168.1.0/24 into the required subnet,
  • 192.168.0.1 into your default gateway and
  • change eth0 into the interface your network is connected at.

Check VPN status and logging
You can check the IP you are using now with curl ipinfo.io/ip, which should be different than the IP your ISP gave you.
The status of the VPN set up by openpyn can be checked using systemctl status openpyn and the openvpn logging can be found by running journalctl -u openpyn.

Updating VPN config-files
Once in a while you probably will need to update the NordVPN ovpn configfiles. This can be done with openpyn --update.
This could be added to a crontab, however crontab also is not installed by default on an OSMC. You are free to experiment with that :slight_smile:
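
A local complement to the curl ipinfo.io/ip check and the static-route step above, added here as an example (it is not part of the original post or of openpyn): it classifies a routing table as tunnelled or leaking and reports whether the extra subnet bypasses the tunnel. The function names, the tun* interface name and the three sample tables are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `ip -4 route show` output (sample tables are constructed).
# Assumption: the OpenVPN tunnel interface is named tun* (tun0 by default).

# Print the device of the first route whose destination equals $1.
route_dev() {
    awk -v dst="$1" '$1 == dst {
        for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# Route table on stdin -> "tunnelled" if the catch-all routes use tun*, else "leaking".
tunnel_state() {
    table=$(cat)
    lo=$(printf '%s\n' "$table" | route_dev 0.0.0.0/1)
    hi=$(printf '%s\n' "$table" | route_dev 128.0.0.0/1)
    def=$(printf '%s\n' "$table" | route_dev default)
    case "$lo,$hi,$def" in
        tun*,tun*,*) echo tunnelled ;;  # redirect-gateway def1: two /1 routes beat default
        ,,tun*)      echo tunnelled ;;  # plain redirect-gateway: default route replaced
        *)           echo leaking ;;
    esac
}

# $1 = extra LAN subnet; also reports whether it has a static route outside the tunnel.
check_routes() {
    all=$(cat)
    lan=$(printf '%s\n' "$all" | route_dev "$1")
    case "$lan" in
        ""|tun*) lan_state=lan-unrouted ;;  # no static route: follows the catch-all route
        *)       lan_state=lan-direct ;;
    esac
    echo "$(printf '%s\n' "$all" | tunnel_state) $lan_state"
}

ROUTES_UP='0.0.0.0/1 via 10.8.8.1 dev tun0
default via 192.168.0.1 dev eth0
128.0.0.0/1 via 10.8.8.1 dev tun0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.20
192.168.1.0/24 via 192.168.0.1 dev eth0'
ROUTES_PLAIN='default via 10.8.8.1 dev tun0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.20'
ROUTES_DOWN='default via 192.168.0.1 dev eth0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.20'

for sample in "$ROUTES_UP" "$ROUTES_PLAIN" "$ROUTES_DOWN"; do
    printf '%s\n' "$sample" | check_routes 192.168.1.0/24
done
# On the box itself: ip -4 route show | check_routes 192.168.1.0/24
```

Unlike the external IP lookup, this check needs no network access, so it still gives an answer while the tunnel is reconnecting.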


#2

Hey @chojin

Thanks for your article!
I just tried to set up the vpn (NordVPN) on my Vero4k+, but somehow struggle to check if it actually worked.
How can I check if the VPN is actually up and running?

Btw, I’m so not a Linux user! All I do is copy/paste into putty.
So, if there is a question for me to answer, keep that in mind please :slight_smile:


#3

Hi,

curl ipinfo.io/ip.

Copy the above into your putty session, when the vero is connected to the VPN. It should be different from the public IP provided by your ISP.

Thanks Tom.


#4

Thanks for your reply.
It seems like it didn’t quite work out. Still have my normal ISP IP.
Any advice on how I can get the VPN running (ideally automatically on startup)?


#5

With the output of systemctl status openpyn and/or journalctl -u openpyn, you should be able to determine if the service is running correctly. And if not, why:

The first few lines of the systemctl command output should be something like this:

openpyn.service - NordVPN connection manager
   Loaded: loaded (/etc/systemd/system/openpyn.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2018-10-02 22:21:02 CEST; 1 weeks 1 days ago

If it mentions “disabled” on the “Loaded:”-line, you should enable it with the command systemctl enable openpyn which means that systemd will try to start the service automatically during boot of the device.
If the “Active:”-line tells you that the service is stopped, you should try to start it manually with systemctl start openpyn. If it tells you that it failed however, you will have to dig in the logging which you will find by using the command journalctl -u openpyn


#6

Alright, I checked and it said at “Active:” that it’s inactive.
I tried to activate it with systemctl enable openpyn and checked again.
Looks like it turns itself off immediately:

* openpyn.service - NordVPN connection manager
   Loaded: loaded (/etc/systemd/system/openpyn.service; enabled; vendor preset:
   Active: inactive (dead) since Thu 2018-10-11 12:06:54 CEST; 2s ago
  Process: 7282 ExecStop=/usr/local/bin/openpyn --kill (code=exited, status=0/SU
  Process: 7276 ExecStart=/usr/local/bin/openpyn --p2p --silent (code=exited, st
  Process: 7273 ExecStartPre=/bin/sleep 5 (code=exited, status=0/SUCCESS)
 Main PID: 7276 (code=exited, status=0/SUCCESS)

Oct 11 12:06:52 osmc systemd[1]: Started NordVPN connection manager.
Oct 11 12:06:54 osmc openpyn[7282]: 2018-10-11 12:06:54 [WARNING] Killing the ru
Oct 11 12:06:54 osmc openpyn[7282]: Killing the running processes
Oct 11 12:06:54 osmc sudo[7285]:     root : TTY=unknown ; PWD=/usr/local/lib/pyt
Oct 11 12:06:54 osmc sudo[7285]: pam_unix(sudo:session): session opened for user
Oct 11 12:06:54 osmc sudo[7285]: pam_unix(sudo:session): session closed for user
Oct 11 12:06:54 osmc sudo[7303]:     root : TTY=unknown ; PWD=/usr/local/lib/pyt
Oct 11 12:06:54 osmc sudo[7303]: pam_unix(sudo:session): session opened for user
Oct 11 12:06:54 osmc sudo[7303]: pam_unix(sudo:session): session closed for user
Oct 11 12:06:54 osmc openpyn[7282]: sudo: killall: command not found

Not quite sure how to go from here…


#7

Looks like openpyn is looking for killall:

sudo apt-get install psmisc

Thanks Tom.


#8

Awesome, we’re closer :slight_smile:
Thank you so much for your help lads!

 * openpyn.service - NordVPN connection manager
   Loaded: loaded (/etc/systemd/system/openpyn.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2018-10-11 19:04:48 CEST; 52s ago
  Process: 1004 ExecStartPre=/bin/sleep 5 (code=exited, status=0/SUCCESS)
 Main PID: 1162 (openpyn)
   CGroup: /system.slice/openpyn.service
           |-1162 /usr/bin/python3 /usr/local/bin/openpyn uk
           |-1891 /usr/bin/python3 /usr/local/bin/openpyn-management
           |-1908 sudo openvpn --redirect-gateway --auth-retry nointeract --config /usr/local/lib/python3.5/dist-packages/openpyn/files/ovpn_udp/uk287.nordvpn.com.udp.ovpn --auth-user-pass /usr/local/lib/python3.5/dist-packages/openpyn/c
           `-1915 openvpn --redirect-gateway --auth-retry nointeract --config /usr/local/lib/python3.5/dist-packages/openpyn/files/ovpn_udp/uk287.nordvpn.com.udp.ovpn --auth-user-pass /usr/local/lib/python3.5/dist-packages/openpyn/creden

Oct 11 19:05:27 osmc openpyn[1162]: Thu Oct 11 19:05:27 2018 Validating certificate extended key usage
Oct 11 19:05:27 osmc openpyn[1162]: Thu Oct 11 19:05:27 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Oct 11 19:05:27 osmc openpyn[1162]: Thu Oct 11 19:05:27 2018 VERIFY EKU OK
Oct 11 19:05:27 osmc openpyn[1162]: Thu Oct 11 19:05:27 2018 VERIFY OK: depth=0, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=uk287.nordvpn.com, name=NordVPN, emailAddress=cert@nordvpn.com
Oct 11 19:05:30 osmc openpyn[1162]: Thu Oct 11 19:05:30 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Oct 11 19:05:30 osmc openpyn[1162]: Thu Oct 11 19:05:30 2018 [uk287.nordvpn.com] Peer Connection Initiated with [AF_INET]89.238.139.77:1194
Oct 11 19:05:31 osmc openpyn[1162]: Thu Oct 11 19:05:31 2018 SENT CONTROL [uk287.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Oct 11 19:05:31 osmc openpyn[1162]: Thu Oct 11 19:05:31 2018 AUTH: Received control message: AUTH_FAILED
Oct 11 19:05:31 osmc openpyn[1162]: Thu Oct 11 19:05:31 2018 SIGUSR1[soft,auth-failure] received, process restarting
Oct 11 19:05:31 osmc openpyn[1162]: Thu Oct 11 19:05:31 2018 Restart pause, 10 second(s)

I tried now to check with curl ipinfo.io/ip, but still get my normal ISP IP which confuses me.
Maybe I missed some settings (maybe at NordVPN directly).
I will check in that direction.


#9

My bad :man_facepalming:
Got it now.

Thanks again for your amazing support (and patience)!


#10

What was it? Will help other users avoid the same mistake.

Thanks Tom.


#11

AUTH: Received control message: AUTH_FAILED
Username/password combination simply was wrong :smile:

Now I have the issue that none of my streaming plug-ins care to open anymore but just keep loading, but I don’t want to mix topics here.
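
The two failures diagnosed in posts #6 to #11 can be recognised mechanically from journalctl -u openpyn output. The following is an added example, not code from any poster or from openpyn: the function names and verdict strings are assumptions, the first two sample logs reuse lines quoted in posts #6 and #8, and the "Initialization Sequence Completed" line in the third is constructed.

```shell
#!/bin/sh
# Added example: triage `journalctl -u openpyn` output for the failures in this thread.
# The first two patterns are quoted from posts #6 and #8; "Initialization Sequence
# Completed" is what OpenVPN logs once a tunnel is fully established.
triage_openpyn_log() {
    awk '
        /killall: command not found/                  { missing = 1 }
        /AUTH: Received control message: AUTH_FAILED/ { fails++; state = "auth-failed" }
        /Initialization Sequence Completed/           { state = "connected" }
        END {
            # OpenVPN restarts after a failure, so the last tunnel event decides.
            if (missing) print "missing-killall"
            if (state == "auth-failed") print "auth-failed failures=" fails
            else if (state == "connected") print "connected"
            else if (!missing) print "no-verdict"
        }'
}

# Map each verdict to the cause or fix reported in the thread.
advise() {
    while read -r verdict rest; do
        case "$verdict" in
            missing-killall) echo "install psmisc: sudo apt-get install psmisc" ;;
            auth-failed)     echo "stored NordVPN username/password rejected" ;;
            connected)       echo "tunnel up: confirm with curl ipinfo.io/ip" ;;
            *)               echo "inspect: journalctl -u openpyn" ;;
        esac
    done
}

LOG_POST6='Oct 11 12:06:54 osmc openpyn[7282]: Killing the running processes
Oct 11 12:06:54 osmc openpyn[7282]: sudo: killall: command not found'
LOG_POST8='Oct 11 19:05:31 osmc openpyn[1162]: Thu Oct 11 19:05:31 2018 AUTH: Received control message: AUTH_FAILED
Oct 11 19:05:31 osmc openpyn[1162]: Thu Oct 11 19:05:31 2018 Restart pause, 10 second(s)'
# Constructed: the post #8 log followed by a successful reconnect.
LOG_FIXED="$LOG_POST8
Oct 11 19:20:02 osmc openpyn[1162]: Thu Oct 11 19:20:02 2018 Initialization Sequence Completed"

for log in "$LOG_POST6" "$LOG_POST8" "$LOG_FIXED"; do
    printf '%s\n' "$log" | triage_openpyn_log | advise
done
# On the box itself: journalctl -u openpyn --no-pager | triage_openpyn_log | advise
```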


#12

Added psmisc to the dependencies to install. Thanks!


#13

Added curl ipinfo.io/ip as a tip to check the vpn status. Thanks!