OpenVPN, moving from init.d way to the Stretch/systemd way

Strangely, I tried with a different conf file (different NordVPN server) and it works, so perhaps it is server related.

This is the conf that gave me trouble:

osmc@Vero:/etc/openvpn$ cat se8.conf


#           _   _               ___     ______  _   _
#          | \ | | ___  _ __ __| \ \   / /  _ \| \ | |
#          |  \| |/ _ \| '__/ _` |\ \ / /| |_) |  \| |
#          | |\  | (_) | | | (_| | \ V / |  __/| |\  |
#          |_| \_|\___/|_|  \__,_|  \_/  |_|   |_| \_|
#


client
dev tun
proto udp
remote 193.105.134.166 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
explicit-exit-notify 3

remote-cert-tls server
auth-user-pass /etc/openvpn/login.txt

#mute 10000

comp-lzo
verb 3
pull
fast-io
cipher AES-256-CBC

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>

And this one just works, with and without login.txt:

osmc@Vero:/etc/openvpn$ sudo cat nl170.conf


#           _   _               ___     ______  _   _
#          | \ | | ___  _ __ __| \ \   / /  _ \| \ | |
#          |  \| |/ _ \| '__/ _` |\ \ / /| |_) |  \| |
#          | |\  | (_) | | | (_| | \ V / |  __/| |\  |
#          |_| \_|\___/|_|  \__,_|  \_/  |_|   |_| \_|
#


client
dev tun
proto udp
remote 185.212.171.201 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0

explicit-exit-notify 3

remote-cert-tls server

#mute 10000
auth-user-pass login.txt

comp-lzo
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>

Learned something new.

My apologies for wasting your time; it must be a server issue. Of their 2500 servers, I happened to choose a bad one! Other servers from NordVPN just work immediately.

Sorry to waste everybody’s time!

If anyone is interested in a true OpenVPN mystery… I have one posted in the openvpn forum (I didn’t want to harass people here, seemed a bit too far off topic).

Thanks again for this stupid stuff with NordVPN!

Generally, the CA certificate will always be the same - but here they’re different.

Try a good conf file to the “bad” server; just change the IP address.

Tested and indeed, NordVPN server 193.105.134.166 (port 1194) is definitely having trouble! Guess they have monitoring for this. I’ll test again tomorrow and send them an email if it still doesn’t work.
I’ll just use the working server for now.

Strangely, there is still an issue when I just run sudo systemctl start openvpn:

Jan 22 22:38:20 Vero ovpn-nl170[4687]: ERROR: Linux route add command failed: external program exited with error status: 2

But I will check with a fresh mind tomorrow.

Jan 22 22:38:19 Vero ovpn-nl170[4687]: VERIFY OK: depth=0, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=nl170.nordvpn.com, name=NordVPN, emailAddr
Jan 22 22:38:19 Vero ovpn-nl170[4687]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jan 22 22:38:19 Vero ovpn-nl170[4687]: [nl170.nordvpn.com] Peer Connection Initiated with [AF_INET]185.212.171.201:1194
Jan 22 22:38:20 Vero ovpn-nl170[4687]: SENT CONTROL [nl170.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Jan 22 22:38:20 Vero ovpn-nl170[4687]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,dhcp-option DNS 7
Jan 22 22:38:20 Vero ovpn-nl170[4687]: OPTIONS IMPORT: timers and/or timeouts modified
Jan 22 22:38:20 Vero ovpn-nl170[4687]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Jan 22 22:38:20 Vero ovpn-nl170[4687]: Socket Buffers: R=[212992->1048576] S=[212992->1048576]
Jan 22 22:38:20 Vero ovpn-nl170[4687]: OPTIONS IMPORT: --ifconfig/up options modified
Jan 22 22:38:20 Vero ovpn-nl170[4687]: OPTIONS IMPORT: route options modified
Jan 22 22:38:20 Vero ovpn-nl170[4687]: OPTIONS IMPORT: route-related options modified
Jan 22 22:38:20 Vero ovpn-nl170[4687]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jan 22 22:38:20 Vero ovpn-nl170[4687]: OPTIONS IMPORT: peer-id set
Jan 22 22:38:20 Vero ovpn-nl170[4687]: OPTIONS IMPORT: adjusting link_mtu to 1657
Jan 22 22:38:20 Vero ovpn-nl170[4687]: OPTIONS IMPORT: data channel crypto options modified
Jan 22 22:38:20 Vero ovpn-nl170[4687]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 22 22:38:20 Vero ovpn-nl170[4687]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 22 22:38:20 Vero ovpn-nl170[4687]: ROUTE_GATEWAY 192.168.1.254/255.255.255.0 IFACE=wlan0 HWADDR=cc:b8:a8:11:64:48
Jan 22 22:38:20 Vero ovpn-nl170[4687]: TUN/TAP device tun1 opened
Jan 22 22:38:20 Vero ovpn-nl170[4687]: TUN/TAP TX queue length set to 100
Jan 22 22:38:20 Vero ovpn-nl170[4687]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Jan 22 22:38:20 Vero ovpn-nl170[4687]: /sbin/ip link set dev tun1 up mtu 1500
Jan 22 22:38:20 Vero connmand[365]: tun1 {create} index 7 type 65534 <NONE>
Jan 22 22:38:20 Vero connmand[365]: tun1 {update} flags 4240 <DOWN>
Jan 22 22:38:20 Vero connmand[365]: tun1 {newlink} index 7 address 00:00:00:00:00:00 mtu 1500
Jan 22 22:38:20 Vero connmand[365]: tun1 {newlink} index 7 operstate 2 <DOWN>
Jan 22 22:38:20 Vero connmand[365]: tun1 {update} flags 69841 <UP,RUNNING,LOWER_UP>
Jan 22 22:38:20 Vero connmand[365]: tun1 {newlink} index 7 address 00:00:00:00:00:00 mtu 1500
Jan 22 22:38:20 Vero connmand[365]: tun1 {newlink} index 7 operstate 0 <UNKNOWN>
Jan 22 22:38:20 Vero ovpn-nl170[4687]: /sbin/ip addr add dev tun1 10.8.8.134/24 broadcast 10.8.8.255
Jan 22 22:38:20 Vero connmand[365]: tun1 {add} address 10.8.8.134/24 label tun1 family 2
Jan 22 22:38:20 Vero connmand[365]: tun1 {add} route 10.8.8.0 gw 0.0.0.0 scope 253 <LINK>
Jan 22 22:38:20 Vero ovpn-nl170[4687]: /sbin/ip route add 185.212.171.201/32 via 192.168.1.254
Jan 22 22:38:20 Vero ovpn-nl170[4687]: ERROR: Linux route add command failed: external program exited with error status: 2
Jan 22 22:38:20 Vero ovpn-nl170[4687]: /sbin/ip route add 0.0.0.0/1 via 10.8.8.1
Jan 22 22:38:20 Vero ovpn-nl170[4687]: ERROR: Linux route add command failed: external program exited with error status: 2
Jan 22 22:38:20 Vero ovpn-nl170[4687]: /sbin/ip route add 128.0.0.0/1 via 10.8.8.1
Jan 22 22:38:20 Vero ovpn-nl170[4687]: ERROR: Linux route add command failed: external program exited with error status: 2
Jan 22 22:38:20 Vero ovpn-nl170[4687]: Initialization Sequence Completed

Check with route -n

If the lines

0.0.0.0         10.8.8.1        128.0.0.0       UG    0      0        0 tun1
128.0.0.0       10.8.8.1        128.0.0.0       UG    0      0        0 tun1

already exist, then the server is incorrectly pushing them - but the VPN is probably okay.
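
The check suggested in the post above, as an added example that is not part of the original thread: it pairs each failed `ip route add` in the OpenVPN log with the output of `route -n` and reports whether that route is already in the table. The log lines are the ones posted in the thread; the routing table is a constructed sample and the function names are illustrative.

```python
import ipaddress
import re

# Log lines as posted in the thread (timestamp/host trimmed); the `route -n` table is constructed.
SAMPLE_LOG = """\
ovpn-nl170[4687]: /sbin/ip route add 185.212.171.201/32 via 192.168.1.254
ovpn-nl170[4687]: ERROR: Linux route add command failed: external program exited with error status: 2
ovpn-nl170[4687]: /sbin/ip route add 0.0.0.0/1 via 10.8.8.1
ovpn-nl170[4687]: ERROR: Linux route add command failed: external program exited with error status: 2
ovpn-nl170[4687]: /sbin/ip route add 128.0.0.0/1 via 10.8.8.1
ovpn-nl170[4687]: ERROR: Linux route add command failed: external program exited with error status: 2
"""
SAMPLE_TABLE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.8.1        128.0.0.0       UG    0      0        0 tun1
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 wlan0
128.0.0.0       10.8.8.1        128.0.0.0       UG    0      0        0 tun1
185.212.171.201 192.168.1.254   255.255.255.255 UGH   0      0        0 wlan0
"""

ROUTE_ADD = re.compile(r"ip route add (\S+) via (\S+)")

def failed_route_adds(log_text):
    """(network, gateway) of the most recent `ip route add` before each ERROR line."""
    failed, last = [], None
    for line in log_text.splitlines():
        m = ROUTE_ADD.search(line)
        if m:
            last = (ipaddress.ip_network(m.group(1), strict=False), m.group(2))
        elif "route add command failed" in line and last:
            failed.append(last)
            last = None
    return failed

def parse_route_n(table_text):
    """Set of (network, gateway) from `route -n`; Genmask is converted to a prefix length."""
    routes = set()
    for line in table_text.splitlines():
        f = line.split()
        if len(f) == 8 and f[0][0].isdigit():  # data rows only, header skipped
            prefix = bin(int(ipaddress.IPv4Address(f[2]))).count("1")
            routes.add((ipaddress.ip_network(f"{f[0]}/{prefix}"), f[1]))
    return routes

def classify(log_text, table_text):
    """Map each failed route to 'already present' or 'missing' in the table."""
    present = parse_route_n(table_text)
    return {f"{net} via {gw}": "already present" if (net, gw) in present else "missing"
            for net, gw in failed_route_adds(log_text)}
```

A route reported as "missing" means the `ip route add` failure left that path unset, so traffic for it is not going where the pushed configuration intended.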