OpenVPN setup issues [solved]

I have been a happy user of OSMC for several years already. I recently moved from an RPI 2 to an RPI 3 and a clean OSMC image. Now I am having difficulty getting my openvpn connection to work again. This was running perfectly on the RPI2 with openvpn (Nordvpn) and the Zomboided plugin in Kodi.

Now with the new image and the RPI3 the Zomboided VPN manager plugin hangs on ‘Connected, checking location info…’. After an investigation on their wiki, this is potentially due to DNS issues. To fix it I installed jonathanio/update-systemd-resolved from GitHub (a helper script for OpenVPN to directly update the DNS settings of a link through systemd-resolved via DBus) and added the extra lines to my *.ovpn file. This still did not resolve the issues.

script-security 2

setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

up /etc/openvpn/scripts/update-systemd-resolved

up-restart

down /etc/openvpn/scripts/update-systemd-resolved

down-pre

I tried to set up OpenVPN fully manually from the SSH command line and connect to the NordVPN ovpn server. The VPN server successfully connects, but then the outside internet connection is not functional anymore.

ifconfig is showing a connected TUN0, but e.g. ‘curl ipinfo.io’ is not returning anything anymore.

My log: grab-logs -J -K

https://paste.osmc.tv/rivubaloro

This is my log file. OpenVPN is autostarting (by systemd) and connecting to my VPN server then no outside internet connection is working anymore (for this log I was not using the update-systemd-resolved script).

After many hours of testing I am stuck and hope to get some support on how to troubleshoot this further and potentially get my VPN working again.

I think you’re going down a blind alley with systemd-resolved, which is disabled on OSMC and is likely to be incompatible with connman.

I don’t use Zomboided and have no real knowledge of its workings. However, vanilla OpenVPN should work, so you need to address this problem first. I’m sure Zomboided users will pitch in if the problem persists.

First off, please disable and stop the systemd-resolved service, then change references to

/etc/openvpn/scripts/update-systemd-resolved

to

/etc/openvpn/update-resolv-conf

then reboot

Once your OpenVPN link is up and running, please post the output from the following commands:

cat /etc/resolv.conf
route -n

and we can take it from there.

Thanks for your reply.
I disabled the service by: sudo systemctl disable systemd-resolved.service
sudo reboot

started openvpn:
cd /etc/openvpn/
sudo openvpn /etc/openvpn/nl605.conf
→ log

in new SSH window:
cat /etc/resolv.conf
→ log

route -n
→ log

The log output:
https://paste.osmc.tv/eyujinerog.coffee

The file /etc/openvpn/update-resolv-conf
does not exist in my directory. Potentially I deleted it during the various tests.

The missing script is part of the standard openvpn package, so a reinstall should fix that:

sudo apt-get install --reinstall openvpn

You’re still showing the original DNS server, but that should be fixed when you reinstall openvpn.

Are you able to ping Google DNS right now?

ping -c2 8.8.8.8

I reinstalled the package with: sudo apt-get install --reinstall openvpn
still this file is not in the /etc/openvpn directory (ls -la)

ping -c2 8.8.8.8 is working also when connected to the VPN

See the logs: https://paste.osmc.tv/izasazokes.coffee

What isn’t working after the VPN is connected (to check my IP):
dig +short myip.opendns.com @resolver1.opendns.com
OR
curl ipinfo.io

Both commands don’t answer with the IP anymore after the VPN is connected.

I can confirm that, although part of the package, it doesn’t install. You can copy/paste from here:

#!/bin/bash
# 
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood and Chris Hanson.
# Licensed under the GNU GPL.  See /usr/share/common-licenses/GPL. 
# 
# Example envs set from openvpn:
#
#     foreign_option_1='dhcp-option DNS 193.43.27.132'
#     foreign_option_2='dhcp-option DNS 193.43.27.133'
#     foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
#

# [ -x /sbin/resolvconf ] || exit 0
[ "$script_type" ] || exit 0
[ "$dev" ] || exit 0

split_into_parts()
{
	part1="$1"
	part2="$2"
	part3="$3"
}

case "$script_type" in
  up)
	NMSRVRS=""
	SRCHS=""
	for optionvarname in ${!foreign_option_*} ; do
		option="${!optionvarname}"
		echo "$option"
		split_into_parts $option
		if [ "$part1" = "dhcp-option" ] ; then
			if [ "$part2" = "DNS" ] ; then
				NMSRVRS="${NMSRVRS:+$NMSRVRS }$part3"
			elif [ "$part2" = "DOMAIN" ] ; then
				SRCHS="${SRCHS:+$SRCHS }$part3"
			fi
		fi
	done
	R=""
	[ "$SRCHS" ] && R="search $SRCHS
"
	for NS in $NMSRVRS ; do
        	R="${R}nameserver $NS
"
	done
#	echo -n "$R" | /sbin/resolvconf -a "${dev}.openvpn"
#        /usr/bin/connmanctl config ethernet_b827eb00bef9_cable --ipv4 manual 192.168.8.33 255.255.255.0 192.168.8.1 --nameservers "$NMSRVRS"
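	# Unquoted on purpose: each pushed nameserver must be its own argument,
	# as in the 'down' branch below.
	/usr/bin/connmanctl config ethernet_b827eb00bef9_cable --nameservers $NMSRVRS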
	;;
  down)
#	/sbin/resolvconf -d "${dev}.openvpn"
#	/usr/bin/connmanctl config ethernet_b827eb00bef9_cable --ipv4 manual 192.168.8.33 255.255.255.0 192.168.8.1 --nameservers 8.8.8.8 8.8.4.4
	/usr/bin/connmanctl config ethernet_b827eb00bef9_cable --nameservers 8.8.8.8 8.8.4.4
	;;
esac

Remember to make it owned by root and 755 executable.

Since you’re still using the old “ntlworld” DNS server, it’s probably blocking external DNS requests. Blocked me, as well.

I created the file as root with chmod 755 in the /etc/openvpn dir.

Then I started the openvpn server (without link up / down) in my conf file; same result.
Then I added in my openvpn conf file

up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Now I get an error and openvpn is not connecting anymore.
Mon Dec 9 07:13:10 2019 /etc/openvpn/update-resolv-conf tun0 1500 1585 10.8.2.29 255.255.255.0 init
Mon Dec 9 07:13:10 2019 WARNING: Failed running command (--up/--down): could not execute external program
Mon Dec 9 07:13:10 2019 Exiting due to fatal error

logs: https://paste.osmc.tv/ihoguhuyuq.coffee

From your log:

WARNING: External program may not be called unless '--script-security 2' or higher is enabled.

so did you remove script-security 2 from the config file? It was there in your first post – and is needed.

One of the hazards of not providing full logs is that we can’t see what’s installed on your machine. In case you haven’t done so, you need to have also installed either the resolvconf or openresolv package.

Edit. It seems that the update-resolv-conf script is being treated as a configuration file (conffile). The rule is that a conffile isn’t reinstalled if the system believes that you have deleted it. Therefore the correct command to install missing conffiles should have been:

sudo apt-get install -o DPkg::options::=--force-confmiss --reinstall openvpn
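
The conffile rule described in the post above can be checked before reinstalling. The following is an added example, not part of the original thread: it lists a package's conffiles that are missing on disk, which are the ones a plain `--reinstall` leaves out. The function name, the scratch directory and the sample checksums are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list a package's conffiles that are
# missing on disk, i.e. files a plain --reinstall will not put back.

# missing_conffiles ROOT: reads dpkg-query's ${Conffiles} lines on stdin
# (" <path> <md5sum> [obsolete]") and prints each path absent under ROOT.
missing_conffiles() {
    while read -r path sum flag; do
        [ -n "$path" ] || continue            # skip blank lines
        [ "$flag" = "obsolete" ] && continue  # no longer shipped by the package
        [ -e "$1$path" ] || echo "$path"
    done
}

# Constructed sample: a scratch root where one conffile has been deleted.
# The checksums are placeholders, not real package data.
demo() (
    root=$(mktemp -d)
    mkdir -p "$root/etc/default"
    : > "$root/etc/default/openvpn"
    printf ' %s %s\n' \
        /etc/default/openvpn 00000000000000000000000000000000 \
        /etc/openvpn/update-resolv-conf 11111111111111111111111111111111 |
        missing_conffiles "$root"
    rm -rf "$root"
)

demo
# On a live system (requires dpkg):
#   dpkg-query -W -f='${Conffiles}\n' openvpn | missing_conffiles ""
```

Any path it prints needs the `--force-confmiss` form of the reinstall shown above.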

The issue is solved! dillthedog, thank you so much for your perfect guidance!

If someone else is reading this thread, here is the summary on how it can be solved.

Follow this guide first: https://pimylifeup.com/raspberry-pi-nordvpn/
(except for preventing DNS leaks part)

Then install:
sudo apt-get install openresolv

then add to your /etc/openvpn/xxx.conf file:
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

start the vpn:
sudo openvpn xxx.conf
curl ipinfo.io (this will then confirm your outside connection and new IP)
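
The failure diagnosed in this thread was a resolv.conf that still listed the pre-VPN resolver after the tunnel came up. The following added example (not from the thread or from the OpenVPN package) checks that every active resolver is one the VPN pushed, reading the same `foreign_option_N` variables that update-resolv-conf parses. It assumes resolv.conf lists the resolvers directly; the function names and the sample addresses (documentation ranges) are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check that every resolver in a
# resolv.conf-format file is one the VPN server pushed.

# DNS servers pushed by OpenVPN, one per line, read from foreign_option_N
# (the environment variables OpenVPN hands to its up script).
pushed_dns() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        set -f; set -- $opt; set +f   # split "dhcp-option DNS <addr>", no globbing
        if [ "$1" = "dhcp-option" ] && [ "$2" = "DNS" ]; then echo "$3"; fi
        i=$((i + 1))
    done
}

# check_dns FILE: 0 = all resolvers were pushed by the VPN, 1 = at least one
# was not (or FILE has none), 2 = the VPN pushed no DNS servers at all.
check_dns() {
    pushed=$(pushed_dns)
    [ -n "$pushed" ] || { echo "VPN pushed no DNS servers"; return 2; }
    seen=0 bad=0
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$1"); do
        seen=1
        if ! printf '%s\n' "$pushed" | grep -qxF -- "$ns"; then
            echo "not pushed by VPN: $ns"
            bad=1
        fi
    done
    [ "$seen" = 1 ] && [ "$bad" = 0 ]
}

# Constructed sample: two pushed resolvers, and a resolv.conf that still
# lists a resolver from before the tunnel came up.
demo() (
    foreign_option_1='dhcp-option DNS 203.0.113.10'
    foreign_option_2='dhcp-option DNS 203.0.113.11'
    f=$(mktemp)
    printf 'nameserver 192.0.2.53\nnameserver 203.0.113.10\n' > "$f"
    rc=0; check_dns "$f" || rc=$?
    rm -f "$f"
    exit "$rc"
)

demo || echo "resolv.conf is not using only the VPN's DNS"
```

Called as `check_dns /etc/resolv.conf` from a script OpenVPN runs after the up script, it reports the stale resolver instead of leaving it to be found through a hanging `curl ipinfo.io`.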

Glad it’s working now.

Since you’re using NordVPN, I thought you might find this interesting: https://medium.com/@derek./how-is-nordvpn-unblocking-disney-6c51045dbc30

I will have a look thanks.

Hi,
Can you give some more info about how you fixed this…
What is the /etc/openvpn/xxx.conf ?? Did you create it yourself or is that the .ovpn file?
My .ovpn is not in that folder…
Any help would be greatly appreciated.

Nevermind it’s sorted…edited my ovpn and connected.