OSMC and openvpn: openvpn works, but only from command line

Started here in an existing topic but someone suggested mine wasn’t directly related and I should go for a new topic, so…

I have set up openvpn on a RPI 3/OSMC system. It seems that openvpn works to a point (using the free vpn services to start).

Here’s where I’ve gotten to – when I execute:

openvpn --remote --dev tun1 --ifconfig 10.9.8.1 10.9.8.2

I get as a result:

Wed Mar 22 10:13:50 2017 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 19 2015
Wed Mar 22 10:13:50 2017 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08
Wed Mar 22 10:13:50 2017 ******* WARNING *******: all encryption and authentication features disabled – all data will be tunnelled as cleartext
Wed Mar 22 10:13:50 2017 TUN/TAP device tun1 opened
Wed Mar 22 10:13:50 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Mar 22 10:13:50 2017 /sbin/ip link set dev tun1 up mtu 1500
Wed Mar 22 10:13:50 2017 /sbin/ip addr add dev tun1 local 10.9.8.1 peer 10.9.8.2
Wed Mar 22 10:13:50 2017 UDPv4 link local (bound): [undef]
Wed Mar 22 10:13:50 2017 UDPv4 link remote: [AF_INET]176.126.237.207:1194

…and the output stops, as if it’s waiting (which may be the right result).

Then if I execute ifconfig -a I get:

(eth0 and lo info…snip…)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.9.8.1  P-t-P:10.9.8.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

So the command line version seems to work. However, if I try to run

sudo openvpn /etc/openvpn/.vpn_config/FreeVPN.me-TCP443.ovpn

I get this msg (among other warnings):

…snip…
ERROR: Cannot ioctl TUNSETIFF tun1: Operation not permitted (errno=1)
Exiting due to fatal error

and running ifconfig -a shows me my eth0 and lo info, but the tun1 info is nowhere to be found.

This feels like a permissions issue, but could be something more subtle.

Thx for any help on this…

Have you tried to use the indispensable forum search?

The OP is trying to configure an openvpn client, not a server.

I checked the config file and it needs a userid and password. You need to create a file pass.txt in the same location as the config file. The file should contain two lines:

freevpnme
RD9PNBE3iNu

For now, I’d suggest you move the config file to directory /etc/openvpn and place pass.txt there too. Then edit the config file and change the line

auth-user-pass
to

auth-user-pass pass.txt

See what happens.


@ActionA

I did and the 1 thread (where I posted 1st) I came across was close, but no cigar. And I’m trying to do a client, not a server. Thx.

@dillthedog

As you (and the article “How to set up your VPN on raspberry pi using Brian Hornsby Openvpn for XBMC” which got me this far) suggested I created the pass.txt file and appropriately modified 2 profiles (1 for TCP, 1 for UDP) and, since my previous posting, moved to /etc/openvpn/.vpn_config/. I also changed the 3 files so ownership → root:root and permissions → 755.

As you’re prob’ly aware the profiles I’m using have 2 certificates (1 <cert> and 1 <ca>) and the private key actually in the profile so I’m assuming that’s taken care of.

My output from sudo openvpn /etc/openvpn/.vpn_config/FreeVPN.me-TCP443.ovpn now is:

Wed Mar 22 14:12:02 2017 NOTE: --fast-io is disabled since we are not using UDP
Wed Mar 22 14:12:02 2017 Socket Buffers: R=[87380->131072] S=[16384->131072]
Wed Mar 22 14:12:02 2017 Attempting to establish TCP connection with [AF_INET]176.126.237.207:443 [nonblock]
Wed Mar 22 14:12:03 2017 TCP connection established with [AF_INET]176.126.237.207:443
Wed Mar 22 14:12:03 2017 TCPv4_CLIENT link local: [undef]
Wed Mar 22 14:12:03 2017 TCPv4_CLIENT link remote: [AF_INET]176.126.237.207:443
Wed Mar 22 14:12:03 2017 Connection reset, restarting [0]
Wed Mar 22 14:12:03 2017 SIGUSR1[soft,connection-reset] received, process restarting
Wed Mar 22 14:12:03 2017 Restart pause, 5 second(s)
Wed Mar 22 14:12:05 2017 SIGINT[hard,init_instance] received, process exiting

…and it does indeed reset, pause and tries again.

and if I do sudo openvpn /etc/openvpn/.vpn_config/FreeVPN.me-UDP-40000.ovpn I get:

Wed Mar 22 14:23:45 2017 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 19 2015
Wed Mar 22 14:23:45 2017 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Wed Mar 22 14:23:45 2017 WARNING: file '/etc/openvpn/.vpn_config/pass.txt' is group or others accessible
Wed Mar 22 14:23:45 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Mar 22 14:23:45 2017 Socket Buffers: R=[163840->131072] S=[163840->131072]
Wed Mar 22 14:23:45 2017 UDPv4 link local: [undef]
Wed Mar 22 14:23:45 2017 UDPv4 link remote: [AF_INET]176.126.237.207:40000
Wed Mar 22 14:24:45 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Mar 22 14:24:45 2017 TLS Error: TLS handshake failed
Wed Mar 22 14:24:45 2017 SIGUSR1[soft,tls-error] received, process restarting
Wed Mar 22 14:24:45 2017 Restart pause, 2 second(s)

…and also resets and tries again (except in between “UDPv4 link remote: …” and “TLS Error: TLS key negotiation…” there is a 30 sec or so delay).

Cannot tell if I’m doing something wrong or if there’s a problem at the server side (tho, I’m sure there are people out there who have gotten it to work…so it must be something on my end).

Could this be a firewall issue? Doesn’t seem like it.

Thx…

Since it’s a free service and I can download the same files as you, I’ll try to connect to it (but not from OSMC) and report back.

Thx. I really appreciate the help. At worst, you’ll confirm what I already suspect but cannot quite figure out…it’s something on my end.

I always know enuf to get this far. However, I don’t know quite enuf to deal with a subtlety that someone more experienced would easily recognize.

I’ll look forward to what you find.

I may also try from a Win 10 system, but that may not answer questions that might be specific to OSMC/Debian.

Cheers…

I have a whole stack of VM templates that I can use for openvpn tests, so it’s easy for me to plug in a new config and give it a spin.

The site doesn’t work. Just as you found, the TCP 443 connection repeatedly restarts with a SIGUSR1. I didn’t bother with the UDP, since I’m sure it would give the same error as you found.

The site just ain’t worth further effort, especially as it’s probably a honey pot financed by the MPAA or some similar body.

Ahhhh…I feel both disappointed (the site isn’t working) and elated (that it’s not me and I have prob’ly been doing it right all along).

MPAA, eh? I guess that’s 1 way to get around the privacy, no logging and anonymity that a VPN is supposed to provide. Sneaky…maybe you just helped me dodge a bullet :slight_smile:

OK. Time to move onto another solution that makes sense.

Figuring what’s wrong can be just as beneficial as figuring out what’s right.

Again, thx much for the help…Cheers…

I just can’t see much use for such a freebie VPN like theirs, since it costs money to operate one and, really, there is no Santa Claus. (Sorry to break that last one to you.)

And as for no logging, I think they’re probably referring to those cylindrical things made of wood.

If you really want to use a VPN, you’re going to have to pay some money.

Since I’m just starting out with VPN services, I figured to begin with a freebie site to get familiar and take time to figure out what would be a good pay-for-VPN access site. Guess I’m put in a position to have to do both pretty much at the same time.

I suppose if that’s the worst challenge I face in life, things can’t be too bad.

Sounds like you have VPN experience. Any good suggestions of a VPN service for primarily personal use? Thx.

One last question…so, can I assume that when I attempted to connect using the command line, I also wasn’t really connecting but only getting openvpn into active mode?

Cheers…

When openvpn connects successfully it will output a line to the log saying “Initialization Sequence Completed”. Until you see that, you’re probably not connected.

If you want to try another freebie, there’s always vpnbook.com.

I won’t recommend a commercial service but you can, for example, go to the “Privacy Technology” forum at wilderssecurity.com and read up on the latest recommendations.

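The check described in the reply above (no "Initialization Sequence Completed" line means no tunnel), combined with the warnings visible in the logs earlier in the thread, as an added example that is not part of any post. The finding names and the `assess` function are assumptions made up for this sketch; the matched substrings are the ones OpenVPN printed in the thread.

```python
import re

# Substrings copied from the OpenVPN 2.3.4 log lines quoted in this thread.
# The finding names on the left are labels made up for this example.
WARNINGS = {
    "cleartext_tunnel": "all encryption and authentication features disabled",
    "credential_file_readable": "is group or others accessible",
    "no_server_cert_verification": "No server certificate verification method",
}
FAILURES = {
    "tun_permission": "Cannot ioctl TUNSETIFF",
    "tls_handshake": "TLS handshake failed",
    "connection_reset": "Connection reset, restarting",
}
CONNECTED = "Initialization Sequence Completed"
RESTART = re.compile(r"SIGUSR1\[soft,[^\]]*\] received, process restarting")

def assess(log_text):
    """Summarise one client log: connected or not, warnings, failures."""
    out = {"connected": False, "warnings": [], "failures": [], "restarts": 0}
    for line in log_text.splitlines():
        if CONNECTED in line:
            out["connected"] = True
        if RESTART.search(line):
            # A restart tears the session down, so an earlier success is stale.
            out["connected"] = False
            out["restarts"] += 1
        for kind, table in (("warnings", WARNINGS), ("failures", FAILURES)):
            for name, needle in table.items():
                if needle in line and name not in out[kind]:
                    out[kind].append(name)
    return out

# Lines abridged from the UDP attempt and the first command-line run above.
UDP_LOG = """\
Wed Mar 22 14:23:45 2017 WARNING: file '/etc/openvpn/.vpn_config/pass.txt' is group or others accessible
Wed Mar 22 14:23:45 2017 WARNING: No server certificate verification method has been enabled.
Wed Mar 22 14:24:45 2017 TLS Error: TLS handshake failed
Wed Mar 22 14:24:45 2017 SIGUSR1[soft,tls-error] received, process restarting
"""
STATIC_LOG = """\
Wed Mar 22 10:13:50 2017 ******* WARNING *******: all encryption and authentication features disabled
Wed Mar 22 10:13:50 2017 UDPv4 link remote: [AF_INET]176.126.237.207:1194
"""
# Constructed line, not from the thread: what a working session would log.
OK_LOG = UDP_LOG + "Wed Mar 22 14:25:10 2017 Initialization Sequence Completed\n"

if __name__ == "__main__":
    for name, log in (("udp", UDP_LOG), ("static", STATIC_LOG), ("ok", OK_LOG)):
        print(name, assess(log))
```

The `credential_file_readable` finding goes away once pass.txt is readable by its owner only (for example mode 600); the 755 permissions mentioned earlier in the thread are what trigger that warning.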

I had a chance to do a bit more research and came across a number of articles concerning free VPN and honeypots. None of the articles were conclusive 1 way or the other, but they presented reasons both directions (honeypot and just a loss leader/freemium approach). Basically, it’s a “takes yer chances”.

Interestingly, at least 1 article mentioned that even paying for VPN services is not a guarantee to privacy. In certain situations, a VPN service can be bought by another unscrupulous organization solely for the purpose of getting access to private info (names, contact, credit cards, etc.). So, you’re right. There may not be a Santa Claus, but the devil is out there lurking about :scream:

I did come across vpnbook and will look more closely at that. Never heard of wilderssecurity.com so I will check that out, as well. Thx for the link.

Again, appreciate the help and knowledge xfer. Cheers…

Credit cards etc should be passed over a secure connection (TLS). This could only be leaked iff the VPN requires you to accept a TLS certificate. If they do, they are performing MITM operations, which is always going to be dangerous.

You also need to think about who would offer a free VPN, and why they’d do it. What would they gain from it?

Sam

Sam,

Appreciate the input. Why I enjoy asking questions about things I am yet to understand :slight_smile:

Essentially, security begins “at home”. If I can’t find a way to keep my info private, I have no business depending on someone else to do so (as we have seen from recent major hacks :frowning:)

I used to be an executive in high tech marketing (in Silicon Valley). I know all too well the strategies of free/freemium and what that means. Not necessarily a bad thing, but as a gas commercial once stated: “You can pay me now. Or you can pay me later.” The implication being that you are going to pay me, one way or another…if not in cash/coin, then in your information.

Cheers…