Hello,
I’m trying to install my VPN on my new Rpi4, but it does not work.
Here is what I did:
1- installed openvpn via apt-get install openvpn
2- created a VPN_folder called FIP under /etc/openvpn
3- copied my ovpn files to /etc/openvpn/FIP
But when I start my vpn, it does not start…
sudo openvpn --config /etc/openvpn/FIP/NL.ovpn
2023-05-21 11:42:32 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2023-05-21 11:42:32 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2023-05-21 11:42:32 WARNING: file '/etc/openvpn/FIP/password.txt' is group or others accessible
2023-05-21 11:42:32 OpenVPN 2.5.1 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
2023-05-21 11:42:32 library versions: OpenSSL 1.1.1n 15 Mar 2022, LZO 2.10
2023-05-21 11:42:32 RESOLVE: Cannot resolve host address: nl1.freedom-ip.com:443 (Name or service not known)
2023-05-21 11:42:32 RESOLVE: Cannot resolve host address: nl1.freedom-ip.com:443 (Name or service not known)
2023-05-21 11:42:32 Could not determine IPv4/IPv6 protocol
2023-05-21 11:42:32 SIGUSR1[soft,init_instance] received, process restarting
2023-05-21 11:42:37 RESOLVE: Cannot resolve host address: nl1.freedom-ip.com:443 (Name or service not known)
2023-05-21 11:42:37 RESOLVE: Cannot resolve host address: nl1.freedom-ip.com:443 (Name or service not known)
2023-05-21 11:42:37 Could not determine IPv4/IPv6 protocol
2023-05-21 11:42:37 SIGUSR1[soft,init_instance] received, process restarting
…
Any idea what this cipher warning is about?
Here is the .ovpn file content (I have replaced the >< in the code by & and *, since this would otherwise create a “blockquote”):
client
port 443
proto tcp
dev tun
remote nl1.freedom-ip.com
resolv-retry infinite
setenv CLIENT_CERT 0
*ca&
-----BEGIN CERTIFICATE-----
MII…
-----END CERTIFICATE-----
*/ca&
key-direction 1
*tls-auth&
-----BEGIN OpenVPN Static key V1-----
2c7…
-----END OpenVPN Static key V1-----
*/tls-auth&
auth-user-pass /etc/openvpn/FIP/password.txt
cipher AES-256-CBC
comp-lzo
verb 1
nobind
#ns-cert-type server
remote-cert-tls server
Thanks in advance
Hi,
The openvpn server in the client config doesn’t resolve:
I would ask the openvpn provider for an up to date client config.
Regards Tom.
I might have used old files. I reloaded the most recent files.
Seems to work, because I get this:
sudo openvpn --config /etc/openvpn/FIP/NL.ovpn
2023-05-21 13:00:07 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2023-05-21 13:00:07 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2023-05-21 13:00:07 WARNING: file '/etc/openvpn/FIP/ta.key' is group or others accessible
2023-05-21 13:00:07 WARNING: file '/etc/openvpn/FIP/password.txt' is group or others accessible
2023-05-21 13:00:07 OpenVPN 2.5.1 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
2023-05-21 13:00:07 library versions: OpenSSL 1.1.1n 15 Mar 2022, LZO 2.10
2023-05-21 13:00:07 TCP/UDP: Preserving recently used remote address: [AF_INET]185.212.226.142:443
2023-05-21 13:00:07 UDP link local: (not bound)
2023-05-21 13:00:07 UDP link remote: [AF_INET]185.212.226.142:443
2023-05-21 13:00:07 [server] Peer Connection Initiated with [AF_INET]185.212.226.142:443
2023-05-21 13:00:19 TUN/TAP device tun2 opened
2023-05-21 13:00:19 net_iface_mtu_set: mtu 1500 for tun2
2023-05-21 13:00:19 net_iface_up: set tun2 up
2023-05-21 13:00:19 net_addr_ptp_v4_add: 10.9.0.30 peer 10.9.0.29 dev tun2
2023-05-21 13:00:19 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-05-21 13:00:19 Initialization Sequence Completed
But when I check the status, it’s weird
sudo systemctl status openvpn@NL
* openvpn@NL.service - OpenVPN connection to NL
Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2023-05-20 23:07:46 CEST; 13h ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Main PID: 373 (openvpn)
Status: "Pre-connection initialization successful"
Tasks: 1 (limit: 3931)
CPU: 627ms
CGroup: /system.slice/system-openvpn.slice/openvpn@NL.service
`-373 /usr/sbin/openvpn --daemon ovpn-NL --status /run/openvpn/NL.status 10 --cd /etc/openvpn --config >
May 21 12:54:01 osmc ovpn-NL[373]: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
May 21 12:54:01 osmc ovpn-NL[373]: RESOLVE: Cannot resolve host address: nl1.freedom-ip.com:443 (Name or service not>
May 21 12:54:01 osmc ovpn-NL[373]: RESOLVE: Cannot resolve host address: nl1.freedom-ip.com:443 (Name or service not>
May 21 12:54:01 osmc ovpn-NL[373]: Could not determine IPv4/IPv6 protocol
May 21 12:54:01 osmc ovpn-NL[373]: SIGUSR1[soft,init_instance] received, process restarting
May 21 12:59:01 osmc ovpn-NL[373]: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
May 21 12:59:01 osmc ovpn-NL[373]: RESOLVE: Cannot resolve host address: nl1.freedom-ip.com:443 (Name or service not>
May 21 12:59:02 osmc ovpn-NL[373]: RESOLVE: Cannot resolve host address: nl1.freedom-ip.com:443 (Name or service not>
May 21 12:59:02 osmc ovpn-NL[373]: Could not determine IPv4/IPv6 protocol
May 21 12:59:02 osmc ovpn-NL[373]: SIGUSR1[soft,init_instance] received, process restarting
lines 1-23/23 (END)
Thank you
Hi,
Does it work if you issue:
sudo systemctl restart openvpn@NL
I think openvpn may be running before the network is up.
Regards Tom.
Hi Tom,
sudo systemctl restart openvpn@NL
Job for openvpn@NL.service failed because the control process exited with error code.
See "systemctl status openvpn@NL.service" and "journalctl -xe" for details.
Here is the journalctl -xe log:
May 21 23:55:32 osmc ovpn-NL[7579]: Use --help for more information.
May 21 23:55:32 osmc systemd[1]: openvpn@NL.service: Main process exited, code=>
-- Subject: Unit process exited
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- An ExecStart= process belonging to unit openvpn@NL.service has exited.
--
-- The process' exit code is 'exited' and its exit status is 1.
May 21 23:55:32 osmc systemd[1]: openvpn@NL.service: Failed with result 'exit-c>
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- The unit openvpn@NL.service has entered the 'failed' state with result 'exit>
May 21 23:55:32 osmc systemd[1]: Failed to start OpenVPN connection to NL.
-- Subject: A start job for unit openvpn@NL.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- A start job for unit openvpn@NL.service has finished with a failure.
--
-- The job identifier is 8816 and the job result is failed.
lines 4634-4656/4656 (END)
May 21 23:55:32 osmc ovpn-NL[7579]: Use --help for more information.
May 21 23:55:32 osmc systemd[1]: openvpn@NL.service: Main process exited, code=exited, status=1/FAILURE
-- Subject: Unit process exited
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- An ExecStart= process belonging to unit openvpn@NL.service has exited.
--
-- The process' exit code is 'exited' and its exit status is 1.
May 21 23:55:32 osmc systemd[1]: openvpn@NL.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- The unit openvpn@NL.service has entered the 'failed' state with result 'exit-code'.
May 21 23:55:32 osmc systemd[1]: Failed to start OpenVPN connection to NL.
-- Subject: A start job for unit openvpn@NL.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- A start job for unit openvpn@NL.service has finished with a failure.
--
-- The job identifier is 8816 and the job result is failed.
Not sure why it failed to start…not clear to me
Hi,
What’s the output of: systemctl status openvpn@NL.service
After the restart?
Regards Tom.
Hi @Tom_Doyle ,
sorry, did not see your answer…
sudo systemctl status openvpn@NL.service
* openvpn@NL.service - OpenVPN connection to NL
Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled; vendor pres>
Active: activating (auto-restart) (Result: exit-code) since Thu 2023-05-25>
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Process: 19185 ExecStart=/usr/sbin/openvpn --daemon ovpn-NL --status /run/o>
Main PID: 19185 (code=exited, status=1/FAILURE)
CPU: 30ms
lines 1-9/9 (END)...skipping...
* openvpn@NL.service - OpenVPN connection to NL
Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled; vendor preset: enabled)
Active: activating (auto-restart) (Result: exit-code) since Thu 2023-05-25 21:23:32 CEST; 918ms ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Process: 19185 ExecStart=/usr/sbin/openvpn --daemon ovpn-NL --status /run/openvpn/NL.status 10 --cd /etc/openvpn --config /etc/op>
Main PID: 19185 (code=exited, status=1/FAILURE)
CPU: 30ms
~
~
Hi,
If you changed config files you may need to issue:
systemctl daemon-reload
Thanks Tom.
Here is what I get after daemon-reload
sudo systemctl status openvpn@NL.service
* openvpn@NL.service - OpenVPN connection to NL
Loaded: loaded (/lib/systemd/system/openvpn@.ser>
Active: activating (auto-restart) (Result: exit->
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wi>
https://community.openvpn.net/openvpn/wi>
Process: 22901 ExecStart=/usr/sbin/openvpn --daem>
Main PID: 22901 (code=exited, status=1/FAILURE)
CPU: 30ms
lines 1-9/9 (END)
Thanks
Hi,
Probably a long shot, but have you created a copy of the config with a .conf extension? e.g.
sudo cp /etc/openvpn/FIP/NL.ovpn /etc/openvpn/FIP/NL.conf
All the guides I have seen for using openvpn with systemd suggest doing this. If you do need to create this file, you probably need to issue systemctl daemon-reload again.
Also could you please try the following:
sudo systemctl stop openvpn
sudo killall -9 openvpn@NL
sudo systemctl start openvpn
Thanks Tom.
Hi @Tom_Doyle ,
sorry I was away the past week.
sudo killall -9 openvpn@NL
openvpn@NL: no process found
The other commands do not return anything (which is expected).
Thanks
Hi,
Sorry that probably should have been:-
sudo killall -9 openvpn
Is this with ovpn now a conf file?
Can we try these commands:-
sudo systemctl stop openvpn
sudo killall -9 openvpn
sudo systemctl start openvpn
sudo systemctl status openvpn@NL
Thanks Tom.
Hi,
Yes it’s with the .conf file.
* openvpn@NL.service - OpenVPN connection to NL
Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled; vendor preset: enabled)
Active: inactive (dead) (Result: exit-code) since Sun 2023-06-04 21:40:33 CEST; 23h ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Process: 1556 ExecStart=/usr/sbin/openvpn --daemon ovpn-NL --status /run/openvpn/NL.status 10 --cd >
Main PID: 1556 (code=exited, status=1/FAILURE)
CPU: 63ms
Jun 04 21:40:33 osmc systemd[1]: Stopped OpenVPN connection to NL
Thanks
Hi,
Please provide the output of:
sudo openvpn --config /etc/openvpn/FIP/NL.conf
Regards Tom.
Hi Tom,
Looks like it’s working !!
2023-06-05 23:19:08 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2023-06-05 23:19:08 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2023-06-05 23:19:08 WARNING: file '/etc/openvpn/FIP/ta.key' is group or others accessible
2023-06-05 23:19:08 WARNING: file '/etc/openvpn/FIP/password.txt' is group or others accessible
2023-06-05 23:19:08 OpenVPN 2.5.1 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
2023-06-05 23:19:08 library versions: OpenSSL 1.1.1n 15 Mar 2022, LZO 2.10
2023-06-05 23:19:08 TCP/UDP: Preserving recently used remote address: [AF_INET]185.212.226.142:443
2023-06-05 23:19:08 UDP link local: (not bound)
2023-06-05 23:19:08 UDP link remote: [AF_INET]185.212.226.142:443
2023-06-05 23:19:08 [server] Peer Connection Initiated with [AF_INET]185.212.226.142:443
2023-06-05 23:19:10 TUN/TAP device tun0 opened
2023-06-05 23:19:10 net_iface_mtu_set: mtu 1500 for tun0
2023-06-05 23:19:10 net_iface_up: set tun0 up
2023-06-05 23:19:10 net_addr_ptp_v4_add: 10.9.0.30 peer 10.9.0.29 dev tun0
2023-06-05 23:19:10 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-06-05 23:19:10 Initialization Sequence Completed
Is it having a .conf file that makes it work?
And if so, how do I make sure that only the .conf is called?
Thanks a lot
Hi,
Either delete the ovpn file or move it to your home directory.
Regards Tom.
Or use zomboided vpn manager, makes things a lot easier…
1 Like
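The OpenVPN warnings in the logs above (compression enabled, `--cipher` without `--data-ciphers`, key and password files that are group or others accessible, no `auth-nocache`) can be checked in a config before the service is started. The script below is an added example, not part of any post in this thread; the function name `audit_ovpn` and the sample config are constructed, and relative file paths are assumed to resolve against the config's own directory.

```shell
#!/bin/sh
# Added example: audit an OpenVPN client config for the warnings seen in the
# logs above. Prints one finding per line; returns 1 if anything was found.
audit_ovpn() {
    conf=$1
    dir=$(dirname "$conf")
    found=0
    note() { printf '%s\n' "$1"; found=1; }
    # True when some line's first word is one of the given directives.
    has() { grep -Eq "^[[:space:]]*($1)([[:space:]]|\$)" "$conf"; }

    if has 'comp-lzo|compress'; then
        note "compression: enabled (comp-lzo/compress)"
    fi
    if has 'cipher' && ! has 'data-ciphers|data-ciphers-fallback'; then
        note "cipher: --cipher set without data-ciphers or data-ciphers-fallback"
    fi
    if has 'auth-user-pass' && ! has 'auth-nocache'; then
        note "auth-nocache: password may stay cached in memory"
    fi

    # Secret files named as a directive argument (inline <tls-auth> blocks
    # have none). Paths containing spaces are not handled.
    for f in $(awk '$1 ~ /^(auth-user-pass|tls-auth|tls-crypt|key)$/ && NF > 1 {print $2}' "$conf"); do
        case $f in /*) ;; *) f=$dir/$f ;; esac
        [ -e "$f" ] || continue
        # In the ls -ld mode string, characters 5-10 are the group/other bits.
        if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            note "perms: $f is group or others accessible (chmod 600)"
        fi
    done
    return "$found"
}

# Constructed sample that mirrors the directives in the posted NL.ovpn.
demo=$(mktemp -d)
printf 'user\nsecret\n' > "$demo/password.txt"
chmod 644 "$demo/password.txt"
cat > "$demo/NL.conf" <<EOF
client
remote vpn.example.invalid 443
auth-user-pass $demo/password.txt
cipher AES-256-CBC
comp-lzo
EOF
audit_ovpn "$demo/NL.conf" || true
```

Whether compression can be dropped depends on what the VPN provider's server expects, so that finding is a prompt to ask for an updated config rather than something to change unilaterally.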