OVPN script not working

After setting up my brand new 4k I decided to install the ovpn script, I followed this guide http://brianhornsby.com/blog/how-to-setup-your-vpn-client.php and a few posts on here mostly because that’s what I used on my pi3 as well.
At first it didn’t start, couldn’t find openvpn, turns out it’s in sbin not in bin.
With the exception of my file location which is /etc/openvp/ for the certs and ovpn files instead.

It says it connects but if I do an IP check with SSH wget http://ipecho.net/plain -O - -q ; echo or curl an IPcheck site it either doesn’t resolve or comes up an empty line.
example file

client
dev tun
proto udp
remote fr.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/user.txt
comp-lzo
verb 1
reneg-sec 0
crl-verify /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.rsa.2048.crt
disable-occ

This is what my client file looks like, user text just has my
user
pass
and everything is located in the same directory just as I have set up on my Pi.

I changed the menu to use sudo with and without a password and set the directory to sbin instead of bin.
The script says it’s connected but it isn’t.

Can you access other services like scrapers and updates?

I can with my normal connection. Not with the vpn on, it gets stuck on 0% during manual update.

SSH to the vero also keeps timing out randomly, out of the box I had problems finding my NFS’s too, if that helps. It didn’t go smoothly at all so I updated right away but didn’t seem to have changed much.

Can you post the log from Brian Hornsby’s add-on?

I think it’s probably at /home/osmc/.kodi/userdata/addon_data/script.openvpn/openvpn.log in which case you should run

paste-log /home/osmc/.kodi/userdata/addon_data/script.openvpn/openvpn.log

If it’s not there, you’ll need to look around in that general area.

Sat Apr 7 22:02:40 2018 OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
Sat Apr 7 22:02:40 2018 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.08
Sat Apr 7 22:02:41 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]
Sat Apr 7 22:02:41 2018 UDP link local: (not bound)
Sat Apr 7 22:02:41 2018 UDP link remote: [AF_INET]
Sat Apr 7 22:02:41 2018 WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
Sat Apr 7 22:02:41 2018 Peer Connection Initiated with [AF_INET]
Sat Apr 7 22:02:43 2018 TUN/TAP device tun0 opened
Sat Apr 7 22:02:43 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Apr 7 22:02:43 2018 /sbin/ip link set dev tun0 up mtu 1500
Sat Apr 7 22:02:43 2018 /sbin/ip addr add dev tun0 local 10.97.10.6 peer 10.97.10.5
Sat Apr 7 22:02:43 2018 Initialization Sequence Completed
Sat Apr 7 22:02:53 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Apr 7 22:03:04 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Apr 7 22:03:14 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Apr 7 22:03:24 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Apr 7 22:03:34 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Apr 7 22:03:44 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Apr 7 22:03:54 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Apr 7 22:04:04 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Apr 7 22:04:14 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Apr 7 22:04:24 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Apr 7 22:04:34 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Apr 7 22:04:43 2018 Inactivity timeout (–ping-restart), restarting
Sat Apr 7 22:04:43 2018 SIGUSR1[soft,ping-restart] received, process restarting
Sat Apr 7 22:04:48 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]
Sat Apr 7 22:04:48 2018 UDP link local: (not bound)
Sat Apr 7 22:04:48 2018 UDP link remote: [AF_INET]
Sat Apr 7 22:04:48 2018 Peer Connection Initiated with [AF_INET]
Sat Apr 7 22:04:54 2018 AUTH: Received control message: AUTH_FAILED
Sat Apr 7 22:04:54 2018 /sbin/ip addr del dev tun0 local 10.97.10.6 peer 10.97.10.5
Sat Apr 7 22:04:54 2018 SIGTERM[soft,auth-failure] received, process exiting

1. Why didn’t you use paste-log?

2. You need to change verb 1 to verb 3 in the openvpn config file. I think with Brian Hornsby’s app you then need to import it (or words to that effect).

~$ paste-log /home/osmc/.kodi/userdata/addon_data/script.openvpn/openvpn.log
curl: Can’t open ‘/home/osmc/.kodi/userdata/addon_data/script.openvpn/openvpn.log’!
curl: try ‘curl --help’ or ‘curl --manual’ for more information
curl: Can’t open ‘/home/osmc/.kodi/userdata/addon_data/script.openvpn/openvpn.log’!
curl: try ‘curl --help’ or ‘curl --manual’ for more information
Unable to upload log. Please check your internet connection.

that’s why

I don’t think there even is a verb setting in the config by default, didn’t see it in his guide either.

And I keep disconnecting from SSH every 30 seconds thats pretty annoying too. Wired connection, static IP.

This is what hornsby advices on his How to by the way

clientdev tunproto udpremote us-midwest.privateinternetaccess.com 1194resolv-retry infinitenobindpersist-keypersist-tunca /home/pi/vpn-config/ca.crttls-clientremote-cert-tls serverauth-user-pass /home/pi/vpn-config/pass.txtcomp-lzoverb 1reneg-sec 0crl-verify /home/pi/vpn-config/crl.pem

Verb set to default I think.

With verb set to 3 I have the same issue

~$ wget http://ipecho.net/plain -O - -q ; echo

~$

I need to see the log now it’s running with verb 3. (Verb means verbosity, so more detail in the log.)

Sat Apr 7 22:32:08 2018 /sbin/ip addr add dev tun0 local 10.56.10.6 peer 10.56.10.5
Sat Apr 7 22:32:08 2018 Initialization Sequence Completed
Sat Apr 7 22:32:18 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Apr 7 22:32:28 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Apr 7 22:32:38 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Apr 7 22:32:48 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Apr 7 22:32:58 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Apr 7 22:33:08 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Apr 7 22:33:18 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Apr 7 22:33:28 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Apr 7 22:33:38 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Apr 7 22:33:48 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Apr 7 22:33:58 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Apr 7 22:34:08 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Apr 7 22:34:08 2018 Inactivity timeout (–ping-restart), restarting
Sat Apr 7 22:34:08 2018 SIGUSR1[soft,ping-restart] received, process restarting
Sat Apr 7 22:34:13 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]
Sat Apr 7 22:34:13 2018 UDP link local: (not bound)
Sat Apr 7 22:34:13 2018 UDP link remote: [AF_INET]
Sat Apr 7 22:34:13 2018 Peer Connection Initiated with [AF_INET]
Sat Apr 7 22:34:19 2018 AUTH: Received control message: AUTH_FAILED
Sat Apr 7 22:34:19 2018 /sbin/ip addr del dev tun0 local 10.56.10.6 peer 10.56.10.5
Sat Apr 7 22:34:19 2018 SIGTERM[soft,auth-failure] received, process exiting

Looks like it’s less verbose on verb 3.

It won’t be. But you’ve lost the top part of the log.

This is the complete log i’m getting from verb 3, I might have cut something off by mistake.

Sun Apr 8 05:29:40 2018 OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
Sun Apr 8 05:29:40 2018 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.08
Sun Apr 8 05:29:41 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]
Sun Apr 8 05:29:41 2018 UDP link local: (not bound)
Sun Apr 8 05:29:41 2018 UDP link remote: [AF_INET]
Sun Apr 8 05:29:41 2018 WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
Sun Apr 8 05:29:41 Peer Connection Initiated with [AF_INET]
Sun Apr 8 05:29:42 2018 TUN/TAP device tun0 opened
Sun Apr 8 05:29:42 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Apr 8 05:29:42 2018 /sbin/ip link set dev tun0 up mtu 1500
Sun Apr 8 05:29:42 2018 /sbin/ip addr add dev tun0 local 10.68.10.6 peer 10.68.10.5
Sun Apr 8 05:29:42 2018 Initialization Sequence Completed
Sun Apr 8 05:29:52 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sun Apr 8 05:30:02 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sun Apr 8 05:30:12 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sun Apr 8 05:30:22 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sun Apr 8 05:30:32 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sun Apr 8 05:30:42 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sun Apr 8 05:30:52 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sun Apr 8 05:31:02 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sun Apr 8 05:31:12 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sun Apr 8 05:31:22 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sun Apr 8 05:31:32 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sun Apr 8 05:31:42 2018 Inactivity timeout (–ping-restart), restarting
Sun Apr 8 05:31:42 2018 SIGUSR1[soft,ping-restart] received, process restarting
Sun Apr 8 05:31:47 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]185.210.218.104:1198
Sun Apr 8 05:31:47 2018 UDP link local: (not bound)
Sun Apr 8 05:31:49 2018 AUTH: Received control message: AUTH_FAILED
Sun Apr 8 05:31:49 2018 /sbin/ip addr del dev tun0 local 10.68.10.6 peer 10.68.10.5
Sun Apr 8 05:31:49 2018 SIGTERM[soft,auth-failure] received, process exiting

I thought i’d check my Pi on which it used to work just fine so I could retrace my steps but that seems to fail now as well…

Sun Apr 8 06:26:39 2018 OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] $
Sun Apr 8 06:26:39 2018 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.08
Sun Apr 8 06:27:19 2018 RESOLVE: Cannot resolve host address: jp.privateinternetaccess.com:1198 (Name or service not known)
Sun Apr 8 06:27:59 2018 RESOLVE: Cannot resolve host address: jp.privateinternetaccess.com:1198 (Name or service not known)
Sun Apr 8 06:27:59 2018 Could not determine IPv4/IPv6 protocol
Sun Apr 8 06:27:59 2018 SIGUSR1[soft,init_instance] received, process restarting
Sun Apr 8 06:28:44 2018 RESOLVE: Cannot resolve host address: jp.privateinternetaccess.com:1198 (Name or service not known)

So now none of the scripts seem to work while I’m sure the one on my Pi used to work just fine.

Edit: I seem to have lost WAN all together on the Pi now, Vero does have WAN, LAN works fine on both. The strange part is that I didn’t change anything in my Pi, Vero or router ofter then giving the Vero a dedicated static ip.
The only odd thing I see on my Pi on shutdown now is “A startup job is running to query time HTTP” something along those lines.

That’s still verbosity level 1. I believe you need to “import” the changed openvpn config into Brian Hornsby’s add-on for it to take effect.

One other small point. I downloaded at the PIA config files (http://privateinternetaccess.com/openvpn/openvpn.zip) and for France it shows a domain name of france.privateinternetaccess.com, whereas yours starts with fr.

[user@fedora-26 ~]$ nslookup fr.privateinternetaccess.com
Server:		10.137.2.1
Address:	10.137.2.1#53

** server can't find fr.privateinternetaccess.com: NXDOMAIN

[user@fedora-26 ~]$ nslookup france.privateinternetaccess.com
Server:		10.137.2.1
Address:	10.137.2.1#53

Non-authoritative answer:
Name:	france.privateinternetaccess.com
Address: 108.61.122.215
Name:	france.privateinternetaccess.com
Address: 108.61.123.66
Name:	france.privateinternetaccess.com
Address: 108.61.122.214
Name:	france.privateinternetaccess.com
Address: 108.61.122.223
Name:	france.privateinternetaccess.com
Address: 108.61.122.9
Name:	france.privateinternetaccess.com
Address: 108.61.123.69
Name:	france.privateinternetaccess.com
Address: 108.61.122.65
Name:	france.privateinternetaccess.com
Address: 108.61.123.71
Name:	france.privateinternetaccess.com
Address: 108.61.122.158
Name:	france.privateinternetaccess.com
Address: 108.61.122.114
Name:	france.privateinternetaccess.com
Address: 108.61.123.72
Name:	france.privateinternetaccess.com
Address: 108.61.122.225
Name:	france.privateinternetaccess.com
Address: 108.61.122.217

Similarly, the config file for Japan says it’s japan.privateinternetaccess.com, not jp.

I redownloaded the config files and changed everything to the way I did it on my pi (which was almost the same).

Instead of user.txt I used login.conf (was suggested somewhere) and it connects on both devices. My Pi was just on a name server that was down added googles dns as a test.

But

wget http://ipecho.net/plain -O - -q ; echo
gives me a correct IP now.

The problem now is that they constantly drop, it can take an hour or 1 second but the connection doesn’t persist for some reason.
they just always drop.

i set my static DNS to 209.222.18.222 and 209.222.18.218.
I dont know if it will help with stabilizing the connection but it’s worth to try.

it would be nice if it could automatically run on vero startup and keep the tunnel on or automatically reconnect if it drops.

I think the answer is that you can configure the system to run the Brian Hornsby add-on on startup:

but the add-on won’t automatically re-start openvpn if it stops/crashes. For that to happen you would need to run openvpn using systemd – and not use the add-on.

If you want to solve the dropping connection, we will need a log with a verbosity level of 3.

I thought systemd wasn’t an option with the latest version.

I could just as well set it up as systemd if someone could guide me through it, it’s an always on mediacenter so I wouldn’t mind for the vpn to just always be on by default, and since I’m doing the initial setup of everything now anyway be against it at all.

If the connection drops again i’ll post a verbose 3 log for now, it seems like I can’t connect with my pi anymore being unable to resolve the host through the DNS it used 10 minutes ago and the address it resolved at the moment so I wouldn’t call it stable.

Not that I’m aware of.

To run openvpn at startup:

To enable automatic restart:

thats so much easier! Why is everyone using the script! and no more openvpn error in the startup checklist, which I always thought was odd.

Going to try the automation thing and see how it goes but restarted and it went straight to connected.

Added the lines, no errors.

sudo wget http://ipecho.net/plain -O – -q ; echo
returns nothing just a empty space

curl ipinfo.io/ip
returns a vpn ip

Any other tests just to be sure?

My mistake sudo screws up wget http://ipecho.net/plain -O - -q ; echo

Tested a while now and it works like a charm, thank so you @dillthedog

Are there any iptables or such available to create an auto start killswitch/leak protection by any chance?

No, but you’ll find a whole bunch of articles using your favourite search engine. Just one example: