OpenVPN client on Raspberry Pi


Needing OpenVPN on my Raspberry Pi caused me some .. unexpected issues. But first a very quick run-down of what I did:

apt-get install openvpn

(I did an upgrade and dist-upgrade to buster too since my install was quite old already, but that is a different story).

Then create a .conf file in /etc/openvpn.

Here's the simple example I am using (I prefer the "embedded" style config since I don't like having loads of files in that folder):

# OpenVPN Client Configuration

client
dev tun

proto udp
remote <SERVER NAME OR IP> <PORT>

resolv-retry infinite
nobind

user nobody
group nogroup

persist-key
persist-tun

# if you want to keep your certificates in separate files, use this instead:
# ca <path/to/your/ca.crt>
# cert <path/to/your/client.crt>
# key <path/to/your/client.key>

# deprecated since OpenVPN 2.4 (the startup log below warns about it);
# remote-cert-tls server is the replacement
ns-cert-type server
comp-lzo
verb 3

# I like to just embed the keys and certificates in the conf file
# also useful for the Android client

# paste contents of ca.crt
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
# paste contents of client.key
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
# paste contents of client.crt
<cert>
Certificate:
    Data:
...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
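Before starting the client it is worth a quick sanity check of that file: it carries the client's private key inline, so it must not be group- or world-readable, and OpenVPN 2.4 warns at startup that ns-cert-type is deprecated (see the log further down). The linter below is an added example, not code from the original post or from the OpenVPN project; it parses the inline <tag> block format used above, reports those two points, and derives the systemd unit name from the file name (Debian's openvpn@<name>.service reads /etc/openvpn/<name>.conf). The sample config and its PEM contents are constructed placeholders.

```python
import os
import re
import stat

# Constructed sample mirroring the post's config (placeholders, not real keys).
SAMPLE_CONF = """client
dev tun
remote vpn.example.invalid 1194
user nobody
group nogroup
ns-cert-type server
<key>
-----BEGIN PRIVATE KEY-----
...placeholder...
-----END PRIVATE KEY-----
</key>
"""

INLINE_RE = re.compile(r"<(\w+)>\n(.*?)</\1>\n?", re.S)  # <ca>, <cert>, <key> blocks

def parse_config(text):
    """Split an OpenVPN .conf into a list of directives and a dict of inline blocks."""
    inline = {m.group(1): m.group(2) for m in INLINE_RE.finditer(text)}
    directives = []
    for line in INLINE_RE.sub("", text).splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")):  # OpenVPN comment markers
            directives.append(line.split())
    return directives, inline

def lint_config(text, mode):
    """Return findings for a client config; mode is the file's permission bits."""
    directives, inline = parse_config(text)
    names = {d[0] for d in directives}
    findings = []
    if "ns-cert-type" in names:  # the warning OpenVPN 2.4 prints at startup
        findings.append("ns-cert-type is deprecated; use 'remote-cert-tls server'")
    elif "remote-cert-tls" not in names:
        findings.append("no server certificate type check configured")
    if "key" in inline and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("embedded private key but file is group/world readable; chmod 600")
    for tag in ("ca", "cert", "key"):
        if tag in inline and "-----BEGIN" not in inline[tag]:
            findings.append("<%s> block contains no PEM data" % tag)
    return findings

def unit_name(conf_path):
    """Debian's openvpn@.service starts /etc/openvpn/<name>.conf for openvpn@<name>."""
    return "openvpn@%s.service" % os.path.basename(conf_path)[:-len(".conf")]
```

Against a real file, call lint_config(open(p).read(), os.stat(p).st_mode).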

Then test it by running sudo openvpn /etc/openvpn/client.conf. If you didn't make any mistakes, the output will look something like this:

Fri Jul  5 07:21:33 2019 OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Fri Jul  5 07:21:33 2019 library versions: OpenSSL 1.1.1c  28 May 2019, LZO 2.10
Fri Jul  5 07:21:33 2019 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Fri Jul  5 07:21:33 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]SERVER_NAME_IP:SERVER_PORT
Fri Jul  5 07:21:33 2019 Socket Buffers: R=[163840->163840] S=[163840->163840]
Fri Jul  5 07:21:33 2019 UDP link local: (not bound)
Fri Jul  5 07:21:33 2019 UDP link remote: [AF_INET]SERVER_NAME_IP:SERVER_PORT
Fri Jul  5 07:21:33 2019 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Fri Jul  5 07:21:33 2019 TLS: Initial packet from [AF_INET]SERVER_NAME_IP:SERVER_PORT, sid=60ead8c7 c03a7c1d
Fri Jul  5 07:21:33 2019 VERIFY OK: depth=1, C=AT, ST=LOCATION_COUNTY, L=LOCATION, O=ORGANIZATION, CN=SERVER_NAME_IP, name=SERVER_NAME_IP, emailAddress=webmaster@SERVER_NAME_IP
Fri Jul  5 07:21:33 2019 VERIFY OK: nsCertType=SERVER
Fri Jul  5 07:21:33 2019 VERIFY OK: depth=0, C=AT, ST=LOCATION_COUNTY, L=LOCATION, O=ORGANIZATION, CN=SERVER_NAME_IP, name=SERVER_NAME_IP, emailAddress=webmaster@SERVER_NAME_IP
Fri Jul  5 07:21:34 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Fri Jul  5 07:21:34 2019 [SERVER_NAME_IP] Peer Connection Initiated with [AF_INET]SERVER_NAME_IP:SERVER_PORT
Fri Jul  5 07:21:35 2019 SENT CONTROL [SERVER_NAME_IP]: 'PUSH_REQUEST' (status=1)
Fri Jul  5 07:21:35 2019 PUSH: Received control message: 'PUSH_REPLY,route VPN_SUBNET 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig YOUR_VPN_IP YOUR_VPN_ROUTER,peer-id 1,cipher AES-256-GCM'
Fri Jul  5 07:21:35 2019 OPTIONS IMPORT: timers and/or timeouts modified
Fri Jul  5 07:21:35 2019 OPTIONS IMPORT: --ifconfig/up options modified
Fri Jul  5 07:21:35 2019 OPTIONS IMPORT: route options modified
Fri Jul  5 07:21:35 2019 OPTIONS IMPORT: peer-id set
Fri Jul  5 07:21:35 2019 OPTIONS IMPORT: adjusting link_mtu to 1625
Fri Jul  5 07:21:35 2019 OPTIONS IMPORT: data channel crypto options modified
Fri Jul  5 07:21:35 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Fri Jul  5 07:21:35 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Jul  5 07:21:35 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Jul  5 07:21:35 2019 ROUTE_GATEWAY LOCAL_GATEWAY/255.255.255.0 IFACE=eth0 HWADDR=MAC_ADDR
Fri Jul  5 07:21:35 2019 TUN/TAP device tun0 opened
Fri Jul  5 07:21:35 2019 TUN/TAP TX queue length set to 100
Fri Jul  5 07:21:35 2019 /sbin/ip link set dev tun0 up mtu 1500
Fri Jul  5 07:21:35 2019 /sbin/ip addr add dev tun0 local YOUR_VPN_IP peer YOUR_VPN_ROUTER
Fri Jul  5 07:21:35 2019 /sbin/ip route add VPN_SUBNET/24 via YOUR_VPN_ROUTER
Fri Jul  5 07:21:35 2019 GID set to nogroup
Fri Jul  5 07:21:35 2019 UID set to nobody
Fri Jul  5 07:21:35 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Jul  5 07:21:35 2019 Initialization Sequence Completed

If you run ifconfig, it should now include an entry for your new VPN device, similar to this:

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet YOUR_VPN_IP netmask 255.255.255.255  destination YOUR_VPN_ROUTER
        inet6 YOUR_VPN_IPV6_IP  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9  bytes 432 (432.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Or if you prefer ip addr show:

5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet YOUR_VPN_IP peer YOUR_VPN_ROUTER/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 YOUR_VPN_IPV6_IP/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

Then stop it with Ctrl+C or otherwise kill the process. The output will look like this (the "Operation not permitted" lines appear because the process dropped to user nobody / group nogroup and can no longer remove the route and address it added; they are harmless on shutdown):

Fri Jul  5 07:22:15 2019 event_wait : Interrupted system call (code=4)
Fri Jul  5 07:22:15 2019 /sbin/ip route del VPN_SUBNET/24
RTNETLINK answers: Operation not permitted
Fri Jul  5 07:22:15 2019 ERROR: Linux route delete command failed: external program exited with error status: 2
Fri Jul  5 07:22:15 2019 Closing TUN/TAP interface
Fri Jul  5 07:22:15 2019 /sbin/ip addr del dev tun0 local YOUR_VPN_IP peer YOUR_VPN_ROUTER
RTNETLINK answers: Operation not permitted
Fri Jul  5 07:22:15 2019 Linux ip addr del failed: external program exited with error status: 2
Fri Jul  5 07:22:15 2019 SIGTERM[hard,] received, process exiting

So I was having a little .. issue getting my OpenVPN client to start (and then to start on boot).

Both turned out to be easy to solve:

First I had this error:

ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)

That was just because I forgot to reboot after the dist-upgrade (which included a new kernel): the new kernel's modules were installed but the old kernel was still running, so the tun module could not be loaded. Reboot and done :)

The second issue is because I usually use Gentoo, and without systemd at that .. so I was wondering how the hell to get it to start my VPN. Running /etc/init.d/openvpn start did not start it, for one. Changing AUTOSTART="all" to AUTOSTART="client" in the init.d file did not do anything either. After looking it up on Google a bit I found what I needed:

systemctl start openvpn@lv_new.service

The part after the @ is the name of the .conf file in /etc/openvpn (here /etc/openvpn/lv_new.conf), so there is one unit per config. Then you can check again with ifconfig or ip addr show that your device is up. So how to get it to autostart? Turns out that is fairly similar:

systemctl enable openvpn@lv_new.service

It turns out most of it was rather simple, and the "biggest" issue for me was my lack of systemd knowledge .. maybe I should install Gentoo on it after all ;)
