OpenVPN Server & Client for unRAID 6.2+ (6.1 is still supported)


peter_sm


Hi,

"Initialization Sequence Completed" indicates that all went OK and the process is running, and you stopped the connection with "Ctrl+C".

If you'd like to see the prompt after connecting, you need to add an & at the end of your command, like this:

 

openvpn --config /boot/openvpn/karli.ovpn &

 

You can then check if the process is running with this command.

 ps -ef | grep openvpn

 

Running with a "&" suffix still results in the same hung terminal session.  After pressing Ctrl C and checking ps

 

nobody    14748      1  0  2016 ?        00:00:09 openvpn --writepid /var/run/openvpnserver/openvpnserver.pid --config /mnt/cache/appdata/myVPNserver/openvpnserver.ovpn --script-security 2 --daemon
root      25180 127452  0 14:53 pts/2    00:00:00 openvpn --config /boot/openvpn/karli.ovpn
root      33595 127452  0 15:09 pts/2    00:00:00 grep openvpn

 

This shows that it is still running and I can ping the IPMI interface and the running remote unRaid server.  However running

 

 ipmitool -I lan -H 192.168.1.179 -U ADMIN -P ADMIN chassis power status
Error: Unable to establish LAN session
Unable to get Chassis Power Status

 

So it isn't really fully connected??

 

My bad....  I was checking wrong ipmi ip address.  This shows that it is correctly working even though the terminal is hung....

 

ipmitool -I lan -H 192.168.1.178 -U ADMIN -P ADMIN chassis power status
Chassis Power is on

Link to comment

Hi,

 

I've tried searching through this thread (search is so annoying  ;D )

 

But can't find the answer!

 

Is it possible to use the OpenVPN client plugin to connect only specific things, i.e. I need all of my dockers going through a VPN except for Plex, which doesn't work remotely when going through a VPN :(

So is there a way to bypass / exclude a single docker container from using the VPN / TUN interface? :)

 

Any help would be greatly appreciated!

Thanks

Link to comment

 

Is it possible to use the OpenVPN client plugin to connect only specific things, i.e. I need all of my dockers going through a VPN except for Plex, which doesn't work remotely when going through a VPN :(

So is there a way to bypass / exclude a single docker container from using the VPN / TUN interface? :)

 

Any help would be greatly appreciated!

Thanks

Normally this specific plugin is used to provide a private tunnel for you to connect back to your server from outside securely. Connecting to a VPN service is better served by Binhex's VPN enabled torrent and nzb dockers.
Link to comment

 

Is it possible to use the OpenVPN client plugin to connect only specific things, i.e. I need all of my dockers going through a VPN except for Plex, which doesn't work remotely when going through a VPN :(

So is there a way to bypass / exclude a single docker container from using the VPN / TUN interface? :)

 

Any help would be greatly appreciated!

Thanks

Normally this specific plugin is used to provide a private tunnel for you to connect back to your server from outside securely. Connecting to a VPN service is better served by Binhex's VPN enabled torrent and nzb dockers.

 

I'm talking about the client, to push all traffic through a PIA VPN :) As opposed to hosting a VPN server to connect back into my home network

 

I have used various VPN dockers but I very much prefer this implementation, meaning I can use dockers which take up less room, all use the same alpine base image (big user of LinuxServerIO dockers ;) ) I just hoped there would be a way of either excluding a docker from the tun5 network... OR a way in the docker config to use a completely separate network / network interface :)

Link to comment

I'm talking about the client, to push all traffic through a PIA VPN :) As opposed to hosting a VPN server to connect back into my home network

Yeah, I understand what you want, it's just a bad idea unless you know exactly what you are doing. The VPN service does not firewall the endpoint connection, so theoretically connecting to them allows other vpn users on the same network node free access to your system totally bypassing your router, since unraid doesn't have a built in firewall.

 

I personally would never risk it. Binhex's dockers go to great lengths to ensure isolation and security, to make sure VPN traffic doesn't leak out of the docker, or vice versa.

 

Network security is hard. Too many ways for things to go wrong, and not many ways to do it right.

Link to comment
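The exposure described in the post above is unsolicited inbound traffic arriving on the tunnel interface. As an added example (not from the thread or the plugin), this function prints iptables commands that accept only replies and explicitly listed TCP ports on that interface; `tunnel_ingress_rules`, the `VPN-IN` chain name and the sample port are assumptions, as is iptables being available on the host.

```bash
# Added example, not from the thread. tunnel_ingress_rules and the VPN-IN chain
# name are hypothetical; assumes iptables with the conntrack match on the host.
# Prints commands for review; nothing is applied until the output is piped to sh.
tunnel_ingress_rules() {    # tunnel_ingress_rules <tun-iface> [allowed-tcp-port...]
    iface=$1; shift
    # Refuse anything that is not a plain tunN/tapN name before it reaches a command.
    case "$iface" in
        tun[0-9]|tun[0-9][0-9]|tap[0-9]|tap[0-9][0-9]) ;;
        *) echo "bad interface: $iface" >&2; return 1 ;;
    esac
    for port in "$@"; do
        case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    done
    echo "iptables -N VPN-IN"
    # Replies to connections this host or its containers opened through the tunnel.
    echo "iptables -A VPN-IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for port in "$@"; do
        echo "iptables -A VPN-IN -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything else arriving from the VPN side is unsolicited: drop it.
    echo "iptables -A VPN-IN -j DROP"
    # INPUT covers services on the host, FORWARD covers published container ports.
    echo "iptables -I INPUT -i $iface -j VPN-IN"
    echo "iptables -I FORWARD -i $iface -j VPN-IN"
}

# Example: tunnel_ingress_rules tun5 51413
# (tun5 is the interface named in the thread; 51413 is a constructed sample port)
```
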

I'm talking about the client, to push all traffic through a PIA VPN :) As opposed to hosting a VPN server to connect back into my home network

Yeah, I understand what you want, it's just a bad idea unless you know exactly what you are doing. The VPN service does not firewall the endpoint connection, so theoretically connecting to them allows other vpn users on the same network node free access to your system totally bypassing your router, since unraid doesn't have a built in firewall.

 

I personally would never risk it. Binhex's dockers go to great lengths to ensure isolation and security, to make sure VPN traffic doesn't leak out of the docker, or vice versa.

 

Network security is hard. Too many ways for things to go wrong, and not many ways to do it right.

 

Aha, ok cool - Well that's fair enough! Sadly my Linux networking knowledge is very lacking... I'll have to sacrifice using my tiny docker containers and grab VPN specific versions :)

 

Thanks!

Link to comment

Hello,

 

I'm using sabnzbd and deluge.

How can I be sure that both pieces of software are covered by the VPN?

 

Thanks

Using this plugin? Dunno, I'm doing it the easy way, using Binhex's excellent VPN enabled dockers. He builds them with failsafes against accidental IP leakage, and as a bonus has privoxy baked in so you can use the same VPN tunnel to browse through if you want.

 

I wouldn't use this plugin to connect to a VPN service, it's meant for you to create a private tunnel to allow secure remote access for your own devices when you are away from home.

 

Binhex plugins are not working on my server :

 

[info] Starting OpenVPN...

2017-01-13 11:08:00,703 DEBG 'start-script' stdout output:
Fri Jan 13 11:08:00 2017 OpenVPN 2.3.12 x86_64-unknown-linux-gnu [sSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [iPv6] built on Aug 24 2016
Fri Jan 13 11:08:00 2017 library versions: OpenSSL 1.0.2j 26 Sep 2016, LZO 2.09
Fri Jan 13 11:08:00 2017 WARNING: file 'credentials.conf' is group or others accessible

2017-01-13 11:08:00,897 DEBG 'start-script' stdout output:
Fri Jan 13 11:08:00 2017 UDPv4 link local: [undef]
Fri Jan 13 11:08:00 2017 UDPv4 link remote: [AF_INET]81.171.85.68:1194

2017-01-13 11:08:00,961 DEBG 'start-script' stdout output:
Fri Jan 13 11:08:00 2017 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=VPN, L=VPN, O=VPN, OU=VPN, CN=VPN, name=VPN, emailAddress=VPN
Fri Jan 13 11:08:00 2017 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Fri Jan 13 11:08:00 2017 TLS_ERROR: BIO read tls_read_plaintext error
Fri Jan 13 11:08:00 2017 TLS Error: TLS object -> incoming plaintext read error
Fri Jan 13 11:08:00 2017 TLS Error: TLS handshake failed

 

So, I'm still going to use the openvpn client plugin.

But my ports are all closed on Transmission.

How could I open them while still being covered by the VPN?

 

Thanks


Link to comment

@peter fantastic job!

 

I'm running client (2016.12.31a) on unRAID 6.2.4 and everything is working perfectly.

 

My question - I noticed someone asking about auto start on boot instead of with array for the openvpn server.

 

With me running the client is there a way for the openvpn client plugin to start on boot rather than waiting for array?

 

My issue is this unRAID box is not local to me and if I need to stop the array on this box to make an unRAID change I lose connectivity due to vpn closing.

 

I'd like the VPN to be connected basically all the time while the webgui is running.

 

Any thoughts?  Maybe a feature request?

 

Thanks for everything and I'm happy to test!

Link to comment

@peter fantastic job!

 

I'm running client (2016.12.31a) on unRAID 6.2.4 and everything is working perfectly.

 

My question - I noticed someone asking about auto start on boot instead of with array for the openvpn server.

 

With me running the client is there a way for the openvpn client plugin to start on boot rather than waiting for array?

 

My issue is this unRAID box is not local to me and if I need to stop the array on this box to make an unRAID change I lose connectivity due to vpn closing.

 

I'd like the VPN to be connected basically all the time while the webgui is running.

 

Any thoughts?  Maybe a feature request?

 

Thanks for everything and I'm happy to test!

 

Hi SmallwoodDR82,

 

What you can try is to add the line below to your go file located in /boot/config/

 

/etc/rc.d/rc.openvpnclient start

 

//Peter

 

Link to comment

I'm confused.  I've installed the server, installed RSA, generated certs, and added a client.  I can even start the server and my client name appears in a list as an expected client.

 

But when I added the client name I got a window saying that it all went well and generated an inline file (I attached a screenshot here).

 

But how do I download that file to give to my client?

 

Thanks!


Link to comment

Take a look under the client folder for the path you entered in the cert config.

 

There should also be some help text to activate; I think this info exists on where to download the client file. If not, I can make it clearer in the window.

Sent from my iPhone using Tapatalk

 

Now that I know where to look, I just used FTP to grab the file and voila.  I can't wait to test it from a coffee shop with my Mac.

 

 

One more question regarding OpenVPN client (not server this time) which I may also use for another purpose.  My VPN provider only gives me a cert file--it does not give me a .ovpn file.  Can I still configure the OpenVPN client you packaged for unRAID to connect to them?

 

Thanks again.  Great work.

Link to comment

One more question regarding OpenVPN client (not server this time) which I may also use for another purpose.  My VPN provider only gives me a cert file--it does not give me a .ovpn file.  Can I still configure the OpenVPN client you packaged for unRAID to connect to them?

 

Thanks again.  Great work.

As far as I know, an ovpn or config file is needed for all VPNs.

 

//Peter

 

Link to comment

One more question regarding OpenVPN client (not server this time) which I may also use for another purpose.  My VPN provider only gives me a cert file--it does not give me a .ovpn file.  Can I still configure the OpenVPN client you packaged for unRAID to connect to them?

 

Thanks again.  Great work.

As far as I know, an ovpn or config file is needed for all VPNs.

 

//Peter

 

 

After trying a different VPN service, it all works now. 

 

One final question:  Am I able to keep the OpenVPN client connected but still keep the OpenVPN server also open for incoming connections?

 

Thanks again.

Link to comment

@peter fantastic job!

 

I'm running client (2016.12.31a) on unRAID 6.2.4 and everything is working perfectly.

 

My question - I noticed someone asking about auto start on boot instead of with array for the openvpn server.

 

With me running the client is there a way for the openvpn client plugin to start on boot rather than waiting for array?

 

My issue is this unRAID box is not local to me and if I need to stop the array on this box to make an unRAID change I lose connectivity due to vpn closing.

 

I'd like the VPN to be connected basically all the time while the webgui is running.

 

Any thoughts?  Maybe a feature request?

 

Thanks for everything and I'm happy to test!

 

Hi SmallwoodDR82,

 

What you can try is to add the line below to your go file located in /boot/config/

 

/etc/rc.d/rc.openvpnclient start

 

//Peter

 

Peter so this works perfect thanks!

 

My final issue is even with the array mounting option set to 'no' and the go file adjustment.

 

If I stop the array to make an unraid change the OpenVPN client stops the VPN connection.

 

Shouldn't it stay connected when array is offline?  When I stopped the array, I then have no way to start it again :(

 

Thanks for the help in advance!

Link to comment

Peter - So one thing that isn't working when I connect to my unRAID box with OpenVPN from my Mac is access to shares.  I seem to have a great connection otherwise and can access computers via local IP, just no shares.

 

Thoughts?

You should be able to connect even with the hostname, and your complete LAN should be available as well.

Did you modify many of the default settings?

 

//Peter

Link to comment

Peter - So one thing that isn't working when I connect to my unRAID box with OpenVPN from my Mac is access to shares.  I seem to have a great connection otherwise and can access computers via local IP, just no shares.

 

Thoughts?

You should be able to connect even with the hostname, and your complete LAN should be available as well.

Did you modify many of the default settings?

 

//Peter

 

It's not and I didn't modify any of the defaults.

Link to comment

Here is what happens if I run the client from the command line.  It connects, but the terminal hangs...

 

 openvpn --config /boot/openvpn/karli.ovpn &
[1] 58675
root@Kim:/boot/RhettKarli# Wed Jan 25 12:08:35 2017 OpenVPN 2.4.0 x86_64-slackware-linux-gnu [sSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 29 2016
Wed Jan 25 12:08:35 2017 library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.09
Wed Jan 25 12:08:35 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]23.127.66.250:1197
Wed Jan 25 12:08:35 2017 UDP link local: (not bound)
Wed Jan 25 12:08:35 2017 UDP link remote: [AF_INET]23.127.66.250:1197
Wed Jan 25 12:08:35 2017 [server] Peer Connection Initiated with [AF_INET]23.127.66.250:1197
Wed Jan 25 12:08:36 2017 TUN/TAP device tun1 opened
Wed Jan 25 12:08:36 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jan 25 12:08:36 2017 /usr/sbin/ip link set dev tun1 up mtu 1500
Wed Jan 25 12:08:36 2017 /usr/sbin/ip addr add dev tun1 10.8.0.3/24 broadcast 10.8.0.255
RTNETLINK answers: File exists
Wed Jan 25 12:08:36 2017 ERROR: Linux route add command failed: external program exited with error status: 2
RTNETLINK answers: File exists
Wed Jan 25 12:08:36 2017 ERROR: Linux route add command failed: external program exited with error status: 2
Wed Jan 25 12:08:36 2017 Initialization Sequence Completed
^C

 

Running with a "&" suffix still results in the same hung terminal session.  After pressing Ctrl C and checking ps

 

nobody    14748      1  0  2016 ?        00:00:09 openvpn --writepid /var/run/openvpnserver/openvpnserver.pid --config /mnt/cache/appdata/myVPNserver/openvpnserver.ovpn --script-security 2 --daemon
root      25180 127452  0 14:53 pts/2    00:00:00 openvpn --config /boot/openvpn/karli.ovpn
root      33595 127452  0 15:09 pts/2    00:00:00 grep openvpn

 

Is this the right way to kill a VPN session to a server?  It also hangs the bash terminal.  You need to press Ctrl C to continue, and then it seems to work fine again.

 

pkill -SIGTERM -f 'openvpn --config /boot/openvpn/karli.ovpn' & 

 

How do I kill hung openvpn command line sessions?  I want to script the following

openvpn start
do some stuff with the vpn active
openvpn stop

 

but hung sessions are causing a problem. 

Link to comment
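For the start / work / stop sequence asked about in the post above, an added example (not from the thread or the plugin): it starts the client with `--daemon`, `--writepid` and `--log` so nothing is written to the terminal, waits for the "Initialization Sequence Completed" line in the log, runs the work, then signals only the recorded PID. The function names and `OPENVPN_BIN` are hypothetical.

```bash
#!/bin/bash
# Added example, not from the thread. vpn_start, vpn_wait_up, vpn_stop, with_vpn
# and OPENVPN_BIN are hypothetical names.
OPENVPN_BIN="${OPENVPN_BIN:-openvpn}"

# vpn_start <config> <pidfile> <logfile>   (use absolute paths)
# --daemon detaches from the terminal, --log keeps output off the console,
# --writepid records the PID so only this instance is signalled later.
vpn_start() {
    : > "$3"
    "$OPENVPN_BIN" --config "$1" --daemon --writepid "$2" --log "$3"
}

# vpn_wait_up <logfile> <timeout-seconds>: 0 once the tunnel is up, 1 on timeout
vpn_wait_up() {
    waited=0
    while [ "$waited" -lt "$2" ]; do
        grep -q 'Initialization Sequence Completed' "$1" && return 0
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# vpn_stop <pidfile>: send SIGTERM to the recorded PID only, never by name pattern
vpn_stop() {
    pid=$(cat "$1" 2>/dev/null) || return 1
    case "$pid" in ''|*[!0-9]*) return 1 ;; esac
    kill -TERM "$pid"
}

# with_vpn <config> <command> [args...]: run the command only while the tunnel
# is up, always tear the client down afterwards, return the command's status.
with_vpn() {
    cfg=$1; shift
    run=$(mktemp -d) || return 1
    rc=1
    if vpn_start "$cfg" "$run/pid" "$run/log" && vpn_wait_up "$run/log" 30; then
        "$@"; rc=$?
    fi
    vpn_stop "$run/pid"
    rm -rf "$run"
    return "$rc"
}

# Example: with_vpn /boot/openvpn/karli.ovpn ping -c 1 192.168.1.178
```
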

Peter - So one thing that isn't working when I connect to my unRAID box with OpenVPN from my Mac is access to shares.  I seem to have a great connection otherwise and can access computers via local IP, just no shares.

 

Thoughts?

You should be able to connect even with the hostname, and your complete LAN should be available as well.

Did you modify many of the default settings?

 

//Peter

 

It's not and I didn't modify any of the defaults.

 

Peter,

 

It turns out I can access the shares via IP address, but not NETBIOS name.  Perhaps there's no internal DNS or NETBIOS naming being passed through the VPN.  (I'm not terribly familiar with how this is done.)  Is there anything with OpenVPN that would be causing this or is this some other thing related to my network?

 

Thanks.

Link to comment
  • 2 weeks later...

[solved] at this moment the user is offline in the status page

Hi,

 

Today I installed the VPN server. It works out of the box. Thanks for this great plugin.

 

One question: when a user connects to the server, I can see on the status page that the user is offline, but when the user disconnects, the user is still shown as online even though the connection is disconnected on the client side.

Link to comment
