Automated OpenVPN Server Setup Script

[arthbkins]

This guide worked for me to the point where i was going to connect.
Have made everything in the order requested of me.

The weird thing is that it connects to the server and now it's just saying "authenticating".... (It connects to my external ip address).

BUT when i change the ip address in the .ovpn file to the internal ip address (192.168.1.XXX of the server it connects straight away.

Have opened the port 1194 with udp.
And followed both guides on how to change the ip to static!
Even called and checked so that my ISP is not blocking anything.

Does anyone know what i can do?

Although thank you for the script!

I am in the same boat you are in! If I change the .ovpn key to point at the PI's static IP address (instead of my public IP address), then I can connect while on my home network. Which to me smells like it may be our router settings as we cannot reach the OPENVPN server from the outside yet the server is clearly up and running. I have an Apple airport extreme with:

- 'Router Mode' set to 'DHCP and NAT'

- The router assigns the PI (detected by its MAC address) a static iP of 10.0.1.2 which I know is working

- And UDP IPv4 port forwarding of port 1194 to the pi's static IP address (10.0.1.2).

That should be all good but something is not working. I may tell the script to revert itself another time and try again tomorrow night. If that fails I may try another fresh install of Raspian. I used Jesse this time but the OP mentions Jesse lite so I may try that next time.

[Brewmaster9]

I also set up port triggering on my router. In addition the static IP of the Pi is reserved on the router, so nothing can steal it if the Pi isn't running. Don't forget to reboot after making changes.

[raztafari]

Never mind, tried connecting from another network and now it's working!
I also activated Port Trigger with UDP 1194.
Going to try and turn that off and se if that makes any difference.

Thank so much for this awesome script!

[arthbkins]

Never mind, tried connecting from another network and now it's working!
I also activated Port Trigger with UDP 1194.
Going to try and turn that off and se if that makes any difference.

Thank so much for this awesome script!

Congrats! I'm still stuck. The airport extreme doesn't have a separate setting for port triggering it just has port forwarding. What router are you using? I may try a different router.

[Brewmaster9]

I'm using a plusnet Sagem Router. This router doesn't allow port triggering from normal settings screen, but does if you use expert mode. I found out this on the plusnet forum.

My Pi Vpnserver works great, but I had to ensure all the following steps were done.

Port triggering 1194

Port forward 1194 udp to Pi MAC (some routers use host name, but I found if more than 1 pi's on network my router got confused and screwed up associated MACS).

Reserved static IP on router, so it can't give it to another device.

On pi

Set static IP
Run script

You can try DMZ on router to check firewall isn't an issue, but turn back off to make sure you protected. Port 1194 shouldn't be an issue anyway......

[cjdawson]

I've not looked at the script, however, I do know that most of the VPN Setup guides on the web are out of date. I'm working on a server for my home based on a PI 3 running Raspbian Jessie. Some of the things have changed since Wheezy which may be enough to break automated scripts.

Here's the post that I've put together for setting up OpenVPN.
http://blog.cjdawson.com/?p=331

If you are running a PI or PI2, you'll probably want to overclock the processor, I've skipped it as with the PI 3 you can't overclock anymore. Also I personally never liked over clocking my PI 1 or 2, so I skipped that bit completely.

If you also take a look around the blog, you'll see that I've been working on a bigger project that makes the VPN work much much nicer. My OpenVPN install is on a PI 3 that is also actiing as also performing DHCP, DNS and NTP. It's effectively offloaded most of the work from my router. I'm working on getting Active directory running on it as well, so that I can have a windows domain. I digress. For the OpenVPN if you look through the steps that I've laid out, hopefully you'll find the bit that was stopping your setup from working properly.

[arthbkins]

After more digging, I am still stumped. Here is what I am seeing:

- A UDP port scanner shows that port 1194 is successfully being forwarded to the PI. So looks like my router is successfully forwarding port 1194. This is the port scanner for others wanting to check: https://pentest-tools.com/network-vulne ... nline-nmap

- In my client config file, if I change the IP address to the local static IP of my Raspberry PI on my home network, then I can connect successfully on my home network. Which tells me that a lot is working (openvpn server, keys, etc).

- But, if I leave my IP set to my external IP address of my home, then I am unable to connect from any network and here is the debug log viscosity on my mac shows [I substituted my real IP with XX.XXX.XXX.XXX]:

Mar 28 21:37:23: Checking reachability status of connection...
Mar 28 21:37:23: Connection is reachable. Starting connection attempt.
Mar 28 21:37:23: OpenVPN 2.3.10 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Mar 2 2016
Mar 28 21:37:23: library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.09
Mar 28 21:37:26: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mar 28 21:37:26: Control Channel Authentication: using '/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/connection.xYmHdA/ta.key' as a OpenVPN static key file
Mar 28 21:37:26: UDPv4 link local: [undef]
Mar 28 21:37:26: UDPv4 link remote: [AF_INET]XX.XXX.XXX.XXX:1194
Mar 28 21:38:26: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 28 21:38:26: TLS Error: TLS handshake failed
Mar 28 21:38:26: SIGUSR1[soft,tls-error] received, process restarting

I have followed all the tips in this thread on how to configure the PI and have started fresh a few times to be sure I didn’t miss anything. I have tried from multiple clients (iPhone, Mac) from multiple networks.

Here is my openvpn config file for reference:

local 10.0.1.201
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OPenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 10.0.1.201 255.255.255.0"
# Set your primary domain name server address to Google DNS 8.8.8.8
push "dhcp-option DNS 8.8.8.8"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1
# This configuration file was originally written by Lauren Orsini at ReadWrite.

Any ideas would be much appreciated!

[Brewmaster9]

After more digging, I am still stumped. Here is what I am seeing:

- A UDP port scanner shows that port 1194 is successfully being forwarded to the PI. So looks like my router is successfully forwarding port 1194. This is the port scanner for others wanting to check: https://pentest-tools.com/network-vulne ... nline-nmap

- In my client config file, if I change the IP address to the local static IP of my Raspberry PI on my home network, then I can connect successfully on my home network. Which tells me that a lot is working (openvpn server, keys, etc).

- But, if I leave my IP set to my external IP address of my home, then I am unable to connect from any network and here is the debug log viscosity on my mac shows [I substituted my real IP with XX.XXX.XXX.XXX]:

Mar 28 21:37:23: Checking reachability status of connection...
Mar 28 21:37:23: Connection is reachable. Starting connection attempt.
Mar 28 21:37:23: OpenVPN 2.3.10 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Mar 2 2016
Mar 28 21:37:23: library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.09
Mar 28 21:37:26: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mar 28 21:37:26: Control Channel Authentication: using '/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/connection.xYmHdA/ta.key' as a OpenVPN static key file
Mar 28 21:37:26: UDPv4 link local: [undef]
Mar 28 21:37:26: UDPv4 link remote: [AF_INET]XX.XXX.XXX.XXX:1194
Mar 28 21:38:26: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 28 21:38:26: TLS Error: TLS handshake failed
Mar 28 21:38:26: SIGUSR1[soft,tls-error] received, process restarting

I have followed all the tips in this thread on how to configure the PI and have started fresh a few times to be sure I didn’t miss anything. I have tried from multiple clients (iPhone, Mac) from multiple networks.

Here is my openvpn config file for reference:

local 10.0.1.201
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OPenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 10.0.1.201 255.255.255.0"
# Set your primary domain name server address to Google DNS 8.8.8.8
push "dhcp-option DNS 8.8.8.8"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1
# This configuration file was originally written by Lauren Orsini at ReadWrite.

Any ideas would be much appreciated!

Have you checked out firewall settings? I know you've set up port forwarding, but try turning off firewall temporarily to rule it out.

[arthbkins]

I think I know what my problem is: I have double NAT. Because my cable modem, a Motorola surfboard sb6120, is running it's own DHCP server which you can't explicitly disable. It apparently turns itself on when it thinks it's a good idea (some theorize cable company unreachable). So I'll be looking for a better cable modem that I can explicitly control to be in 'bridge mode' (no DHCP server) so that my router (Apple Airport Extreme) can do DHCP and port forwarding. Any recommendations for a good cable modem that allows more control - I have Comcast as a provider.

[Brewmaster9]

Will the cable modem let you assign a DMZ?

[arthbkins]

The cable modem has no user configuration options - it 'auto-configures' itself. The cable company has some control supposedly but there are no user settings. I've ordered a new cable modem (surfboard SB6183) which should arrive tomorrow so I will give that a try.

[WispaGold]

I've got a Apple Extreme router (2nd Gen) and had trouble getting it to work with my pi VPN.

I did a hard factory reset today and set it up again with port 1194 forwarded. Tested it on a online port scanner site and saw it open for a tiny bit before it got filtered by the routers firewall. I think the reset helped.

I looked into my OpenVPN and managed to see that my iptables were not set up.

Code: Select all

sudo netstat -uapn | grep openvpn

This showed I had no ip and port open for openvpn.

Code: Select all

sudo iptables --list

Showed me I had nothing set up.

Code: Select all

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

This helped to forward the LAN to the tunnel and visa versa.

Code: Select all

sudo iptables -A INPUT -p udp --dport 1194 -m state --state New,Established -j ACCEPT

This helped to open the port of 1194.

Code: Select all

sudo iptables -A OUTPUT -p udp -m state --state Established -j ACCEPT

This helped to send traffic out.

Then I used iptables-persistent to make them stick at boot up.

Code: Select all

sudo apt-get install iptables-persistent

Code: Select all

sudo systemctl enable netfilter-persistent

I'm not totally sure if what I've done is right or I've opened up too much in the firewall but my pi OpenVPN is working now and I don't have any problems with it anymore.

Hope this helps.

[mrCrumbSnatcher]

Donation sent. Thank you so much for your contribution. I struggled with all the other tutorials floating around, but this helped me out. As some others pointed out, I had to leverage the startup script on reboot and all works well (I did have to set my sleep value to 15, though).

I've put together a script that configures OpenVPN on the Raspberry Pi to turn it into a personal VPN server. It is located here:

https://github.com/StarshipEngineer/OpenVPN-Setup

I'm hoping that users can discuss, collaborate, and resolve issues and feature ideas here! I'd love to share the project with the community, give users an easier place to discuss things than GitHub comments, and provide another forum for feedback.

[rjotto]

Hello to you all!
First I want to thank StarshipEngineer for all of the work that he has done.
I successfully used the scripts on Raspbian Jessie and RPi 2. It worked great.
Now I want to try OSMC. My question is: Can I use the same scripts to install and configure OPENVPN server on OSMC based RPi?

Thanks in advance.

[Sanddancer75]

Thank you very much, I'd tried setting up OpenVPN a couple of times with guides that I found on the internet, but failed & didn't know enough to troubleshoot things. This has taken all the pain out of things & just works. Great work.

[0.kaladin]

Just wanted to let everyone know here that I made a new version of this you can check out @ http://pivpn.io
I fixed a few open issues, added functionality based on feedback, etc.
So if anyone here can use it and provide feedback via the github or here please do so, I'd like to make it as simple as possible.

[rjotto]

Just wanted to let everyone know here that I made a new version of this you can check out @ http://pivpn.io
I fixed a few open issues, added functionality based on feedback, etc.
So if anyone here can use it and provide feedback via the github or here please do so, I'd like to make it as simple as possible.

Hello!
Nice of you to improve the scripts. I know that the recommended OS is Raspbian Jessie but I want to try it on OSMC (I read somewhere that it is based on Debian Jessie). What do you think, will it work on OSMC? Do I need to change something (users, directories, paths...) to adapt the scripts to make them work on OSMC?

[0.kaladin]

I think it'll work but if not just post any output you get here, it'd probably be pretty easy to fix.

[rjotto]

I think it'll work but if not just post any output you get here, it'd probably be pretty easy to fix.

Will do. Thanks for the reply.

[thelatinist]

Any reason this wouldn't work on Ubuntu-MATE (16.04 LTS)?

[alexus]

I'm using Raspberry Pi 3 with Raspbian (jessie):

Code: Select all

root@igla:~# cat /etc/debian_version
8.0
root@igla:~# uname -a
Linux X 4.1.19-v7+ #858 SMP Tue Mar 15 15:56:00 GMT 2016 armv7l GNU/Linux
root@igla:~#

I'm trying to use OpenVPN-Setup: Shell script to set up Raspberry Pi (TM) as an OpenVPN server, per StarshipEngineer/OpenVPN-Setup: Shell script to set up Raspberry Pi (TM) as an OpenVPN server, I did `git clone`, `chmod +x openvpnsetup.sh` and then `sudo ./openvpnsetup.sh`, and then shortly after I connect using Tunnelblick | Free open source OpenVPN VPN client server software for Mac OS X, I got following message:

Warning
After connecting to test, the Internet does not appear to be reachable.
This may mean that your VPN is not configured correctly.

something tells me this is could be why:

Code: Select all

root@igla:/home/pi/OpenVPN-Setup# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 10.0.0.13
root@igla:/home/pi/OpenVPN-Setup# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  10.8.0.0/24          anywhere             to:0.0.0.0
root@igla:/home/pi/OpenVPN-Setup# 

[alexus]

my issue was, iptables for whatever reason had 0.0.0.0 instead of my LOCALIP, as soon as I changed that, everything start to work!)

[jonathan68]

i setup a pivpn box and managed to connect to it correctly using openvpn for mac (which i installed using homebrew)

when i try to connect from another raspberry pi (under exactly the same conditions as the mac) using openvpn (installed via apt-get install openvpn on the second pi) i get errors as shown below (note, i have changed the public facing address and port numbers in this log, for privacy reasons).

Mon May 2 00:25:51 2016 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan 23 2016
Mon May 2 00:25:51 2016 library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08
Mon May 2 00:25:51 2016 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon May 2 00:25:51 2016 Control Channel Authentication: tls-auth using INLINE static key file
Mon May 2 00:25:51 2016 UDPv4 link local: [undef]
Mon May 2 00:25:51 2016 UDPv4 link remote: [AF_INET]12.34.56.78:9012
Mon May 2 01:48:37 2016 [UNDEF] Inactivity timeout (--ping-restart), restarting
Mon May 2 01:48:37 2016 SIGUSR1[soft,ping-restart] received, process restarting
Mon May 2 01:48:39 2016 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon May 2 01:48:39 2016 UDPv4 link local: [undef]
Mon May 2 01:48:39 2016 UDPv4 link remote: [AF_INET]12.34.56.78:9012
Mon May 2 01:49:39 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon May 2 01:49:39 2016 TLS Error: TLS handshake failed
Mon May 2 01:49:39 2016 SIGUSR1[soft,tls-error] received, process restarting
Mon May 2 01:49:41 2016 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon May 2 01:49:41 2016 UDPv4 link local: [undef]
Mon May 2 01:49:41 2016 UDPv4 link remote: [AF_INET]12.34.56.78:9012
Mon May 2 01:50:41 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon May 2 01:50:41 2016 TLS Error: TLS handshake failed
Mon May 2 01:50:41 2016 SIGUSR1[soft,tls-error] received, process restarting
Mon May 2 01:50:43 2016 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon May 2 01:50:43 2016 UDPv4 link l12.34.56.78ocal: [undef]
Mon May 2 01:50:43 2016 UDPv4 link remote: [AF_INET]12.34.56.78:9012
^CMon May 2 01:50:47 2016 event_wait : Interrupted system call (code=4)
Mon May 2 01:50:47 2016 SIGINT[hard,] received, process exiting

i'm using the same .ovpn file as on the mac, which was generate with the nopass option

the same result occurs when i use a .ovpn file made without nopass (eg needs a password), and it's worth noting the the mac CAN connect using an .ovpn file generated without nopass - i made 2 files, they both work on mac, neither work on the pi

both devices are connecting to the internet the same way (on the wifi router) and both devices have normal behaviour when you don't start up a tunnel.

[torbeta]

Thank you for this outstanding contribution. I followed the clear instructions and got immediate success.
I have tried many instruction sets for vpn on Pi. I have achieved PPTP with moderate success but this is in a different league.
To look at current connections with detail go to: /var/log/openvpn-status.log
Thanks again.

Torbeta

[Bofvar]

Hello from me as well,

i have tried to (finally) run a script from StarshipEngineer and the setup seems to run smoothly. I do run on the following error though when i try to create the client certificate:

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Enter pass phrase for Client_Desktop_Bofvar.key:
unable to load Private Key
1996060768:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:516:
1996060768:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:108:
1996060768:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:
1996060768:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:138:
Client�s cert found: Client_Desktop_Bofvar
[ERROR]: Client 3des Private Key not found: Client_Desktop_Bofvar.3des.key

needless to say i've never (tried to) setup a vpn in raspberry pi.

Any input would be appreciated.
Tak!