OpenVPN refuses to start

Status
Not open for further replies.

Dhruv Govil (Dabbler; joined Aug 12, 2013; 11 messages)
Hey guys,
So I was following the guide here [ https://forums.freenas.org/index.ph...g-up-transmission-with-openvpn-and-pia.24566/ ] to get OpenVPN set up on FreeNAS-9.3 [ STABLE-201512121950 ].

I tried it both first with the script and then manually. It looks like my configs are in the right place:

Code:
#  more /usr/local/etc/openvpn/openvpn.conf
client
dev tun
proto udp
remote us-seattle.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-client
remote-cert-tls server
auth-user-pass pass.txt
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.pem


and

Code:
#  more /usr/local/etc/openvpn/pass.txt
PIA_USERNAME
PIA_PASSWORD


Double checked that there are no extraneous spaces.

So I check my external IP and it's the same as my regular IP.
So I start OpenVPN again:

Code:
# /usr/local/etc/rc.d/openvpn start
Starting openvpn.


but then when I check the status:

Code:
# /usr/local/etc/rc.d/openvpn status
openvpn is not running.


Any ideas? Any help at all would be much appreciated.
Cheers and happy New Years!

m0nkey_ (MVP; joined Oct 27, 2015; 2,739 messages)
No idea. What do the logs say? Maybe reply to the original how-to thread or get in contact with the original poster?

Dhruv Govil (Dabbler; joined Aug 12, 2013; 11 messages)
m0nkey_ said:
No idea. What do the logs say? Maybe reply to the original how-to thread or get in contact with the original poster?
Ah yeah, the logs for some reason were not showing anything at first, or I was checking the wrong file for the logs.
Now they're showing an auth failure. Going to try and see if I can remedy that; otherwise I'll post in the thread.

Code:
tail /var/log/messages
Jan  3 21:05:11 transmission_1 openvpn[9590]: SIGTERM[soft,auth-failure] received, process exiting
Jan  4 20:23:49 transmission_1 openvpn[69187]: OpenVPN 2.3.9 amd64-portbld-freebsd9.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Dec 30 2015
Jan  4 20:23:49 transmission_1 openvpn[69187]: library versions: OpenSSL 0.9.8za-freebsd 5 Jun 2014, LZO 2.09
Jan  4 20:23:49 transmission_1 openvpn[69187]: WARNING: file 'pass.txt' is group or others accessible
Jan  4 20:23:49 transmission_1 openvpn[69188]: UDPv4 link local: [undef]
Jan  4 20:23:49 transmission_1 openvpn[69188]: UDPv4 link remote: [AF_INET]104.200.154.32:1194
Jan  4 20:23:49 transmission_1 openvpn[69188]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan  4 20:23:49 transmission_1 openvpn[69188]: [Private Internet Access] Peer Connection Initiated with [AF_INET]104.200.154.32:1194
Jan  4 20:23:51 transmission_1 openvpn[69188]: AUTH: Received control message: AUTH_FAILED
Jan  4 20:23:51 transmission_1 openvpn[69188]: SIGTERM[soft,auth-failure] received, process exiting
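The excerpt above already pins down the failure class that the thread later confirms: "Peer Connection Initiated" means the TLS handshake with the server completed, and the AUTH_FAILED that follows means only the username/password step was rejected, so certificates, DNS and the UDP path are not the problem. The two WARNING lines are separate hygiene findings (a readable credential file, and the password kept in memory). The script below is an added example, not part of the thread; it triages OpenVPN lines out of a syslog file along those lines, and the sample log it writes is the excerpt posted above (hostname, PIDs and timestamps as posted).

```shell
#!/bin/sh
# Added example (not from the thread): classify the OpenVPN lines in a syslog
# file so the failure is understood before anything is changed.

# openvpn_triage LOGFILE: one summary line plus findings on stdout;
# exit status 1 when the server rejected the credentials, 0 otherwise
openvpn_triage() {
    awk '
        # only syslog lines written by an openvpn[PID] process
        /openvpn\[[0-9]+\]:/ {
            if ($0 ~ /Peer Connection Initiated/)                  handshakes++
            if ($0 ~ /AUTH: Received control message: AUTH_FAILED/) auth_failed++
            if ($0 ~ /SIGTERM\[soft,auth-failure\]/)                auth_exits++
            if ($0 ~ /is group or others accessible/)               credfile_perms++
            if ($0 ~ /may cache passwords in memory/)               pw_cache++
        }
        END {
            printf "handshakes=%d auth_failed=%d auth_exits=%d credfile_perms=%d pw_cache=%d\n", handshakes, auth_failed, auth_exits, credfile_perms, pw_cache
            if (credfile_perms) print "FIX: chmod 600 the auth-user-pass file; it is group or world readable"
            if (pw_cache)       print "FIX: add auth-nocache so the password is not kept in process memory"
            if (auth_failed && handshakes) print "DIAG: TLS handshake completed and the server rejected the credentials: check the user/pass file, not certs or routing"
            if (auth_failed) exit 1
        }' "$1"
}

# write_sample_log FILE: the lines posted above (hostname, PIDs and timestamps
# as in the thread), so the triage can be run offline
write_sample_log() {
    cat > "$1" <<'EOF'
Jan  3 21:05:11 transmission_1 openvpn[9590]: SIGTERM[soft,auth-failure] received, process exiting
Jan  4 20:23:49 transmission_1 openvpn[69187]: OpenVPN 2.3.9 amd64-portbld-freebsd9.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Dec 30 2015
Jan  4 20:23:49 transmission_1 openvpn[69187]: library versions: OpenSSL 0.9.8za-freebsd 5 Jun 2014, LZO 2.09
Jan  4 20:23:49 transmission_1 openvpn[69187]: WARNING: file 'pass.txt' is group or others accessible
Jan  4 20:23:49 transmission_1 openvpn[69188]: UDPv4 link local: [undef]
Jan  4 20:23:49 transmission_1 openvpn[69188]: UDPv4 link remote: [AF_INET]104.200.154.32:1194
Jan  4 20:23:49 transmission_1 openvpn[69188]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan  4 20:23:49 transmission_1 openvpn[69188]: [Private Internet Access] Peer Connection Initiated with [AF_INET]104.200.154.32:1194
Jan  4 20:23:51 transmission_1 openvpn[69188]: AUTH: Received control message: AUTH_FAILED
Jan  4 20:23:51 transmission_1 openvpn[69188]: SIGTERM[soft,auth-failure] received, process exiting
EOF
}

# Demo run against the sample; on the box itself: openvpn_triage /var/log/messages
sample=$(mktemp)
write_sample_log "$sample"
openvpn_triage "$sample" || echo "exit status $?: credential failure, see the DIAG line"
rm -f "$sample"
```

The non-zero exit status is deliberate so the function can gate a restart loop or a monitoring check: a credential rejection will not be fixed by restarting the service.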

zoomzoom (Guru; joined Sep 6, 2015; 677 messages)
If you haven't been able to make any headway yet, change the verb level to 7, restart openvpn, then check the log. I recommend leaving the client at verb 7 (though clients can generally get away with 5 if troubleshooting isn't required), as anything lower leaves out crucial info, while anything higher includes info not generally needed.

Depending on what country you live in, you may want to try setting up your own openvpn server (though your purpose may be to hide your WAN IP).
  • An immediate concern [to me at least] is the plain text password file, as it puts all data flowing through the VPN at risk, thereby negating the purpose of a VPN.
    • The recommended way is to utilize SSL certs for authentication and a TLS key for server [HMAC] verification.
  • It also appears PIA is a tad lax in their security offerings, as their current config makes a DoS attack possible (lacking HMAC verification via a TLS key).
  • I am a bit perplexed by crl-verify crl.pem as you're not utilizing certs for authentication, thereby negating the need for a crl within the config.
None of those are meant as criticisms, simply things to be aware of. It could just be the way the copy and paste was applied; however, I've had issues before running scripts and config files if there's not a blank line following the last line of text.
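The points in this reply can be checked mechanically before restarting the daemon: permissions on the credential file, auth-user-pass without auth-nocache, no tls-auth/tls-crypt HMAC layer on the control channel, a verb level too low to see anything, and a missing final newline. The lint below also checks that every file the config names (ca, cert, key, pkcs12, crl-verify, auth-user-pass) actually exists, since a missing file is a common reason the process exits right after "Starting openvpn." This is an added example, not code from the thread or from the guide it follows. Assumptions: a relative file name resolves against the config's own directory (what the FreeBSD rc script's --cd gives you) and OpenVPN's default verb is 1. The sample it writes is a constructed copy of the posted client config with a placeholder pass.txt at mode 0644, an empty ca.crt, no crl.pem and no final newline, so that every check fires.

```shell
#!/bin/sh
# Added example (not code from the thread or the guide it follows): lint an
# OpenVPN client config for the points raised above and for files the config
# names but that do not exist. Assumption: a relative file name resolves
# against the config's own directory (FreeBSD rc script --cd); default verb is 1.

# has_directive CONFIG NAME: true if NAME begins a directive line or an inline <NAME> block
has_directive() {
    grep -Eq "^[[:space:]]*(<)?$2(>|[[:space:]]|\$)" "$1"
}

# directive_arg CONFIG NAME: first argument of the first NAME directive (empty if none)
directive_arg() {
    awk -v name="$2" '$1 == name { print $2; exit }' "$1"
}

# resolve_path DIR NAME: absolute NAME as-is, otherwise DIR/NAME
resolve_path() {
    case $2 in /*) echo "$2" ;; *) echo "$1/$2" ;; esac
}

# group_or_other_readable FILE: true if an r bit is set outside the owner triplet
group_or_other_readable() {
    ls -ld "$1" | cut -c5-10 | grep -q r
}

# lint_ovpn CONFIG: one finding per line; exit status 1 if anything was found
lint_ovpn() {
    cfg=$1; dir=$(dirname "$1"); n=0
    # every file the config points at must exist, or the daemon exits at startup
    for d in ca cert key pkcs12 crl-verify auth-user-pass; do
        f=$(directive_arg "$cfg" "$d")
        [ -n "$f" ] || continue
        f=$(resolve_path "$dir" "$f")
        if [ ! -f "$f" ]; then echo "$d refers to $f, which does not exist"; n=$((n+1)); fi
    done
    if has_directive "$cfg" auth-user-pass; then
        cred=$(directive_arg "$cfg" auth-user-pass)
        if [ -n "$cred" ]; then
            cred=$(resolve_path "$dir" "$cred")
            if [ -f "$cred" ] && group_or_other_readable "$cred"; then
                echo "credential file $cred is group/other readable: chmod 600 it"; n=$((n+1))
            fi
        fi
        if ! has_directive "$cfg" auth-nocache; then
            echo "auth-user-pass without auth-nocache: the password stays in process memory"; n=$((n+1))
        fi
    fi
    if ! has_directive "$cfg" tls-auth && ! has_directive "$cfg" tls-crypt; then
        echo "no tls-auth/tls-crypt: control-channel packets carry no HMAC"; n=$((n+1))
    fi
    verb=$(directive_arg "$cfg" verb)
    if [ "${verb:-1}" -lt 5 ]; then
        echo "verb ${verb:-1}: raise to 5-7 while troubleshooting"; n=$((n+1))
    fi
    if [ -n "$(tail -c1 "$cfg")" ]; then
        echo "no newline after the last line of $cfg"; n=$((n+1))
    fi
    [ "$n" -eq 0 ]
}

# write_sample DIR: constructed copy of the client config posted in this thread,
# a 0644 pass.txt with placeholder values and an empty ca.crt; crl.pem is
# deliberately absent and the config has no final newline, to exercise both checks
write_sample() {
    printf '%s' 'client
dev tun
proto udp
remote us-seattle.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-client
remote-cert-tls server
auth-user-pass pass.txt
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.pem' > "$1/openvpn.conf"
    printf 'PIA_USERNAME\nPIA_PASSWORD\n' > "$1/pass.txt"
    chmod 644 "$1/pass.txt"
    : > "$1/ca.crt"
    echo "$1/openvpn.conf"
}

# Demo against the sample; on the box: lint_ovpn /usr/local/etc/openvpn/openvpn.conf
tmp=$(mktemp -d)
lint_ovpn "$(write_sample "$tmp")" || echo "exit status $?: see findings above"
rm -rf "$tmp"
```

Only the credential-file finding is a security problem in itself; the rest are the things that make the failure hard to see (verb 1) or hard to rule out (a missing referenced file, a stray last line).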

Dhruv Govil (Dabbler; joined Aug 12, 2013; 11 messages)
zoomzoom said:
If you haven't been able to make any headway yet, change the verb level to 7, restart openvpn, then check the log. I recommend leaving the client at verb 7 (though clients can generally get away with 5 if troubleshooting isn't required), as anything lower leaves out crucial info, while anything higher includes info not generally needed.

Depending on what country you live in, you may want to try setting up your own openvpn server (though your purpose may be to hide your WAN IP).
  • An immediate concern [to me at least] is the plain text password file, as it puts all data flowing through the VPN at risk, thereby negating the purpose of a VPN.
    • The recommended way is to utilize SSL certs for authentication and a TLS key for server [HMAC] verification.
  • It also appears PIA is a tad lax in their security offerings, as their current config makes a DoS attack possible (lacking HMAC verification via a TLS key).
  • I am a bit perplexed by crl-verify crl.pem as you're not utilizing certs for authentication, thereby negating the need for a crl within the config.
None of those are meant as criticisms, simply things to be aware of. It could just be the way the copy and paste was applied; however, I've had issues before running scripts and config files if there's not a blank line following the last line of text.
Ah, thanks for the pretty thorough reply.
So I managed to solve it: I was having issues authenticating but managed to resolve it with PIA.

Definitely agree that I'd rather not keep my password in plain text. I'll look into SSL certs. This setup was pretty much just following the guide I linked, which I guess was designed for ease of use and not maximum security.

And yup, I always leave an empty line at the end of my scripts. Too much time in tcsh land wondering why my last line never executes and now I'm just paranoid.

Thanks again for the advice. I'll look further into it.

zoomzoom (Guru; joined Sep 6, 2015; 677 messages)
Dhruv Govil said:
Definitely agree that I'd rather not keep my password in plain text. I'll look into SSL certs. This setup was pretty much just following the guide I linked, which I guess was designed for ease of use and not maximum security.
If your purpose in having the VPN is to hide your WAN IP, you'll have to go through a 3rd-party VPN service; however, if that's not why you need the VPN, you can set up your own OpenVPN server within a jail to route the traffic (which would also provide higher throughput and lower latency).

There are a ton of guides on how to set up an OpenVPN server on FreeBSD, but I will paste the most efficient server config I've been able to come up with after reading all the literature (including the man page) provided by OpenVPN.
  • If you're simply looking to get a server up and running, and not immediately bother with reading the literature and understanding all the possible options, a server/client setup, as well as issuing certs, takes ~30 - 45 min.
    • If you choose to set up your own VPN server, I highly recommend reading the OpenVPN HowTo and man pages, which take about 15 and 45 min, respectively.
Server
Prebuilt OpenVPN-Server.conf
Code:
			##::[[--- OpenVPN Server Config ---]]::##

# --- Protocol ---#
   dev		   tun
   dev		   tun1
   topology	   subnet
   proto	   udp
   port		   1194

#--- Routes ---#
  server	   '10.0.0.0 255.255.255.240'
  ifconfig	   '10.0.0.1 255.255.255.240'	

#--- Client Config ---#
#   ccd_exclusive	   1
#   ifconfig_pool_persist  /etc/openvpn/clients/ipp.txt
#   client_config_dir	   /etc/openvpn/clients/

#--- Pushed Routes ---#
  list  push	   'route 192.168.0.0 255.255.255.0'
  list  push	   'dhcp-option DNS 192.168.0.1'
  list  push	   'dhcp-option WINS 192.168.0.1'
  list  push	   'dhcp-option DNS 8.8.8.8'
  list  push	   'dhcp-option DNS 8.8.4.4'
  list  push	   'dhcp-option NTP 129.6.15.30'

#--- Encryption ---#

  # Diffie-Hellmann:
  dh		   /etc/ssl/certs/openvpn/dh4096.pem

  # PKCS12:
  pkcs12	   /etc/ssl/certs/openvpn/vpn-server.p12

  # SSL:
  cipher	   AES-256-CBC
  auth		   SHA512
  tls_auth	   '/etc/ssl/certs/openvpn/ta.key 0'

  # TLS:
  tls_version_min  1.2
  tls_cipher	   "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256"

#--- Logging ---#
  log_append	   /tmp/openvpn.log
  status	   /tmp/openvpn-status.log
  verb		   7

#--- Connection Options ---#
  keepalive	   "10 120"
  comp_lzo	   yes

#--- Connection Reliability ---#
  client_to_client 1
  persist_key	   1
  persist_tun	   1

#--- Connection Speed ---#  
  sndbuf	   393216
  rcvbuf	   393216
  fragment	   0
  mssfix	   0
  tun_mtu	   48000

#--- Pushed Buffers ---#
  list  push	   'sndbuf 393216'
  list  push	   'rcvbuf 393216'

#--- Permissions ---#
  user		   nobody
  group		   nogroup
# chroot	   /var/chroot-openvpn/

Client
Prebuilt Client.ovpn
Code:
			##::[[--- OpenVPN Client Config ---]]::##

# --- Config Type --- #
  client

# --- Protocol ---#
   dev		   tun
   proto	   udp

# --- Routes --- #
  remote	   your.ddns.com 1194

# --- Encryption --- #
  auth-nocache
  cipher	   AES-256-CBC
  pkcs12	   OpenWRT-VPNclient1.p12

# --- Server Security --- #
  key-direction	1
  remote-cert-tls  server

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PASTE KEY HERE
-----END OpenVPN Static key V1-----
</tls-auth>

# --- Logging --- #
  verb		   5

# --- Connection --- #
  comp-lzo
  float
  nobind
  resolv-retry	   infinite

# --- Connection Reliability --- #
  persist-key
  persist-tun

# --- Connection Speed ---#
  fragment	   0
  mssfix	   0
  tun-mtu	   48000

While the configs and server setups are completely different between FreeBSD and OpenWRT, you can review the Wiki I wrote for OpenWRT, which provides an extremely clear explanation of both client and server configs.

You can also create your own CA [Certificate Authority] and sign and issue certs with OpenSSL by using the following OpenSSL config (required openssl commands included at bottom of config).
  • The main thing you'll need to determine is the encryption level you'll want, as while 2048-bit/AES-256 is uncrackable without a quantum supercomputer, you probably don't need that level of encryption for Transmission. Once you do know, edit the default_bits under [ req ] (line 84), but keep the SHA256 digest.

OpenSSL.cnf
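The OpenSSL.cnf attachment referred to above is not on this page, so as an added example (not the author's config or commands) here is the same job done with plain openssl commands: a private CA, a server certificate with the serverAuth EKU that the clients' "remote-cert-tls server" check requires, a client certificate, the two PKCS#12 bundles the configs above reference (vpn-server.p12 and OpenWRT-VPNclient1.p12), and a ta.key for tls-auth. The function names (build_pki, write_static_key, verify_pki), the CN values, the lifetimes (10-year CA, 5-year leaves) and 2048-bit RSA with SHA-256 are assumptions of this example. The static key is normally generated with `openvpn --genkey --secret ta.key`; here openssl rand writes the same 2048-bit hex body so that only openssl is needed.

```shell
#!/bin/sh
# Added example (not the thread's OpenSSL.cnf, which is not on the page): build
# a private CA with plain openssl commands, issue a server and a client
# certificate, bundle each into the PKCS#12 files the configs above reference
# and write ta.key for tls-auth. CN values, lifetimes and key size are assumed.

# build_pki DIR [BITS]: writes everything under DIR; stops at the first error
build_pki() {
    out=$1; bits=${2:-2048}
    mkdir -p "$out" &&
    # 1. CA key and self-signed CA certificate (basicConstraints CA:TRUE comes
    #    from openssl's default extensions for req -x509)
    openssl req -x509 -newkey "rsa:$bits" -sha256 -nodes -days 3650 \
        -subj '/CN=Example VPN CA' -keyout "$out/ca.key" -out "$out/ca.crt" &&
    # 2. Server key + CSR, signed with serverAuth so the clients'
    #    "remote-cert-tls server" check accepts it
    openssl req -newkey "rsa:$bits" -sha256 -nodes -subj '/CN=vpn-server' \
        -keyout "$out/vpn-server.key" -out "$out/vpn-server.csr" &&
    printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$out/server.ext" &&
    openssl x509 -req -sha256 -days 1825 -in "$out/vpn-server.csr" \
        -CA "$out/ca.crt" -CAkey "$out/ca.key" -CAcreateserial \
        -extfile "$out/server.ext" -out "$out/vpn-server.crt" &&
    # 3. Client key + CSR, signed with clientAuth only, so a leaked client
    #    bundle cannot be used to impersonate the server
    openssl req -newkey "rsa:$bits" -sha256 -nodes -subj '/CN=client1' \
        -keyout "$out/client1.key" -out "$out/client1.csr" &&
    printf 'keyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$out/client.ext" &&
    openssl x509 -req -sha256 -days 1825 -in "$out/client1.csr" \
        -CA "$out/ca.crt" -CAkey "$out/ca.key" -CAcreateserial \
        -extfile "$out/client.ext" -out "$out/client1.crt" &&
    # 4. PKCS#12 bundles (key + cert + CA). No export password so the daemon
    #    can start unattended; file mode 600 is what protects them.
    openssl pkcs12 -export -passout pass: -inkey "$out/vpn-server.key" \
        -in "$out/vpn-server.crt" -certfile "$out/ca.crt" -out "$out/vpn-server.p12" &&
    openssl pkcs12 -export -passout pass: -inkey "$out/client1.key" \
        -in "$out/client1.crt" -certfile "$out/ca.crt" -out "$out/OpenWRT-VPNclient1.p12" &&
    # 5. tls-auth key: 256 random bytes as 16 lines of 32 hex digits
    write_static_key "$out/ta.key" &&
    chmod 600 "$out"/*.key "$out"/*.p12
}

# write_static_key FILE: OpenVPN "Static key V1" file produced with openssl rand
write_static_key() {
    {
        echo '-----BEGIN OpenVPN Static key V1-----'
        i=0
        while [ "$i" -lt 16 ]; do openssl rand -hex 16; i=$((i + 1)); done
        echo '-----END OpenVPN Static key V1-----'
    } > "$1"
}

# verify_pki DIR: both leaves chain to ca.crt, EKUs are as intended, ta.key has
# 16 key lines and both bundles exist; exit status 0 only if everything passes
verify_pki() {
    out=$1
    openssl verify -CAfile "$out/ca.crt" "$out/vpn-server.crt" "$out/client1.crt" >/dev/null &&
    openssl x509 -in "$out/vpn-server.crt" -noout -text | grep -q 'TLS Web Server Authentication' &&
    openssl x509 -in "$out/client1.crt" -noout -text | grep -q 'TLS Web Client Authentication' &&
    [ "$(grep -cv -e '-----' "$out/ta.key")" -eq 16 ] &&
    [ -s "$out/vpn-server.p12" ] && [ -s "$out/OpenWRT-VPNclient1.p12" ]
}

# Demo into a scratch directory; on the server use e.g. build_pki /etc/ssl/certs/openvpn
if command -v openssl >/dev/null 2>&1; then
    scratch=$(mktemp -d)
    build_pki "$scratch" 2>/dev/null && verify_pki "$scratch" 2>/dev/null && echo "PKI built and verified in $scratch"
    ls -l "$scratch"
    rm -rf "$scratch"
fi
```

The 2>/dev/null on the demo only hides OpenSSL 3's deprecation warning for -nodes. Copy vpn-server.p12, ta.key and (for the server config above) a dh4096.pem from `openssl dhparam -out dh4096.pem 4096` to the server; the client gets OpenWRT-VPNclient1.p12 and the ta.key body pasted into the <tls-auth> block with key-direction 1. The CA key stays off both machines.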

Steo (Dabbler; joined Sep 28, 2016; 17 messages)
zoomzoom said:
There are a ton of guides on how to set up an OpenVPN server on FreeBSD, but I will paste the most efficient server config I've been able to come up with after reading all the literature (including the man page) provided by OpenVPN.

Hello ZoomZoom, thank you for your post; it provides really nice and well-ordered configuration files for OpenVPN. I like it and surely I will take advantage of it!

Maybe you can give me your opinion on my situation? I'm having a problem starting OpenVPN in my FreeNAS jail, like the title of this post says.
You can read my post here:

https://forums.freenas.org/index.ph...emote-hosts-via-nat.22873/page-20#post-316867

Thank you in advance!