OpenVPN / openvpn3-linux

OpenVPN 3 Linux client
GNU Affero General Public License v3.0

openvpn3-autoload not working with username/password + killswitch question #65

Closed Danrancan closed 3 years ago

Danrancan commented 3 years ago

I am attempting to run openvpn3 as a client on Ubuntu Server 20.04. First, I want to test and make sure my config/auth file is working properly. So I get the vpn up and running by placing the auth & conf files in the /etc/openvpn3/ directory and running the following commands:

openvpn3 config-import --config /etc/openvpn3/myvpn.conf

which returns a success:

Configuration imported.  Configuration path: /net/openvpn/v3/configuration/05793ae5xde06x54a5xa226x3e77b6e21e45

Then, I run

openvpn3 session-start --config-path /net/openvpn/v3/configuration/05793ae5xde06x54a5xa226x3e77b6e21e45

which also returns a success:

Session path: /net/openvpn/v3/sessions/1d8ee146s168cs48e2sbd0asfbddbdc57d04
Connected

I verify that I am properly connected by going to whatsmyip.org and checking to be sure that my ip has changed to my vpn server's IP. It has! SUCCESS!

BUT NOW, I want to do 3 more things to make my vpn client function as desired.

  1. Ensure that the VPN Client connects to the vpn server upon each boot.
  2. Ensure that the VPN Client automatically reconnects if the ethernet cable is pulled out or the internet connection drops, and then gets plugged back in again/internet goes up again.
  3. Create a kill switch with openvpn3 that blocks all outgoing internet traffic when the VPN client disconnects or goes down.

So far, I am still on step 1, and in regards to this step, I am encountering a strange Warning message. To reproduce this I place the auth_myvpn.txt, myvpn.conf, and myvpn.autoload files into the /etc/openvpn3/autoload/ directory.

My myvpn.conf file is located in /etc/openvpn3/autoload/myvpn.conf, and it looks like this (without the keys & certs):

client
proto udp
nobind
remote 149.28.124.68
port 1194
dev tun
dev-type tun
remote-cert-tls server
tls-version-min 1.2
reneg-sec 604800
auth-user-pass auth_myvpn.txt
verb 3
push-peer-info
resolv-retry infinite
persist-key
persist-tun
keepalive 10 120

My auth_myvpn.txt file is located at /etc/openvpn3/autoload/auth_myvpn.txt and looks like this:

# This the authorization file for your "myvpn" vpn connection. It contains your vpn username on the first uncommented line, and your vpn password on the second uncommented line.
myvpnusernamehere
myvpnpasswordhere

My myvpn.autoload file is located at /etc/openvpn3/autoload/myvpn.autoload and looks like this:

{
    "autostart": true,
    "name": "myvpn",
    "acl": {
        "public": true
    },
    "crypto": {
        "force-aes-cbc": true,
        "tls-params": {
            "cert-profile": "suiteb",
            "min-version": "tls_1_2"
        }
    },
    "tunnel": {
        "ipv6": "no",
        "persist": true,
        "dns-fallback": "google",
        "dns-setup-disabled": false
    },
    "user-auth": {
        "autologin": false,
        "username": "myvpnusernamehere",
        "password": "myvpnpasswordhere"
    }
}

I then run the following command:

openvpn3-autoload --directory /etc/openvpn3/autoload/

which returns

Configuration "myvpn.conf" imported: /net/openvpn/v3/configuration/ca728511xb141x46cdx81a4xc9eba7f18ff4 [public_access]
WARNING: org.freedesktop.DBus.Error.UnknownMethod: No such interface “org.freedesktop.DBus.Properties” on object at path /net/openvpn/v3/sessions/36aa82bcsd10fs4395s9bf2s4c0f5d767e54
WARNING: This configuration may not have been auto-started.

My vpn does not start after this.

Hopefully my question is obvious, but in case it is not here is what I must ask:

  1. What am I doing wrong that causes this error?
  2. What does this error mean?
  3. How can I PROPERLY configure my vpn so that the VPN Client connects to the vpn server upon each boot?
  4. How can I ensure that the VPN Client automatically reconnects if the ethernet cable is pulled out and then plugged back in again?
  5. How can I create a kill switch with openvpn3 that blocks all outgoing internet traffic when the VPN client disconnects or goes down?

Sorry if this post is in the wrong place, but I figured this error/warning message was a good excuse to also ask the developers for some other help. If you can help me solve these issues, I will gladly help you implement the answers into a mini tutorial/example configurations that you can merge into the openvpn3 documentation or man pages.

Thanks for any help and answers you can provide here!

dsommers commented 3 years ago

You are mixing a few things here, which may collide.

In your myvpn.conf try replacing your auth-user-pass auth_myvpn.txt line with just auth-user-pass.

Then in the corresponding .autoload file, remove the whole crypto section. This is going to fail. The defaults in OpenVPN 3 should attempt to use the best settings the server supports.

I would also be cautious with your acl settings too; rather use "set-owner": "username". And in the user-auth section, remove the autologin setting (false is the default value regardless).

So to summarize - your updated .autoload should look something like this:

{
    "autostart": true,
    "name": "myvpn",
    "acl": {
        "set-owner": "my-username"
    },
    "tunnel": {
        "ipv6": "no",
        "persist": true,
        "dns-fallback": "google",
        "dns-setup-disabled": false
    },
    "user-auth": {
        "username": "myvpnusernamehere",
        "password": "myvpnpasswordhere"
    }
}

If this doesn't work, you need to increase logging and check the system logs.

    [root@host:~]# openvpn3-admin log-service --log-level 6

Then (re)start the openvpn3-autoload service and look at the logs:

    [root@host:~]# journalctl --since -30m SYSLOG_IDENTIFIER=net.openvpn.v3.log + SYSLOG_IDENTIFIER=openvpn3-service-logger + SYSLOG_IDENTIFIER=dbus + _SYSTEMD_UNIT=dbus.service + UNIT=dbus.service

In regards to have a kill-switch, that's out-of-scope for OpenVPN, as that's more or less a firewall issue. Basically you could block any traffic going out of your computer on your physical network cards (wired + wlan) unless it is DNS requests (to lookup the IP address of your VPN server hostname) and OpenVPN ports. You may also want to allow NTP traffic too, to ensure clocks are synced, otherwise the SSL/TLS handshake may fail. That is essentially all the ports OpenVPN would need to connect.
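The firewall-based kill switch described in the comment above, written out as an added example (this is not code from the openvpn3-linux project or from the commenter). It emits an nftables ruleset rather than applying it, so the result can be reviewed before loading it as root with `nft -f -`. Assumptions: nftables is installed, the tunnel device created by openvpn3 is named tun0 (check `ip link` on your host), and the server address, port and protocol are the ones from the example config earlier in the thread.

```shell
#!/bin/sh
# Added example, not part of openvpn3-linux: print an nftables ruleset that
# drops all locally generated egress traffic except what OpenVPN itself needs
# (DNS, NTP, the VPN server port) and anything already inside the tunnel.
# Assumes nftables and a tunnel interface name such as tun0.

gen_killswitch_ruleset() {
    vpn_host="$1"    # VPN server IPv4 address (the `remote` line)
    vpn_port="$2"    # VPN server port (the `port` line)
    vpn_proto="$3"   # udp or tcp (the `proto` line)
    tun_if="$4"      # tunnel interface created by openvpn3 (assumed tun0)

    if [ -z "$vpn_host" ] || [ -z "$vpn_port" ] || [ -z "$tun_if" ]; then
        echo "usage: gen_killswitch_ruleset <server-ip> <port> <udp|tcp> <tun-if>" >&2
        return 2
    fi
    case "$vpn_proto" in
        udp|tcp) ;;
        *) echo "protocol must be udp or tcp" >&2; return 2 ;;
    esac

    # The inet family covers IPv4 and IPv6 in one table. No rule below accepts
    # IPv6, so IPv6 egress is dropped entirely, which matches the
    # "ipv6": "no" setting in the .autoload file.
    cat <<EOF
table inet vpn_killswitch {
    chain output {
        type filter hook output priority 0; policy drop;

        # loopback and everything that already goes through the tunnel
        oif lo accept
        oifname "$tun_if" accept

        # DNS, so the VPN server hostname can still be resolved
        udp dport 53 accept
        tcp dport 53 accept

        # NTP, so the clock stays correct for the TLS handshake
        udp dport 123 accept

        # the OpenVPN control/data channel itself
        ip daddr $vpn_host $vpn_proto dport $vpn_port accept

        # everything else leaving a physical interface hits "policy drop"
    }
}
EOF
}

# Print the ruleset when run directly with four arguments, e.g.
#   sh killswitch.sh 149.28.124.68 1194 udp tun0 | sudo nft -f -
if [ "$#" -eq 4 ]; then
    gen_killswitch_ruleset "$@"
fi
```

Two caveats worth keeping in mind: the `output` hook only sees traffic generated on this host, so a box that also forwards traffic for others needs matching rules on the `forward` hook; and allowing port 53 on the physical interfaces means DNS queries still leave the host in the clear while the tunnel is down. If the config uses an IP address in `remote` (as the one in this thread does), the DNS rules can be removed or narrowed to the single resolver you rely on.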

Danrancan commented 3 years ago

Thank you so much! This fixed things (mostly). I just have one more problem. After running openvpn3-autoload --directory /etc/openvpn3/autoload/ (and it works), openvpn3 does not automatically start after a reboot or after the cable is disconnected & reconnected, even with the resolv-retry infinite directive present. Is there a way to make this autostart on boot and after disconnect (without using cron)?

Finally, what type of ownership and permissions should I be using for my myvpn.conf and my myvpn.autoload files? Should they be owned by root or by my home user? I'm assuming chmod 600 myfiles.* would be a good command for both files after I change ownership, correct?

Thanks for all the help and clarifications!

dsommers commented 3 years ago

To start OpenVPN sessions during boot, you need to enable the openvpn3-autoload service via systemctl:

 [root@host:~]# systemctl enable openvpn3-autoload.service

Files in /etc/openvpn3/autoload should be owned and be readable only by root.

To better understand how OpenVPN 3 Linux handles ownership of configuration files and VPN sessions, please have a look at the openvpn3-config-acl(1) and openvpn3-session-acl(1) man pages. OpenVPN 3 Linux supports management of configurations and sessions on multi-user environments out-of-the box.
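Since the `.autoload` file in this thread carries the VPN username and password in cleartext, the ownership rule in the comment above is worth checking mechanically. The following is an added example (not openvpn3-linux code) that walks a directory and reports any file that is not owned by the expected user or is readable by anyone else. It assumes GNU coreutils `stat -c`, which is what Ubuntu ships; the optional second argument exists so the check can be exercised on a scratch directory without root.

```shell
#!/bin/sh
# Added example, not part of openvpn3-linux: verify that every file in an
# autoload directory is owned by the expected user (root by default) and has
# mode 600 or 400, i.e. is readable only by its owner. Assumes GNU stat.

check_autoload_perms() {
    dir="${1:-/etc/openvpn3/autoload}"   # directory to inspect
    want_owner="${2:-root}"              # expected owner (root on a real host)
    rc=0

    for f in "$dir"/*; do
        [ -e "$f" ] || continue          # empty directory: unexpanded glob
        owner=$(stat -c '%U' "$f")
        mode=$(stat -c '%a' "$f")

        if [ "$owner" != "$want_owner" ]; then
            echo "BAD owner: $f is owned by $owner, expected $want_owner" >&2
            rc=1
        fi
        case "$mode" in
            600|400) ;;
            *)
                echo "BAD mode: $f is $mode, expected 600 or 400" >&2
                rc=1
                ;;
        esac
    done
    return $rc
}

# Run the check on the real directory when executed directly, e.g.
#   sudo sh check_autoload.sh && echo "autoload files look fine"
if [ "$#" -eq 0 ] && [ -d /etc/openvpn3/autoload ]; then
    check_autoload_perms /etc/openvpn3/autoload root
fi
```

On a real host the fix for a reported file is `chown root:root` followed by `chmod 600`, which is the state the maintainer recommends above.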

Danrancan commented 3 years ago

This solved my issues. To any other users reading this, let it be known that the command sudo systemctl enable openvpn3-autoload.service not only auto-connects openvpn3 on boot, but also automatically reconnects openvpn3 if wifi or ethernet is disconnected and reconnected again.

Thank you so much for all of your help @dsommers ! Muchas gracias, amigo!

dsommers commented 3 years ago

Closing as resolved.