Closed Danrancan closed 3 years ago
You are mixing a few things here, which may collide.

In your `myvpn.conf`, try replacing your `auth-user-pass auth_myvpn.txt` line with just `auth-user-pass`.

Then in the corresponding `.autoload` file, remove the whole `crypto` section. This is going to fail. The defaults in OpenVPN 3 should attempt to use the best settings the server supports.

I would also be cautious with your `acl` settings too; rather use `"set-owner": "username"`. And in the `user-auth` section, remove the `autologin` setting (`false` is the default value regardless).

So to summarize - your updated `.autoload` should look something like this:

```json
{
  "autostart": true,
  "name": "myvpn",
  "acl": {
    "set-owner": "my-username"
  },
  "tunnel": {
    "ipv6": "no",
    "persist": true,
    "dns-fallback": "google",
    "dns-setup-disabled": false
  },
  "user-auth": {
    "username": "myvpnusernamehere",
    "password": "myvpnpasswordhere"
  }
}
```

If this doesn't work, you need to increase logging and check the system logs.

```
[root@host:~]# openvpn3-admin log-service --log-level 6
```

Then (re)start the `openvpn3-autoload` service and look at the logs:

```
[root@host:~]# journalctl --since -30m SYSLOG_IDENTIFIER=net.openvpn.v3.log + SYSLOG_IDENTIFIER=openvpn3-service-logger + SYSLOG_IDENTIFIER=dbus + _SYSTEMD_UNIT=dbus.service + UNIT=dbus.service
```

In regards to having a kill-switch, that's out of scope for OpenVPN, as that's more or less a firewall issue. Basically you could block any traffic going out of your computer on your physical network cards (wired + wlan) unless it is DNS requests (to look up the IP address of your VPN server hostname) and OpenVPN ports. You may also want to allow NTP traffic too, to ensure clocks are synced, otherwise the SSL/TLS handshake may fail. That is essentially all the ports OpenVPN would need to connect.
Thank you so much! This fixed things (mostly). I just have one more problem. After running `openvpn3-autoload --directory /etc/openvpn3/autoload/` (and it works), openvpn3 does not automatically start after a reboot or after the cable is disconnected & reconnected, even with the `resolv-retry infinite` directive present. Is there a way to make this autostart on boot and after disconnect (without using cron)?

Finally, what type of ownership and permissions should I be using for my `myvpn.conf` and my `myvpn.autoload` files? Should they be owned by root or by my home user? I'm assuming `chmod 600 myfiles.*` would be a good command for both files after I change ownership, correct?

Thanks for all the help and clarifications!
To start OpenVPN sessions during boot, you need to enable the `openvpn3-autoload` service via `systemctl`:

```
[root@host:~]# systemctl enable openvpn3-autoload.service
```

Files in `/etc/openvpn3/autoload` should be owned and be readable only by root.

To better understand how OpenVPN 3 Linux handles ownership of configuration files and VPN sessions, please have a look at the openvpn3-config-acl(1) and openvpn3-session-acl(1) man pages. OpenVPN 3 Linux supports management of configurations and sessions in multi-user environments out of the box.
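As an added illustration (not code from this thread or from OpenVPN 3 Linux), a small Python pre-flight check for `.autoload` files that applies the advice in the two replies above: it flags a `crypto` section, a `user-auth.autologin` key, a missing `acl.set-owner`, and any file in the autoload directory that is not root-owned with mode 0600. The key names come from the example `.autoload` above; the sample with a `crypto` section is constructed.

```python
import json, os, stat

# Checks encode this thread's advice: drop "crypto", drop "user-auth.autologin",
# keep "acl.set-owner", and keep files under /etc/openvpn3/autoload owned by and
# readable only by root (the .autoload carries a plaintext VPN password).

def lint_autoload(text):
    # Return findings for one .autoload JSON document; an empty list is clean.
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return ["invalid JSON: %s" % exc]
    findings = []
    if "crypto" in cfg:
        findings.append("remove 'crypto'; OpenVPN 3 negotiates defaults with the server")
    if "autologin" in cfg.get("user-auth", {}):
        findings.append("remove 'user-auth.autologin' (false is already the default)")
    if "set-owner" not in cfg.get("acl", {}):
        findings.append("'acl' has no 'set-owner'; name the user who owns the session")
    if cfg.get("autostart") is not True:
        findings.append("'autostart' is not true; the session will not start at boot")
    if not cfg.get("name"):
        findings.append("'name' is missing or empty")
    return findings

def perm_findings(uid, mode):
    # Findings for owner uid and st_mode bits; anything but root/0600 is flagged.
    findings = []
    if uid != 0:
        findings.append("not owned by root (uid %d)" % uid)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %s is open to group/other; use 0600" % oct(mode & 0o777))
    return findings

def check_autoload_dir(directory="/etc/openvpn3/autoload"):
    # Per-file report for a real autoload directory; run as root to read everything.
    report = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.stat(path)
        issues = perm_findings(st.st_uid, st.st_mode)
        if name.endswith(".autoload"):
            with open(path) as fh:
                issues += lint_autoload(fh.read())
        report[path] = issues
    return report

# Constructed sample: the thread's example plus the two items dsommers said to drop.
SAMPLE_BAD = json.dumps({"autostart": True, "name": "myvpn", "acl": {"set-owner": "my-username"},
    "crypto": {"cipher": "AES-256-GCM"}, "user-auth": {"autologin": False, "username": "u", "password": "p"}})
```

Running `check_autoload_dir()` as root prints nothing useful by itself; inspect the returned dict, where an empty list per path means the file matches the advice above.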
This solved my issues. To any other users reading this, let it be known that the command `sudo systemctl enable openvpn3-autoload.service` not only auto-connects openvpn3 on boot, but also automatically reconnects openvpn3 if wifi or ethernet is disconnected and reconnected again.

Thank you so much for all of your help @dsommers! Many thanks, friend!

Closing as resolved.
I am attempting to run openvpn3 as a client on Ubuntu Server 20.04.

1) First, I want to test and make sure my config/auth file is working properly. So I get the vpn up and running by placing the auth & conf files in the `/etc/openvpn3/` directory and running the following commands:

which returns a success:

Then, I run

which also returns a success:

I verify that I am properly connected by going to whatsmyip.org and checking to be sure that my IP has changed to my VPN server's IP. It has! SUCCESS!

BUT NOW, I want to do 3 more things to make my vpn client function as desired.

So far, I am still on step 1, and in regards to this step, I am encountering a strange Warning message. To reproduce this I place the `auth_myvpn.txt`, `myvpn.conf`, and `myvpn.autoload` files into the `/etc/openvpn3/autoload/` directory.

My `myvpn.conf` file is located in `/etc/openvpn3/autoload/myvpn.conf`, and it looks like this (without the keys & certs):

My `auth_myvpn.txt` file is located at `/etc/openvpn3/autoload/auth_myvpn.txt` and looks like this:

My `myvpn.autoload` file is located at `/etc/openvpn3/autoload/myvpn.autoload` and looks like this:

I then run the following command:

which returns

My vpn does not start after this.

Hopefully my question is obvious, but in case it is not, here is what I must ask:

Sorry if this post is in the wrong place, but I figured this error/warning message was a good excuse to also ask the developers for some other help. If you can help me solve these issues, I will gladly help you implement the answers into a mini tutorial/example configurations that you can merge into the openvpn3 documentation or man pages.

Thanks for any help and answers you can provide here!