How do I get OpenVPN to connect to privateinternetaccess

I am trying to install security/openvpn so I can connect to:

https://www.privateinternetaccess.com/

They have a client install package for Windows, Mac, Android, and Linux, but not FreeBSD

I have OpenVPN installed, I have a user name and password for the VPN service, but I am not sure how to connect.

This is what I have tried:

Code:
# ping privateinternetaccess.com

PING privateinternetaccess.com (72.52.9.107): 56 data bytes
64 bytes from 72.52.9.107: icmp_seq=0 ttl=242 time=35.483 ms

# pkg install openvpn
# mkdir /usr/local/etc/openvpn
# cd /usr/local/etc/openvpn
# fetch http://www.tf.uni-kiel.de/rbg/vpn/conf/ovpn-conf.zip
# unzip ovpn-confs.zip
# rm ovpn-confs.zip
# openvpn /usr/local/etc/openvpn/TF-normal.ovpn
# openvpn --dev tun --remote host 72.52.9.107

Wed Dec 23 16:51:26 2015 OpenVPN 2.3.8 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Dec  8 2015
Wed Dec 23 16:51:26 2015 library versions: OpenSSL 1.0.1p-freebsd 9 Jul 2015, LZO 2.09
Wed Dec 23 16:51:26 2015 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
Wed Dec 23 16:51:26 2015 RESOLVE: Cannot resolve host address: host: hostname nor servname provided, or not known
Wed Dec 23 16:51:26 2015 TUN/TAP device /dev/tun0 opened
Wed Dec 23 16:51:26 2015 RESOLVE: Cannot resolve host address: host: hostname nor servname provided, or not known
 
Looking at openvpn(8) and your output
cannot resolve host address: host

I'd wager you'd want to run:
openvpn --dev tun --remote 72.52.9.107

However I suspect you have some configuration to do first.
******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
 
Here is what I get:

# openvpn --dev tun --remote 72.52.9.107
Code:
Thu Dec 24 09:28:18 2015 OpenVPN 2.3.8 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Dec  8 2015
Thu Dec 24 09:28:18 2015 library versions: OpenSSL 1.0.1p-freebsd 9 Jul 2015, LZO 2.09
Thu Dec 24 09:28:18 2015 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
Thu Dec 24 09:28:18 2015 TUN/TAP device /dev/tun0 opened
Thu Dec 24 09:28:18 2015 UDPv4 link local (bound): [undef]
Thu Dec 24 09:28:18 2015 UDPv4 link remote: [AF_INET]72.52.9.107:1194


After that, it seems to hang. I do not get a prompt. So am I connected?

If so, what do I do so that my internet sessions are private? I entered that as root, but I am using my browser as a user.

I also put these two lines in /etc/rc.conf

Code:
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/TF-normal.ovpn"

When my system booted up, I was asked for an openvpn login name, and password. Do they want the login that PIA sent me? I did not have that available, so entered nonsense.
 
> Here is what I get:
>
> # openvpn --dev tun --remote 72.52.9.107
> Code:
> Thu Dec 24 09:28:18 2015 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext

You do realise that message means your connection is not encrypted right? Which means there is nothing private about the connection whatsoever.

> When my system booted up, I was asked for an openvpn login name, and password. Do they want the login that PIA sent me? I did not have that available, so entered nonsense.

I would expect authentication to require the correct username and password. Would you expect your email login to work if you entered gibberish? Of course not.

Sorry but I know nothing about openvpn, nor the service you are attempting to use. I just know how to read a manpage (most of the time :rolleyes: anyway).
You may get more help on an openvpn mailing list or contacting this private internet service.

But first, I would try entering the correct authentication information........
 
> I would expect authentication to require the correct username and password. Would you expect your email login to work if you entered gibberish? Of course not.

But at the login, I would not expect openvpn to know anything about PIA, so why use PIA credentials?

Also, I figured that if I launched openvpn later, it would re-prompt for login.
 
The contents of that file are:

Code:
client
dev tun
proto tcp
remote vpngw.tf.uni-kiel.de 1194
resolv-retry infinite
nobind
persist-tun
persist-key
persist-local-ip
persist-remote-ip
tls-remote vpngw.tf.uni-kiel.de
<chop>
reneg-sec 0
auth-user-pass
auth-nocache
comp-lzo
verb 4

Indicating you want to connect with vpngw.tf.uni-kiel.de at startup (which resolves to 134.245.247.78 AKA Faculty of Engineering at Kiel University, Germany), so it appears you are not trying to connect to PIA with this config.

I would further guess the auth-user-pass is why you are being asked for credentials when the service starts.

Where on privateinternet's site are the instructions that told you to download that specific zipfile?
I'm thinking you are trying to connect to a completely different entity.

You could try (and again, I'm guessing) replacing the vpngw.tf.uni-kiel.de with 72.52.9.107 and see if that gets you anywhere, restart the openvpn service, enter the credentials you have and see what happens.
 
Okay made the change to file, and tried this:

# openvpn --config /usr/local/etc/openvpn/TF-normal.ovpn

I get prompted for name, and password, I enter what was provided by PIA.

I end up with this message constantly repeated:

Code:
Thu Dec 24 19:26:25 2015 us=23274 TCP: connect to [AF_INET]72.52.9.107:1194 failed, will try again in 5 seconds: Connection refused

Before I am prompted to log in, I get this:

Code:
Thu Dec 24 19:25:47 2015 us=127246 OpenVPN 2.3.8 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Dec  8 2015

Is this looking for IPv6? Because I am using IPv4.
 
> I just know how to read a manpage (most of the time :rolleyes: anyway).

I can usually read a man page. But I am not seeing details about how to build a client configuration file. I wish I knew where I could find such details.
 
OK, maybe try a server from this page. It looks like they don't give out any information on how to connect to them, so I would guess that is burnt into the software they supply to you. It may be that their software is the only thing that connects with their vpn too ... if they have specific certificates embedded in the software for example, there's no way we'd know.

OpenVPN is using an IPv4 address going by the earlier message, I think it's just IPv6 enabled also.
 
> I just know how to read a manpage (most of the time :rolleyes: anyway).

> I can usually read a man page. But I am not seeing details about how to build a client configuration file. I wish I knew where I could find such details.

Surprisingly all the client configuration options are the command line options but with the leading dashes removed. So if you write --remote on the command line the option becomes remote in the configuration file.
 
walterbyrd

I don't know if you have resolved this already but see below the setup for PIA. I think the config file you use may not be correct in some respects. You don't disclose the full setup so I wrote a brief guide


I got the OpenVPN and PIA setup info from

- openvpn.net website

- and the PIA linux setup files at https://www.privateinternetaccess.com/pages/client-support/

- and http://www.freebsddiary.org/openvpn.php


Assuming you
- already have a valid PIA username and password
- you've installed security/openvpn package or port on FreeBSD
- you want to run PIA openvpn from boot up (if you wish to run when needed you will have to execute the openvpn.conf file from command line as and when needed)

Add this to /etc/rc.conf to run openvpn(8)
Code:
# To enable openvpn from start up with tun activated
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
#this last line specifies where you will set up the openvpn config file as indicated below

Copy the ca.crt and crl.pem files to /etc/ or wherever you wish to store them (this you get from the Linux PIA downloads or whatever link the PIA support guys have sent you)

Create a password_pia file in /etc

Enter your user name and password into the password file on separate lines, like so
Code:
username
password

Make sure there is nothing else in the password file
Use chmod 600 password_pia to make it readable by root only

SEE the PIA config sample file below; I've added comments to explain it a bit

Code:
#your PIA clientconfig file under /usr/local/etc/openvpn/openvpn.conf
client
dev tun

#make sure the correct protocol is used
proto udp

# use the vpn server of your choice; rather put the name of the server in than the IP address; the ip addresses change frequently
remote aus.privateinternetaccess.com 1194

resolv-retry infinite
nobind
persist-key
persist-tun

# copy the ca.crt files to wherever you wish to store them in /etc or in the config directory but indicate here where to find the file example:
#ca /etc/ca.crt
#crl-verify /etc/crl.pem
ca ca.crt
crl-verify crl.pem

tls-client
remote-cert-tls server

#indicate where you have stored the password file if you want to log in from boot example:

# auth-user-pass /etc/password_pia.txt
# and make it only readable by root with: chmod 600 filename
auth-user-pass

#this suppresses the caching of the password and user name
auth-nocache

comp-lzo
verb 1
reneg-sec 0

To start and test the PIA client enter in terminal via sudo or as root
#openvpn --config /path/to/openvpn/config/file

Hope this helps
 
> I am working on writing up a How-To. Need to get the formatting right and testing the detail as I go so anyone can use it. Will post to that section once done.

I'd be happy to test that, if you like. I must admit I have ulterior motives as I need to control our users traffic more stringently, so being able to tag this means I can dump it into the unprivileged bucket of bandwidth.
 
Perhaps I missed something in scanning the above posts, but I'm pretty sure you need to log in to all paid services like that. I've used similar and it was just a regular OpenVPN configuration which I could manage in a file. The thing to remember with that is that if you're using OpenVPN as a package it probably won't work because it doesn't allow saving your password. You need to compile it from ports and check that option.

Note: openvpn.auth and openvpn.conf are in /usr/local/etc/openvpn.
 

> Perhaps I missed something in scanning the above posts, but I'm pretty sure you need to log in to all paid services like that. I've used similar and it was just a regular OpenVPN configuration which I could manage in a file. The thing to remember with that is that if you're using OpenVPN as a package it probably won't work because it doesn't allow saving your password. You need to compile it from ports and check that option.
>
> Note: openvpn.auth and openvpn.conf are in /usr/local/etc/openvpn.

PIA is a paid VPN service. Once you purchase the VPN service online they will supply you with the username and you choose the password. The username and password is entered and saved in the set up file as per the configuration set up - see post above. OpenVPN configuration is pointed toward the file containing the username and password.
 
> I'd be happy to test that, if you like. I must admit I have ulterior motives as I need to control our users traffic more stringently, so being able to tag this means I can dump it into the unprivileged bucket of bandwidth.

I have uploaded a more detailed How-To under the How-To section. The unmoderated title is "HOW-TO Set up a Privateinternetaccess client on OpenVPN". The thread awaits moderation.
 

> PIA is a paid VPN service. Once you purchase the VPN service online they will supply you with the username and you choose the password. The username and password is entered and saved in the set up file as per the configuration set up - see post above. OpenVPN configuration is pointed toward the file containing the username and password.

Sorry, I thought that's what I said. I am quite familiar with your situation. :) So now you need to have OpenVPN be allowed to use that password. If you installed OpenVPN as a package, it won't.
 
OK, I've not yet subscribed, but here's a few suggestions I have, just reading through it.
Remove 2.1

2.2 mkdir -p may be less problematic for new folk.

2.3 Use what's in base:
fetch --no-verify-peer https://www.privateinternetaccess.com/openvpn/openvpn.zip

2.4 Don't copy into /etc/somewhere which belongs to base related things, but rather /usr/local/etc/somewhere where locally installed related things go.

4 No need to touch the file into existence, ee and nano will create it.
4 File perm 600 is rw, did you mean 400 (although it bugs me when I edit a file and can't save it)

5 Maybe instead of downloading the zip (step 2) to one place and copying the single file the user wants to the /usr/local/etc/openvpn directory, just create, download and unzip everything directly into /usr/local/etc/openvpn. In which case you could collapse 2.1-2.4 into this:
mkdir -p /usr/local/etc/openvpn
fetch --no-verify-peer https://www.privateinternetaccess.com/openvpn/openvpn.zip -o - | tar xzvf - -C /usr/local/etc/openvpn
The side-benefit of this is you can anchor the file locations in your openvpn.conf for ca, crl-verify and auth-user-pass. I would assume a novice user isn't going to care and an advanced user will adapt to suit their own needs. I don't see that ca.crt and crl.pem need special treatment as they are world-readable from the web.
5 Consider not calling the conf file openvpn.conf but pia.conf as it's specific to connecting to pia and not openvpn.

(tested only in my brain, YMMV)
 
> To start and test the PIA client enter in terminal via sudo or as root
> #openvpn --config /path/to/openvpn/config/file
>
> Hope this helps

I get an error I can't figure out when I run this

I followed the rest of the "how to" guide, felt kind of ready but I got this message:
Code:
Options error: Unrecognized option or missing parameter(s) in /usr/local/etc/openvpn/openvpn.conf:11: es (2.3.8)

And I can't figure out what this mean. Any ideas? This is the config file
Code:
#your PIA clientconfig file under /usr/local/etc/openvpn/openvpn.conf
client
dev tun

proto udp
# use the vpn server of your choice; rather put the name of the server in then the IP address; the ip addresses change frequently
remote us-east.privateinternetaccess.com

# you can add other servers here and comment them out in case you want to change servers later ▒~@~S you can do this as your username and password stays the same. But only use one server at a tim
#remote aus.privateinternetaccess.com 1194
#remote us-west.privateinternetaccess.com 1194
#remote russia.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun

# copy the ca.crt files to wherever you wish to store them in /etc or in the config directory but indicate here where to find the file example:
#ca /etc/pia_openvpn/ca.crt
#crl-verify /etc/pia_openvpn/crl.pem
ca  etc/pia_openvpn/ca.crt
crl-verify  etc/pia_openvpn/crl.pem


tls-client
remote-cert-tls server

#indicate where you have stored the password file if you want to log in from boot example:
# auth-user-pass /etc/pia_openvpn/password_pia.txt
# and make it only readable by root with: chmod 600 filename

auth-user-pass /etc/pia_openvpn/password_pia.txt

#this suppresses the caching of the password and user name
 
My guess, it's either the relative paths for ca and crl-verify (try ca /etc/...., crl-verify /etc....) or the funky characters on the line that starts with
Code:
# you can add o

Also looking at the guide, the line
Code:
remote us-east.privateinternetaccess.com
should have an 1194 at the end.

Hope that helps
 
Hi JonasNico

I agree with leebrown66: the syntax on the server needs the 1194 at the end, and the absolute paths to the certificate files are missing the / character in front of the path name. Just make sure the files are where the references are pointing to.
It should solve the problem!
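
The checks the last replies apply by eye (relative ca/crl-verify paths, stray non-ASCII bytes in a line, a remote line with no port), plus a permission check on the auth-user-pass file, written as an added example that is not part of the original thread or of OpenVPN. The function name lint_ovpn and the sample config are constructed for illustration; the sample is modelled on the config posted above.

```shell
#!/bin/sh
# lint_ovpn FILE: print one finding per line for the client-config mistakes
# diagnosed in this thread. Hypothetical helper, not an OpenVPN tool.
lint_ovpn() {
    LC_ALL=C awk '
        { l = $0; gsub(/\t/, " ", l) }
        l ~ /[^ -~]/ { printf "line %d: non-ASCII or control bytes\n", NR }
        l ~ /^ *[#;]/ || NF == 0 { next }      # comments and blank lines
        $1 == "remote" && NF < 3 { printf "line %d: remote has no explicit port\n", NR }
        $1 ~ /^(ca|crl-verify|auth-user-pass)$/ && NF > 1 && $2 !~ /^\// {
            printf "line %d: %s path is relative: %s\n", NR, $1, $2 }
        $1 ~ /^(ca|secret|pkcs12)$/ { keyed = 1 }
        END { if (!keyed) print "no ca/secret/pkcs12 line: no key material configured" }
    ' "$1"
    # A credentials file named by auth-user-pass must not be group/other accessible.
    cred=$(awk '$1 == "auth-user-pass" && NF > 1 { print $2; exit }' "$1")
    if [ -n "$cred" ] && [ -f "$cred" ]; then
        [ "$(ls -ld "$cred" | cut -c5-10)" = "------" ] ||
            echo "credentials file $cred is accessible beyond its owner"
    fi
}

# Constructed sample (not a real PIA file), written to a temporary directory.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'username\npassword\n' > "$demo/password_pia.txt"
chmod 644 "$demo/password_pia.txt"
cat > "$demo/openvpn.conf" <<EOF
client
dev tun
proto udp
remote us-east.privateinternetaccess.com
# change servers later – your username stays the same
ca etc/pia_openvpn/ca.crt
crl-verify etc/pia_openvpn/crl.pem
auth-user-pass $demo/password_pia.txt
EOF
lint_ovpn "$demo/openvpn.conf"
```

OpenVPN falls back to port 1194 when remote names no port, so that finding is informational; the relative-path and permission findings are the ones that change behaviour.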
 