NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
arpanj2
Nov 14, 2014Tutor
Installing and running OpenVPN @ boot - PrivateInternetAcces
Hi All, I have been trying to install OpenVPN and use PrivateInternetAccess (PIA) as my VPN Server on my ReadyNAS for a while now - my prime usecase was that I wanted all the connection to be encry...
- Nov 01, 2015
Thanks to arpanj2 for starting the thread. I've found there are better and easier ways to do a few things which may have saved people some frustration. I hope this helps! If anyone wants to merge my suggestions with the original to create a definitive post, they're most welcome. Here are my changes:
Step 5: It's probably a good idea to retrieve new lists of packages so that you fetch the latest version of openvpn:
# apt-get update
... # apt-get install openvpnIf you want an easier to use text editor, now is a good time to install nano:
# apt-get install nano
Step 8: If you installed nano, you probably want to use it:
# nano userpass.file
...Step 9 is where I depart a bit; I prefer to keep the unzipped PIA .ovpn files unmodified. Instead, I create a copy of my preferred PIA site then edit it as directed:
# cp France.ovpn My.ovpn
...Or, if you like one-liners:
# sed s/"auth-user-pass"/"auth-user-pass userpass.file"/ France.ovpn > My.ovpn
Steps 10 through 13a: There is no need to create a script or a cron job!!!
New Step 10: Let's now test our config file by running OpenVPN in the background:
# openvpn My.ovpn &
You'll see console output which looks something like this:
[1] 6938
root@hostname:/etc/openvpn# Sun Nov 1 01:26:49 2015 OpenVPN 2.2.1 arm-linux-gnueabi [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec 1 2014
Sun Nov 1 01:26:49 2015 WARNING: file 'userpass.file' is group or others accessible
Sun Nov 1 01:26:49 2015 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Nov 1 01:26:49 2015 LZO compression initialized
Sun Nov 1 01:26:49 2015 RESOLVE: NOTE: france.privateinternetaccess.com resolves to 13 addresses
Sun Nov 1 01:26:49 2015 UDPv4 link local: [undef]
Sun Nov 1 01:26:49 2015 UDPv4 link remote: [AF_INET]108.61.122.156:1194
Sun Nov 1 01:26:49 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Nov 1 01:26:51 2015 [Private_Internet_Access] Peer Connection Initiated with [AF_INET]108.61.122.156:1194
Sun Nov 1 01:26:53 2015 TUN/TAP device tun0 opened
Sun Nov 1 01:26:53 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
...
Sun Nov 1 01:26:53 2015 Initialization Sequence CompletedIt might look as though you don't have a prompt, but you do. Just hit enter a to get a fresh one.
New Step 11: Check the vpn is running with ifconfig:
# ifconfig
...and do whatever testing you need with your applications.
New Step 12: Find the job you created earlier and send it a TERM signal with the kill command:
root@hostname:/etc/openvpn# jobs [1]+ Running openvpn My.ovpn & root@hostname:/etc/openvpn# kill -term %1 Sun Nov 1 02:23:54 2015 event_wait : Interrupted system call (code=4) root@hostname:/etc/openvpn# Sun Nov 1 02:23:54 2015 /sbin/ifconfig tun0 0.0.0.0 Sun Nov 1 02:23:54 2015 SIGTERM[hard,] received, process exiting [1]+ Done openvpn My.ovpn root@hostname:/etc/openvpn#
New Step 13: Once you're happy with your configuration file, rename it to something ending in '.conf':
# mv My.ovpn client.conf
New Step 14: Start the OpenVPN init script:
# /etc/init.d/openvpn start
[ ok ] Starting openvpn (via systemctl): openvpn.service.That's it, you're done! As installed by default on my RN104, the OpenVPN init script looks for .conf files in the default /etc/openvpn directory where we unzipped the PIA files and did everything else. The OpenVPN init script is also set by default to start with the other services at runlevels 2-5. This means the init script will start a connection using your .conf file when the system reboots.
If you're like me, and prefer to access your ReadyNAS from the outside world using port forwarding configured on a router, you'll notice that turning on OpenVPN breaks remote access. I'll write another reply soon with directions on how to configure IP rules and routes on your ReadyNAS so that your port forwarding setup will function properly.
Until then, TTFN!
jungleboydotca
Nov 01, 2015Initiate
Thanks to arpanj2 for starting the thread. I've found there are better and easier ways to do a few things which may have saved people some frustration. I hope this helps! If anyone wants to merge my suggestions with the original to create a definitive post, they're most welcome. Here are my changes:
Step 5: It's probably a good idea to retrieve new lists of packages so that you fetch the latest version of openvpn:
# apt-get update
... # apt-get install openvpn
If you want an easier to use text editor, now is a good time to install nano:
# apt-get install nano
Step 8: If you installed nano, you probably want to use it:
# nano userpass.file
...
Step 9 is where I depart a bit; I prefer to keep the unzipped PIA .ovpn files unmodified. Instead, I create a copy of my preferred PIA site then edit it as directed:
# cp France.ovpn My.ovpn
...
Or, if you like one-liners:
# sed s/"auth-user-pass"/"auth-user-pass userpass.file"/ France.ovpn > My.ovpn
Steps 10 through 13a: There is no need to create a script or a cron job!!!
New Step 10: Let's now test our config file by running OpenVPN in the background:
# openvpn My.ovpn &
You'll see console output which looks something like this:
[1] 6938
root@hostname:/etc/openvpn# Sun Nov 1 01:26:49 2015 OpenVPN 2.2.1 arm-linux-gnueabi [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec 1 2014
Sun Nov 1 01:26:49 2015 WARNING: file 'userpass.file' is group or others accessible
Sun Nov 1 01:26:49 2015 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Nov 1 01:26:49 2015 LZO compression initialized
Sun Nov 1 01:26:49 2015 RESOLVE: NOTE: france.privateinternetaccess.com resolves to 13 addresses
Sun Nov 1 01:26:49 2015 UDPv4 link local: [undef]
Sun Nov 1 01:26:49 2015 UDPv4 link remote: [AF_INET]108.61.122.156:1194
Sun Nov 1 01:26:49 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Nov 1 01:26:51 2015 [Private_Internet_Access] Peer Connection Initiated with [AF_INET]108.61.122.156:1194
Sun Nov 1 01:26:53 2015 TUN/TAP device tun0 opened
Sun Nov 1 01:26:53 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
...
Sun Nov 1 01:26:53 2015 Initialization Sequence Completed
It might look as though you don't have a prompt, but you do. Just hit enter a to get a fresh one.
New Step 11: Check the vpn is running with ifconfig:
# ifconfig
...and do whatever testing you need with your applications.
New Step 12: Find the job you created earlier and send it a TERM signal with the kill command:
root@hostname:/etc/openvpn# jobs [1]+ Running openvpn My.ovpn & root@hostname:/etc/openvpn# kill -term %1 Sun Nov 1 02:23:54 2015 event_wait : Interrupted system call (code=4) root@hostname:/etc/openvpn# Sun Nov 1 02:23:54 2015 /sbin/ifconfig tun0 0.0.0.0 Sun Nov 1 02:23:54 2015 SIGTERM[hard,] received, process exiting [1]+ Done openvpn My.ovpn root@hostname:/etc/openvpn#
New Step 13: Once you're happy with your configuration file, rename it to something ending in '.conf':
# mv My.ovpn client.conf
New Step 14: Start the OpenVPN init script:
# /etc/init.d/openvpn start
[ ok ] Starting openvpn (via systemctl): openvpn.service.
That's it, you're done! As installed by default on my RN104, the OpenVPN init script looks for .conf files in the default /etc/openvpn directory where we unzipped the PIA files and did everything else. The OpenVPN init script is also set by default to start with the other services at runlevels 2-5. This means the init script will start a connection using your .conf file when the system reboots.
If you're like me, and prefer to access your ReadyNAS from the outside world using port forwarding configured on a router, you'll notice that turning on OpenVPN breaks remote access. I'll write another reply soon with directions on how to configure IP rules and routes on your ReadyNAS so that your port forwarding setup will function properly.
Until then, TTFN!
- Coyote21Feb 07, 2016Initiate
Thanks for your excelent guide, it all work exactly as described except for the very last step.
When I start openvpn from the command line (openvpn myvpn.conf) it works perfectly but if I use service openvpn start it fails.
Actually it reports:
[ ok ] Starting openvpn (via systemctl): openvpn.service.
but then using ifconfig shows that there are no VPN tunnels and using service openvpn status shows :
(Modified to hide identifying information)
SIGUSR1[soft,tls-error] received, process restarting
NOTE: the current --script-security setting may allow this configuration to call u...scriptsRe-using SSL/TLS context
LZO compression initialized
RESOLVE: NOTE: XXXXXXXXXXXXXXXXX resolves to 13 addresses
UDPv4 link local: [undef]
UDPv4 link remote: [AF_INET]XXX.XXX.XXX.XXX:XXX
ERROR: could not read Auth username from stdin
ExitingThis seems to indicate that when starting using init.d it cant read the myvpn.conf file?
Checked permissions on myvpn.conf and username/pass files and chmod'd 444 (read all) to test, but no change
any help?
- jungleboydotcaFeb 09, 2016Initiate
Hey Coyote21,
I'm wondering if something may have changed in either the OpenVPN package or in the PIA config files between when I posted and now; can you post your version information and .conf file?
Here's what I get:
# openvpn --version OpenVPN 2.2.1 arm-linux-gnueabi [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec 1 2014 Originally developed by James Yonan Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
...# more /etc/openvpn/client.conf
client
dev tun
proto udp
remote <some PIA server> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-client
remote-cert-tls server
auth-user-pass userpass.file
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.pem
script-security 2
up /etc/openvpn/up.shThe last two lines are for my routing rules script.
The thing which sticks out to me in your message is "ERROR: could not read Auth username from stdin". Did you point the .conf file at the userpass.file in Step 9? It's not clear to me why it's trying to read from STDIN.
For comparison, here is my service status output:
Starting virtual private network daemon: client. UDPv4 link local: [undef] UDPv4 link remote: [AF_INET]<ipaddress>:<port> WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this [Private_Internet_Access] Peer Connection Initiated with [AF_INET] <ipaddress>:<port> TUN/TAP device tun0 opened do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0 /sbin/ifconfig tun0 <ipaddress> pointopoint <ipaddress> mtu 1500 /etc/openvpn/up.sh tun0 1500 1542 <ipaddress> <ipaddress> init Initialization Sequence Completed
Similarly, there is a line in there about my little routing rules script.
I haven't written that follow-up piece yet either because I was wanting to test stability, but in the interval the connection to my local ISP has gotten flaky and created a whole new class of problems which I'm taking a look at when I have the time.
I hope this message helps some!
- Coyote21Feb 12, 2016Initiate
Thanks for that jungleboy,
I checked my openvpn version and .conf files and could'nt find anything different from yours (except for the routing rules script extras) but I did notice that starting the openvpn service again did not change the timestamps from the service status output, so I tried service openvpn stop and then start again and it worked.
I'm guessing that it would'nt re-read the .conf file until I had stopped it and then started it again, so what ever was causing the error (probably missing auth-user-pass entry) was fixed long ago but the init.d script never re-read the changed file until I had first stopped the current instance that was using the (Faulty) .conf file.
Sorry to have bothered you about this.
Related Content
NETGEAR Academy

Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!