NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Solved
Installing and running OpenVPN @ boot - PrivateInternetAcces
Hi All,
I have been trying to install OpenVPN and use PrivateInternetAccess (PIA) as my VPN Server on my ReadyNAS for a while now - my prime usecase was that I wanted all the connection to be encrypted while exposing it to external world (like sharing files right out of my NAS or torrent). The following are the steps which worked for me and my NAS is always on VPN now.
1. Enable SSH by going into System -> Settings in your WebView
PS: This may cause problem with Netgear support - so do @ your own risk. However, I am not modifying anything with system and it looks safe to me.
2. Download Putty from link below
3. Go to command prompt, navigate to the directory where you placed putty. Once in the directory, execute the following command
4. You will see a terminal window open up asking for your login. enter your login info that you use to access your NAS from webbrowser
5. Now enter the following command on the terminal prompt
6. This will install OpenVPN. Now, you need to get the VPN config files from PIA. Use the following commands below to navigate the OpenVPN directory and get the files
7. Extract the files using unzip command. If you dont have the program, use apt-get command as above (replace openvpn with unzip)
8. Now, create a file - say userpass.file and type username on first line and password on the second line and save it. To save a file, press Esc and type :wq (including the colon) and press enter
9. Chose one of the .ovpn file - for this eg, I chose France.ovpn and edit it. When you open it using the vi command, there will be a line auth-user-pass. Change it to auth-user-pass userpass.file and save the file as mentioned above.
10. at this time, you are all set to create a VPN connection. However, the issue is that now you need to always activate it manually. So, now we will create a startup file which runs automatically everytime you boot your NAS. Use the following commands to create a new file called startvpn.sh - you can name whatever you want
11. Now type the following lines and save the file
12. Once saved, you need to make the script executable. Use the command below for the same
13. Now, you need to add this script to run at everyboot. To do so, you need to add the following command in crontab file. Open the crontab file using command
13a. You can also use the following command to add this command to startup
14. Now you need to see if the VPN has started. To do so, type ifconfig on the command line and you will see a new connection starting with a config similar to below
This means your vpn is running perfectly and you added another layer of security.
Please let me know if this worked for you - i am not a Linux expert but will try to answer any questions you may have
Linux experts - comment/add anything to make it better.
Thanks,
Arpan
I have been trying to install OpenVPN and use PrivateInternetAccess (PIA) as my VPN Server on my ReadyNAS for a while now - my prime usecase was that I wanted all the connection to be encrypted while exposing it to external world (like sharing files right out of my NAS or torrent). The following are the steps which worked for me and my NAS is always on VPN now.
1. Enable SSH by going into System -> Settings in your WebView
PS: This may cause problem with Netgear support - so do @ your own risk. However, I am not modifying anything with system and it looks safe to me.
2. Download Putty from link below
http://the.earth.li/~sgtatham/putty/0.63/x86/putty.exe
3. Go to command prompt, navigate to the directory where you placed putty. Once in the directory, execute the following command
putty <NAS Address>
4. You will see a terminal window open up asking for your login. enter your login info that you use to access your NAS from webbrowser
5. Now enter the following command on the terminal prompt
apt-get install openvpn
6. This will install OpenVPN. Now, you need to get the VPN config files from PIA. Use the following commands below to navigate the OpenVPN directory and get the files
cd /etc/openvpn
wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
7. Extract the files using unzip command. If you dont have the program, use apt-get command as above (replace openvpn with unzip)
unzip openvpn.zip
8. Now, create a file - say userpass.file and type username on first line and password on the second line and save it. To save a file, press Esc and type :wq (including the colon) and press enter
vi userpass.file
9. Chose one of the .ovpn file - for this eg, I chose France.ovpn and edit it. When you open it using the vi command, there will be a line auth-user-pass. Change it to auth-user-pass userpass.file and save the file as mentioned above.
vi France.ovpn
10. at this time, you are all set to create a VPN connection. However, the issue is that now you need to always activate it manually. So, now we will create a startup file which runs automatically everytime you boot your NAS. Use the following commands to create a new file called startvpn.sh - you can name whatever you want
cd /etc/init.d
vi startvpn.sh
11. Now type the following lines and save the file
#!/bin/bash
cd /etc/openvpn
openvpn France.ovpn
12. Once saved, you need to make the script executable. Use the command below for the same
chmod +x startvpn.sh
13. Now, you need to add this script to run at everyboot. To do so, you need to add the following command in crontab file. Open the crontab file using command
crontab -eand then add the following line anywhere in the file
@reboot ./etc/init.d/startvpn.sh &. Save it using the Esc -> :wq!
13a. You can also use the following command to add this command to startup
update-rc.d startvpn.sh defaults
14. Now you need to see if the VPN has started. To do so, type ifconfig on the command line and you will see a new connection starting with a config similar to below
tun0-00 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
This means your vpn is running perfectly and you added another layer of security.
Please let me know if this worked for you - i am not a Linux expert but will try to answer any questions you may have
Linux experts - comment/add anything to make it better.
Thanks,
Arpan
Thanks to arpanj2 for starting the thread. I've found there are better and easier ways to do a few things which may have saved people some frustration. I hope this helps! If anyone wants to merge my suggestions with the original to create a definitive post, they're most welcome. Here are my changes:
Step 5: It's probably a good idea to retrieve new lists of packages so that you fetch the latest version of openvpn:
# apt-get update
... # apt-get install openvpnIf you want an easier to use text editor, now is a good time to install nano:
# apt-get install nano
Step 8: If you installed nano, you probably want to use it:
# nano userpass.file
...Step 9 is where I depart a bit; I prefer to keep the unzipped PIA .ovpn files unmodified. Instead, I create a copy of my preferred PIA site then edit it as directed:
# cp France.ovpn My.ovpn
...Or, if you like one-liners:
# sed s/"auth-user-pass"/"auth-user-pass userpass.file"/ France.ovpn > My.ovpn
Steps 10 through 13a: There is no need to create a script or a cron job!!!
New Step 10: Let's now test our config file by running OpenVPN in the background:
# openvpn My.ovpn &
You'll see console output which looks something like this:
[1] 6938
root@hostname:/etc/openvpn# Sun Nov 1 01:26:49 2015 OpenVPN 2.2.1 arm-linux-gnueabi [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec 1 2014
Sun Nov 1 01:26:49 2015 WARNING: file 'userpass.file' is group or others accessible
Sun Nov 1 01:26:49 2015 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Nov 1 01:26:49 2015 LZO compression initialized
Sun Nov 1 01:26:49 2015 RESOLVE: NOTE: france.privateinternetaccess.com resolves to 13 addresses
Sun Nov 1 01:26:49 2015 UDPv4 link local: [undef]
Sun Nov 1 01:26:49 2015 UDPv4 link remote: [AF_INET]108.61.122.156:1194
Sun Nov 1 01:26:49 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Nov 1 01:26:51 2015 [Private_Internet_Access] Peer Connection Initiated with [AF_INET]108.61.122.156:1194
Sun Nov 1 01:26:53 2015 TUN/TAP device tun0 opened
Sun Nov 1 01:26:53 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
...
Sun Nov 1 01:26:53 2015 Initialization Sequence CompletedIt might look as though you don't have a prompt, but you do. Just hit enter a to get a fresh one.
New Step 11: Check the vpn is running with ifconfig:
# ifconfig
...and do whatever testing you need with your applications.
New Step 12: Find the job you created earlier and send it a TERM signal with the kill command:
root@hostname:/etc/openvpn# jobs [1]+ Running openvpn My.ovpn & root@hostname:/etc/openvpn# kill -term %1 Sun Nov 1 02:23:54 2015 event_wait : Interrupted system call (code=4) root@hostname:/etc/openvpn# Sun Nov 1 02:23:54 2015 /sbin/ifconfig tun0 0.0.0.0 Sun Nov 1 02:23:54 2015 SIGTERM[hard,] received, process exiting [1]+ Done openvpn My.ovpn root@hostname:/etc/openvpn#
New Step 13: Once you're happy with your configuration file, rename it to something ending in '.conf':
# mv My.ovpn client.conf
New Step 14: Start the OpenVPN init script:
# /etc/init.d/openvpn start
[ ok ] Starting openvpn (via systemctl): openvpn.service.That's it, you're done! As installed by default on my RN104, the OpenVPN init script looks for .conf files in the default /etc/openvpn directory where we unzipped the PIA files and did everything else. The OpenVPN init script is also set by default to start with the other services at runlevels 2-5. This means the init script will start a connection using your .conf file when the system reboots.
If you're like me, and prefer to access your ReadyNAS from the outside world using port forwarding configured on a router, you'll notice that turning on OpenVPN breaks remote access. I'll write another reply soon with directions on how to configure IP rules and routes on your ReadyNAS so that your port forwarding setup will function properly.
Until then, TTFN!
36 Replies
Replies have been turned off for this discussion
- I can't imagine how raid level could affect couch potato and/or sickbeard. If you've completely taken over formatting your own partition layout or something then maybe front view is totally broken, but raid level is pretty darn transparent to applications on the system. Could you elaborate on what problem you encountered?
- I followed the instruction again but used /US California.ovpn instead where I had to enter #!/bin/bash I get and error and it says
"search hit TOP, continue at Bottom"
I can't enter the # dannieboiz wrote: I followed the instruction again but used /US California.ovpn instead where I had to enter #!/bin/bash I get and error and it says
"search hit TOP, continue at Bottom"
I can't enter the #
I am guessing you may need to press I or e to enter into edit mode of Vi editor. You may be missing that.- I believe I got it working. Below is my ifconfig. I rebooted the RN and tun0 is still there, so I guess my startvpn.sh script works. Now how do I stop it?
Also, my port fowarding no longer work. Do I need to stop openvpn before I can access my device remotely for things like ftp and stuff?
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.129.84.2 P-t-P:10.149.84.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:6683 errors:0 dropped:0 overruns:0 frame:0
TX packets:9854 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1587345 (1.5 MiB) TX bytes:1596541 (1.5 MiB) dannieboiz wrote: I believe I got it working. Below is my ifconfig. I rebooted the RN and tun0 is still there, so I guess my startvpn.sh script works. Now how do I stop it?
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.129.84.2 P-t-P:10.149.84.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:6683 errors:0 dropped:0 overruns:0 frame:0
TX packets:9854 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1587345 (1.5 MiB) TX bytes:1596541 (1.5 MiB)
Looks good to me :) Have fun!!!- I edit my post but here's my other question..
Also, my port fowarding no longer work. Do I need to stop openvpn before I can access my device remotely for things like ftp and stuff?
and how do I stop openvpn? dannieboiz wrote: I edit my post but here's my other question..
Also, my port fowarding no longer work. Do I need to stop openvpn before I can access my device remotely for things like ftp and stuff?
and how do I stop openvpn?
Will let the linux guru's answer this question.- Hi
I know this is quite an old thread now.... first of all thanks for your informative post. I am trying to get my NV+ to use OpenVPN to connect using PrivateInternetAccess VPN. After having successfully gone through all of your steps... sadly I can't get it the NAS to connect.
I think Ive narrowed it down to the version of Openvpn that is installed by apt-get being 2.0, while the latest config files from PIA expect 2.1+.
In particular I believe the option "remote-cert-tls server" causes a problem. I tried tried reverting to the earlier option "ns-cert-type server" which stops errors being thrown but then the certificate seems to fail.
any hints or tips would be much appreciated. - Hi,
I'm having the similar issues to lucky_readynas, I've also installed OpenVPN on my ReadyNAS Duo in the hope to connect to PIA and followed the configuration from earlier posts. When I attempt to bring the tunnel up it gets as far as verifing the server certificate and errors out. If anyone can assist here that would be fantastic.
NAS_DRIVE:/etc/init.d# ./startvpn.sh
Sun Apr 19 15:53:37 2015 OpenVPN 2.0 sparc-unknown-linux [SSL] [LZO] [EPOLL] built on Jan 17 2007
Sun Apr 19 15:53:37 2015 WARNING: file 'userpass.file' is group or others accessible
Sun Apr 19 15:53:37 2015 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sun Apr 19 15:53:37 2015 LZO compression initialized
Sun Apr 19 15:53:37 2015 RESOLVE: NOTE: aus.privateinternetaccess.com resolves to 4 addresses, choosing one by random
Sun Apr 19 15:53:37 2015 UDPv4 link local: [undef]
Sun Apr 19 15:53:37 2015 UDPv4 link remote: 103.43.72.133:1194
Sun Apr 19 15:53:37 2015 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:cert ificate verify failed
Sun Apr 19 15:53:37 2015 TLS Error: TLS object -> incoming plaintext read error
Sun Apr 19 15:53:37 2015 TLS Error: TLS handshake failed
Sun Apr 19 15:53:37 2015 SIGUSR1[soft,tls-error] received, process restarting
Sun Apr 19 15:53:39 2015 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sun Apr 19 15:53:39 2015 Re-using SSL/TLS context - Ask privateinternetaccess support how to configure an older version of openvpn. They are usually pretty responsive.
steve
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
