[SOLVED] trouble with openvpn in debian (PIA)

New to Debian (Or Linux in general)? Ask your questions here!
kkfu
Posts: 8
Joined: 2020-11-09 12:15

[SOLVED] trouble with openvpn in debian (PIA)

#1 Post by kkfu »

Hi,

I am running Debian testing:

Code:

deb http://deb.debian.org/debian/ testing main
deb-src http://deb.debian.org/debian/ testing main

deb http://security.debian.org/ testing-security main
deb-src http://security.debian.org/ testing-security main

# buster-updates, previously known as 'volatile'
deb http://deb.debian.org/debian/ testing-updates main
deb-src http://deb.debian.org/debian/ testing-updates main
I want to set up an openvpn client (I already have a client.ovpn file that I got from my other machine, which runs the latest openvpn-as server).

This is what I did so far:

Code:

sudo ufw allow 1194/udp

Code:

sudo apt install openvpn
sudo apt install network-manager-openvpn-gnome

Code:

cd /etc/openvpn/
ls
sudo mv /home/XXX/Documents/client.ovpn /etc/openvpn/client/
My client.ovpn file is OK, since I am using it on my Windows machine.

Code:

sudo systemctl restart openvpn
sudo systemctl status openvpn
sudo systemctl start openvpn
It did not work, so I tried to follow this guide (the Debian section): https://community.openvpn.net/openvpn/w ... twareRepos. But when I try to import the public GPG key that is used to sign the packages and type:

Code:

wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add -
I get this error:
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
Now I have been trying to find a solution for this but have not found one.
I need some help regarding:
1) how to solve the apt-key deprecated issue
2) the steps I should follow to just install the openvpn client and make it work. I recently moved from Windows to Debian and I love it. But installing the openvpn client on Windows was so easy that I cannot understand what I am missing here in Debian. For sure it must be something easy to solve, but I ran out of ideas.
Let me know if you need me to run any commands to help further.
More info:

Code:

$ sudo systemctl status openvpn.service
● openvpn.service - OpenVPN service
     Loaded: loaded (/lib/systemd/system/openvpn.service; enabled; vendor preset: enabled)
     Active: active (exited) since Sun 2020-11-08 20:59:02 GMT; 8min ago
    Process: 24823 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
   Main PID: 24823 (code=exited, status=0/SUCCESS)

Nov 08 20:59:02 venus systemd[1]: Starting OpenVPN service...
Nov 08 20:59:02 venus systemd[1]: Finished OpenVPN service.
I also tried to install:

Code:

sudo apt install apt-transport-https

sudo wget https://swupdate.openvpn.net/repos/openvpn-repo-pkg-key.pub
--2020-11-08 21:18:58--  https://swupdate.openvpn.net/repos/openvpn-repo-pkg-key.pub
Resolving swupdate.openvpn.net (swupdate.openvpn.net)... 104.18.109.96, 104.18.110.96
Connecting to swupdate.openvpn.net (swupdate.openvpn.net)|104.18.109.96|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3165 (3.1K) [binary/octet-stream]
Saving to: ‘openvpn-repo-pkg-key.pub’

openvpn-repo-pkg-key.pub       100%[===================================================>]   3.09K  --.-KB/s    in 0s      

2020-11-08 21:18:58 (17.9 MB/s) - ‘openvpn-repo-pkg-key.pub’ saved [3165/3165]
Regarding this I have some questions:
- Where was it downloaded?
- I guess I should move it to /etc/apt/trusted.gpg/, right?

This is what I get if:

Code:

sudo apt-key --keyring /etc/apt/trusted.gpg list
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2019-02-13 [SC]
      8A90 3102 6374 5AEB CF58  5F02 5511 80AB 92C3 19F8
uid           [ unknown] OpenVPN PPA Repository Key <pkg@openvpn.net>
sub   rsa4096 2019-02-13 [E]

pub   rsa4096 2019-03-15 [SC]
      8B1B C7FE CB72 59E1 430A  3AA0 26EB 3912 3AAA AA96
uid           [ unknown] Access Server (Access Server Package Key) <packaging@openvpn.net>
sub   rsa4096 2019-03-15 [E]
Rgds
Last edited by kkfu on 2020-12-01 17:22, edited 1 time in total.

reinob
Posts: 1189
Joined: 2014-06-30 11:42
Has thanked: 97 times
Been thanked: 47 times

Re: trouble with openvpn in debian

#2 Post by reinob »

It seems you didn't even enable your config.

You should
# systemctl enable openvpn-client@yourconfig

this will actually enable the config at /etc/openvpn/client/yourconfig.conf

kkfu
Posts: 8
Joined: 2020-11-09 12:15

Re: trouble with openvpn in debian

#3 Post by kkfu »

OK, now I managed to establish a connection from my openvpn client (I installed network-manager [gnome] although I am running KDE) to the openvpn server.

Just to make sure openvpn is working on my client, I tried a PIA location .ovpn file and it works.

Now I try to connect to my server running the openvpn server. I do connect, since I get the server's WAN IP:

Code:

"Nov 22 19:29:36 ws1 nm-openvpn[6513]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]2.189.89.61:1194" 
This is from when I connected:

Code:

sudo grep VPN /var/log/syslog
Nov 22 17:04:04 ws1 pia-daemon[691]: [+2.606][iptables.stdout][exec.cpp:107][info] 200.allowVPN(IPv4): OFF
Nov 22 17:04:04 ws1 pia-daemon[691]: [+2.609][iptables.stdout][exec.cpp:107][info] 200.allowVPN(IPv6): OFF
Nov 22 17:04:04 ws1 pia-daemon[691]: [+2.700][iptables][posix/posix_firewall_iptables.cpp:674][info] VPN interface: ""
Nov 22 17:04:04 ws1 pia-daemon[691]: [+2.962][iptables.stdout][exec.cpp:107][info] 200.allowVPN(IPv4): OFF
Nov 22 17:04:04 ws1 pia-daemon[691]: [+2.965][iptables.stdout][exec.cpp:107][info] 200.allowVPN(IPv6): OFF
Nov 22 17:04:05 ws1 pia-daemon[691]: [+3.051][iptables][posix/posix_firewall_iptables.cpp:674][info] VPN interface: ""
Nov 22 19:29:36 ws1 NetworkManager[580]: <info>  [1606073376.1193] vpn-connection[0x55a2ef570150,fedcccc2-cd27-44e3-8180-d7f5924a0a04,"papa",0]: Started the VPN service, PID 6506
Nov 22 19:29:36 ws1 NetworkManager[580]: <info>  [1606073376.1540] vpn-connection[0x55a2ef570150,fedcccc2-cd27-44e3-8180-d7f5924a0a04,"papa",0]: VPN plugin: state changed: starting (3)
Nov 22 19:29:36 ws1 nm-openvpn[6513]: OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Nov 22 19:29:36 ws1 nm-openvpn[6513]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]2.189.89.61:1194
Nov 22 19:29:37 ws1 NetworkManager[580]: <info>  [1606073377.8979] vpn-connection[0x55a2ef570150,fedcccc2-cd27-44e3-8180-d7f5924a0a04,"papa",0]: VPN connection: (IP Config Get) reply received.
Nov 22 19:29:37 ws1 NetworkManager[580]: <info>  [1606073377.8998] vpn-connection[0x55a2ef570150,fedcccc2-cd27-44e3-8180-d7f5924a0a04,"papa",3:(tun0)]: VPN connection: (IP4 Config Get) reply received
Nov 22 19:29:37 ws1 NetworkManager[580]: <info>  [1606073377.9001] vpn-connection[0x55a2ef570150,fedcccc2-cd27-44e3-8180-d7f5924a0a04,"papa",3:(tun0)]: Data: VPN Gateway: 2.189.89.71
Nov 22 19:29:37 ws1 NetworkManager[580]: <info>  [1606073377.9004] vpn-connection[0x55a2ef570150,fedcccc2-cd27-44e3-8180-d7f5924a0a04,"papa",3:(tun0)]: VPN plugin: state changed: started (4)
Nov 22 19:29:37 ws1 NetworkManager[580]: <info>  [1606073377.9011] vpn-connection[0x55a2ef570150,fedcccc2-cd27-44e3-8180-d7f5924a0a04,"papa",3:(tun0)]: VPN connection: (IP Config Get) complete
Nov 22 19:29:38 ws1 pia-daemon[691]: [+2:25:36.090][iptables.stdout][exec.cpp:107][info] 200.allowVPN(IPv4): OFF
Nov 22 19:29:38 ws1 pia-daemon[691]: [+2:25:36.093][iptables.stdout][exec.cpp:107][info] 200.allowVPN(IPv6): OFF
Nov 22 19:29:38 ws1 pia-daemon[691]: [+2:25:36.179][iptables][posix/posix_firewall_iptables.cpp:674][info] VPN interface: ""
But if I ping from my client I get this error: "icmp_seq=2 Destination Host Unreachable", so I cannot ping the host.

More info about when the VPN is NOT connected:

Code:

netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 enp4s0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 enp4s0

ifconfig -a
enp4s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.200  netmask 255.255.255.0  broadcast 192.168.1.255
        
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
Now info about when the VPN is connected:

Code:

netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.27.224.1    0.0.0.0         UG        0 0          0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 enp4s0
2.189.89.61     192.168.1.1     255.255.255.255 UGH       0 0          0 enp4s0
172.27.224.0    0.0.0.0         255.255.240.0   U         0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 enp4s0
192.168.1.1     0.0.0.0         255.255.255.255 UH        0 0          0 enp4s0

 ifconfig -a
enp4s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.200  netmask 255.255.255.0  broadcast 192.168.1.255

  lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 172.27.224.14  netmask 255.255.240.0  destination 172.27.224.14
Pls, need help.

reinob
Posts: 1189
Joined: 2014-06-30 11:42
Has thanked: 97 times
Been thanked: 47 times

Re: trouble with openvpn in debian

#4 Post by reinob »

kkfu wrote:Pls, need help.
It's hard to help in this case. In your first post you wanted to use openvpn (the client, not the protocol), but then in your last post you have a weird mix of NetworkManager and whatever "pia-daemon" might be.

You need to settle on a program/way to connect, not have multiple programs trying to do one thing.
but if I ping from my client I get this error: "icmp_seq=2 Destination Host Unreachable", so I cannot ping the host.
Show the command, and the output. Are you pinging 2.189.89.61 (via enp4s0) or 172.27.224.1 (via tun0)?

Whatever you've done, you've ended up with two default routes (one over tun0, one over enp4s0).
That's (very likely) not what you want.

Note: if all you want is a peer-to-peer link between two computers, your best bet is to use wireguard.
It's infinitely simpler, and the VPN connection is very fast (a couple of milliseconds), so you can enable it at startup and keep it on all the time, without needing to think about it.

kkfu
Posts: 8
Joined: 2020-11-09 12:15

Re: trouble with openvpn in debian

#5 Post by kkfu »

Thx for the quick reply.
reinob wrote:
kkfu wrote:Pls, need help.
In your first post you wanted to use openvpn (the client, not the protocol), but then in your last post you have a weird mix of NetworkManager and whatever "pia-daemon" might be.
I just used one of the location .ovpn files from PIA.
Somehow the pia-daemon keeps on even after the connection to PIA vpn is off.
but if I ping from my client I get this error: "icmp_seq=2 Destination Host Unreachable", so I cannot ping the host.
Show the command, and the output. Are you pinging 2.189.89.61 (via enp4s0) or 172.27.224.1 (via tun0)?
It's a ping to the server's IP that I want to connect to in the remote location. The server's IP is 192.168.1.20.
Whatever you've done, you've ended up with two default routes (one over tun0, one over enp4s0).
That's (very likely) not what you want.
I guess I need to uninstall and purge all I did, and start again.
Note: if all you want is a peer-to-peer link between two computers, your best bet is to use wireguard.
It's infinitely simpler, and the VPN connection is very fast (a couple of milliseconds), so you can enable it at startup and keep it on all the time, without needing to think about it.
Yes, this is what I want. Will have a look at it.
Can I set up this peer-to-peer link between two computers and in parallel route all my internet traffic to the WAN through a different VPN?

reinob
Posts: 1189
Joined: 2014-06-30 11:42
Has thanked: 97 times
Been thanked: 47 times

Re: trouble with openvpn in debian

#6 Post by reinob »

kkfu wrote: but if I ping from my client I get this error: "icmp_seq=2 Destination Host Unreachable", so I cannot ping the host.
reinob wrote: Show the command, and the output. Are you pinging 2.189.89.61 (via enp4s0) or 172.27.224.1 (via tun0)?
kkfu wrote: It's a ping to the server's IP that I want to connect to in the remote location. The server's IP is 192.168.1.20.
If I understand correctly what you've posted so far, we have this:

Your IP address in your local network is 192.168.1.200 (your router is 192.168.1.1, over enp4s0).
The remote endpoint is 2.189.89.61. This is the public IP address of your VPN server.

When you're connected, you get the IP address 172.27.224.14 (over tun0).
The VPN server is at 172.27.224.1 (over tun0).

You said "I ping from my client" and I asked you to show the exact command, to which you replied "It's a ping to the server's ip ... 192.168.1.20"

But 192.168.1.20 is ON YOUR LOCAL NETWORK, i.e. routed over enp4s0 and not over tun0. It has nothing to do with the VPN.

Your tunnel (VPN) is only usable for 172.27.224.0/28 as well as (randomly) as default route, but any connection to your local network (192.168.1.1/24) will use the more specific route, i.e. via 192.168.1.1 over enp4s0.

So either I'm completely confused, or you are completely confused, but as long as that is not clarified, there's nothing I can do.

Good luck in any case! :)

kkfu
Posts: 8
Joined: 2020-11-09 12:15

Re: trouble with openvpn in debian

#7 Post by kkfu »

reinob wrote: Your IP address in your local network is 192.168.1.200 (your router is 192.168.1.1, over enp4s0).
The remote endpoint is 2.189.89.61. This is the public IP address of your VPN server.

When you're connected, you get the IP address 172.27.224.14 (over tun0).
The VPN server is at 172.27.224.1 (over tun0).

You said "I ping from my client" and I asked you to show the exact command, to which you replied "It's a ping to the server's ip ... 192.168.1.20"

But 192.168.1.20 is ON YOUR LOCAL NETWORK, i.e. routed over enp4s0 and not over tun0. It has nothing to do with the VPN.

Your tunnel (VPN) is only usable for 172.27.224.0/28 as well as (randomly) as default route, but any connection to your local network (192.168.1.1/24) will use the more specific route, i.e. via 192.168.1.1 over enp4s0.
You are right ... I am a bit lost :). Let me try to explain my network:

office1:
wan: 2.189.89.61,
lan: 192.168.1.0/24,
here is the openvpn-server
here is my nas (it has the ip 192.168.1.20)

office2:
lan: 192.168.1.0/24
here is the openvpn-client

I am trying to set up the VPN between office2 and office1. When it is established I want to be able to open a browser in office2 and enter the IP of my NAS GUI (192.168.1.20).

I have already done many steps and mixed the PIA setup with the openvpn one, so now my Debian is not in an ideal state. It is better to start with a fresh openvpn install. I recovered a backup of a fresh Debian buster stable and started from the beginning.

This is what I have done so far (openvpn is not yet installed):

Code:

nmcli -o
    enp4s0: connected to Wired connection 1
            "Red Hat Virtio"
            ethernet (virtio_net), 52:54:00:F6:82:88, hw, mtu 1500
            ip4 default
            inet4 192.168.1.47/24
            route4 0.0.0.0/0
            route4 192.168.1.0/24
            inet6 fe80::5054:ff:fef6:8288/64
            route6 fe80::/64
            route6 ff00::/8

    lo: unmanaged
            "lo"
            loopback (unknown), 00:00:00:00:00:00, sw, mtu 65536

    DNS configuration:
            servers: 45.90.28.61 45.90.30.61
            interface: enp4s0
I installed net-tools.

Code:

netstat -pnltu
    (Not all processes could be identified, non-owned process info
    will not be shown, you would have to be root to see it all.)
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
    tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      -                   
    tcp6       0      0 :::1716                 :::*                    LISTEN      3784/kdeconnectd    
    udp        0      0 0.0.0.0:5353            0.0.0.0:*                           -                   
    udp        0      0 0.0.0.0:38567           0.0.0.0:*                           -                   
    udp        0      0 0.0.0.0:68              0.0.0.0:*                           -                   
    udp6       0      0 :::5353                 :::*                                -                   
    udp6       0      0 :::49260                :::*                                -                   
    udp6       0      0 :::1716                 :::*                                3784/kdeconnectd    
    

Code:

netstat -rn
    $ netstat -rn
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 enp4s0
    192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 enp4s0
Now I installed openvpn:

Code:

sudo apt install openvpn
I placed papa.ovpn (the file that openvpn-server created for me before; I did not modify it at all) in "/etc/openvpn/client".

I tried to set up a connection for papa.ovpn in network-manager: settings > + > import VPN connection. When I did this it asked me: "Do you want to copy your certificates to /home/rafaws1/.local/share/networkmanagement/certificates/?" and I said yes.

Now I did check what you said in your first post about enabling the config:

Code:

/etc/openvpn/client$ systemctl status openvpn.service 
● openvpn.service - OpenVPN service
   Loaded: loaded (/lib/systemd/system/openvpn.service; enabled; vendor preset: enabled)
   Active: active (exited) since Tue 2020-11-24 15:41:36 GMT; 3s ago
  Process: 8174 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 8174 (code=exited, status=0/SUCCESS)
and enabled the config:

Code:

:/etc/openvpn/client$ systemctl enable openvpn-client@papa 
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-client@papa.service → /lib/systemd/system/openvpn-client@.service.
I have not touched ufw yet since I guess it is not needed from the client.

I start the vpn:

Code:

$ sudo openvpn --config papa.ovpn --auth-user-pass      
and the initialization sequence starts successfully (I think so):

Code:

[Tue Nov 24 17:31:25 2020 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=enp4s0 HWADDR=52:54:00:f6:82:88
Tue Nov 24 17:31:25 2020 TUN/TAP device tun0 opened
Tue Nov 24 17:31:25 2020 TUN/TAP TX queue length set to 100
Tue Nov 24 17:31:25 2020 /sbin/ip link set dev tun0 up mtu 1500
Tue Nov 24 17:31:25 2020 /sbin/ip addr add dev tun0 172.27.224.16/20 broadcast 172.27.239.255
Tue Nov 24 17:31:31 2020 ROUTE remote_host is NOT LOCAL
Tue Nov 24 17:31:31 2020 /sbin/ip route add 2.189.89.61/32 via 192.168.1.1
Tue Nov 24 17:31:31 2020 /sbin/ip route add 0.0.0.0/1 via 172.27.224.1
Tue Nov 24 17:31:31 2020 /sbin/ip route add 128.0.0.0/1 via 172.27.224.1
Tue Nov 24 17:31:31 2020 Initialization Sequence Completed
Now I am one step further than I was before. But when I open my browser (in office2) I cannot connect to the NAS GUI. Still in office2, I open a terminal and ping the NAS IP:

Code:

$ ping 192.168.1.20
PING 192.168.1.20 (192.168.1.20) 56(84) bytes of data.
From 192.168.1.47 icmp_seq=1 Destination Host Unreachable
From 192.168.1.47 icmp_seq=2 Destination Host Unreachable
I have tested doing the same from another machine (Windows) that is in office2, and I can ping 192.168.1.20 and connect to it via the browser.

I can ping from office2 the following:

Code:

$ ping 2.189.89.61
PING 2.189.89.61 (2.189.89.61) 56(84) bytes of data.
64 bytes from 2.189.89.61: icmp_seq=1 ttl=58 time=4.23 ms
64 bytes from 2.189.89.61: icmp_seq=2 ttl=58 time=2.90 ms
^C
--- 2.189.89.61 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 2ms
rtt min/avg/max/mdev = 2.901/3.564/4.227/0.663 ms

Code:

$ ping 172.27.224.1
PING 172.27.224.1 (172.27.224.1) 56(84) bytes of data.
64 bytes from 172.27.224.1: icmp_seq=1 ttl=64 time=3.59 ms
64 bytes from 172.27.224.1: icmp_seq=2 ttl=64 time=3.89 ms
64 bytes from 172.27.224.1: icmp_seq=3 ttl=64 time=3.86 ms
^C
--- 172.27.224.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 6ms
rtt min/avg/max/mdev = 3.589/3.781/3.891/0.145 ms
I hope to have clarified everything a bit.

Let me know your thoughts.

reinob
Posts: 1189
Joined: 2014-06-30 11:42
Has thanked: 97 times
Been thanked: 47 times

Re: trouble with openvpn in debian

#8 Post by reinob »

Thanks for the details. Now it seems much clearer :)

The problem is you have the same subnet (192.168.1.0/24) in both Office1 and Office2.

When Office2 is connected to Office1, according to the log/output from openvpn it does:

Code:

Tue Nov 24 17:31:31 2020 /sbin/ip route add 2.189.89.61/32 via 192.168.1.1
Tue Nov 24 17:31:31 2020 /sbin/ip route add 0.0.0.0/1 via 172.27.224.1
Tue Nov 24 17:31:31 2020 /sbin/ip route add 128.0.0.0/1 via 172.27.224.1
Notice that 192.168.1.0/24 has not been touched, so it stays like it was.

That means that anything on 192.168.1.0/24 ** including 192.168.1.20 ** will use the previous route over enp4s0, which will likely fail (as it seems to do), because you happen not to have any server with that address at Office2.

Only 128.0.0.0/1 and 0.0.0.0/1 (default route) will actually go via the VPN.

If you really want to access 192.168.1.20 (and only that one) via the VPN (i.e. the one in Office1), then you can add a specific route only for that one address. Like "ip route add 192.168.1.20/32 via tun0" or whatever.
This effectively "punches a hole" in your routing table, as always the more specific route wins over a more general route.

The alternative would be to use a separate subnet in each Office, like 192.168.1.0/24 for Office1 and 192.168.2.0/24 for Office2. This way you can have a permanent VPN connection and anything from Office1 to 192.168.2.0/24 should go via VPN and anything from Office2 to 192.168.1.0/24 should go via VPN.

Hope that helps!
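The longest-prefix-match behaviour reinob describes, as an added Python simulation (not code from the thread) built from the routes in the openvpn log and netstat output above; the `punch_hole` and `renumber_office2` helpers are assumed names for the two fixes he proposes.

```python
import ipaddress

# Office2 client routes after "Initialization Sequence Completed", taken from
# the openvpn log and the netstat -rn output quoted in the thread:
# (prefix, next hop or None for on-link, interface)
VPN_UP = [
    ("0.0.0.0/0",       "192.168.1.1",  "enp4s0"),  # original default route
    ("192.168.1.0/24",  None,           "enp4s0"),  # Office2 LAN, left untouched
    ("2.189.89.61/32",  "192.168.1.1",  "enp4s0"),  # VPN endpoint stays outside tunnel
    ("0.0.0.0/1",       "172.27.224.1", "tun0"),    # lower half of IPv4 via VPN
    ("128.0.0.0/1",     "172.27.224.1", "tun0"),    # upper half of IPv4 via VPN
    ("172.27.224.0/20", None,           "tun0"),    # VPN transit subnet
]


def lookup(table, dst):
    """Longest-prefix match as the kernel does it: return (prefix, iface) of
    the most specific route containing dst, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, _gw, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return (str(best[0]), best[1]) if best else None


def punch_hole(table, host):
    """reinob's first fix: a /32 for the NAS via tun0 beats the /24 on enp4s0."""
    return table + [(f"{host}/32", "172.27.224.1", "tun0")]


def renumber_office2(table, new_lan="192.168.2.0/24"):
    """reinob's second fix: give Office2 its own subnet, so Office1's
    192.168.1.0/24 is no longer on-link and falls into the 128.0.0.0/1 route."""
    return [(new_lan if p == "192.168.1.0/24" else p, gw, i) for p, gw, i in table]


if __name__ == "__main__":
    for label, table in [("as logged", VPN_UP),
                         ("with /32 hole", punch_hole(VPN_UP, "192.168.1.20")),
                         ("Office2 renumbered", renumber_office2(VPN_UP))]:
        print(f"{label:20s} 192.168.1.20 ->", lookup(table, "192.168.1.20"))
```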

kkfu
Posts: 8
Joined: 2020-11-09 12:15

[SOLVED] Re: trouble with openvpn in debian

#9 Post by kkfu »

After some further research I could find a solution. This is a step-by-step guide of what needs to be done. I wanted to close this post with a solution in case anyone needs it in the future.

How to connect to PIA (using the installed openvpn)

Step 1: Install Openvpn (from terminal): follow Debian's guide

Step 2: create directory for PIA
cd /etc/openvpn
sudo mkdir pia

Step 3: Download the zip (openvpn-strong zip) with PIA's ovpn files. IMPORTANT: only the ones in this link work for me: https://www.privateinternetaccess.com/o ... extgen.zip. The ones in the openvpn-nextgen.zip do not work for me.

Step 4: Unzip the file:
sudo unzip openvpn-strong-nextgen.zip -d /etc/openvpn/pia

Step 5: create a credentials file to specify your PIA username and password, so you can log in automatically:
sudo nano /etc/openvpn/pia/.secrets

Step 6: Change the permission of the login.txt file so it is only owned by root:
sudo chmod 700 /etc/openvpn/pia/.secrets

Step 7: test if it’s working by manually running OpenVPN:
$ sudo openvpn --config /etc/openvpn/pia/XXX.ovpn --auth-user-pass /etc/openvpn/pia/.secrets

Step 8: edit .ovpn for hardening and add:
user nobody
(group nobody)
auth-nocache

That's it. Enjoy.

I also tested setting up the XXX.ovpn from NETWORK-MANAGER and it works. You need to select "Password" as the connection type.
IPV6=Ignored.
GATEWAY: XXX.privacy.network
CA cert=add yours
In advanced:
port=1197
use custom renegotiation interval?0
lzo compression=adaptive
set virtual device type=TUN
security>AES-256-CBC
security>SHA-256
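A checker for the step 8 hardening directives and the step 6 credentials-file permissions, added here as an example and not part of the post; the sample .ovpn text is constructed, and `nogroup` is accepted alongside `nobody` because that is the name of Debian's unprivileged group.

```python
import os
import stat
import tempfile

# Step 8 directives. OpenVPN drops root after the tunnel is up; Debian's
# unprivileged group is "nogroup", so both spellings are accepted here.
EXPECTED = {
    "user": {"nobody"},
    "group": {"nobody", "nogroup"},
    "auth-nocache": None,   # flag without an argument: presence is enough
}

# Constructed sample resembling the PIA profile described in the thread;
# the certificate body is a placeholder, not a real certificate.
WEAK_OVPN = """\
client
remote XXX.privacy.network 1197
cipher AES-256-CBC
auth SHA256
<ca>
-----BEGIN CERTIFICATE-----
(placeholder)
-----END CERTIFICATE-----
</ca>
"""
HARDENED_OVPN = WEAK_OVPN + "user nobody\ngroup nogroup\nauth-nocache\n"


def parse_ovpn(text):
    """Map each directive to its arguments, skipping comments and inline
    <ca>...</ca> style blocks whose contents are not directives."""
    opts, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:
            block = None if line == f"</{block}>" else block
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
            continue
        name, *args = line.split()
        opts[name] = args
    return opts


def hardening_findings(text):
    """Return the step 8 directives that are missing or wrong; [] is clean."""
    opts = parse_ovpn(text)
    findings = []
    for directive, allowed in EXPECTED.items():
        if directive not in opts:
            findings.append(f"missing '{directive}'")
        elif allowed and (not opts[directive] or opts[directive][0] not in allowed):
            findings.append(f"'{directive}' should be one of {sorted(allowed)}")
    return findings


def secrets_file_private(path):
    """Step 6 check: no group/other permission bits on the credentials file,
    so 0600 and the post's 0700 both pass while 0644 fails."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def demo_secrets_check():
    """Create a throwaway credentials file with dummy contents and return
    (private_before, private_after) tightening its mode from 0644 to 0600."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".secrets")
        with open(path, "w") as f:
            f.write("p1234567\nexample-password\n")
        os.chmod(path, 0o644)
        before = secrets_file_private(path)
        os.chmod(path, 0o600)
        return before, secrets_file_private(path)
```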

sgosnell
Posts: 975
Joined: 2011-03-14 01:49

Re: [SOLVED] trouble with openvpn in debian (PIA)

#10 Post by sgosnell »

For just accessing a NAS in a local office, I don't think a VPN is the optimal solution. It's very much overkill. Simple NFS should be sufficient, or even just ssh or sshfs, depending on what you need to do with the files. If what you have works for you, fine, but a VPN inside a LAN makes no sense to me unless you need to access the server from outside the office.
Take my advice, I'm not using it.
