Tunnel DietPi through OpenVPN

Hi there,

I have my Odroid XU-4 running DietPi. I want to run all internet connections through a VPN service like Private Internet Access. But I can't seem to find anything about it. Can anybody give me a clue how it's done?

Hi,

As far as I see, you want to run an OpenVPN client on your device, not act as an OpenVPN server.

First of all, it will only work for IPv4 connections. If you have a dual-stack network and you want to run all internet connections through your tun interface, you have to disable IPv6 support in dietpi-config.

You have to install OpenVPN or PiVPN on your device first.

Now you have to put the client config files (*.ovpn) on your device, e.g. into your home directory (/root/vpnbook.ovpn).

In this example here, I will use a free account from VPNBook.

For testing, start your OpenVPN client with this config file:

root@ZeroPi:~# openvpn --config /root/vpnbook.ovpn
Mon Dec 12 19:53:12 2016 OpenVPN 2.3.11 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on May 23 2016
Mon Dec 12 19:53:12 2016 library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.08
Enter Auth Username: *******
Enter Auth Password: *********

Type in your username and your password if you need them.
Now you will see some messages like this:

Mon Dec 12 19:55:46 2016 Socket Buffers: R=[163840->163840] S=[163840->163840]
Mon Dec 12 19:55:46 2016 UDPv4 link local: [undef]
Mon Dec 12 19:55:46 2016 UDPv4 link remote: [AF_INET]176.126.237.214:25000
Mon Dec 12 19:55:47 2016 TLS: Initial packet from [AF_INET]176.126.237.214:25000, sid=628e66d9 cae50908
Mon Dec 12 19:55:47 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Dec 12 19:55:47 2016 VERIFY OK: depth=1, C=CH, ST=Zurich, L=Zurich, O=vpnbook.com, OU=IT, CN=vpnbook.com, name=vpnbook.com, emailAddress=admin@vpnbook.com
Mon Dec 12 19:55:47 2016 VERIFY OK: depth=0, C=CH, ST=Zurich, L=Zurich, O=vpnbook.com, OU=IT, CN=vpnbook.com, name=vpnbook.com, emailAddress=admin@vpnbook.com
Mon Dec 12 19:55:47 2016 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Mon Dec 12 19:55:47 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 12 19:55:47 2016 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Mon Dec 12 19:55:47 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 12 19:55:47 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Dec 12 19:55:47 2016 [vpnbook.com] Peer Connection Initiated with [AF_INET]176.126.237.214:25000
Mon Dec 12 19:55:49 2016 SENT CONTROL [vpnbook.com]: 'PUSH_REQUEST' (status=1)
Mon Dec 12 19:55:49 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS  84.200.69.80,dhcp-option DNS  37.235.1.177,route 10.10.0.1,topology net30,ping 5,ping-restart 30,ifconfig 10.10.1.14 10.10.1.13'
Mon Dec 12 19:55:49 2016 OPTIONS IMPORT: timers and/or timeouts modified
Mon Dec 12 19:55:49 2016 OPTIONS IMPORT: --ifconfig/up options modified
Mon Dec 12 19:55:49 2016 OPTIONS IMPORT: route options modified
Mon Dec 12 19:55:49 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Dec 12 19:55:49 2016 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=eth0 HWADDR=a0:ce:c8:08:68:d0
Mon Dec 12 19:55:49 2016 TUN/TAP device tun2 opened
Mon Dec 12 19:55:49 2016 TUN/TAP TX queue length set to 100
Mon Dec 12 19:55:49 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Dec 12 19:55:49 2016 /sbin/ip link set dev tun2 up mtu 1500
Mon Dec 12 19:55:49 2016 /sbin/ip addr add dev tun2 local 10.10.1.14 peer 10.10.1.13
Mon Dec 12 19:55:52 2016 /sbin/ip route add 176.126.237.214/32 via 192.168.0.100
Mon Dec 12 19:55:52 2016 /sbin/ip route add 0.0.0.0/1 via 10.10.1.13
Mon Dec 12 19:55:52 2016 /sbin/ip route add 128.0.0.0/1 via 10.10.1.13
Mon Dec 12 19:55:52 2016 /sbin/ip route add 10.10.0.1/32 via 10.10.1.13
Mon Dec 12 19:55:52 2016 Initialization Sequence Completed

“Initialization Sequence Completed” means that your OpenVPN connection is established.

Leave this terminal session open and open a new SSH session to test whether the VPN connection is working.

root@ZeroPi:~# ip  a | grep tun
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
11: tun2: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    inet 10.10.1.14 peer 10.10.1.13/32 scope global tun2

10.10.1.14/32 ==>> is my VPN client address (tun2 - client Point-to-Point connection)

10.10.1.13/32 ==>> is VPN server tunnel endpoint ip address

176.126.237.214 ==>> is VPN server endpoint public ip address (euro214.vpnbook.com)

root@ZeroPi:~# route -n
Kernel-IP-Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.10.1.13      128.0.0.0       UG    0      0        0 tun2
0.0.0.0         192.168.0.1     0.0.0.0         UG    202    0        0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
10.10.0.1       10.10.1.13      255.255.255.255 UGH   0      0        0 tun2
10.10.1.13      0.0.0.0         255.255.255.255 UH    0      0        0 tun2
128.0.0.0       10.10.1.13      128.0.0.0       UG    0      0        0 tun2
192.168.0.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0
176.126.237.214 192.168.0.1     255.255.255.255 UGH   0      0        0 eth0

Ping or trace some targets on the internet:

root@ZeroPi:~# mtr dietpi.com

 Host 
 1. 10.10.0.1 
 2. 176.126.237.193
 3. 185.57.80.77
 4. buc-ird-01c.voxility.net
 5. fra-in8-01c.voxility.net
 6. ddos.protection.interwerk.de
 7. fra-in-01-edge.myvirtualserver.com 
 8. ???
 9. 185.101.92.145

If all this is working like you want it and your OpenVPN connection requires you to type in a username and password manually, you can modify your *.ovpn to get automatic login:

Save Password in OpenVPN for Automatic Login

Now openvpn --config /root/vpnbook.ovpn should end up with a VPN connection without typing in a username and password.

If you want to start a VPN client connection on every boot, you have to edit:

root@ZeroPi:~# nano /etc/rc.local

and paste something like this before the last line (exit 0):

sleep 3
echo -e " * Starting VPN connection ..."
/usr/sbin/openvpn --daemon --config /root/vpnbook.ovpn
sleep 2
echo -e ".   Done! \n"

exit 0

Hope this will help you out.

cu
k-plan
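
The route table above is the thing worth checking after boot, not only the process list. The following is an added example (not k-plan's or the DietPi project's code): it checks that the two half-default routes from redirect-gateway def1 are present and that the server keeps its host route via the LAN, assuming eth0 is the LAN interface and the tunnel is a tun device; the sample tables are constructed from the thread's addresses, and on a real box you run it with --live.

```shell
#!/bin/sh
# Added example, not from the thread: verify that the client's
# "redirect-gateway def1" routes are really in place. def1 installs two
# half-default routes (0.0.0.0/1 and 128.0.0.0/1) via the tun peer, which
# win over the LAN default route on prefix length; when openvpn dies they
# vanish with tun2 and traffic falls back to eth0 without any error.
# vpn_routes_ok ROUTES: 0 if both half-default routes go through a tun device.
vpn_routes_ok() {
    if printf '%s\n' "$1" | grep -q '^0\.0\.0\.0/1 via [0-9.]* dev tun' &&
       printf '%s\n' "$1" | grep -q '^128\.0\.0\.0/1 via [0-9.]* dev tun'; then
        return 0
    fi
    return 1
}

# vpn_endpoint_pinned SERVER_IP ROUTES: 0 if the VPN server still has a host
# route via the LAN interface (its packets must not be sent into the tunnel
# once def1 is active, or the tunnel feeds itself).
vpn_endpoint_pinned() {
    server=$(printf '%s\n' "$1" | sed 's/\./\\./g')
    printf '%s\n' "$2" | grep -q "^$server via [0-9.]* dev eth[0-9]"
}

# vpn_state ROUTES: print "up", or "down (...)" naming the interface that
# the remaining 0.0.0.0/0 route would hand the traffic to instead.
vpn_state() {
    if vpn_routes_ok "$1"; then
        echo up
    else
        fb=$(printf '%s\n' "$1" | sed -n 's/^default via [0-9.]* dev \([a-z0-9]*\).*/\1/p' | head -n 1)
        echo "down (traffic leaves via ${fb:-unknown})"
    fi
}
# Constructed samples in `ip route show` form, using the thread's addresses.
ROUTES_UP='0.0.0.0/1 via 10.10.1.13 dev tun2
default via 192.168.0.1 dev eth0 metric 202
128.0.0.0/1 via 10.10.1.13 dev tun2
176.126.237.214 via 192.168.0.1 dev eth0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.100'
# The same host after openvpn exited: only the LAN routes are left.
ROUTES_DOWN='default via 192.168.0.1 dev eth0 metric 202
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.100'

if [ "${1:-}" = "--live" ]; then          # run against the real table
    vpn_state "$(ip route show)"
else                                       # demo on the constructed samples
    echo "sample up:   $(vpn_state "$ROUTES_UP")"
    echo "sample down: $(vpn_state "$ROUTES_DOWN")"
fi
```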

Hi k-plan,

Thank you so much for your elaborate answer. It was definitely more than just a clue :smiley: Actually it was spot on and exactly what I needed.

There are tons of tutorials out there that explain how to set it up as a VPN server, but none (that I could find) that explain the client side setup. So I’m sure that your answer will be able to help out others as well. Either way, you helped me.

Once again, thank you :slight_smile:

Hi nicolasbuch,

Yes, there are many tutorials for GUI client setup or Windows clients, but for the Linux CLI it’s narrow.
I had to fiddle around for some days to get it to work for me.

Starting the VPN client via /etc/rc.local is not the perfect way, because if you want to restart the VPN client session, you have to kill it (e.g. with htop) and restart it manually or execute /etc/rc.local once again.
But I like the feedback message.

A better way would be to build a “VPN-client” service and start it via dietpi-services, but after running an update this will be gone every time.

Nice to hear this, and thanks for your feedback. It’s no longer self-evident.

cu
k-plan

To get this to work, you have to do (same example as above):

  • delete the new lines you put in /etc/rc.local before, and save:
root@ZeroPi:~# nano /etc/rc.local

...

## sleep 3
## echo -e " * Starting VPN connection ..."
## /usr/sbin/openvpn --daemon --config /root/vpnbook.ovpn
## sleep 2
## echo -e ".   Done! \n"

exit 0
  • copy your VPN client config file (e.g. in my example /root/vpnbook.ovpn) and, if you need one, your username and password file (e.g. /root/auth.txt):
root@ZeroPi:~# cp /root/vpnbook.ovpn /etc/openvpn/vpnbook.conf

root@ZeroPi:~# cp /root/auth.txt /etc/openvpn/auth.txt
  • edit /etc/default/openvpn:
root@ZeroPi:~# nano /etc/default/openvpn
  • if you want to auto-start both the local OpenVPN server and the OpenVPN client on boot, then uncomment:
# If you're running systemd, changing this variable will
# require running "systemctl daemon-reload" followed by
# a restart of the openvpn service (if you removed entries
# you may have to stop those manually)
#
AUTOSTART="all"
#AUTOSTART="none"
#AUTOSTART="home office"
#
  • if you want to auto-start only the OpenVPN client on boot, then uncomment and edit:
# If you're running systemd, changing this variable will
# require running "systemctl daemon-reload" followed by
# a restart of the openvpn service (if you removed entries
# you may have to stop those manually)
#
#AUTOSTART="all"
#AUTOSTART="none"
AUTOSTART="vpnbook"
#

… and save the edited file!

  • now reboot your system:
root@ZeroPi:~# reboot
  • after the system restart, run htop and watch for openvpn processes:
root@ZeroPi:~# htop
  • you should see a running openvpn client process as a daemon:

  • test your connection like before

  • if you want to restart your OpenVPN client connection, you can now simply use dietpi-services:

root@ZeroPi:~# dietpi-services restart

cu
k-plan
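
The steps above, as an added example that is not k-plan's or DietPi's own code: it does the /etc/default/openvpn edit non-interactively and checks what the init script will pick up, including that the credentials file named by auth-user-pass is readable by its owner only. It assumes the Debian layout used in the thread (AUTOSTART= in /etc/default/openvpn, profiles as /etc/openvpn/NAME.conf) and, as a further assumption, resolves a relative auth-user-pass path against the conf directory; it runs against a constructed throwaway copy of those files.

```shell
#!/bin/sh
# Added example, not k-plan's code: apply the /etc/default/openvpn step
# non-interactively and check what the init script will pick up on boot.
# Assumes the Debian layout from the thread: AUTOSTART= in
# /etc/default/openvpn and client profiles as /etc/openvpn/NAME.conf.
# set_autostart DEFAULTS NAME: comment out every active AUTOSTART= line and
# append AUTOSTART="NAME" once, so re-running it never stacks entries.
set_autostart() {
    sed -i 's/^AUTOSTART=/#AUTOSTART=/' "$1"
    printf 'AUTOSTART="%s"\n' "$2" >> "$1"
}
# active_autostart DEFAULTS: print the value that survives sourcing the
# file (the last uncommented assignment wins).
active_autostart() {
    sed -n 's/^AUTOSTART="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$1" | tail -n 1
}
# check_profile CONF_DIR NAME: 0 if NAME.conf exists and any credentials
# file it names with auth-user-pass exists and is readable by its owner only.
# A relative path is resolved against CONF_DIR (an assumption of this check).
check_profile() {
    conf="$1/$2.conf"
    [ -f "$conf" ] || { echo "missing $conf"; return 1; }
    auth=$(sed -n 's/^auth-user-pass[[:space:]]\{1,\}//p' "$conf" | head -n 1)
    [ -n "$auth" ] || return 0              # cert-only or interactive profile
    case "$auth" in /*) ;; *) auth="$1/$auth" ;; esac
    [ -f "$auth" ] || { echo "missing credentials file $auth"; return 1; }
    mode=$(stat -c %a "$auth")
    [ "$mode" = 600 ] || { echo "$auth is mode $mode, want 600"; return 1; }
}

# make_demo: build a throwaway copy of the layout with constructed contents
# (stand-in for /etc on the real box) and print its path.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/openvpn"
    printf '%s\n' '# constructed sample of /etc/default/openvpn' \
        'AUTOSTART="all"' '#AUTOSTART="none"' > "$d/default-openvpn"
    printf '%s\n' 'client' 'dev tun' 'remote euro214.vpnbook.com 25000 udp' \
        'auth-user-pass auth.txt' > "$d/openvpn/vpnbook.conf"
    printf 'user\npass\n' > "$d/openvpn/auth.txt"
    chmod 644 "$d/openvpn/auth.txt"          # deliberately too open
    echo "$d"
}

DEMO=$(make_demo)
set_autostart "$DEMO/default-openvpn" vpnbook
echo "AUTOSTART now: $(active_autostart "$DEMO/default-openvpn")"
check_profile "$DEMO/openvpn" vpnbook || echo "fix: chmod 600 the credentials file"
chmod 600 "$DEMO/openvpn/auth.txt"
check_profile "$DEMO/openvpn" vpnbook && echo "profile vpnbook is ready"
```

On the real box you would point set_autostart at /etc/default/openvpn and check_profile at /etc/openvpn, then run systemctl daemon-reload and restart openvpn as the file's own comment says.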

Excellent guide K-Plan. Stickied!

EDIT: Created a new sub-forum for guides by our users and moved it there: http://dietpi.com/phpbb/viewforum.php?f=15

Is it possible to configure openvpn client to read username and password via environment variables?