VPN client for DietPi (topic is solved)

JRaducha
Posts: 7
Joined: Sat May 25, 2019 11:49 pm

VPN client for DietPi

Post by JRaducha »

I am using an Allo Boss DAC for Roon connectivity. I am looking to put the DAC at a remote location and access my server through an L2TP VPN connection. I am looking for a VPN CLIENT that will allow me to do this in DietPi, and make sure all the traffic goes through the VPN connection. How can I do this? What app should be downloaded?

Thank you!
MichaIng
Site Admin
Posts: 2295
Joined: Sat Nov 18, 2017 6:21 pm

Re: VPN client for DietPi

Post by MichaIng »

Are you bound to L2TP? That does not work with the VPN clients we offer through DietPi-Software. So if OpenVPN or WireGuard is an option, that would work.

I have no experience with L2TP, which is usually paired with IPsec, which again is known to be a bit complicated to set up. However, hopefully this guide helps you: https://gist.github.com/mietek/4877cd74423bf6925b92
JRaducha
Posts: 7
Joined: Sat May 25, 2019 11:49 pm

Re: VPN client for DietPi

Post by JRaducha »

I am not bound to L2TP. The Qnap I am using as my VPN server does support OpenVPN.

I looked all over, and I cannot find where to install just the CLIENT on OpenVPN in DietPi. Do you have instructions on that?

The other option I was thinking about would be just using an SSH tunnel. What are your thoughts on that?

I have my iPhone and a MacBook Pro already configured to use the L2TP, and it works great. That is why I was trying to use that for the ALLO Boss.


MichaIng wrote: Sun May 26, 2019 2:18 am Are you bound to L2TP? That does not work with the VPN clients we offer through DietPi-Software. So if OpenVPN or WireGuard is an option, that would work.

I have no experience with L2TP, which is usually paired with IPsec, which again is known to be a bit complicated to set up. However, hopefully this guide helps you: https://gist.github.com/mietek/4877cd74423bf6925b92
MichaIng
Site Admin
Posts: 2295
Joined: Sat Nov 18, 2017 6:21 pm

Re: VPN client for DietPi

Post by MichaIng »

@JRaducha
Ah yeah, that's true, our OpenVPN install configures it as a server. WireGuard allows choosing between server and client setup.

However, for a client setup the config usually must be provided by the server. Perhaps the Qnap has an option to export a client config based on the VPN server configuration?
Generally the Debian guide explains and gives examples of how to set up both sides: https://wiki.debian.org/OpenVPN

An SSH tunnel is an alternative, but a VPN will generally be more secure, easier to enforce for all network requests on the client and faster (AFAIK), since it can be used with the UDP protocol as well.
JRaducha
Posts: 7
Joined: Sat May 25, 2019 11:49 pm

Re: VPN client for DietPi

Post by JRaducha »

OK… I figured out how to get OpenVPN Client setup for DietPi.


Step 1
Set up your OpenVPN Server

Step 2
Log in as root on your DietPi

Step 3 Type-
apt-get update

Step 4 Type-
apt-get install openvpn

Step 5 – Configure the OpenVPN Client
In /etc/openvpn/ create a new text file named – (Your server name).ovpn

Paste this text in - PLEASE MAKE CHANGES-----
## How to setup OpenVPN client?
## 1. Install OpenVPN software on your platform.
## 2. Double click XXXX.ovpn file to create new connection profile.
## 3. Type username and password while connection.

client
dev tun
script-security 3
remote (YOUR IP ADDRESS X.X.X.X) 1194
resolv-retry infinite
nobind
auth-nocache
auth-user-pass
remote-cert-tls server
reneg-sec 0
cipher AES-128-CBC
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA
comp-lzo
proto udp
explicit-exit-notify 1
<ca>
-----BEGIN CERTIFICATE-----
(THIS IS LOCATED ON YOUR SERVER CALLED YOURSERVERNAME.CA)
-----END CERTIFICATE-----
</ca>

Step 6
Copy your CA from the server to the client
On the client - located at - /etc/openvpn/client/

Step 7 Type-
service openvpn restart

Step 8 (Just to make sure you have connectivity on both sides)
On the client, try and ping your server

Step 9 Type-
openvpn --config clientname.ovpn

Step 10
Enter your user name and password

Step 11
When OpenVPN shows the message “Initialization Sequence Completed“, then you are connected.
Last edited by JRaducha on Thu May 30, 2019 1:13 am, edited 2 times in total.
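
The question that opened this thread was how to make sure all traffic goes through the VPN. The profile in the post above has no redirect-gateway line, so whether that happens depends on what the server pushes. The following is an added example, not part of the original post, that reads the client's IPv4 routing table and reports whether the default path leaves through the tunnel, either by a replaced default route or by the two /1 routes that OpenVPN's `redirect-gateway def1` installs. The function names and sample tables are constructed; IPv6 and DNS are not covered.

```shell
#!/bin/sh
# Added example, not from the thread: decide from the routing table whether
# IPv4 traffic is forced through the VPN.

# full_tunnel: reads `ip -4 route show` output on stdin; exit 0 if the default
# path leaves through a tun device. More specific routes (the LAN, the host
# route to the VPN server) still bypass the tunnel, as they must.
full_tunnel() {
    awk '
        $1 == "default"     && / dev tun[0-9]+/ { def = 1 }  # gateway replaced
        $1 == "0.0.0.0/1"   && / dev tun[0-9]+/ { lo = 1 }   # def1, lower half
        $1 == "128.0.0.0/1" && / dev tun[0-9]+/ { hi = 1 }   # def1, upper half
        END { exit !(def || (lo && hi)) }
    '
}

# Constructed routing tables (private and documentation address ranges).
sample_split() {
    cat <<'EOF'
default via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
EOF
}
sample_full() {
    cat <<'EOF'
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0
EOF
}

# On the client: ip -4 route show | full_tunnel && echo "full tunnel"
```

Run it once after "Initialization Sequence Completed" appears; a failing result means only the VPN subnet is routed through the tunnel.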
MichaIng
Site Admin
Posts: 2295
Joined: Sat Nov 18, 2017 6:21 pm

Re: VPN client for DietPi

Post by MichaIng »

@JRaducha
Many thanks for providing your solution. Jep looks good.

I am still thinking if OpenVPN ships a command to create a client config directly from the server. Will check this out.
JRaducha
Posts: 7
Joined: Sat May 25, 2019 11:49 pm

Re: VPN client for DietPi

Post by JRaducha »

MichaIng wrote: Tue May 28, 2019 2:44 pm @JRaducha
Many thanks for providing your solution. Jep looks good.

I am still thinking if OpenVPN ships a command to create a client config directly from the server. Will check this out.
It does, but I could not get it to work properly.

How to configure the client via command line - At least this is how it was explained to me.

OpenVPN server creates certificates for each VPN client machine. These certificates should be available on the client computer at the /etc/openvpn directory. Normally, we use the scp command and copy these files from the OpenVPN server to the machine.

# scp root@vpnserver.com:/etc/openvpn/clients/clientname.tar.gz /etc/openvpn/
# tar -xzvf /etc/openvpn/clientname.tar.gz -C /etc/openvpn

This would fetch all the client certificates from the OpenVPN server.

Going further, we would then copy the OpenVPN configuration file using the command:

# cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn

Now, on the client machine it’s time to make a few edits in the client specific configuration file at /etc/openvpn/client.conf.

Here, we set the address of the OpenVPN server, the port configured on the OpenVPN server and the actual name of the certificate and key file names. Usually, the OpenVPN port will be 1194.
przemko
Posts: 70
Joined: Sun Mar 15, 2020 5:40 pm

Re: VPN client for DietPi

Post by przemko »

Hi, I have a VPS server with OpenVPN installed. I use this VPN for my laptops, smartphone and OSMC (RPi3) but cannot make it work with DietPi. I tried to copy my dietpi.ovpn file to /etc/openvpn and /etc/openvpn/clients. I also changed the name to dietpi.config but that also doesn't work. When I run the command in an SSH terminal I see:

Code:

dietpi@DietPi:/$ sudo service openvpn restart
dietpi@DietPi:/$ sudo openvpn --config dietpi.ovpn
Options error: In [CMD-LINE]:1: Error opening configuration file: dietpi.ovpn
Use --help for more information.

Code:

dietpi@DietPi:/$ sudo systemctl status openvpn@dietpi
Broadcast message from root@DietPi (Tue 2020-03-24 13:09:29 CET):

Password entry required for 'Enter Private Key Password:' (PID 4396).
Please enter password with the systemd-tty-ask-password-agent tool:


● openvpn@dietpi.service - OpenVPN connection to dietpi
   Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; vendor preset: enabled)
   Active: active (running) since Tue 2020-03-24 13:09:29 CET; 4s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 4394 (openvpn)
   Status: "Pre-connection initialization successful"
    Tasks: 2 (limit: 4616)
   Memory: 1.2M
   CGroup: /system.slice/system-openvpn.slice/openvpn@dietpi.service
           ├─4394 /usr/sbin/openvpn --daemon ovpn-dietpi --status /run/openvpn/dietpi.status 10 --cd /etc/openvpn --config /etc/openvpn/dietpi.conf --writepid /run/openvpn/dietpi.pid
           └─4396 /bin/systemd-ask-password --icon network-vpn Enter Private Key Password:

mar 24 13:09:29 DietPi systemd[1]: Starting OpenVPN connection to dietpi...
mar 24 13:09:29 DietPi ovpn-dietpi[4394]: Unrecognized option or missing or extra parameter(s) in /etc/openvpn/dietpi.conf:17: block-outside-dns (2.4.7)
mar 24 13:09:29 DietPi ovpn-dietpi[4394]: OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
mar 24 13:09:29 DietPi systemd[1]: Started OpenVPN connection to dietpi.
mar 24 13:09:29 DietPi ovpn-dietpi[4394]: library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
And it still asks me for a password. I generated the ovpn file with a password the first time, but then I deleted it because of the error and generated a second file without a password.
Regards Przemek
Joulinar
Posts: 2077
Joined: Sat Nov 16, 2019 12:49 am

Re: VPN client for DietPi

Post by Joulinar »

Maybe you should investigate the error message on your config file

Code:

Unrecognized option or missing or extra parameter(s) in /etc/openvpn/dietpi.conf:17
You would need to create the config file on your VPS OpenVPN Server and copy it to your DietPi system.
Pls let us know if a solution is working. This could help others if they are hit by a similar situation. Your DietPi Team
przemko
Posts: 70
Joined: Sun Mar 15, 2020 5:40 pm

Re: VPN client for DietPi

Post by przemko »

I use an openvpn-script which creates the dietpi.ovpn file on my VPS and then copy it to my DietPi (RPi4).
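
The output quoted in this thread shows three separate obstacles to an unattended start: `openvpn --config dietpi.ovpn` run from `/` could not open the file, the `openvpn@dietpi` unit (which reads `/etc/openvpn/dietpi.conf`) stopped at a private key password prompt, and line 17 contained `block-outside-dns`, an option that exists only in Windows builds of OpenVPN. The pre-flight check below is an added example, not code from any poster or from DietPi; the function names, finding labels and sample profile are constructed, and it also flags a bare `auth-user-pass`, as used in the earlier how-to post, which prompts for credentials.

```shell
#!/bin/sh
# Added example, not from the thread. Flags what stops an OpenVPN client
# profile from starting unattended under openvpn@NAME.service.

# preflight FILE: prints one finding per line, returns the number of findings.
preflight() {
    cfg=$1
    findings=0
    note() { printf '%s\n' "$1"; findings=$((findings + 1)); }
    if [ ! -r "$cfg" ]; then
        # `openvpn --config NAME` resolves NAME against the current directory.
        note "MISSING: $cfg is not readable from $(pwd)"
        return "$findings"
    fi
    # A passphrase-protected inline key makes the service wait at a prompt.
    if grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$cfg"; then
        note "PROMPT: private key is passphrase-protected"
    fi
    # auth-user-pass without a file argument asks on the terminal.
    if grep -Eq '^[[:space:]]*auth-user-pass[[:space:]]*$' "$cfg"; then
        note "PROMPT: auth-user-pass has no credentials file"
    fi
    # block-outside-dns exists only in Windows builds of OpenVPN.
    if grep -Eq '^[[:space:]]*block-outside-dns' "$cfg" &&
       ! grep -Eq '^[[:space:]]*ignore-unknown-option.*block-outside-dns' "$cfg"; then
        note "OPTION: block-outside-dns is Windows-only and not ignored"
    fi
    return "$findings"
}

# Constructed sample profile (placeholder host and key), written to a temp file.
sample_profile() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
client
dev tun
remote vpn.example.invalid 1194
auth-user-pass
block-outside-dns
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
(constructed placeholder, not key material)
-----END ENCRYPTED PRIVATE KEY-----
</key>
EOF
    printf '%s\n' "$f"
}
# Usage on the client: preflight /etc/openvpn/dietpi.conf
```

If a credentials file is used to satisfy `auth-user-pass`, keep it owned by root with mode 600, since it holds the VPN password in clear text.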