Tunnel DietPi through OpenVPN

Post by nicolasbuch »

Hi there,

I have my Odroid XU-4 running DietPi. I want to run all internet connections through a VPN service like Private Internet Access, but I can't seem to find anything about it. Can anybody give me a clue as to how it's done?

Re: Tunnel DietPi through VPN

Post by k-plan »

Hi,
nicolasbuch wrote: I want to run all internet connection through a VPN service like Private Internet Access.
As far as I see, you want to run an OpenVPN client on your device, not act as an OpenVPN server.

First of all, it will only work for IPv4 connections. If you have a dual stack network and you want to run all internet connections through your tun interface, you have to disable IPv6 support in dietpi-config.

You have to install OpenVPN or PiVPN on your device first.

Now you have to put the client config files " *.ovpn " on your device, e.g. into your home directory ( /root/vpnbook.ovpn )

In this example here, I will use a free account from VPNBook.

For testing, start your openvpn client with this config file:

```
root@ZeroPi:~# openvpn --config /root/vpnbook.ovpn
Mon Dec 12 19:53:12 2016 OpenVPN 2.3.11 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on May 23 2016
Mon Dec 12 19:53:12 2016 library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.08
Enter Auth Username: *******
Enter Auth Password: *********
```

Type in your username and your password if you need one.
Now you will see some messages like this:

```
Mon Dec 12 19:55:46 2016 Socket Buffers: R=[163840->163840] S=[163840->163840]
Mon Dec 12 19:55:46 2016 UDPv4 link local: [undef]
Mon Dec 12 19:55:46 2016 UDPv4 link remote: [AF_INET]176.126.237.214:25000
Mon Dec 12 19:55:47 2016 TLS: Initial packet from [AF_INET]176.126.237.214:25000, sid=628e66d9 cae50908
Mon Dec 12 19:55:47 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Dec 12 19:55:47 2016 VERIFY OK: depth=1, C=CH, ST=Zurich, L=Zurich, O=vpnbook.com, OU=IT, CN=vpnbook.com, name=vpnbook.com, emailAddress=admin@vpnbook.com
Mon Dec 12 19:55:47 2016 VERIFY OK: depth=0, C=CH, ST=Zurich, L=Zurich, O=vpnbook.com, OU=IT, CN=vpnbook.com, name=vpnbook.com, emailAddress=admin@vpnbook.com
Mon Dec 12 19:55:47 2016 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Mon Dec 12 19:55:47 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 12 19:55:47 2016 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Mon Dec 12 19:55:47 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Dec 12 19:55:47 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Dec 12 19:55:47 2016 [vpnbook.com] Peer Connection Initiated with [AF_INET]176.126.237.214:25000
Mon Dec 12 19:55:49 2016 SENT CONTROL [vpnbook.com]: 'PUSH_REQUEST' (status=1)
Mon Dec 12 19:55:49 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS  84.200.69.80,dhcp-option DNS  37.235.1.177,route 10.10.0.1,topology net30,ping 5,ping-restart 30,ifconfig 10.10.1.14 10.10.1.13'
Mon Dec 12 19:55:49 2016 OPTIONS IMPORT: timers and/or timeouts modified
Mon Dec 12 19:55:49 2016 OPTIONS IMPORT: --ifconfig/up options modified
Mon Dec 12 19:55:49 2016 OPTIONS IMPORT: route options modified
Mon Dec 12 19:55:49 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Dec 12 19:55:49 2016 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=eth0 HWADDR=a0:ce:c8:08:68:d0
Mon Dec 12 19:55:49 2016 TUN/TAP device tun2 opened
Mon Dec 12 19:55:49 2016 TUN/TAP TX queue length set to 100
Mon Dec 12 19:55:49 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Dec 12 19:55:49 2016 /sbin/ip link set dev tun2 up mtu 1500
Mon Dec 12 19:55:49 2016 /sbin/ip addr add dev tun2 local 10.10.1.14 peer 10.10.1.13
Mon Dec 12 19:55:52 2016 /sbin/ip route add 176.126.237.214/32 via 192.168.0.100
Mon Dec 12 19:55:52 2016 /sbin/ip route add 0.0.0.0/1 via 10.10.1.13
Mon Dec 12 19:55:52 2016 /sbin/ip route add 128.0.0.0/1 via 10.10.1.13
Mon Dec 12 19:55:52 2016 /sbin/ip route add 10.10.0.1/32 via 10.10.1.13
Mon Dec 12 19:55:52 2016 Initialization Sequence Completed
```

"Initialization Sequence Completed" means that your openvpn connection is established.

Leave this terminal session open and open a new ssh session to test if vpn connection is working.

```
root@ZeroPi:~# ip  a | grep tun
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
11: tun2: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    inet 10.10.1.14 peer 10.10.1.13/32 scope global tun2
```

10.10.1.14/32 ==>> is my VPN client address (tun2 - client Point-to-Point connection)

10.10.1.13/32 ==>> is VPN server tunnel endpoint ip address

176.126.237.214 ==>> is VPN server endpoint public ip address (euro214.vpnbook.com)

```
root@ZeroPi:~# route -n
Kernel-IP-Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.10.1.13      128.0.0.0       UG    0      0        0 tun2
0.0.0.0         192.168.0.1     0.0.0.0         UG    202    0        0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
10.10.0.1       10.10.1.13      255.255.255.255 UGH   0      0        0 tun2
10.10.1.13      0.0.0.0         255.255.255.255 UH    0      0        0 tun2
128.0.0.0       10.10.1.13      128.0.0.0       UG    0      0        0 tun2
192.168.0.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0
176.126.237.214 192.168.0.1     255.255.255.255 UGH   0      0        0 eth0
```

Ping or trace some targets on the internet:

```
root@ZeroPi:~# mtr dietpi.com

 Host
 1. 10.10.0.1
 2. 176.126.237.193
 3. 185.57.80.77
 4. buc-ird-01c.voxility.net
 5. fra-in8-01c.voxility.net
 6. ddos.protection.interwerk.de
 7. fra-in-01-edge.myvirtualserver.com
 8. ???
 9. 185.101.92.145
```

If all this is working as you want and your OpenVPN connection requires you to type in a username and password manually, you can modify your "*.ovpn" file to get automatic login:

Save Password in OpenVPN for Automatic Login

Now openvpn --config /root/vpnbook.ovpn should end up with a VPN connection without typing in a username and password.

If you want to start a VPN Client connection on every boot, you have to edit:

```
root@ZeroPi:~# nano /etc/rc.local
```

and paste something like this before the last line (exit 0):

```
sleep 3
echo -e " * Starting VPN connection ..."
/usr/sbin/openvpn --daemon --config /root/vpnbook.ovpn
sleep 2
echo -e ".   Done! \n"

exit 0
```

Hope this will help you out.

cu
k-plan
If you find our project or support useful, then we’d really appreciate it if you’d consider contributing to the project however you can.
Donating is the easiest – you can use PayPal and Bitcoin.
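
The routing table shown in the post, turned into a repeatable check (an added example, not part of the original post): with `redirect-gateway def1`, the tunnel only carries all IPv4 traffic when both 0.0.0.0/1 and 128.0.0.0/1 point at the tun interface and the VPN server itself stays pinned to the physical interface. The function name `check_vpn_routes` and the "down" table are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: verify the routes that "redirect-gateway def1" installs.
# Usage on a live system: route -n | check_vpn_routes tun2 176.126.237.214

# check_vpn_routes TUN_IF SERVER_IP   (reads `route -n` output on stdin)
# Prints one line per finding; returns 0 only if both IPv4 halves use the tunnel.
check_vpn_routes() {
    awk -v tun="$1" -v srv="$2" '
        # Columns: Destination Gateway Genmask Flags Metric Ref Use Iface
        $1 == "0.0.0.0"   && $3 == "128.0.0.0"       { low  = $8 }
        $1 == "128.0.0.0" && $3 == "128.0.0.0"       { high = $8 }
        $1 == srv         && $3 == "255.255.255.255" { pin  = $8 }
        END {
            bad = 0
            if (low  != tun) { print "LEAK: 0.0.0.0/1 is not routed via " tun;   bad = 1 }
            if (high != tun) { print "LEAK: 128.0.0.0/1 is not routed via " tun; bad = 1 }
            if (pin == "")       { print "WARN: no host route to VPN server " srv; bad = 1 }
            else if (pin == tun) { print "LOOP: VPN server " srv " is routed into " tun; bad = 1 }
            exit bad
        }'
}

# Routing table taken from the post (VPN up), header lines and unrelated rows dropped.
TABLE_UP='0.0.0.0         10.10.1.13      128.0.0.0       UG    0      0        0 tun2
0.0.0.0         192.168.0.1     0.0.0.0         UG    202    0        0 eth0
10.10.1.13      0.0.0.0         255.255.255.255 UH    0      0        0 tun2
128.0.0.0       10.10.1.13      128.0.0.0       UG    0      0        0 tun2
176.126.237.214 192.168.0.1     255.255.255.255 UGH   0      0        0 eth0'

# Constructed table: the same host after the openvpn process has exited.
TABLE_DOWN='0.0.0.0         192.168.0.1     0.0.0.0         UG    202    0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0'

printf '%s\n' "$TABLE_UP"   | check_vpn_routes tun2 176.126.237.214 && echo "up: OK"
printf '%s\n' "$TABLE_DOWN" | check_vpn_routes tun2 176.126.237.214 || echo "down: leaking"
```

The check covers IPv4 only, matching the post's note that IPv6 has to be disabled separately.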

Re: Tunnel DietPi through VPN

Post by nicolasbuch »

Hi k-plan,

Thank you so much for your elaborate answer. It was definitely more than just a clue :D Actually it was spot on and exactly what I needed.

There are tons of tutorials out there that explain how to set it up as a VPN server, but none (that I could find) that explain the client side setup. So I'm sure that your answer will be able to help out others as well. Either way, you helped me.

Once again, thank you :)

Re: Tunnel DietPi through VPN

Post by k-plan »

Hi nicolasbuch,
nicolasbuch wrote: ... but none (that i could find) that explains the client side setup.
Yes, there are many tutorials for GUI client setup or Windows clients, but for Linux CLI it's narrow.
I had to fiddle around for some days to get it to work for me.

Starting the VPN client via /etc/rc.local is not a perfect way, because if you want to restart the VPN client session, you have to kill it (e.g. with htop) and do a manual restart or execute /etc/rc.local once again.
But I like the feedback message.

A better way will be to build a "VPN-client" service and start it via dietpi-services, but after running an update, this will be gone every time.
nicolasbuch wrote: Either way, you helped me.
Nice to hear this and thanks for your feedback. It's no longer self-evident.

cu
k-plan

Re: Tunnel DietPi through VPN

Post by k-plan »

k-plan wrote: Better way will be to build a "VPN client" service and start it via dietpi-services
To get this to work, you have to do the following (same example as above):

- delete the new lines you put in /etc/rc.local before, and save.

```
root@ZeroPi:~# nano /etc/rc.local

...

## sleep 3
## echo -e " * Starting VPN connection ..."
## /usr/sbin/openvpn --daemon --config /root/vpnbook.ovpn
## sleep 2
## echo -e ".   Done! \n"

exit 0
```

- copy your VPN client config files (e.g. in my example /root/vpnbook.ovpn) and, if you need one, your username and password file (e.g. /root/auth.txt)

```
root@ZeroPi:~# cp /root/vpnbook.ovpn /etc/openvpn/vpnbook.conf

root@ZeroPi:~# cp /root/auth.txt /etc/openvpn/auth.txt
```

- edit /etc/default/openvpn :

```
root@ZeroPi:~# nano /etc/default/openvpn
```

- if you want to auto-start both the local OpenVPN server and the OpenVPN client on boot, then uncomment:

```
# If you're running systemd, changing this variable will
# require running "systemctl daemon-reload" followed by
# a restart of the openvpn service (if you removed entries
# you may have to stop those manually)
#
AUTOSTART="all"
#AUTOSTART="none"
#AUTOSTART="home office"
#
```

- if you want to auto-start only the OpenVPN client on boot, then uncomment and edit:

```
# If you're running systemd, changing this variable will
# require running "systemctl daemon-reload" followed by
# a restart of the openvpn service (if you removed entries
# you may have to stop those manually)
#
#AUTOSTART="all"
#AUTOSTART="none"
AUTOSTART="vpnbook"
#
```

... and save the edited file!

- now reboot your system:

```
root@ZeroPi:~# reboot
```

- after system restart, run htop and watch for openvpn processes:

```
root@ZeroPi:~# htop
```

- you should see a running openvpn client process as daemon:
[Image: OpenVPN client process as daemon]

- Test your connection like before

- if you want to restart your OpenVPN client connection, you can now simply use dietpi-services

```
root@ZeroPi:~# dietpi-services restart
```

cu
k-plan
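
An added check for the service setup described in this post (not part of k-plan's guide or of DietPi): it verifies that every AUTOSTART name has a matching `.conf` in the config directory, that the credentials file referenced by `auth-user-pass` is not readable by other users, and that `auth-nocache` is set, as the WARNING in the client log earlier in the thread suggests. The function name, messages and sample files are constructed; relative `auth-user-pass` paths are assumed to resolve against the config directory, and GNU `stat` is assumed.

```bash
#!/usr/bin/env bash
# Added example: audit the auto-started client config described in the post.
# Assumes GNU stat (stat -c), as found on Debian-based systems such as DietPi.

# audit_openvpn_client CONF_DIR DEFAULTS_FILE -> prints findings, returns 0 if none
audit_openvpn_client() {
    dir=$1; defaults=$2; findings=0
    # The last uncommented AUTOSTART="..." line wins; names map to CONF_DIR/NAME.conf
    names=$(sed -n 's/^AUTOSTART="\(.*\)"$/\1/p' "$defaults" | tail -n 1)
    case $names in
        none) names= ;;
        all)  names=$(for f in "$dir"/*.conf; do
                  if [ -e "$f" ]; then basename "$f" .conf; fi; done) ;;
    esac
    for n in $names; do
        conf=$dir/$n.conf
        if [ ! -f "$conf" ]; then
            echo "MISSING: AUTOSTART names '$n' but $conf does not exist"
            findings=$((findings + 1)); continue
        fi
        # auth-user-pass FILE: FILE stores username and password in clear text
        cred=$(awk '$1 == "auth-user-pass" && NF > 1 { print $2; exit }' "$conf")
        if [ -n "$cred" ]; then
            case $cred in /*) ;; *) cred=$dir/$cred ;; esac   # assumed relative to CONF_DIR
            mode=$(stat -c %a "$cred" 2>/dev/null || echo missing)
            case $mode in
                600|400) ;;
                *) echo "PERMS: $cred has mode $mode, expected 600"
                   findings=$((findings + 1)) ;;
            esac
        fi
        if ! grep -q '^[[:space:]]*auth-nocache' "$conf"; then
            echo "CACHE: $conf does not set auth-nocache"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample mirroring the post: vpnbook.conf, auth.txt, AUTOSTART="vpnbook"
demo=$(mktemp -d)
printf 'client\nauth-user-pass auth.txt\n' > "$demo/vpnbook.conf"
printf 'user\npass\n' > "$demo/auth.txt"; chmod 644 "$demo/auth.txt"
printf '#AUTOSTART="all"\nAUTOSTART="vpnbook"\n' > "$demo/default"
audit_openvpn_client "$demo" "$demo/default" || echo "fix the findings above"
rm -rf "$demo"
```

On the system from the post the call would be `audit_openvpn_client /etc/openvpn /etc/default/openvpn`.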

Re: Tunnel DietPi through VPN

Post by Fourdee »

Excellent guide K-Plan. Stickied!

EDIT: Created a new sub-forum for guides by our users and moved it there: http://dietpi.com/phpbb/viewforum.php?f=15
If you find our project or support useful, then we’d really appreciate it if you’d consider contributing to the project however you can.
Donating is the easiest – you can use PayPal or become a DietPi patron.

Re: Tunnel DietPi through VPN

Post by odreezy »

Is it possible to configure openvpn client to read username and password via environment variables?