OpenVPN issue on OMV 1.9

      Hi all,

      I just got an IPVanish VPN account (ipvanish.com) and I'm currently trying to set up the VPN connection.
      Thus I have installed the openmediavault-openvpn 1.1 plugin (not the openvpnas).
      Unfortunately, when I go to the certificate tab and then try to add a user, it returns the following error message:

      Failed to execute command 'export LANG=C; omv-mkconf openvpn add 6ccbc240-f81e-4cba-b31f-7d3a3588aaf0 2>&1': /usr/share/openmediavault/mkconf/openvpn: line 409: cd: /etc/openvpn/easy-rsa/2.0/: No such file or directory

      Erreur #4000:
      exception 'OMVException' with message 'Failed to execute command 'export LANG=C; omv-mkconf openvpn add 6ccbc240-f81e-4cba-b31f-7d3a3588aaf0 2>&1': /usr/share/openmediavault/mkconf/openvpn: line 409: cd: /etc/openvpn/easy-rsa/2.0/: No such file or directory' in /usr/share/openmediavault/engined/rpc/openvpn.inc:394
      Stack trace:
      #0 [internal function]: OMVRpcServiceOpenVpn->set(Array, Array)
      #1 /usr/share/php/openmediavault/rpcservice.inc(125): call_user_func_array(Array, Array)
      #2 /usr/share/php/openmediavault/rpc.inc(79): OMVRpcServiceAbstract->callMethod('set', Array, Array)
      #3 /usr/sbin/omv-engined(500): OMVRpc::exec('OpenVpn', 'set', Array, Array, 1)
      #4 {main}


      Nevertheless, if I switch to the parameter tab, then go back to the certificate tab, the new user is properly listed.

      However, after selecting the new user, I cannot download the certificate (nothing happens when I click on "Download certificate").

      => Could somebody help me setting up my VPN connection?
    • The openvpn plugin is a server not a client. Uninstall the openvpn plugin, and leave the openvpn binary package.

      apt-get remove openmediavault-openvpn

      place your ipvanish conf file at /etc/openvpn/ folder

      and start the service with

      /etc/init.d/openvpn start

      check route
      "ip r s"
      and interface
      "ifconfig tun0"
      New wiki
      chat support at #openmediavault@freenode IRC | Spanish & English | GMT+10
      telegram.me/openmediavault broadcast channel
      openmediavault discord server
    • Hi,

      Thanks subzero79 for your quick feedback.
      In the meantime I also found a tutorial on the IPVanish web site (support.ipvanish.com/customer/…envpn-linux-command-line-).
      With all this information I was able to set up my VPN.
      Unfortunately, IPVanish VPN does not support port forwarding. Thus, once the VPN is activated on OMV, the server is no longer accessible from the web, but only from my LAN.
      As I mostly control the server from outside my home, this is not acceptable for me. In addition, if the VPN is activated I can no longer use FTP.
      The good point is that I did not pay for this VPN account (gift from my usenet provider).

      => For people who plan to set up a VPN on their OMV server, take care to choose a VPN that supports port forwarding, otherwise you will only have access to it from your LAN.
    • davr971 wrote:

      Thus, once the VPN is activated on OMV, the server is no longer accessible from the web, but only from my LAN.


      This is true because ipvanish (and any other provider) is gonna push redirect-gateway def1; you can already imagine what that directive does, and if you don't know, go and read the openvpn documentation.

      Any request to ssh on the normal WAN gateway is gonna get replied through the tun interface. What you need is to establish rules to redirect packets that come from your home gateway to where they come from.

      For this you need iptables rules (with fwmark probably), a secondary route table, and add some route-up route-down scripts in openvpn configuration file.

      For help on this you can get much more information at #networking, #Netfilter and #openvpn channels at IRC freenode.

      Some time ago I purchased some ipvanish months for testing. My goal was to establish an exclusive VPN gateway for the torrent application based on the daemon user (UID). Also, if openvpn was down, no connection was allowed from the torrent application. The current iptables ruleset is uploaded to github as a bash script. This might help you to get ideas.
    • Sorry for the late reply this is a simple solution that @davidh2k mentioned here some time ago to solve this issue

      echo "1 admin" >> /etc/iproute2/rt_tables
      ip route add 192.168.178.0/24 dev eth0 src 192.168.178.58 table admin
      ip route add default via 192.168.178.1 dev eth0 table admin
      ip rule add from 192.168.178.58/32 table admin
      ip rule add to 192.168.178.58/32 table admin


      This solves the problem that I mentioned before: incoming traffic through eth0 gets replied to through tun0, given the alteration to the route table that your openvpn provider pushes to forward all traffic through their gateway.

    • @davr971 I am the owner of the openvpn plugin. The plugin currently doesn't offer a client config option. I am working on that for a future release. For VPN providers like ipvanish, I will have to test connectivity and see if I can split the routing table to accept the LAN and WAN connections. For now, go with @subzero79 suggestion.
      ShadowZero -- OMV Fan since 0.3


    • Hi all,

      As I'm not an expert, I took time to have a look at @subzero79's and @shadowzero's suggestions.
      After some research about iptables I think I found something that could help bypassing the VPN with a few iptables rules.
      Actually, I found 2 web sites which explain how to develop a script to set up iptables properly at boot:
      linksysinfo.org/index.php?thre…hrough-vpn-openvpn.37240/
      forum.hidemyass.com/index.php/…websites-and-more-tomato/

      Then I have written one script for my personal needs:

      # First it is necessary to disable Reverse Path Filtering on all
      # current and future network interfaces:
      #
      for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
          echo 0 > $i
      done

      # Delete table 100 and flush any existing rules if they exist.
      #
      ip route flush table 100
      ip route del default table 100
      ip rule del fwmark 1 table 100
      ip route flush cache
      iptables -t mangle -F PREROUTING

      # Copy all non-default and non-VPN related routes from the main table into table 100.
      # Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
      #
      ip route show table main | grep -Ev ^default | grep -Ev "tun0" \
      | while read ROUTE ; do
          ip route add table 100 $ROUTE
      done
      # "nvram get wan_gateway" is Tomato-specific; on other systems substitute the WAN gateway address here.
      ip route add default table 100 via $(nvram get wan_gateway)
      ip rule add fwmark 1 table 100
      ip route flush cache

      # Default behavior: MARK = 1 all traffic bypasses VPN, MARK = 0 all traffic goes VPN
      # All traffic for Direct Download and Usenet goes into the VPN, all other bypasses the VPN
      # (br0 is Tomato's LAN bridge; on OMV the LAN interface is usually eth0.)
      iptables -t mangle -I PREROUTING -i br0 -p tcp -m multiport --dports 80,443,563 -j MARK --set-mark 0
      # multiport negation goes before the option: "! --dports", not "--dports !"
      iptables -t mangle -I PREROUTING -i br0 -p tcp -m multiport ! --dports 80,443,563 -j MARK --set-mark 1


      However, before breaking all my network interfaces, I would appreciate it if someone could have a look at this code.
      Actually, there are several open points for me:
      - In his previous comment @davidh2k talks about "table admin", but when looking on the web I mostly saw iptables with "table 100" (as in the above script) => What is the difference between these tables?
      - In my understanding "nvram get wan_gateway" is a Tomato command that provides the gateway address, but is there an equivalent on OMV?

      Again, thanks for helping

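A worked version of the "table admin" rules from the earlier post, which also shows the usual substitute for "nvram get wan_gateway" on OMV (added example, not code from the thread; the function names are hypothetical and the sample `ip route` output is constructed):

```shell
#!/bin/sh
# Rebuilds the "table admin" rule set, reading host address, LAN prefix and WAN
# gateway from `ip -4 route` output instead of hardcoding 192.168.178.x.
# redirect-gateway def1 adds 0.0.0.0/1 and 128.0.0.0/1 via tun0 but leaves the
# original "default via ..." route in place, so the WAN gateway stays visible.

# $1: text as printed by `ip -4 route show default`; prints "<gateway> <dev>",
# ignoring any default route that already points at tun0.
parse_default_route() {
  printf '%s\n' "$1" | awk '$1 == "default" {
    gw = ""; dev = ""
    for (i = 1; i <= NF; i++) { if ($i == "via") gw = $(i+1); if ($i == "dev") dev = $(i+1) }
    if (gw != "" && dev != "tun0") { print gw, dev; exit } }'
}

# $1: text as printed by `ip -4 route show dev eth0`; prints "<prefix> <host ip>"
parse_lan_route() {
  printf '%s\n' "$1" | awk '$1 ~ /\// {
    for (i = 1; i <= NF; i++) if ($i == "src") { print $1, $(i+1); exit } }'
}

# $1 LAN prefix, $2 host IP, $3 WAN gateway, $4 LAN interface.
# Prints idempotent commands (replace / grep-guarded) so re-running is safe.
policy_routing_commands() {
  cat <<EOF
grep -q '^1 admin\$' /etc/iproute2/rt_tables || echo "1 admin" >> /etc/iproute2/rt_tables
ip route replace $1 dev $4 src $2 table admin
ip route replace default via $3 dev $4 table admin
ip rule show | grep -q "from $2 lookup admin" || ip rule add from $2/32 table admin
ip rule show | grep -q "to $2 lookup admin" || ip rule add to $2/32 table admin
EOF
}

# Glue: $1 default-route text, $2 LAN-route text -> command list on stdout.
build_from_ip_output() {
  set -- "$(parse_default_route "$1")" "$(parse_lan_route "$2")"
  policy_routing_commands "${2%% *}" "${2##* }" "${1%% *}" "${1##* }"
}

# Constructed sample `ip` output for a dry run; `--apply` (as root) uses live output.
SAMPLE_DEFAULT='default via 192.168.178.1 dev eth0'
SAMPLE_LAN='192.168.178.0/24 proto kernel scope link src 192.168.178.58'
if [ "${1:-}" = "--apply" ]; then
  dev=$(parse_default_route "$(ip -4 route show default)" | cut -d' ' -f2)
  build_from_ip_output "$(ip -4 route show default)" "$(ip -4 route show dev "$dev")" | sh -e
else
  build_from_ip_output "$SAMPLE_DEFAULT" "$SAMPLE_LAN"
fi
```

Without `--apply` the script only prints the commands it would run, so the rule set can be reviewed before touching the routing tables.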

    • That's different from what you mentioned initially.
      The solution I presented was to solve the wrong route for incoming WAN requests in a simple way. In general this is out of the scope of OMV.

      What you want is called Linux routing policy; as I mentioned before, take a look at this for an example:

      github.com/subzero79/Openvpn-iptables

      That's routing done through process UID owner. If you need help with this again, I recommend the #netfilter and #openvpn channels.

      And also you're not going to break anything by testing: the iptables rules are flushed away on reboot if you don't have the iptables-persistent package installed.
    • davr971 wrote:

      what are the "#netfilter and #openvpn channel"?


      Those are irc chat channels at freenode irc servers.

      Another option I analysed back at the time is prebuilt docker container images that run only sabnzbd+openvpn (or torrent_client+openvpn) and close the exit gateway if the VPN goes down.

      Like this one registry.hub.docker.com/u/binhex/arch-sabnzbdvpn/

      or this one registry.hub.docker.com/u/binhex/arch-delugevpn/

      I tested the deluge one once, and it worked correctly.