Raspberry+OpenVPN+PureVPN = mission impossible?

This forum is for general conversation and user-user networking.

Moderators: TinCanTech

Locked
andreaconsole
OpenVpn Newbie
Posts: 1
Joined: Thu Nov 26, 2015 6:00 pm

Raspberry+OpenVPN+PureVPN = mission impossible?

Post by andreaconsole » Thu Nov 26, 2015 6:36 pm

Good afternoon,
For a month I've been struggling with this configuration and the help desk of PureVPN seems unable to find a solution. Thus, as a last resort, I would like to ask the real experts of OpenVPN.

I have a Raspberry Pi B, and I would like to use it to give my smart TV an internet connection through a VPN. The Raspberry is connected via wifi to my router, and when it works it will be connected via UTP to the smart TV.
I installed the latest version of OpenVPN available on Raspbian. Everything is updated through the repositories.

I tried these two configurations, for TCP and UDP, with the following results:

Code:

client
dev tun
proto tcp
push "dhcp-option DNS 8.8.8.8"
remote it1.purevpn.net 80
nobind
persist-key
persist-tun
cipher AES-256-CBC
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
[omissis]
-----END CERTIFICATE-----


</ca>

# 
# 2048 bit OpenVPN static key 
# 
<tls-auth>
-----BEGIN OpenVPN Static key V1----- 
[omissis]
-----END OpenVPN Static key V1-----

</tls-auth>
key-direction 1

verb 1
mute 20
float
route-delay 2
auth-user-pass pass.txt
auth-retry interact
ifconfig-nowarn

This is the console output:

Code:

connect to [AF_INET]188.72.109.130:80 failed, will try again in 5 seconds: connection timed out

UDP:

Code:

client
dev tun
push "dhcp-option DNS 8.8.8.8"
remote it-po-ovpn-udp.pointtoserver.com 53
proto udp
nobind
persist-key
persist-tun
cipher AES-256-CBC
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
[omissis]
-----END CERTIFICATE-----
</ca>

# 
# 2048 bit OpenVPN static key 
# 
<tls-auth>
-----BEGIN OpenVPN Static key V1----- 
[omissis]
-----END OpenVPN Static key V1-----

</tls-auth>
key-direction 1

verb 1
mute 20
route-method exe
route-delay 2
auth-user-pass pass.txt
auth-retry interact
explicit-exit-notify 2
ifconfig-nowarn

This is the console output:

Code:

SIOCADDRT: Network is unreachable
ERROR: Linux route add command failed: external program exited with error status: 7

Can you give me some hint?

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Raspberry+OpenVPN+PureVPN = mission impossible?

Post by Traffic » Fri Dec 04, 2015 2:28 pm

Does your Pi connect to purevpn ?

stellafin
OpenVpn Newbie
Posts: 1
Joined: Thu Dec 15, 2016 11:09 am

Re: Raspberry+OpenVPN+PureVPN = mission impossible?

Post by stellafin » Thu Dec 15, 2016 11:10 am

Hi,

I didn't know much about these protocols but I read the relevant post on Makezine. Search for it on Makezine and you will get the solution for sure.

Thanks

SomeGuy
OpenVPN Power User
Posts: 64
Joined: Sat Dec 17, 2016 1:58 am

Re: Raspberry+OpenVPN+PureVPN = mission impossible?

Post by SomeGuy » Sun Dec 18, 2016 11:32 am

Error when trying conf 1:

Code:

connect to [AF_INET]188.72.109.130:80 failed, will try again in 5 seconds: connection timed out

Error when trying conf 2:

Code:

SIOCADDRT: Network is unreachable
ERROR: Linux route add command failed: external program exited with error status: 7

In both cases, networking issues. In the first, lack of complaint of routing suggests routing may be working, but host is not listening to port 80 for vpn service, or is dropping your packets to it, or there is a firewall/filter between you and the host dropping traffic. In the second case, there is evidence of a routing issue, like network connection through your gateway is down, or issues with routing table.

Next, why do you have a "push" directive in your client configs? Are you sure you want to do that?

Code:

push "dhcp-option DNS 8.8.8.8"

In the second config, what are you trying to do with this?

Code:

route-method exe

IIRC, this "route-method" is just for Windows, not for Linux. If you are using Raspbian to run your OpenVPN client, this probably won't work as expected, and is probably related to the routing issue with the second config.

Next, between the two configs, why are two different host names used?
conf1: it1.purevpn.net (Resolved: 172.111.180.129 178.170.144.84 172.111.181.2 188.72.109.125 172.111.145.130 172.111.137.93 188.72.109.187 104.250.172.222 172.111.137.223 172.111.180.2 188.72.109.61 172.111.145.2 104.250.172.93 188.72.109.253)
conf2: it-po-ovpn-udp.pointtoserver.com (Resolved: 172.111.144.2 46.243.139.5)

They seem unrelated. Are you sure you mean to use it-po-ovpn-udp.pointtoserver.com as your server in your second config?

Are you trying to force a connection to a single IP/host for service out of the many that are returned when looking up it1.purevpn.net ?

Suggesting some changes, combine the configs into one, assuming it-po-ovpn-udp.pointtoserver.com in the second config was meant to be it1.purevpn.net , dropping the push for DNS in client from both, and the windows routing config in the second from a box running Raspbian:

Code:

client
dev tun
remote it1.purevpn.net 80 tcp
remote it1.purevpn.net 53 udp
nobind
persist-key
persist-tun
cipher AES-256-CBC
comp-lzo
verb 1
mute 20
float
route-delay 2
auth-user-pass pass.txt
auth-retry interact
ifconfig-nowarn
key-direction 1
<ca>
[chop: replace with encoded ca]
</ca>
<tls-auth>
[chop: replace with encoded tls auth]
</tls-auth>

With the above, it should try the first "remote" and then if that fails, try the next "remote".

Do they (PureVPN) really ask you to use a config without a <cert> or <key> in your client config to validate you are really being you?

In the first case, if that name is correct for their TCP/80-based service that claims to work with OpenVPN, and there are no routing issues, then the next guess would be a filtering device between you and them, dropping packets. Maybe layer-7 filter blocking traffic that does not conform to HTTP when using standard TCP port for HTTP. There are many possible reasons for traffic to not reach a host on a port.

willieaames
OpenVpn Newbie
Posts: 13
Joined: Tue Dec 20, 2016 6:45 am

Re: Raspberry+OpenVPN+PureVPN = mission impossible?

Post by willieaames » Mon Dec 26, 2016 12:52 pm

If you do

Code:

service openvpn restart

it resets fine, but this is a hassle as you have to ssh in.

paul34949
OpenVpn Newbie
Posts: 5
Joined: Fri Nov 25, 2016 5:20 pm

Re: Raspberry+OpenVPN+PureVPN = mission impossible?

Post by paul34949 » Sun Feb 12, 2017 1:41 am

For many weeks I've been trying to get openvpn working with PureVPN. Their tech support has been poor and generally unresponsive and what little "instruction" they did offer had many errors that even I in my ignorance could see. Before I dump PureVPN I'm posting here to see if you experts can get me over the hump. I created an .ovpn file with the same commands SomeGuy used:

Code:

client
dev tun
remote usil1-ovpn-udp.pointtoserver.com 53 udp
nobind
persist-key
persist-tun
cipher AES-256-CBC
comp-lzo
verb 1
mute 20
float  
route-delay 2
auth-user-pass /etc/openvpn/pass.txt
auth-retry interact
ifconfig-nowarn
key-direction 1
ca /etc/openvpn/ca.crt
tls-auth /etc/openvpn/Wdc.key 1

I run openvpn passing it this .ovpn file and I get the following messages from openvpn:

Code:

Sat Feb 11 20:13:51 2017 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 19 2015
Sat Feb 11 20:13:51 2017 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Sat Feb 11 20:13:51 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Feb 11 20:13:51 2017 Control Channel Authentication: using '/etc/openvpn/Wdc.key' as a OpenVPN static key file
Sat Feb 11 20:13:51 2017 UDPv4 link local: [undef]
Sat Feb 11 20:13:51 2017 UDPv4 link remote: [AF_INET]45.74.57.3:53
Sat Feb 11 20:13:51 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Feb 11 20:13:54 2017 [PureVPN] Peer Connection Initiated with [AF_INET]45.74.57.3:53
Sat Feb 11 20:13:56 2017 TUN/TAP device tun0 opened
Sat Feb 11 20:13:56 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Feb 11 20:13:56 2017 /sbin/ip link set dev tun0 up mtu 1500
Sat Feb 11 20:13:56 2017 /sbin/ip addr add dev tun0 45.74.57.134/26 broadcast 45.74.57.191
Sat Feb 11 20:13:59 2017 Initialization Sequence Completed

I use 'dig' to get my IP address but it reports an error:

Code:

osmc@osmc:~$ dig +short myip.opendns.com @resolver1.opendns.com
;; connection timed out; no servers could be reached

Do you see anything obviously wrong with what I've done? Any suggestions would be appreciated. Thanks.

paul34949
OpenVpn Newbie
Posts: 5
Joined: Fri Nov 25, 2016 5:20 pm

Re: Raspberry+OpenVPN+PureVPN = mission impossible?

Post by paul34949 » Sun Feb 12, 2017 2:19 am

Just a brief postscript: After the initialization messages, openvpn loops repeating messages like the following:

Code:

Sat Feb 11 20:16:06 2017 [PureVPN] Inactivity timeout (--ping-restart), restarting
Sat Feb 11 20:16:06 2017 SIGUSR1[soft,ping-restart] received, process restarting
Sat Feb 11 20:16:08 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Feb 11 20:16:08 2017 UDPv4 link local: [undef]
Sat Feb 11 20:16:08 2017 UDPv4 link remote: [AF_INET]45.74.40.2:53
Sat Feb 11 20:17:08 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Feb 11 20:17:08 2017 TLS Error: TLS handshake failed
Sat Feb 11 20:17:08 2017 SIGUSR1[soft,tls-error] received, process restarting
Sat Feb 11 20:17:10 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Feb 11 20:17:10 2017 UDPv4 link local: [undef]
Sat Feb 11 20:17:10 2017 UDPv4 link remote: [AF_INET]45.74.40.2:53
Sat Feb 11 20:18:10 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Feb 11 20:18:10 2017 TLS Error: TLS handshake failed
Sat Feb 11 20:18:10 2017 SIGUSR1[soft,tls-error] received, process restarting
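
Added example (not part of the posts above, and not OpenVPN project code): a short Python pass over the log lines posted above that groups them into connection attempts and records which remote each one used, whether it reached "Initialization Sequence Completed", and which restart reason ended it. The function and field names are made up for this illustration; the log lines are excerpted from the two posts.

```python
import re
from datetime import datetime

# Log lines excerpted from the two posts above (timestamps as posted).
SAMPLE_LOG = """\
Sat Feb 11 20:13:51 2017 UDPv4 link remote: [AF_INET]45.74.57.3:53
Sat Feb 11 20:13:54 2017 [PureVPN] Peer Connection Initiated with [AF_INET]45.74.57.3:53
Sat Feb 11 20:13:59 2017 Initialization Sequence Completed
Sat Feb 11 20:16:06 2017 [PureVPN] Inactivity timeout (--ping-restart), restarting
Sat Feb 11 20:16:06 2017 SIGUSR1[soft,ping-restart] received, process restarting
Sat Feb 11 20:16:08 2017 UDPv4 link remote: [AF_INET]45.74.40.2:53
Sat Feb 11 20:17:08 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Feb 11 20:17:08 2017 TLS Error: TLS handshake failed
Sat Feb 11 20:17:08 2017 SIGUSR1[soft,tls-error] received, process restarting
Sat Feb 11 20:17:10 2017 UDPv4 link remote: [AF_INET]45.74.40.2:53
Sat Feb 11 20:18:10 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Feb 11 20:18:10 2017 TLS Error: TLS handshake failed
Sat Feb 11 20:18:10 2017 SIGUSR1[soft,tls-error] received, process restarting
"""

LINE = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (.*)$")
REMOTE = re.compile(r"link remote: \[AF_INET\]([\d.]+):(\d+)")
RESTART = re.compile(r"SIGUSR1\[soft,([\w-]+)\]")

def summarize(log):
    """Split a client log into connection attempts and report how each ended."""
    attempts, cur = [], None
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        msg = m.group(2)
        if (r := REMOTE.search(msg)):      # a "link remote" line opens a new attempt
            cur = {"remote": r.group(1), "port": int(r.group(2)), "start": ts,
                   "up": False, "end": None, "seconds": None}
            attempts.append(cur)
        elif cur and "Initialization Sequence Completed" in msg:
            cur["up"] = True
        elif cur and (r := RESTART.search(msg)):   # soft restart closes the attempt
            cur["end"] = r.group(1)
            cur["seconds"] = int((ts - cur["start"]).total_seconds())
    return attempts
```

On the posted lines it reports one attempt to 45.74.57.3 that initialized and ended in ping-restart after 135 seconds, then two attempts to 45.74.40.2 that each ended in tls-error after 60 seconds.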

paul34949
OpenVpn Newbie
Posts: 5
Joined: Fri Nov 25, 2016 5:20 pm

Re: Raspberry+OpenVPN+PureVPN = mission impossible?

Post by paul34949 » Tue Feb 14, 2017 3:12 am

Just wondering if anybody reads this forum. Is this the best place for advice on openvpn installation?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Raspberry+OpenVPN+PureVPN = mission impossible?

Post by TinCanTech » Tue Feb 14, 2017 1:25 pm

paul34949 wrote:For many weeks I've been trying to get openvpn working with PureVPN.
<snip>
I created an .ovpn file with the same commands SomeGuy used
Why ?

The only config you can use is PureVPN's client config ..

otherwise you may as well be throwing darts at balloons while wearing a blindfold.

:roll:

paul34949
OpenVpn Newbie
Posts: 5
Joined: Fri Nov 25, 2016 5:20 pm

Re: Raspberry+OpenVPN+PureVPN = mission impossible?

Post by paul34949 » Tue Feb 14, 2017 4:25 pm

TinCan, I have to disagree with you. Anyone can create a configuration file, and, in fact, I did eventually create one that worked with PureVPN. The ones supplied by PureVPN are outdated and in some cases are patently wrong. Yes, it's a little bit like throwing darts at balloons wearing a blindfold, but I gradually learned enough about openVPN to create a configuration file that worked.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Raspberry+OpenVPN+PureVPN = mission impossible?

Post by TinCanTech » Tue Feb 14, 2017 4:40 pm

paul34949 wrote:The ones supplied by PureVPN are outdated and in some cases are patently wrong
I will simply take your word on that ..

If a VPN Provider cannot provide correct client config files for its customers then I wonder what else it does wrong.

I would not trust them with my privacy if they cannot manage their own affairs.

But that is only speculation due to your unfounded claims ... :twisted:

paul34949
OpenVpn Newbie
Posts: 5
Joined: Fri Nov 25, 2016 5:20 pm

Re: Raspberry+OpenVPN+PureVPN = mission impossible?

Post by paul34949 » Tue Feb 14, 2017 5:43 pm

Perhaps I can help you. Tell me about your problem.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Raspberry+OpenVPN+PureVPN = mission impossible?

Post by TinCanTech » Tue Feb 14, 2017 6:56 pm

ho hum ..
paul34949 wrote:For many weeks I've been trying to get openvpn working with PureVPN. Their tech support has been poor and generally unresponsive and what little "instruction" they did offer had many errors that even I in my ignorance could see. Before I dump PureVPN I'm posting here to see if you experts can get me over the hump. I created an .ovpn file with the same commands SomeGuy used:

Code:

client
dev tun
remote usil1-ovpn-udp.pointtoserver.com 53 udp
nobind
persist-key
persist-tun
cipher AES-256-CBC
comp-lzo
verb 1
mute 20
float  
route-delay 2
auth-user-pass /etc/openvpn/pass.txt
auth-retry interact
ifconfig-nowarn
key-direction 1
ca /etc/openvpn/ca.crt
tls-auth /etc/openvpn/Wdc.key 1

Use verb 4

paul34949 wrote:I run openvpn passing it this .ovpn file and I get the following messages from openvpn:

Code:

Sat Feb 11 20:13:51 2017 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 19 2015
Sat Feb 11 20:13:51 2017 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Sat Feb 11 20:13:51 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Feb 11 20:13:51 2017 Control Channel Authentication: using '/etc/openvpn/Wdc.key' as a OpenVPN static key file
Sat Feb 11 20:13:51 2017 UDPv4 link local: [undef]
Sat Feb 11 20:13:51 2017 UDPv4 link remote: [AF_INET]45.74.57.3:53
Sat Feb 11 20:13:51 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Feb 11 20:13:54 2017 [PureVPN] Peer Connection Initiated with [AF_INET]45.74.57.3:53
Sat Feb 11 20:13:56 2017 TUN/TAP device tun0 opened
Sat Feb 11 20:13:56 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Feb 11 20:13:56 2017 /sbin/ip link set dev tun0 up mtu 1500
Sat Feb 11 20:13:56 2017 /sbin/ip addr add dev tun0 45.74.57.134/26 broadcast 45.74.57.191
Sat Feb 11 20:13:59 2017 Initialization Sequence Completed

I use 'dig' to get my IP address but it reports an error:

Code:

osmc@osmc:~$ dig +short myip.opendns.com @resolver1.opendns.com
;; connection timed out; no servers could be reached

Do you see anything obviously wrong with what I've done? Any suggestions would be appreciated. Thanks.

paul34949 wrote:Just a brief postscript: After the initialization messages, openvpn loops repeating messages like the following:

Code:

Sat Feb 11 20:16:06 2017 [PureVPN] Inactivity timeout (--ping-restart), restarting
Sat Feb 11 20:16:06 2017 SIGUSR1[soft,ping-restart] received, process restarting
Sat Feb 11 20:16:08 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Feb 11 20:16:08 2017 UDPv4 link local: [undef]
Sat Feb 11 20:16:08 2017 UDPv4 link remote: [AF_INET]45.74.40.2:53
Sat Feb 11 20:17:08 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Feb 11 20:17:08 2017 TLS Error: TLS handshake failed
Sat Feb 11 20:17:08 2017 SIGUSR1[soft,tls-error] received, process restarting
Sat Feb 11 20:17:10 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Feb 11 20:17:10 2017 UDPv4 link local: [undef]
Sat Feb 11 20:17:10 2017 UDPv4 link remote: [AF_INET]45.74.40.2:53
Sat Feb 11 20:18:10 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Feb 11 20:18:10 2017 TLS Error: TLS handshake failed
Sat Feb 11 20:18:10 2017 SIGUSR1[soft,tls-error] received, process restarting

Lock out

paul34949 wrote: I have to disagree with you. Anyone can create a configuration file, and, in fact, I did eventually create one that worked with PureVPN. The ones supplied by PureVPN are outdated and in some cases are patently wrong
I have to disagree with you ..

paul34949 wrote:Perhaps I can help you. Tell me about your problem.
Your above nonsense ..

Also, you are hijacking this thread.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Raspberry+OpenVPN+PureVPN = mission impossible?

Post by TinCanTech » Wed Feb 15, 2017 12:40 pm

andreaconsole wrote:Can you give me some hint?
Do not use --ifconfig-nowarn .. otherwise you will not be made aware of certain errors.
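
Added example (not from any poster, PureVPN or the OpenVPN project): a small Python check that flags, in a client .ovpn, the items raised in this thread: "push" in a client config, "route-method", "ifconfig-nowarn", the two log WARNINGs (server certificate verification, auth-nocache), and "verb" below 4. The sample is a shortened copy of the UDP config from the first post; the function names and the set of directives treated as server verification are assumptions of this sketch.

```python
import re

# Shortened copy of the UDP config from the first post (certificate body elided).
SAMPLE = """\
client
push "dhcp-option DNS 8.8.8.8"
remote it-po-ovpn-udp.pointtoserver.com 53
<ca>
[omissis]
</ca>
verb 1
route-method exe
auth-user-pass pass.txt
ifconfig-nowarn
"""

# Assumption: any one of these directives counts as a server certificate check.
SERVER_VERIFY = {"remote-cert-tls", "verify-x509-name", "ns-cert-type", "tls-verify"}

def parse(text):
    """Map directive -> list of argument lists, skipping inline <tag> bodies."""
    opts, inline = {}, None
    for line in map(str.strip, text.splitlines()):
        if inline:  # inside <ca>...</ca> and similar: ignore until the close tag
            inline = None if line == f"</{inline}>" else inline
        elif (m := re.fullmatch(r"<([\w-]+)>", line)):
            inline = m.group(1)
        elif line and line[0] not in "#;":
            name, *args = line.split()
            opts.setdefault(name, []).append(args)
    return opts

def audit(text):
    """Return findings for the client-config issues raised in this thread."""
    o, out = parse(text), []
    if "client" in o and "push" in o:
        out.append("push: server-side directive in a client config")
    if "route-method" in o:
        out.append("route-method: Windows-only option")
    if "ifconfig-nowarn" in o:
        out.append("ifconfig-nowarn: suppresses ifconfig consistency warnings")
    if SERVER_VERIFY.isdisjoint(o):
        out.append("no server certificate verification directive")
    if "auth-user-pass" in o and "auth-nocache" not in o:
        out.append("auth-user-pass without auth-nocache")
    verb = int((o.get("verb") or [["1"]])[-1][0])  # OpenVPN's default verb is 1
    if verb < 4:
        out.append(f"verb {verb}: use verb 4 while troubleshooting")
    return out
```

Whether "remote-cert-tls server" is accepted depends on how the provider issued its server certificate, which the thread does not say.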
