Gentoo Forums
OpenVPN and tun device

mounty1 (l33t)
Joined: 06 Jul 2006
Posts: 792
Location: Queensland

Posted: Wed Sep 25, 2019 10:09 am    Post subject: OpenVPN and tun device

Hello, can't get this working. I've modprobed tun.

ls -l /dev/net/tun:
crw-rw-rw- 1 root root 10, 200 Sep 25 19:44 /dev/net/tun

so that is present. First I tried just relying on the system to create the device:

systemctl restart openvpn-client@NGV ; sleep 1 ; systemctl status openvpn-client@NGV:
● openvpn-client@NGV.service - OpenVPN tunnel for NGV
   Loaded: loaded (/lib/systemd/system/openvpn-client@.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2019-09-25 19:54:01 AEST; 921ms ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
  Process: 973914 ExecStart=/usr/sbin/openvpn --suppress-timestamps --script-security 2 --nobind --config NGV.conf (code=exited, status=1)
 Main PID: 973914 (code=exited, status=1)
   Status: "Pre-connection initialization successful"
      CPU: 17ms

Sep 25 19:54:01 ida openvpn[973914]: Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:393 ET:0 EL:3 ]
Sep 25 19:54:01 ida openvpn[973914]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysiz>
Sep 25 19:54:01 ida openvpn[973914]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth S>
Sep 25 19:54:01 ida openvpn[973914]: failed to find UID for user ngv\michael
Sep 25 19:54:01 ida openvpn[973914]: Exiting due to fatal error
Sep 25 19:54:01 ida openvpn[973914]: Closing TUN/TAP interface
Sep 25 19:54:01 ida openvpn[973914]: /etc/openvpn/down.sh tun0 1500 1544   init
Sep 25 19:54:01 ida openvpn[973914]: Unknown interface 'tun0': No such device
Sep 25 19:54:01 ida systemd[1]: openvpn-client@NGV.service: Main process exited, code=exited, status=1/n/a
Sep 25 19:54:01 ida systemd[1]: openvpn-client@NGV.service: Failed with result 'exit-code'.

so I tried

tunctl -u mounty -g users -t tun0:
Set 'tun0' persistent and owned by uid 573 gid 100

to force creation of the device but that didn't help much:

systemctl restart openvpn-client@NGV ; sleep 1 ; systemctl status openvpn-client@NGV:
● openvpn-client@NGV.service - OpenVPN tunnel for NGV
   Loaded: loaded (/lib/systemd/system/openvpn-client@.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2019-09-25 19:58:07 AEST; 737ms ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
  Process: 974132 ExecStart=/usr/sbin/openvpn --suppress-timestamps --script-security 2 --nobind --config NGV.conf (code=exited, status=1)
 Main PID: 974132 (code=exited, status=1)
   Status: "Pre-connection initialization successful"
      CPU: 10ms

Sep 25 19:58:07 ida openvpn[974132]: Incoming Static Key Encryption: HMAC KEY: 37900e14 f23225e4 7c5d4753 70c64e9c 9a43ab3a
Sep 25 19:58:07 ida openvpn[974132]: Incoming Static Key Encryption: HMAC size=20 block_size=20
Sep 25 19:58:07 ida openvpn[974132]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 44 bytes
Sep 25 19:58:07 ida openvpn[974132]: MTU DYNAMIC mtu=1450, flags=2, 1544 -> 1450
Sep 25 19:58:07 ida openvpn[974132]: GETADDRINFO flags=0x0901 ai_family=0 ai_socktype=2
Sep 25 19:58:07 ida openvpn[974132]: RESOLVE_REMOTE flags=0x0901 phase=1 rrs=0 sig=-1 status=0
Sep 25 19:58:07 ida openvpn[974132]: ERROR: Cannot ioctl TUNSETIFF tun0: Invalid argument (errno=22)
Sep 25 19:58:07 ida openvpn[974132]: Exiting due to fatal error
Sep 25 19:58:07 ida systemd[1]: openvpn-client@NGV.service: Main process exited, code=exited, status=1/n/a
Sep 25 19:58:07 ida systemd[1]: openvpn-client@NGV.service: Failed with result 'exit-code'.

My config looks like this:

cat NGV.conf:
dev tun0
dev-type tun
remote (redacted) 19209 udp
nobind
persist-tun
persist-key
verb 9
ping 10
ping-restart 60
server-poll-timeout 4
sndbuf 393216
rcvbuf 393216

# auth-user-pass /etc/openvpn/client/NGV/auth
user (redacted)
secret /etc/openvpn/client/NGV/static-key

up /etc/openvpn/up.sh
down /etc/openvpn/down.sh

The device certainly exists:

ifconfig tun0:
tun0: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 62:9a:0c:57:a9:36  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

So what is causing the above error? And am I right in thinking that I shouldn't have to create the device?
_________________
Michael Mounteney

Anon-E-moose (Advocate)
Joined: 23 May 2008
Posts: 4322
Location: Dallas area

Posted: Wed Sep 25, 2019 10:38 am

Code:
$ grep tun /etc/openvpn/openvpn.conf
dev tun
persist-tun


from my openvpn.conf

I don't think you should have tun0 in your config file, it will create it from /dev/net/tun directly.

Edit to add: and no you shouldn't have to or even try to create tun devices.
I don't use systemd so I can't speak to that aspect or whether it affects it.

ETA2: even though I reference tun in the config this is from the log file
Code:
 TUN/TAP device tun0 opened

_________________
Asus m5a99fx, FX 8320 - nouveau, oss4, rx550 for qemu passthrough
Acer laptop E5-575, i3-7100u - i965, alsa
---both---
5.0.13 zen kernel, profile 17.1 (no-pie & modified) amd64-no-multilib
gcc 8.2.0, eudev, openrc, openbox, palemoon

mounty1 (l33t)
Joined: 06 Jul 2006
Posts: 792
Location: Queensland

Posted: Wed Sep 25, 2019 10:57 am    Post subject: Different error

tun0 -> tun just changes the error. I also fixed the 'user' line in my config, and now

systemctl restart openvpn-client@NGV ; sleep 1 ; systemctl status openvpn-client@NGV:
● openvpn-client@NGV.service - OpenVPN tunnel for NGV
   Loaded: loaded (/lib/systemd/system/openvpn-client@.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2019-09-25 20:58:13 AEST; 1s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 976537 (openvpn)
   Status: "Pre-connection initialization successful"
      CPU: 12ms
   CGroup: /system.slice/system-openvpn\x2dclient.slice/openvpn-client@NGV.service
           └─976537 /usr/sbin/openvpn --suppress-timestamps --script-security 2 --nobind --config NGV.conf

Sep 25 20:58:13 ida openvpn[976537]: PO_CTL rwflags=0x0000 ev=3 arg=0x55c65aa5f7ec
Sep 25 20:58:13 ida openvpn[976537]: I/O WAIT Tr|Tw|SR|SW [1/110844]
Sep 25 20:58:13 ida openvpn[976537]: PO_WAIT[0,0] fd=4 rev=0x00000004 rwflags=0x0002 arg=0x55c65aa5fea8
Sep 25 20:58:13 ida openvpn[976537]:  event_wait returned 1
Sep 25 20:58:13 ida openvpn[976537]: I/O WAIT status=0x0002
Sep 25 20:58:13 ida openvpn[976537]: UDP WRITE [60] to [AF_INET]139.130.85.54:19209:  DATA 56a418db 7f808965 ab5d34ff 038d2b4f d81be851 0fc1afe7 d4ec0c55 >
Sep 25 20:58:13 ida openvpn[976537]: UDP write returned 60
Sep 25 20:58:13 ida openvpn[976537]: PO_CTL rwflags=0x0001 ev=4 arg=0x55c65aa5fea8
Sep 25 20:58:13 ida openvpn[976537]: PO_CTL rwflags=0x0001 ev=3 arg=0x55c65aa5f7ec
Sep 25 20:58:13 ida openvpn[976537]: I/O WAIT TR|Tw|SR|Sw [1/110844]

However:

ifconfig -a:
...
tun0: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 62:9a:0c:57:a9:36  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun1: flags=4240<POINTOPOINT,NOARP,MULTICAST>  mtu 1500
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
...

so no IP address. One thing wrong is that nowhere am I supplying the username and password I've been given. What am I missing? If I add the line auth-user-pass /etc/openvpn/client/NGV/auth to the config, when I restart the service it complains, "Options error: --auth-user-pass requires --pull", but if I add the line pull to the config, restart complains, "Options error: Parameter --pull can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified." And I don't have a CA file etc. so can't go down that route.

BTW, the server is of type PPTP.
_________________
Michael Mounteney


Last edited by mounty1 on Wed Sep 25, 2019 11:13 am; edited 1 time in total
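
Added example, not part of the thread and not OpenVPN's own code: a small Python check for the option dependencies behind the two "Options error" messages above (auth-user-pass needs pull, pull needs TLS mode, secret excludes TLS mode). It also flags the fixed `dev tun0` name from the first post, the missing cipher and the verb 9 key logging visible in the posted journal; the sample config, the placeholder remote host and the `KEY_DEBUG_VERB` threshold are assumptions.

```python
# Constructed sample: the static-key client config from the first post with the
# two lines the poster later tried adding; the remote host is a placeholder.
SAMPLE = """\
dev tun0
dev-type tun
remote vpn.example.invalid 19209 udp
verb 9
secret /etc/openvpn/client/NGV/static-key
auth-user-pass /etc/openvpn/client/NGV/auth
pull
"""

TLS_MODE = {"client", "tls-client", "tls-server"}
KEY_DEBUG_VERB = 7  # assumption: verbosity at which key material reaches the log

def parse(text):
    """Map each option to its argument list, skipping '#' and ';' comment lines."""
    opts = {}
    for raw in text.splitlines():
        words = raw.split()
        if words and words[0][0] not in "#;":
            opts[words[0].lstrip("-")] = words[1:]
    return opts

def lint(text):
    """Return findings for the option conflicts discussed in the thread."""
    o = parse(text)
    tls = bool(TLS_MODE & o.keys())
    pull = "pull" in o or "client" in o  # 'client' implies pull + tls-client
    out = []
    if "auth-user-pass" in o and not pull:
        out.append("auth-user-pass requires pull")
    if pull and not tls:
        out.append("pull requires TLS mode (tls-client or tls-server)")
    if "secret" in o and tls:
        out.append("secret (static key) and TLS mode are mutually exclusive")
    if "secret" in o and "cipher" not in o:
        out.append("no cipher set: this setup fell back to BF-CBC in the log")
    verb = (o.get("verb") or ["1"])[0]
    if int(verb) >= KEY_DEBUG_VERB:
        out.append("verb %s writes key material to the journal" % verb)
    dev = (o.get("dev") or [""])[0]
    if dev[:3] in ("tun", "tap") and dev[3:].isdigit():
        out.append("dev %s pins the name; an existing %s is reused" % (dev, dev))
    return out

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print("-", finding)
```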

Anon-E-moose (Advocate)
Joined: 23 May 2008
Posts: 4322
Location: Dallas area

Posted: Wed Sep 25, 2019 11:10 am

For my remote line I just have the IP/name and port number, nothing after, but I use proto udp so that it works.

I don't use sndbuf/rcvbuf

I modified the openvpn script that was provided by my vpn server; that way I use the things they expect: cipher, auth, etc.

I'll post my script anyway, maybe it will help.

Code:
client
dev tun
proto udp
remote <vpn name> <vpn port #>
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
#auth-user-pass
auth-user-pass /etc/openvpn/openvpn.up
#comp-lzo
compress
verb 1
reneg-sec 0
crl-verify crl.pem
ca ca.crt
#disable occ

# partial network vpn - bittorrent
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-down-root.so "/etc/openvpn/openvpn.route.down"
route-up "/etc/openvpn/openvpn.route.up"
# full network vpn
#plugin /usr/lib64/openvpn/plugins/openvpn-plugin-down-root.so "/etc/openvpn/openvpn.rte.down"
#route-up "/etc/openvpn/openvpn.rte.up"

route-delay 2
route-noexec
log-append /var/log/openvpn/openvpn.log

user openvpn
group openvpn


Edit to add: the ca file should be provided by the server end.

mounty1 (l33t)
Joined: 06 Jul 2006
Posts: 792
Location: Queensland

Posted: Wed Sep 25, 2019 11:15 am

My sysadmin doesn't know Linux but he assures me that a CA file is not required.
_________________
Michael Mounteney

Anon-E-moose (Advocate)
Joined: 23 May 2008
Posts: 4322
Location: Dallas area

Posted: Wed Sep 25, 2019 11:51 am

I don't know if it's needed but I do know it would be provided by the server end if used.

https://openvpn.net/community-resources/how-to/ might have more info for you

mike155 (Veteran)
Joined: 17 Sep 2010
Posts: 1684
Location: Frankfurt, Germany

Posted: Wed Sep 25, 2019 11:59 am

Are you sure that OpenVPN is the right tool? Does your provider recommend OpenVPN? Does he provide a sample configuration file or a howto/tutorial?

Anon-E-moose (Advocate)
Joined: 23 May 2008
Posts: 4322
Location: Dallas area

Posted: Wed Sep 25, 2019 12:24 pm

There is pptpclient in the Gentoo repo (although not too sure if it will work for you)
I'm not sure that openvpn will ever work with a pptp server

Edit to add: https://wiki.archlinux.org/index.php/PPTP_Client
http://pptpclient.sourceforge.net/