Installation tips for installation of OpenVpn on YunoHost

Hi
The default OpenVPN package for YunoHost is not working. There is a package sshuttle, which makes a tunnel between the client and the server through SSH, but it cannot be used on Android or a mobile device.

Can someone give a tutorial on how to configure OpenVPN with YunoHost ? LDAP authentication is not a priority as I don’t want other users to have this OpenVPN access because of bandwidth limitation.

Thanks

Hi, I don’t have time to do a real tutorial but here are some tips :slight_smile:

  1. Uninstall OpenVPN and remove any subdomain certificate if any.
    You have to start from scratch !

  2. Create a subdomain on your registrar : e.g.
    vpn.domain.tld with CNAME redirection to Yunohost

  3. Create this domain on the admin interface of your Yunohost instance
    DO NOT INSTALL Let’s Encrypt certificate yet

  4. Copy all files in /etc/yunohost/certs/vpn.domain.tld to a new folder, e.g.
    /etc/yunohost/certs/vpn.domain.tld.Autosign

  5. Install Let’s Encrypt certificate on your vpn.domain.tld via Yunohost admin interface

  6. Install OpenVPN package via Yunohost admin interface

  7. Check if “tun” mode works
    lsmod | grep tun

  8. If not, you can execute this line then reboot
    modprobe tun

  9. Find the name of your interface with this command (it can be something like eth0 or vnet0)
    ifconfig

  10. Execute this command (according to your interface name)
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

  11. Find your dh.pem from /etc/yunohost/certs/vpn.domain.tld and copy it to /etc/yunohost/certs/vpn.domain.tld.Autosign

  12. Modify the configuration file
    sudo nano /etc/openvpn/yunohost.conf

  13. Change the folder indicated on those lines :

ca /etc/yunohost/certs/vpn.domain.tld.Autosign/ca.pem
cert /etc/yunohost/certs/vpn.domain.tld.Autosign/crt.pem
key /etc/yunohost/certs/vpn.domain.tld.Autosign/key.pem
dh /etc/yunohost/certs/vpn.domain.tld.Autosign/dh.pem

  14. Stop OpenVPN service
    yunohost service stop openvpn

  15. :sweat_smile: Now your VPN should normally work !
    But we need first to test it

  16. Start the server manually. It should say something like initialization sequence complete
    sudo openvpn --config /etc/openvpn/yunohost.conf

  17. Open another terminal window and try to launch a client. Normally it will ask you for your Yunohost credentials, and if you return to your first terminal window, you should see a lot of lines basically saying that there is a kind of connection between both
    sudo openvpn /var/www/openvpn/vpn.domain.tld.ovpn

  18. If everything looks good, you can stop both commands with ^C

  19. Then start OpenVPN service
    yunohost service start openvpn

  20. You can now go to vpn.domain.tld then download the .ovpn and launch it from a normal client (on your Windows, Mac, iPhone, Android…). It should connect !

  21. Bonus 1 : if you are in China like me and the UDP protocol is blocked on port 1194, no problem, you just need to update both files accordingly (I’m using port 8080 with the UDP protocol, works fantastic)

/etc/openvpn/yunohost.conf
/var/www/openvpn/vpn.domain.tld.ovpn

  22. Bonus 2 : if you are in China like me and the main benefit from your VPN is to use the internet access of your remote server or VPS, here is the trick. You just need to add these lines to your /etc/openvpn/yunohost.conf file :

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 8.8.8.8"

  23. Bonus 3 : if you are using an iPhone like me, I’ve found that you may need to remove the two dashes "--" before "auth-user-pass" in the .ovpn file. This line seems to be not consistent with the Tunnelblick client for Mac, for example. This is why I use two different .ovpn files, depending on the client. One with and another without the dashes.

Hope it helps, I’ve spent so many hours to get mine working…
(To get a bit more challenge, of course China is blocking nearly all openvpn forums and discussions on the net…)

3 Likes

Hi @Limezy

Thanks for the wonderful tutorial. I will try it today.

Regarding point 16, you can check if the tun interface was opened in a new terminal window with the command ifconfig
Regarding Bonus 1, don’t forget to open the right port with the right protocol on your Yunohost firewall!

I tried it as described by you but I am unable to connect.
Here is the error log of the server:

Mon Oct 30 01:18:26 2017 XXXXXXX:20629 TLS: Initial packet from [AF_INET]XXXXXXXX:20629, sid=dce6fd25 aa2d1aa8
Mon Oct 30 01:18:26 2017 XXXXXXX:20629 TLS_ERROR: BIO read tls_read_plaintext error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Mon Oct 30 01:18:26 2017 XXXXXXX:20629 TLS Error: TLS object -> incoming plaintext read error
Mon Oct 30 01:18:26 2017 XXXXXXX:20629 TLS Error: TLS handshake failed
Mon Oct 30 01:18:26 2017 XXXXXXX:20629 SIGUSR1[soft,tls-error] received, client-instance restarting

Here is the client side log:

Mon Oct 30 01:18:25 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Oct 30 01:18:25 2017 Control Channel Authentication: tls-auth using INLINE static key file
Mon Oct 30 01:18:25 2017 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Oct 30 01:18:25 2017 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Oct 30 01:18:25 2017 Socket Buffers: R=[212992->131072] S=[212992->131072]
Mon Oct 30 01:18:25 2017 UDPv4 link local: [undef]
Mon Oct 30 01:18:25 2017 UDPv4 link remote: [AF_INET]XXXXXXXXX:1194
Mon Oct 30 01:18:25 2017 TLS: Initial packet from [AF_INET]XXXXXXXXXX:1194, sid=971664d9 afef68bd
Mon Oct 30 01:18:25 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Oct 30 01:19:25 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Oct 30 01:19:25 2017 TLS Error: TLS handshake failed
Mon Oct 30 01:19:25 2017 SIGUSR1[soft,tls-error] received, process restarting
Mon Oct 30 01:19:25 2017 Restart pause, 2 second(s)
Mon Oct 30 01:19:27 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Oct 30 01:19:27 2017 Socket Buffers: R=[212992->131072] S=[212992->131072]
Mon Oct 30 01:19:27 2017 UDPv4 link local: [undef]
Mon Oct 30 01:19:27 2017 UDPv4 link remote: [AF_INET]XXXXXXXXXX:1194
^CMon Oct 30 01:19:48 2017 event_wait : Interrupted system call (code=4)
Mon Oct 30 01:19:48 2017 SIGINT[hard,] received, process exiting
1 Like

After updating my client to latest version it works.

1 Like

Sadly I don’t think I have the competence to update the OpenVPN package according to my tutorial. It shouldn’t be so complicated, I need to dig into the Yunohost packaging documentation.

But I still have a strange problem. When I connect to the VPN I cannot access my server page, and on disconnecting the VPN I still cannot ping the server. The server needs to restart to get accessible again.

Secondly, the VPN does not work for IPv6.

Can you give more information about your setup ?
Is your Yunohost instance at home ? On a hosted VPS ?
I just checked, I can perfectly access my Yunohost behind my VPN.

My instance is hosted on a DigitalOcean VPS.

What’s your interest in using this VPN?
Is it to securely access and transmit information to your Yunohost instance or to access the internet via your VPS network ? Did you try to use different OpenVPN clients ? Can you access other websites than your Yunohost ? Did you put those lines in your configuration file ? Did you try to read the OpenVPN logs ?

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 8.8.8.8"

For your information, my Yunohost is on an OVH “SSD1” VPS in the Strasbourg Data Center.
It’s working incredibly well, I can even watch HD Youtube videos or make WhatsApp video calls from Shanghai !
Let’s try to debug yours :spy:

I can watch videos and surf the internet after connecting to the VPN. But the problem is I get errors while opening my YunoHost login page or any app on the server; trying to ssh to the server I get ssh: connect to host domian.tld port 22: No route to host, and connecting to the mail server shows a certificate error too.

After I disconnect I cannot ping my server or reconnect to the VPN because the server becomes unavailable for my network. I have to restart the server through the DigitalOcean web console because ssh to the server is not possible.

There are a lot of similar topics on the internet but I am unable to find a solution. The problem is I have to restart the server after each test through the web interface of DigitalOcean, which is time consuming and risky for the server.

Did you manage to find a solution to your problem ?

Not yet. I tried a few of the solutions, but none of them worked.

@Limezy
Can you show me your /etc/openvpn/yunohost.conf with comments on top of the lines you modified manually?

Of course !

# Change the port
port 8080
dev tun
# Change the protocol
proto udp
# Change the files location ##########
ca /etc/yunohost/certs/vpn.mydomain.fr.Autosign/ca.pem
cert /etc/yunohost/certs/vpn.mydomain.fr.Autosign/crt.pem
key /etc/yunohost/certs/vpn.mydomain.fr.Autosign/key.pem
dh /etc/yunohost/certs/vpn.mydomain.fr.Autosign/dh.pem
################################
server 10.8.0.0 255.255.255.0
route 10.8.0.0 255.255.255.0
keepalive 10 60
inactive 600
user openvpn
group openvpn
persist-tun
persist-key
verb 3
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf
client-cert-not-required
status /var/log/openvpn.log
comp-lzo
# Change the dhcp options to "transfer" non filtered internet to the client
# This is to escape the "Chinese Great FireWall" :smile: ######
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 8.8.8.8"
#############################################

Hope this helps…
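Added example (not code from the thread or from the openvpn_ynh package): a small checker that cross-reads a server yunohost.conf and a client .ovpn the way the tutorial's steps 11-13 and Bonus 1-3 require, and also flags the two warnings visible in the client log above (no server certificate verification, password cached in memory). The sample files, the `.Autosign` folder name and the `file_exists` hook are constructed so it runs offline.

```python
SMART_QUOTES = "\u201c\u201d\u2018\u2019"   # curly quotes pasted from a forum post
def parse_openvpn(text):
    """Return [(directive, args)] for an OpenVPN config; skips blanks and #/; comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            parts = line.replace('"', " ").split()
            entries.append((parts[0], parts[1:]))
    return entries

def first(entries, name):  # args of the first occurrence of a directive, leading dashes tolerated
    return next((a for d, a in entries if d.lstrip("-") == name), None)

def check_configs(server_text, client_text, file_exists=lambda path: True):
    """Cross-check yunohost.conf against the client .ovpn; returns a list of findings."""
    findings = []
    for label, text in (("server", server_text), ("client", client_text)):
        for n, raw in enumerate(text.splitlines(), 1):
            if any(q in raw for q in SMART_QUOTES):
                findings.append(f"{label}:{n}: curly quotes, OpenVPN will reject this line")
    srv, cli = parse_openvpn(server_text), parse_openvpn(client_text)
    # Bonus 1: port and protocol have to be changed in both files.
    s_port, s_proto = (first(srv, "port") or ["1194"])[0], (first(srv, "proto") or ["udp"])[0]
    remote = first(cli, "remote") or []
    c_port = remote[1] if len(remote) > 1 else "1194"
    c_proto = remote[2] if len(remote) > 2 else (first(cli, "proto") or ["udp"])[0]
    if (s_port, s_proto[:3]) != (c_port, c_proto[:3]):
        findings.append(f"port/proto mismatch: server {s_proto}/{s_port}, client {c_proto}/{c_port}")
    # Steps 11-13: every PEM path in the .Autosign folder must exist (file_exists is injectable).
    for key in ("ca", "cert", "key", "dh"):
        args = first(srv, key)
        if not args or not file_exists(args[0]):
            findings.append(f"server: {key} file missing: {args[0] if args else '(unset)'}")
    # The two warnings in the client log above: no server cert check, password cached in memory.
    if first(cli, "remote-cert-tls") is None:
        findings.append("client: add 'remote-cert-tls server' to verify the server certificate")
    if first(cli, "auth-nocache") is None:
        findings.append("client: add 'auth-nocache' so the password is not kept in memory")
    # Bonus 3: a leading '--' on a directive is rejected by some mobile clients.
    findings += [f"client: '{d}' has leading dashes" for d, _ in cli if d.startswith("--")]
    return findings

# Constructed sample files (not from the thread): server moved to udp/8080, client still on 1194.
CERTS = "/etc/yunohost/certs/vpn.domain.tld.Autosign"
SERVER_CONF = (f"port 8080\nproto udp\nca {CERTS}/ca.pem\ncert {CERTS}/crt.pem\nkey {CERTS}/key.pem\n"
               f"dh {CERTS}/dh.pem\npush \"dhcp-option DNS 8.8.4.4\"\npush \u201cdhcp-option DNS 8.8.8.8\u201d\n")
CLIENT_OVPN = "client\ndev tun\nremote vpn.domain.tld 1194 udp\n--auth-user-pass\n"
def demo():  # run the checker pretending dh.pem was never copied (step 11); returns the findings
    return check_configs(SERVER_CONF, CLIENT_OVPN, file_exists=lambda p: not p.endswith("dh.pem"))
```

Run `demo()` against the samples and it reports six findings; point it at the real files (and at `os.path.exists`) to check a live install before starting the service.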

@Limezy
Thank you for all the tips and support. Everything works now.
I confirm that this works with this commit https://github.com/YunoHost-Apps/openvpn_ynh/tree/adb08e39b7b28dd58d83996c5ff0956416fb46c6
Latest commit works but I have a problem after I disconnect from the vpn as I can not connect to the vpn server again until I restart it.

1 Like