Resolved
0 votes
Hi guys!

Is there any way to connect my ClearOS router to an external VPN server via PPTP/L2TP/OpenVPN etc. protocol? ibVPN app available from the Marketplace doesn't work fine for me.

Many thanks for the help.
In VPN
Friday, February 10 2017, 12:11 PM
Responses (14)
  • Accepted Answer

    Sunday, February 12 2017, 09:44 PM - #Permalink
    Resolved
    0 votes
    Maybe @Darryl Sokoloski can help :)
  • Accepted Answer

    Sunday, February 12 2017, 09:29 PM - #Permalink
    Resolved
    0 votes
    I believe the problem is not in DNS since I cannot ping any IP address in the Internet as well. Will try to check a PPTP connection.
  • Accepted Answer

    Sunday, February 12 2017, 12:25 PM - #Permalink
    Resolved
    0 votes
    As a hack, it looks like the script is trying to update resolv.conf to insert the DNS server 1.2.3.4. The equivalent file in ClearOS would be /etc/resolv-peerdns.conf.

    What you could try is set up ClearOS to use manually configured DNS servers. Choose your current ones then try adding 1.2.3.4 as a third server. It may make your DNS lookups a little slow as, when the VPN is up, it needs to wait for the first two servers to time out.

    You may also just get away with manually configuring your DNS servers to public DNS servers such as OpenDNS or GoogleDNS and not even need to add 1.2.3.4.
  • Accepted Answer

    Sunday, February 12 2017, 09:30 AM - #Permalink
    Resolved
    0 votes
    I'm sorry I can't help much further as I don't want to sign up for a VPN service and I've no idea why it is not working.

    The "ping: unknown host www.google.com" suggests your DNS lookups are failing which could be a problem with the update-resolv-conf implementation. Looking at the script, if yours is anything like mine, it will do nothing as the file /sbin/resolvconf does not exist. This will cause the script to exit immediately.

    You can try PPTP and IPsec implementations. In both cases look for router implementations (especially with IPsec).
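The two replies above note that update-resolv-conf exits at once when /sbin/resolvconf is missing, so the pushed DNS server is never applied. As an added example (not code from the thread, ibVPN or ClearOS), here is a POSIX sh up-script that builds the resolver lines itself and validates the server-pushed values first. The function names and the RESOLV_TARGET variable are assumptions, and whether ClearOS later rewrites the target file is not covered.

```sh
#!/bin/sh
# OpenVPN exports pushed options to its --up script as foreign_option_1..N.
# The remote server picks those values, so validate them before writing.
is_ipv4() {                                   # dotted quad, octets 0-255
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

pushed_resolv_lines() {                       # print resolv.conf lines
    i=1 search="" servers=""
    while :; do
        eval "opt=\${foreign_option_$i-}"     # $i is our own counter
        [ -n "$opt" ] || break
        set -f; set -- $opt; set +f           # split without globbing
        if [ "$#" -eq 3 ] && [ "$1" = "dhcp-option" ]; then
            case "$2" in
                DNS) if is_ipv4 "$3"; then servers="$servers $3"; fi ;;
                DOMAIN) case "$3" in
                            *[!A-Za-z0-9.-]*) ;;  # reject odd characters
                            *) search="$search $3" ;;
                        esac ;;
            esac
        fi
        i=$((i + 1))
    done
    [ -z "$search" ] || echo "search$search"
    for ns in $servers; do echo "nameserver $ns"; done
}

write_resolv() {                              # $1 = file to replace
    lines=$(pushed_resolv_lines)
    [ -n "$lines" ] || return 1               # never blank the resolver file
    tmp="$1.tmp.$$"
    printf '%s\n' "$lines" > "$tmp" && mv "$tmp" "$1"
}

# As an --up script OpenVPN sets script_type=up. RESOLV_TARGET is a
# hypothetical variable (assumption) naming the file to write, for instance
# the /etc/resolv-peerdns.conf mentioned in the thread.
if [ "${script_type-}" = "up" ] && [ -n "${RESOLV_TARGET-}" ]; then
    write_resolv "$RESOLV_TARGET" || echo "no valid DNS option pushed" >&2
fi
```
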
  • Accepted Answer

    Saturday, February 11 2017, 10:15 PM - #Permalink
    Resolved
    0 votes
    Unfortunately I don't have any connectivity with the Internet from my network. I tried to ping google from the router itself and got "ping: unknown host www.google.com". I also tried another VPN service. I downloaded corresponding OpenVPN configs and tried to feed them to the program. At the end, I got a successful connection but without access to the Internet. I applied your commands as well with a well known result.

    So, it is definitely a ClearOS issue with OpenVPN. Maybe it would be easier to establish a PPTP or IPSec connection?

    P.S. I've allowed both protocols for OpenVPN in the firewall rules.
  • Accepted Answer

    Saturday, February 11 2017, 01:19 PM - #Permalink
    Resolved
    0 votes
    It looks like they are pushing the "redirect-gateway def1" when you connect so you should not need it in your config.

    I wonder if there is a firewalling issue. ClearOS sets up rules for tun+ but not tap+. To mirror the tun+ rules you'd need:
    iptables -w -I INPUT -i tap+ -j ACCEPT
    iptables -w -I FORWARD -i tap+ -j ACCEPT
    iptables -w -I OUTPUT -o tap+ -j ACCEPT
    iptables -w -I POSTROUTING -t nat -o tap+ -j ACCEPT
    I don't know if you'd need them as in this case ClearOS is a client and not a server.

    Do you have any connectivity from either ClearOS or from the LAN to the internet through the tunnel?
  • Accepted Answer

    Saturday, February 11 2017, 10:50 AM - #Permalink
    Resolved
    0 votes
    I downloaded a configuration for Sabai router. (Basically the only difference is the absence of two lines with update-resolv-conf) Here is my output:


    [root@gateway VPN]# openvpn --config ibVPN_Bulgaria_Sofia.ovpn
    Sat Feb 11 12:33:04 2017 OpenVPN 2.3.13 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 3 2016
    Sat Feb 11 12:33:04 2017 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
    Enter Auth Username: **********************
    Enter Auth Password: ********
    Sat Feb 11 12:33:46 2017 Socket Buffers: R=[229376->229376] S=[229376->229376]
    Sat Feb 11 12:33:47 2017 UDPv4 link local: [undef]
    Sat Feb 11 12:33:47 2017 UDPv4 link remote: [AF_INET]185.94.192.26:1196
    Sat Feb 11 12:33:47 2017 TLS: Initial packet from [AF_INET]185.94.192.26:1196, sid=522d5668 8a6bbe8c
    Sat Feb 11 12:33:47 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Sat Feb 11 12:33:50 2017 VERIFY OK: depth=1, C=RO, ST=MS, L=TirguMures, O=Amplusnet, OU=ibVPN, CN=Amplusnet CA, name=EasyRSA, emailAddress=admin@ibvpn.com
    Sat Feb 11 12:33:50 2017 VERIFY OK: nsCertType=SERVER
    Sat Feb 11 12:33:50 2017 VERIFY OK: depth=0, C=RO, ST=MS, L=TirguMures, O=Amplusnet, OU=ibVPN, CN=server, name=EasyRSA, emailAddress=admin@ibvpn.com
    Sat Feb 11 12:33:52 2017 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Sat Feb 11 12:33:52 2017 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
    Sat Feb 11 12:33:52 2017 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Sat Feb 11 12:33:52 2017 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
    Sat Feb 11 12:33:52 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Sat Feb 11 12:33:52 2017 [server] Peer Connection Initiated with [AF_INET]185.94.192.26:1196
    Sat Feb 11 12:33:54 2017 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Sat Feb 11 12:33:54 2017 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.10.220.1,ping 10,ping-restart 60,redirect-gateway def1,dhcp-option DNS 1.2.3.4,ifconfig 10.10.220.2 255.255.255.0'
    Sat Feb 11 12:33:54 2017 OPTIONS IMPORT: timers and/or timeouts modified
    Sat Feb 11 12:33:54 2017 OPTIONS IMPORT: --ifconfig/up options modified
    Sat Feb 11 12:33:54 2017 OPTIONS IMPORT: route options modified
    Sat Feb 11 12:33:54 2017 OPTIONS IMPORT: route-related options modified
    Sat Feb 11 12:33:54 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Sat Feb 11 12:33:54 2017 ROUTE_GATEWAY 213.57.37.1/255.255.255.0 IFACE=enp3s0 HWADDR=00:e0:b4:17:72:08
    Sat Feb 11 12:33:54 2017 TUN/TAP device tap0 opened
    Sat Feb 11 12:33:54 2017 TUN/TAP TX queue length set to 100
    Sat Feb 11 12:33:54 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Sat Feb 11 12:33:54 2017 /usr/sbin/ip link set dev tap0 up mtu 1500
    Sat Feb 11 12:33:54 2017 /usr/sbin/ip addr add dev tap0 10.10.220.2/24 broadcast 10.10.220.255
    Sat Feb 11 12:33:56 2017 /usr/sbin/ip route add 185.94.192.26/32 via 213.57.37.1
    Sat Feb 11 12:33:56 2017 /usr/sbin/ip route add 0.0.0.0/1 via 10.10.220.1
    Sat Feb 11 12:33:56 2017 /usr/sbin/ip route add 128.0.0.0/1 via 10.10.220.1
    Sat Feb 11 12:33:56 2017 Initialization Sequence Completed


    It seems there is no error in my VPN connection. And yes, I set up my user_pass.txt file (actually it is set up automatically by their servers when downloading my configs).
  • Accepted Answer

    Saturday, February 11 2017, 07:43 AM - #Permalink
    Resolved
    0 votes
    Can you download a router config from ibVPN and have a look at it? On PureVPN they don't use "redirect-gateway def1" so perhaps it is not needed. What they do use is "route 0.0.0.0 0.0.0.0"

    Have you also set up your user_pass.txt file? Do your logs (/var/log/messages) give any errors?
  • Accepted Answer

    Friday, February 10 2017, 09:59 PM - #Permalink
    Resolved
    0 votes
    Sorry for confusion, Nick. I simply forgot to copy update-resolv-conf file with the ovpn config.

    Now I get a connection with the server but didn't have access to the Internet. Here is my configuration file where I added line "redirect-gateway def1"


    remote bg1.ibvpn.com 1196 udp
    remote 185.94.192.26 1196 udp
    fragment 1300
    explicit-exit-notify 3
    auth-user-pass user_pass.txt
    up 'update-resolv-conf'
    down 'update-resolv-conf'
    dev tap
    server-poll-timeout 20
    client
    nobind
    resolv-retry infinite
    auth-retry nointeract
    persist-key
    persist-tun
    cipher AES-256-CBC
    auth RSA-SHA512
    mute-replay-warnings
    comp-lzo
    verb 3
    mute 20
    ns-cert-type server
    route-method exe
    route-delay 2
    script-security 3
    reneg-sec 0
    redirect-gateway def1
  • Accepted Answer

    Friday, February 10 2017, 09:19 PM - #Permalink
    Resolved
    0 votes
    It looks like you are missing a file update-resolv-conf which I'd have thought you'd find in some of their configs. My remote Raspberry Pi has a file like that, but I've no idea if it is compatible. If it helps, its contents are below:
    #!/bin/bash
    #
    # Parses DHCP options from openvpn to update resolv.conf
    # To use set as 'up' and 'down' script in your openvpn *.conf:
    # up /etc/openvpn/update-resolv-conf
    # down /etc/openvpn/update-resolv-conf
    #
    # Used snippets of resolvconf script by Thomas Hood and Chris Hanson.
    # Licensed under the GNU GPL. See /usr/share/common-licenses/GPL.
    #
    # Example envs set from openvpn:
    #
    # foreign_option_1='dhcp-option DNS 193.43.27.132'
    # foreign_option_2='dhcp-option DNS 193.43.27.133'
    # foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
    #

    # Exit quietly unless resolvconf is installed and openvpn set the environment
    [ -x /sbin/resolvconf ] || exit 0
    [ "$script_type" ] || exit 0
    [ "$dev" ] || exit 0

    split_into_parts()
    {
        part1="$1"
        part2="$2"
        part3="$3"
    }

    case "$script_type" in
      up)
        NMSRVRS=""
        SRCHS=""
        # Collect the pushed DNS servers and search domains
        for optionvarname in ${!foreign_option_*} ; do
            option="${!optionvarname}"
            echo "$option"
            split_into_parts $option
            if [ "$part1" = "dhcp-option" ] ; then
                if [ "$part2" = "DNS" ] ; then
                    NMSRVRS="${NMSRVRS:+$NMSRVRS }$part3"
                elif [ "$part2" = "DOMAIN" ] ; then
                    SRCHS="${SRCHS:+$SRCHS }$part3"
                fi
            fi
        done
        # Build the resolv.conf fragment (the quoted strings end with a newline)
        R=""
        [ "$SRCHS" ] && R="search $SRCHS
    "
        for NS in $NMSRVRS ; do
            R="${R}nameserver $NS
    "
        done
        echo -n "$R" | /sbin/resolvconf -a "${dev}.openvpn"
        ;;
      down)
        /sbin/resolvconf -d "${dev}.openvpn"
        ;;
    esac

    ..... but it is your risk!

    In the OpenVPN config you may want to check you have the option "redirect-gateway def1" in your config file. I suspect it is needed to put all traffic through the tunnel. Beyond that, I can't help much.
  • Accepted Answer

    Friday, February 10 2017, 08:33 PM - #Permalink
    Resolved
    0 votes
    The instructions for Linux look pretty simple, but I can't get to the underlying files. Why are you trying to start with the command line and not the ibvpn app?


    Indeed they are, and this is exactly what I'm trying to do, to run the openvpn client with a personal config file downloaded from my ibVPN account (openvpn --config config.ovpn). Pretty simple, but I'm getting the above-mentioned error.

    With the app I can't get my whole system connected to VPN servers. I can't get it working even with my local PC (in the app you have to pick up a device, connected to the router, which should use the ibVPN service). If I type something like localhost I lose access to the Internet at all. However, as I said before, everything is ok for my laptop, which is a bit weird)
  • Accepted Answer

    Friday, February 10 2017, 08:12 PM - #Permalink
    Resolved
    0 votes
    The instructions for Linux look pretty simple, but I can't get to the underlying files. Why are you trying to start with the command line and not the ibvpn app?

    I'm afraid I can't troubleshoot much as I don't have a user/pass for the ibvpn site. You may need a combination of the Linux and a Linux-based router config (dd-wrt, tomato etc).

    I did try to help another user with PureVPN but the thread fizzled out. They do have router based configs, but it should really be the VPN provider giving support.
  • Accepted Answer

    Friday, February 10 2017, 06:58 PM - #Permalink
    Resolved
    0 votes
    Here is an error I get while using openvpn config file:


    [root@gateway VPN]# openvpn --config ibVPN-Bulgaria.ovpn
    Options error: --up script fails with 'update-resolv-conf': No such file or directory
    Options error: Please correct this error.
    Use --help for more information.


    From my Ubuntu PC everything works fine.

    The issue with the ibVPN app is that I can't connect the router itself to a VPN server. Moreover, this app works only with my laptop via wi-fi and doesn't work with my main PC connected by wire. I've been searching for a while for a good instruction or FAQ here in this forum but couldn't find any complete solution. VPN providers usually give to users configuration settings in GUI mode.
  • Accepted Answer

    Friday, February 10 2017, 01:52 PM - #Permalink
    Resolved
    0 votes
    I believe ibVPN only uses OpenVPN under the hood. What is the issue?

    You should be able to use a number of different VPN providers. A lot of them use OpenVPN underneath, but I don't see why you would not be able to use some other type of VPN. You'd need to try to follow their instructions to get it up and running.