OpenVPN driving me nuts

Hi guys - I'm following the linode openvpn guide (http://library.linode.com/networking/openvpn/ubuntu-10.04-lucid#sph_installing-openvpn) and I've hit a roadblock once I get to:

/etc/init.d/openvpn start

It just doesn't work; I just get [fail], though I have no idea where logs are kept to work out what the problem is.

I must have gone through this 8 or 9 times now and I get the same result every time.

Any ideas?

11 Replies

Check /var/log/syslog and /etc/openvpn-status.log

Cheers Obs, I have the syslog but no openvpn-status.log

Oct  2 07:12:17 localhost ovpn-client[13408]: OpenVPN 2.1.0 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 20 2010
Oct  2 07:12:17 localhost ovpn-client[13408]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct  2 07:12:17 localhost ovpn-client[13408]: Cannot load private key file client1.key: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib
Oct  2 07:12:17 localhost ovpn-client[13408]: Error: private key password verification failed
Oct  2 07:12:17 localhost ovpn-client[13408]: Exiting

Looks like it can't find client1.key - which is weird because I've seen the file today.

Is there any way to just start again with all of this from scratch? Even re-install openvpn? I think that something must have gone wrong.

Where did you see it? It should be in /etc/openvpn/easy-rsa/2.0/keys/ per the guide. It's better to go through it again with your current install if you missed something, particularly the key generating process.

Ok - I have gone through it again and again. Driving me nuts.

Here are the details of the first section:

writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [UK]:UK
State or Province Name (full name) [LON]:LON
Locality Name (eg, city) [London]:London
Organization Name (eg, company) [chrisgilloch]:chrisgilloch
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [chrisgilloch CA]:chrisgilloch CA
Name []:
Email Address [chris@pixelatedphotographer.com]:
root@swansea:/etc/openvpn/easy-rsa/2.0# . /etc/openvpn/easy-rsa/2.0/build-key-server server
Generating a 1024 bit RSA private key
...........++++++
..............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [UK]:UK
State or Province Name (full name) [LON]:LON
Locality Name (eg, city) [London]:London
Organization Name (eg, company) [chrisgilloch]:chrisgilloch
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:server
Name []:
Email Address [chris@pixelatedphotographer.com]:chris@pixelatedphotographer.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'UK'
stateOrProvinceName   :PRINTABLE:'LON'
localityName          :PRINTABLE:'London'
organizationName      :PRINTABLE:'chrisgilloch'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'chris@pixelatedphotographer.com'
Certificate is to be certified until Oct  1 07:00:54 2021 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

For the second bit:

root@swansea:/etc/openvpn/easy-rsa/2.0# . /etc/openvpn/easy-rsa/2.0/build-key client1
Generating a 1024 bit RSA private key
..................++++++
...............................++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [UK]:UK
State or Province Name (full name) [LON]:LON
Locality Name (eg, city) [London]:London
Organization Name (eg, company) [chrisgilloch]:chrisgilloch
Organizational Unit Name (eg, section) []:user1
Common Name (eg, your name or your server's hostname) [client1]:client1
Name []:user1
Email Address [chris@pixelatedphotographer.com]:test@pixelatedphotographer.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'UK'
stateOrProvinceName   :PRINTABLE:'LON'
localityName          :PRINTABLE:'London'
organizationName      :PRINTABLE:'chrisgilloch'
organizationalUnitName:PRINTABLE:'user1'
commonName            :PRINTABLE:'client1'
name                  :PRINTABLE:'user1'
emailAddress          :IA5STRING:'test@pixelatedphotographer.com'
Certificate is to be certified until Oct  1 07:04:37 2021 GMT (3650 days)
Sign the certificate? [y/n]:y

On the client.conf I have:

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert client1.crt
key client1.key

and

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote chrisgilloch CA 1194
;remote my-server-2 1194

And the last bit is what I think is wrong (remote chrisgilloch CA 1194) on the guide as 'OpenVPN server's name', so I'm not sure what to put there but I've tried a few.

The files are also in the folder

Screenshot: http://www.pixelatedphotographer.com/chris/screen1.png

Any ideas?

the remote line should be

remote would be the DNS name / IP of your linode, would stay as 1194 unless you've changed the port in your server config.

I'll also mention (you may have this covered, but it's not clear from your pastes) that if you just ran the easy-rsa scripts on your mac, you'll need to put ca.crt, server.key, server.crt and ta.key (if using) into the server's openvpn directory (probably /etc/openvpn/). It's worth copying them over again even if you think you have this covered, because if you've been through the stages several times it's very easy to mix these things up :)
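A pre-flight check for the two problems seen in this thread (the key file that could not be opened and the `remote` line), as an added example that is not from the guide or from any poster here. `check_ovpn_conf` and `make_sample` are hypothetical names, the sample config is constructed, and the check assumes relative `ca`/`cert`/`key` paths resolve against the directory holding the config.

```bash
# check_ovpn_conf is a hypothetical helper, not part of OpenVPN. It prints one
# line per problem and returns non-zero if it found any.
check_ovpn_conf() (
    conf=$1; dir=$(dirname "$conf"); problems=0
    while read -r directive arg rest; do
        case $directive in
        ca|cert|key)
            # Assumption: relative paths resolve against the config's directory.
            case $arg in /*) path=$arg ;; *) path=$dir/$arg ;; esac
            if [ ! -f "$path" ]; then
                echo "missing $directive file: $path"
                problems=$((problems + 1))
            elif [ "$directive" = key ] &&
                 [ "$(ls -ldL "$path" | cut -c5-10)" != "------" ]; then
                echo "private key accessible to group/other: $path"
                problems=$((problems + 1))
            fi ;;
        remote)
            # Form: remote <host> [port]. A name containing a space pushes
            # a non-numeric word into the port position.
            port=${rest%% *}
            case $port in *[!0-9]*)
                echo "remote port is not a number: '$port' (host parsed as '$arg')"
                problems=$((problems + 1)) ;;
            esac ;;
        esac
    done < "$conf"
    [ "$problems" -eq 0 ]
)

# Constructed sample mirroring the thread: client1.key is absent and the
# remote line carries the CA's common name instead of a hostname.
make_sample() (
    d=$(mktemp -d)
    touch "$d/ca.crt" "$d/client1.crt"
    printf '%s\n' '# SSL/TLS parms.' 'ca ca.crt' 'cert client1.crt' \
        'key client1.key' 'remote chrisgilloch CA 1194' \
        ';remote my-server-2 1194' > "$d/client.conf"
    echo "$d"
)

sample=$(make_sample)
check_ovpn_conf "$sample/client.conf" || echo "config has problems"
```

Run it against the real file with `check_ovpn_conf /etc/openvpn/client.conf`; lines starting with `#` or `;` are skipped because they never match a directive name.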

TehDan,

Cheers for the help, that actually sorted it - it's up and running now, I'll just finish the rest off tonight and hopefully I can connect it through!

Many thanks!

Chris

Hi guys

I have managed to get tunnelblick to connect to the vpn, how can I get it to send me the net connection and IP from the server?

It's basically to play the iplayer outside of the UK.

Is this what a tunnel is? Sorry for the noob questions!

Scrap that - I have it showing that it has the IP address of the server THOUGH it's so slow it won't load any web pages - any ideas?

Hi guys, I've managed to get this to connect and I can get streaming from the UK via iPlayer etc, though it's like being connected to a 56k modem - stop start etc.

Is there any way that I can see how to improve the performance of the connection - or is it just the case I'm too far away from the UK to get a decent connection. If this doesn't work out I may need another solution to getting iplayer etc over here.

Cheers,

Chris

I never did get the vpn (using the library article method) to work effectively for what you are trying to do.

For what you want to do a tunnel with a socks proxy usually works really well :)

Are you set for TCP or UDP? I don't always stream video to my netbook, but when I do, it's through OpenVPN with proto udp. TCP is not good for tunneling: if a packet is lost, the tunnel stream stops until the packet is recovered, which will cause the internal streams to assume packets were lost, which will cause them to freak out, etc. Basically, it's like putting a car in your car.

This obviously isn't a video-streaming comparison, but it runs into similar constraints:

Local side: RoadRunner, Rochester NY

Tunnel server: Linode, Newark

Simulated long-haul test:

wget -O /dev/null http://fremont1.linode.com/100MB-fremont.bin

With OpenVPN active: 1.15 MB/s

Without OpenVPN active: 1.26 MB/s
