OpenVPN driving me nuts
/etc/init.d/openvpn start
It just doesn't work. I just get [fail], though I have no idea where logs are kept to work out what the problem is.
I must have gone through this 8 or 9 times now and I get the same result every time.
Any ideas?
11 Replies
Oct 2 07:12:17 localhost ovpn-client[13408]: OpenVPN 2.1.0 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 20 2010
Oct 2 07:12:17 localhost ovpn-client[13408]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 2 07:12:17 localhost ovpn-client[13408]: Cannot load private key file client1.key: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib
Oct 2 07:12:17 localhost ovpn-client[13408]: Error: private key password verification failed
Oct 2 07:12:17 localhost ovpn-client[13408]: Exiting
Looks like it can't find client1.key - which is weird because I've seen the file today.
Is there any way to just start again with all of this from scratch? Even re-install openvpn? I think that something must have gone wrong.
Here are the details of the first section:
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [UK]:UK
State or Province Name (full name) [LON]:LON
Locality Name (eg, city) [London]:London
Organization Name (eg, company) [chrisgilloch]:chrisgilloch
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [chrisgilloch CA]:chrisgilloch CA
Name []:
Email Address [chris@pixelatedphotographer.com]:
root@swansea:/etc/openvpn/easy-rsa/2.0# . /etc/openvpn/easy-rsa/2.0/build-key-server server
Generating a 1024 bit RSA private key
...........++++++
..............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [UK]:UK
State or Province Name (full name) [LON]:LON
Locality Name (eg, city) [London]:London
Organization Name (eg, company) [chrisgilloch]:chrisgilloch
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:server
Name []:
Email Address [chris@pixelatedphotographer.com]:chris@pixelatedphotographer.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'UK'
stateOrProvinceName :PRINTABLE:'LON'
localityName :PRINTABLE:'London'
organizationName :PRINTABLE:'chrisgilloch'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'chris@pixelatedphotographer.com'
Certificate is to be certified until Oct 1 07:00:54 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
For the second bit:
root@swansea:/etc/openvpn/easy-rsa/2.0# . /etc/openvpn/easy-rsa/2.0/build-key client1
Generating a 1024 bit RSA private key
..................++++++
...............................++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [UK]:UK
State or Province Name (full name) [LON]:LON
Locality Name (eg, city) [London]:London
Organization Name (eg, company) [chrisgilloch]:chrisgilloch
Organizational Unit Name (eg, section) []:user1
Common Name (eg, your name or your server's hostname) [client1]:client1
Name []:user1
Email Address [chris@pixelatedphotographer.com]:test@pixelatedphotographer.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'UK'
stateOrProvinceName :PRINTABLE:'LON'
localityName :PRINTABLE:'London'
organizationName :PRINTABLE:'chrisgilloch'
organizationalUnitName:PRINTABLE:'user1'
commonName :PRINTABLE:'client1'
name :PRINTABLE:'user1'
emailAddress :IA5STRING:'test@pixelatedphotographer.com'
Certificate is to be certified until Oct 1 07:04:37 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
On the client.conf I have:
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client1.crt
key client1.key
and
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote chrisgilloch CA 1194
;remote my-server-2 1194
And the last bit is what I think is wrong (remote chrisgilloch CA 1194) on the guide as 'OpenVPN server's name', so I'm not sure what to put there but I've tried a few.
The files are also in the folder
http://www.pixelatedphotographer.com/chris/screen1.png
Any ideas?
remote
I'll also mention (you may have this covered, but it's not clear from your pastes) that if you just ran the easy-rsa scripts on your mac, you'll need to put ca.crt, server.key, server.crt and ta.key (if using) into the server's openvpn directory (probably /etc/openvpn/). It's worth copying them over again even if you think you have this covered, because if you've been through the stages several times it's very easy to mix these things up.
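The two failures seen in this thread (a key file the daemon cannot find, and a `remote` line whose host contains a space) can be caught before starting the service. The script below is an added example, not part of any post in the thread; `check_ovpn_conf` is a hypothetical helper name, and it assumes relative file names are resolved against the directory holding the config unless a base directory is passed.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check of an OpenVPN config.
# Assumption: the daemon resolves relative file names against BASEDIR, which
# defaults to the directory holding the config.

check_ovpn_conf() {   # usage: check_ovpn_conf CONF [BASEDIR]
    conf=$1
    base=${2:-$(dirname "$conf")}
    problems=0
    while read -r directive a1 a2 rest || [ -n "$directive" ]; do
        case $directive in
        ca|cert|key|dh|tls-auth)
            case $a1 in /*) path=$a1 ;; *) path=$base/$a1 ;; esac
            if [ ! -f "$path" ]; then
                echo "MISSING $directive $path"
                problems=$((problems + 1))
            elif [ "$directive" = key ]; then
                # A private key should not be readable by group or other.
                case $(ls -ld "$path") in
                ????r*|???????r*)
                    echo "PERMS key $path"
                    problems=$((problems + 1)) ;;
                esac
            fi ;;
        remote)
            # Syntax is "remote host [port] [proto]": a name containing a
            # space pushes a non-numeric word into the port position.
            case $a2 in
            *[!0-9]*)
                echo "REMOTE bad port '$a2' in: remote $a1 $a2 $rest"
                problems=$((problems + 1)) ;;
            esac ;;
        esac
    done < "$conf"
    [ "$problems" -eq 0 ]
}

# Constructed demo input modelled on the client.conf quoted in the thread.
demo_dir=$(mktemp -d)
printf '%s\n' 'ca ca.crt' 'cert client1.crt' 'key client1.key' \
    'remote chrisgilloch CA 1194' ';remote my-server-2 1194' > "$demo_dir/client.conf"
: > "$demo_dir/ca.crt"; : > "$demo_dir/client1.crt"   # client1.key left out
check_ovpn_conf "$demo_dir/client.conf" || echo "config has problems"
```

Lines starting with `;` or `#` are skipped because they never match a directive name, so commented-out `remote` entries are not reported.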
Cheers for the help, that actually sorted it - it's up and running now, I'll just finish the rest off tonight and hopefully I can connect it through!
Many thanks!
Chris
I have managed to get tunnelblick to connect to the vpn, how can I get it to send me the net connection and IP from the server?
It's basically to play the iplayer outside of the UK.
Is this what a tunnel is? Sorry for the noob questions!
Is there any way that I can see how to improve the performance of the connection - or is it just the case I'm too far away from the UK to get a decent connection. If this doesn't work out I may need another solution to getting iplayer etc over here.
Cheers,
Chris
For what you want to do, a tunnel with a socks proxy usually works really well.
This obviously isn't a video-streaming comparison, but it runs into similar constraints:
Local side: RoadRunner, Rochester NY
Tunnel server: Linode, Newark
Simulated long-haul test:
wget -O /dev/null
With OpenVPN active: 1.15 MB/s
Without OpenVPN active: 1.26 MB/s