#1 2015-03-29 23:21:03

besseriym
Member
Registered: 2015-03-29
Posts: 5

[SOLVED] OpenVPN with PrivateInternetAccess Broken

Hi guys,

This is my first post in the forums, so I just want to say thank you in advance for the help. I've recently switched to Arch and love the system, but have run into a snag with OpenVPN that I have somehow made worse. I've read all the OpenVPN-related articles in the wiki and attempted to fix the problem on my own, but after a week of failure I need help.

I use PrivateInternetAccess VPN, and have attempted to set it up using OpenVPN (using both manual configuration and NetworkManager) with no success. I read and followed the OpenVPN page on the Arch Wiki to get everything set up. My first few attempts to set it up left me with a working VPN connection, but a DNS leak. I attempted to manually set the DNS servers in the NetworkManager config and still had a DNS leak. I also attempted to use several of the tools in the AUR for PIA (like pia-tools and private-internet-access-vpn) but still had the same problem. I have been researching the issue and found several pages that had some helpful information, but nothing seemed to fix the issue. Somehow along the way I managed to break my OpenVPN altogether. Instead of having a working VPN connection, I connect to the VPN and it breaks my internet connection. I will try to visit webpages and it just says "Connecting..." at the bottom of the page but never connects. I have tried clearing all of the previous config files from the OpenVPN directory and manually creating a new one with the settings that worked for me initially, but I still can't get it to connect. Fearing that I may have screwed up something beyond repair I uninstalled and reinstalled OpenVPN, but I still have the exact same problem. I can no longer connect to the internet after I successfully connect to the PIA host.

I am using the latest OpenVPN from the official repo, and have followed the OpenVPN setup from the PIA website to set up OpenVPN. I am also using the default kernel on a 64-bit system.

If there's any help you guys can offer, I would very much appreciate it.

Last edited by besseriym (2015-03-30 00:37:27)

#2 2015-03-29 23:26:53

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,426

Re: [SOLVED] OpenVPN with PrivateInternetAccess Broken

Works fine for me. Paste your config (with the sensitive information redacted).


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438

#3 2015-03-29 23:39:30

besseriym
Member
Registered: 2015-03-29
Posts: 5

Re: [SOLVED] OpenVPN with PrivateInternetAccess Broken

I have removed OpenVPN and reinstalled it so I have a default config at the moment.

The last attempt I made to set it up was using the NetworkManager and I followed the OpenVPN instructions on the PIA website. Just entered the host address (us-east.privateinternetaccess.com) and username/password. Clicked on the advanced settings and checked "Use LZO compression" and then launched.

After setting it up using NetworkManager I do not see any config files in /etc/openvpn; is there somewhere else they are stored?

I have also downloaded the preconfigured config files from PrivateInternetAccess (along with the ca.crt file) and tried using those. Here is the file I used from the website:

client
dev tun
proto udp
remote us-east.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.pem

#4 2015-03-29 23:46:49

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,426

Re: [SOLVED] OpenVPN with PrivateInternetAccess Broken

Forget using NM to manage it for the time being, just get it running properly and then introduce complexity.

You should use absolute paths to your cert and pass file (and the .pem, if you are using it).

Run that manually and see if you connect successfully.


#5 2015-03-29 23:56:16

besseriym
Member
Registered: 2015-03-29
Posts: 5

Re: [SOLVED] OpenVPN with PrivateInternetAccess Broken

$ openvpn us-east.ovpn
Sun Mar 29 19:53:50 2015 OpenVPN 2.3.6 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec  2 2014
Sun Mar 29 19:53:50 2015 library versions: OpenSSL 1.0.2a 19 Mar 2015, LZO 2.09
Enter Auth Username: ********
Enter Auth Password: ****************
Sun Mar 29 19:54:02 2015 UDPv4 link local: [undef]
Sun Mar 29 19:54:02 2015 UDPv4 link remote: [AF_INET]108.61.68.168:1194
Sun Mar 29 19:54:02 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Mar 29 19:54:06 2015 [Private Internet Access] Peer Connection Initiated with [AF_INET]108.61.68.168:1194
Sun Mar 29 19:54:08 2015 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
Sun Mar 29 19:54:08 2015 Exiting due to fatal error

This is what I get when I just run the config file listed above. Should I be using sudo to run it?

#6 2015-03-30 00:06:00

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,426

Re: [SOLVED] OpenVPN with PrivateInternetAccess Broken

Yes, it has to be run with elevated privileges...


#7 2015-03-30 00:09:15

besseriym
Member
Registered: 2015-03-29
Posts: 5

Re: [SOLVED] OpenVPN with PrivateInternetAccess Broken

After running with elevated privileges, it initiates the connection. I have verified my IP address, but still have a dns leak.

Here is the output:

$ sudo openvpn us-east.ovpn
[sudo] password ---
Sun Mar 29 20:04:03 2015 OpenVPN 2.3.6 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec  2 2014
Sun Mar 29 20:04:03 2015 library versions: OpenSSL 1.0.2a 19 Mar 2015, LZO 2.09
Enter Auth Username: ********
Enter Auth Password: ****************
Sun Mar 29 20:04:17 2015 UDPv4 link local: [undef]
Sun Mar 29 20:04:17 2015 UDPv4 link remote: [AF_INET]209.222.15.236:1194
Sun Mar 29 20:04:17 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Mar 29 20:04:17 2015 [Private Internet Access] Peer Connection Initiated with [AF_INET]209.222.15.236:1194
Sun Mar 29 20:04:20 2015 TUN/TAP device tun0 opened
Sun Mar 29 20:04:20 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Mar 29 20:04:20 2015 /usr/bin/ip link set dev tun0 up mtu 1500
Sun Mar 29 20:04:20 2015 /usr/bin/ip addr add dev tun0 local 10.127.1.6 peer 10.127.1.5
Sun Mar 29 20:04:20 2015 Initialization Sequence Completed

#8 2015-03-30 00:23:54

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,426
Website

Re: [SOLVED] OpenVPN with PrivateInternetAccess Broken


#9 2015-03-30 00:33:38

besseriym
Member
Registered: 2015-03-29
Posts: 5

Re: [SOLVED] OpenVPN with PrivateInternetAccess Broken

OK, I think I may have just figured this out.

I was misunderstanding the instructions in the OpenVPN part of the wiki. I was copying the default client config from my /examples directory (following instructions in the wiki) and then adding the config variables from the us-east.ovpn config file to the client.conf file. I was getting a DNS leak because openvpn was not able to edit the resolv.conf file. Although I created the script described in the wiki, and then added the extra commands to the config it was not working. When I deleted all of the config files from the openvpn directory and just put the us-east.ovpn config file back into the directory and added the commands to that file and launched it manually it seemed to connect and change the resolv.conf file correctly to reflect the VPN DNS servers. After doing this and testing the DNS, it appears I no longer have a DNS leak.

I should have tried that way sooner, but for some reason I wasn't thinking clearly when troubleshooting the issue.

Thank you very much for your help Jasonwryan.

#10 2016-01-06 01:43:31

rabarrett
Member
Registered: 2012-07-05
Posts: 99

Re: [SOLVED] OpenVPN with PrivateInternetAccess Broken

For anyone else who finds this (because I still haven't found a great description but this is the best I've found).  My solution involved cobbling together bits and pieces of info that are on different pages.  The whole of setting up openvpn with pia is not described fully anywhere.  Also, I have not had great success with the AUR private-internet-access-vpn.  Perhaps you will, but it seems like there is... unpolished maintenance of the AUR.

You can find most of the first part of setting it up on the arch linux wiki for openvpn (just be sure to note that you're setting up just the client so you skip a large part of the wiki; pia handles the server stuff).

Then you will find that you're going through a new server (for example, test here):
https://www.dnsleaktest.com/

But, if you run the "extended test" you'll find you have a DNS leak.  Now this is mentioned later in the openvpn wiki, but it didn't explain the full solution.  But, first at least read this:
https://wiki.archlinux.org/index.php/OpenVPN#DNS

Each script file you use (which are your piaFrance or piaFrance.conf files -- other services use different naming conventions like .ovpn), must include those lines (I put them at the end of my file and that works).  Specifically, add this to your .conf file:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Also, make sure you've installed two additional packages:
openresolv
and
openvpn-update-resolv-conf

What does all this do?  (This is what I would have liked someone to explain better along the way.)
Without these additional steps, you can still connect your VPN successfully, but you also want it to adjust your computer to only use your VPN domain name servers also (otherwise it will probably keep using those of your local internet provider, e.g. Time Warner or something).  The additional lines in the .conf file, along with the new packages, tell it to update those DNS servers when you start the VPN and when you end it.  In theory, you could just manually edit your resolv.conf file yourself (as root) but it would be a pain and some service might switch it back.  This way it is all handled automatically as part of your starting and stopping the vpn.

Last edited by rabarrett (2016-01-06 01:45:30)
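
An added example, not part of the post above or of any project's code: a small POSIX shell audit that checks a client config for the three directives listed in the post and reports resolv.conf nameservers that are not the VPN's. The function names are hypothetical, and the sample files and the addresses 10.8.0.1 and 192.168.1.1 are constructed.

```shell
#!/bin/sh
# Added example: audit an OpenVPN client config and resolv.conf for the DNS hooks.
HOOK=/etc/openvpn/update-resolv-conf

# Print every directive from the post above that the config file $1 lacks.
missing_dns_hooks() {
    # Drop comments (# or ;) and normalise whitespace before matching.
    clean=$(sed -e 's/[#;].*$//' -e 's/[[:space:]][[:space:]]*/ /g' \
                -e 's/^ //' -e 's/ $//' "$1")
    # OpenVPN only runs user scripts when script-security is 2 or higher.
    level=$(printf '%s\n' "$clean" |
        awk '$1 == "script-security" { l = $2 } END { print l + 0 }')
    [ "$level" -ge 2 ] || echo "script-security 2"
    for d in up down; do
        printf '%s\n' "$clean" | grep -qxF "$d $HOOK" || echo "$d $HOOK"
    done
}

# Print nameservers in resolv.conf file $1 that are not among the VPN
# DNS servers given as the remaining arguments (a possible DNS leak).
leaking_nameservers() {
    resolv=$1; shift
    awk '$1 == "nameserver" { print $2 }' "$resolv" | while read -r ns; do
        case " $* " in *" $ns "*) ;; *) echo "$ns" ;; esac
    done
}

# Constructed sample files (not taken from a real system).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' client 'dev tun' 'proto udp' auth-user-pass comp-lzo > "$tmp/bare.ovpn"
{ cat "$tmp/bare.ovpn"
  printf '%s\n' 'script-security 2' "up $HOOK   # set VPN DNS" "down $HOOK"
} > "$tmp/fixed.ovpn"
printf 'nameserver %s\n' 192.168.1.1 10.8.0.1 > "$tmp/resolv.leak"
printf 'nameserver %s\n' 10.8.0.1 > "$tmp/resolv.ok"

echo "bare config is missing:"; missing_dns_hooks "$tmp/bare.ovpn"
echo "non-VPN resolvers still in use:"; leaking_nameservers "$tmp/resolv.leak" 10.8.0.1
```

On a real machine, point the first function at the .conf or .ovpn file in /etc/openvpn and the second at /etc/resolv.conf while the tunnel is up, passing the DNS servers your VPN provider assigns.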
