[ViX_Misc] OpenVPN upgrade



finbarr
07-04-14, 14:02
Just wondering if it would be possible to update the version of OpenVPN that VIX uses. Currently it is set to 2.1.3 which dates back to 2010-2011.

2.3.2 is the latest, and it includes major changes even compared to latest 2.2.x release:


Full IPv6 support
SSL layer modularised, enabling easier implementation for other SSL libraries
PolarSSL support as a drop-in replacement for OpenSSL
New plug-in API providing direct certificate access, improved logging API and easier to extend in the future
Added 'dev_type' environment variable to scripts and plug-ins - which is set to 'TUN' or 'TAP'
New feature: --management-external-key - to provide access to the encryption keys via the management interface
New feature: --x509-track option, more fine grained access to X.509 fields in scripts and plug-ins
New feature: --client-nat support
New feature: --mark which can mark encrypted packets from the tunnel, suitable for more advanced routing and firewalling
New feature: --management-query-proxy - manage proxy settings via the management interface (supersedes --http-proxy-fallback)
New feature: --stale-routes-check, which cleans up the internal routing table
New feature: --x509-username-field, where other X.509v3 fields can be used for the authentication instead of Common Name
Improved client-kill management interface command
Improved UTF-8 support - and added --compat-names to provide backwards compatibility with older scripts/plug-ins
Improved auth-pam with COMMONNAME support, passing the certificate's common name in the PAM conversation
More options can now be used inside <connection> blocks
Completely new build system, enabling easier cross-compilation and Windows builds
Much of the code has been better documented
Many documentation updates
Plenty of bug fixes and other code clean-ups

andyblac
08-04-14, 11:16
Just wondering if it would be possible to update the version of OpenVPN that VIX uses. Currently it is set to 2.1.3 which dates back to 2010-2011.

2.3.2 is the latest, and it includes major changes even compared to latest 2.2.x release:


Full IPv6 support
SSL layer modularised, enabling easier implementation for other SSL libraries
PolarSSL support as a drop-in replacement for OpenSSL
New plug-in API providing direct certificate access, improved logging API and easier to extend in the future
Added 'dev_type' environment variable to scripts and plug-ins - which is set to 'TUN' or 'TAP'
New feature: --management-external-key - to provide access to the encryption keys via the management interface
New feature: --x509-track option, more fine grained access to X.509 fields in scripts and plug-ins
New feature: --client-nat support
New feature: --mark which can mark encrypted packets from the tunnel, suitable for more advanced routing and firewalling
New feature: --management-query-proxy - manage proxy settings via the management interface (supersedes --http-proxy-fallback)
New feature: --stale-routes-check, which cleans up the internal routing table
New feature: --x509-username-field, where other X.509v3 fields can be used for the authentication instead of Common Name
Improved client-kill management interface command
Improved UTF-8 support - and added --compat-names to provide backwards compatibility with older scripts/plug-ins
Improved auth-pam with COMMONNAME support, passing the certificate's common name in the PAM conversation
More options can now be used inside <connection> blocks
Completely new build system, enabling easier cross-compilation and Windows builds
Much of the code has been better documented
Many documentation updates
Plenty of bug fixes and other code clean-ups



I'll take a look, but I am rather busy atm. I presume a new config screen would be needed also, for the new options?

finbarr
08-04-14, 11:23
No rush thanks Andy.

I don't think any UI changes would be needed. The current Start/Stop/Autostart options would be the exact same I imagine, and should hopefully still work with the /etc/init.d/openvpn script.

I tried to compile 2.3.2 myself yesterday, but I didn't get far.

Let me know if you need me to test the addon on my Duo2.

Huevos
08-04-14, 12:19
Let me know if you need me to test the addon on my Duo2.

A thorough tutorial would be nice.

finbarr
08-04-14, 12:24
A thorough tutorial would be nice.

Tutorial on which now?

finbarr
08-04-14, 12:51
A thorough tutorial would be nice.

If you want to set up a server, I wrote a tutorial a couple of weeks ago.

'Guide to setting up an OpenVPN server on Vix (http://www.world-of-satellite.com/showthread.php?36336-Guide-to-setting-up-an-OpenVPN-server-on-Vix)'

rossi2000
08-04-14, 13:33
the openvpn HOWTO is located here:-

http://openvpn.net/index.php/open-source/documentation/howto.html

Andy, you should be able to update the download URL in the bb with the new download link below; I have compiled + used new openvpns in OE a while back.

http://swupdate.openvpn.org/community/releases/openvpn-2.3.2.tar.gz

finbarr
10-04-14, 21:31
A note about the recent OpenSSL 'Heartbleed' vulnerability in older versions of OpenVPN:

https://community.openvpn.net/openvpn/wiki/heartbleed

finbarr
17-04-14, 16:06
Looks like version 2.3.3 of OpenVPN has the Heartbleed fix. I would be anxious to get that running in Helios if at all possible due to the severity of the security hole.

Larry-G
17-04-14, 16:08
Helios includes an updated version of OpenSSL that fixes the heartbleed issue.

finbarr
17-04-14, 16:10
Class. Thanks for the heads up.

andyblac
18-04-14, 01:58
Looks like version 2.3.3 of OpenVPN has the Heartbleed fix. I would be anxious to get that running in Helios if at all possible due to the severity of the security hole.

and OpenVPN has been updated ;), as per requests.


https://github.com/oe-alliance/oe-alliance-core/commit/c8eccef3357db7c57c2bb08b0cbc429c7b348868

finbarr
19-04-14, 17:54
OpenVPN working great in Helios, thanks Andy.

FYI, I had to run this command (in addition to the tutorial) to get the server to run OK (source (http://clintboessen.blogspot.ie/2009/10/openvpn-issue-on-ubuntu-jaunty-904.html)):

groupadd -g 1002 nobody

Larry-G
20-04-14, 06:59
Sorry but I don't use OpenVPN, so if you tell me whereabouts in the tutorial you want this part added I'll amend it for you.

finbarr
22-04-14, 14:31
Guide should be fine without that Pheonix as

Step 7 has './build-ca' mentioned twice. The first can be removed.

Also step 11 has 'mv -r...' Maybe remove the -r as it is not needed in a unix move.

finbarr
22-04-14, 14:32
Also add a last step to remind people to comment out logging in Step 13 just in case it fills up storage. Thanks!

Larry-G
22-04-14, 14:32
Guide should be fine without that Pheonix as

Step 7 has './build-ca' mentioned twice. The first can be removed.

Also step 11 has 'mv -r...' Maybe remove the -r as it is not needed in a unix move.

Thanks for the clarification, if you ever do want it updating just let me know and I'll sort it for you.

finbarr
22-04-14, 14:42
Sorry my first post there was meant to read...

Guide should be fine without that line Pheonix as that command is only needed when adding extra security config options as per the OpenVPN HOWTO.

rossi2000
22-04-14, 15:03
I've used openvpn for many years, different versions, on different OS's and I've never had to use any extra commands to get it to work.

Tomthumb
22-04-14, 15:15
Hi Rossi, I have a vpn account that works perfect on my PCs at home, and yet on vix everything is telling me it's connecting..but it's not working properly; been pulling my hair out.

I have installed Openvpn, I get an "Initialization Sequence Completed" at the end of my log when starting it. In telnet I get a tun0 device appearing if I do ifconfig. The IP of the box also is confirmed as changing if I do "curl ipecho.net/plain"; after starting openvpn it 100% correctly states my new vpn's IP as it should..stop openvpn and the IP reverts back.

On a PC I can connect to whatever I want and it uses the vpn to connect and is 100% superb. With the Tm nano-oe however it makes no difference; I cannot connect to the same sites as I can on the PC using the same vpn... ie solar movies/primewire

It is almost as if the tun0 device is not in fact being used by Tsmedia at all.

rossi/anybody shed any light on this matter at all? before I lose what's left of my sanity :)

rossi2000
22-04-14, 15:21
When you say it's running on your nano, can you connect to your box on the vpn IP via ftp?

Post your configs. I guess as you're trying to bypass restrictions you only got client config?

Tomthumb
22-04-14, 18:19
Yeah trying to bypass restrictions, only have a client config, using Torvpn.
Config below

client
dev tun
proto udp
remote 89.248.174.41 443
remote 93.174.93.174 443
remote 93.174.93.224 443
remote 80.82.70.202 443
remote 80.82.70.245 443
remote 89.248.162.153 443
remote 89.248.172.148 443
remote 89.248.172.147 443
remote 89.248.172.103 443
remote 89.248.172.45 443
remote 89.248.169.34 443
remote 94.102.63.16 443
remote 94.102.63.17 443
remote 94.102.63.18 443
remote 94.102.63.21 443
remote 94.102.49.198 443
remote 89.248.169.106 443
remote 89.248.169.36 443
remote 89.248.173.115 443
remote 80.82.64.239 443
remote 80.82.64.234 443
remote 80.82.64.233 443
remote 94.102.56.145 443
remote 94.102.56.181 443
remote 94.102.56.151 443
remote 80.82.70.236 1194
remote 89.248.160.202 1194
remote 80.82.65.187 1194
tls-client
resolv-retry 5
nobind
fast-io
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca globalca.crt
auth-user-pass /etc/openvpn/password.conf
comp-lzo
route-delay 5 30
script-security 3 system
mute-replay-warnings
log-append /etc/openvpn/openvpn.log
verb 3

Tomthumb
22-04-14, 18:24
Log from connection conf in last post

Tue Apr 22 18:20:54 2014 OpenVPN 2.1.3 mipsel-oe-linux [SSL] [LZO2] [EPOLL] built on Apr 1 2014
Tue Apr 22 18:20:54 2014 WARNING: file '/etc/openvpn/password.conf' is group or others accessible
Tue Apr 22 18:20:54 2014 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Apr 22 18:20:54 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Apr 22 18:20:54 2014 NOTE: --script-security method='system' is deprecated due to the fact that passed parameters will be subject to shell expansion
Tue Apr 22 18:20:54 2014 LZO compression initialized
Tue Apr 22 18:20:54 2014 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Apr 22 18:20:54 2014 Socket Buffers: R=[163840->131072] S=[163840->131072]
Tue Apr 22 18:20:54 2014 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Apr 22 18:20:54 2014 Local Options hash (VER=V4): 'd3a7571a'
Tue Apr 22 18:20:54 2014 Expected Remote Options hash (VER=V4): '5b1533a2'
Tue Apr 22 18:20:54 2014 UDPv4 link local: [undef]
Tue Apr 22 18:20:54 2014 UDPv4 link remote: 89.248.174.41:443
Tue Apr 22 18:20:54 2014 TLS: Initial packet from 89.248.174.41:443, sid=2c2a7294 53db424e
Tue Apr 22 18:20:54 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Apr 22 18:20:55 2014 VERIFY OK: depth=1, /C=US/ST=FL/L=Orlando/O=TorGuard/OU=VPN/CN=TG-OVPN-CA/name=TorGuard/emailAddress=sysadmin@torguard.net
Tue Apr 22 18:20:55 2014 VERIFY OK: depth=0, /C=US/ST=FL/L=Orlando/O=TorGuard/OU=VPN/CN=TG-OVPN-CA/name=TorGuard/emailAddress=sysadmin@torguard.net
Tue Apr 22 18:20:56 2014 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Apr 22 18:20:56 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 22 18:20:56 2014 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Apr 22 18:20:56 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 22 18:20:56 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Apr 22 18:20:56 2014 [TG-OVPN-CA] Peer Connection Initiated with 89.248.174.41:443
Tue Apr 22 18:20:58 2014 SENT CONTROL [TG-OVPN-CA]: 'PUSH_REQUEST' (status=1)
Tue Apr 22 18:20:59 2014 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.9.0.1,topology net30,ping 5,ping-restart 30,ifconfig 10.9.0.18 10.9.0.17'
Tue Apr 22 18:20:59 2014 OPTIONS IMPORT: timers and/or timeouts modified
Tue Apr 22 18:20:59 2014 OPTIONS IMPORT: --ifconfig/up options modified
Tue Apr 22 18:20:59 2014 OPTIONS IMPORT: route options modified
Tue Apr 22 18:20:59 2014 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Apr 22 18:20:59 2014 ROUTE default_gateway=192.168.1.254
Tue Apr 22 18:20:59 2014 TUN/TAP device tun0 opened
Tue Apr 22 18:20:59 2014 TUN/TAP TX queue length set to 100
Tue Apr 22 18:20:59 2014 /sbin/ifconfig tun0 10.9.0.18 pointopoint 10.9.0.17 mtu 1500
Tue Apr 22 18:21:04 2014 /sbin/route add -net 89.248.174.41 netmask 255.255.255.255 gw 192.168.1.254
Tue Apr 22 18:21:04 2014 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.9.0.17
Tue Apr 22 18:21:04 2014 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.9.0.17
Tue Apr 22 18:21:04 2014 /sbin/route add -net 10.9.0.1 netmask 255.255.255.255 gw 10.9.0.17
Tue Apr 22 18:21:04 2014 Initialization Sequence Completed

I can confirm box IP changes after starting openvpn plugin..but still no connection to restricted stuff on tsmedia. Also I can't connect on VPN IP through to ftp :(
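As an added example (not the poster's tooling, nor anything shipped by OpenVPN or ViX), here is a small Python linter that flags, offline, the four conditions this log itself warned about: no server certificate verification, the deprecated script-security 'system' method, a group/other-readable auth-user-pass file, and a missing auth-nocache. It is run against a constructed, abridged copy of the posted client config and a corrected version of it; the set of directives accepted as "server verification" is my assumption from the OpenVPN options.

```python
"""Lint an OpenVPN client config for the settings OpenVPN 2.1.3 itself warned
about in the log above.  Added example; not the poster's or OpenVPN's code."""
import os
import shlex
import stat

# Any of these makes OpenVPN check the server cert beyond the CA chain (assumed
# set); 'remote-cert-tls server' is what the HOWTO's MITM section recommends.
SERVER_VERIFY = {"remote-cert-tls", "remote-cert-eku", "ns-cert-type", "tls-verify"}


def parse_directives(config_text):
    """Return (name, args) pairs, skipping blanks, comments and the bodies
    of inline <ca>...</ca> style blocks."""
    directives, in_block = [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif not in_block:
            parts = shlex.split(line)
            directives.append((parts[0], parts[1:]))
    return directives


def lint_client_config(config_text):
    """Return a list of findings; an empty list means every check passed."""
    directives = parse_directives(config_text)
    names = {name for name, _ in directives}
    findings = []
    # Log: "WARNING: No server certificate verification method has been enabled"
    if names & {"client", "tls-client"} and not names & SERVER_VERIFY:
        findings.append("no server cert verification; add 'remote-cert-tls server'")
    for name, args in directives:
        # Log: "--script-security method='system' is deprecated" (shell expansion)
        if name == "script-security" and "system" in args:
            findings.append("script-security 'system' method; use the execve default")
        # Log: "WARNING: file '...' is group or others accessible"
        # (only checkable when the file exists on this machine)
        if name == "auth-user-pass" and args and os.path.exists(args[0]):
            mode = stat.S_IMODE(os.stat(args[0]).st_mode)
            if mode & 0o077:
                findings.append("credentials file %s is mode %04o; chmod 600 it"
                                % (args[0], mode))
    # Log: "this configuration may cache passwords in memory -- use auth-nocache"
    if "auth-user-pass" in names and "auth-nocache" not in names:
        findings.append("auth-user-pass without auth-nocache; password cached in RAM")
    return findings


# Constructed, abridged form of the client config posted above.
POSTED_CONFIG = """\
client
tls-client
remote 89.248.174.41 443
ca globalca.crt
auth-user-pass /etc/openvpn/password.conf
script-security 3 system
"""

# The same config with each warned-about setting corrected.
HARDENED_CONFIG = POSTED_CONFIG.replace("script-security 3 system", "script-security 2") \
    + "auth-nocache\nremote-cert-tls server\n"
```

Running lint_client_config(POSTED_CONFIG) lists three findings and lint_client_config(HARDENED_CONFIG) none; the file-permission check is exercised only when the named credentials file exists.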

Tomthumb
22-04-14, 23:26
Just thought to add ...808 and every zeus version so far I have tried acts the same.. can't try Helios due to not out for Tm yet :(

finbarr
23-04-14, 02:40
I've used openvpn for many years, different versions, on different OS's and I've never had to use any extra commands to get it to work.

That's probably because you've not turned on this feature:


If you are using Linux, BSD, or a Unix-like OS, you can improve security by uncommenting out the user nobody and group nobody directives.

If you do that with the latest build, you get an error that the user 'nobody' does not exist. That's because the user group has changed ID. The command in the previous post fixes that and OpenVPN server can work again.

MarsArtis
23-04-14, 23:54
Just flashed my Duo to Helios 06 and restored settings from Zeus 023.
Openvpn won't start at all.
Any clue before I restore Zeus?

Sent from my GT-I9505 using Tapatalk

judge
24-04-14, 00:04
Just flashed my Duo to Helios 06 and restored settings from Zeus 023.
Openvpn won't start at all.
Any clue before I restore Zeus?


No clues without a debug log...

finbarr
24-04-14, 00:55
OpenVPN config is not saved as part of a settings backup. You will need to reconfigure OpenVPN again. This is recommended anyway due to the severity of the OpenSSL bug that existed in the previous version of OpenVPN.

MarsArtis
24-04-14, 22:48
OpenVPN config is not saved as part of a settings backup. You will need to reconfigure OpenVPN again. This is recommended anyway due to the severity of the OpenSSL bug that existed in the previous version of OpenVPN.

Thx for that clue.
I'll give it a 2nd try

Tomthumb
25-04-14, 11:40
Anybody any ideas with my issue?

duocams
19-06-14, 19:35
Thanks for your good work!
Is it possible to use one of the client configs as a Duo client? So that the duo2 works as server and the duo as client stays outside my house. Now I used remotestreamconverter with internet IP, that works but I can't connect to the map /hdd/media on the client.

finbarr
19-06-14, 19:48
Sure. You can use anything as a client.

duocams
19-06-14, 21:46
Thanks for your good work!
Is it possible to use one of the client configs as a Duo client? So that the duo2 works as server and the duo as client stays outside my house. Now I used remotestreamconverter with internet IP, that works but I can't connect to the map /hdd/media on the client.

map /hdd/media on the server

finbarr
02-07-14, 15:26
Andy, could the latest update of openvpn be used in a future update? E.g. 2.3.4
https://openvpn.net/index.php/open-source/downloads.html

Pseudomax
19-10-14, 17:52
Hi

I am a relative newbie to both linux & my Vu+ Duo2 box which I have flashed with the Vix image. That said I have reasonable skills and have dabbled in linux before at a similar level to that described below ...

My issue is that I am trying to install OpenVPN-2.3.4 but using the very helpful guide by finbarr found at http://www.world-of-satellite.com/showthread.php?36336-Guide-to-setting-up-an-OpenVPN-server-on-Vix

However this is a guide to install the older OpenVPN 2.2.2 and having read about some of the discovered vulnerabilities in this version I am trying to install the most up-to-date version. But the directory structures and files seem to be quite different between the versions and trying to adapt the principles in the guide to the new version has gone beyond my capabilities.

To date I have:

Installed the service from within the menu settings on Vix (and I think this is the newer version?) but I can't start it and when I look in the /etc/openvpn/ directory it is empty.
I have copied the latest openvpn-2.3.4 and the easy-rsa-2.2.0 tar files to the /tmp/ folder and decompressed them. I have then tried to copy into the /etc/openvpn/ folder as well as the easy-rsa directories, but this obviously did not solve the problem.
I have looked for help on the OpenVPN support page and tried to ./configure from the top directory of /openvpn/ but this gives an error that it doesn't recognise the Linux build being used.



At this point I decided to ask for HELP!! :confused:

I also would appreciate help on potentially using Hola.net VPN so I can watch Hulu.com ... not sure whether OpenVPN will manage to do this too? I am happy to pay for the VPN service to get a good quality service for streaming.

Any help is appreciated!

Thanks

Pseudomax
19-10-14, 17:56
Just to clarify ... I do realise that the 2 questions above are separate (as in the OpenVPN service will allow me to secure my network for streaming my Vu+ box outside my home ... the hola is to bypass geolocation limitations ... but the most 'elegant' solution is what I am looking for ...)

finbarr
19-10-14, 21:24
Did you try following the guide fully? The instructions are pretty complete. The reason it uses easyrsa 2 is because easy-rsa is no longer bundled with openvpn builds. This is just used to generate the keys and does not actively run all the time.

Vix uses the latest openvpn so that includes the Heartbleed fixes.

Pseudomax
20-10-14, 23:55
I did note that and downloaded the latest version of both easy-rsa as well as the Openvpn-2.3.4.tar.gz, decompressed them (all in the tmp folder) and then copied them to the etc/openvpn/ folder (as I assumed that given this was empty that this was the problem). I also tried the './configure' & 'make install' commands unsuccessfully from both the /etc/openvpn/ folder as well as the /tmp/ folder ... all unsuccessfully.

So ... I suppose the short answer to your question is that 'no' I didn't follow exactly ... but that was only because when I typed in the commands line by line I was installing the Openvpn-2.2.2 version ... and as I say when I changed the commands to reflect the Openvpn-2.3.4 version some of the file structure has changed sufficiently to prevent the commands working.

So I came to a halt really before anything was installed properly ...

Below are the lines of code I have tried:
cd /tmp/
wget http://swupdate.openvpn.org/community/releases/openvpn-2.2.2.tar.gz
tar -xvf openvpn-2.2.2.tar.gz
cp -r /tmp/openvpn-2.2.2/easy-rsa/ /etc/openvpn/ ...error at this point
cp /tmp/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn/
cp /tmp/openvpn-2.2.2/sample-config-files/client.conf /etc/openvpn/client.ovpn
cd /etc/openvpn/easy-rsa/2.0/
chmod 777 *

Then:
cd /tmp/
wget http://swupdate.openvpn.org/community/releases/openvpn-2.3.4.tar.gz
tar -xvf openvpn-2.3.4.tar.gz
cp -r /tmp/openvpn-2.3.4/easy-rsa/ /etc/openvpn/ ...error at this point due to the lack of easy-rsa in the new releases
cp /tmp/openvpn-2.3.4/sample-config-files/server.conf /etc/openvpn/
cp /tmp/openvpn-2.3.4/sample-config-files/client.conf /etc/openvpn/client.ovpn
cd /etc/openvpn/easy-rsa/2.0/
chmod 777 *

Then:
cd /tmp/
wget http://swupdate.openvpn.org/community/releases/openvpn-2.3.4.tar.gz
wget http://swupdate.openvpn.org/community/releases/easy-rsa-2.2.0_master.tar.gz
tar -xvf openvpn-2.3.4.tar.gz
tar -xvf easy-rsa-2.2.0_master.tar.gz

.... I then tried various copy commands of variations/combinations of the folders of both Openvpn & easy-rsa ... all clearly unsuccessfully ...
cp -r /tmp/openvpn-2.3.4/easy-rsa/ /etc/openvpn/

I am sure those with the skill are probably shaking their heads saying here is a real newbie! ... but I would greatly appreciate a little direction on this!!

Many thanks!

finbarr
22-10-14, 17:32
Below are the lines of code I have tried:
cd /tmp/
wget http://swupdate.openvpn.org/community/releases/openvpn-2.2.2.tar.gz
tar -xvf openvpn-2.2.2.tar.gz
cp -r /tmp/openvpn-2.2.2/easy-rsa/ /etc/openvpn/ ...error at this point

Ok one part at a time.

Did you install OpenVPN from the feeds (in the UI, go to Settings>Setup>Network>OpenVPN and select Yes to install if you have not already done so)?

Then on the command line run:


mkdir /etc/openvpn

if that directory doesn't exist.

Pseudomax
23-10-14, 09:03
Yes, I did install OpenVPN and there was a directory created /etc/openvpn/

finbarr
23-10-14, 11:41
So what error did you get then?

Pseudomax
23-10-14, 22:37
It didn't give an error when done through the on screen setup from the remote menu. However, when I tried to start the VPN there was no ability to configure or do anything ...?! (hence why I started to look for guides and came across your own ...)

(thanks for the help btw)

finbarr
29-10-14, 10:23
There is a large amount of configuration needed on the command line, and if you follow my guide steps, albeit with newer versions of OpenVPN, it will work.

However, as I said in the guide, if you are not comfortable with Linux and the command line, then I wouldn't delve into it.

If you are interested in learning more, I would suggest having a good read of the OpenVPN HOWTO (https://openvpn.net/howto.html) (which is what I did before I knew how to set one up).

finbarr
10-12-15, 16:50
There is now version 2.3.8 of OpenVPN.

Can the Bitbake recipe be updated to build this in the next update?


https://openvpn.net/index.php/open-source/downloads.html