[kgoerbig]

Hi All,

My setup:

Raspberry PI2 #1 - Setup as a VPN Server. I setup the server using this script:

https://github.com/StarshipEngineer/OpenVPN-Setup.git

Raspberry PI2 #2 - Setup as a dedicated Media Center using OSMC

I am able to access from my MediaCenter, login, and I can see traffic pass across tun0 and traffic passing on the physical vpn eth0 while it is running, so I know it is working in that respect.

My issue, is that I can only login via CLI from the mediacenter, and when I do I am presented with a request for a "Private Password":


root@osmc:~# openvpn /home/osmc/vpn-config/osmc.ovpn
Fri Feb 5 09:57:22 2016 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 19 2015
Fri Feb 5 09:57:22 2016 library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08
Enter Private Key Password:


Same applies using the Kodi "openvpn" addon (https://github.com/brianhornsby/script.openvpn). I try to initiate the VPN connection with the addon, and with the debug mode on a prompt for a private key flashes.

Is there a way in Kodi to execute 'openvpn /home/osmc/vpn-config/osmc.ovpn' and when it asks for a 'Private Key Password' the virtual keyboard populates?

[DarrenHill]

Which version of Raspbian is your server Pi running?

I have a similar set-up, and originally mine was running Wheezy and I couldn't get OpenVPN to connect to it (in my case under OpenElec using Lrusak's excellent OpenVPN add-on for OE).

In the end it was due to my server's OpenVPN version being too old. I rebuilt it using Jessie-Lite, and it's now working beautifully and connects every time with the server (mine was built using this tutorial, but yours may work equally well).

[kgoerbig]

I have Full Jessie version installed on the VPN-PI. I disabled the gui through raspi-config. I am running OpenVPN 2.3.4.

When you login into OpenVPN do you get prompted for a "Private Key Password"? If not, where or what method did you follow for your VPN setup?

As I said, my VPN works, it's just the extra password authentication that OpenVPN prompts for is causing issues from kodi. I'm wondering if that Openelec version will work in OSMC.

[DarrenHill]

No, no login needed. Can you post your ovpn file, suitably redacted to remove the sensitive information?

You can include or link to key files in there, I'd guess you're missing one which it is replacing by asking you to type the key in.

[kgoerbig]

client
dev tun
proto udp
remote 192.168.2.20 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 1
mute 20
<ca>


-----BEGIN CERTIFICATE-----


Keys

[DarrenHill]

For comparison, this is mine (with sensitive details removed):

Code:

client
dev tun
proto udp
remote {{myexternalIPaddress}} 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
;ca ca.crt
;cert client.crt
;key client.key
ns-cert-type server
comp-lzo
verb 3
<ca>
-----BEGIN CERTIFICATE-----
{{mycertdetails}}
-----END CERTIFICATE-----
</ca>
<cert>
{{myprofiledetails}}
-----BEGIN CERTIFICATE-----
{{mycertdetails}}
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
{{mykeydetails}}
-----END PRIVATE KEY-----
</key>

Depending on what you've removed from the bottom, you may be missing some of the built-in key and certificate information (the details from the files normally linked to by the ;ca ca.crt ;cert client.crt ;key client.key lines which are commented out here as the information is built into the ovpn file).

I also note that your IP address is an internal network one, not a public IP address. So whilst it will work fine on your local network, it won't work from the wider internet unless you have some sort of portal in place (which would make the VPN kinda redundant). Is that just for testing, as it should normally be the public IP address of your router or gateway.

You can also add a line auth-user-pass login.txt, and put a text file called login.txt in the same folder as your ovpn file (or point to it with an absolute path before the filename). That is just a 2-line file, the first line being your user name and the second being your password. Not the most secure way in the world, but it can be used to pass basic log-in details automatically (and you'll get a warning comment in the log/screen text about security).

[kgoerbig]

Alright, I think I have this working. Testing connection from:

client (PI media Center) - to - server (PI VPN server):

traceroute to http://www.google.com (216.58.216.196), 30 hops max, 60 byte packets
1 10.8.0.1 (10.8.0.1) 6.491 ms 6.466 ms 6.486 ms
2 OpenWrt.lan (192.168.2.1) 6.643 ms 6.622 ms 6.717 ms
3 96.120.40.241 (96.120.40.241) 12.166 ms 18.453 ms 19.028 ms

...[remaining hops excluded]....

I am also able to connect to the vpn server from the client without a private key password prompt. So, if I were to say stream video via a torrent session with my Media Center PI while connected to my VPN server, would that be sufficient enough to encrypt the traffic so not to get picked off for any type of copyright violation?