unofficial mirror of help-guix@gnu.org 
* OpenVPN Service
@ 2020-11-18  2:36 Raghav Gururajan
  2020-11-18 14:06 ` Julien Lepiller
  0 siblings, 1 reply; 5+ messages in thread
From: Raghav Gururajan @ 2020-11-18  2:36 UTC (permalink / raw)
  To: help-guix


Hello Guix!

I am struggling to set up OpenVPN Service Type. Here is my current 
configuration.

*** START ***

(service openvpn-client-service-type
  (openvpn-client-configuration
   (remote
    (list
     (openvpn-remote-configuration
      (name "vpn.riseup.net")
      (port 1194))))
   (auth-user-pass "/etc/openvpn/Riseup.txt")
   (ca "/etc/openvpn/RiseupCA.pem")))

*** END ***

When I do, `sudo herd status vpn-client`, I get:

*** START ***

Status of vpn-client:
   It is stopped.
   It is enabled.
   Provides (vpn-client).
   Requires (networking).
   Conflicts with ().
   Will be respawned.

*** END ***

When I do, `openvpn /gnu/store/[...]-openvpn.conf`, I get:

*** START ***

Options error: --ca fails with '/etc/openvpn/ca.crt': No such file or 
directory (errno=2)
Tue Nov 17 21:32:44 2020 WARNING: cannot stat file 
'/etc/openvpn/client.key': No such file or directory (errno=2)
Options error: --key fails with '/etc/openvpn/client.key': No such file 
or directory (errno=2)
Tue Nov 17 21:32:44 2020 WARNING: file '/etc/openvpn/Riseup.txt' is 
group or others accessible
Options error: Please correct these errors.

*** END ***

Could anyone please help me with this?

Regards,
RG.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: OpenVPN Service
  2020-11-18  2:36 OpenVPN Service Raghav Gururajan
@ 2020-11-18 14:06 ` Julien Lepiller
  2020-11-18 19:54   ` Raghav Gururajan
  2020-11-19  1:04   ` jbranso
  0 siblings, 2 replies; 5+ messages in thread
From: Julien Lepiller @ 2020-11-18 14:06 UTC (permalink / raw)
  To: help-guix, Raghav Gururajan



On 17 November 2020 21:36:07 GMT-05:00, Raghav Gururajan <rg@raghavgururajan.name> wrote:
>Hello Guix!
>
>I am struggling to set up OpenVPN Service Type. Here is my current 
>configuration.
>
>*** START ***
>
>(service openvpn-client-service-type
>  (openvpn-client-configuration
>   (remote
>    (list
>     (openvpn-remote-configuration
>      (name "vpn.riseup.net")
>      (port 1194))))
>   (auth-user-pass "/etc/openvpn/Riseup.txt")
>   (ca "/etc/openvpn/RiseupCA.pem")))
>
>*** END ***
>
>When I do, `sudo herd status vpn-client`, I get:
>
>*** START ***
>
>Status of vpn-client:
>   It is stopped.
>   It is enabled.
>   Provides (vpn-client).
>   Requires (networking).
>   Conflicts with ().
>   Will be respawned.
>
>*** END ***
>
>When I do, `openvpn /gnu/store/[...]-openvpn.conf`, I get:
>
>*** START ***
>
>Options error: --ca fails with '/etc/openvpn/ca.crt': No such file or 
>directory (errno=2)

I'm surprised by this one: you already set ca to something different. Can you share the generated openvpn.conf?

>Tue Nov 17 21:32:44 2020 WARNING: cannot stat file 
>'/etc/openvpn/client.key': No such file or directory (errno=2)
>Options error: --key fails with '/etc/openvpn/client.key': No such file

Ok, looking at the service definition, this is not so surprising: it expects a file in the cert and key fields, and uses the defaults here. I'm surprised it doesn't complain about client.crt. I pushed a small update to the service. After you run guix pull, you should be able to specify (cert 'disabled) and (key 'disabled).

>
>or directory (errno=2)
>Tue Nov 17 21:32:44 2020 WARNING: file '/etc/openvpn/Riseup.txt' is 
>group or others accessible
>Options error: Please correct these errors.

This is only a warning, but you don't want your password to be world readable: chown it to openvpn's user, and chmod it to 600.

>
>*** END ***
>
>Could anyone please help me with this?
>
>Regards,
>RG.


^ permalink raw reply	[flat|nested] 5+ messages in thread
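
Added example, not part of the thread or of Guix: a shell check for the condition behind OpenVPN's "group or others accessible" warning, together with the chown/chmod 600 fix suggested in the reply above. It relies on GNU `stat`; the function names and the `openvpn` owner name mentioned in the comments are assumptions.

```shell
#!/bin/sh
# Added example: audit and tighten the mode of an OpenVPN auth-user-pass file.
# Requires GNU stat (-c), as shipped in coreutils.

# Return 0 when FILE grants nothing to group or others, 1 when it does,
# 2 when FILE is missing or cannot be inspected.
cred_file_private() {
    [ -f "$1" ] || return 2
    mode=$(stat -c '%a' "$1") || return 2
    # Leading 0 makes the mode an octal constant; 077 masks group+other bits.
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Restrict FILE to its owner (0600). When OWNER is given, chown first
# (needs root), e.g. harden_cred_file /etc/openvpn/Riseup.txt openvpn
# where "openvpn" is an assumed account name.
harden_cred_file() {
    file=$1 owner=${2:-}
    if [ -n "$owner" ]; then
        chown "$owner" "$file" || return 1
    fi
    chmod 600 "$file"
}

# Print a one-line verdict and return non-zero when the file needs attention.
audit_cred_file() {
    if cred_file_private "$1"; then
        echo "OK: $1 is owner-only"
    else
        echo "WARN: $1 is group or others accessible (or missing)"
        return 1
    fi
}

# Demo on a constructed stand-in for the credentials file.
demo=$(mktemp)
chmod 644 "$demo"
audit_cred_file "$demo" || harden_cred_file "$demo"
audit_cred_file "$demo"
rm -f "$demo"
```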

* Re: OpenVPN Service
  2020-11-18 14:06 ` Julien Lepiller
@ 2020-11-18 19:54   ` Raghav Gururajan
  2020-11-19  1:04   ` jbranso
  1 sibling, 0 replies; 5+ messages in thread
From: Raghav Gururajan @ 2020-11-18 19:54 UTC (permalink / raw)
  To: Julien Lepiller, help-guix


Hello Julien!

> I'm surprised by this one: you already set ca to something different. Can you share the generated openvpn.conf?

OOPS! There was a mistake in config.scm. This error is gone now.

Now the openvpn.conf is https://paste.debian.net/1173026/

and error is https://paste.debian.net/1173027/

> Ok, looking at the service definition, this is not so surprising: it expects a file in the cert and key fields, and uses the defaults here. I'm surprised it doesn't complain about client.crt. I pushed a small update to the service. After you run guix pull, you should be able to specify (cert 'disabled) and (key 'disabled).

Thanks a lot! I will try it.

> This is only a warning, but you don't want your password to be world readable: chown it to openvpn's user, and chmod it to 600.

Cool!

Regards,
RG.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: OpenVPN Service
  2020-11-18 14:06 ` Julien Lepiller
  2020-11-18 19:54   ` Raghav Gururajan
@ 2020-11-19  1:04   ` jbranso
  2020-11-19 11:36     ` Julien Lepiller
  1 sibling, 1 reply; 5+ messages in thread
From: jbranso @ 2020-11-19  1:04 UTC (permalink / raw)
  To: Raghav Gururajan, Julien Lepiller, help-guix

I had an issue with openvpn service leaking my DNS queries.  I've set up network manager to manage my vpn connections.  Though, I think I had to use DNS over HTTPS to fix the leaking DNS issue.

November 18, 2020 2:55 PM, "Raghav Gururajan" <rg@raghavgururajan.name> wrote:

> Hello Julien!
> 
>> I'm surprised by this one: you already set ca to something different. Can you share the generated
>> openvpn.conf?
> 
> OOPS! There was a mistake in config.scm. This error is gone now.
> 
> Now the openvpn.conf is https://paste.debian.net/1173026
> 
> and error is https://paste.debian.net/1173027
> 
>> Ok, looking at the service definition, this is not so surprising: it expects a file in the cert and
>> key fields, and uses the defaults here. I'm surprised it doesn't complain about client.crt. I
>> pushed a small update to the service. After you run guix pull, you should be able to specify (cert
>> 'disabled) and (key 'disabled).
> 
> Thanks a lot! I will try it.
> 
>> This is only a warning, but you don't want your password to be world readable: chown it to
>> openvpn's user, and chmod it to 600.
> 
> Cool!
> 
> Regards,
> RG.


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: OpenVPN Service
  2020-11-19  1:04   ` jbranso
@ 2020-11-19 11:36     ` Julien Lepiller
  0 siblings, 0 replies; 5+ messages in thread
From: Julien Lepiller @ 2020-11-19 11:36 UTC (permalink / raw)
  To: jbranso, Raghav Gururajan, help-guix



On 18 November 2020 20:04:33 GMT-05:00, jbranso@dismail.de wrote:
>I had an issue with openvpn service leaking my DNS queries.  I've set
>up network manager to manage my vpn connections.  Though, I think I had
>to use DNS over HTTPS to fix the leaking DNS issue.

Well, this is not something you can configure on the VPN side I think. The server might advertise a DNS server on the VPN, in which case it won't leak. Otherwise, you need to check your DNS settings and default routes to make sure that your DNS server is not on your local network, and uses the VPN route.

DoH does not solve this: it's only a way to use DNS over a different, encrypted port. Usually it's used with an external server (e.g. Cloudflare), but it can also be implemented on your local network, in which case you're still leaking your DNS queries. Again, if you want to use DoH, you need to configure it properly :)

>
>November 18, 2020 2:55 PM, "Raghav Gururajan" <rg@raghavgururajan.name>
>wrote:
>
>> Hello Julien!
>> 
>>> I'm surprised by this one: you already set ca to something
>>> different. Can you share the generated openvpn.conf?
>> 
>> OOPS! There was a mistake in config.scm. This error is gone now.
>> 
>> Now the openvpn.conf is https://paste.debian.net/1173026
>> 
>> and error is https://paste.debian.net/1173027
>> 
>>> Ok, looking at the service definition, this is not so surprising: it
>>> expects a file in the cert and key fields, and uses the defaults here.
>>> I'm surprised it doesn't complain about client.crt. I pushed a small
>>> update to the service. After you run guix pull, you should be able to
>>> specify (cert 'disabled) and (key 'disabled).
>> 
>> Thanks a lot! I will try it.
>> 
>>> This is only a warning, but you don't want your password to be world
>>> readable: chown it to openvpn's user, and chmod it to 600.
>> 
>> Cool!
>> 
>> Regards,
>> RG.


^ permalink raw reply	[flat|nested] 5+ messages in thread
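
Added example, not part of the thread: a shell check for the advice in the message above that each configured DNS server should be reached over the VPN route rather than the local network. The interface name `tun0` and the function names are assumptions, and the sample route line is constructed.

```shell
#!/bin/sh
# Added example: report whether each configured resolver is routed via the VPN.
# The VPN interface name (tun0) is an assumption; pass your own as argument 2.

# Print the resolver addresses listed in a resolv.conf-format file.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Read `ip route get ADDR` output on stdin and print the outgoing interface.
route_dev() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# classify ADDR DEV VPN_IF: print a verdict, return non-zero unless DEV is the VPN.
classify() {
    case "$2" in
        "$3") echo "ok    $1 via $2" ;;
        lo)   echo "stub  $1 is a local forwarder; check its upstream"; return 1 ;;
        *)    echo "LEAK  $1 via ${2:-unknown} (not $3)"; return 1 ;;
    esac
}

# check_dns_routes [FILE] [VPN_IF]: test every resolver against the live routes.
check_dns_routes() {
    file=${1:-/etc/resolv.conf} vpn_if=${2:-tun0} rc=0
    for ns in $(nameservers "$file"); do
        dev=$(ip route get "$ns" 2>/dev/null | route_dev)
        classify "$ns" "$dev" "$vpn_if" || rc=1
    done
    return $rc
}

# Constructed sample of `ip route get 192.168.1.1` output on a leaking host.
sample='192.168.1.1 dev wlan0 src 192.168.1.23 uid 1000'
classify 192.168.1.1 "$(printf '%s\n' "$sample" | route_dev)" tun0 || true
```

Run `check_dns_routes /etc/resolv.conf tun0` while the tunnel is up; a non-zero exit status means at least one resolver is not using the VPN interface.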
