I am trying to get my old pi running a VPN server so I can access local resources from outside my local network.

Following the steps below:

curl -L https://install.pivpn.io | bash

Selecting default settings, OpenVPN, DHCP reservation, udp, port 1194, CloudFlare and rebooting

pivpn add

Trying to connect to the server from another device with the generated .ovpn file imported brings no joy.

I have tried uninstalling and reinstalling OpenVPN following the same steps, which to no surprise gave the same outcome.

When rebooting, I get [OK] started OpenVPN service then [FAILED] Failed to start OpenVPN connection to server

This suggests running the command systemctl status openvpn@server.service

Doing this gives the following output:

● openvpn@server.service - OpenVPN connection to server
     Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled; vendor preset: enabled)
     Active: activating (auto-restart) (Result: exit-code) since Wed 2022-03-30 12:35:52 BST; 231ms ago
       Docs: man:openvpn(8)
             https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
             https://community.openvpn.net/openvpn/wiki/HOWTO
    Process: 744 ExecStart=/usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server.conf --writepid /run/openvpn/server.pid (code=exited, status=1/FAILURE)
   Main PID: 744 (code=exited, status=1/FAILURE)
        CPU: 274ms

pivpn -d gives the following output:

::: Generating Debug Output
::::            PiVPN debug              ::::
=============================================
::::            Latest commit            ::::
Branch: master
Commit: f80b0a7962d91862132c0a4abd65c1e67bd37bd7
Author: 4s3ti
Date: Fri Dec 3 21:41:13 2021 +0100
Summary: Update Changelog
=============================================
::::        Installation settings        ::::
PLAT=Raspbian
OSCN=bullseye
USING_UFW=0
IPv4dev=wlan0
dhcpReserv=1
IPv4addr=192.168.1.212/24
IPv4gw=192.168.1.254
install_user=pi
install_home=/home/pi
VPN=openvpn
pivpnPROTO=udp
pivpnPORT=1194
pivpnDNS1=1.1.1.1
pivpnDNS2=1.0.0.1
pivpnSEARCHDOMAIN=
pivpnHOST=REDACTED
TWO_POINT_FOUR=1
pivpnENCRYPT=256
USE_PREDEFINED_DH_PARAM=
INPUT_CHAIN_EDITED=0
FORWARD_CHAIN_EDITED=0
pivpnDEV=tun0
pivpnNET=10.8.0.0
subnetClass=24
ALLOWED_IPS=""
UNATTUPG=1
INSTALLED_PACKAGES=(openvpn)
HELP_SHOWN=1
=============================================
::::  Server configuration shown below   ::::
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/raspberrypi_9b23f305-6583-48ad-b87a-1815a883620c.crt
key /etc/openvpn/easy-rsa/pki/private/raspberrypi_9b23f305-6583-48ad-b87a-1815a883620c.key
dh none
ecdh-curve prime256v1
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io
=============================================
::::  Client template file shown below   ::::
client
dev tun
proto udp
remote REDACTED 1194
resolv-retry infinite
nobind
remote-cert-tls server
tls-version-min 1.2
verify-x509-name raspberrypi_9b23f305-6583-48ad-b87a-1815a883620c name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
=============================================
::::    Recursive list of files in       ::::
::: /etc/openvpn/easy-rsa/pki shows below :::
/etc/openvpn/easy-rsa/pki/:
ca.crt
crl.pem
Default.txt
ecparams
index.txt
index.txt.attr
index.txt.attr.old
index.txt.old
iphone.ovpn
issued
openssl-easyrsa.cnf
private
renewed
revoked
safessl-easyrsa.cnf
serial
serial.old
ta.key

/etc/openvpn/easy-rsa/pki/ecparams:
prime256v1.pem

/etc/openvpn/easy-rsa/pki/issued:
iphone.crt
raspberrypi_9b23f305-6583-48ad-b87a-1815a883620c.crt

/etc/openvpn/easy-rsa/pki/private:
ca.key
iphone.key
raspberrypi_9b23f305-6583-48ad-b87a-1815a883620c.key

/etc/openvpn/easy-rsa/pki/renewed:
private_by_serial
reqs_by_serial

/etc/openvpn/easy-rsa/pki/renewed/private_by_serial:

/etc/openvpn/easy-rsa/pki/renewed/reqs_by_serial:

/etc/openvpn/easy-rsa/pki/revoked:
private_by_serial
reqs_by_serial

/etc/openvpn/easy-rsa/pki/revoked/private_by_serial:

/etc/openvpn/easy-rsa/pki/revoked/reqs_by_serial:
=============================================
::::            Self check               ::::
:: [OK] IP forwarding is enabled
:: [OK] Iptables MASQUERADE rule set
:: [OK] OpenVPN is running
:: [OK] OpenVPN is enabled (it will automatically start on reboot)
:: [ERR] OpenVPN is not listening, try to restart now? [Y/n] y
Done
[INFO] Run pivpn -d again to see if we detect issues
=============================================
:::: Having trouble connecting? Take a look at the FAQ:
:::: https://docs.pivpn.io/faq
=============================================
::::      Snippet of the server log      ::::
Mar 30 11:56:14 raspberrypi ovpn-server[27301]: Consider setting groups/curves preference with tls-groups instead of forcing a specific curve with ecdh-curve.
Mar 30 11:56:14 raspberrypi ovpn-server[27301]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Mar 30 11:56:14 raspberrypi ovpn-server[27301]: Options error: --writepid fails with '/run/openvpn/server.pid': No such file or directory (errno=2)
Mar 30 11:56:14 raspberrypi ovpn-server[27301]: Options error: Please correct these errors.
Mar 30 11:56:14 raspberrypi ovpn-server[27301]: Use --help for more information.
Mar 30 11:56:19 raspberrypi ovpn-server[27314]: Consider setting groups/curves preference with tls-groups instead of forcing a specific curve with ecdh-curve.
Mar 30 11:56:19 raspberrypi ovpn-server[27314]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Mar 30 11:56:19 raspberrypi ovpn-server[27314]: Options error: --writepid fails with '/run/openvpn/server.pid': No such file or directory (errno=2)
Mar 30 11:56:19 raspberrypi ovpn-server[27314]: Options error: Please correct these errors.
Mar 30 11:56:19 raspberrypi ovpn-server[27314]: Use --help for more information.
Mar 30 11:56:30 raspberrypi ovpn-server[27322]: Consider setting groups/curves preference with tls-groups instead of forcing a specific curve with ecdh-curve.
Mar 30 11:56:30 raspberrypi ovpn-server[27322]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Mar 30 11:56:30 raspberrypi ovpn-server[27322]: Options error: --writepid fails with '/run/openvpn/server.pid': No such file or directory (errno=2)
Mar 30 11:56:30 raspberrypi ovpn-server[27322]: Options error: Please correct these errors.
Mar 30 11:56:30 raspberrypi ovpn-server[27322]: Use --help for more information.
Mar 30 11:56:36 raspberrypi ovpn-server[27334]: Consider setting groups/curves preference with tls-groups instead of forcing a specific curve with ecdh-curve.
Mar 30 11:56:36 raspberrypi ovpn-server[27334]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Mar 30 11:56:36 raspberrypi ovpn-server[27334]: Options error: --writepid fails with '/run/openvpn/server.pid': No such file or directory (errno=2)
Mar 30 11:56:36 raspberrypi ovpn-server[27334]: Options error: Please correct these errors.
Mar 30 11:56:36 raspberrypi ovpn-server[27334]: Use --help for more information.
=============================================
::::            Debug complete           ::::
:::
::: Debug output completed above.
::: Copy saved to /tmp/debug.log
:::

Focusing on the error: --writepid fails with '/run/openvpn/server.pid': No such file or directory (errno=2)

I couldn't find any working solutions for this and trying to manually start the server doesn't seem to do anything:

sudo openvpn /etc/openvpn/server/server.conf

2022-03-30 12:15:25 Consider setting groups/curves preference with tls-groups instead of forcing a specific curve with ecdh-curve.

pi@raspberrypi:/etc/openvpn/server $

Looking at the status of the OpenVPN service makes it seem like it is running okay:

systemctl status openvpn

● openvpn.service - OpenVPN service
     Loaded: loaded (/lib/systemd/system/openvpn.service; enabled; vendor preset: enabled)
     Active: active (exited) since Wed 2022-03-30 11:56:42 BST; 27min ago
    Process: 27361 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
   Main PID: 27361 (code=exited, status=0/SUCCESS)
        CPU: 16ms

Mar 30 11:56:42 raspberrypi systemd[1]: Starting OpenVPN service...
Mar 30 11:56:42 raspberrypi systemd[1]: Finished OpenVPN service.

Any suggestions or help would be greatly appreciated. I am quite new to networking and this is the first problem I have had to give in to and ask the experts. If I have missed any information or useful outputs that could help with suggestions, let me know.

  • This was solved by the following on a related question, https://serverfault.com/questions/1003011/openvpn-error-cannot-open-tun-tap-dev-dev-net-tun-no-such-file-or-directory : `mkdir -p /dev/net; mknod /dev/net/tun c 10 200; chmod 600 /dev/net/tun; /etc/init.d/openvpn restart` – Josh Morris Apr 19 '22 at 13:22

1 Answer

OpenVPN - ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)

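#!/bin/bash

# Create the TUN device node if it is missing (character device, major 10, minor 200)
mkdir -p /dev/net
[ -c /dev/net/tun ] || mknod /dev/net/tun c 10 200
chmod 600 /dev/net/tun

# Restart OpenVPN so it picks up the device node
/etc/init.d/openvpn restart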
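
Added example, not part of the original posts or of PiVPN: a small shell triage that pulls the path out of OpenVPN `errno=2` lines, covering both the `--writepid` form in the question's log and the TUN/TAP form in the answer's title, and reports whether a parent directory or the entry itself is missing. The function names and the last sample log line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find which path an OpenVPN "errno=2" startup failure refers to.

# Constructed sample: the first three lines follow the server log in the question,
# the last one follows the error text in the answer's title.
sample_log() {
cat <<'EOF'
Mar 30 11:56:14 raspberrypi ovpn-server[27301]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM).
Mar 30 11:56:14 raspberrypi ovpn-server[27301]: Options error: --writepid fails with '/run/openvpn/server.pid': No such file or directory (errno=2)
Mar 30 11:56:19 raspberrypi ovpn-server[27314]: Options error: --writepid fails with '/run/openvpn/server.pid': No such file or directory (errno=2)
Mar 30 11:56:25 raspberrypi ovpn-server[27320]: ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
EOF
}

# Read log lines on stdin; print each distinct path reported as missing (ENOENT).
# Warnings such as DEPRECATED OPTION carry no errno and are skipped.
missing_paths() {
    sed -nE "s#.* '?(/[^':]*)'?: No such file or directory \(errno=2\).*#\1#p" | sort -u
}

# Print the topmost missing directory above path $1, or nothing if the parent
# directory exists (then the file or device node itself is what is absent).
first_missing_dir() {
    fmd_dir=$(dirname "$1")
    fmd_missing=""
    while [ "$fmd_dir" != "/" ] && [ ! -d "$fmd_dir" ]; do
        fmd_missing=$fmd_dir
        fmd_dir=$(dirname "$fmd_dir")
    done
    printf '%s' "$fmd_missing"
}

# Report what to inspect for every path named in the log on stdin.
triage() {
    missing_paths | while IFS= read -r p; do
        d=$(first_missing_dir "$p")
        if [ -n "$d" ]; then
            echo "$p: directory $d does not exist"
        elif [ -e "$p" ]; then
            echo "$p: exists now (log entry may be stale)"
        else
            echo "$p: parent directory exists, entry itself is absent"
        fi
    done
}

sample_log | triage
```

On a real host, feed it the unit's journal instead of the sample, for example `journalctl -u openvpn@server.service | triage`.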