# How do I get OpenVPN to connect to privateinternetaccess



## walterbyrd (Dec 23, 2015)

I am trying to install security/openvpn so I can connect to:

https://www.privateinternetaccess.com/

They have a client install package for Windows, Mac, Android, and Linux, but not FreeBSD

I have OpenVPN installed, I have a user name and password for the VPN service, but I am not sure how to connect.

This is what I have tried:


```
# ping privateinternetaccess.com

PING privateinternetaccess.com (72.52.9.107): 56 data bytes
64 bytes from 72.52.9.107: icmp_seq=0 ttl=242 time=35.483 ms

# pkg install openvpn
# mkdir /usr/local/etc/openvpn
# cd /usr/local/etc/openvpn
# fetch http://www.tf.uni-kiel.de/rbg/vpn/conf/ovpn-conf.zip
# unzip ovpn-confs.zip
# rm ovpn-confs.zip
# openvpn /usr/local/etc/openvpn/TF-normal.ovpn
# openvpn --dev tun --remote host 72.52.9.107

Wed Dec 23 16:51:26 2015 OpenVPN 2.3.8 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Dec  8 2015
Wed Dec 23 16:51:26 2015 library versions: OpenSSL 1.0.1p-freebsd 9 Jul 2015, LZO 2.09
Wed Dec 23 16:51:26 2015 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
Wed Dec 23 16:51:26 2015 RESOLVE: Cannot resolve host address: host: hostname nor servname provided, or not known
Wed Dec 23 16:51:26 2015 TUN/TAP device /dev/tun0 opened
Wed Dec 23 16:51:26 2015 RESOLVE: Cannot resolve host address: host: hostname nor servname provided, or not known
```


----------



## leebrown66 (Dec 24, 2015)

Looking at openvpn(8) and your output


> cannot resolve host address: *host*



I'd wager you'd want to run:
`openvpn --dev tun --remote 72.52.9.107`

However I suspect you have some configuration to do first.


> ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext


----------



## walterbyrd (Dec 24, 2015)

Here is what I get:

`# openvpn --dev tun --remote 72.52.9.107`

```
Thu Dec 24 09:28:18 2015 OpenVPN 2.3.8 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Dec  8 2015
Thu Dec 24 09:28:18 2015 library versions: OpenSSL 1.0.1p-freebsd 9 Jul 2015, LZO 2.09
Thu Dec 24 09:28:18 2015 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
Thu Dec 24 09:28:18 2015 TUN/TAP device /dev/tun0 opened
Thu Dec 24 09:28:18 2015 UDPv4 link local (bound): [undef]
Thu Dec 24 09:28:18 2015 UDPv4 link remote: [AF_INET]72.52.9.107:1194
```


After that, it seems to hang. I do not get a prompt. So am I connected?

If so, what do I do so that my internet sessions are private? I entered that as root, but I am using my browser as a user. 

I also put these two lines in /etc/rc.conf


```
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/TF-normal.ovpn"
```

When my system booted up, I was asked for an openvpn login name, and password. Do they want the login that PIA sent me? I did not have that available, so entered nonsense.


----------



## leebrown66 (Dec 24, 2015)

walterbyrd said:


> Here is what I get:
> 
> `# openvpn --dev tun --remote 72.52.9.107`
> 
> ...


You do realise that message means your connection is *not* encrypted right?  Which means there is nothing private about the connection whatsoever.



walterbyrd said:


> When my system booted up, I was asked for an openvpn login name, and password. Do they want the login that PIA sent me? I did not have that available, so entered nonsense.


I would expect authentication to _require_ the correct username and password.  Would you expect your email login to work if you entered gibberish?  Of course not.

Sorry but I know nothing about openvpn, nor the service you are attempting to use.  I just know how to read a manpage (most of the time  anyway).
You may get more help on an openvpn mailing list or contacting this private internet service.

But first, I would try entering the correct authentication information........


----------



## walterbyrd (Dec 24, 2015)

> I would expect authentication to _require_ the correct username and password. Would you expect your email login to work if you entered gibberish? Of course not.



But at the login, I would not expect openvpn to know anything about PIA, so why use PIA credentials?

Also, I figured that if I launched openvpn later, it would re-prompt for login.


----------



## leebrown66 (Dec 24, 2015)

The contents of that file are:


```
client
dev tun
proto tcp
remote vpngw.tf.uni-kiel.de 1194
resolv-retry infinite
nobind
persist-tun
persist-key
persist-local-ip
persist-remote-ip
tls-remote vpngw.tf.uni-kiel.de
<chop>
reneg-sec 0
auth-user-pass
auth-nocache
comp-lzo
verb 4
```

Indicating you want to connect with vpngw.tf.uni-kiel.de at startup (which resolves to 134.245.247.78 AKA *Faculty of Engineering at Kiel University, Germany*), so it appears you are not trying to connect to PIA with this config.

I would further guess the *auth-user-pass* is why you are being asked for credentials when the service starts.

Where on privateinternet's site are the instructions that told you to download that specific zipfile?
I'm thinking you are trying to connect to a completely different entity.

You could try (and again, I'm guessing) replacing the vpngw.tf.uni-kiel.de with 72.52.9.107 and see if that gets you anywhere, restart the openvpn service, enter the credentials you have and see what happens.


----------



## walterbyrd (Dec 25, 2015)

Okay made the change to file, and tried this:

`# openvpn --config /usr/local/etc/openvpn/TF-normal.ovpn`

I get prompted for name, and password, I enter what was provided by PIA.

I end up with this message constantly repeated:


```
Thu Dec 24 19:26:25 2015 us=23274 TCP: connect to [AF_INET]72.52.9.107:1194 failed, will try again in 5 seconds: Connection refused
```

Before I am prompted to log in, I get this:


```
Thu Dec 24 19:25:47 2015 us=127246 OpenVPN 2.3.8 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Dec  8 2015
```

Is this looking for IPv6? Because I am using IPv4.


----------



## leebrown66 (Dec 25, 2015)

Try replacing

```
remote 72.52.9.107 1194
```

with

```
remote 72.52.9.107
```


----------



## walterbyrd (Dec 25, 2015)

> I just know how to read a manpage (most of the time  anyway).

I can usually read a man page. But I am not seeing details about how to build a client configuration file. I wish I knew where I could find such details.


----------



## walterbyrd (Dec 25, 2015)

> Replacing
> 
> ```
> remote 72.52.9.107 1194
> ```
> ...



Did not work. Same problem. Thanks anyway.


----------



## leebrown66 (Dec 25, 2015)

OK, maybe try a server from this page.  It looks like they don't give out any information on how to connect to them, so I would guess that is burnt into the software they supply to you.  It may be that their software is the only thing that connects with their vpn too ... if they have specific certificates embedded in the software for example, there's no way we'd know.

OpenVPN is using an IPv4 address going by the earlier message, I think it's just IPv6 enabled also.


----------



## kpa (Dec 25, 2015)

walterbyrd said:


> > I just know how to read a manpage (most of the time  anyway).
> 
> I can usually read a man page. But I am not seeing details about how to build a client configuration file. I wish I knew where I could find such details.



Surprisingly, all the client configuration options are the command line options but with the leading dashes removed. So if you write --remote on the command line the option becomes remote in the configuration file.


----------



## PeteDana (Dec 26, 2015)

walterbyrd

I don't know if you have resolved this already but see below the setup for PIA. I think the config file you use may not be correct in some respects. You don't disclose the full setup so I wrote a brief guide


I got the OpenVPN and PIA setup info from

- openvpn.net website

- and the PIA linux setup files at https://www.privateinternetaccess.com/pages/client-support/

- and http://www.freebsddiary.org/openvpn.php


Assuming you
- already have a valid PIA username and password
- you've installed security/openvpn package or port on FreeBSD
- you want to run PIA openvpn from boot up (if you wish to run when needed you will have to execute the openvpn.conf file from command line as and when needed)

Add this to /etc/rc.conf to run openvpn(8)

```
# To enable openvpn from start up with tun activated
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
#this last line specifies where you will set up the openvpn config file as indicated below
```

Copy the ca.crt and crl.pem files to /etc/ or wherever you wish to store them (this you get from the Linux PIA downloads or whatever link the PIA support guys have sent you)

Create a password_pia file in /etc

Enter your user name and password into the password file on separate lines, like so

```
username
password
```

Make sure there is nothing else in the password file
Use `chmod 600 password_pia` to make it readable by root only

SEE the PIA config sample file below; I've added comments to explain it a bit


```
#your PIA clientconfig file under /usr/local/etc/openvpn/openvpn.conf
client
dev tun

#make sure the correct protocol is used
proto udp

# use the vpn server of your choice; rather put the name of the server in than the IP address; the ip addresses change frequently
remote aus.privateinternetaccess.com 1194

resolv-retry infinite
nobind
persist-key
persist-tun

# copy the ca.crt files to wherever you wish to store them in /etc or in the config directory but indicate here where to find the file example:
#ca /etc/ca.crt
#crl-verify /etc/crl.pem
ca ca.crt
crl-verify crl.pem

tls-client
remote-cert-tls server

#indicate where you have stored the password file if you want to log in from boot example:

# auth-user-pass /etc/password_pia.txt
# and make it only readable by root with: chmod 600 filename
auth-user-pass

#this suppresses the caching of the password and user name
auth-nocache

comp-lzo
verb 1
reneg-sec 0
```

To start and test the PIA client enter in terminal via sudo or as root
`#openvpn --config /path/to/openvpn/config/file`

Hope this helps


----------



## leebrown66 (Dec 26, 2015)

This might be useful in the How-To section.


----------



## PeteDana (Dec 26, 2015)

leebrown66 said:


> This might be useful in the How-To section.


I am working on writing up a How-To. Need to get the formatting right and testing the detail as I go so anyone can use it. Will post to that section once done.


----------



## leebrown66 (Dec 27, 2015)

PeteDana said:


> I am working on writing up a How-To. Need to get the formatting right and testing the detail as I go so anyone can use it. Will post to that section once done.


I'd be happy to test that, if you like.  I must admit I have ulterior motives as I need to control our users traffic more stringently, so being able to tag this means I can dump it into the unprivileged bucket of bandwidth.


----------



## Deleted member 9563 (Dec 27, 2015)

Perhaps I missed something in scanning the above posts, but I'm pretty sure you need to log in to all paid services like that. I've used similar and it was just a regular OpenVPN configuration which I could manage in a file. The thing to remember with that is that if you're using OpenVPN as a package it probably won't work because it doesn't allow saving your password. You need to compile it from ports and check that option.

Note: openvpn.auth and openvpn.conf are in /usr/local/etc/openvpn.


----------



## PeteDana (Dec 27, 2015)




OJ said:


> Perhaps I missed something in scanning the above posts, but I'm pretty sure you need to log in to all paid services like that. I've used similar and it was just a regular OpenVPN configuration which I could manage in a file. The thing to remember with that is that if you're using OpenVPN as a package it probably won't work because it doesn't allow saving your password. You need to compile it from ports and check that option.
> 
> Note: openvpn.auth and openvpn.conf are in /usr/local/etc/openvpn.


PIA is a paid VPN service. Once you purchase the VPN service online they will supply you with the username and you choose the password. The username and password is entered and saved in the set up file as per the configuration set up - see post above. OpenVPN configuration is pointed toward the file containing the username and password.


----------



## PeteDana (Dec 27, 2015)

leebrown66 said:


> I'd be happy to test that, if you like.  I must admit I have ulterior motives as I need to control our users traffic more stringently, so being able to tag this means I can dump it into the unprivileged bucket of bandwidth.


I have uploaded a more detailed How-To under the How-To section. The unmoderated title "HOW-TO Set up a Privateinternetaccess client on OpenVPN" The thread awaits moderation.


----------



## leebrown66 (Dec 27, 2015)

OK, it will be a few days before I can provide some feedback.  Looks very good glancing over it.


----------



## Deleted member 9563 (Dec 28, 2015)

PeteDana said:


> PIA is a paid VPN service. Once you purchase the VPN service online they will supply you with the username and you choose the password. The username and password is entered and saved in the set up file as per the configuration set up - see post above. OpenVPN configuration is pointed toward the file containing the username and password.



Sorry, I thought that's what I said. I am quite familiar with your situation.  So now you need to have OpenVPN be allowed to use that password. If you installed OpenVPN as a package, it won't.


----------



## leebrown66 (Dec 28, 2015)

OK, I've not yet subscribed, but here's a few suggestions I have, just reading through it.
Remove 2.1

2.2 `mkdir -p` may be less problematic for new folk.

2.3 Use what's in base:
`fetch --no-verify-peer https://www.privateinternetaccess.com/openvpn/openvpn.zip`

2.4 Don't copy into /etc/somewhere which belongs to base related things, but rather /usr/local/etc/somewhere where locally installed related things go.

4 No need to touch the file into existence, ee and nano will create it.
4 File perm 600 is rw, did you mean 400 (although it bugs me when I edit a file and can't save it)

5 Maybe instead of downloading the zip (step 2) to one place and copying the single file the user wants to the /usr/local/etc/openvpn directory, just create, download and unzip everything directly into /usr/local/etc/openvpn.  In which case you _could_ collapse 2.1-2.4 into this:
`mkdir -p /usr/local/etc/openvpn`
`fetch --no-verify-peer https://www.privateinternetaccess.com/openvpn/openvpn.zip -o - | tar xzvf - -C /usr/local/etc/openvpn`
The side-benefit of this is you can anchor the file locations in your openvpn.conf for ca, crl-verify and auth-user-pass.  I would assume a novice user isn't going to care and an advanced user will adapt to suit their own needs.  I don't see that ca.crt and crl.pem need special treatment as they are world-readable from the web.
5 Consider not calling the conf file openvpn.conf but pia.conf as it's specific to connecting to pia and not openvpn.

(tested only in my brain, YMMV)


----------



## JonasNico (Jan 2, 2016)

> To start and test the PIA client enter in terminal via sudo or as root
> `#openvpn --config /path/to/openvpn/config/file`
> 
> Hope this helps



I get an error I can't figure out when I run this

I followed the rest of the "how to" guide, felt kind of ready but I got this message:

```
Options error: Unrecognized option or missing parameter(s) in /usr/local/etc/openvpn/openvpn.conf:11: es (2.3.8)
```

And I can't figure out what this mean. Any ideas? This is the config file

```
#your PIA clientconfig file under /usr/local/etc/openvpn/openvpn.conf
client
dev tun

proto udp
# use the vpn server of your choice; rather put the name of the server in then the IP address; the ip addresses change frequently
remote us-east.privateinternetaccess.com

# you can add other servers here and comment them out in case you want to change servers later ▒~@~S you can do this as your username and password stays the same. But only use one server at a tim
#remote aus.privateinternetaccess.com 1194
#remote us-west.privateinternetaccess.com 1194
#remote russia.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun

# copy the ca.crt files to wherever you wish to store them in /etc or in the config directory but indicate here where to find the file example:
#ca /etc/pia_openvpn/ca.crt
#crl-verify /etc/pia_openvpn/crl.pem
ca  etc/pia_openvpn/ca.crt
crl-verify  etc/pia_openvpn/crl.pem


tls-client
remote-cert-tls server

#indicate where you have stored the password file if you want to log in from boot example:
# auth-user-pass /etc/pia_openvpn/password_pia.txt
# and make it only readable by root with: chmod 600 filename

auth-user-pass /etc/pia_openvpn/password_pia.txt

#this suppresses the caching of the password and user name
```


----------



## leebrown66 (Jan 2, 2016)

My guess, it's either the relative paths for ca and crl-verify (try ca /etc/...., crl-verify /etc....) or the funky characters on the line that starts with

```
# you can add o
```

Also looking at the guide, the line

```
remote us-east.privateinternetaccess.com
```
should have an 1194 at the end.

Hope that helps


----------



## PeteDana (Jan 4, 2016)

Hi JonasNico

I agree with leebrown66: the syntax on the server needs the `1194` at the end and the absolute paths to the certificate files are missing the `/` character in front of the path name. Just make sure the files are where the references are pointing to.
It should solve the problem!


----------
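
A pre-flight check for the client-config points raised in this thread (stray non-ASCII bytes, relative `ca`/`crl-verify`/`auth-user-pass` paths, a missing `ca` or `remote-cert-tls`, a credentials file readable by other users). This is an added example, not code from any post or from OpenVPN; the function name `lint_ovpn` and the sample config are constructed for illustration.

```shell
#!/bin/sh
# lint_ovpn CONFIG: print one finding per line; return 1 if any, else 0.
lint_ovpn() {
    conf=$1
    out=$(
        LC_ALL=C awk '
            # Bytes other than tab and printable ASCII: paste or terminal debris.
            /[^\t -~]/ { print "line " NR ": bytes outside printable ASCII" }
            /^[ \t]*([#;]|$)/ { next }          # skip comments and blank lines
            { seen[$1] = 1 }
            # A file argument without a leading / depends on the working directory.
            ($1 == "ca" || $1 == "crl-verify" || $1 == "auth-user-pass") &&
                NF > 1 && $2 !~ /^\// {
                print "line " NR ": " $1 " path is relative: " $2
            }
            END {
                if (!seen["ca"] && !seen["<ca>"])
                    print "no ca: no CA certificate to verify the server against"
                if (!seen["remote-cert-tls"])
                    print "no remote-cert-tls: peer need not present a server certificate"
            }' "$conf"
        # The credentials file named by auth-user-pass must be private to its owner.
        cred=$(awk '$1 == "auth-user-pass" && NF > 1 { print $2 }' "$conf")
        if [ -n "$cred" ] && [ -e "$cred" ]; then
            perm=$(ls -ldL "$cred" | cut -c5-10)   # group and other mode bits
            [ "$perm" = "------" ] || echo "$cred: accessible to group/other, chmod 600"
        fi
    )
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}

# Constructed sample modelled on the config posted above (not a real PIA file).
demo=$(mktemp -d)
printf 'user\npass\n' > "$demo/password_pia.txt"
chmod 644 "$demo/password_pia.txt"
cat > "$demo/openvpn.conf" <<EOF
client
dev tun
proto udp
remote us-east.privateinternetaccess.com 1194
# comment with a pasted dash: $(printf '\342\200\223')
ca  etc/pia_openvpn/ca.crt
crl-verify  etc/pia_openvpn/crl.pem
tls-client
auth-user-pass $demo/password_pia.txt
EOF
lint_ovpn "$demo/openvpn.conf" || echo "config needs fixing"
rm -rf "$demo"
```

Relative paths are not wrong in themselves: OpenVPN resolves them against its working directory, so the same file can work from one directory and fail from another.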



## PeteDana (Jan 4, 2016)

Hi leebrown66
Thanks for the review of the How-to. I will make the necessary amendments soon.


----------



## walterbyrd (Feb 4, 2016)

Sorry about being away so long. For now, I have given up on VPN for FreeBSD. I just use Windows. 

I have been going back and forth about whether FreeBSD is right for me, especially since I have found that FreeBSD does not work with Dropbox, or Seacloud.


----------



## Deleted member 9563 (Feb 5, 2016)

Well we all have to figure out what's best for us. The freedom to choose is most important.

That said, I still think you didn't get what I said earlier about the pkg of OpenVPN not being able to take passwords from a file. The package just won't work for you so there is no point in trying.


----------

