View Full Version : Openvpn Applet


mikkov
06-12-2008, 05:49 PM
I have made a small desktop applet for controlling openvpn connections. Get it from maemo Extras repository (http://maemo.org/downloads/product/OS2008/openvpn-applet/)


Features:
- Import openvpn settings through gui
- Needs only standard openvpn configuration files, no extra configuration
- Supports multiple connections
- Supports username and password authentication

maillaxa
06-12-2008, 06:22 PM
How does it compare to vpnc-gui ?

mikkov
06-12-2008, 06:29 PM
Well as far as I know vpnc-gui doesn't do openvpn. And openvpn-applet is implemented as desktop plugin.

mikkov
06-14-2008, 11:25 AM
I made minor changes to openvpn-applet. New release is available from garage.

changes:
'sudo kill' is not required any more. /etc/init.d/openvpn is automatically added to sudoers file.
bug related to zombie processes is fixed.

gochito
08-18-2008, 04:52 PM
Great addition... OpenVPN is my VPN of choice, and so far manually running the script was getting boring... However, when I use the applet, I am able to define and import my vpn files, but when I go to Test or connect, there are no VPNs on the list...

Now if we can get rtcomm to see the VPNs :-)

mikkov
08-18-2008, 05:06 PM
Just released 0.3.2 with better import.

What is your configuration file name? It has to be .conf. Also .ovpn should work in theory, but I haven't tested it, so it is very likely that it doesn't work.

gochito
08-18-2008, 05:51 PM
Aha! I was trying with the .ovpn file... let me try with the .conf file...

Works, but I can't enter the password for the certificate... Let me see how to get around that...

mikkov
08-18-2008, 05:54 PM
OK, password thing is also not so much tested. Does your config contain auth-user-pass, askpass or something else authentication related?

edit:
openvpn-applet asks password only if config contains askpass, and username and password only if config contains auth-user-pass

gochito
08-18-2008, 06:02 PM
Done! ... Created the password file in the /etc/openvpn directory...

included askpass /etc/openvpn/password

in my .conf file and Voila! Working as a charm!

Thanks a lot!

gochito
08-18-2008, 06:06 PM
Now checking if the sofia-sip (or Telepathy or mission control or ...) can see the tun device for the SIP stack :-)

gochito
08-18-2008, 07:31 PM
Nope, still have to manually set the good ol' mc-account with the tun0 address ....

mikkov
08-18-2008, 07:49 PM
Are you trying to get built-in SIP client to talk through tun0?

I have done something like that with

redirect-gateway def1
up /etc/openvpn/domain.up
down /etc/openvpn/domain.down


redirect-gateway def1 directs all traffic through tun interface so up and down scripts are used to set nameservers.

gochito
08-18-2008, 07:59 PM
I tried the redirect gateway a while ago and could not get the built-in client to connect to my Asterisk server when the openvpn was up... The only way that I could get it to work is with the mc-account set sip0 string:local-ip-address= $tun0_ip....

mikkov
08-18-2008, 08:06 PM
I was using only google talk, so there could be a difference. If you didn't set nameserver, that could also block sip?

With up script you can anyway run anything when openvpn connection starts

gochito
08-19-2008, 11:04 AM
A while ago I reported bug 1860 in bugzilla... some of the nokia guys commented that the SIP stack is not currently aware of the tun0 interface going up/down, so the workaround that I found (here in the forums) was to manually assign the openvpn address to just the SIP account... Basically what I do is connect to the Openvpn server @ my office and log into my asterisk account with the N810 when out of the office... When I am @ the office i just log into the wlan and connect directly to Asterisk (192.168.x.x)... So I don't need to set the nameservers from the VPN connection...

gochito
08-19-2008, 11:16 AM
Mikkov:

Now, do the if-up and if-down scripts execute when the tun0 goes up/down? I did some testing yesterday but did not get very far... A nice addition to your applet would be a pre/post-start and pre/post-stop scripts , since I am sure that many users need to do stuff before and after the vpn is up/down just related to the VPN tunnel :-)

Anyways, your applet removed a bunch of steps on setting up my SIP connection to the office...

mikkov
08-19-2008, 12:34 PM
Maybe there is slight misunderstanding.

Openvpn has up and down parameters which can run any command when tun device is opened and closed


--up cmd
Shell command to run after successful TUN/TAP device open (pre --user UID change). The up script is useful for specifying route commands which route IP traffic destined for private subnets which exist at the other end of the VPN connection into the tunnel.

--down cmd
Shell command to run after TUN/TAP device close (post --user UID change and/or --chroot ). Called with the same parameters and environmental variables as the --up option above.

Note that if you reduce privileges by using --user and/or --group, your --down script will also run at reduced privilege.


To me it looks like this is exactly what you want to do.

gochito
08-19-2008, 05:16 PM
:-) Yeap, seems like there is... let me get into those and will comment on the results!

gochito
08-19-2008, 06:33 PM
Great! using the up and down parameters from openvpn and borrowing from jimhoy's scripts, I was able to get it working !

Here are Jimhoy's scripts...

http://www.internettablettalk.com/forums/showthread.php?t=10344&highlight=rtcomm&page=3

I used this part for the up:

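#!/bin/sh
# Give the tunnel interface a moment to get its address.
sleep 5
VPN_INT="tun0"
# Extract the IPv4 address of the tunnel interface from the ifconfig output.
VPN_IP=`ifconfig $VPN_INT 2> /dev/null | sed -n 's/.*inet[adr: ]*\([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\).*/\1/p'`
# Only touch the SIP account if an address was found.
if [ -n "$VPN_IP" ]; then
    mc-account set sip0 string:local-ip-address=$VPN_IP
fi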

And a similar one for the down !

Excellent!
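
An added example, not from the thread or from Jimhoy's scripts: the same up hook using the tunnel address OpenVPN itself hands to the script (fourth positional argument, also exported as `ifconfig_local`) instead of sleeping and parsing ifconfig output, and validating it because the hook runs before the --user UID change. `MC_ACCOUNT` and `SIP_ACCOUNT` are hypothetical override variables; the `mc-account` invocation is the one quoted above.

```shell
#!/bin/sh
# Added example: OpenVPN --up hook that sets the SIP account's local address.
# For a tun device OpenVPN calls the hook as
#   cmd tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [init|restart]
# and also exports $ifconfig_local.

# Assumption: both names can be overridden from the environment for a dry run.
MC_ACCOUNT="${MC_ACCOUNT:-mc-account}"
SIP_ACCOUNT="${SIP_ACCOUNT:-sip0}"

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# vpn_local_ip ARGS...: print the tunnel's local IP, preferring the fourth
# positional argument and falling back to $ifconfig_local.
vpn_local_ip() {
    candidate="${4:-${ifconfig_local:-}}"
    is_ipv4 "$candidate" || return 1
    printf '%s\n' "$candidate"
}

# set_sip_local_ip ARGS...: bind the SIP account to the tunnel address, or
# leave the account untouched when no valid address was supplied.
set_sip_local_ip() {
    ip=$(vpn_local_ip "$@") || {
        echo "up hook: no valid tunnel address, SIP account left unchanged" >&2
        return 1
    }
    "$MC_ACCOUNT" set "$SIP_ACCOUNT" "string:local-ip-address=$ip"
}

# Run only when invoked by OpenVPN with its positional arguments.
if [ "$#" -ge 5 ]; then
    set_sip_local_ip "$@"
fi
```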

krbvroc1
08-30-2008, 01:06 PM
Maybe a dumb question but where is the tun/tap device?

I imported a ovpn file that I use on my laptop. Both 'test' and connect appears to work. However, there does not appear to be a tun or tap 'device'. If I type 'ifconfig' there is only lo and wlan0. 'route' does not show anything new.

I am running the latest diablo. I do not see a tun.ko module either. (unless is is built into the kernel) Any ideas?

mikkov
08-30-2008, 02:45 PM
Without seeing your config or log I guess that openvpn first starts but then crashes when using "Start" button.

Openvpn crashes if you have set verb 4 or higher in configuration file. Test button sets verb to 3 but start button uses whatever is set in configuration. Maybe I should address this problem in the next version.

If verb value isn't your problem maybe you could post your configuration file somewhere with private data anonymised (ip addresses etc)

alaaji
09-01-2008, 01:05 PM
How do I enter the username and password. It doesn't work for me without these two things.

mikkov
09-01-2008, 01:16 PM
openvpn-applet asks password only if config contains askpass, and username and password only if config contains auth-user-pass

Your config file has to contain one of these parameters. If you are using something else for the authentication, let me know what.

alaaji
09-01-2008, 01:23 PM
My config file uses the auth-user-pass. When I run the test, I get a message stating: "Enter Auth Username:Mon Sep 1 16:21:00 2008 ERROR: could not read Auth username from stdin" and then it exits.

mikkov
09-01-2008, 01:32 PM
do you have version 0.3.3? It should work.

Is there anything else on the line with auth-user-pass?

alaaji
09-01-2008, 02:22 PM
Yes, I have version 0.3.3-1. The only other thing that it says is "OpenVPN 2.0.9 arm-unknown-linux-gnueabi [SSL] [LZO] [EPOLL] built on Jul 31 2008"

Thanks for helping me out here. I've been wracking my brain on how to get this to work even before you came out with this applet. I got it to work just fine on my Ubuntu laptop but this is more of a challenge.

mikkov
09-01-2008, 02:45 PM
Does it work if you start openvpn from console? start it with "/usr/sbin/openvpn /etc/openvpn/your_config"

mikkov
09-02-2008, 07:28 AM
Version 0.3.4 should fix problems with usernames and passwords.

alaaji
09-04-2008, 01:37 AM
Version 0.3.4 should fix problems with usernames and passwords.

I tried the new version but I am still getting the same message from before. :(
When I get the message that it can't read from "stdin", what is that? Can I edit this file? Where is it located? Is there a problem with the LZO option?

mikkov
09-04-2008, 05:01 AM
Configuration files are in /etc/openvpn. You have imported the file there, so you should have the "source" file. You can edit the source file and import it again. Or you can edit file directly from command line as root.

I can't reproduce your problem, so I would need to see your configuration file in order to fix the problem. You can edit ip-address and other sensitive information out from the file.

alaaji
09-04-2008, 10:47 AM
I've attached a copy of what my *.conf file looks like. I just edited out the sensitive info.

mikkov
09-04-2008, 01:08 PM
Seems to work for me. You could try to disable openvpn-applet and then enable it (or reboot).

Home applets don't seem to automatically restart after updating. I have to see if there is something that I could do about it for the next update.

alaaji
09-05-2008, 05:54 AM
Seems to work for me. You could try to disable openvpn-applet and then enable it (or reboot).

Home applets don't seem to automatically restart after updating. I have to see if there is something that I could do about it for the next update.

Thanks! That did the trick. I appreciate all of your help. :D

n810max
09-06-2008, 02:56 AM
Why does the openvpn-applet work when i choose open option>test but not when i click client>start on n810 (assuming my config is client.conf)


I have been struggling for days to make it work.


The open option>test works but you cannot leave the openvpn-applet debug window, apparently the window is modal. Thus, you cannot do anything on the tablet while the debug window is open.


However, I can ping the vpn ip from another computer which shows the tunnel is up.


Even when I run it from the xterm /etc/init.d/openvpn start the vpn fails (FAILED)

When I ran openvpn --config /etc/openvpn/client.conf, I get Assertion Failed error message.

It seems vpn only works with the openvpn-applet option test mode.

Hope you could help me.


Thanks in advance,

n810max
09-06-2008, 03:03 AM
mikkov, please disregard my post. While browsing the thread, I stumbled on post #21 at 08-31-2008, 01:45 AM where you suggested to get rid of the verb > 3.
which i did. Now it is working. Thanks to this wonderful thread. I have my openvpn working now.

stangri
09-19-2008, 05:25 PM
Please forgive a newbie (both in N8x0 and OpenVPN use), but can I somehow make the applet remember the login and password for the OpenVPN connection?

I have imported the configuration I used in Tunnelblick and the CA cert file and when I enter the login and password at the prompt I get the connection, but is it possible to script the login and password somewhere so I wouldn't have to type them all the time?

I'm not in control of my password for OpenVPN and it's a very long sequence with digits and upper case symbols, there's no way I can remember it.

thanks!

mikkov
10-03-2008, 07:10 PM
This is a little bit late answer but you can define password in openvpn configuration file:


--auth-user-pass [up]
Authenticate with server using username/password. up is a file containing username/password on 2 lines (Note: OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h).

If up is omitted, username/password will be prompted from the console.

The server configuration must specify an --auth-user-pass-verify script to verify the username/password provided by the client.



Actually I am not sure if extras repo openvpn is built with --enable-password-save option. There is no other method at least for the moment.

see http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html

stangri
10-05-2008, 09:27 AM
Mikko,
thanks that worked fine. I've had the CA cert and the UP filenames in double-quotes, as soon as I removed them it just worked.

PS. Also thanks for porting FreeCIV, BOS Wars :).

jgombos
11-27-2008, 06:24 PM
It won't import the configuration.

openVPN works from the CLI just fine, but it seems the applet can't handle the configuration. The applet parses the config file, and automatically populates the filenames for the certificates (although it fails to grab the ta.key). Then I tap "import selected" and it just brings me to an empty dialog box, with no indication about what the problem is. This is the config file I'm feeding it:

float
remote xxx.xxx.xxx.xxx xxxx
dev tun
persist-key
persist-tun
proto udp
pull
route-method exe
route-delay 2
nobind
tun-mtu xxxx
comp-lzo
auth-user-pass pwauth
auth xxxxxxxxxxxxxx
cipher xxxxxxxxxxxxxxx
tls-cipher xxxxxxxxxxxxxxxxxxx
tls-client
client
tls-auth ta.key 1
ns-cert-type server
ca ca.crt
cert client.crt
key client.key
keepalive 10 60
resolv-retry xxxxxxx
verb 1
log openvpn.log

Is there a way to manually force a file import? Eg. can I just drop them in a folder and edit a configuration file for the applet itself?

mikkov
11-27-2008, 06:31 PM
Thanks for the report. I will try to investigate this problem later.

Until I fix the problem you can copy configuration files directly to /etc/openvpn directory. Applet should see the .conf or .ovpn file from there.

jgombos
11-27-2008, 06:50 PM
Thanks for the report. I will try to investigate this problem later.

Until I fix the problem you can copy configuration files directly to /etc/openvpn directory. Applet should see the .conf or .ovpn file from there.
That doesn't work either. That's where I had my configuration to begin with.

Currently I go to /etc/openvpn and execute

openvpn --config openvpn.conf

from the commandline to start the tunnel. It's a pain to do that every time though. I guess I need to write a script and find a way to trigger it from the gui.

mikkov
11-27-2008, 06:53 PM
is the .conf file readable by user?

jgombos
11-28-2008, 05:12 AM
is the .conf file readable by user?
Yes, both the copy on the MMC card, and the copy in /etc/openvpn.

Strangely, the files on the mmc card are owned by "user", but they are in the "root" group. The permission bits are 644. I logged in as root and tried to "chown root:users *", but got operation not permitted. I suppose that's not the problem, because the files on the mmc chip are readable by all.

The files in /etc/openvpn are owned by root:users, and have permission bits 640. So there is no reason why the applet would have trouble accessing the files.

mikkov
11-28-2008, 12:26 PM
ok, what are permissions for /etc/openvpn directory itself? They should be for example 755.

jgombos
11-28-2008, 01:13 PM
ok, what are permissions for /etc/openvpn directory itself? They should be for example 755.
That was it! The applet finds the tunnel configuration now.

/etc/openvpn was owned by root:root w/ permissions 700. I changed ownership to root:users w/ permission bits 750.

It's a quick fix. From a security standpoint, I think only root should see these files. Should the 's' bit be set on the applet?

mikkov
11-28-2008, 01:32 PM
I think that /etc/openvpn directory's 755 permission bits are default for many distributions including maemo.org's openvpn package (if it hasn't changed), but I can understand your view.

Problem with openvpn applet is that it is running inside hildon-desktop and it is always running as user. Applet needs to be able to read the configuration file and directory listing of /etc/openvpn, but it doesn't need to be able to read certificates or keys. For importing files and starting openvpn process it uses sudo.
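
The access model described above (the applet, running as user, needs the directory listing and the configuration file but not the certificates or keys) can be checked with a short audit script. This is an added example, not part of the thread or of openvpn-applet; treating `*.key` and `password*` files as the secrets is an assumption based on the file names used in this thread, and `stat -c` assumes GNU or BusyBox stat.

```shell
#!/bin/sh
# Added example: audit an OpenVPN configuration directory against the access
# model from the thread. The applet runs as an ordinary user, so it must be
# able to list the directory and read the .conf/.ovpn files; keys and
# password files only need to be readable by root, which starts openvpn.

# mode_any MODE MASK: true when at least one bit of octal MASK is set in MODE.
mode_any() { [ $(( 0$1 & 0$2 )) -ne 0 ]; }

# mode_all MODE MASK: true when every bit of octal MASK is set in MODE.
mode_all() { [ $(( 0$1 & 0$2 )) -eq $(( 0$2 )) ]; }

# audit_openvpn_dir DIR: print one finding per line as "CODE MODE PATH".
# Prints nothing when the layout matches the model.
audit_openvpn_dir() {
    dir=$1
    dmode=$(stat -c '%a' "$dir") || return 2

    # Listing needs r+x for the group (root:users 750) or for others (755).
    # Group access only helps if the applet's user is in the owning group.
    if ! mode_all "$dmode" 050 && ! mode_all "$dmode" 005; then
        echo "DIR-NOT-LISTABLE $dmode $dir"
    fi
    # A group- or world-writable directory (e.g. 777) lets non-root users
    # replace configs that openvpn is later started with.
    if mode_any "$dmode" 022; then
        echo "DIR-WRITABLE $dmode $dir"
    fi

    find "$dir" -type f | sort | while IFS= read -r f; do
        fmode=$(stat -c '%a' "$f") || continue
        case "${f##*/}" in
            *.conf|*.ovpn)
                if ! mode_any "$fmode" 044; then
                    echo "CONFIG-UNREADABLE $fmode $f"
                fi
                if mode_any "$fmode" 022; then
                    echo "CONFIG-WRITABLE $fmode $f"
                fi ;;
            *.key|password*)
                # Secrets: any group/other permission bit is a finding.
                if mode_any "$fmode" 077; then
                    echo "SECRET-EXPOSED $fmode $f"
                fi ;;
        esac
    done
    return 0
}

# Stand-alone use: sh audit.sh /etc/openvpn
if [ "$#" -ge 1 ]; then
    audit_openvpn_dir "$1"
fi
```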

jgombos
12-02-2008, 11:00 AM
I notice that the instant START is tapped, the icon turns green well before it could connect successfully. And it remains green, even if I shutdown the network. So what is the icon telling us?

FEATURE REQUEST:

To get an idea of how the tunnel is working, I generally run something like: "tail -f /var/log/openvpn.log" (the logfile is specified by the "log" key in the config file). It would indeed be useful if the openvpn applet gave the user a way to request a detailed status, which could simply involve launching an xterm that runs the tail command on whatever log is mentioned in the config file.

Sometimes I just want to see what my IP address is. So I scroll through my bookmarks for a website that will echo that back to me. It gives me a relatively quick way of confirming whether the tunnel is working. It would be useful if such a webpage could be launched directly from the applet.

mikkov
12-02-2008, 01:16 PM
I notice that the instant START is tapped, the icon turns green well before it could connect successfully. And it remains green, even if I shutdown the network. So what is the icon telling us?


It is looking for the pid file. After about 30 seconds it stops scanning the pid file and updates only when you select the connection from drop down list or use the stop button. So it isn't aware of network connection or even openvpn connection at all, but it's on my "todo" list to make it better.


FEATURE REQUEST:

To get an idea of how the tunnel is working, I generally run something like: "tail -f /var/log/openvpn.log" (the logfile is specified by the "log" key in the config file). It would indeed be useful if the openvpn applet gave the user a way to request a detailed status, which could simply involve launching an xterm that runs the tail command on whatever log is mentioned in the config file.


Test button in settings dialog is close to this, but as it restarts the connection every time (and dialog is modal to hildon-desktop) it's not exactly useful for this purpose. But this is a good idea and I think about it when I have the motivation to do something for applet.




Sometimes I just want to see what my IP address is. So I scroll through my bookmarks for a website that will echo that back to me. It gives me a relatively quick way of confirming whether the tunnel is working. It would be useful if such a webpage could be launched directly from the applet.

This kind of feature would be very nice, but I would see that it fits better for example for homeip applet.

heavyt
12-29-2009, 03:27 PM
I am trying to use openvpn to tunnel my sip/voip (Gizmo, Sipgate etc) from N810 to any openvpn server. Openvpn works fine and sip/voip works fine but it fails when openvpn is used. Are there scripts that can be used as a solution? The ones at https://bugs.maemo.org/show_bug.cgi?id=1860 seem not to work or I am doing it wrong. :confused:

TA-t3
12-30-2009, 07:51 AM
I take it you've got it resolved now? There was a reply in the bug thread and I too replied in that other thread (summary: set "script-security 2" to openvpn config file, add 'x' bit (chmod u+s) to your scripts).

EDIT: I meant u+x of course, u+s was a typo.. that's something entirely different and won't work on scripts.

heavyt
01-01-2010, 04:44 PM
I take it you've got it resolved now? There was a reply in the bug thread and I too replied in that other thread (summary: set "script-security 2" to openvpn config file, add 'x' bit (chmod u+s) to your scripts).
Yes I got it to work and thanks for your help. I used chmod +x, I read that chmod u+s doesn't work for scripts. I also found that trying to run more than one sip (my case it was sipgate and gizmo tied into Google Voice) seem to make them not reliable. I also added "script-security 2 system" to the openvpn config file. Now my N810-WE is humming! :cool:

TA-t3
01-01-2010, 05:00 PM
Oops, u+s was a typo (s is the sticky bit, and won't work on scripts, as you said. I did mean u+x. Updated my post above.)

rocketscientist
07-07-2010, 11:59 AM
Just a happy user posting! It works! :-)

heavyt
07-07-2010, 12:22 PM
Just a happy user posting! It works! :-)
Nice to hear, what NXXX?

pm_home
09-16-2010, 07:08 AM
Hi ! I've got everything working fine and have no problems running from console (e "/usr/sbin/openvpn /etc/openvpn/your_config"), BUT have this problem that the applet disappears from Status bar. Uninstalling and re-installing gets it back - Does anybody have a solution on this problem ??

mikkov
09-16-2010, 07:43 AM
Hi ! I've got everything working fine and have no problems running from console (e "/usr/sbin/openvpn /etc/openvpn/your_config"), BUT have this problem that the applet disappears from Status bar. Uninstalling and re-installing gets it back - Does anybody have a solution on this problem ??

When does it disappear? What are the permissions in /etc/openvpn directory? There is very likely a bug in the applet.

pm_home
09-16-2010, 12:00 PM
When does it disappear? What are the permissions in /etc/openvpn directory? There is very likely a bug in the applet.

Hi ! It disappears after reboot (eg turning off and on N900). I'm a newbie to Linux s 2 good at permission-stuff BUT I installed rootsh, ran sudo gainroot, cd /etc, sudo chmod 777 openvpn, turned off the N900 and started it again, BUT no applet in statusbar. SO it's there after installation (and works nicely over 3G :-)), BUT as soon as I restart machine the applet is gone :-(

mikkov
09-16-2010, 12:37 PM
Hi ! It disappears after reboot (eg turning off and on N900). I'm a newbie to Linux s 2 good at permission-stuff BUT I installed rootsh, ran sudo gainroot, cd /etc, sudo chmod 777 openvpn, turned off the N900 and started it again, BUT no applet in statusbar. SO it's there after installation (and works nicely over 3G :-)), BUT as soon as I restart machine the applet is gone :-(

OK. It's possible that some other plugin is causing the problem. Do you have any other status menu plugins installed? If you have, try removing them. Note that if something else is crashing, you never have a chance to see it in status bar.

pm_home
09-16-2010, 12:52 PM
OK. It's possible that some other plugin is causing the problem. Do you have any other status menu plugins installed? If you have, try removing them. Note that if something else is crashing, you never have a chance to see it in status bar.

Hi ! BIG Thks - you were absolutely right - when I uninstalled Tor-applet YOUR/OpenVPN-applet applet came right back :) - didn't even have to restart. Do u have any idea where/if one can edit the loadingorder of applets - maybe that could do the trick !!

mikkov
09-16-2010, 02:39 PM
Hi ! BIG Thks - you were absolutely right - when I uninstalled Tor-applet YOUR/OpenVPN-applet applet came right back :) - didn't even have to restart. Do u have any idea where/if one can edit the loadingorder of applets - maybe that could do the trick !!

Tor applet and OpenVPN applet are working together fine for me. I don't believe that loading order is any help here.

Quasar
12-09-2010, 04:31 PM
Is it possible to add something like "status of VPN connection" to status-menu? Now you can't see, if the connection is established or not (on the desktop I mean).

Laughing Man
12-23-2010, 10:26 PM
This may be off-topic. But is it possible to have two VPN connections running on the N900? I'll describe why first. Currently I'm debating should I use a free OpenVPN provider or just run two of my own. Why two? Well one is at my parents' home and the other is at the apartment. At any time, one or both may be offline. I'd like to have the N900 try to connect to either one of them.

Reason why I want to use OpenVPN (retrieval and accessing it remotely in case it gets misplaced to delete files). Since it's on T-Mobile USA and behind a NAT I can't access it directly with SSH. I could try reverse SSH though (I suppose if I figured how to set it up).

Sorry if it's off-topic.

mikkov
12-30-2010, 05:01 PM
This may be off-topic. But is it possible to have two VPN connections running on the N900?

It is possible to have two openvpn connections open at the same time, no problem. If I understood correctly you wish have them open always automatically. It is possible too, but not with OpenVPN Applet, because it doesn't support "always on" connections from the boot you'll need to start them manually.

mikkov
12-30-2010, 05:05 PM
Is it possible to add something like "status of VPN connection" to status-menu? Now you can't see, if the connection is established or not (on the desktop I mean).

There is little icon in status area when openvpn is active. But it doesn't tell if connection is really established or is it still trying to connect.

Quasar
12-31-2010, 06:03 AM
There is little icon in status area when openvpn is active. But it doesn't tell if connection is really established or is it still trying to connect.
Yes, I know. But I would like to see if connection established is or not.

Sorry for my English..

mikkov
12-31-2010, 08:17 AM
It is not too hard to add "connecting" icon. I'll see if there are enough small fixes to make for a new release.

rajil.s
02-09-2011, 01:38 PM
@Mikkov,

Is it possible to execute the applet from command-line? The reason i want to do this is that i want to start openvpn before i connect to wifi.

I was going to script something in /etc/network/if-pre-up.d/ but didn't want to use the openvpn script init script since it logs to syslog by default. With the applet it is easier to check the status. It will be awesome if it were possible to start and stop applet via command-line.

Thanks

mikkov
02-16-2011, 06:17 PM
Is it possible to execute the applet from command-line?

There used to be very simple text mode ui, but it wasn't exactly command line interface and it wouldn't work the way you are hoping for. So the answer is no.

hansaka
03-03-2011, 10:59 PM
hi guys i just installed openvpn-applet to n900 but it seems like it doesn't get an local ip and i cant ping the other end but on my desktop machine for same configuration file it get connected and i get an IP from server. on n900 it shows that i have connected and even from server side without an issue but no ip address. To make sure i tried with my DNS records whether there is an entry, no luck so far.... help me over here

cct
05-23-2011, 12:11 PM
Done! ... Created the password file in the /etc/openvpn directory...

included askpass /etc/openvpn/password

in my .conf file and Voila! Working as a charm!

Thanks a lot!

Hi, could you publish the syntax of your config-file to compare mine with it, please? I am getting a socket.connect() failed thingy now, I must have messed it up.

cheers!

EDIT:

I have been experimenting around with stuff like

auth-user-pass /etc/openvpn/password.txt via-file

and
askpass /etc/openvpn/password.txt

and similar things, but I realize I am unfamiliar with the syntax and reading up on it is not as easy as I thought. The password.txt file contains user and password blank delimited and just for one person. I am not concerned about putting these bits on my N900, as I am using it only scarcely.

I might add, that if I leave OpenVPN as it is and edit in the user/pass combination with my VPN provider, it works flawless. Just the given pass and user combination is hellishly stupid to edit in every time.

cct
05-23-2011, 01:20 PM
answering myself - maybe some other kind soul will save some minutes.

Tried opening openvpn from shell, which gave me the necessary input:

the password file needs to have the user in one line, password after carriage return.

Using complete paths in the config file also was of great help to make it work (I am keeping the certs etc in a subdirectory of openvpn to make things digestible).

config file now goes like this:
client
dev tun
fast-io
persist-key
persist-tun
nobind
remote vpn.snugglysnugglyplace.co.uk 1194
pull
comp-lzo
tls-client
tls-remote server
ns-cert-type server
tls-auth /etc/openvpn/ssl/ta.key 1
ca /etc/openvpn/ssl/ca.crt
cipher AES-256-CBC
verb 3
mute 10
auth-user-pass /etc/openvpn/password via-file
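
The configuration pitfalls reported in this thread (verb above 3, quoted file names, relative paths, a credentials file not split over two lines, a file name the applet does not list) can be checked before importing. The following preflight script is an added example, not part of openvpn-applet; its function names and finding codes are made up for illustration.

```shell
#!/bin/sh
# Added example: preflight check of an OpenVPN client config against the
# problems reported in this thread. Prints one finding per line.

# userpass_file_ok FILE: true when FILE has a non-empty username on line 1
# and a non-empty password on line 2 (the layout the man page describes).
userpass_file_ok() {
    u=; p=
    [ -r "$1" ] || return 1
    { IFS= read -r u; IFS= read -r p; } < "$1" || true
    [ -n "$u" ] && [ -n "$p" ]
}

# lint_openvpn_conf FILE: print findings for FILE, nothing when it is clean.
lint_openvpn_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "UNREADABLE $conf"; return 2; }

    # The applet only lists .conf (and, in theory, .ovpn) files.
    case "$conf" in
        *.conf|*.ovpn) ;;
        *) echo "NAME ${conf##*/}: expected a .conf or .ovpn file name" ;;
    esac

    while read -r key arg rest || [ -n "$key" ]; do
        key=${key#--}
        case "$key" in
            ''|'#'*|';'*) continue ;;
            verb)
                # Start uses the configured verbosity; 4 or higher crashed.
                if [ "$arg" -gt 3 ] 2>/dev/null; then
                    echo "VERB $arg: use verb 3 or lower"
                fi ;;
            ca|cert|key|tls-auth|askpass|auth-user-pass)
                # A bare askpass/auth-user-pass means "prompt": nothing to check.
                [ -n "$arg" ] || continue
                case "$arg" in
                    \"*|\'*) echo "QUOTED $key $arg: remove the quotes" ;;
                    /*) ;;
                    *) echo "RELATIVE $key $arg: use the complete path" ;;
                esac
                if [ "$key" = auth-user-pass ] && [ -f "$arg" ]; then
                    if ! userpass_file_ok "$arg"; then
                        echo "USERPASS-FORMAT $arg: username on line 1, password on line 2"
                    fi
                fi ;;
        esac
    done < "$conf"
    return 0
}

# Stand-alone use: sh lint.sh /etc/openvpn/client.conf
if [ "$#" -ge 1 ]; then
    lint_openvpn_conf "$1"
fi
```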

sm8ps
11-05-2011, 05:21 PM
Hi Mikko,
first off many thanks for this nifty little time saver! (I hope that still somebody is following this thread!(?))
For others' information, I had the same problem as user pm_home in post 59: the applet did not consistently show up in the status bar. I deleted the wifi-switch (?) applet and now openvpn-applet does show up. Could it be a general thing about too many applets maybe? (Has anybody seen the status menu bar providing slider bars?) Anyways, I hope it will stay visible as I am certain to make quite some use of it.
Cheers!
St. Mueller, Switzerland

mikkov
11-05-2011, 06:57 PM
I do randomly watch this thread, nice to hear that you like the applet.

I have heard couple of times before that applet isn't showing up until some other applet is removed. I have looked into it, but frankly haven't found any reason for it or seen it myself.

sm8ps
11-16-2011, 08:38 AM
Mikkov,

thanks for your reply! By coincidence I found out that the status menu bar does indeed provide a sliding functionality. That is, if there are too many applets, one can scroll but there are no slider bars visible so that you won't realize there are additional applets (at least I did not until after two years of using my n900 ...). Since the OpenVPN applet seems to be added towards the bottom of the menu bar area it seems to be susceptible for being hidden down below.

Hope this helps others.

Cheers!
St. Mueller, Switzerland

bocephus
12-18-2011, 09:16 AM
I tried using openvpn to connect to my Ivacy account with these (http://ivacy.com/docs/support/windows_xp_ovpn) configuration files, but all I get is

Cannot load certificate file ivacy-keys/ivacy-client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib


What could be the problem?

Also, if I set

auth-user-pass /etc/openvpn/password via-file

in the configuration file, what format should be in the pass-file? username:password?

sm8ps
12-18-2011, 01:43 PM
Hey bocephus
Just a quick shot in the dark: I would try specifying the full path of the files. I put mine under '/home/user/.ssl/' for instance.

Cheers!
St. Mueller, Switzerland

bocephus
12-18-2011, 03:52 PM
Well, I've tried that just to be sure, but that's not the problem. The error is not "not found", it's "PEM_read_bio:no start line". I suspect it might be encoding related. Does Leafpad save in UTF or ANSI? The latter might be preferable.

Edit: Nope. I saved all files in Unix ANSI in Notepad++ but I still get the same error.