Jump to content

How to configure VPN client to auto start with the NANO?

Recommended Posts

Hello. I am wanting to autostart openvpn on the wifi pineapple nano. I have a open vpn subscription with expressVPN. I can go through the GUI and configure the vpn manually, but I would much rather have it autostart when the pineapple NANO is powered.

How do I go about doing this? I have been  going through the forum and trying what is recommended. I have downloaded the certificate from expressVPN and had it upload to the pineapple. How do I autostart the vpn client with the credentials provided by expressVPN to login to their server?

Also, How do I make it so that the NANO allows for more than 5mb on the wifi connection?

Link to post
Share on other sites

Did you get the manually set up VPN working? Reading your post from the 25th of June, it appears that you hadn't gotten that to work at that moment, but now it seems as if you can at least start it manually. The reason for my question is to make sure you know that the VPN connection from the WiFi Pineapple is really up and running, i.e. that you have verified the public facing IP address is originating from ExpressVPN and that the tun interface is up. The OpenVPN GUI/module for the WiFi Pineapple isn't that accurate sadly. It says that is enabled or running but it can be totally "dead" under the hood despite the status that the module is showing. There are some ways to get it to autostart, but I wanted to start off by verifying that the VPN is actually working in your case.

Link to post
Share on other sites

Yea the VPN client works via the GUI when I start it manually, it is a hit or a miss whether it is actually running or not though. It was confusing for a while, eventually I understood that 'running...' means the VPN actually turned on.

It seems to work without a hitch with a VPN server without login creds (i.e. my router's built in VPN server); but with expressVPN its a hassle, hence me wanting to automate the thing.

Link to post
Share on other sites

So you get a tun interface listed when you ssh into the Pineapple and run ifconfig (or check the available interfaces in the Networking "tab" of the Pineapple web GUI). The "running..." status in the web GUI doesn't necessarily mean that the VPN is up. I forced the Nano into that status just with some bogus settings that doesn't actually establish any VPN connection, so I wouldn't count on that it actually is a 100% reliable status indicator. However, my Nano reboots all the time as I try to do the "non GUI" setup of a OpenVPN client. It doesn't matter if using different VPN providers or different types of configurations, it's the same every time. It just resets/reboots. Looking at the release notes of the 2.7.0 firmware version it says "Fixed an issue where OpenVPN would cause a kernel panic upon establishing tunnel." This seems to have not really been fixed though, it's in that exact moment when the tun interface is to be established that the Nano resets and reboots. That's why I'm extra interested in if you really have got it to work. If so, then there must be some specific fault in my setup (which is factory reset 2.7.0) that is present. If I could get that fixed, I was hoping in guiding you to set it all up to autostart at Pineapple boot. Sadly I can't do that right now.


The "crashes" I experience can not be reproduced using the same OpenVPN setup on a GL-AR150 (same mips_24kc architecture as the Nano, but running OpenWrt 19.07.4, r11208-ce6496d796, kernel 4.14.195), so I guess it is either kernel related and/or has something to do with the implementation on the WiFi Pineapple Nano hardware specifically.

Edited by chrizree
New information
Link to post
Share on other sites

:( Yea the "running..." status is through the web gui. Its always a hit or a miss when it comes to the web gui interface.

Aw man... I guess I have to manually start the VPN and pain stakingly input the login creds of expressVPN and use the vpn that way... Please let me know when/if you get it to work.... 

Link to post
Share on other sites

Well, even if I can't get my own Nano running, I won't keep any OpenVPN secrets from you 🙂 Try the following...

Note that this has been done on a LAN Turtle (and also on my "non Hak5" mips_24kc based GL-AR150), *not* the WiFi Pineapple Nano since it crashes/panics all the time when initiating a VPN connection. As a matter of fact, I'm writing this post using the LAN Turtle based autostarted OpenVPN connection.

I'm adding a standard "Do this at your own risk" message to begin with 😬

The OpenVPN modules are of course available in the Pineapple file system, but I wouldn't go down that road for now since it can be done using the command line. Everything is possible and it can of course be included in a module and being controlled using the web GUI, but I don't really see the need for that (or have the time at the moment to make it happen).

I'm using a free Tunnelbear account here. Not to endorse Tunnelbear in any way, but it was the first free account I had at hand at the moment. It is also an easy way to reproduce it all for anyone in order to verify that OpenVPN works as it should. Then, if it works, one can start getting any other VPN service provider (such as ExpressVPN) to work.

Since you have OpenVPN working, I guess you have already completed the steps on the following lines, but I'm including them anyway.
opkg update
opkg install openvpn-openssl

I normally do not use the above command when installing OpenVPN since I want opkg to default to installing openvpn-mbedtls instead of openvpn-openssl. openvpn-mbedtls is optimized for embedded devices with limited resources which OpenSSL really isn't in its original implementation, hence most likely "heavier" for OpenWRT devices to carry.

Get an ovpn file from your VPN service provider (or Tunnelbear to follow this example). Either it's one file only with certs and keys included, or a client config file along with separate key and certificate files. If the files are not included in one (1) file only, then the other files needs to be referred to in the config file. They probably already are if the VPN provider has chosen to keep them as separate files, but I often want to add absolute paths to those files. This can be added to the config file, i.e. if the config file includes references to other needed files like this:
ca CACertificate.crt
cert UserCertificate.crt
key PrivateKey.key

... I use to refer to them with their absolute path in the file system, for example:
ca /etc/openvpn/CACertificate.crt
cert /etc/openvpn/UserCertificate.crt
key /etc/openvpn/PrivateKey.key

The config file mentioned above can really be stored anywhere in the file system of the Nano. I usually put it in one of the following directories:

but... since we are automating this, the config file will be put in a directory so that OpenVPN can find it when running as a service, put it in:
and name it:

It's time to verify that the OpenVPN connection works (you will be prompted for username and password to be entered manually for now).
openvpn --config /etc/openvpn/openvpn.conf
or, simply
openvpn /etc/openvpn/openvpn.conf

If this works, i.e. that you reach the treasure chest at the end of the rainbow = "Initialization Sequence Completed", then you are successful in connecting via VPN and can try to automate this further.

VPN username and password can be stored in a file and be referred to in the OpenVPN config file. Doing this will skip the need of manually entering the VPN credentials which is good for automation 🙂 Be aware though, since this obviously will expose your VPN credentials in the Pineapple file system!

Create a file in /etc/openvpn called openvpn.auth

Edit the file and put the VPN username on line 1, and the VPN password on line 2, nothing more, nothing less.

Now, edit the OpenVPN config file and add the path to the auth-file that was just created to the line that says auth-user-pass so that it looks like:
auth-user-pass /etc/openvpn/openvpn.auth

Also add auth-nocache to the config file to stop passwords from being cached in memory.

Now, be very sure that everything works as expected. You may end up in a endless boot-loop that will run until Judgment Day if including a non working VPN setup in an autostart scenario. In that case you will have to go through the recovery procedure of the Pineapple that brings it back to the Stone Age and you will need to upgrade the Nano to 2.7.0 again and also stand with empty hands as all the data and settings that wasn't backed up on the Nano will be lost. For me, that is like the Pepsi Max commercial... "been there, done that" 🙂

OK, so now there should be a working VPN setup that is also doing the login automatically without putting strain on any human fingertips.

Enable the OpenVPN service so that it starts at boot up:
/etc/init.d/openvpn enable
If in need of not having the VPN tunnel to start at boot for some reason, then use:
/etc/init.d/openvpn disable

Start the service
/etc/init.d/openvpn start
it can be stopped with
/etc/init.d/openvpn stop

Now check with ifconfig that you get a tun interface

Running ps should also show that OpenVPN is up using the config file created
/usr/sbin/openvpn --syslog openvpn(openvpn) --status /var/run/openvpn.openvpn.status --cd /etc/openvpn --config /etc/openvpn/openvpn.conf

Restart the device/Pineapple to make sure that the OpenVPN service autostarts at boot and creates a tun interface (ps and ifconfig)

The routing should be automatically set up for you, but some VPN services can be a struggle to set up to enable this. Most likely because of how the OpenVPN server on the other side is set up, but also because of the fact that the number of possible local interfaces on the device confuses OpenVPN a bit. I have experienced hair-pulling scenarios with some providers, while other works out of the box with the provided OpenVPN configuration file(s). If not routing correctly through the tunnel interface/VPN service, all traffic will get stuck and not moving forward to the internet.

Also note that some VPN providers use encryption that OpenWRT (or the Nano specifically) can't handle out of the box. This will be "loud and clear" though when trying to connect to your VPN service using OpenVPN. It will just interrupt the connection process telling you that the server mandatory ciphers (or such) aren't supported, for example cipher aes-256-cbc.

Edited by chrizree
Link to post
Share on other sites

Yes, the configuration for the client is most often supplied by the VPN service provider (such as ExpressVPN) as an ovpn file.

Link to post
Share on other sites

When I ran the openvpn /etc/openvpn/openvpn.conf  command; this is what the process that the nano took, but it failed.

Sat Oct 10 00:35:39 2020 library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Enter Auth Username:********
Enter Auth Password:*********
Sat Oct 10 00:36:52 2020 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-ce             rt-tls instead.
Sat Oct 10 00:36:52 2020 Outgoing Control Channel Authentication: Using 512 bit              message hash 'SHA512' for HMAC authentication
Sat Oct 10 00:36:52 2020 Incoming Control Channel Authentication: Using 512 bit              message hash 'SHA512' for HMAC authentication
Sat Oct 10 00:36:53 2020 TCP/UDP: Preserving recently used remote address: [AF_I             NET]
Sat Oct 10 00:36:53 2020 Socket Buffers: R=[163840->327680] S=[163840->327680]
Sat Oct 10 00:36:53 2020 UDP link local: (not bound)
Sat Oct 10 00:36:53 2020 UDP link remote: [AF_INET]
Sat Oct 10 00:36:53 2020 TLS: Initial packet from [AF_INET], sid             =5d24a25c 47a0d958
Sat Oct 10 00:36:53 2020 WARNING: this configuration may cache passwords in memo             ry -- use the auth-nocache option to prevent this
Sat Oct 10 00:36:53 2020 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=Expr             essVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Sat Oct 10 00:36:53 2020 VERIFY OK: nsCertType=SERVER
Sat Oct 10 00:36:53 2020 VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=Expr             essVPN, CN=Server-5357-1a, emailAddress=support@expressvpn.com
Sat Oct 10 00:36:53 2020 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=Expr             essVPN, CN=Server-5357-1a, emailAddress=support@expressvpn.com
Sat Oct 10 00:36:53 2020 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GC             M_SHA384, 2048 bit RSA
Sat Oct 10 00:36:53 2020 [Server-5357-1a] Peer Connection Initiated with [AF_INE             T]
Sat Oct 10 00:36:54 2020 SENT CONTROL [Server-5357-1a]: 'PUSH_REQUEST' (status=1             )
Sat Oct 10 00:36:54 2020 PUSH: Received control message: 'PUSH_REPLY,redirect-ga             teway def1,dhcp-option DNS,comp-lzo no,route,topology net3             0,ping 10,ping-restart 60,ifconfig,peer-id 20,cipher AES             -256-GCM'
Sat Oct 10 00:36:54 2020 OPTIONS IMPORT: timers and/or timeouts modified
Sat Oct 10 00:36:54 2020 OPTIONS IMPORT: compression parms modified
Sat Oct 10 00:36:54 2020 OPTIONS IMPORT: --ifconfig/up options modified
Sat Oct 10 00:36:54 2020 OPTIONS IMPORT: route options modified
Sat Oct 10 00:36:54 2020 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options              modified
Sat Oct 10 00:36:54 2020 OPTIONS IMPORT: peer-id set
Sat Oct 10 00:36:54 2020 OPTIONS IMPORT: adjusting link_mtu to 1629
Sat Oct 10 00:36:54 2020 OPTIONS IMPORT: data channel crypto options modified
Sat Oct 10 00:36:54 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
Sat Oct 10 00:36:54 2020 NCP: overriding user-set keysize with default
Sat Oct 10 00:36:54 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized              with 256 bit key
Sat Oct 10 00:36:54 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized              with 256 bit key

Link to post
Share on other sites

What happens after the last line of the output of the OpenVPN connection attempt is shown? Can you access the Nano? Is it responsive in the way that you get back to the command line prompt or is it stuck? Do you have to reconnect to the Nano using SSH? Does the LED of the Nano turn off and then start blinking?

Edited by chrizree
Link to post
Share on other sites

OK, then you have the exact same scenario as me, i.e. you have never had any VPN connection successfully working even though the Nano web GUI has indicated the opposite. There should be no need to wipe anything, a reboot will get the Nano back where it was before issuing the command.

Link to post
Share on other sites

Do you mean known "ordinary" wireless networks? It's possible in the WiFi Pineapple web interface. I always have my Nano to connect to one of my own networks when in reach. I use the USB port for an additional WiFi adapter (wlan2) and let it connect to provide the Nano with an internet connection without interfering with the Nano functionality using the onboard radios (wlan0 and wlan1). It's for sure possible to use one of the onboard radios but, as said, it might reduce the functionality of the Nano. It all depends on how you use the Pineapple. It might not be a problem in your specific case.

Link to post
Share on other sites

I tried going through the steps again. A new issue pop'd up. Whenever I reboot the nano, It seems like the nano is trying to open a captive portal... but it just opens a browser up to msn.com.... what is this?

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Create New...