OpenVPN on LibreELEC (Krypton) v7.90.004 ALPHA on a Raspberry Pi 2

  • Hi.
    I'm trying to connect to Hide.me VPN service with OpenVPN on LibreELEC (Krypton) v7.90.004 ALPHA on a Raspberry Pi 2.
    I have this error:


    May be some Root CA missed in LibreSSL?

    Just for your info, with OpenELEC 6.0.3 and with LibreELEC (Jarvis 16.1) v7.0.2 I was able to connect with the exactly same .ovpn file.

    I hope in your help.
    Thanks.

    Edited once, last by outcave (September 14, 2016 at 10:20 AM).


  • The error says the certificate notAfter time is invalid, so either there is bad data in the certificate (unlikely if the same cert works on 7.0.2) or maybe the device date/time is incorrect which causes an odd result.

    The DATE and TIME of RPI2 are correct (via NTP)

  • The DATE and TIME of RPI2 are correct (via NTP)

    Hi again.
    The problem is LibreSSL 2.3.x (inside LibreELEC v7.90.004 ALPHA and next versions) that on the Raspberry Pi (and also on all 32 bit operating system) will not works with certificate that will expires after 2038 due to "Year 2038 bug".

    See here: LibreELEC Testbuilds for RaspberryPi (Kodi 17.0)

    Hope in a FIX.

    Edited once, last by outcave (September 12, 2016 at 10:32 AM).

  • Hi outcave,

    I am struggling with the same problem. Did you have any success with contacting hide.me?
    I already contacted my vpn IPVanish and sadly they can not provide me with a crt ending before y2038..
    so i am looking for one who can but at the moment without success

  • Hello,

    for an long time i got the same problems on hide.me

    On the openelec forum there is an addon developer "zomboided".
    He create an vpnmanager which got a lot of vpn provider inside.

    Here is the thread:
    OpenELEC Mediacenter - OpenELEC Forum - VPN Manager for OpenVPN (1/63)

    I was a long time in contact with him to gettin work with hide.me. But without success. Provider says the system wont working with this
    addon.

    Now i am at torguard and all working perfect.

    IPVanish are working too with this addon.

    Read please the thread of zomboided. There is an good tut how it works.


    P.S. addon works in libreelec too. I got it on Krypton. Works perfect

    Edited once, last by hackbird (September 11, 2016 at 4:57 PM).

  • hey,
    im using the vpnmanager from zomboided, but after the krypton update ipvanish couldnt connect any more.
    They told me they can not change their certificate.. I found AirVPN today and theirs is only valid until 2024 so everything it working again now

  • Hi guys.
    Please no make confusion :) .

    The Certificate problem is on all versions of LibreELEC v7.90.004 ALPHA and next versions because these versions has inside the newest version of LibreSSL. These new versions of LibreSSL does not work with Certificate that will expire after year 2038 on 32 bit operating system (such as Raspberry Pi 2). It seems that LibreSSL does not want to solve this issue and it seems that also LibreELEC does not want to switch to OpenSSL (OpenSSL works fine also on 32 bit operating system, so OpenSSL is OK on Raspberry Pi).

    So the problem is not Hide.me, is not IPVanish, is not VPNManager addon. The problem is only LibreSSL on 32 bit operating system.

    Now you have various way to follow to solve the issue:

    1. Contact your VPN "provider" and ask to have a new Certificate (CA) that will expire before 2038. Hide.me is "friendly" and I'm quite sure that will give you a new Certificate if you will explain the problem. So open a Support Ticket on Hide.me website.
    2. Contact LibreELEC team to ask to use OpenSSL instead to use LibreSSL (see these my posts and later: LibreELEC Testbuilds for RaspberryPi (Kodi 17.0))
    3. Contact LibreSSL to ask to solve the issue (I think this is useless, see here: Year 2038 bug on LibreSSL 32bit regression between 2.2.x and 2.3.x · Issue #207 · libressl-portable/portable · GitHub)
    4. Use a more old version of LibreELEC (version 7.0.2 works fine because it uses an old version of LibreSSL) or use OpenELEC 6.0.3 that uses OpenSSL

    Actually I'm using LibreELEC version 7.0.2 with the last version of VPNManager addon made by zomboided and I can connect to Hide.me VPN without problems.

    About Hide.me, there WAS a problem on routing table on OpenELEC / LibreELEC (VPN was connected but all traffic does not go via VPN) now solved since VPNManager addon version 1.9 ("redirect-gateway def1" option was added into VPNManager addon).

    More info about my analysis on routing table for Hide.me see this my post: OpenELEC Mediacenter - OpenELEC Forum - VPN Manager for OpenVPN (38/63)


    Enjoy.

    Edited once, last by outcave (September 12, 2016 at 11:18 AM).


  • So the problem is not Hide.me, is not IPVanish, is not VPNManager addon. The problem is only LibreSSL on 32 bit operating system.

    Actually those providers are a big part of a problem. VPNs are meant to increase security, but certificates with a lifetime spanning decades are ridiculously stupid in a security context.

    About OpenSSL, that is one big pile of a shitty mess and a gigantic bug-fest. Moving away from OpenSSL was one of the best decisions the LE developers have made, so far.

    Edited once, last by Grimson (September 12, 2016 at 1:50 PM).

  • i understood your problem, but im telling you now, i switched from ipvanish to another vpn (they used a >2038 expiry date and couldnt change it) and it works again on LibreELEC v7.90.005 and on the latest kodi 17 millhouse alphas

    i gathered some information about other vpn's if you want to leave hide.me

    these are all in the openvpn manager:
    vpn unlimited - openvpn cert valid until 2023
    ibVPN - 2020
    celo - every 2 years
    AirVPN - 2024

  • i understood your problem, but im telling you now, i switched from ipvanish to another vpn (they used a >2038 expiry date and couldnt change it) and it works again on LibreELEC v7.90.005 and on the latest kodi 17 millhouse alphas

    i gathered some information about other vpn's if you want to leave hide.me

    these are all in the openvpn manager:
    vpn unlimited - openvpn cert valid until 2023
    ibVPN - 2020
    celo - every 2 years
    AirVPN - 2024

    I don't want to leave Hide.me, now I'm using it without problems with LibreELEC version 7.0.2. For the future? May be I will compile OpenSSL and overwrite to LibreSSL ;)


  • I don't want to leave Hide.me, now I'm using it without problems with LibreELEC version 7.0.2. For the future? May be I will compile OpenSSL and overwrite to LibreSSL ;)

    It will fix your VPN, but will also break binary compatibility with everything else that uses SSL (and expects LibreSSL). Not impossible, but not a quick change either. You energies would be more productive figuring out the patch/hack for LibreSSL ..

  • It will fix your VPN, but will also break binary compatibility with everything else that uses SSL (and expects LibreSSL). Not impossible, but not a quick change either. You energies would be more productive figuring out the patch/hack for LibreSSL ..

    Should I find a patch for LibreSSL? And how? LibreSSL actually do not want to resolve it.... How Can I do?
    I expect LibreELEC should take charge and find a solution for it! As it is now LibreELEC do not "work" for certificate with year after 2038: it's a fact...

    Edited once, last by outcave (September 12, 2016 at 8:30 PM).


  • hey,
    im using the vpnmanager from zomboided, but after the krypton update ipvanish couldnt connect any more.
    They told me they can not change their certificate.. I found AirVPN today and theirs is only valid until 2024 so everything it working again now

    Sorry to bug you but do you have instructions on how to get AirVPN working on LibreELEC ? I just installed it and wanted to get my AirVPN connection setup but I'm not having much luck in finding how to set this up on LibreELEC for my pi3.

    Thank you

  • Also got the same issue with my VPN [certificate expiring in 2040] . I asked them if they can provide a certificate that is a bit shorter.

    In meantime, is possible to switch temporarily to openssl ? How difficult for me would be to create a patched version that uses openssl instead of libresssl [considering that I have never built the libreelec but I know linux :P ]?

    Edited once, last by davo22 (February 7, 2017 at 12:53 PM).