VPN Manager for OpenVPN


  • It has been asked before and it's not going to happen as it's a problem largely unique to Nord. Most providers appear to provide a single domain name to encapsulate a bunch of servers across which they load balance (or at least give that option). Nord prefer to surface all of the servers via 1500 of opvn files, containing 1500 different IP addresses, which they frequently change. If they decide to move things around (maybe to avoid VPN blocking), then their users have to go refresh their ovpn files (or use the new IP addresses). If users don't want to use their app, then Nord should provide a better way of using their service (in my opinion) like other VPNs.


    If Nord are now doing things differently, I'll revisit how it's supported. If they're still doing this, then nothing is gonna change here.


    Yes I thought as much. :) I have been in touch with NordVPN and unfortunately they dont provide loadbalancers other than through their applications.

  • 2.7.1 is on the repo and GitHub. It's a minor update that allows some default files to be overridden.


    It's relatively uninteresting right now but will allow certs, etc to be updated when they change without waiting for me to update them within the add-on. Most users just shouldn't try and do this, but if you want to break things then it's documented on the wiki

  • - - - - openvpn.log start - - - -


    Thu Mar 2 20:50:35 2017 WARNING: file '/storage/.kodi/addons/service.vpn.manager/Windscribe/ta.key' is group or others accessible
    Thu Mar 2 20:50:35 2017 WARNING: file '/storage/.kodi/addons/service.vpn.manager/Windscribe/pass.txt' is group or others accessible
    Thu Mar 2 20:50:35 2017 OpenVPN 2.4.0 armv8a-libreelec-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [AEAD] built on Feb 22 2017
    Thu Mar 2 20:50:35 2017 library versions: LibreSSL 2.4.4, LZO 2.09
    Thu Mar 2 20:50:35 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]207.244.67.1:443
    Thu Mar 2 20:50:35 2017 UDP link local: (not bound)
    Thu Mar 2 20:50:35 2017 UDP link remote: [AF_INET]207.244.67.1:443
    Thu Mar 2 20:50:35 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Thu Mar 2 20:50:35 2017 VERIFY ERROR: depth=1, error=format error in certificate's notAfter field: C=CA, ST=ON, L=Toronto, O=Windscribe Limited, OU=Operations, CN=Windscribe Node CA
    Thu Mar 2 20:50:35 2017 OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Thu Mar 2 20:50:35 2017 TLS_ERROR: BIO read tls_read_plaintext error
    Thu Mar 2 20:50:35 2017 TLS Error: TLS object -> incoming plaintext read error
    Thu Mar 2 20:50:35 2017 TLS Error: TLS handshake failed
    Thu Mar 2 20:50:35 2017 SIGUSR1[soft,tls-error] received, process restarting


    - - - - openvpn.log finish - - - -


    This is what I'm commonly getting when trying to connect via Windscribe. I'm able to use OpenVPN on Android. The CRT and KEY in your add-on match the ones Windscribe gave me. I try to google these errors and get really lost. I don't expect you to look deeply into this, but if there's a simple troubleshoot or two you can guess from this log ... then you would make my day.


    Cheers, and thank you for your hard work.

  • Windscribe are probably using a certificate with a validity date beyond 2038 which hits a known issue in LibreSSL on 32-bit platforms that will not be fixed (not seen as a bug according to LibreSSL devs). If my guess is correct, your options are a) picking another VPN provider, or b) asking Windscribe to issue a cert with shorter validity period.


  • - - - - SSH attempt - - - -


    LibreELEC:~ # openvpn --client --dev tun --proto udp --remote us-east.windscribe
    .com 80 --nobind --auth-user-pass --resolv-retry infinite --auth SHA512 --cipher
    AES-256-CBC --keysize 256 --comp-lzo --verb 2 --mute-replay-warnings --ns-cert-
    type server --persist-key --persist-tun --key-direction 1 --ca /storage/.kodi/us
    erdata/ca.crt
    Thu Mar 2 21:20:10 2017 OpenVPN 2.4.0 armv8a-libreelec-linux-gnueabi [SSL (Open SSL)] [LZO] [LZ4] [EPOLL] [AEAD] built on Feb 22 2017
    Thu Mar 2 21:20:10 2017 library versions: LibreSSL 2.4.4, LZO 2.09
    Enter Auth Username:Crucial_hb58agwz
    Enter Auth Password:
    Thu Mar 2 21:20:58 2017 TCP/UDP: Preserving recently used remote address: [AF_I NET]207.244.67.1:80
    Thu Mar 2 21:20:58 2017 UDP link local: (not bound)
    Thu Mar 2 21:20:58 2017 UDP link remote: [AF_INET]207.244.67.1:80
    Thu Mar 2 21:21:58 2017 TLS Error: TLS key negotiation failed to occur within 6 0 seconds (check your network connectivity)
    Thu Mar 2 21:21:58 2017 TLS Error: TLS handshake failed
    Thu Mar 2 21:21:58 2017 SIGUSR1[soft,tls-error] received, process restarting


    - - - - /ssh - - - -


    S905X-based box. mali-450 gpu, 2/8gb, 10/100 lan (T95N Mini M8S Pro) Running LE 8.0c


    after I read up on the validity dates, and I'm only a monthly subscriber... it might be time to find a new vpn.

  • 1. The connection is handled by systemd before Kodi launches. It doesn't matter than the add-on is not running. When the add-on is up and running it'll look to see if there's a VPN connection active (based on whether the openvpn task is running) and then "guess" what it's connected to (ie the first validated connection).


    2. You can look at pushing a dhcp-option to set the DNS via an up script - using up scripts are documented on the add-on wiki and dhcp-option is documented in the openvpn docs. Or you can always use a particular DNS by setting it within Libreelec - I'm not in front of a box tho so you can google how to do that. You can either use the DNS that your VPN provider gives you or just use google's own DNS servers. I'd probably just set it up to use google's for simplicity like apc is suggesting above.


    Hi Zomboided,


    About point 1) when I restart Kodi, as soon as it starts booting up, I quickly SSH into it and I run "netstat -tn", I can see that there is a connection to the weather forecast server (triggered by Kodi's addon) which is carried out from the LAN IP address, and not from VPN's IP.


    Later refreshes of the weather forecast show that the connection is then made from the VPN's IP.


    I'm sorry to ask again, I just want to make sure I understand it correctly. Thanks in advance.

    Edited once, last by botafuco ().

  • I run with this option on myself. If I do a ps -ef, I see this:
    306 root 0:00 /usr/sbin/openvpn --daemon --config /storage/.config/openvpn.config
    which tells me that the VPN service has started as part of the systemd process. If you see a different --config, then systemd has not started it.
    The debug log tells me the same thing. And the routing table looks fine.


    The service waits for the network to be available and it uses 'WantedBy kodi.target' to request that Kodi waits for it to be run (I think...).
    However, the service is forked and if it takes ages for the VPN connection to start then I guess it's possible that there's a race condition and Kodi will go on to initialize and start running add-ons before the VPN is available. For my install it looks like Kodi spends 3-4 seconds starting before the weather add-on and VPN Mgr kicks in (which is ample time for my VPN connection to start). Yours might be starting quicker as it's doing different/less things.

    Edited once, last by zomboided ().

  • Thank you for the feedback, zomboided. I checked the process for openvpn and it matches yours. So all good!


    Indeed it seems to be a question of race condition and VPN taking a while to connect. Also maybe it's worth mentioning that I'm on WIFI only, which may add additional delay for the network to come up.


    I do want to say anyway that I'm very happy with the addon of course! :) I appreciate your work very much.

  • jahutchi from thread-4067-post-38733.html#pid38733


    It works like that by design, otherwise it switches at random(ish) times and switches back again.


    Your stop idea will only work if you quit out of the add-on too, which you could do using Kodi commands to go to the main window (I think). But it'd be crap if you wife was binge watching 'Call the Midwife' (check out my stereotyping). Otherwise next time the window changes it'll see it's iPlayer and catch the filter to disconnect.


    Likewise doing it on a timer won't work for the same reason as you've noted. Might be more friendly to force the window to the main window at 1am though.


    Having your scripts control it directly might work if you pause and restart the filtering around a connect (all using the API). There's also the fake option, which I added for when I wanted to control the VPN outside of Kodi myself without wanting to mess with settings inside Kodi. I can't think how you'd use that effectively here, but I don't really know what your scripts are doing.


    I started looking at IPTV recently and the right way is for the add-on to recognise where the source is and for me to add a filtering API for them to use. Probably won't happen as there seem to be lots of differing IPTV options.


    Maybe I'll look to see if I can detect Live TV and switch based on that. I think I looked at this before and concluded I couldn't.


    I'd also (I have) set up a cycle button and use that to reconnect or check, but I agree it's not wife-friendly.

    Edited once, last by zomboided ().

  • Hi zomboided, thanks for your great work on VPN add-on!
    I have a problem connecting to ExpressVPN. My configuration:
    ca.crt and ta.key inside the addons/service.vpn.manager/ExpressVPN folder user.key and user.crt (tried also alternatively with client.key and client.crt) into userdata/addon_data/service.vpn.manager/ExpressVPN
    These files were downloaded directly from my account from Expressvpn as well as the username and password.
    Trying to connect I always get this log:
    00:20:52.443 T:1510994848 NOTICE: Tue Mar 7 00:20:49 2017 OpenVPN 2.4.0 armv7ve-libreelec-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [AEAD] built on Feb 17 2017
    00:20:52.443 T:1510994848 NOTICE: Tue Mar 7 00:20:49 2017 library versions: LibreSSL 2.4.4, LZO 2.09
    00:20:52.443 T:1510994848 NOTICE: Tue Mar 7 00:20:49 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]136.0.2.195:1195
    00:20:52.444 T:1510994848 NOTICE: Tue Mar 7 00:20:49 2017 UDP link local: (not bound)
    00:20:52.444 T:1510994848 NOTICE: Tue Mar 7 00:20:49 2017 UDP link remote: [AF_INET]136.0.2.195:1195
    00:20:52.444 T:1510994848 NOTICE: Tue Mar 7 00:20:49 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    00:20:52.444 T:1510994848 NOTICE: Tue Mar 7 00:20:51 2017 VERIFY ERROR: depth=0, error=format error in certificate's notAfter field: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-1580-1a, [email protected]
    00:20:52.444 T:1510994848 NOTICE: Tue Mar 7 00:20:51 2017 OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    00:20:52.444 T:1510994848 NOTICE: Tue Mar 7 00:20:51 2017 TLS_ERROR: BIO read tls_read_plaintext error
    00:20:52.444 T:1510994848 NOTICE: Tue Mar 7 00:20:51 2017 TLS Error: TLS object -> incoming plaintext read error
    00:20:52.444 T:1510994848 NOTICE: Tue Mar 7 00:20:51 2017 TLS Error: TLS handshake failed
    00:20:52.444 T:1510994848 NOTICE: Tue Mar 7 00:20:51 2017 SIGUSR1[soft,tls-error] received, process restarting
    00:20:52.444 T:1510994848 NOTICE: VPN Mgr : (platform.py) <<< VPN log file end
    00:20:53.516 T:1510994848 ERROR: VPN Mgr : (common.py) Error connecting to VPN, could not estabilish connection.
    Check your username, password and network connectivity and retry.
    I'm using Libreelec 8.0.0 or Rasperry pi 3
    Using the same data with the normal OpenVPN client on a Windows 10 PC I can connect without any problem.


    Please help


    Mike

  • miketyson


    If you're trying to put random files in directories yourself, stop. Reinstall it. Let the add-on run, and when asked to supply a key, point the GUI at the the relevant ovpn.
    If it doesn't work after you've done this then get a FULL Kodi log (on pastebin) and I'll look.

    Edited once, last by zomboided ().


  • jahutchi from thread-4067-post-38733.html#pid38733


    Maybe I'll look to see if I can detect Live TV and switch based on that. I think I looked at this before and concluded I couldn't.


    That would be great if it were possible - I'm using TVHeadend here.


    In the meantime I've been looking at the API but can't find a way to achieve what I'm after.


    I only want to reconnect the VPN if I'm sure that one of the filtered addons is not running e.g. BBCiPlayer... but I can't see any way to reliably detect that. Also, obviously if the wife hits stop then she is still within BBCiPlayer and may then try playing another program... so forcing the VPN to reconnect when the stop button is pressed is probably not the way to go.


    Looks like we're in a bit of a catch 22 situation.... We do use Live TV all the time so if there's any way to detect that LiveTV is playing and re-establish the VPN connection at that point then I'm all ears.

    Edited once, last by jahutchi ().

  • jahutchi as you're clearly not a basic user, please do an experiment for me.


    ssh onto your Kodi box. cd /storage/.kodi/addons/service.vpn.manager
    Edit service.py


    Line 565(ish...) has this:
    current_name = xbmc.getInfoLabel("Container.FolderName")
    straight after it add
    window_id = xbmcgui.getCurrentWindowId()
    newPrint("Window ID is " + str(window_id))


    It's python, so you'll need to space out the indent (not tab) and line it up with the preceding line.


    Reboot (this bit is necessary to pick up the change), wait for the VPN to connect then go to live TV. Then stop with the GUI check out the Kodi log via SSH (/storage/.kodi/temp/kodi.log). You should multiple messages that look like this :
    22:53:56 T:10076 ERROR: Window ID is 10617


    I need you to identify the number shown after you switch to live TV. My guess is that it'll be the last one you see, and maybe there will be multiple, like one every 10 seconds or so. What's the number at the end? You'll also see a bunch of other messages with different numbers (likely 10000) before it. You can ignore these.


    Then back to the GUI and play around with Live TV, opening streams, going to records, whatever you do and then look at the log again. What other numbers do you see? I'm trying to establish if Live TV (and radio) always uses the 10600 - 10699 range.


    If they are in the range I'm guessing, then go back to the service.py file.
    Delete this line of the change you made above :
    newPrint("Window ID is " + str(window_id))
    and replace it with :
    if window_id > 10600 and window_id < 10699: current_name = "Live TV"


    Now reboot and try using your system. In my testing, I see this working fine, but I'm using the demo PVR and the simple PVR to test with, not TVheadend. If I use iVue, it doesn't work as it's not a PVR add-on and uses a custom window ID. Can you also do other stuff, like use other filtered add-ons that need a differnet VPN and check that the Live TV will always revert to your primary too please?


    Let me know what you find out. If this works you can keep running with it for the time being.

    Edited once, last by zomboided ().


  • Hi
    How can I stop and start the VPN from an ssh session?
    Thanks


    If you do this using kill and openvpn you'll be battling with the add-on doing the same thing in response to whatever is going on in Kodi. If you want to do this then you'll need to either not use the add-on or look at whether you can do what you need to do via the API (documented on the wiki), by suspending the filtering and disconnecting/reconnecting or by faking the connection and just using the openvpn commands directly (this is what I'd recommend)

  • zomboided


    I'll play around with the code as you suggest when I get chance... in the meantime this link http://kodi.wiki/view/Window_IDs does seem to confirm your theory that Window ID's in the range of 10600-10699 are for various PVR functions - though it looks like 10600-10610 are the only ones currently assigned. Looking at that list, I wonder whether we may want to also add 10700 -10799?

    Edited once, last by jahutchi ().