TrustConnect client for RedHat and Ubuntu systems

Hello and thank you very much for helping me out.

I have followed your instructions: I have downloaded and added ca.crt and free_client.conf to the /etc/openvpn folder.

I have certain doubts with respect to Step 6.

*** Where do I add “route DNS_IP 255.255.255.255 net_gateway” in free_client.conf? Should I add it at the end or is there a particular place in the mentioned file where I have to add it?

*** and same thing with the log file… ?

I have added what you had asked - I copied two DNS IPs from resolv.conf to free_client.conf at the end of the file but when I run sudo /etc/init.d/openvpn start I get “fail”.

I would greatly appreciate it if you could help me with where to make changes in free_client.conf and in what order?

Thanks again

*** Where do I add "route DNS_IP 255.255.255.255 net_gateway" in free_client.conf? Should I add it at the end or is there a particular place in the mentioned file where I have to add it?
You may put these lines anywhere in the free_client.conf, and at the end of the file, too. For example:

client
dev tap
proto tcp

remote uk2.vpn.comodo.com 443
remote-random

auth-user-pass
resolv-retry infinite
nobind
persist-key
persist-tun
pull
remap-usr1 SIGTERM

ca ca.crt
ns-cert-type server
tls-remote ComodoVPNS

mute-replay-warnings
mute 2
comp-lzo
verb 1

route 192.168.25.1 255.255.255.255 net_gateway
route 192.168.20.1 255.255.255.255 net_gateway

log /var/log/openvpn.log


Okay… I edited the free_client.conf as instructed; I started “sudo /etc/init.d/openvpn start”, it asked for username and password which I provided (the one I used on CTC Client in Windows)… I got [ OK ], then I rechecked “sudo /etc/init.d/openvpn status”… and I get “* VPN ‘free_client’ is running”.

And when I tried to browse to any website, Firefox says it did not find the SERVER at the respective website (SERVER NOT FOUND).

I had also disabled ufw via gufw and tried to connect to web but without any success.

What more do I need to do? or what am I doing wrongly? Please assist me in resolving this.

Regards…

Seems like hostname cannot be resolved.
Please, start OpenVPN and try to ping some site from a console and give us the output. Also, please, give the output of the following commands:

iptables -L -nv

route -nv

Please, send me in private messages the following files:
free_client.conf
/etc/resolv.conf
Also, tell what OpenVPN client version you have. You can find this out with the following command:
openvpn --version

Also be so kind to tell me how do I ascertain that I am connected to CTC, if I am connected?
Start OpenVPN and enter route -nv. You should see something like on the screenshot. Red underlined - TrustConnect VPN default gateway. You will be able to access it: ping 172.20.2.1. Also, you may execute the ifconfig command and see the TAP interface in the network interfaces list.

[attachment deleted by admin]

Need help in configuring and using CTC Free Account for FEDORA16_64.

The Ubuntu method is not working on Fedora. The instructions provided in the TrustConnect Windows Client Configuration Guide are not much of a help.

Please help me use my Free CTC account on Fedora.

Setting up Trust Connect free on Linux using openVPN client

  1. Log in to your system as root.

  2. Make sure that you have the OpenVPN client installed in your system. Check it, for example, by the command “which openvpn” (you should be root).
    You should get the path to openvpn. If you don’t have the OpenVPN client, install it: “yum install openvpn”

  3. Download config file. If you have free account:
    http://download.comodo.com/trustconnect/free_client.conf
    For paid subscription or 7 day trial:
    https://accounts.comodo.com/download/trustconnect/client.conf

  4. Download CA certificate: https://accounts.comodo.com/download/trustconnect/ca.crt

  5. Put config and certificate into /etc/openvpn/ (for example)

  6. To connect to TrustConnect enter the command: “openvpn --config /etc/openvpn/free_client.conf --ca /etc/openvpn/ca.crt”
    You will be prompted for Service Login and Service Password.

    To disconnect, press Ctrl-C in this console.

  7. If you get something like “Firefox can’t find the server at…” after connecting,
    try to add the following line into /etc/openvpn/free_client.conf:

route DNS_IP 255.255.255.255 net_gateway

where DNS_IP - your DNS server’s IP (see /etc/resolv.conf)
and net_gateway - the pre-defined constant, which means in terms of openVPN-client the network default gateway.

example:

route 192.168.1.77 255.255.255.255 net_gateway

Thank you very much, dlimonov. I didn’t know that ca.crt has to be run too. That did the trick.

I have installed Arch Linux 64bit on one of my PCs. I am trying to configure CTC to work with OpenVPN. I know that CTC works with Fedora and Ubuntu - I have them both on my other computers. I want to get it to work with Arch.

Here is what I have done so far: I have followed the instructions on this thread to add free_client.conf and ca.crt to /etc/openvpn, after which I tested by running openvpn and I get the following ERRORS as reported in /var/log/openvpn.log:

Fri May 11 17:32:00 2012 OpenVPN 2.2.2 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Jan  3 2012
Fri May 11 17:32:22 2012 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Fri May 11 17:32:22 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri May 11 17:32:22 2012 LZO compression initialized
Fri May 11 17:32:22 2012 Attempting to establish TCP connection with 91.212.12.68:443 [nonblock]
Fri May 11 17:32:23 2012 TCP connection established with 91.212.12.68:443
Fri May 11 17:32:23 2012 TCPv4_CLIENT link local: [undef]
Fri May 11 17:32:23 2012 TCPv4_CLIENT link remote: 91.212.12.68:443
Fri May 11 17:32:23 2012 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri May 11 17:32:26 2012 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=UA/L=Odessa/O=Comodo/OU=CSP/CN=Comodo_CA/emailAddress=csp[at]comodo.od.ua
Fri May 11 17:32:26 2012 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Fri May 11 17:32:26 2012 NOTE: --mute triggered...
Fri May 11 17:32:26 2012 2 variation(s) on previous 2 message(s) suppressed by --mute
Fri May 11 17:32:26 2012 Fatal TLS error (check_tls_errors_co), restarting
Fri May 11 17:32:26 2012 SIGTERM[soft,tls-error] received, process exiting

As you can see in the above log I am able to connect to 91.212.12.68:443. I have also tried everything this WIKI had to offer and several times. And each time I get the exact same errors. I am afraid I am missing something or doing something wrong. Can you please take a look at it? Help me understand the issue and please guide me to the solution.

THANKS

I got it working.

Sat May 12 21:25:06 2012 OpenVPN 2.2.2 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Jan  3 2012
Sat May 12 21:25:17 2012 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Sat May 12 21:25:17 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat May 12 21:25:17 2012 LZO compression initialized
Sat May 12 21:25:18 2012 Attempting to establish TCP connection with 91.212.12.68:443 [nonblock]
Sat May 12 21:25:19 2012 TCP connection established with 91.212.12.68:443
Sat May 12 21:25:19 2012 TCPv4_CLIENT link local: [undef]
Sat May 12 21:25:19 2012 TCPv4_CLIENT link remote: 91.212.12.68:443
Sat May 12 21:25:19 2012 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat May 12 21:25:24 2012 [ComodoVPNS-3] Peer Connection Initiated with 91.212.12.68:443
Sat May 12 21:25:26 2012 TUN/TAP device tap0 opened
Sat May 12 21:25:26 2012 /usr/sbin/ip link set dev tap0 up mtu 1500
Sat May 12 21:25:26 2012 /usr/sbin/ip addr add dev tap0 xxx.xx.2.8/24 broadcast xxx.xx.2.255
Sat May 12 21:25:26 2012 Initialization Sequence Completed

I had to create and execute update-resolv-conf and also redownloaded and replaced free_client.conf and ca.crt.

So, CTC free works on ArchLinux too.

DEPRECATED OPTION: --tls-remote, please update your configuration

I am having a problem connecting to CTC because of the deprecated --tls-remote option.
I am on Ubuntu 15.04.

OpenVPN seems to have deprecated the ‘--tls-remote’ option and consequently CTC is not connecting.

The following from openvpn manpage clarifies that:

--tls-remote name (DEPRECATED) Accept connections only from a host with X509 name or common name equal to name. The remote host must also pass all other tests of verification.
NOTE: Because tls-remote may test against a common name prefix, only use this option when you are using OpenVPN with a custom CA certificate that is under your control. Never use this option when your client certificates are signed by a third party, such as a commercial web CA.

Name can also be a common name prefix, for example if you want a client to only accept connections to "Server-1", "Server-2", etc., you can simply use --tls-remote Server

Using a common name prefix is a useful alternative to managing a CRL (Certificate Revocation List) on the client, since it allows the client to refuse all certificates except for those associated with designated servers.

--tls-remote is a useful replacement for the --tls-verify option to verify the remote host, because --tls-remote works in a --chroot environment too.

Please also note: This option is now deprecated. It will be removed either in OpenVPN v2.4 or v2.5. So please make sure you support the new X.509 name formatting described with the --compat-names option as soon as possible by updating your configurations to use --verify-x509-name instead.

--verify-x509-name name type
Accept connections only if a host’s X.509 name is equal to name. The remote host must also pass all other tests of verification.

Which X.509 name is compared to name depends on the setting of type. type can be "subject" to match the complete subject DN (default), "name" to match a subject RDN or "name-prefix" to match a subject RDN prefix. Which RDN is verified as name depends on the --x509-username-field option. But it defaults to the common name (CN), e.g. a certificate with a subject DN "C=KG, ST=NA, L=Bishkek, CN=Server-1" would be matched by:

--verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1' and --verify-x509-name Server-1 name or you could use --verify-x509-name Server- name-prefix if you want a client to only accept connections to "Server-1", "Server-2", etc.

--verify-x509-name is a useful replacement for the --tls-verify option to verify the remote host, because --verify-x509-name works in a --chroot environment without any dependencies.

Using a name prefix is a useful alternative to managing a CRL (Certificate Revocation List) on the client, since it allows the client to refuse all certificates except for those associated with designated servers.

NOTE: Test against a name prefix only when you are using OpenVPN with a custom CA certificate that is under your control. Never use this option with type "name-prefix" when your client certificates are signed by a third party, such as a commercial web CA.

I am unable to connect to my free CTC account and I get the following feedback:

Sun Oct  4 15:52:59 2015 DEPRECATED OPTION: --tls-remote, please update your configuration

I request the forum to help me make appropriate adjustment to the configuration and get the CTC going…

Regards.

Hi,
Still need help in updating the free_client.conf file to work with openvpn 2.4 in Linux.
Since the latest openvpn upgrade to 2.4 in Linux, CTC is unusable and requires me to upgrade the said file with relevant changes.

I hope someone at Comodo can help me now (my previous request went unanswered).
CTC is very valuable to me. Any help is gratefully welcome. Please.
Thanks.
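
An added example, not part of any post in this thread and not Comodo's own configuration: a Python sketch that rewrites the `tls-remote` line of the free_client.conf quoted earlier to the `--verify-x509-name` form from the manpage excerpt, choosing the narrowest match type that still accepts the server's CN. It assumes the server still presents a CN like the `ComodoVPNS-3` seen in the 2012 log above; the function names are hypothetical.

```python
import re

# Constructed sample: the verification lines of the free_client.conf quoted in this thread.
OLD_CONF = "ca ca.crt\nns-cert-type server\ntls-remote ComodoVPNS\nverb 1\n"

TLS_REMOTE = re.compile(r"^\s*tls-remote\s+(.+?)\s*$")


def x509_name_matches(peer_cn, name, match_type):
    """CN comparison for the 'name' and 'name-prefix' types described in the manpage."""
    if match_type == "name":
        return peer_cn == name
    if match_type == "name-prefix":
        return peer_cn.startswith(name)
    raise ValueError(f"unsupported type: {match_type}")


def migrate_tls_remote(conf_text, peer_cn):
    """Replace 'tls-remote NAME' with the narrowest verify-x509-name that accepts peer_cn.

    peer_cn is the server CN you observed, e.g. the bracketed name in the
    'Peer Connection Initiated' log line. Hypothetical helper, not an OpenVPN tool.
    """
    out = []
    for line in conf_text.splitlines():
        m = TLS_REMOTE.match(line)
        if not m:
            out.append(line)  # every other directive is left untouched
            continue
        name = m.group(1).strip("\"'")
        if "=" in name:
            # A full subject DN is formatted differently by the new option: convert by hand.
            raise ValueError("tls-remote holds a subject DN; convert it manually")
        # Prefer the exact match; fall back to a prefix only when the CN requires it.
        for match_type in ("name", "name-prefix"):
            if x509_name_matches(peer_cn, name, match_type):
                out.append(f"verify-x509-name {name} {match_type}")
                break
        else:
            raise ValueError(f"{name!r} does not match observed CN {peer_cn!r}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # 'ComodoVPNS-3' is the CN in the 2012 log above; check it against your own log.
    print(migrate_tls_remote(OLD_CONF, "ComodoVPNS-3"), end="")
```

With type `name`, a server whose CN is `ComodoVPNS-3` would be rejected, which is why the prefix type is selected for that input; the manpage's caution about prefixes applies, so the `ca ca.crt` line stays in place.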