How to install and configure OpenVPN?

Djalma Ribeiro

@tom

sh-4.4# ping google.com
PING google.com (142.250.79.238): 56 data bytes
64 bytes from 142.250.79.238: icmp_seq=0 ttl=114 time=63.395 ms
64 bytes from 142.250.79.238: icmp_seq=1 ttl=114 time=63.037 ms
64 bytes from 142.250.79.238: icmp_seq=2 ttl=114 time=62.547 ms
64 bytes from 142.250.79.238: icmp_seq=3 ttl=114 time=66.664 ms
64 bytes from 142.250.79.238: icmp_seq=4 ttl=114 time=63.391 ms
64 bytes from 142.250.79.238: icmp_seq=5 ttl=114 time=64.499 ms
64 bytes from 142.250.79.238: icmp_seq=6 ttl=114 time=68.028 ms
64 bytes from 142.250.79.238: icmp_seq=7 ttl=114 time=75.665 ms
^C--- google.com ping statistics ---
8 packets transmitted, 8 packets received, 0% packet loss
round-trip min/avg/max/stddev = 62.547/65.903/75.665/4.099 ms

tom

@Djalma-Ribeiro Okay perfect, now what is the output when you attempt to connect to the VPN with openvpn --script-security 2 --config myfile.ovpn

Djalma Ribeiro

@tom

Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/connector01_sao_paulo.ovpn

tom

@Djalma-Ribeiro Looks like your path is wrong, you're in /etc/openvpn/openvpn

Djalma Ribeiro

@tom Hmm!!! Very well observed. I thought that was normal.

I copied the files to the openvpn folder and ran the command. Result:

/connector01_sao_paulo.ovpnpn# openvpn --script-security 2 --config /etc/openvpn/
Wed May  4 19:14:41 2022 OpenVPN 2.4.6 [git:HEAD/b3a7f452206607fb] aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  3 2022
Wed May  4 19:14:41 2022 library versions: OpenSSL 1.1.1  11 Sep 2018
Wed May  4 19:14:41 2022 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed May  4 19:14:41 2022 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed May  4 19:14:49 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]209.14.3.200:1194
Wed May  4 19:14:49 2022 Socket Buffers: R=[1048576->1048576] S=[1048576->1048576]
Wed May  4 19:14:49 2022 NOTE: setsockopt TCP_NODELAY=1 failed
Wed May  4 19:14:49 2022 UDP link local: (not bound)
Wed May  4 19:14:49 2022 UDP link remote: [AF_INET]209.14.3.200:1194
Wed May  4 19:14:49 2022 TLS: Initial packet from [AF_INET]209.14.3.200:1194, sid=02821386 53542aca
Wed May  4 19:14:50 2022 VERIFY OK: depth=1, CN=CloudVPN Prod CA
Wed May  4 19:14:50 2022 VERIFY KU OK
Wed May  4 19:14:50 2022 Validating certificate extended key usage
Wed May  4 19:14:50 2022 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed May  4 19:14:50 2022 VERIFY EKU OK
Wed May  4 19:14:50 2022 VERIFY OK: depth=0, CN=br-gru-dc2-b1.cloud.openvpn.net
Wed May  4 19:14:50 2022 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed May  4 19:14:50 2022 [br-gru-dc2-b1.cloud.openvpn.net] Peer Connection Initiated with [AF_INET]209.14.3.200:1194
Wed May  4 19:14:51 2022 SENT CONTROL [br-gru-dc2-b1.cloud.openvpn.net]: 'PUSH_REQUEST' (status=1)
Wed May  4 19:14:51 2022 PUSH: Received control message: 'PUSH_REPLY,route-gateway 100.96.1.33,ifconfig 100.96.1.34 255.255.255.240,ifconfig-ipv6 fd:0:0:8102::2/64 fd:0:0:8102::1,client-ip 200.173.248.124,ping 8,ping-restart 40,reneg-sec 3600,cipher AES-256-GCM,compress stub-v2,peer-id 71,topology subnet,explicit-exit-notify,remote-cache-lifetime 86400,block-outside-dns,route 100.96.0.0 255.224.0.0,route-ipv6 fd:0:0:8000::/49,route 100.80.0.0 255.240.0.0,route-ipv6 fd:0:0:4000::/50,dhcp-option DNS 100.96.1.33,auth-tokenSESS_ID,auth-token-user b25lc29sdmUvY29ubmVjdG9yL2I5YzdiMDVhLTY2ODUtNDNlMS05NTU5LTFkNTdhZWFjYzM4Nl9kY2M3ODY2Ny1hNDFkLTRiNWYtYWE1Ni02MGEwZjE3NzNiYjI='
Wed May  4 19:14:51 2022 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: client-ip (2.4.6)
Wed May  4 19:14:51 2022 Options error: option 'reneg-sec' cannot be used in this context ([PUSH-OPTIONS])
Wed May  4 19:14:51 2022 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:13: remote-cache-lifetime (2.4.6)
Wed May  4 19:14:51 2022 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:14: block-outside-dns (2.4.6)
Wed May  4 19:14:51 2022 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:21: auth-token-user (2.4.6)
Wed May  4 19:14:51 2022 OPTIONS IMPORT: timers and/or timeouts modified
Wed May  4 19:14:51 2022 OPTIONS IMPORT: explicit notify parm(s) modified
Wed May  4 19:14:51 2022 OPTIONS IMPORT: compression parms modified
Wed May  4 19:14:51 2022 OPTIONS IMPORT: --ifconfig/up options modified
Wed May  4 19:14:51 2022 OPTIONS IMPORT: route options modified
Wed May  4 19:14:51 2022 OPTIONS IMPORT: route-related options modified
Wed May  4 19:14:51 2022 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed May  4 19:14:51 2022 OPTIONS IMPORT: peer-id set
Wed May  4 19:14:51 2022 OPTIONS IMPORT: adjusting link_mtu to 1624
Wed May  4 19:14:51 2022 OPTIONS IMPORT: data channel crypto options modified
Wed May  4 19:14:51 2022 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed May  4 19:14:51 2022 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed May  4 19:14:51 2022 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed May  4 19:14:51 2022 ROUTE_GATEWAY 10.46.46.117/255.255.255.248 IFACE=wwan0 HWADDR=00:00:00:00:00:00
Wed May  4 19:14:51 2022 GDG6: remote_host_ipv6=n/a
Wed May  4 19:14:51 2022 ROUTE6_GATEWAY fe80::6802:b8ff:fede:bb0a IFACE=wlan0
Wed May  4 19:14:51 2022 TUN/TAP device tun0 opened
Wed May  4 19:14:51 2022 TUN/TAP TX queue length set to 100
Wed May  4 19:14:51 2022 do_ifconfig, tt->did_ifconfig_ipv6_setup=1
Wed May  4 19:14:51 2022 /sbin/ifconfig tun0 100.96.1.34 netmask 255.255.255.240 mtu 1500 broadcast 100.96.1.47
Wed May  4 19:14:51 2022 /sbin/ifconfig tun0 add fd:0:0:8102::2/64
Wed May  4 19:14:51 2022 /sbin/route add -net 100.96.0.0 netmask 255.224.0.0 gw 100.96.1.33
Wed May  4 19:14:51 2022 /sbin/route add -net 100.80.0.0 netmask 255.240.0.0 gw 100.96.1.33
Wed May  4 19:14:51 2022 add_route_ipv6(fd:0:0:8000::/49 -> fd:0:0:8102::1 metric -1) dev tun0
Wed May  4 19:14:51 2022 /sbin/route -A inet6 add fd:0:0:8000::/49 dev tun0
Wed May  4 19:14:51 2022 add_route_ipv6(fd:0:0:4000::/50 -> fd:0:0:8102::1 metric -1) dev tun0
Wed May  4 19:14:51 2022 /sbin/route -A inet6 add fd:0:0:4000::/50 dev tun0
Wed May  4 19:14:51 2022 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed May  4 19:14:51 2022 Initialization Sequence Completed

tom

@Djalma-Ribeiro That looks promising! If you do an ifconfig in another terminal do you see a tun0 network interface? If so then you're all connected.

Djalma Ribeiro

@tom

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 100.96.1.34  netmask 255.255.255.240  destination 100.96.1.34
        inet6 fd:0:0:8102::2  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::da89:cbe9:b217:1ed7  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 7  bytes 336 (336.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

But shouldn't I see the drone in the device list on the OpenVPN website?

Djalma Ribeiro

What else do I need to do to complete the OpenVPN setup? Do I need to send any certificate for the drone?

I also couldn't find how to connect the QGC to the drone using VPN. How to find the address to use etc.

tom

@Djalma-Ribeiro So the .ovpn file you used is the certificate that your drone is now using to connect to the VPN. You will also need to connect to the VPN with a different certificate using your ground control station that is running QGC.

tom

@Djalma-Ribeiro By looking at the tun0 interface you can see that the IP of your drone on the VPN is now 100.96.1.34

When you connect using your ground control station / PC you will also receive an IP there and those are the IPs you will use to communicate via. the VPN server

Djalma Ribeiro

@tom

Djalma Ribeiro

@tom Is this not my computer's ip?

tom

@Djalma-Ribeiro The fact that the IP is the same on that OpenVPN screenshot makes me think that you're attempting to use the same key file here as you are on your drone. If that's true, it won't work and the devices will keep kicking each other off the network. You need to use a unique key for each device.

The first test before you try to connect to QGC would be to connect both devices to the VPN with their unique keys and then attempt to ping from the drone to your pc or from pc to drone. That way you can ensure the two can communicate with each other before you try getting PX4 / QGC involved.

Once you have the pinging working, you can set the IP of the ground station on your drone in /etc/modalai/qgc-ip.cfg(file name may be slightly different)

Djalma Ribeiro

Now I understand a little more! By the way, thank you very much for your help.

I have both the pc and the drone online on OpenVPN:

But neither can find the other by ping.

Is there anything else I'm forgetting?

tom

@Djalma-Ribeiro Are you using a windows machine? All of our devices use Ubuntu 18.04 so I don't have much experience with it.

However on Windows, I know that some of our customers have had to disable all their firewalls in order to allow the traffic to come through.

Djalma Ribeiro

@tom I managed to make the ping work by putting the drone in host and the pc in network.

Do I have to use UDP or TCP to connect to the QGC?

tom

@Djalma-Ribeiro By default it'll use UDP. See this page for the next steps: https://docs.modalai.com/Qualcomm-Flight-RB5-user-guide-px4/

You will have to modify the rb5-net-check service and change the line ExecStart=/usr/bin/rb5-net-check wlan0 192.168 to ExecStart=/usr/bin/rb5-net-check tun0 100.96 in order to tell the drone to wait for the VPN network interface to come up before sending out PX4 packets.

Then you will have to modify the previously mentioned /etc/modalai/qgc-ip.cfg and adding the IP of your PC on the VPN in order to tell PX4 where to send packets.

You can also look at : /etc/modalai/full-m0052.config in order to see the PX4 startup config

Djalma Ribeiro

@tom I didn't find the file /etc/modalai/qgc-ip.cfg

tom

@Djalma-Ribeiro Okay you may have a slightly older version of the SDK. Go ahead and download the latest SDK from: https://developer.modalai.com/asset/4

and then follow the instructions here to install:
https://docs.modalai.com/Qualcomm-Flight-RB5-sdk-installation/

This way we know you're using the latest SDK. This qgc-ip file was added in a later release

Djalma Ribeiro

@tom

root@qrb5165-rb5:/home/rb5-flight-sdk-1.1.3# ./update-sdk.sh
bash: ./update-sdk.sh: Permission denied