OpenVPN is a popular open source, cross-platform VPN protocol. Of all the platforms, Linux probably has the most possible methods of installing and running an OpenVPN client or server. There are a great many flavors of Linux out there; Mint, Ubuntu, Debian, Fedora, CentOS and Arch are just a few of the more popular ones. One of the biggest differences between many of the Linux distributions is how they handle package management, but nearly all distros are capable of installing directly from source code.
There are advantages to rolling your own and compiling directly from the official source code. One of the biggest advantages is that you can ensure you are using a binary that has not been compromised with any back doors. Most distros have safeguards in place to help ensure that their official packages can be trusted. However, nothing is foolproof, and when dealing with a security-focused application such as a VPN client or an encryption client, some people prefer to compile their own application from the official source code.
Installing from Source Code
If you are going to install from source, then you probably don’t need my help. The process follows the familiar GNU Autoconf process. But for those of you who have never compiled from source, and are curious, the steps are basically:
- Make sure you have a development environment installed on your system. (e.g. GCC, Autoconf, Make, Libtool, etc.) Many distributions have a package group to install the common development tools. On Arch Linux for example, the command “pacman -S --needed base-devel” will install the packages needed to compile source code.
- Get the source tar ball or Git sources.
- Verify GPG signature; why would you go to all the trouble of compiling from source without checking the signature?
- Unpack the source.
- Make any customizations.
- Ensure you have all the required libraries. (e.g. OpenSSL, easy-rsa, LZO)
- ./configure; make; make install
- Configure your particular client or server and run!
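As an added example (not from the original article or the OpenVPN project), the shell functions below tie the verify, unpack and build steps together so that nothing is unpacked or compiled unless the detached signature checks out. All file names are placeholders, and the keyring is assumed to hold only the release signing key, exported after you compared its fingerprint with the one the project publishes.

```shell
#!/bin/sh
# Assumed call (placeholder names):
#   build_verified ./source.tar.gz ./source.tar.gz.asc ./release-key.gpg
# The keyring file is made once with: gpg --export FINGERPRINT > ./release-key.gpg

# verify_and_unpack TARBALL SIGNATURE KEYRING DESTDIR
verify_and_unpack() {
    tarball=$1 sig=$2 keyring=$3 dest=$4
    for f in "$tarball" "$sig" "$keyring"; do
        [ -f "$f" ] || { echo "missing file: $f" >&2; return 2; }
    done
    # gpgv accepts only keys in KEYRING and exits non-zero for a bad
    # signature, a modified tarball, or a signature made by any other key.
    # Give KEYRING with a path (./release-key.gpg); a bare name is looked
    # up in the GnuPG home directory instead.
    if ! gpgv --keyring "$keyring" "$sig" "$tarball"; then
        echo "signature check failed; not unpacking $tarball" >&2
        return 1
    fi
    mkdir -p "$dest" && tar -xf "$tarball" -C "$dest"
}

# build_verified TARBALL SIGNATURE KEYRING: verify, unpack, then build.
build_verified() {
    src=$(mktemp -d) || return 1
    verify_and_unpack "$1" "$2" "$3" "$src" || return $?
    # The subshell keeps the caller's working directory unchanged; the glob
    # matches the tarball's single top-level directory.
    ( cd "$src"/*/ && ./configure && make && sudo make install )
}
```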
For those who are interested in this process the OpenVPN Wiki entry for building is a great place to start. Most users will probably just want to install pre-compiled binary packages from their distribution’s official repositories or their VPN provider.
Installing from Repositories
Whatever your Linux distribution, odds are that there is an OpenVPN package in your official repositories. Installation will vary from distro to distro. Often software is modified slightly to match the idiosyncrasies of your chosen distribution. Often these are minor changes such as where the configuration or binary files are installed.
Another nice feature of installing from distro repositories is most package managers will install the required dependencies. So, if you do not have the OpenSSL library installed on your system, your package manager should take care of that for you when you install OpenVPN. The following are a few examples, but you should refer to your distro’s documentation on how to install packages.
On Arch it is as simple as running:
$ sudo pacman -S openvpn
and then configuring your install.
Debian based distros
On distros that use Debian packages it should be as simple as running the command:
$ sudo apt-get install openvpn
RPM based distros
Many modern RPM based distros make use of the yum front-end. For example, to install OpenVPN on CentOS all one needs to do is type “sudo yum install openvpn” and on Fedora it is the same. If you have acquired the RPM package and do not wish to use yum then you can always use RPM, “rpm -ivh openvpn-[details].rpm”. You will need to make sure the lzo, pam, and openssl packages are installed yourself if using rpm.
Running the Command Line Client
After you have installed the OpenVPN client/server (the binary is both the client and the server) then it is almost as easy to execute it. You will almost always need root privileges. This is because OpenVPN needs to create a TUN/TAP device to route the VPN through, which on most systems will require root access.
You will need an OpenVPN configuration file; typically they have a *.ovpn extension. It is probably best if you start with your VPN provider’s supplied *.ovpn file. You can always modify it later if you wish.
Running the client is as simple as entering:
$ sudo openvpn ./myvpnserver.ovpn
from the command line, replacing myvpnserver.ovpn with the name of your config file, of course.
Now, most non-technical users are not very comfortable working with the command line. Rather, casual users are more comfortable with some sort of GUI. Lately, I have been using Linux Mint for my clients. It is one of the most popular Linux distros and my clients have had no troubles learning to use it. Since Linux Mint is so popular and more likely to have less technical users, the rest of this article is a Linux Mint tutorial with screenshots.
Linux Mint Cinnamon Desktop Tutorial
Linux Mint can use many of the popular desktops including KDE, Xfce and Cinnamon. The following tutorial is using the Linux Mint 17.2 Cinnamon edition.
1. Install the OpenVPN package.
The first thing we need to do is install the OpenVPN package which is part of the official Mint repositories. So, click on the menu and then click on the Software Manager.
You will probably be prompted for your administrator or root password to allow the software manager permissions to install the package.
Once the Software Manager window opens, type “openvpn” into the search box and hit enter. You’ll probably get a number of hits but the red circled one is the one you want.
When you double-click on the openvpn package it will open up a description that also has an install button you can click to install the package.
The Software Manager will give you some feedback and the Install button will change to a Remove button when the install is complete. That’s it, you just installed OpenVPN on your Linux Mint system.
3. Install NetworkManager
As much as I love Linux and other UNIX variants, I have to admit that configuring networks can be a real pain. Whilst command line tools are powerful, they can have complicated and esoteric syntaxes. To make matters worse, different distros can use different tools and services to manage network connections. Some variants use tools like ifconfig while others use systemd or the ip tools. On one Arch Linux system, I accidentally configured multiple network configuration methods at the same time, causing me all sorts of sporadic network problems. This is where NetworkManager can really save you some grief.
NetworkManager is a lovely framework originally developed by Red Hat but is now managed by the GNOME project. NetworkManager is an open source and distribution agnostic framework. It runs well on a variety of desktops (e.g. KDE, Cinnamon, Gnome, Xfce, etc.) and on many distros (e.g. Fedora, Gentoo, Debian, Mint, Arch, etc.). NetworkManager also makes use of plug-ins for configuration of networks like OpenVPN.
So, let’s make life easier and install the NetworkManager.
It looks like on my install I have the choices of network-manager-openvpn and network-manager-openvpn-gnome. Since network-manager-openvpn is a dependency of network-manager-openvpn-gnome we will install the latter and get them both.
We do this the same way we installed openvpn by double-clicking on the package and choosing the Install button.
Interestingly, when I went back to look at the network-manager-openvpn package in the Software Manager it didn’t show it as installed. However, a quick check of the /var/log/dpkg.log did show it as being installed before the network-manager-openvpn-gnome package. Once I closed the Software Manager and reopened it, it did then show network-manager-openvpn as being installed. Perhaps I should file a bug with the Software Manager?
Just to make sure that the Network Manager has picked up the plug-ins you should restart it with the following command:
$ sudo restart network-manager
If you find it easier you could always reboot your machine instead.
4. Configure your VPNs
Click on the Network Manager applet on the panel.
Then select the Network Connections option.
This will open up a new window in which you will want to click the Add button to add a new connection.
After clicking the Add button you will get a pull-down list of connection types. Look under the VPN section and select OpenVPN. Then click on the Create… button.
You can also choose the Import a saved VPN configuration… option from the pull-down menu. When you click the Create… button a file browser window will open allowing you to choose your *.ovpn file. Depending on how your provider’s OpenVPN config file is set up, this may or may not work for you. It may also partially fill in the config allowing you to enter the rest of your connection information. In any case, knowing how to dissect your OpenVPN config file and filling in the settings manually will work if the import does not.
Your VPN provider should provide OpenVPN configuration files. Often they come with many different configuration files in a ZIP or TAR file. Once you have some config files downloaded, open one up; they are just text files and any text editor should work fine.
So, you will notice that the first line contains:
remote uk1.vpn.ac 1194 udp
This is the FQDN (uk1.vpn.ac) for the VPN server, the port (1194), and the protocol (UDP). Unless you are using the same provider, yours will be different.
Fill in the Connection name: with something that will help you remember what it is.
Fill in the Gateway: with FQDN or IP address of your VPN server.
Under the Authentication Type: pull-down you will probably want to select Password. Most VPN providers use a username / password authentication method and this can be seen in the config file as the line:
Most providers also utilize a Certificate Authority (CA). In my example, it is embedded into the OpenVPN config file. I could cut the section starting with “-----BEGIN CERTIFICATE-----” and ending with “-----END CERTIFICATE-----” and save that as a file, but my provider also included a ca.crt file in their tar ball, and so that is what I am going to use.
When you click on the CA Certificate: button it will pull up a file browser allowing you to select your certificate file. Browse to where your file is and select it. Normally, a certificate file will have a *.crt, *.pem, or *.key file extension.
Now we want to click the Advanced… button. You may or may not have to set any of the options in here, but I find that you normally have to set something.
A common setting here is the Use custom gateway port: but in my case my server is using the official OpenVPN port of 1194 so I do not need to set anything. Another common option is the Use LZO data compression. However, you can often leave this alone and the server will push this setting to your client if needed. A less common option is the Use a TCP connection and in my config file you will notice my provider is using UDP port 1194. Sometimes you will need to use TCP in order to get around restrictive firewalls or if your network connection is particularly unreliable. However, TCP is usually not as efficient due to the TCP meltdown effect.
If you see the option:
cipher AES-256-CBC auth SHA1
In this example my provider is also using TLS authentication. So I am going to click the TLS Authentication tab.
The configuration file line for this option looks like this:
tls-auth Wdc.key 1
In my case Wdc.key is the name of the key file and 1 is the Key Direction. Unless you are using the same provider yours will likely be different. Just like with the CA cert file, click the Key File: button and browse to and select your key file. You can also click the Key Direction: button to select the proper direction.
Those are all the options that need to be set up for this particular configuration. Click the OK button to return to the main configuration window, then click the Save… button to save the new connection.
5. Connect to your VPN
Once again you will want to click on the Network Manager applet on the panel.
You will notice that there is now a VPN Connections section on the applet. In the above image I have three different VPN connections configured. Click on the connection you wish to use and when the connection is established you should get a pop-up message like this:
The Network Manager applet should also change to show a lock.
That’s it! You now have your VPN connection set up in Network Manager. The setup should be similar on any flavor of Linux and any desktop using Network Manager. Enjoy!