First of all, my setup. This guide should work for you if you have something similar. With Ubuntu, Debian and other Linux distributions, the package names could vary slightly. The end result is a sane solution, where you can connect to and disconnect from your VPN server of choice from your system tray. You can even set up your VPN to connect automatically with your internet connection.
OS: Arch Linux
Packages used: openvpn, networkmanager-openvpn, openvpn-update-resolv-conf, openresolv; optional: seahorse
VPN service: TigerVPN Lite
VPN configuration files: OpenVPN compatible, .ovpn
I assume you have set up your networkmanager and network-manager-applet packages already, because these two fall outside of the scope of this article. If you have not, a thorough guide can be found on Arch Wiki. You are also expected to have a tray area, such as the one in tint2-git.
If your NetworkManager and its tray applet are up and running, continue by installing the openvpn and networkmanager-openvpn packages. These two do not require additional configuration to work. If you need to, you can test plain OpenVPN by navigating to the folder of your VPN configuration file (.ovpn format) in your terminal and running the following command as superuser (sudo):
openvpn --config "config file name.ovpn"
You will be asked for your VPN username and password. Enter them and you will be connected to your VPN. The terminal window will remain active and you can cancel the process with Ctrl+C. OpenVPN from the terminal can be handy for debugging when networkmanager-openvpn refuses to work. If the terminal works, you will know the problem is somewhere in NetworkManager.
It is highly recommended to use openresolv + openvpn-update-resolv-conf to avoid DNS leaks. You can read more on this issue in the Arch Wiki. If you skip this simple step, your VPN connection will be vulnerable to DNS leaks. First, install openresolv, no configuration needed. Then install openvpn-update-resolv-conf from the AUR. Now use a text editor to open the VPN configuration file you got from your VPN service provider. Add the following lines, save, and you're done (mine already had the script-security 2 line, so I omitted that line). The script-security 2 line is what allows OpenVPN to run the up and down scripts:
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
On to the main part. Right-click your NetworkManager tray applet. Select Edit Connections. Select Add. Choose Import a saved VPN configuration. Choose your .ovpn configuration file. Enter your VPN username and password and don't forget other configuration options if your VPN provider requires them. With TigerVPN, I only needed to set the username and password. When you're done, click Save. Your VPN connection has been added and you can connect to it with a single click on the NetworkManager tray applet, then going to VPN Connections and clicking on your connection. If you need to add more servers, repeat this process with the rest of your configuration files.
Optional: To connect to a VPN automatically, right-click your NetworkManager tray applet, select Edit Connections, choose your connection, select Edit, go to the General tab, and tick the box Automatically connect to VPN when using this connection. Click Save and you're done.
Optional: If you're using TigerVPN, there is one more tweak you need. In all of your .ovpn files, remove the following line:
remote vie.tigervpn.com 443 tcp-client
Otherwise, NetworkManager will try to connect to both UDP and TCP and the connection will time out every time. There are probably other ways around this, and if you need to connect over TCP you can replace the UDP line in the configuration file with the TCP line. Regardless, it will not work with the default configuration. The configuration with both lines works with terminal OpenVPN, so it seems to be a NetworkManager applet or NetworkManager OpenVPN bug.
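As an added example (not part of the original guide), this POSIX shell function checks an .ovpn file for the three DNS hook lines from the openresolv step and for remote lines that mix TCP and UDP, the condition described above. The sample profile, its hostname vpn.example.net and its port numbers are constructed for illustration.

```shell
# Added example: audit an .ovpn profile for the DNS-leak hooks and for
# mixed TCP/UDP "remote" lines before importing it into NetworkManager.
HOOK=/etc/openvpn/update-resolv-conf   # hook path used in this guide

# audit_ovpn FILE: prints one finding per line; exit status 0 = clean, 1 = findings.
audit_ovpn() {
    awk -v hook="$HOOK" '
        $1 ~ /^[#;]/ || NF == 0 { next }                    # skip comments and blank lines
        $1 == "script-security" && $2 + 0 >= 2 { sec = 1 }  # level 2 or higher permits scripts
        $1 == "up"    && $2 == hook { up = 1 }
        $1 == "down"  && $2 == hook { down = 1 }
        $1 == "proto" { global = $2 }                       # profile-wide protocol
        $1 == "remote" { n++; proto[n] = $4 }               # remote HOST [PORT] [PROTO]
        END {
            if (!sec)  { print "MISSING: script-security 2"; bad = 1 }
            if (!up)   { print "MISSING: up " hook;          bad = 1 }
            if (!down) { print "MISSING: down " hook;        bad = 1 }
            if (global == "") global = "udp"                # OpenVPN default protocol
            for (i = 1; i <= n; i++) {
                p = (proto[i] == "" ? global : proto[i])
                sub(/-client$/, "", p); sub(/[46]$/, "", p) # tcp-client, udp4 -> tcp, udp
                if (!(p in seen)) { seen[p] = 1; kinds++ }
            }
            if (kinds > 1) { print "MIXED-PROTO: remote lines use both TCP and UDP"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample profile (placeholder hostname and ports, not a real server).
sample_profile() {
    cat <<'EOF'
client
dev tun
remote vpn.example.net 1194 udp
remote vpn.example.net 443 tcp-client
script-security 2
EOF
}

# Demo: audit the constructed sample and report whether it needs editing.
tmp=$(mktemp)
sample_profile > "$tmp"
audit_ovpn "$tmp" || echo "profile needs editing before import"
rm -f "$tmp"
```

To check a real profile, call audit_ovpn with the path to your .ovpn file; no output and exit status 0 mean all three hook lines are present and the remote lines agree on one protocol.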
Optional: Every time you connect to your VPN with your GNOME Keyring locked (for example, after a reboot), you will be asked for your keyring password. From what I know, there is no way to remember or save the password. What you can do to circumvent this is install seahorse, right-click on your keyring, select Change Password, enter your old password and then leave your new password blank. Seahorse will warn you about having unencrypted passwords on your storage and after you agree, you won't be asked for your keyring password anymore. This solution comes with a security risk as your VPN passwords will be kept in plain text. Anyone who has access to your storage will be able to read them.
This should be about it. This configuration works beautifully for me. If it doesn't for you, you can always drop a comment below and maybe we can find a solution.