Ubuntu/Bespin/PIA
In this section we set up a VPN tunnel using OpenVPN and a pre-existing OpenVPN server. For this specific example we cover the use of Private Internet Access, a third-party VPN provider.
Install software
sudo apt-get -y install openvpn
Obtain OpenVPN profile
For PIA:
cd /tmp
wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
unzip -d openvpn openvpn.zip
cd openvpn
This directory contains multiple OpenVPN profiles for each of PIA's server regions.
RUN THE FOLLOWING COMMANDS AS ROOT.
Copy the OpenVPN profile, the CA certificate, and the certificate revocation list (CRL) into /etc/openvpn:
PROFILE="Belgium"
cp ca.rsa.2048.crt /etc/openvpn/.
cp crl.rsa.2048.pem /etc/openvpn/.
cp ${PROFILE}.ovpn /etc/openvpn/.
Now add login credentials to a login file:
touch /etc/openvpn/login
chmod 600 /etc/openvpn/login   # credentials file: readable by root only
echo "USERNAME" >> /etc/openvpn/login
echo "PASSWORD" >> /etc/openvpn/login
Modify the OpenVPN profile to use the credentials file we just made, and to point to the full paths of the CA certificate and CRL copied into /etc/openvpn.
Also modify the OpenVPN profile to name the tunnel device it will create. We will set the tunnel device name as tun1:
sed -i 's+^auth-user-pass+& /etc/openvpn/login+' /etc/openvpn/${PROFILE}.ovpn
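# Replace the relative file names with absolute paths (each directive takes one file argument)
sed -i 's+^ca ca.rsa.2048.crt+ca /etc/openvpn/ca.rsa.2048.crt+' /etc/openvpn/${PROFILE}.ovpn
sed -i 's+^crl-verify crl.rsa.2048.pem+crl-verify /etc/openvpn/crl.rsa.2048.pem+' /etc/openvpn/${PROFILE}.ovpn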
sed -i 's+dev tun$+dev tun1+' /etc/openvpn/${PROFILE}.ovpn
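sed -i exits with status 0 even when its pattern matched nothing, so it is worth auditing the edited profile rather than trusting the commands. The script below is an added example, not part of the original page: check_profile and make_sample are hypothetical helper names, and the sample profile is constructed in a temporary directory rather than taken from PIA.

```shell
#!/usr/bin/env bash
# Added example: audit an edited .ovpn profile before starting OpenVPN with it.

# check_profile FILE: print one line per problem; return the problem count.
check_profile() {
    local profile="$1" bad=0 d arg
    for d in auth-user-pass ca crl-verify; do
        # Everything after the directive name on its first occurrence.
        arg=$(awk -v d="$d" '$1 == d { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$profile")
        case "$arg" in
            "")            echo "$d: missing, or has no file argument"; bad=$((bad + 1)) ;;
            *[[:space:]]*) echo "$d: extra arguments: $arg"; bad=$((bad + 1)) ;;
            /*)            [ -f "$arg" ] || { echo "$d: no such file: $arg"; bad=$((bad + 1)); } ;;
            *)             echo "$d: relative path: $arg"; bad=$((bad + 1)) ;;
        esac
    done
    # The tunnel device must be pinned to tun1.
    awk '$1 == "dev" && $2 == "tun1" { ok = 1 } END { exit !ok }' "$profile" \
        || { echo "dev: not set to tun1"; bad=$((bad + 1)); }
    # The credentials file must grant nothing to group or other.
    arg=$(awk '$1 == "auth-user-pass" { print $2; exit }' "$profile")
    if [ -f "$arg" ]; then
        case "$(ls -ld -- "$arg")" in
            ????------*) ;;
            *) echo "auth-user-pass: $arg is accessible beyond its owner"; bad=$((bad + 1)) ;;
        esac
    fi
    return "$bad"
}

# make_sample DIR: build a constructed profile plus the files it names.
make_sample() {
    local d="$1"
    : > "$d/ca.crt"; : > "$d/crl.pem"
    printf 'USERNAME\nPASSWORD\n' > "$d/login"; chmod 600 "$d/login"
    printf '%s\n' 'client' 'dev tun1' "auth-user-pass $d/login" \
        "ca $d/ca.crt" "crl-verify $d/crl.pem" > "$d/Sample.ovpn"
}

# Demo on the constructed sample; on a real host, pass /etc/openvpn/${PROFILE}.ovpn.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
check_profile "$demo_dir/Sample.ovpn" && echo "Sample.ovpn: OK"
rm -rf "$demo_dir"
```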
Testing OpenVPN Tunnel
Test the VPN connection by running curl -4 icanhazip.com before and after you bring the VPN up to verify your IP has changed:
openvpn --config /etc/openvpn/${PROFILE}.ovpn
Note that you may have a config file (.conf) instead, in which case, use the config file instead of the .ovpn file.
Use curl -6 icanhazip.com to test whether your IPv6 address has changed.
You can also run ifconfig and you should see a tun1 device with an IP address like 10.X.Y.Z. This is the VPN connection. To run curl over that specific network interface, pass the tun1 address (10.96.10.6 in this example) to curl's --interface flag:
curl --interface 10.96.10.6 -4 icanhazip.com
The VPN should be capturing and routing ALL traffic through the VPN tunnel. Double check by running this command, which binds curl to the wifi interface instead of the tunnel and should fail:
curl --interface 192.168.0.199 -4 icanhazip.com
where 192.168.0.199 is the IP address of bespin on the wifi network.
Modifying OpenVPN Service
Before we can automatically start OpenVPN, we need to modify the startup service to look for .ovpn files instead of .conf files. Use this sed one-liner to do that:
sed -i 's|\.conf|.ovpn|' /lib/systemd/system/openvpn@.service
systemctl daemon-reload   # make systemd re-read the edited unit file
Enabling OpenVPN Service
To start the process automatically in the background, and on boot, enable the OpenVPN service. It will be called openvpn@${PROFILE}. So, to use the example of Belgium.ovpn,
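# Start the client now, then enable it so that it also starts on boot
sudo service openvpn@Belgium start
sudo systemctl enable openvpn@Belgium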
This will look for a file named Belgium.ovpn and start an OpenVPN client process connecting to that server.
Once again you can check your public IP with
curl -4 icanhazip.com
and look up the IP address location to determine whether your traffic is being routed properly through Belgium, or wherever you chose.
Related
Also see: Ubuntu/OpenVPN Server