From charlesreid1


In this section we set up a VPN tunnel using OpenVPN and a pre-existing OpenVPN server. For this specific example we cover the use of Private Internet Access, a third-party VPN provider.

Install software

sudo apt-get -y install openvpn

Obtain OpenVPN profile

For PIA:

cd /tmp
wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
unzip -d openvpn openvpn.zip
cd openvpn

This directory contains multiple OpenVPN profiles for each of PIA's server regions.

RUN THE FOLLOWING COMMANDS AS ROOT.

To use the openvpn profile, server cert, and client key:

PROFILE="Belgium"
cp ca.rsa.2048.crt /etc/openvpn/.
cp crl.rsa.2048.pem /etc/openvpn/.
cp ${PROFILE}.ovpn /etc/openvpn/.

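Now add login credentials to a login file. The file holds the VPN password in clear text, so restrict it to root before writing to it:

touch /etc/openvpn/login
chmod 600 /etc/openvpn/login
echo "USERNAME" >> /etc/openvpn/login
echo "PASSWORD" >> /etc/openvpn/login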

Modify the OpenVPN profile to use the credentials file we just made, and to point to the correct locations of the certificate and key.

Also modify the OpenVPN profile to name the tunnel device it will create. We will set the tunnel device name as tun1:

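# Append the credentials file path to the bare auth-user-pass directive
sed -i 's+^auth-user-pass+& /etc/openvpn/login+' /etc/openvpn/${PROFILE}.ovpn
# Replace the relative CA and CRL paths with absolute ones (one argument per directive)
sed -i 's+^ca ca.rsa.2048.crt+ca /etc/openvpn/ca.rsa.2048.crt+' /etc/openvpn/${PROFILE}.ovpn
sed -i 's+^crl-verify crl.rsa.2048.pem+crl-verify /etc/openvpn/crl.rsa.2048.pem+' /etc/openvpn/${PROFILE}.ovpn
# Name the tunnel device tun1
sed -i 's+^dev tun$+dev tun1+' /etc/openvpn/${PROFILE}.ovpn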
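
A check to run against the profile after these edits, as an added example that is not part of the original page: it confirms that auth-user-pass, ca and crl-verify each name exactly one absolute path to an existing file, that the login file is accessible only by its owner, and that the device is tun1. The function name audit_ovpn_profile is hypothetical, and stat -c assumes GNU coreutils as shipped on Ubuntu.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper, not from the original page).
# Audits an OpenVPN client profile; prints one line per problem found.
# Returns 0 if the profile is clean, 1 otherwise.
audit_ovpn_profile() {
    local profile="$1" rc=0 key path mode
    [ -r "$profile" ] || { echo "cannot read $profile"; return 1; }

    # Each directive must carry exactly one argument: an absolute path to an existing file.
    for key in auth-user-pass ca crl-verify; do
        # Any field count other than 2 means a missing path or a botched edit.
        path=$(awk -v k="$key" '$1 == k { print (NF == 2 ? $2 : "BAD"); exit }' "$profile")
        case "$path" in
            "") echo "$key: directive missing"; rc=1 ;;
            /*) [ -f "$path" ] || { echo "$key: $path does not exist"; rc=1; } ;;
            *)  echo "$key: expected one absolute path"; rc=1 ;;
        esac
    done

    # The credentials file stores the password in clear text: owner-only access.
    path=$(awk '$1 == "auth-user-pass" && NF == 2 { print $2; exit }' "$profile")
    if [ -f "$path" ]; then
        mode=$(stat -c '%a' "$path")   # GNU stat (assumption: Ubuntu)
        case "$mode" in
            600|400) ;;
            *) echo "auth-user-pass: $path has mode $mode, want 600"; rc=1 ;;
        esac
    fi

    # The rest of the page relies on the tunnel device being named tun1.
    grep -Eq '^dev[[:space:]]+tun1[[:space:]]*$' "$profile" \
        || { echo "dev: tunnel device is not tun1"; rc=1; }
    return "$rc"
}
```

Run it as audit_ovpn_profile /etc/openvpn/${PROFILE}.ovpn; no output and exit status 0 mean the profile is ready to test.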

Testing OpenVPN Tunnel

Test the VPN connection by running curl -4 icanhazip.com before and after you bring the VPN up, to verify that your public IP has changed. Bring the VPN up with:

openvpn --config /etc/openvpn/${PROFILE}.ovpn

Note that you may have a config file (.conf) instead, in which case, use the config file instead of the .ovpn file.

Use curl -6 icanhazip.com to test whether your IPv6 address has changed.

You can also run ifconfig and you should see a tun1 device with an IP address like 10.X.Y.Z. This is the VPN connection. To run curl using specifically that network interface, use the --interface flag with curl:

curl --interface 10.96.10.6 -4 icanhazip.com

The VPN should be capturing and routing ALL traffic through the VPN tunnel. Double check by running this command, which should fail to do anything:

curl --interface 192.168.0.199 -4 icanhazip.com

where 192.168.0.199 is the IP address of bespin on the wifi network.

Modifying OpenVPN Service

Before we can automatically start OpenVPN, we need to modify the startup service to look for .ovpn files instead of .conf files. Use this sed one-liner to do that:

sed -i 's|\.conf|.ovpn|' /lib/systemd/system/openvpn@.service

Enabling OpenVPN Service

To start the process automatically in the background, and on boot, enable the OpenVPN service. It will be called openvpn@${PROFILE}. So, to use the example of Belgium.ovpn,

sudo service openvpn@Belgium start

This will look for a file named Belgium.ovpn and start an OpenVPN client process connecting to that server.

Once again you can check your public IP with

curl -4 icanhazip.com

and look up the IP address location to determine whether your traffic is being routed properly through Belgium, or wherever you chose.

Related

Also see: Ubuntu/OpenVPN Server