A Virtual Private Network establishes a secure encrypted connection between your system and a server. It allows you to connect to an untrusted network and tunnel all your network traffic so that it emerges from the VPN server to its destination. In this howto, we will configure the OpenVPN client to connect to the VPN servers hosted by Private Internet Access.
I’ve chosen to use Private Internet Access only because I already have an account with them and they support the OpenVPN client to connect to their VPN servers. I’m sure other VPN service providers would work the same way.
Although I initially tested this on Raspbian Stretch on a Raspberry Pi, I have since used the same steps on Debian Stretch and achieved the same results.
Installing all the prerequisites
To accomplish this task we are going to need to install openvpn, unzip, wget, curl and openresolv. We can do this by using the following command:
apt -y install openvpn unzip wget curl openresolv
Setting up the directory structure
Just to keep things organized we will create a set of directories. This way, a later configuration change only requires changing a couple of linked files. First we need to switch to the “/etc/openvpn/client” directory.
Once there we create several directories by issuing the following commands:
mkdir certs-available
mkdir confs-available
mkdir login-available
mkdir certs-enabled
mkdir login-enabled
mkdir vpn-bundles
Setting up all the configurations
Private Internet Access (as well as other VPN providers) provides configuration bundles for the default OpenVPN client. We are going to download those configurations, alter them a bit and use them to connect to the PIA VPN server as soon as our system finishes booting up.
Switch to the directory we created to store the configuration bundle by issuing the following command:
Once in /etc/openvpn/client/vpn-bundles we can proceed to download the configuration bundle with wget by issuing the following:
Now that we have the zipped file with all the configurations we need to unzip it by using the following command:
unzip openvpn.zip -d "$(date +"%d-%m-%Y")"-PIA-openvpn
This command will unzip the openvpn.zip file into a directory whose name starts with the date followed by “-PIA-openvpn”. We are doing this so that in the future if there is a need to download a new set of configurations we can easily tell which directory contains the newly downloaded ones.
Once the file is unzipped we can start moving the configurations to the directories we previously created.
cd "$(date +"%d-%m-%Y")"-PIA-openvpn
mkdir /etc/openvpn/client/certs-available/PIA
cp *.crt /etc/openvpn/client/certs-available/PIA/
cp *.pem /etc/openvpn/client/certs-available/PIA/
mkdir /etc/openvpn/client/confs-available/PIA
cp *.ovpn /etc/openvpn/client/confs-available/PIA/
Because we want the OpenVPN client to start without user interaction, we need to add a couple of settings to all VPN configuration files we just downloaded. Change to the directory where we stored them by issuing the following command:
We need to alter all the configuration files so that they can get the user name and password from a file named “login” located at “/etc/openvpn/client/login-enabled/”. This can be accomplished by issuing the following command:
sed -i 's/auth-user-pass/auth-user-pass \/etc\/openvpn\/client\/login-enabled\/login/g' *.ovpn
We also need to add the following settings to all the configuration files. These settings deal with changing the DNS servers in order to prevent DNS leaks when the VPN is up.
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
down-pre
Going into each file to add the aforementioned settings would be tedious; it is better to use a small script that goes into each file and adds the settings. The script is simple, just create a file named add_vpn_settings.sh with the following content:
#!/bin/bash
# Append the DNS update hook settings to every downloaded profile.
cd /etc/openvpn/client/confs-available/PIA || exit 1
# Only touch .ovpn files, so the script never appends to itself if it is stored in this directory.
for file in *.ovpn
do
    echo "script-security 2" >> "$file"
    echo "up /etc/openvpn/update-resolv-conf" >> "$file"
    echo "down /etc/openvpn/update-resolv-conf" >> "$file"
    echo "down-pre" >> "$file"
done
The next step is to make it executable by issuing the following:
chmod +x add_vpn_settings.sh
And finally we run the add_vpn_settings.sh script by issuing:
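An idempotent alternative to the sed command and the add_vpn_settings.sh script above, added here as an example and not part of the original howto: run twice, the plain sed substitution appends the login path a second time and the script appends duplicate directives. The function and variable names (patch_ovpn, LOGIN_FILE, HOOK) and the sample profile are constructed for illustration; GNU sed is assumed.

```sh
#!/bin/sh
# Added example: safe to run more than once on the same profiles.
LOGIN_FILE=/etc/openvpn/client/login-enabled/login   # path from this howto
HOOK=/etc/openvpn/update-resolv-conf                 # path from this howto

# patch_ovpn FILE: point auth-user-pass at LOGIN_FILE and add the DNS hook
# directives, leaving alone anything that is already in place.
patch_ovpn() {
    f=$1
    [ -f "$f" ] || return 1
    # Match only a bare "auth-user-pass" line, so a second run cannot
    # append the path again (the plain s/auth-user-pass/.../g would).
    sed -i "s|^auth-user-pass[[:space:]]*\$|auth-user-pass $LOGIN_FILE|" "$f"
    # A profile without a final newline would otherwise get the first
    # directive glued onto its last line.
    if [ -n "$(tail -c 1 "$f")" ]; then echo >> "$f"; fi
    for line in "script-security 2" "up $HOOK" "down $HOOK" "down-pre"; do
        grep -qxF -- "$line" "$f" || printf '%s\n' "$line" >> "$f"
    done
}

# Real use: for p in /etc/openvpn/client/confs-available/PIA/*.ovpn; do
#               patch_ovpn "$p"; done

# Demo on a constructed profile (not a real PIA file), patched twice.
demo_patch() {
    d=$(mktemp -d) || return 1
    printf 'client\nremote vpn.example.test 1198\nauth-user-pass\nverb 1' \
        > "$d/sample.ovpn"
    patch_ovpn "$d/sample.ovpn" && patch_ovpn "$d/sample.ovpn"
    cat "$d/sample.ovpn"
    rm -rf "$d"
}
demo_patch
```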
Now we need to back up the original update-resolv-conf file, because we are going to use a replacement that is better able to update the DNS servers in /etc/resolv.conf when they are pushed in by the VPN server. We can do this by issuing the following commands:
cd /etc/openvpn
mv update-resolv-conf update-resolv-conf-ORIG
If we ever need to return to the default script we just rename “update-resolv-conf-ORIG” back to “update-resolv-conf”.
Next we need to download the replacement update-resolv-conf file from https://github.com/masterkorp/openvpn-update-resolv-conf. We can issue the following commands to accomplish this:
cd /etc/openvpn
wget https://github.com/masterkorp/openvpn-update-resolv-conf/raw/master/update-resolv-conf.sh
Now we rename it and make it executable:
mv update-resolv-conf.sh update-resolv-conf
chown root:root update-resolv-conf
chmod 555 update-resolv-conf
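Because OpenVPN runs this hook as root on every connect and disconnect, and the download above follows the master branch, a practitioner would normally read the script once, record its SHA-256, and refuse to install anything that differs. The following is an added example, not part of the original howto or of the masterkorp project; install_hook is a hypothetical helper, the demo files are constructed stand-ins, and the expected hash is whatever you recorded after your own review.

```sh
#!/bin/sh
# Added example: gate the hook replacement on a reviewed SHA-256.

# install_hook SRC DEST SHA256: install SRC as DEST (mode 555) only when its
# SHA-256 equals the value recorded when the script was read and approved.
install_hook() {
    src=$1; dest=$2; want=$3
    got=$(sha256sum "$src" 2>/dev/null | cut -d' ' -f1)
    if [ -z "$got" ] || [ "$got" != "$want" ]; then
        echo "refusing $src: sha256 '$got' does not match '$want'" >&2
        return 1
    fi
    # Back up the distribution script once; a re-run must not overwrite the
    # backup with an earlier replacement.
    if [ -e "$dest" ] && [ ! -e "$dest-ORIG" ]; then
        mv "$dest" "$dest-ORIG"
    fi
    install -m 555 "$src" "$dest"   # run as root so the hook is root-owned
}

# Demo with constructed stand-in scripts in a temporary directory.
demo_hook() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\n# distribution hook (stand-in)\n' > "$d/update-resolv-conf"
    printf '#!/bin/sh\n# replacement hook (stand-in)\n' > "$d/update-resolv-conf.sh"
    reviewed=$(sha256sum "$d/update-resolv-conf.sh" | cut -d' ' -f1)
    install_hook "$d/update-resolv-conf.sh" "$d/update-resolv-conf" "$reviewed"
    ls -l "$d"
    rm -rf "$d"
}
demo_hook
```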
Next we need to create the file that contains the actual username and password for the PIA VPN server. Issuing the following three commands should do the job:
cd /etc/openvpn/client/login-available
echo "YOUR_PIA_USERNAME" > PIA-Login
echo "YOUR_PIA_PASSWORD" >> PIA-Login
Now we create a link from /etc/openvpn/client/login-available to /etc/openvpn/client/login-enabled/login by issuing the following:
ln -s /etc/openvpn/client/login-available/PIA-Login /etc/openvpn/client/login-enabled/login
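The echo commands above create PIA-Login with the default umask, which usually leaves it readable by every local user, and OpenVPN logs a warning when the auth-user-pass file is group or others accessible. The following added example (not part of the original howto) writes the file with owner-only access and checks it through the login-enabled symlink; write_login and check_login are hypothetical helper names, the credentials are placeholders, and GNU stat is assumed.

```sh
#!/bin/sh
# Added example: create and check the credentials file with owner-only access.

# write_login FILE: read two lines (username, password) from stdin into FILE.
# Reading from stdin keeps the password out of the command line.
write_login() {
    f=$1
    ( umask 077 && cat > "$f" ) || return 1
    chmod 600 "$f"        # umask does not tighten a file that already existed
}

# check_login FILE: succeed only if FILE (symlinks followed, as with
# login-enabled/login) has exactly two lines and no group/other access.
check_login() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    mode=$(stat -L -c '%a' "$f")
    case $mode in
        *00) ;;
        *) echo "$f: mode $mode is accessible to group/others" >&2; return 1 ;;
    esac
    [ "$(wc -l < "$f")" -eq 2 ] || { echo "$f: expected 2 lines" >&2; return 1; }
}

# Demo with constructed placeholder credentials in a temporary directory.
demo_login() {
    d=$(mktemp -d) || return 1
    printf '%s\n' YOUR_PIA_USERNAME YOUR_PIA_PASSWORD | write_login "$d/PIA-Login"
    ln -s "$d/PIA-Login" "$d/login"
    check_login "$d/login" && echo "login file OK: mode $(stat -c '%a' "$d/PIA-Login")"
    rm -rf "$d"
}
demo_login
```

For interactive use, run `write_login /etc/openvpn/client/login-available/PIA-Login`, type the username and password on separate lines, and finish with Ctrl-D.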
Finally we link one of the available configurations to be the default one (I’ve used the UK London configuration as an example below; you can use whichever configuration you desire).
ln -s /etc/openvpn/client/confs-available/PIA/UK\ London.ovpn /etc/openvpn/default.conf
After a reboot, the OpenVPN client should be up and everything should be flowing through the VPN tunnel.