Using OpenVPN with Ubuntu

This forum is for general conversation and user-user networking.

Moderators: TinCanTech

innogen
OpenVPN Power User
Posts: 87
Joined: Sun May 22, 2011 8:14 am

Using OpenVPN with Ubuntu

Post by innogen » Mon Jul 08, 2013 2:16 pm

I am new to using Ubuntu and OpenVPN.

Below are my questions:

1. In Microsoft Windows, the files in the config folder have the file extension ovpn. I understand that in Ubuntu, I will have to change it to conf. Is that correct?

2. What are the sudo commands to launch OpenVPN service, supposing I open and use a terminal window?

3. During the time when OpenVPN program connects to a gateway/exit node, I would like to see the verbose log as in the following example (part of the log is displayed):

Code:

Sat Jul 06 21:50:38 2013 OpenVPN 2.3.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Jun  3 2013
Sat Jul 06 21:50:38 2013 MANAGEMENT: TCP Socket listening on [AF_INET]
Sat Jul 06 21:50:38 2013 Need hold release from management interface, waiting...
Sat Jul 06 21:50:38 2013 MANAGEMENT: Client connected from [AF_INET]
Sat Jul 06 21:50:38 2013 MANAGEMENT: CMD 'state on'
Sat Jul 06 21:50:38 2013 MANAGEMENT: CMD 'log all on'
Sat Jul 06 21:50:38 2013 MANAGEMENT: CMD 'hold off'
Sat Jul 06 21:50:38 2013 MANAGEMENT: CMD 'hold release'
Sat Jul 06 21:50:38 2013 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sat Jul 06 21:50:38 2013 MANAGEMENT: >STATE:1234567890,RESOLVE,,,
Sat Jul 06 21:50:42 2013 Attempting to establish TCP connection with [AF_INET]123.456.789.012:443
Sat Jul 06 21:50:42 2013 MANAGEMENT: >STATE:1234567890,TCP_CONNECT,,,
Sat Jul 06 21:50:45 2013 TCP connection established with [AF_INET]123.456.789.012:443
Sat Jul 06 21:50:45 2013 TCPv4_CLIENT link local: [undef]
Sat Jul 06 21:50:45 2013 TCPv4_CLIENT link remote: [AF_INET]123.456.789.012:443
Sat Jul 06 21:50:45 2013 MANAGEMENT: >STATE:1373291445,WAIT,,,
Sat Jul 06 21:50:46 2013 MANAGEMENT: >STATE:1373291446,AUTH,,,
Sat Jul 06 21:50:46 2013 TLS: Initial packet from [AF_INET]123.456.789.012:443, sid=6c8b3036 7002cb48

What sudo command should I use?

mwandelaar
OpenVPN Super User
Posts: 219
Joined: Mon Nov 23, 2009 8:24 pm

Re: Using OpenVPN with Ubuntu

Post by mwandelaar » Mon Jul 08, 2013 7:05 pm

innogen wrote: 1. In Microsoft Windows, the files in the config folder have the file extension ovpn. I understand that in Ubuntu, I will have to change it to conf. Is that correct?

For autostart[*], yes. For manual start, it does not matter.

innogen wrote: 2. What are the sudo commands to launch OpenVPN service, supposing I open and use a terminal window?

For manual start:

Code:

sudo openvpn <configfile>

For autostart[*]:

Code:

sudo service openvpn restart

innogen wrote: 3. During the time when OpenVPN program connects to a gateway/exit node, I would like to see the verbose log as in the following example (part of the log is displayed):

Code:

sudo openvpn --verb 4 --config <configfile>

[*] autostart: Means all configfiles are correctly placed in /etc/openvpn

innogen
OpenVPN Power User
Posts: 87
Joined: Sun May 22, 2011 8:14 am

Re: Using OpenVPN with Ubuntu

Post by innogen » Mon Jul 08, 2013 8:14 pm

mwandelaar wrote: [*] autostart: Means all configfiles are correctly placed in /etc/openvpn

Thanks for taking the time to answer my questions.

4. What do you mean by "all config files are correctly placed...."? Is there a correct order or rules of hierarchy of placing config files?

5. Suppose I have two sets of config files, the reason being that each set is provided by a different commercial VPN service provider. What is a neat way of accommodating the two sets of config files in Ubuntu? (In Microsoft Windows, whenever I need to change to a different VPN service provider, I will access C:\Program Files\OpenVPN\ and manually rename the folder to config whose VPN I wish to connect to.)

6. When I first install OpenVPN on Ubuntu, does OpenVPN autostart by default? If yes, what are the ways to disable it?

mwandelaar
OpenVPN Super User
Posts: 219
Joined: Mon Nov 23, 2009 8:24 pm

Re: Using OpenVPN with Ubuntu

Post by mwandelaar » Mon Jul 08, 2013 8:35 pm

innogen wrote: 4. What do you mean by "all config files are correctly placed...."? Is there a correct order or rules of hierarchy of placing config files?

Please see my postings in this topic for that.

innogen wrote: 5. Suppose I have two sets of config files, the reason being that each set is provided by a different commercial VPN service provider. What is a neat way of accommodating the two sets of config files in Ubuntu? (In Microsoft Windows, whenever I need to change to a different VPN service provider, I will access C:\Program Files\OpenVPN\ and manually rename the folder to config whose VPN I wish to connect to.)

I suggest not placing them in /etc/openvpn, as they will start automatically. You can consider using the openvpn-networkmanager-plugin for this, or start the required VPN using the command line.

innogen wrote: 6. When I first install OpenVPN on Ubuntu, does OpenVPN autostart by default? If yes, what are the ways to disable it?

Yes, it starts automatically. But when there are no configfiles, it actually doesn't do a thing, other than looking for configfiles. So don't bother about it too much.

innogen
OpenVPN Power User
Posts: 87
Joined: Sun May 22, 2011 8:14 am

Re: Using OpenVPN with Ubuntu

Post by innogen » Mon Jul 08, 2013 10:21 pm

mwandelaar wrote:

Code:

sudo openvpn --verb 4 --config <configfile>

In your last post at topic12714.html, you wrote:

sudo openvpn --verb 3 --config your-config-file.conf

What is the difference between --verb 4 and --verb 3?

innogen
OpenVPN Power User
Posts: 87
Joined: Sun May 22, 2011 8:14 am

Re: Using OpenVPN with Ubuntu

Post by innogen » Mon Jul 08, 2013 10:36 pm

Hi mwandelaar,

Thanks for answering my questions.

Please have a look at one of my config files:

Code:

setenv FORWARD_COMPATIBLE 1
setenv UV_SERVERID 123
client
dev tun
proto udp
remote 123.456.789.012 1194
nobind
persist-key
persist-tun
ns-cert-type server
key-direction 1
push-peer-info
comp-lzo
explicit-exit-notify
verb 3
mute 20
reneg-sec 86400
mute-replay-warnings
max-routes 1000
<ca>
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END OpenVPN Static key V1-----
</tls-auth>

The above config file is to be used only for Microsoft Windows platform. (According to some forum members, the above config file contains inline authentication keys.)

Below are my questions:

8. If I wish to use the above config file on Ubuntu, I would have to extract the authentication keys into separate files such as ca.crt, username.crt, ta.key and/or tls-auth.key, am I right?

9. Based on the above sample config file, am I right to state that:

Code:

<ca>
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
</ca>

belongs to ca.crt

Code:

<cert>
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
</cert>

belongs to username.crt

Code:

<key>
-----BEGIN RSA PRIVATE KEY-----
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END RSA PRIVATE KEY-----
</key>

belongs to ta.key and

Code:

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END OpenVPN Static key V1-----
</tls-auth>

belongs to tls-auth.key

10. What are the locations (file paths) in Ubuntu of these authentication keys?

mwandelaar
OpenVPN Super User
Posts: 219
Joined: Mon Nov 23, 2009 8:24 pm

Re: Using OpenVPN with Ubuntu

Post by mwandelaar » Tue Jul 09, 2013 6:43 am

innogen wrote: 8. If I wish to use the above config file on Ubuntu, I would have to extract the authentication keys into separate files such as ca.crt, username.crt, ta.key and/or tls-auth.key, am I right?

Ubuntu (as all other OSes) works fine with inline certificates. If you wish you can extract them, but there's no need for that.

innogen wrote:

Code:

setenv FORWARD_COMPATIBLE 1
setenv UV_SERVERID 123

The above config file is to be used only for Microsoft Windows platform. (According to some forum members, the above config file contains inline authentication keys.)

I'm not familiar with these 2 settings and would remove them first from my config. I don't think you need to change anything else in the configfile.

innogen wrote: 9. Based on the above sample config file, am I right to state that:

Code:

<ca>
-----BEGIN CERTIFICATE-----
<snip>
-----END OpenVPN Static key V1-----
</tls-auth>

belongs to tls-auth.key

10. What are the locations (file paths) in Ubuntu of these authentication keys?

Your assumptions are right. As I wrote in my other topic, there are no predefined paths in openvpn.
You could point to (for example) the ca-certificate using:

Code:

ca /etc/openvpn/certs/ca.crt

or whatever path you wish to use.

For the difference between --verb 3 and --verb 4, please review the manpage. It's slightly more verbose.

innogen
OpenVPN Power User
Posts: 87
Joined: Sun May 22, 2011 8:14 am

Re: Using OpenVPN with Ubuntu

Post by innogen » Tue Jul 09, 2013 1:59 pm

mwandelaar wrote: Ubuntu (as all other OS-es) work fine with inline certificates. If you wish you can extract them but there's no need for that.

The reason for extracting authentication data from inline certificates and creating individual authentication key files is when I wish to use the network-manager-openvpn-gnome plugin. Apparently the plugin requires one to specify the locations of the ca.crt, username.crt, ta.key and tls-auth.key files.

mwandelaar
OpenVPN Super User
Posts: 219
Joined: Mon Nov 23, 2009 8:24 pm

Re: Using OpenVPN with Ubuntu

Post by mwandelaar » Tue Jul 09, 2013 5:13 pm

OK, that's specific for the network-manager plugin. In that case you need to make files for the certs and key to make this work.
If you follow the earlier mentioned steps, it will work.
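
The extraction of inline blocks into separate files, as needed for the NetworkManager plugin discussed above, can be scripted. This is an added example, not part of the original posts; the output file names (ca.crt, client.crt, client.key, ta.key, client.conf) and the sample config are assumptions, since OpenVPN has no predefined paths.

```shell
#!/bin/sh
# Added example: split inline <ca>/<cert>/<key>/<tls-auth> blocks into files.
# <key> is the client private key, <tls-auth> the shared static key.
# Output names are arbitrary choices (assumptions); OpenVPN has no fixed paths.
split_inline() (
    conf=$1; outdir=$2
    umask 077                         # directory and files are owner-only
    mkdir -p "$outdir" || exit 1
    awk -v dir="$outdir" '
        BEGIN {
            cfg = dir "/client.conf"  # rewritten config without inline blocks
            name["ca"] = "ca.crt";      name["cert"] = "client.crt"
            name["key"] = "client.key"; name["tls-auth"] = "ta.key"
        }
        { sub(/\r$/, "") }            # configs copied from Windows may use CRLF
        /^<\/(ca|cert|key|tls-auth)>$/ { close(out); out = ""; next }
        /^<(ca|cert|key|tls-auth)>$/ {
            tag = substr($0, 2, length($0) - 2)
            out = dir "/" name[tag]
            print tag " " out > cfg   # e.g. "ca <outdir>/ca.crt"
            next
        }
        out != "" { print > out; next }   # inside a block: copy to its file
        { print > cfg }                   # everything else stays in the config
    ' "$conf" || exit 1
    # Tighten modes even if the key files already existed with looser ones.
    for f in client.key ta.key; do
        if [ -f "$outdir/$f" ]; then chmod 600 "$outdir/$f"; fi
    done
)

# Demo on a constructed config with placeholder material (not real keys).
tmp=$(mktemp -d)
printf '%s\r\n' client 'dev tun' 'key-direction 1' \
    '<ca>' CA-PLACEHOLDER '</ca>' '<cert>' CERT-PLACEHOLDER '</cert>' \
    '<key>' KEY-PLACEHOLDER '</key>' \
    '<tls-auth>' TA-PLACEHOLDER '</tls-auth>' > "$tmp/in.ovpn"
split_inline "$tmp/in.ovpn" "$tmp/out"
cat "$tmp/out/client.conf"
```

The `key-direction 1` line stays in the rewritten config and applies to the external tls-auth file as well. Pass an absolute output directory so the emitted paths do not depend on the directory openvpn is started from.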
