27.800.000 hits when Googling “Linux OpenVPN server autostart”, and just 663 hits for “linux OpenVPN client autostart” with the word combinations required to make it work…
Do you know what the best server solution is? The one without any users active. Never a problem-child, zero problems, plenty of performance and always running fine…
A quick guide on how to set up your Linux system with an automatically connecting OpenVPN client, without network-manager or any other fancy GUI, Linux server style.
Installing it on Debian / Ubuntu
sudo apt-get install openvpn
One package for the client and server application.
Create your .conf file
You will probably have a .ovpn or .conf file provided by the server admin. With recent OpenVPN versions the config file needs to be placed in the /etc/openvpn/client directory. I got .ovpn files in my case and they look like this:
client
dev tun
proto udp
remote benelux.myvpnservice.net.org.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-384-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.rsa.9216.pem
ca ca.rsa.9126.crt
disable-occ
In this case the .ovpn file is a decent config file and can be copied to a .conf file.
sudo cp Benelux.ovpn /etc/openvpn/client/Benelux.conf
Modify your .conf file
With the .conf file as it stands now there are a few issues. The username and password are unknown, and the .pem and .crt files are probably not going to be found.
The username and password can be put into a plain text file. 1st line should be your username and the second line your password, nothing more, nothing less.
The .pem and .crt files should be supplied by your OpenVPN administrator. Use the files matching your VPN provider.
The changes made to my /etc/openvpn/client/Benelux.conf are the auth-user-pass, auth-nocache, crl-verify and ca lines:
client
dev tun
proto udp
remote benelux.myvpnservice.net.org.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-384-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass /home/user/openvpn-config-files/auth.txt
auth-nocache
comp-lzo
verb 1
reneg-sec 0
crl-verify /home/user/openvpn-config-files/crl.rsa.9216.pem
ca /home/user/openvpn-config-files/ca.rsa.9126.crt
disable-occ
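The two issues named above (credentials that are not supplied and .pem/.crt files that cannot be found) can be checked before the first test run. The script below is an added example, not part of the original guide: the function name check_ovpn_conf is hypothetical, relative paths are assumed to resolve against the .conf's directory, and the check that the credentials file is closed to group and others is an addition to what the guide describes.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Pre-flight check for an
# OpenVPN client .conf before it is enabled as a service.
# Assumption: relative paths are resolved against the .conf's directory.
# Limitation: quoted paths containing spaces are not handled.

check_ovpn_conf() {
    conf=$1
    problems=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    confdir=$(cd "$(dirname "$conf")" && pwd)

    while read -r key path _ || [ -n "$key" ]; do
        case $key in
            auth-user-pass|ca|crl-verify) ;;
            *) continue ;;
        esac
        if [ -z "$path" ]; then
            # Without a file, auth-user-pass prompts on the terminal,
            # which a service started at boot cannot answer.
            echo "$key: no file given"; problems=$((problems + 1)); continue
        fi
        case $path in
            /*) ;;
            *) path=$confdir/$path ;;
        esac
        if [ ! -f "$path" ]; then
            echo "$key: file not found: $path"; problems=$((problems + 1)); continue
        fi
        [ "$key" = auth-user-pass ] || continue
        # Credentials file: username on line 1, password on line 2, nothing else.
        if [ "$(grep -c '' "$path")" -ne 2 ]; then
            echo "$path: expected exactly 2 lines"; problems=$((problems + 1))
        fi
        # Characters 5-10 of the ls mode string are the group/other bits.
        if [ "$(ls -ld -- "$path" | cut -c5-10)" != "------" ]; then
            echo "$path: accessible by group/others, use chmod 600"
            problems=$((problems + 1))
        fi
    done < "$conf"

    [ "$problems" -eq 0 ]
}

# Usage: ./check.sh /etc/openvpn/client/Benelux.conf
if [ -n "${1:-}" ]; then check_ovpn_conf "$1"; fi
```

The function returns 0 when every referenced file is present and the credentials file has two lines and mode bits only for its owner; each problem is printed on its own line.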
Test the .conf file before making it a service.
Let's test the .conf file interactively to check that it works before we make it a service; otherwise we would have to dig through log files for a hint about what went wrong if it doesn’t start.
The OpenVPN client has to be run with sudo.
sudo openvpn /etc/openvpn/client/Benelux.conf
If you’re lucky enough you will see Initialization Sequence Completed at the bottom and Started OpenVPN tunnel.
Press ctrl-c to quit the VPN connection.
Let's daemonize the thing and make it a service.
My .conf file is /etc/openvpn/client/Benelux.conf
To make your openvpn-client run as a service you need to use systemctl.
sudo systemctl enable openvpn-client@Benelux
This step is required on recent Linux distros with OpenVPN 2.4.x and later versions. Other methods, like editing an init.d/openvpn script or whatever, qualify more as hacks than as tweaks or tricks.
What about the /etc/default/openvpn ?
I’ve read many guides on the internet to make this work and almost every guide mentions to uncomment the AUTOSTART="all" line to make it start automatically.
All I can say is READ THE TEXT people
# Start only these VPNs automatically via init script.
# Allowed values are "all", "none" or space separated list of
# names of the VPNs. If empty, "all" is assumed.
# The VPN name refers to the VPN configutation file name.
If empty, "all" is assumed. No need to make changes here unless you have an exotic configuration or exotic requirements. With just one config file there is no need to make changes here.
I do not need the openvpn-server so feel free to disable it on boot.
If you do not need to run the openvpn-server you can disable the service.
sudo systemctl disable openvpn.service
It won’t save you a ton of resources or shave off minutes at boot but every little bit helps.
Good luck with your OpenVPN client.