How-to: openvpn-client and systemd

27.800.000 hits when Googling “Linux OpenVPN server autostart”, and just 663 hits for “linux OpenVPN client autostart” with the word combinations required to make it work…

Do you know what the best server solution is? The one without any users active. Never a problem-child, zero problems, plenty of performance and always running fine…

A quick guide on how to set up your Linux system, server style, with an automatically connecting openvpn-client, without network-manager or any other fancy GUI.

Installing it on Debian / Ubuntu

sudo apt-get install openvpn

One package for the client and server application.


Create your .conf file

You will probably have a .ovpn or .conf file provided by the server admin. With recent OpenVPN versions the config file needs to be placed in the /etc/openvpn/client directory. I got .ovpn files in my case and they look like this:

client
dev tun
proto udp
remote benelux.myvpnservice.net.org.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-384-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.rsa.9216.pem
ca ca.rsa.9126.crt
disable-occ

In this case the .ovpn file is a decent config file and can be copied to a .conf file.

sudo cp Benelux.ovpn /etc/openvpn/client/Benelux.conf

Modify your .conf file

With the .conf file as it stands now there are a few issues. The username and password are unknown, and the .pem and .crt files are probably not going to be found.

The username and password can be put into a plain text file. The first line should be your username and the second line your password, nothing more, nothing less.

The .pem and .crt files should be supplied by your OpenVPN administrator. Use the files matching your VPN provider.

The changes made to my /etc/openvpn/client/Benelux.conf are the auth-user-pass, auth-nocache, crl-verify and ca lines:

client
dev tun
proto udp
remote benelux.myvpnservice.net.org.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-384-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass /home/user/openvpn-config-files/auth.txt
auth-nocache
comp-lzo
verb 1
reneg-sec 0
crl-verify /home/user/openvpn-config-files/crl.rsa.9216.pem
ca /home/user/openvpn-config-files/ca.rsa.9126.crt
disable-occ
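
A pre-flight check for the three file directives changed above, as an added example that is not part of the original post; the function name check_ovpn_conf and the script name check.sh are made up here. It flags a directive with no file, a relative path, a file that does not exist, and a credentials file that group or others can access.

```shell
#!/bin/sh
# Added example: pre-flight check for an OpenVPN client .conf before it is
# enabled as a systemd service. Prints one line per problem, returns non-zero
# if any were found. Checks only the file directives used on this page.
check_ovpn_conf() (
    conf=$1
    problems=0
    while read -r directive path rest || [ -n "$directive" ]; do
        case $directive in
            auth-user-pass|ca|crl-verify) ;;
            *) continue ;;
        esac
        if [ -z "$path" ]; then
            # e.g. bare auth-user-pass: asks for credentials interactively,
            # which an unattended service cannot answer
            echo "$directive: no file given"
        elif [ "${path#/}" = "$path" ]; then
            # relative paths depend on the directory openvpn is started from
            echo "$directive: $path is not an absolute path"
        elif [ ! -f "$path" ]; then
            echo "$directive: $path does not exist"
        elif [ "$directive" = auth-user-pass ] &&
             [ "$(ls -ld -- "$path" | cut -c5-10)" != "------" ]; then
            # clear-text password: no access for group or others
            echo "$directive: $path is accessible by group or others"
        else
            continue
        fi
        problems=$((problems + 1))
    done < "$conf"
    [ "$problems" -eq 0 ]
)

# Usage (hypothetical script name): sudo sh check.sh /etc/openvpn/client/Benelux.conf
if [ "$#" -gt 0 ]; then check_ovpn_conf "$1"; fi
```

A credentials file flagged by the last check can be fixed with chmod 600 on that file.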

Test the .conf file before making it a service.

Let's test the .conf file we made interactively to check that it works before we make it a service and have to dig through log files for a hint about what went wrong if it doesn’t start.

The OpenVPN client has to be run with sudo.

sudo openvpn /etc/openvpn/client/Benelux.conf

If you're lucky enough you will see Initialization Sequence Completed at the bottom and Started OpenVPN tunnel.

Press ctrl-c to quit the VPN connection.


Let's daemonize the thing and make it a service.

My .conf file is /etc/openvpn/client/Benelux.conf

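To make your openvpn-client run as a service you need to use systemctl. The name after the @ is the name of the .conf file in /etc/openvpn/client, without the .conf extension.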

sudo systemctl enable openvpn-client@Benelux

This step is required on recent Linux distros with openvpn 2.4.x and later versions. Other methods, like editing an init.d/openvpn script or whatever, qualify more as hacks than as tweaks or tricks.


What about the /etc/default/openvpn ?

I’ve read many guides on the internet to make this work and almost every guide tells you to uncomment the AUTOSTART="all" line to make it start automatically.

All I can say is READ THE TEXT people

#
# Start only these VPNs automatically via init script.
# Allowed values are “all”, “none” or space separated list of
# names of the VPNs. If empty, “all” is assumed.
# The VPN name refers to the VPN configutation file name.

If empty, “all” is assumed. No need to make changes here unless you have an exotic configuration or exotic requirements. With just one config file there is no need to make changes here.

I do not need the openvpn-server so feel free to disable it on boot.

If you do not need to run the openvpn-server you can disable the service.

sudo systemctl disable openvpn.service

It won’t save you a ton of resources or shave off minutes at boot but every little bit helps.

Good luck with your OpenVPN client.
