Advice and/or beginner's script or guide to getting started with openSUSE and a VPN?

I’m a bit curious to start an openVPN, but when I looked into some of the VPN suppliers (Mullvad and privateinternetaccess) they don’t have any preconfigured scripts nor rpms for openSUSE that one can run and have things ‘just work’ (as opposed to Ubuntu, OS-X, and MS-Windows, where it appears such). Instead I found the initial research that I did to be very discouraging.

I read a bit from surfing this openSUSE forum openVPN threads and also read guides such as https://en.opensuse.org/SDB:OpenVPN_Installation_and_Setup#Client_Configuration where it reads like I have a large learning curve, needing to set up multiple configuration files, enter custom ip-addresses, set up RSA key files/generation, firewall setups, port forwarding etc … some of which I know nothing about, and it is a learning curve/path I am very VERY reluctant to follow here. This is not so important to me that I’m willing to waste hours on this.

Am I correct that there is no very simple/easy solution to set up such? And hence, if a simple approach is my criterion, should I simply stop now and not bother spending my time (given this is more a passing curiosity than a need), or is there a simple/easy way to set up an openVPN with openSUSE?

Unable to help with this one, but I am bumping it up because I, too, would like to know the answer.:frowning:

The question is what do you want the VPN to do.

Do you want to set up an OpenVPN server so that it is visible on a public IP and you can connect to it using an OpenVPN client to have encrypted access to some of your internal servers? (I think this is called OpenVPN Access Server.)
If that is the case then it was very straightforward to set up such a server on CentOS. And right now I see they have software packages for openSUSE as well:
https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html

The limitation of the completely free version is (or was at the time I was using it) that you can have 2 clients connected to the access server at a given time. A previous version of this guide was used by me to set it up 3 or 4 years ago:
https://openvpn.net/index.php/access-server/docs/quick-start-guide.html

In my case, it’s driven more by curiosity to see what a VPN can provide for the average person … ie no server of my own, but used for nominal Internet access. I’m curious to see what sort of speed limitations there are. Curious to see how multimedia streams. Curious to see, after setup, if it is possible to have my (primitive) home router access the VPN for all PCs in our home LAN, or only just my desktop PC. Curious to see, if set up on my laptop, how it works in different countries that I visit on vacation and on business. Curious to see if I can download Linux distributions via ftp and via torrent and what the speed impact may be.

Ideally I would like to do more than just read the answer to the above, but rather experience this for myself first hand.

But ‘curiosity’ is the ‘operative word’ and hence there is a limitation as to the time and effort I am willing to spend.

Easy to follow tutorial at http://www.linux-faqs.info/vpn/how-to-setup-an-openvpn-server

No, I don’t think oldcpu wants to set up a server. Instead, he is interested in VPN internet providers, and investigating what is needed to connect to them. Then, he’d like to evaluate their performance.

I’ve only ever had experience with connecting to remote servers via PPTP connectivity, so this is new territory for me as well. (I note that Mullvad support PPTP connectivity as well, but I understand that this type of VPN tunnel has security disadvantages.) Anyway, I think the easiest way to start would be using NM to create the required openVPN connection.

For Mullvad:
https://mullvad.net/en/setup/openvpn/

Even though they mention Debian/Ubuntu, I think it should still be relevant

  1. Log in
  2. Install network-manager-openvpn (sudo apt-get install network-manager-openvpn)
  3. Extract the configuration files
  4. Import mullvad_linux.conf using the Network Manager menu

From the tarball I downloaded, I note that there is a ca.crt (CA certificate) and master.mullvad.net.crt (user certificate) provided. The gateway should be set to ‘openvpn.mullvad.net’. There is a ‘client.conf.linux’ file which some pages refer to as ‘mullvad_linux.conf’. The archlinux wiki reference mentions the use of a script ‘update-resolv-conf’ which relies on the ‘resolvconf’ command. I managed to find an openSUSE script which does not rely on this command.

https://gist.github.com/multiple1902/1675504

So, hopefully this information will help pull together a working connection for openSUSE.

Connecting to https://www.privateinternetaccess.com/

looks reasonably straightforward. Starting with the download

wget https://www.privateinternetaccess.com/openvpn/openvpn.zip

then extracting and moving the contents to the /etc/openvpn/ directory.

The next step is to configure using NM as explained here
https://www.privateinternetaccess.com/pages/client-support/#other_guides

A graphical NM guide for Kali Linux (but the NM configuration is essentially the same regardless of distro)
http://www.instructables.com/id/How-to-install-Private-Internet-Access-VPN-on-Kali/

I have been using privateinternetaccess for several years and I too was intimidated by the lack of openSUSE support. But it was much simpler than anticipated and the support team were helpful. I only have moderate computing skills so I am sure you will manage. If you like I can post you some examples of my config files. A script to start the process and select a server is easy to write.

I have been using vpntrrafic for nearly two years now. You can have a look >>> here

And this is the setup guide for Linux

Regards,
Rubén

This is all good advice. I must admit I never looked into this kind of solution because I’m honestly not convinced how trusting your whole internet traffic with a commercial company is better than potentially being exposed to NSA or some other government organization. All NetworkManager plugins advice is good as those NM plugins really do their job well (I’ve also been using openvpn plugin for NM to connect to that openvpn access server I mentioned initially).

What I think we really need is encryption everywhere on application level. I’ve heard that NSA is not exactly happy with the latest stuff Apple or Google is doing with their phones since more and more things are encrypted there and not trivial to decrypt. Of course you are still subject to the company that produces phone or application but it seems to be better than the current state of the internet :slight_smile:

On Sun, 04 Jan 2015 11:06:02 +0000, oldcpu wrote:

> I’m a bit curious to start an openVPN, but when I looked into some of
> the VPN suppliers (Mullvad and privateinternetaccess) they don’t have
> any preconfigured scripts nor rpms for openSUSE that one can run and
> have things ‘just work’ (as opposed to Ubuntu, OS-X, and MS-Windows,
> where it appears such). Instead I found the initial research that I did
> to be very discouraging.
>
> I read a bit from surfing this openSUSE forum openVPN threads and also
> read guides such as http://tinyurl.com/d8sowpd where it reads like I
> have a large learning curve, needing to setup multiple configuration
> files, enter custom ip-addresses, setup RSA Key files/generation,
> firewall setups, port forwarding etc … some of which I know nothing
> and it is a learning curve/path I am very VERY reluctant to follow here.
> This is not that important to me that I’m willing to waste hours on this.
>
> Am I correct that there is no very simple/easy solution to setup such ?,
> and hence if a simple approach is my criteria, I should simply stop now
> and not bother spending my time (given this is more a passing curiosity
> than a need) or is there a simple/easy way to setup an openVPN with
> openSUSE ?

The way I handle this is with the OpenVPN Access Server virtual machine
on the server end. It was pretty straightforward to set up, and once I
forwarded port 1194 (IIRC) from my router to the VM and made sure the
secondary NIC in the VM was connected to my private network, everything
was set to go.

Then just create a configuration and use NetworkManager (or just the
openvpn CLI) to connect.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

I put this on hold for a while, as I was working on other areas. But a colleague set up their vpn earlier today with IPVanish on their Mac, and they noted there was what appeared to be a pretty basic guide for Ubuntu users, and they suggested I take a look at it - in case it was also applicable to openSUSE. I was skeptical at first, so I took a look, and I am now thinking my colleague may be correct, although it may be a week or two before I follow through and try.

The IPVanish website Ubuntu guide has the user:

  1. download from the IPVanish web site, with wget, a ca.ipvanish.com.crt file (which appears to be a certificate) and also wget an ipvanish-somecountry.ovpn file, which appears to be some sort of configuration file

  2. install the program “network-manager-openvpn” which also for Ubuntu users pulls in liblzo2-2, libpkcs11-helper1, network-manager-openvpn-gnome, openvpn and resolvconf.

    I note my openSUSE already has network-manager-openvpn, openvpn, liblzo2, and libpkcs11-helper1 installed. Only network-manager-openvpn-gnome and resolvconf are not installed. Given my PC is openSUSE-13.2 with KDE, I am not convinced those are required. Hence I may already have the necessary apps.

    I do note that after those are installed in Ubuntu, the Ubuntu package for network-manager-openvpn then tries to start the openvpn private network daemon, and gives the Ubuntu user a message that “No VPN is running”, which makes sense as nothing is set up yet. In comparison, I note in my openSUSE there are no vpn daemons started. In fact the only vpn I note is called “openvpn@” in YaST services manager. I suspect I may need to start some daemon (not sure what) there. This is currently a puzzle to me.

  3. Then in Ubuntu one simply starts the Ubuntu Network Manager, and under configure VPN selects the abovementioned “ipvanish-somecountry.ovpn” configuration file. That automatically populates the vpn gateway, and one then simply enters their IPVanish username and password.

And at that point, one has a VPN connection.

It reads to be pretty painless to me, albeit I am scratching my head as to the best way in openSUSE to start the openvpn network daemon. Do I just activate “openvpn@” in YaST ?

I thought I would post here, to see if anyone has suggestions on this.

Is this as simple as it appears, or have I missed some major aspects wrt the encryption and/or starting the openvpn daemon ?

I’m still in the research phase - and it may be a couple of weeks before I try this.

I should note the openSUSE-13.2 Network Manager also allows one to import the above mentioned “ipvanish-somecountry.ovpn” file, and then one has an openvpn option in Network Manager, properly populated (best I can determine). I did not test further as one needs to register an account with IPVanish (which I have not yet done) and one also needs, I believe, to start an openvpn daemon on their PC, which I also have not yet done.

Still, if starting the openvpn daemon is easy, then this entire process is very simple and straightforward.

Hi,

There are several types of VPN service provider; afaik the most common are the ones with username and password. Now in 13.2 KDE there are two entries under the VPN category, PPTP and OpenVPN. IMO the first step is to determine which one you are going to use, or rather which one your provider is using. I have some experience with the OpenVPN setup only, but still it has some options that you can choose from, if and when you need to configure it.

http://paste.opensuse.org/view/raw/91122771

Now when you choose OpenVPN it defaults to X.509 Certificates. Don’t be confused if you cannot find the place to enter your username and password; there is a dropdown menu that you can choose from.

http://paste.opensuse.org/view/raw/71714719

http://paste.opensuse.org/view/raw/87388760

Now for the entries:

Gateway can be octets or a dotted quad, which is an IP address of the VPN server, or it can be a hostname.
CAfile is the one with the name ca.crt
Certificate the other one that ends in .crt
key is the one that ends in .key
Keypassword you can leave empty if your provider does not require it.
Username and Password is pretty obvious here

Those files are provided by your VPN provider; with this setup you can put those files in any directory you like.
Importing a VPN config file works as well, HOWEVER you need to watch out for the NetworkManager bug which was pointed out on this forum.
It automatically checks the “use only for resources on this connection” entry under the IPv4 tab → Routes

http://paste.opensuse.org/view/raw/7239355

Doing it my way does not check that entry by default. One last thing I want to add is that you should check whether your provider has the so-called DNS balancing. In my setup you can just change the GATEWAY from dotted quad/octet to a hostname. According to the provider, what DNS balancing does is not only select a random server in the country/region you want to connect to/use, but also select the least loaded server, so unless you have a specific reason to use a static vpn server/router, IMO you can use some balancing technique. And before I forget, I do not have the openvpn service running on this side. That’s all I can share about VPN using KDE and NetworkManager.

Thanks for the input. I have not yet booked with a VPN service provider, but it does appear to me that IPVanish may be easy to set up … assuming that I do not get bitten by the Network-Manager bug you referred to. A perennial problem with any bug is that if a user is new to a subject (such as me being new to VPN), then when one encounters a bug, one never knows if this is one’s own configuration setup problem or if it is a bug, and a lot of time can be wasted trying to figure out the cause for non-functionality while one gradually learns about the new (to the user) functionality.

The IPVanish provided .ovpn file for one country (Amsterdam I believe) has this content:


client
dev tun
proto udp
remote ams-a07.ipvanish.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
ca ca.ipvanish.com.crt
tls-remote ams-a07.ipvanish.com
auth-user-pass
comp-lzo
verb 3
auth SHA256
cipher AES-256-CBC
keysize 256
tls-cipher DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA

and then after importing this .ovpn file with the openSUSE-13.2 (KDE) Network Manager, one can observe these menus (note IPVanish Amsterdam server):

http://www.imagebam.com/image/aac3af410691306

http://www.imagebam.com/image/fd31e3410691307

http://www.imagebam.com/image/45acee410691308

http://www.imagebam.com/image/90b4bf410691309

I note port 443 mentioned - it makes me think I need to check my router firewall to see if it is necessary to open that port. Or possibly this is PC specific. < not sure >

Again, I have not actually tried to connect. I need to open an account with the Service provider first, and I also want to understand how I start the openVPN daemon on my PC(s).

Thank you for that input. I saw those options as a different way to configure (instead of importing the .ovpn file) but without experience in using them, one can be a bit uncertain as to what goes in each and every field.

As near as I can determine (without further research) IPVanish provide a ca.somename.crt file, which appears to be a certificate, but the difference between the ca.somename.crt file and an othername.crt file is lost on me. I also do not see provision of a .key file.

My VPN understanding is too weak currently to understand that. Presumably the first time I try to actually use the VPN, I will encounter such.

I don’t believe they (IPVanish) do provide DNS balancing (but I could be wrong) … I think they have a separate .ovpn file for each server in a country, and one then needs to manually select the server / country-region one wishes to use.

wrt the openVPN daemon… did you need to do anything special to have it started upon boot ?
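Added example (not part of any post in this thread, and not IPVanish or NetworkManager code): a small Python parser for the .ovpn directives quoted above, reporting the gateway, port, protocol, which certificate/key files the config actually references, and which authentication type an import should end up with. The function names are hypothetical; the connection_type strings are the NetworkManager-openvpn plugin's connection-type values, and the sample is an abridged copy of the config posted in the thread.

```python
import shlex

# Constructed sample: directives copied from the .ovpn file quoted in the thread.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote ams-a07.ipvanish.com 443
nobind
ca ca.ipvanish.com.crt
tls-remote ams-a07.ipvanish.com
auth-user-pass
"""

def parse_ovpn(text):
    """Map each directive to the list of its argument lists (a directive may repeat)."""
    directives, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                                # inside a <ca>...</ca> style block
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":           # blank line or comment
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]                   # embedded file, e.g. <ca>
            directives.setdefault(inline, []).append(["[inline]"])
            continue
        name, *args = shlex.split(line)
        directives.setdefault(name, []).append(args)
    return directives

def summarize(text):
    """Report what a NetworkManager OpenVPN connection needs from this config."""
    d = parse_ovpn(text)
    has_cert = "cert" in d and "key" in d         # per-user certificate + private key
    has_pass = "auth-user-pass" in d              # username/password prompt
    if "secret" in d:
        auth = "static-key"
    elif has_cert:
        auth = "password-tls" if has_pass else "tls"
    else:
        auth = "password" if has_pass else "unknown"
    remote = d.get("remote", [[]])[0]
    return {
        "gateway": remote[0] if remote else None,
        "port": int(remote[1]) if len(remote) > 1 else 1194,   # OpenVPN default port
        "proto": d.get("proto", [["udp"]])[0][0],
        "connection_type": auth,                  # NetworkManager-openvpn value
        "files": {k: d[k][0][0] for k in ("ca", "cert", "key") if k in d},
        "nobind": "nobind" in d,                  # client binds no fixed local port
    }

SUMMARY = summarize(SAMPLE_OVPN)
```

For the quoted config the result is connection type "password" with only the CA file referenced: the ca file is what the client uses to verify the server, and no per-user .crt or .key is listed because the user authenticates with username and password. The 443 is the server-side port the client connects out to.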

After a quick surf I see port 443 is the standard https port. Hence I believe my router and firewall should already be configured to handle that, and nothing extra is required on my side for that port.

Hi,

I don’t start any vpn service at boot, nor do I need it in my use case; I only use NetworkManager manually. Now with systemd the default, so

systemctl status NetworkManager.service

should show you the long magic openvpn options :slight_smile: once you have a vpn connection via NetworkManager, unless of course you have syslog installed or whatever it is called, then you need to check

/var/log/*

Also I did not do anything in my router or to SuSEfirewall; everything is just default. My vpn provider also has some *.vpn files and you can also use them for starting/connecting to the vpn via cli. Another bug that I have noticed is that when you are using NetworkManager and you want to connect via cli, then NetworkManager does something else; traffic is not routed to your vpn, which is mentioned as well in the forums. To me that is not a surprise because during my umts/usb modem tethering I already encountered that bug, because back then NetworkManager did not have an option for usb modems. Note that I’m not a weed user so the default NetworkManager version is what I’m using, but some folks mention in the forum as well that they have luck with a higher version of NetworkManager.

Is this the bug report (and work around: https://bugzilla.opensuse.org/show_bug.cgi?id=904511#c10 ) ?

Yes, that was it.