I’m using KDE and LEAP 42.2…and was wondering whether it’s possible to set up a VPN for the entire system. I use the “Private Internet Access” plug-in in Chromium and also their software for my Windows desktop but they don’t support LEAP, just Ubuntu it would seem.
It’s great having their browser plugin but I’d like the entire connection over VPN if possible, for using ktorrent and the like.
It’s fairly straightforward to set up a system-wide VPN, and you don’t need the PIA client.
Private Internet Access (PIA) uses the OpenVPN protocol so two approaches are available to you depending on how comfortable you are with manually editing configuration files and basic scripting.
The simplest approach is to use NetworkManager:
make sure NetworkManager, NetworkManager-openvpn and plasma-nm5-openvpn are installed, then
right-click the NetworkManager icon in the panel and bring up the Connection Editor
click Add in the Connection Editor menu and from the drop-down list choose either OpenVPN to configure the PIA connection manually, or
click Import VPN to have NetworkManager configure the connection from the PIA config file.
The other approach is to install OpenVPN so you can use the OpenVPN client. You would then have to:
prepare and install a configuration file in /etc/openvpn/, together with the certificates provided by PIA and a credentials file (containing your PIA username and password).
set up a means of starting and stopping the OpenVPN client. This could be done automatically on login using the provided systemd service file openvpn@user.service, or
on demand using a script or .desktop file that you would have to prepare yourself.
Thanks for taking the time to reply. If I choose “open VPN” then I have literally no idea what to use as any of my settings…and I’m not sure how I can take the data from the PIA config file when I’m not using PIA in Linux, only in windows?
First,
For most commercial services, you’d be advised to use their support, but asking a question how to set up a VPN is an exception… For various reasons, it appears that unlike other OS, VPN services don’t provide an installable client (although they probably could write generic RPM and DEB packages).
So,
You should realize that the steps to set up a VPN are generally agnostic across all distros… If your VPN service doesn’t provide an adequate article how to set up, you can generally use another distro’s… Just modify the package management if necessary (like use zypper instead of apt-get).
For what you’re asking, there are two solutions… Either use the command line to set up and initiate your VPN or use Network Manager. The command line method is really the simplest and easiest no matter how comfortable you are using the command line console, and then you can place a script command on your Desktop for “one click” starting your VPN whenever you wish.
An easy guide to setting up using the command line (applies to all Linux including all versions of openSUSE). The only difference is that you need to download and install certificates from your Provider instead of PureVPN
The alternative is to set up using Network Manager, which might not be so easy because Network Manager looks different, and sometimes organizes functionality slightly differently depending on your Desktop and Distro. You should start by downloading the same certificates from your VPN Provider mentioned above. Then create a VPN connection using the Connection Editor… but unless you describe what your Desktop is, no one can describe <exactly> what you need to do.
I changed apt-get to zypper and ran through those commands and all went well until the end…where it says TLS authentication failed within 60 seconds (check network connection)
yet I am connected to the internet. I then tried via network manager, by choosing import VPN and then chose a UK .ovpn file and it opened that ok, but when I click connect (and enter my username and password for PIA), it says “starting the service providing the VPN failed”
Invoke from the command line and then read <exactly> what the error says.
If necessary post that <exact> error so we can know whether TLS failed because of something unsupported or if authentication failed due to something missing or credentials were rejected.
The handshake stage is usually (but not necessarily) done using SHA-1 to maximize compatibility, and is likely relevant to the version of TLS.
Determine what version of TLS the VPN Provider is using, and then match with the version of TLS in your openSSL package.
Something else to check (hopefully not an issue) is whether their version of TLS is patched against the major vulnerabilities this past year (openSUSE is patched, so may not work with other machines using unpatched TLS)
It’s possible that the Ubuntu LTS version (and whatever Private Internet Access is using) is older than what openSUSE distributes, generally speaking we are more current than Ubuntu. You may have to use your Provider’s support to get this information. The alternative probably would be to deploy an Ubuntu in a virtual machine to do your own investigation.
client
dev tun
proto udp
remote uk-london.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/pia-credentials
comp-lzo
verb 1
reneg-sec 0
crl-verify /etc/openvpn/pia-crl.rsa.2048.pem
ca /etc/openvpn/pia-ca.rsa.2048.crt
auth-nocache
link-mtu 1542
Name it something like piaLondon.conf and put it in /etc/openvpn/.
The piaLondon.conf file references 3 other files (blue text above) which also need to be placed in the /etc/openvpn/ directory.
pia-crl.rsa.2048.pem and pia-ca.rsa.2048.crt are certificate files provided by PIA, and
a file you will create named pia-credentials which contains
piaUserName
piaPassword
Now run
sudo systemctl start openvpn@piaLondon.service
and you should have a working VPN.
You can check the status by running
sudo systemctl status openvpn@piaLondon.service
● openvpn@piaLondon.service - OpenVPN tunneling daemon instance using /etc/openvpn/piaLondon.conf
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Apr 07 10:38:09 xxxx.home.net openvpn[28249]: TUN/TAP device tun0 opened
Apr 07 10:38:09 xxxx.home.net openvpn[28249]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Apr 07 10:38:09 xxxx.home.net openvpn[28249]: /bin/ip link set dev tun0 up mtu 1484
Apr 07 10:38:09 xxxx.home.net openvpn[28249]: /bin/ip addr add dev tun0 local 10.20.10.6 peer 10.20.10.5
Apr 07 10:38:09 xxxx.home.net openvpn[28249]: Initialization Sequence Completed
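A pre-flight check for the setup described in the post above, as an added example that is not part of the original thread: it reads an OpenVPN client config, confirms that the files named by ca, crl-verify and auth-user-pass exist, and checks that the credentials file holds two lines and is readable only by its owner. The function name check_openvpn_refs and the expectation of mode 600 are assumptions made for this example.

```shell
# Added example: audit the external files an OpenVPN client config points at.
# Prints one line per finding; the return code is the number of problems.
# Usage (path from the thread): check_openvpn_refs /etc/openvpn/piaLondon.conf
check_openvpn_refs() {
    local conf="$1" problems=0 directive path rest mode lines
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    # "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while read -r directive path rest || [ -n "$directive" ]; do
        # Only these directives from the posted config name a file.
        case $directive in
            ca|crl-verify|auth-user-pass) ;;
            *) continue ;;
        esac
        # A bare "auth-user-pass" means an interactive prompt, no file.
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $directive $path"
            problems=$((problems + 1))
            continue
        fi
        if [ "$directive" = auth-user-pass ]; then
            # The file stores the username and password in plain text, so
            # it should be readable by its owner only (assumed policy).
            mode=$(stat -c %a "$path")   # GNU stat, as on openSUSE
            case $mode in
                600|400) ;;
                *) echo "PERMS    $path is mode $mode, expected 600"
                   problems=$((problems + 1)) ;;
            esac
            # Expect exactly two non-empty lines: username, then password.
            lines=$(grep -c . "$path" || true)
            if [ "$lines" -ne 2 ]; then
                echo "FORMAT   $path has $lines non-empty lines, expected 2"
                problems=$((problems + 1))
            fi
        fi
    done < "$conf"
    return "$problems"
}
```

Run it with sudo when the files under /etc/openvpn/ are readable only by root.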
Hi,
I got an email back from PIA and they suggested trying different config files and…hey presto, success! My only question is…obviously to get it up and running I need to open a console window, is there some way to get it to do this automatically? It’s no big deal to be honest…but once it is up, how do I stop the VPN? Is it a case of closing the console window which contains the code? Sometimes I may want to change my output server so would I simply close the console window, open another and then just do
cd /etc/openvpn
sudo openvpn 'Germany.ovpn'
for example?
Finally…I use Ktorrent for downloading torrents, is this a sensible option? When using magnet links, where does it store torrent files? I’d like to be able to delete them…do they get automatically deleted once you remove the download?
Thank you so much for all of your help!
Ross