
OpenVPN

OpenVPN is an open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).

OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or a username/password. When used in a multi-client/server configuration, it allows the server to issue an authentication certificate for every client, signed by a certificate authority. It uses the OpenSSL encryption library extensively, as well as the SSLv3/TLSv1 protocol, and contains many security and control features.

How to use OpenVPN

It's very simple if you already have a ready-to-go config from an OpenVPN provider:

# openvpn --config yourconfig.ovpn

If you don't have a config that you can use, have a look in /etc/openvpn. Slackware ships an example config with some good hints in there.

Using OpenVPN with the i3 status bar

I'm using the i3 window manager with dmenu and the i3status bar. You can configure the bar to show whether openvpn is running or not. The i3status.conf lives in /etc/ if installed with the SlackBuild.

You have to start openvpn with an additional --writepid /path/to/your.pid so that i3status has a pidfile to watch.

For example:

openvpn --config /etc/openvpn/vpn.ovpn --writepid /var/run/openvpn.pid

To use the built-in feature you have to edit the i3status config file. Look for the

run_watch VPN {
        pidfile = "/var/run/something.pid"
}

block and change "something" into your chosen pid name. In this case:

run_watch VPN {
        pidfile = "/var/run/openvpn.pid"
}

Rebuilding OpenVPN to read your login from file

Since I wanted my openvpn connection to start automatically when I connect my Thinkpad to the dock, I thought it would be useful to add the 'password save' feature (the 'password save' setting allows you to store your username and password in a file for scripting). This feature is not enabled by default. You have to add it to the SlackBuild and recompile the package.

Start by grabbing the source and slackbuild from one of the Slackware mirrors.

http://mirrors.slackware.com/slackware/slackware64-14.0/source/n/openvpn/

Change the mirror for your needs, for example -current.

In the next step we will change the openvpn.SlackBuild file.

Open the SlackBuild file with your editor of choice.

For vim do:

$ vim openvpn.SlackBuild

Now look for this block of code:

./configure \
    --prefix=/usr \
    --libdir=/usr/lib${LIBDIRSUFFIX} \
    --sysconfdir=/etc/openvpn \
    --localstatedir=/var \
    --docdir=/usr/doc/openvpn-${VERSION} \
    --enable-lzo \
    --enable-iproute2 \
    --build=$ARCH-slackware-linux

Add the --enable-password-save line to it. The comment marks the new line; keep it on its own line, because a comment placed after a trailing backslash breaks the line continuation.

./configure \
    --prefix=/usr \
    --libdir=/usr/lib${LIBDIRSUFFIX} \
    --sysconfdir=/etc/openvpn \
    --localstatedir=/var \
    --docdir=/usr/doc/openvpn-${VERSION} \
    --enable-lzo \
    --enable-iproute2 \
    # add the next line!
    --enable-password-save \
    --build=$ARCH-slackware-linux

Save the file, make it executable and rebuild the package with

$ chmod +x openvpn.SlackBuild && ./openvpn.SlackBuild

The new package should be in the /tmp directory.

Install it with:

# upgradepkg --install-new /tmp/yourpackage.tgz

Now you are able to load your login and password from a file. The file should contain two lines of text:

username
password

Save the file and make it readable only by its owner. The password is stored in plain text, so no other user on the system should be able to read it.

$ chmod 600 yourfile

Lastly add the line below to your openvpn config.

auth-user-pass /path/to/your/passwordfile

Now you should be able to log in without typing your password every time.
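The steps above, as an added shell example that is not part of this wiki page: it writes the two-line auth-user-pass file with owner-only permissions, refuses to start openvpn if that file is readable by anyone else, and checks the --writepid pidfile the same way i3status' run_watch does. All paths passed to the functions are hypothetical placeholders.

```shell
# Added example, not from the Slackware docs: helpers for the auth-user-pass
# credentials file and the --writepid pidfile described above. All file
# paths passed in are hypothetical placeholders.

# Create the two-line username/password file with mode 0600 from the first
# write (umask 077), refusing to clobber an existing file.
write_auth_file() {
    file=$1 user=$2 pass=$3
    if [ -e "$file" ]; then
        echo "refusing to overwrite $file" >&2
        return 1
    fi
    old_umask=$(umask)
    umask 077
    printf '%s\n%s\n' "$user" "$pass" > "$file"
    umask "$old_umask"
    chmod 600 "$file"    # belt and braces: no group/other bits at all
}

# Succeed only if the file is a regular file with no group/other permission
# bits, i.e. "readable only by its owner" as the page requires.
auth_file_is_private() {
    [ -f "$1" ] || return 1
    perm=$(ls -ld "$1" | cut -c5-10)   # group+other rwx columns of ls -l
    [ "$perm" = "------" ]
}

# Same test i3status' run_watch applies: the pidfile must name a live process.
vpn_is_running() {
    [ -r "$1" ] || return 1
    pid=$(head -n 1 "$1" | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;     # empty or non-numeric pidfile
    esac
    kill -0 "$pid" 2>/dev/null
}

# Start openvpn from a dock/udev hook, but only with a private credentials
# file; otherwise the password is readable by every local user.
start_vpn() {
    conf=$1 auth=$2 pidfile=$3
    if ! auth_file_is_private "$auth"; then
        echo "$auth must be a regular file with mode 0600" >&2
        return 1
    fi
    vpn_is_running "$pidfile" && return 0    # already up, nothing to do
    openvpn --config "$conf" --auth-user-pass "$auth" \
            --writepid "$pidfile" --daemon
}
```

Call start_vpn /etc/openvpn/vpn.ovpn /etc/openvpn/auth.txt /var/run/openvpn.pid from whatever script runs when the dock is connected; the same pidfile path goes into the run_watch block.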
