Connecting to Access Server with Linux
Connecting to OpenVPN Access Server from Linux requires a client program. It will capture the traffic you wish to send through the OpenVPN tunnel, encrypting it and passing it to the OpenVPN server. And of course, the reverse, to decrypt the return traffic.
Linux Packages Discussed
| OpenVPN Access Server | openvpn-as |
| OpenVPN 3 Linux Client | openvpn3 |
| OpenVPN open source | openvpn |
OpenVPN 3 Linux Client
The OpenVPN 3 Linux project is a new client built on top of the OpenVPN 3 Core Library. This client is the official OpenVPN Linux Client program. You can find an overview of the features, frequently asked questions, and instructions on installing the openvpn3 package on our OpenVPN 3 for Linux site.
After following the instructions there to install the client, you’ll need a connection profile. This is a file generated by your OpenVPN Access Server installation for your specific user account. It contains the required certificates and connection settings. Go to the Client web interface of your Access Server (the main address, not the /admin portion). Log in with your user credentials. You will be shown a list of files available to download. Pick the user-locked profile or the auto-login profile, and you will be sent a client.ovpn file. Save this file to your Linux operating system.
Once you’ve moved the file to your Linux system, you can import it.
openvpn3 config-import —config $
You can start a new VPN session:
openvpn3 session-start —config $
You can manage a running VPN session:
And so on. More details can be found here: OpenVPN3Linux.
OpenVPN open source OpenVPN CLI program
The open source project client program can also connect to the Access Server. The package is available in most distributions and is known simply as openvpn. It supports the option to connect to multiple OpenVPN servers simultaneously, and it comes with a service component that can automatically and silently start any auto-login profiles it finds in the /etc/openvpn folder, even before a user has logged in. This service component can be set to automatically start at boot time with the tools available in your Linux distribution if supported. On Ubuntu and Debian, when you install the openvpn package, it is automatically configured to start at boot time.
To install the OpenVPN client on Linux, it is possible in many cases to just use the version that is in the software repository for the Linux distribution itself. If you run into any connectivity problems when using outdated software, it may be due to a possible lack of support for higher TLS versions in older versions of OpenVPN. Follow the instructions found on the open source openvpn community wiki if you wish to install the OpenVPN client on your Linux system.
After installing, you will need a connection profile. This is a file generated by your OpenVPN Access Server installation for your specific user account. It contains the required certificates and connection settings. Go to the Client web interface of your Access Server (the main address, not the /admin portion). Log in with your user credentials. You will be shown a list of files available to you for download. Pick the user-locked profile or the auto-login profile, and you will be sent a client.ovpn file. Save this file to your Linux operating system somewhere. OpenVPN Access Server supports server-locked, user-locked, and auto-login profiles, but the OpenVPN command line client is only able to connect with user-locked or auto-login connection profiles.
We are assuming you are going to start the connection through either the command line as a root user, or via the service daemon. If you want unprivileged users to be able to make a connection, take a look at the community wiki for more information on how to implement that. Here we are going to focus on the simplest implementation; run the connection as root user directly, or via the service daemon.
Start a connection with an auto-login profile manually:
openvpn --config client.ovpn
Start a connection with a user-locked profile manually:
openvpn --config client.ovpn --auth-user-pass
If you use Google Authenticator or another extra factor authentication, add the auth-retry parameter:
openvpn --config client.ovpn --auth-user-pass --auth-retry interact
To start an auto-login connection via the service daemon, place client.ovpn in /etc/openvpn/ and rename the file. It must end with .conf as file extension. Ensure the service daemon is enabled to run after a reboot, and then simply reboot the system. The auto-login type profile will be picked up automatically and the connection will start itself. You can verify this by checking the output of the ifconfig command; you should see a tun0 network adapter in the list.
One major feature that is missing with the command line client is the ability to automatically implement DNS servers that are pushed by the VPN server. It is possible, but it requires you to install a DNS management program such as resolvconf or openresolv, and it may or may not clash with existing network management software in your OS. The idea here, however, is that you use a script that runs when the connection goes up, and when it goes down, that uses resolvconf or openresolv to implement the DNS servers for you. The reason why this client is not able to manage it completely by itself is mainly because in an operating system like Windows, Macintosh, Android, or iOS, there is already an established single method of handling DNS management. It is therefore easy for us to create a software client for those operating systems that already knows how to handle DNS. But Linux is available in so many variations and also supports different programs and methods of implementing DNS servers, and so it was only reasonable to leave built-in DNS support out of the OpenVPN program and instead to provide, where possible, a script that handles DNS implementation. Such a script could even be written by yourself to do whatever tasks are necessary to implement the DNS servers in your unique situation.
Fortunately on Ubuntu and Debian, for example, there is the /etc/openvpn/update-resolv-conf script that comes with the openvpn package that handles DNS implementation for these operating systems. You need only to activate the use of these by following the instructions:
Open your client.ovpn file in a text editor:
At the very bottom simply add these lines:
script-security 2 up /etc/openvpn/update-resolv-conf down /etc/openvpn/update-resolv-conf
The first line enables the use of external scripts to handle the DNS implementation tasks. The up and down lines are there to implement DNS servers pushed by the VPN server when the connection goes up, and afterwards to undo it, when the connection goes down.
Ubuntu network management program
There is also the option of connecting through the GUI using the openvpn extension for the Gnome network manager plugin. But this is currently a bit tricky to set up. There is for example the incorrect assumption that all VPNs will be able to redirect Internet traffic, and older versions might not understand the .ovpn file format, requiring you to split up the certificate embedded in it into separate file. And you would likely have to dig into the options to ensure that a default Internet traffic route going through the VPN server is not always enabled by default, especially for servers where you only give access to some internal resources, and not the entire Internet. However the advantage of using the GUI component is that you can start/stop the connection from the desktop environment on Linux.
Ubuntu → Настраиваем OpenVPN клиент Linux на примере Ubuntu
Здравствуйте.
Как и обещал, в выкладываю статью по настройке OpenVPN клиента Linux, мы с вами уже настроили OpenVPN сервер, и нам осталось настроить подключение к нему, иначе для чего он нам нужен, если к нему никто не подключается… С данным мануалом настройка будет весьма проста, эта схема была успешно оттестирована в условиях IT компании и работает по сей день.
sudo apt-get install openvpnТеперь нам необходимо создать конфигурационный файл клиента.
nano /etc/openvpn/client.conf# Тип подключения -клиент client # Через какое устройстов подлючаемся dev tun0 # Через какой протокол работаем, такойже как на сервере proto tcp # Адрес OpenVPN сервера и его порт (можно указать IP или URL) remote openvpn.example.org 1194 # Тип шифрования, как на OpenVPN сервере cipher AES-256-CBC # Сертификат удостоверяющего центра ca ca.crt # Сертификат и ключ клиента cert user.crt key user.key # Клиент поддерживает шифрование tls-client # Указываем путь к ключу TLS tls-auth ta.key 1 # Включаем компрессию данных comp-lzo persist-key persist-tun # В документации рекомендуется этот пункт для клиентов с нестабильым доступом, например Wi-Fi resolv-retry infinite # Не использовать специфический порт для работы nobind # Скрипт работает при подключении, он обновляет записи в resolv.conf при подключении к серверу и очищает их при отколючении от OpenVPN сервера script-security 2 up /etc/openvpn/update-resolv-conf down /etc/openvpn/update-resolv-conf # Статус-лог переданные данные и т.п. status /var/log/openvpn-status.log # Лог клиента log /var/log/openvpn.log # Уровень логирования 0 в лог попадают только записи о критических ошибках, если нужно подробнее, то выставляем 9 для дебагинга verb 0 # Количество записей после которых будет производиться запись в лог mute 20Нам остаётся скачать c OpenVPN сервера, где живет наш удостоверяющий центр, 4 файла:
ca.crt user.crt user.key ta.keyИ положить их в директорию /etc/openvpn рядом с файлом client.conf
т.к. это у нас обычный пользователь, то он должен ходить в нашу локальную сеть, а в интрнет через свое подключение, выясним как ходят пакеты для этого выполним трассировку пакета в локальную сеть:
traceroute 172.16.1.20
traceroute to 172.16.1.20 (172.16.1.20), 30 hops max, 60 byte packets
1 172.16.10.1 (172.16.10.1) 4.066 ms 8.001 ms 7.974 ms
2 172.16.1.20 (172.16.1.20) 7.952 ms 7.931 ms 7.910 ms
Видно что пакет ушел на адрес 172.16.10.1 и с интерфеса eth1 в локальную сеть к целевому IP
Выполним трассировку к google.ru, получаем ответ вида:
traceroute google.ru
traceroute to google.ru (173.194.32.159), 30 hops max, 60 byte packets
1 111.111.111.111 (111.111.111.111) 1.360 ms 1.252 ms 1.177 ms
2 46.61.227.225 (46.61.227.225) 1.865 ms 1.271 ms 1.707 ms
3 95.167.90.39 (95.167.90.39) 18.209 ms 95.167.90.37 (95.167.90.37) 18.170 ms 95.167.90.39 (95.167.90.39) 18.496 ms
4 74.125.146.86 (74.125.146.86) 17.827 ms 17.984 ms 17.946 ms
5 216.239.42.97 (216.239.42.97) 17.771 ms 18.058 ms 18.319 ms
6 216.239.42.83 (216.239.42.83) 17.765 ms 216.239.42.49 (216.239.42.49) 19.130 ms 19.004 ms
7 72.14.236.242 (72.14.236.242) 19.287 ms 18.554 ms 18.802 ms
8 173.194.32.159 (173.194.32.159) 18.025 ms 18.269 ms 18.224 ms
Видно что ответ вылетел черз шлюз сети к которой подключен клиент, а не через наш VPN канал
Для обычного пользователя все работает как надо, чтобы проверить под пользователем supersuer нам необходимо положить ключи в директорию openvpn и поменять запись в client.conf указывающих на названия ключа и сертификата
перезапустить OpenVPN клиента и повторить трасисровку пакетов
traceroute 172.16.1.20
traceroute to 172.16.1.20 (172.16.1.20), 30 hops max, 60 byte packets
1 172.16.10.1 (172.16.10.1) 4.066 ms 8.001 ms 7.974 ms
2 172.16.1.20 (172.16.1.20) 7.952 ms 7.931 ms 7.910 ms
В локальную сеть пакеты ходят без изменений, тут ничего не поменялось
traceroute google.ru
traceroute to google.ru (173.194.122.248), 30 hops max, 60 byte packets
1 172.16.10.1 (172.16.10.1) 6.115 ms 11.448 ms 11.500 ms
2 222.222.222.222 (222.222.222.222) 11.614 ms 11.649 ms 11.676 ms
3 10.158.192.1 (10.158.192.1) 11.691 ms 11.705 ms 11.719 ms
4 v811.m9-3.caravan.ru (212.24.42.49) 11.729 ms 11.744 ms 11.751 ms
5 msk-ix-gw1.google.com (195.208.208.232) 11.736 ms 15.341 ms 15.350 ms
6 66.249.94.100 (66.249.94.100) 15.346 ms 5.884 ms 8.451 ms
7 72.14.252.22 (72.14.252.22) 49.777 ms 49.787 ms 49.796 ms
8 173.194.122.248 (173.194.122.248) 49.510 ms 49.620 ms 49.671 m
А тут видно что пакет попал на наш OpenVPN сервер и вылетел во внешний мир через интерфейс eth0
Значит и эта маршрутизация работает правильно
На этом я свой опус пожалуй и закончу, если нашли ошибку пишите в личку, возникли вопросы оставляйте их в комментариях.