OpenVPN with provided config files


Postby FPar » Aug 24th, '15, 17:46

Hi :),

I'm currently trying to configure a VPN connection to the network of my company. I am provided with some certificates and an OpenVPN config file. I tried to create that VPN connection with the assistant, but I can't get it really working. Maybe I'm not entering everything correctly (despite walking through all steps multiple times), so I thought that I could maybe use the provided config file directly.

How can I tell Mageia to use that OpenVPN configuration file?
And not directly belonging to this question, but still relevant: how can I remove existing OpenVPN connections? I didn't find a button in the UI.

Help is very appreciated (I don't want to boot Windows every time I want to use VPN :))

Fabian
FPar
 
Posts: 2
Joined: Aug 15th, '15, 18:52
Location: Germany

Re: OpenVPN with provided config files

Postby doktor5000 » Aug 24th, '15, 19:56

Hi there,

it may be helpful if you could add the information what assistant you refer to in particular.
Do you mean this one? http://doc.mageia.org/mcc/5/en/content/drakvpn.html
And removing the created VPN connections ... good question. AFAICT they should be located under /etc/sysconfig/network-scripts/vpn.d/ with one file per VPN connection.

Apart from that, there are some old topics on this matter that should still apply:
https://web.archive.org/web/20111122130 ... index.html
which has a section for the client configuration:
https://web.archive.org/web/20111122130 ... figuration

Another option would be to switch to networkmanager, as there are more plugins for popular VPN types for it
and it's also much more standard and widespread, you'll find more documentation on networkmanager overall.
I've described how to switch from Mageia's default net_applet to networkmanager here: viewtopic.php?f=25&t=5782

This is what it offers - yeah, German screenshot and only the plasma applet, but should still be understandable :)
[Screenshot: Bildschirmfoto2_190.png]
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
doktor5000
 
Posts: 17659
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: OpenVPN with provided config files

Postby FPar » Aug 24th, '15, 20:42

Hi doktor,

yes, I'm using drakvpn.

Thanks for the tip, where the config files are located, that helps a lot.

I'm still struggling with openvpn, but now with direct access I should be able to resolve that.

Thanks again and have a nice evening :)

Fabian

PS: German screenshots shouldn't be that big a problem as I'm from Germany, too :)

Re: OpenVPN with provided config files

Postby doktor5000 » Aug 24th, '15, 21:10

FPar wrote:PS: German screenshots shouldn't be that big a problem as I'm from Germany, too :)

Feel free to use the German forum, too: https://forums.mageia.org/de ;)

Re: OpenVPN with provided config files

Postby doktor5000 » Aug 24th, '15, 22:12

FWIW, further related links, including some Mageia openvpn users you could ask. The first link seems to refer to the same sort of configuration profiles you seem to be using. Looks pretty easy :)

viewtopic.php?f=25&t=5386

viewtopic.php?f=8&t=5033
viewtopic.php?f=25&t=3401
viewtopic.php?f=25&t=8693
http://comments.gmane.org/gmane.linux.mageia.user/5253

Re: OpenVPN with provided config files

Postby doktor5000 » Aug 25th, '15, 23:20

Had a quick chat with the OP. Seems the openvpn setup is working now in general,
although some connectivity issues remain. His ISP uses DSlite aka dual stack lite,
which means he gets a native external IPv6 address, but traffic to IPv4 devices is (or should be) translated by a gateway on ISP side.

That means for him sites which are accessible natively via IPv6 are working normally when the VPN is active,
and sites that are accessible via IPv4 are not working when the VPN is active. At least not on Linux, under Windows seems to be working in both cases.

For some further reading on ds lite see
http://serverfault.com/questions/609478 ... a-ipv4-how
http://superuser.com/questions/742042/h ... onnections
http://superuser.com/questions/955628/h ... dress-only

https://www.isc.org/downloads/lwds-lite ... tup-guide/ (this is more about the setup on the ISP side)

@Fabian: For a complicated workaround see http://www.unitymediakabelbwforum.de/vi ... 53&t=23849

Re: OpenVPN with provided config files

Postby wintpe » Nov 10th, '15, 14:30

What I tend to do, and I'm using openvpn very successfully, is use the wizard under mcc for adding the vpn entry, but then
go down to /etc/sysconfig/network-scripts/vpn.d/openvpn and edit the added file so that it contains the settings I want, not what the wizard adds,
and with this it's always worked for me.

Just answer anything you like for the wizard, don't be too concerned whether it's right or not. It's what's in the file that counts.

I then use the popup in the kdenetapplet to enable one or more VPNs as I need them, and it pops up and asks me for the password as needed.

I don't use network manager, I have real problems with the way it fights with everything I try to do, and unlike some have reported I've never had any issues with the netapplet.

I'll post some working vpn configs.

My vpn server runs on an asus ac56-ac running DDWRT. This way I keep it off all my other systems, so it runs even if I have a major failure, and that's all the ac56 does, and as it's a very low powered device it does not have the overhead of some other machines, although you could set this up on a RPie, or any other arm based machine. DDWRT already has openvpn already configured, all you have to do is add your certs.

But I also use virtually the same config for TorGuard vpn, which is handy in circumventing geoblocking when I'm on hols.

Posts of configs coming up.

regards peter
Redhat 6 Certified Engineer (RHCE)
Sometimes my posts will sound short, or snappy, however it's really not my intention to offend, so accept my apologies in advance.
wintpe
 
Posts: 1204
Joined: May 22nd, '11, 17:08
Location: Rayleigh,, Essex , UK

Re: OpenVPN with provided config files

Postby wintpe » Nov 10th, '15, 14:38

The three openvpn keys and certificates are all generated using the Linux key generation utilities.


Code:
client
dev tun
tun-mtu 1500
# replace VPNSERVERIPADDRESS and PORTNUMBER with your server's values (port is usually 1194)
remote VPNSERVERIPADDRESS PORTNUMBER
resolv-retry infinite
nobind
user openvpn
group openvpn
persist-key
persist-tun
ca /pathtoca/ca.crt
cert /pathtoca/device.crt
key /pathtoca/device.key
ns-cert-type server
cipher AES-256-CBC
auth sha512
comp-lzo
verb 3



and torguard


Code:
client
dev tun
proto tcp
remote 83.170.97.173 443
remote 77.92.68.146 443
remote 83.170.119.53 443
remote 83.170.119.52 443
remote 83.170.119.28 443
remote 83.170.84.124 443
remote 176.227.213.58 443
remote 88.150.212.74 443
remote 37.220.20.130 443
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
ns-cert-type server
mssfix 1450
persist-key
persist-tun
fast-io
auth-user-pass
comp-lzo
verb 3
ca /pathtoservercert/master.crt
ns-cert-type server

Re: OpenVPN with provided config files

Postby Myles » Aug 23rd, '17, 04:10

winpe, me again. (I think you responded to another one of my issues previously).
I'm trying to get ExpressVPN working using OpenVPN and a supplied config file. I used to be in IT and IT security so I'm familiar with certificates etc but no genius! (and also a bit rusty since retiring many years ago).

Anyway, I sort of did what you suggested in your reply to this issue but I just replaced the MCC generated file in /etc/sysconfig//vpn-scripts/vpn.d/openvpn/ExpressVPN.conf with the one I got supplied - but starting it failed and I didn't even get to put in a username or anything.

Do I have to define something in the Network setting or something?

Would you, or anyone else be able to help me?

Any help is gratefully accepted. :?
Myles,
Canberra, Australia
Myles
 
Posts: 276
Joined: Apr 29th, '12, 10:05

Re: OpenVPN with provided config files

Postby wintpe » Aug 23rd, '17, 10:57

I use kde/plasma and the network applet, and either associate my wifi nic with my vpn config, or just select the vpn I want to open.

I then store the password file.

I use this entry in my conf file to specify the password file

auth-user-pass login.conf

and in login.conf just have

username
password

Also make sure you remove the firewall in MCC, then start the vpn, then re-enable the firewall. It will then recognise tun0 as a device and give you the option to include it in the firewall rules.

Remember tun0/openvpn is like ssh, it has to establish a connection with the vpn server, and if the device tun0 is not allowed through the firewall it won't ever establish a link.

Success will be seen when tun0 has an ip address of something like 10.0.8.1



regards peter
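
Added example, not part of the posts above: a small shell linter for the kind of client config and `auth-user-pass login.conf` file posted in this thread. It flags `ns-cert-type` and `comp-lzo` (both deprecated in later OpenVPN releases), a missing `user`/`group` privilege drop, and a credentials file that other local users can read. The host name and file contents are constructed, and resolving a relative credentials path against the config's directory is an assumption.

```sh
#!/bin/sh
# Added example (not from the thread): lint an OpenVPN client config for the
# settings discussed above. Findings are printed one per line.

# has FILE DIRECTIVE [ARG]: true if an uncommented DIRECTIVE line exists
# (and, when ARG is given, its first argument equals ARG).
has() {
    awk -v d="$2" -v a="${3:-}" \
        '$1 == d && (a == "" || $2 == a) { f = 1 } END { exit !f }' "$1"
}

lint_ovpn() {
    conf=$1
    # Without a server-certificate check, any client certificate signed by
    # the same CA could be presented by an impostor server.
    if has "$conf" remote-cert-tls server || has "$conf" verify-x509-name; then
        :
    elif has "$conf" ns-cert-type server; then
        echo "WARN ns-cert-type is deprecated: use 'remote-cert-tls server'"
    else
        echo "FAIL no check that the peer presents a server certificate"
    fi
    if has "$conf" comp-lzo && ! has "$conf" comp-lzo no; then
        echo "WARN comp-lzo is deprecated: tunnel compression enables VORACLE-style attacks"
    fi
    if ! has "$conf" user || ! has "$conf" group; then
        echo "WARN no user/group: openvpn does not drop privileges after start-up"
    fi
    # auth-user-pass with a file argument: that file holds a cleartext password.
    cred=$(awk '$1 == "auth-user-pass" { print $2; exit }' "$conf")
    if [ -n "$cred" ]; then
        # Assumption: a relative path is resolved against the config's directory.
        case $cred in /*) ;; *) cred=$(dirname "$conf")/$cred ;; esac
        if [ ! -f "$cred" ]; then
            echo "FAIL credentials file $cred not found"
        elif [ "$(ls -ld "$cred" | cut -c5-10)" != "------" ]; then
            echo "FAIL $cred is accessible to group/others: chmod 600 it"
        fi
    fi
}

# Constructed sample (placeholder host name), in the style of the configs above.
demo_dir=$(mktemp -d)
cat > "$demo_dir/client.conf" <<'EOF'
client
dev tun
remote vpn.example.net 1194
ca ca.crt
ns-cert-type server
comp-lzo
auth-user-pass login.conf
EOF
printf 'username\npassword\n' > "$demo_dir/login.conf"
chmod 644 "$demo_dir/login.conf"
lint_ovpn "$demo_dir/client.conf"   # world-readable login.conf is reported
chmod 600 "$demo_dir/login.conf"
lint_ovpn "$demo_dir/client.conf"   # only the WARN lines remain
rm -rf "$demo_dir"
```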

Re: OpenVPN with provided config files

Postby Myles » Aug 24th, '17, 00:09

winTpe (AKA Peter), sorry I put winpe (I didn't have my glasses on at the time, sorry!)

Thanks for that info, much appreciated.

But unfortunately it's all for nought!!! I booted my system this morning and had to leave my study for 5 mins, came back and the system was not responding, on reboot - "NO BOOT MANAGER found". I think my SSD (5 years old) has died, so until I get a new one, re-install my system and get everything back together again I can't try this action out!

Re: OpenVPN with provided config files

Postby wintpe » Aug 24th, '17, 10:46

Before you jump to that conclusion make sure your BIOS has not rearranged the devices.

My 5 year old asus crosshair v formula does that once in a blue moon, and I get the same.

SSDs in theory should last as long as motherboards and processors.

regards peter

Re: OpenVPN with provided config files

Postby Myles » Aug 24th, '17, 11:01

Peter,
Wise words, and that is indeed what occurred - yet again! My video card died about a month ago; got new one installed, got home booted fine...next morning powered up and "no Boot MGR"! So yes it had somehow - for the first time ever - been reset. Then again this morning! I was booted into my Windows partition taking an image of my entire SSD - funnily enough - and my /var (on internal drive), had to have a pit stop, returned to an unresponsive system then got a BSOD! VERY strange goings on. I tested my SSD in a 2.5" enclosure I had and it was fine - phew! So got the boot order sorted out and back in business. So I'll indeed try out your suggestions and see how I go. At the moment taking some more images - just in case! Then back to working on getting OpenVPN working!
I'll update this when I get to try the settings.

Re: OpenVPN with provided config files

Postby wintpe » Aug 24th, '17, 13:20

Check your onboard battery,

maybe it's low.

And also check out my doc I wrote

http://www.linuxpc.co.uk/download/vpnse ... server.odt

It shows the whole process of creating a vpnserver and client.

I know a colleague of mine has followed this successfully with no help from me,

so it works.

You may only follow the client bit, if you want, but overall it might give you a better understanding of how it all works.

regards peter

Re: OpenVPN with provided config files

Postby Myles » Aug 24th, '17, 13:34

Wow, thanks Peter, very much appreciated. I do know how VPNs work - I have used them in the past for private use in Windows but not Linux. But having the ins and outs set out is much better.
And the tip about the firewall may turn out to be the cause as I didn't think about that aspect.
I have saved your document to peruse at a later date (it's getting late to start the process here in OZ!)

Thanks for the tip on the battery - the motherboard (as well as the whole system) is 5 years old - not just the SSD so that could be an issue.

Re: OpenVPN with provided config files

Postby AlyssaOween » Aug 30th, '17, 15:55

Hi,
I am on Porteus LXDE x64 and I have configured an OpenVPN connection with user/password authentication.
When I'm importing the *.ovpn file only field found filled is the gateway. I have fields remain empty for user certificate, CA certificate, Private Key.
I have tried extracting those keys from *.ovpn and put the keys into separate files but is not working. I think this is also because no user/ password fields filled.

I am still searching for the solution. I'll appreciate any advice.
Many thanks,
AlyssaOween
 
Posts: 2
Joined: Aug 30th, '17, 15:26

Re: OpenVPN with provided config files

Postby wintpe » Aug 31st, '17, 12:21

Porteus LXDE is based on Slackware, and while I was a Slackware user many years ago before I got into Redhat based Linux OSes, I never looked into openvpn at the time.

So I've no idea where the openvpn config files are.

I stopped using Slackware because at each release I spent about a month getting the OS back to where it was on the previous version (some Mageia users still spend about a month getting their systems back to where it was prior to an upgrade :) , but it usually takes me no more than a couple of hours).

As a result I would recommend that you try Mageia instead.

This is a very friendly community, and it's on the whole a very stable OS.

regards peter

Re: OpenVPN with provided config files

Postby doktor5000 » Aug 31st, '17, 18:59

AlyssaOween wrote:When I'm importing the *.ovpn file only field found filled is the gateway. I have fields remain empty for user certificate, CA certificate, Private Key.
I have tried extracting those keys from *.ovpn and put the keys into separate files but is not working. I think this is also because no user/ password fields filled.

Dumb question, you import the .ovpn file under Mageia or how is that meant?

Re: OpenVPN with provided config files

Postby Myles » Sep 1st, '17, 11:04

wintpe (Peter),
Sorry for the long delay in replying - had yet more problems with the SSD and other things!
Anyway, for a laugh, I just tried the method of using the OpenVPN with config file as set out on the ExpressVPN website - but, for some reason, this time, it worked! It asked me for my userid and password and eventually connected.........BUT I immediately lost all access to the internet! I have started a chat session with the support team, so I'll see how it goes and let you know. I haven't tried your method as yet. That is still up my sleeve.

Re: OpenVPN with provided config files

Postby wintpe » Sep 1st, '17, 11:18

Losing access to the internet happens when your vpn is set as your default route, and you can't establish communications down that route.
Exactly the symptom that not having tun0 in the firewall config gives.
regards peter

Re: OpenVPN with provided config files

Postby Myles » Sep 1st, '17, 11:40

Whoo hoo! I'm now a very happy camper! Thanks to whomever I was chatting to at ExpressVPN support (but unfortunately dropped the session when I connected to OpenVPN).

Anyway, upshot was they gave a DNS to define, and hey presto! - Internet access via OpenVPN/ExpressVPN!

So, at this stage it all seems to be working correctly (but who knows what tomorrow will bring!)

Okay, I'll have to review your advice on the tun0 business, but at the moment it's working.

Thanks for all of your help and advice Peter (and the doco - still a stand-by!), most appreciated!

Re: OpenVPN with provided config files

Postby Myles » Sep 1st, '17, 12:40

Peter,
Just followed your advice RE: firewall and tun0 - worked like a charm. Now can I re-establish my original DNS settings or do I keep the DNS definition that ExpressVPN gave me (that worked)???

Re: OpenVPN with provided config files

Postby wintpe » Sep 4th, '17, 12:44

So there is an issue called DNS leakage that many people don't realize when they are doing something they thought was private.

If all your comms to the site that you are looking at are going down the VPN, no one can see what it is you are browsing.

If your DNS is also going down that VPN that's fine.

But if you set your dns to your ISP's dns, or you let your router automatically set your DNS, or you even set it to 8.8.8.8, which are all common scenarios,

then every C call of gethostbyname( hostname ) will reveal a dns lookup of "www.xxx.50shades.com/pics/" down your cleartext dns connection, and not down through the vpn. :)

Now I'm not suggesting that that is what you want to remain private, but it does demonstrate what some people might want to keep private.

So it's quite important to ensure that you use a dns that is routable down your vpn, and does not sidestep it.

regards peter
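
Added example, not part of the post above: one way to check the DNS-leak point on a running system is to ask the routing table which device each resolver in resolv.conf is reached through. The device name tun0 follows the thread; the sample addresses and `ip route get` lines are constructed, and a resolver on `lo` is a local stub whose upstream servers need the same check.

```sh
#!/bin/sh
# Added example (not from the thread): report which interface each configured
# DNS resolver is routed through, so resolvers that bypass the tunnel stand out.

# Print the nameserver addresses found in resolv.conf-style text on stdin.
nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# Print the outgoing device named in `ip route get ADDR` output ($1).
route_dev() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# dns_route_report RESOLV_TEXT VPN_DEV LOOKUP
#   LOOKUP is a command that takes one address and prints `ip route get` output.
dns_route_report() {
    printf '%s\n' "$1" | nameservers | while read -r ns; do
        dev=$(route_dev "$("$3" "$ns")")
        case $dev in
            "$2") echo "OK   $ns via $dev" ;;
            lo)   echo "STUB $ns via lo (local resolver: check its upstream servers)" ;;
            "")   echo "NONE $ns has no route" ;;
            *)    echo "LEAK $ns via $dev (outside $2)" ;;
        esac
    done
}

# Lookup to use on a live system.
live_lookup() { ip route get "$1"; }

# Constructed sample data: a resolver pushed by the VPN, the home router,
# and a local stub resolver.
SAMPLE_RESOLV='# constructed sample
nameserver 10.8.0.1
nameserver 192.168.1.1
nameserver 127.0.0.53'

sample_lookup() {
    case $1 in
        10.8.0.1)    echo "10.8.0.1 dev tun0 src 10.8.0.6 uid 1000" ;;
        192.168.1.1) echo "192.168.1.1 dev eth0 src 192.168.1.20 uid 1000" ;;
        127.0.0.53)  echo "local 127.0.0.53 dev lo src 127.0.0.1 uid 1000" ;;
    esac
}

dns_route_report "$SAMPLE_RESOLV" tun0 sample_lookup
# On a real machine: dns_route_report "$(cat /etc/resolv.conf)" tun0 live_lookup
```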

Re: OpenVPN with provided config files

Postby Myles » Sep 4th, '17, 22:47

Yes, after posting that (and going through yet ANOTHER issue with the SSD disappearing last week which tied me up for a couple of days) I thought about it and thought that it wasn't a good idea to use the ISP DNS settings, so I haven't.
Thanks, once again for your valuable insight, really, really appreciate it.

Re: OpenVPN with provided config files

Postby AlyssaOween » Sep 8th, '17, 10:05

doktor5000 wrote:
AlyssaOween wrote:When I'm importing the *.ovpn file only field found filled is the gateway. I have fields remain empty for user certificate, CA certificate, Private Key.
I have tried extracting those keys from *.ovpn and put the keys into separate files but is not working. I think this is also because no user/ password fields filled.

Dumb question, you import the .ovpn file under Mageia or how is that meant?

It means I didn't config files, I also read openvpn reviews guide for this issue..

