LinuxQuestions.org
Old 06-23-2018, 06:59 AM   #1
Honest Abe
Distribution: CentOS 7, OpenSUSE 15
VPN on OpenSUSE & CentOS


I have earlier made a How-To for setting up SecurityKiss VPN on OpenSUSE, but it was GUI based. The GUI way of setting up VPN is much the same for all providers and there are plenty of tutorials available online.

As users of CentOS 7.5 will know, there is a way to add VPN from the Gnome top menu/Settings. However it supports only L2TP over IPSEC from the GUI. My attempts to import an openvpn configuration file failed repeatedly. If you have found a way to add openVPN connections from GUI on CentOS, please let me know. [Also, no IPSEC vs OpenVPN discussions please]

So, if you have a VPN subscription, (mine is Cyberghost and SecurityKiss), you should have your configuration bundle in your account. Look in your VPN provider's site or contact the customer support. Here's Cyberghost's to get you started. VPN providers support multiple protocols, some open-sourced, some proprietary. But I have used the openvpn protocol.

The configuration bundle consists of these -
a. An openvpn configuration file, generally ends with '.ovpn' suffix.
b. A Certificate issued by a CA, named ca.crt
c. A certificate to identify the client, named client.crt
d. A private key for the Client, named client.key

The VPN provider should also provide your own username and password to authenticate. This is not the norm everywhere. I have looked through the .ovpn configuration file of both providers and the following directive was found in Cyberghost -

Code:
auth-user-pass

The SecurityKiss config file did not have such a directive and it did not ask for a username/password.

Your OS should have NetworkManager & openvpn installed. Verify with the following -
Code:
yum list installed 'NetworkManager*' 'openvpn*'               # for CentOS
zypper search --installed-only 'NetworkManager*' 'openvpn*'   # for OpenSUSE

To create an openvpn tunnel from CLI -
Code:
$ sudo openvpn --config /Path/to/*.ovpn --ca /Path/to/ca.crt --key /Path/to/client.key --cert /Path/to/client.crt

Based on your VPN provider, you may be challenged to authenticate with a username & password. If all goes well, you should see a new connection called tun0 such as this -

On OpenSUSE
Code:
acer-SUSE:~ # ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 00:26:2d:81:68:fb brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether c4:17:fe:c2:51:2f brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.7/24 brd 192.168.0.255 scope global noprefixroute dynamic wlan0
       valid_lft 82700sec preferred_lft 82700sec
    inet6 fe80::4c64:adf4:3b01:348b/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none 
    inet 10.248.204.42 peer 10.248.204.41/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::2a73:6c18:1275:2d6b/64 scope link flags 800 
       valid_lft forever preferred_lft forever
acer-SUSE:~ # nmcli con show
NAME                UUID                                  TYPE      DEVICE 
GETOWNCONNECTION    df639b35-d90b-4751-9a3a-7f8ca72124e0  wifi      wlan0  
tun0                600db5e5-5794-4277-8d15-0bd605cc5ce6  tun       tun0   
Wired connection 1  63989c5f-66f7-3921-ba39-908fab527967  ethernet  --

On CentOS 7
Code:
[root@AB-Cent7OS ~]# ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp0s31f6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 1c:1b:0d:c1:07:72 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.12/24 brd 192.168.0.255 scope global noprefixroute dynamic enp0s31f6
       valid_lft 83343sec preferred_lft 83343sec
    inet6 fe80::33fc:891e:8f86:bded/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: wlp3s1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 18:d6:c7:c6:74:af brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.8/24 brd 192.168.0.255 scope global noprefixroute dynamic wlp3s1
       valid_lft 83280sec preferred_lft 83280sec
    inet6 fe80::9372:a78b:2029:97b6/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:d2:49:78 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:d2:49:78 brd ff:ff:ff:ff:ff:ff
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none 
    inet 10.11.0.242 peer 10.11.0.241/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::f030:84a4:1fc9:eb04/64 scope link flags 800 
       valid_lft forever preferred_lft forever
[root@AB-Cent7OS ~]# nmcli con show
NAME                  UUID                                  TYPE      DEVICE    
GETOWNCONNECTION      16f9b28e-aa30-4f51-ad0d-1197869e2c92  wifi      wlp3s1    
enp0s31f6             6782d3c1-e1be-4102-90f5-024fe97cbb66  ethernet  enp0s31f6 
tun0                  0f319f56-a2b8-402c-a166-6265c22e565d  tun       tun0      
virbr0                48a6894f-6559-4f51-9566-3c179660247a  bridge    virbr0    
GETOWNCONNECTION_2EX  0285d876-aa41-4a89-90af-865b279431e2  wifi      --        
GJN                   21881e86-df5d-491a-a354-93fe7e8c7b03  wifi      --        
Getownconnection      a5907de3-abaa-4ebd-977d-4c086189bb1a  wifi      --        
Getownconnection_2EX  caf68d34-ab27-497b-aa93-6ec34d49bcbd  wifi      --        
TP-LINK_ADF6          f6f6121e-4546-4b79-9e6b-154fb6bc02f3  wifi      --        
edimax.setup          33e63af6-27a1-4e65-be46-f4baed89f459  wifi      --

Check out your geolocation on whatismyip(dot)com.

To stop the connection, press 'ctrl+c' on your terminal.

Note 1 - Verified on OpenSUSE Leap 15 & CentOS 7.5
Note 2 - Not endorsing any of the VPN providers that I have mentioned. I am just a happy customer.
Note 3 - It should be possible to make a script that feeds the username & password to the prompt of openvpn. If I get around to making one, I'll update the post.
Note 4 - This works on my machine, your mileage may vary.
Note 5 - It's okay to edit the .ovpn file and put a different IP (of the same provider). Just take care of the protocol used (tcp/udp).
Note 6 - DigitalOcean has a great tutorial if you want to set up your own Openvpn server.

Last edited by Honest Abe; 06-24-2018 at 01:18 AM.
 
Old 06-24-2018, 12:02 PM   #2
Honest Abe

Quote:
Originally Posted by Honest Abe
~
I have looked through the .ovpn configuration file of both providers and the following directive was found in Cyberghost -

Code:
auth-user-pass
~~
Note 3 - It should be possible to make a script that feeds the username & password to the prompt of openvpn. If I get around to make one, I'll update the post.
~
Found it..

Create a file and put your username & password such as -
Code:
yourusername
Topsecretpassword

Open your openvpn config file and append -

Code:
auth-user-pass /path/to/file
Source - here
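
As an added example (not part of the original posts, and not code from OpenVPN or either provider): the credentials file from post #2 holds the password in clear text, so these shell helpers create it with owner-only permissions, check that a secret file such as client.key is not group- or world-accessible, and set the auth-user-pass line in the .ovpn file. The function names and all paths are assumptions.

```shell
#!/usr/bin/env bash
# Added example; every path and credential used with it is a placeholder.

# write_auth_file FILE USER PASS
# Creates the two-line credentials file readable by its owner only.
write_auth_file() {
    local file="$1" user="$2" pass="$3"
    # umask in a subshell: a new file never exists with wider permissions.
    ( umask 077 && printf '%s\n%s\n' "$user" "$pass" > "$file" ) || return 1
    chmod 600 "$file"    # tighten a file that already existed
}

# secret_is_private FILE
# Succeeds only if group and others have no permission bits on FILE.
# Applies equally to the credentials file and to client.key.
secret_is_private() {
    [ -f "$1" ] || return 2
    [ -z "$(find "$1" -maxdepth 0 -perm /077)" ]
}

# set_auth_directive OVPN AUTHFILE
# Rewrites any existing auth-user-pass line (bare or with a path) to point
# at AUTHFILE, or appends one if none exists.
# Assumes AUTHFILE contains no '|', '&' or backslash (special to sed).
set_auth_directive() {
    local ovpn="$1" auth="$2"
    if grep -Eq '^[[:space:]]*auth-user-pass([[:space:]]|$)' "$ovpn"; then
        sed -i -E "s|^[[:space:]]*auth-user-pass([[:space:]].*)?\$|auth-user-pass $auth|" "$ovpn"
    else
        printf 'auth-user-pass %s\n' "$auth" >> "$ovpn"
    fi
}

# Typical use (placeholders):
#   write_auth_file /etc/openvpn/auth.txt yourusername 'Topsecretpassword'
#   set_auth_directive /Path/to/client.ovpn /etc/openvpn/auth.txt
#   secret_is_private /Path/to/client.key || echo "client.key is too open"
```

The helpers rely on GNU find and sed, which both CentOS 7 and OpenSUSE Leap 15 ship.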
 
Old 08-31-2018, 01:06 AM   #3
Honest Abe
Tested with wicked.service on OpenSUSE Leap 15 and it works too.
 
  

