Configuring Linux VPN connection

Advanced feature discussion, beta programs and unsupported "Labs" features.
17 posts Page 2 of 2
by forest » Mon Feb 20, 2017 11:41 pm
For anyone else who comes across this thread, various versions of NetworkManager-openvpn have various bugs that can cause failures when importing sonic's .ovpn files. Here are the ones I remember:

  • Old-ish versions failed to import these inline sections: <ca> <cert> <key> <tls-auth>. Workaround: Copy those sections into separate files and replace them in the .ovpn config with the equivalent one-line directives referring to those new files.
  • Recent versions fail to import comp-lzo no. Workaround: Either set "Use LZO data compression" to "yes" in NetworkManager's OpenVPN Advanced... dialog, or use nmcli to modify the VPN connection after it has been imported, setting the lzo option to no-by-default.
  • Current versions fail to import key-direction 1 under some circumstances. Workaround: Set "Key Direction" to "1" in NetworkManager's OpenVPN Advanced... dialog.

It's worth noting that DNS leaks have been widely reported by NetworkManager-openvpn users. Getting it right is especially tricky because of the interactions between NetworkManager bugs, differing system configurations, and ancillary resolver layers like Dnsmasq. If you're concerned about the domain names you visit being exposed even when you're on the VPN, you'd better run some tests to find out what's really happening on the wire.
by dennisobrien » Sat Apr 08, 2017 1:20 pm
dsgsonic wrote:
That worked like a charm, thanks.

I think I figured out how to use Network Manager (Ubuntu) -- by cutting/pasting various parts of client.ovpn file into separate user, cert, key and TLS files and direction 1. I may do a post showing this.


If you do have a solution I think a blog post would help a lot of people.

I have the command line version working fine, but I have not been able to get it working via an entry in network manager. Following some suggestions, I commented out the line in the .ovpn file:

reneg-sec 604800

and was then able to import the key via network manager. (Without this line commented out, network manager gave a very unhelpful message that the plugin did not support import.)

Basic steps to create the VPN connection:

  • Open Network Manager
  • Add -> Interface VPN -> Create...
  • Choose a VPN Connection Type: Import a saved VPN configuration...
  • Browse to the modified .ovpn file.
  • Added my username to the entry but left the password blank.

I now have a VPN entry "sonic.client" but when I choose it, I'm prompted for my password then I see the lock icon appear and disappear on the nm-applet icon. Following /var/log/syslog I see this:

AUTH: Received control message: AUTH_FAILED


But I'm using the same credentials that work in the command line openvpn client. Adding the username and password to the VPN entry does not work. In fact, the password seems to be forgotten after saving, which makes me think this is (yet another) bug in Network Manager.

I'm probably 95% of the way there. If anyone can help with this last 5% I'd appreciate it!

thanks,
Dennis
by drew.phillips » Wed Apr 12, 2017 7:59 pm
dennisobrien wrote:
I'm probably 95% of the way there. If anyone can help with this last 5% I'd appreciate it!


Hi Dennis,

Hopefully these screenshots will help. This is my exact setup (Mint 18.1 Serena, network-manager-openvpn version 1.1.93-1ubuntu1.1).

Connection settings for VPN tab (fill in username, optionally save password or prompt every time)
[screenshot]

Advanced menu

General Tab
[screenshot]

Security Tab
[screenshot]

TLS Authentication Tab
[screenshot]

Everything else is left at the default.

Just to re-iterate some basics for those who may stumble upon this.

The keys referenced in the first image are extracted from the client.ovpn file you get when going to https://ovpn.sonic.net, entering your credentials, selecting "Login" from the dropdown, and then downloading your user-locked profile (yourself).

Ignore all the lines beginning with a "#" - these are comments and irrelevant.

First, extract and save the contents of the CA certificate to a file. This is the data inside the <ca>...</ca> tags. The content saved to the file should include -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. This is saved as sonic-ca.crt.

Next, extract the user certificate, found in the <cert></cert> tags. This is saved as ovpn.sonic.net.crt.

Then, get the user certificate private key found in the <key></key> tags. This is saved as ovpn.sonic.net.key.

Finally :) grab the TLS auth key found just below the "key-direction 1" line, inside the <tls-auth></tls-auth> tags. Save the content starting from -----BEGIN OpenVPN Static key V1----- and ending with -----END OpenVPN Static key V1-----.

With those certificates and the settings shown above, the connection should work.

One important thing to keep in mind is, the above certificate and key is locked to your Sonic account with the VPN server. All this means is, whatever user you logged in with and downloaded the VPN config with is who you should auth as. Auth will fail if you tried to use a different Sonic account name and password (even if it is correct).

I hope that helps, let me know if it works for you.

That said, I still like connecting the VPN from the command line more than NM by using "sudo openvpn --config client.ovpn". You can make it such that you don't have to type your account password every time if you want by adding a line to your config like "auth-user-pass /home/you/sonic-credentials.txt". In the credentials file, put your username on the first line and password on the second. chmod the file to 400 so no one else on the system can read it and you're set. The main reason for this is because I know the OpenVPN client honors every option in the file, connects securely, and minimizes the risk of DNS leaks.

Good luck!
Drew Phillips
Programmer / System Operations, Sonic.net
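The extraction Drew walks through above (and forest's first workaround earlier in the thread) is mechanical enough to script. The following is an added example, not code from the thread or from Sonic: it takes the profile text, moves each inline block into its own file using the file names from the post (sonic-ca.crt, ovpn.sonic.net.crt, ovpn.sonic.net.key; the tls-auth file name sonic-ta.key and the file modes are assumptions), folds the "key-direction 1" line into the tls-auth directive so the importer never sees the bare directive, and comments out "reneg-sec" as Dennis did. The sample profile at the bottom is constructed, with fake PEM bodies.

```python
import os
import re
import stat
import tempfile

# Inline tag -> (directive that replaces it, output file name, file mode).
# Names follow the post above; sonic-ta.key and the modes are assumptions
# (anything private is owner-readable only).
INLINE_SECTIONS = {
    "ca":       ("ca",       "sonic-ca.crt",       0o644),
    "cert":     ("cert",     "ovpn.sonic.net.crt", 0o644),
    "key":      ("key",      "ovpn.sonic.net.key", 0o600),
    "tls-auth": ("tls-auth", "sonic-ta.key",       0o600),
}

# Directives that made NetworkManager's importer refuse the file in the thread;
# commented out rather than deleted so nothing is silently lost.
UNSUPPORTED_DIRECTIVES = ("reneg-sec",)

SECTION_RE = re.compile(
    r"^<(?P<tag>[a-z-]+)>\n(?P<body>.*?)^</(?P=tag)>\n", re.S | re.M)
KEY_DIRECTION_RE = re.compile(r"^key-direction\s+([01])\s*\n", re.M)


def split_inline_profile(profile_text):
    """Return (rewritten_profile, {file_name: contents}).

    Each known inline block becomes the equivalent one-line directive. A
    'key-direction N' line is folded into 'tls-auth <file> N' and removed.
    """
    files = {}
    m = KEY_DIRECTION_RE.search(profile_text)
    key_direction = m.group(1) if m else None

    def replace(match):
        tag = match.group("tag")
        if tag not in INLINE_SECTIONS:
            return match.group(0)          # leave unknown inline blocks alone
        directive, fname, _mode = INLINE_SECTIONS[tag]
        files[fname] = match.group("body")
        line = f"{directive} {fname}"
        if tag == "tls-auth" and key_direction is not None:
            line += f" {key_direction}"
        return line + "\n"

    text = SECTION_RE.sub(replace, profile_text)
    if "sonic-ta.key" in files and key_direction is not None:
        text = KEY_DIRECTION_RE.sub("", text)
    for d in UNSUPPORTED_DIRECTIVES:
        text = re.sub(rf"^({re.escape(d)}\b.*)$", r"# \1", text, flags=re.M)
    return text, files


def write_files(files, out_dir):
    """Write the extracted blocks with their intended modes; return {path: mode}."""
    os.makedirs(out_dir, exist_ok=True)
    modes = {f: m for _d, f, m in INLINE_SECTIONS.values()}
    written = {}
    for fname, body in files.items():
        path = os.path.join(out_dir, fname)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, modes[fname])
        with os.fdopen(fd, "w") as fh:
            fh.write(body)
        os.chmod(path, modes[fname])       # the O_CREAT mode is masked by umask
        written[path] = stat.S_IMODE(os.stat(path).st_mode)
    return written


# Constructed sample profile (not a real Sonic download; PEM bodies are fake).
SAMPLE_PROFILE = """\
client
dev tun
remote ovpn.sonic.net 1194
auth-user-pass
comp-lzo no
reneg-sec 604800
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
MIIBsampleCA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIICsampleCert
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEsampleKey
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef
-----END OpenVPN Static key V1-----
</tls-auth>
"""


def demo(out_dir=None):
    """Split SAMPLE_PROFILE into out_dir (a fresh temp dir by default)."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="ovpn-split-")
    text, files = split_inline_profile(SAMPLE_PROFILE)
    written = write_files(files, out_dir)
    with open(os.path.join(out_dir, "sonic-nm.ovpn"), "w") as fh:
        fh.write(text)
    return text, written


if __name__ == "__main__":
    new_text, written = demo()
    print(new_text)
    for path, mode in written.items():
        print(f"{path} {mode:04o}")
```

Point the NetworkManager import dialog at the rewritten sonic-nm.ovpn, or fill in the four file paths by hand as in the screenshots. The key and tls-auth files are created 0600 because they are as sensitive as your account password; the certificates are public and can stay world-readable.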
by saturnine » Thu Jul 13, 2017 12:21 am
Thank you for the detailed help! That is just the kind of post we non-tech types need to configure our Linux systems; however, it didn't work. After following the steps I go to my network icon in the system tray and click on it, turn on the new VPN connection, and my external IP address doesn't change, nor does my location or AT&T as my provider. If I launch OpenVPN from the command line these things all change. Any idea what I'm missing?
by drew.phillips » Thu Jul 13, 2017 9:01 am
Does it give any indication as to whether or not the connection failed or succeeded?

If you open a terminal and run the command "tail -f /var/log/syslog" (without quotes) and then try connecting you should see quite a bit of detail as to what's happening.

If you're still unable to connect do you mind posting that log output from syslog?

Thanks
Drew Phillips
Programmer / System Operations, Sonic.net
by tnturner » Mon May 28, 2018 5:48 pm
Ubuntu 16.04
To recap, importing the ovpn file downloaded from sonic.net will give you errors. The solutions above are:
  • use the network manager and the info in the ovpn file, split into separate .pem files
  • run it from the command line, $ sudo openvpn --config sonic-net-client.ovpn

This is for anyone looking for a solution that doesn't involve running things from the command line or using the network manager.

My /etc/NetworkManager/NetworkManager.conf has this:
[ifupdown]
managed=false
This prevents me from starting VPN from the system menu (tap on network in status bar ...)

I was able to get it to work with the command line option using the trick of putting your credentials in a text file and referencing it in the ovpn file:
auth-user-pass vpnCreds.txt

Once I knew the ovpn file was correct I moved on to setting it up as a service in Ubuntu 16.04.

$ sudo mv sonic-net-client.ovpn /etc/openvpn/sonic.conf

edit /etc/default/openvpn and uncomment this line
AUTOSTART="all"

$ sudo systemctl daemon-reload
$ sudo service openvpn restart

It should be working. If not, check /var/log/syslog.
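One detail worth checking before turning the profile into a service, as tnturner and Drew describe: the credentials file must not be readable by other users, and "auth-user-pass vpnCreds.txt" with a bare file name is resolved against the working directory of whatever starts OpenVPN, which is not the same for a terminal session and for the system service. The following is an added example, not code from the thread: it writes the two-line credentials file with mode 0400, refuses to continue if the file ends up group- or world-readable, and rewrites the profile's auth-user-pass directive to an absolute path. The directory it writes to stands in for /etc/openvpn (a temp directory by default so the example runs unprivileged); the file name sonic-credentials.txt and the sample profile are assumptions.

```python
import os
import re
import stat
import tempfile


def write_credentials(path, username, password):
    """Create the two-line file auth-user-pass expects, readable only by owner."""
    # Create with 0600 so the file is never world-readable even briefly (the
    # mode passed to os.open is masked by umask), then tighten to 0400.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"{username}\n{password}\n")
    os.chmod(path, 0o400)
    return os.path.abspath(path)


def file_mode(path):
    """Permission bits of path, e.g. 0o400."""
    return stat.S_IMODE(os.stat(path).st_mode)


def credentials_mode_ok(path):
    """True when path is a regular file with no group/other permission bits."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (stat.S_IMODE(st.st_mode) & 0o077) == 0


AUTH_RE = re.compile(r"^auth-user-pass\b.*$", re.M)


def bind_credentials(profile_text, creds_path):
    """Point 'auth-user-pass' at creds_path by absolute path (append if absent)."""
    directive = "auth-user-pass " + os.path.abspath(creds_path)
    if AUTH_RE.search(profile_text):
        # lambda avoids backslash processing of the replacement string
        return AUTH_RE.sub(lambda _m: directive, profile_text, count=1)
    return profile_text.rstrip("\n") + "\n" + directive + "\n"


def prepare_service_profile(profile_text, username, password, conf_dir=None):
    """Write credentials + rewritten profile into conf_dir.

    Returns (profile_path, credentials_path, profile_text). In production run
    as root with conf_dir=/etc/openvpn, then AUTOSTART the resulting
    sonic.conf as in the post above.
    """
    conf_dir = conf_dir or tempfile.mkdtemp(prefix="openvpn-")
    creds = write_credentials(os.path.join(conf_dir, "sonic-credentials.txt"),
                              username, password)
    if not credentials_mode_ok(creds):
        raise RuntimeError(f"{creds} is readable by group/other; refusing to continue")
    new_text = bind_credentials(profile_text, creds)
    conf = os.path.join(conf_dir, "sonic.conf")
    with open(conf, "w") as fh:
        fh.write(new_text)
    return conf, creds, new_text


# Constructed sample profile: only the directives relevant here.
SAMPLE_PROFILE = ("client\ndev tun\nremote ovpn.sonic.net 1194\n"
                  "auth-user-pass vpnCreds.txt\n")

if __name__ == "__main__":
    conf, creds, text = prepare_service_profile(SAMPLE_PROFILE, "exampleuser", "s3cret")
    print(text)
    print(f"{creds}: {file_mode(creds):04o}")
```

Because the service runs as root, the credentials file should be owned by root as well; 0400 then means that nothing but root (and therefore the OpenVPN process at startup) can read the password. Keep in mind it is still plaintext on disk, so this trades a prompt for a file that is exactly as well protected as root on that box.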
by craig.langman » Sat Aug 11, 2018 12:07 pm
tnturner wrote:
putting your credentials in a text file and referencing it in the ovpn file:
auth-user-pass vpnCreds.txt

once i knew the ovpn file was correct i moved on to setting it up as a service in ubuntu 16.04.

$ sudo mv sonic-net-client.ovpn /etc/openvpn/sonic.conf


This method works for me on an Ubuntu 18.04 based distro.

I also disabled IPv6 completely because although OpenVPN seems to hide IPv6 under Windows, it doesn't seem to in Linux, as whatismyipaddress.com could still see my real ISP through IPv6.

However, if I lose my wifi etc. I must "sudo service openvpn restart" to reconnect. Anyone know a way to make this automatic?
