How to set up Private Internet Access VPN gateways on Fedora as OpenVPN server



picasso_1.2.13
17th September 2016, 10:54 PM
If you want to use a VPN service like Private Internet Access (PIA), but intend to use it on a headless server rather than a desktop Linux OS, here is how you set it up in Fedora:

First, download the OpenVPN configuration files from PIA:


$ wget -O /tmp/PIA-openvpn.zip https://www.privateinternetaccess.com/openvpn/openvpn.zip

Next, unzip this file into /etc/openvpn:


$ cd /etc/openvpn
$ unzip /tmp/PIA-openvpn.zip

You should see several *.ovpn files, a .pem file and a .crt file:


# ls -l
total 156
-rw-r-----. 1 root root 297 Aug 29 14:35 AU Melbourne.ovpn
-rw-r-----. 1 root root 287 Aug 29 14:35 AU Sydney.ovpn
-rw-r-----. 1 root root 290 Aug 29 14:35 Brazil.ovpn
-rw-r-----. 1 root root 286 Aug 29 14:35 CA North York.ovpn
-rw-r--r--. 1 root root 2025 Jul 16 07:42 ca.rsa.2048.crt
-rw-r-----. 1 root root 294 Aug 29 14:35 CA Toronto.ovpn
-rw-r--r--. 1 root root 869 Jul 16 07:42 crl.rsa.2048.pem
-rw-r-----. 1 root root 291 Aug 29 14:35 Denmark.ovpn
-rw-r-----. 1 root root 286 Aug 29 14:35 Finland.ovpn
-rw-r-----. 1 root root 290 Aug 29 14:35 France.ovpn
-rw-r-----. 1 root root 291 Aug 29 14:35 Germany.ovpn
-rw-r-----. 1 root root 286 Aug 29 14:35 Hong Kong.ovpn
-rw-r-----. 1 root root 286 Aug 29 14:35 India.ovpn
-rw-r-----. 1 root root 291 Aug 29 14:35 Ireland.ovpn
-rw-r-----. 1 root root 290 Aug 29 14:35 Israel.ovpn
-rw-r-----. 1 root root 289 Aug 29 14:35 Italy.ovpn
-rw-r-----. 1 root root 289 Aug 29 14:35 Japan.ovpn
-rw-r-----. 1 root root 290 Aug 29 14:35 Mexico.ovpn
-rw-r-----. 1 root root 286 Aug 29 14:35 Netherlands.ovpn
-rw-r-----. 1 root root 286 Aug 29 14:35 New Zealand.ovpn
-rw-r-----. 1 root root 286 Aug 29 14:35 Norway.ovpn
-rw-r-----. 1 root root 286 Aug 29 14:35 Romania.ovpn
-rw-r-----. 1 root root 286 Aug 29 14:35 Singapore.ovpn
-rw-r-----. 1 root root 290 Aug 29 14:35 Sweden.ovpn
-rw-r-----. 1 root root 289 Aug 29 14:35 Switzerland.ovpn
-rw-r-----. 1 root root 290 Aug 29 14:35 Turkey.ovpn
-rw-r-----. 1 root root 293 Aug 29 14:35 UK London.ovpn
-rw-r-----. 1 root root 298 Aug 29 14:35 UK Southampton.ovpn
-rw-r-----. 1 root root 297 Aug 29 14:35 US California.ovpn
-rw-r-----. 1 root root 291 Aug 29 14:35 US East.ovpn
-rw-r-----. 1 root root 294 Aug 29 14:35 US Florida.ovpn
-rw-r-----. 1 root root 294 Aug 29 14:35 US Midwest.ovpn
-rw-r-----. 1 root root 298 Aug 29 14:35 US New York City.ovpn
-rw-r-----. 1 root root 294 Aug 29 14:35 US Seattle.ovpn
-rw-r-----. 1 root root 323 Aug 29 14:35 US Silicon Valley.ovpn
-rw-r-----. 1 root root 315 Aug 29 14:35 US Texas.ovpn
-rw-r-----. 1 root root 291 Aug 29 14:35 US West.ovpn

By default, these OpenVPN configuration files are set to use AES-128-CBC and SHA1 for auth on UDP port 1198. I wanted to use AES-256-CBC and SHA256, but simply changing the ‘cipher’ and ‘auth’ setting resulted in a non-forwarding VPN connection. After some searching, I found out that PIA uses a different port if you want to use other encryption ciphers. From PIA’s website:

(source: https://helpdesk.privateinternetaccess.com/hc/en-us/articles/225274288-Which-encryption-auth-settings-should-I-use-for-ports-on-your-gateways-)

So, in order to use the stronger ciphers, we have to also change our port from 1198 to 1197, download the 4096-bit CA certificate, and reconfigure a few settings. We'll do these steps using sed:

Download the 4096-bit certificate:

$ wget -O /etc/openvpn/ca.rsa.4096.crt \
https://www.privateinternetaccess.com/openvpn/ca.rsa.4096.crt

Edit all the *.ovpn configurations with sed:

- replace port 1198 with 1197:

$ sed -i -e 's/1198/1197/' /etc/openvpn/*.ovpn

- replace aes-128-cbc with aes-256-cbc:

$ sed -i -e 's/aes-128-cbc/aes-256-cbc/' /etc/openvpn/*.ovpn

- replace sha1 with sha256:

$ sed -i -e 's/sha1/sha256/' /etc/openvpn/*.ovpn

- reference the 4096-bit certificate instead of the 2048-bit one:

$ sed -i -e 's/ca\.rsa\.2048\.crt/ca.rsa.4096.crt/' /etc/openvpn/*.ovpn

Now, since we're running this on a server, we don't intend to have to interact with it. We will need to put our PIA VPN credentials in a file. We'll put this file in /etc/openvpn/PIA-cred.conf; the format is simple: the 1st line is your username, the 2nd line is your password.

Start by creating a new file with your PIA username, which starts with a "p" followed by 7 digits:


$ echo "p1234567" > /etc/openvpn/PIA-cred.conf

Next, append the password:


$ echo "yourpassword" >> /etc/openvpn/PIA-cred.conf

Because this file has sensitive information, let’s make sure it has the right permissions to protect it:


$ chown root:root /etc/openvpn/PIA-cred.conf
$ chmod 400 /etc/openvpn/PIA-cred.conf

Next, we need the PIA OpenVPN configuration files to use these credentials, so we have to set ‘auth-user-pass’ to reference this file.


$ sed -i -e 's/auth-user-pass.*/auth-user-pass PIA-cred.conf/' /etc/openvpn/*.ovpn

To be more secure, we'll also tell OpenVPN not to cache the credentials in virtual memory by appending the 'auth-nocache' option right after auth-user-pass:


$ sed -i -e '/auth-user-pass PIA-cred.conf/a auth-nocache' /etc/openvpn/*.ovpn

One more thing: if you have SELinux enabled, we should make sure that all the new files have the correct SELinux labels:


$ restorecon -r /etc/openvpn

Finally, before we start the VPN, we will pick a region and symlink it as “PIA.conf”. This will allow us to reference this particular OpenVPN configuration in systemd later. So, let’s say we wanted to use the Mexico.ovpn:


$ ln -s /etc/openvpn/Mexico.ovpn /etc/openvpn/PIA.conf

Now we can finally start the VPN using systemctl:


$ systemctl start openvpn@PIA.service

And to have this VPN start on boot, let’s enable it too:


$ systemctl enable openvpn@PIA.service

If the VPN connected successfully, you should see a tun network interface device (see the "ip link" or "ifconfig" command) and your routing table should have a default gateway pointing to the tun interface (see the "ip route show" command). If you have any problems, I recommend looking at your openvpn logs to see what might have gone wrong.

As a final verification, check your public IP address. You can do this by using ipify or equivalent:


$ curl https://api.ipify.org

Finally, I actually wrote a script that will do all of the above and also set up VPN profiles for NetworkManager. If you're interested in using the script instead of the step-by-step above, you can find it on GitHub: https://github.com/ezonakiusagi/setup-PIA-OpenVPN
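
The steps above as an added example (this script is not part of the post, nor of the GitHub script linked there): it applies the same edits to one .ovpn file in a single pass, with each sed pattern anchored to the directive it changes, and then audits the result, including the credential file's mode and contents, which catches the copy-and-paste accident of curly quotes ending up inside the file. It assumes GNU sed (as on Fedora) and the one-directive-per-line layout of the PIA files; the sample config and credentials it writes into a scratch directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the post or of the linked GitHub script): apply
# the edits from the post to one PIA .ovpn file in a single pass, then audit
# the result. Assumes GNU sed (Fedora) and PIA's one-directive-per-line layout:
# "remote <host> 1198", "cipher aes-128-cbc", "auth sha1", "ca ca.rsa.2048.crt",
# "auth-user-pass".

# harden_pia_config FILE CREDFILE
# Rewrites FILE in place. Each pattern is anchored to its directive, so a
# "1198" or "sha1" that happens to appear elsewhere in the file is left alone.
harden_pia_config() {
    f=$1; cred=$2
    sed -i \
        -e 's/^\(remote .*\) 1198$/\1 1197/' \
        -e 's/^cipher aes-128-cbc$/cipher aes-256-cbc/' \
        -e 's/^auth sha1$/auth sha256/' \
        -e 's/^ca ca\.rsa\.2048\.crt$/ca ca.rsa.4096.crt/' \
        -e "s|^auth-user-pass.*|auth-user-pass $cred|" \
        "$f"
    # add auth-nocache directly after auth-user-pass, but only once
    grep -q '^auth-nocache$' "$f" || sed -i "/^auth-user-pass /a auth-nocache" "$f"
}

# audit_pia_config FILE CREDFILE
# Prints one line per finding; returns 0 when the config and the credential
# file look as the post intends, 1 otherwise. (Ownership of CREDFILE, root:root
# in the post, is not checked here so the demo can run as any user.)
audit_pia_config() {
    f=$1; cred=$2; rc=0
    for want in '^remote .* 1197$' '^cipher aes-256-cbc$' '^auth sha256$' \
                '^ca ca\.rsa\.4096\.crt$' '^auth-nocache$'; do
        grep -q -- "$want" "$f" || { echo "$f: no line matching /$want/"; rc=1; }
    done
    grep -qFx "auth-user-pass $cred" "$f" || { echo "$f: auth-user-pass does not point at $cred"; rc=1; }
    [ -f "$cred" ] || { echo "$cred: missing"; return 1; }
    [ -n "$(find "$cred" -perm 0400 2>/dev/null)" ] || { echo "$cred: mode is not 0400"; rc=1; }
    [ "$(wc -l < "$cred")" -eq 2 ] || { echo "$cred: expected exactly two lines (username, password)"; rc=1; }
    # an echo with curly quotes writes them into the file; a real username is p + 7 digits
    head -n 1 "$cred" | grep -q '^p[0-9]\{7\}$' || { echo "$cred: line 1 is not a PIA username (stray quote characters?)"; rc=1; }
    return $rc
}

# write_sample_config DIR: a constructed stand-in for a PIA .ovpn (not the real file)
write_sample_config() {
    cat > "$1/Mexico.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn-mexico.example.net 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt
EOF
}

# Demo in a scratch directory instead of /etc/openvpn
demo_dir=$(mktemp -d)
write_sample_config "$demo_dir"
printf 'p1234567\nexample-password\n' > "$demo_dir/PIA-cred.conf"
chmod 400 "$demo_dir/PIA-cred.conf"
harden_pia_config "$demo_dir/Mexico.ovpn" "$demo_dir/PIA-cred.conf"
audit_pia_config "$demo_dir/Mexico.ovpn" "$demo_dir/PIA-cred.conf" && echo "$demo_dir/Mexico.ovpn: OK"
```

To use it on the real files, point harden_pia_config at each /etc/openvpn/*.ovpn with /etc/openvpn/PIA-cred.conf as the second argument, then run audit_pia_config over the same files before starting the service; running the hardening twice does not add a second auth-nocache line.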

duncang92
11th March 2018, 07:21 PM
Hey there,

I followed your little tutorial and, although it's very easy and very explanatory, I am stuck.

sudo systemctl start openvpn@PIA.service
Failed to start openvpn@PIA.service: Unit openvpn@PIA.service not found.

lrwxrwxrwx. 1 root root 29 Mar 11 14:07 PIA.conf -> '/etc/openvpn/CA Montreal.ovpn'
-r--------. 1 root root 20 Mar 9 18:12 PIA-cred.conf

As you can see, I have the symlink in place. I have also read other tutorials where people have just renamed/copied their chosen .ovpn file to have the .conf extension. I tried both methods and each time I get the "not found" error.

Where does the service name come from?

p.s. I can start the VPN manually using this setup but I would like it to auto-start on bootup.

Cheers, Duncan




picasso_1.2.13
11th March 2018, 10:30 PM

To answer your question, the name comes from this openvpn systemd file:

/usr/lib/systemd/system/openvpn@.service

Make sure you have that file, it should be part of the openvpn RPM. The contents look like this:



[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=network.target

[Service]
Type=notify
PrivateTmp=true
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf

[Install]
WantedBy=multi-user.target


So, as you can see, it uses the part after the '@' sign to look for a %i.conf file in /etc/openvpn.

duncang92
11th March 2018, 10:58 PM
Thanks for the reply.

I was having a bit of a nightmare at the end... it seems that things have changed since you wrote your little tutorial. I am running Fedora 27.

/etc/openvpn also contains two folders, client and server. The .conf file goes into the client folder and because it is in a folder I also had to edit the .conf file and change the following to have the full path:

auth-user-pass /etc/openvpn/PIA-cred.conf
crl-verify /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.rsa.2048.crt

AND, to top it all off, the service is now called openvpn-client, e.g.

[duncx@kitchen-pc ~]$ systemctl status openvpn-client@PIA.service
● openvpn-client@PIA.service - OpenVPN tunnel for PIA
   Loaded: loaded (/usr/lib/systemd/system/openvpn-client@.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2018-03-11 16:04:55 EDT; 1h 51min ago

Package version, in case you're interested:

sudo dnf info openvpn
Installed Packages
Name : openvpn
Version : 2.4.5
Release : 1.fc27
Arch : x86_64
Size : 1.2 M
Source : openvpn-2.4.5-1.fc27.src.rpm
Repo : @System
From repo : updates
Summary : A full-featured SSL VPN solution
URL : https://community.openvpn.net/
License : GPLv2
Description : OpenVPN is a robust and highly flexible tunneling application that uses all
: of the encryption, authentication, and certification features of the
: OpenSSL library to securely tunnel IP networks over a single UDP or TCP
: port. It can use the Marcus Franz Xaver Johannes Oberhumers LZO library
: for compression.
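
An added example for the path problem described in this post (not code from the thread): a check that resolves every file a config references the way openvpn will, given the directory it is started in, and a rewrite that turns those references into absolute paths, which is what the post did by hand. The start directory is passed in explicitly; which one applies on a given system (--cd /etc/openvpn for the openvpn@.service shown earlier, the client subdirectory for openvpn-client@.service) is an assumption to confirm against the unit file itself. GNU sed is assumed, and the directory layout the demo builds is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the file paths an OpenVPN
# client config references resolve from the directory openvpn is started in,
# and rewrite them to absolute paths when they do not. Relative paths are
# resolved against BASEDIR, the unit's start directory (assumption: /etc/openvpn
# for openvpn@.service via --cd, /etc/openvpn/client for openvpn-client@.service;
# confirm against the ExecStart/WorkingDirectory lines of your unit file).
# Assumes GNU sed for "sed -i -E".

# ovpn_path_check CONFIG BASEDIR
# Prints every referenced file that cannot be read and returns 1 if there was
# at least one, 0 if everything resolves.
ovpn_path_check() {
    cfg=$1; base=$2; rc=0
    while read -r directive arg rest; do
        # directives whose first argument names a file; PIA's configs use
        # ca, crl-verify and auth-user-pass
        case $directive in
            ca|cert|key|dh|crl-verify|auth-user-pass|tls-auth|tls-crypt) ;;
            *) continue ;;
        esac
        # a bare "auth-user-pass" means "prompt on the terminal": no file to check
        [ -n "$arg" ] || continue
        case $arg in
            /*) path=$arg ;;
            *)  path=$base/$arg ;;
        esac
        if [ ! -r "$path" ]; then
            echo "$cfg: '$directive $arg' -> $path not readable (resolved from $base)"
            rc=1
        fi
    done < "$cfg"
    return $rc
}

# ovpn_absolutize CONFIG FILEDIR
# Rewrites relative file arguments of the directives above to absolute paths
# under FILEDIR (where the .crt/.pem/credential files actually live). Absolute
# arguments are left untouched, so running it twice is harmless.
ovpn_absolutize() {
    cfg=$1; dir=$2
    sed -i -E "s#^(ca|cert|key|dh|crl-verify|auth-user-pass|tls-auth|tls-crypt) ([^/[:space:]][^[:space:]]*)#\1 $dir/\2#" "$cfg"
}

# Demo on a constructed layout in a scratch directory: support files in $lab,
# the config one level down in $lab/client, mirroring /etc/openvpn and
# /etc/openvpn/client. The hostname is a placeholder, not a real gateway.
lab=$(mktemp -d)
mkdir "$lab/client"
: > "$lab/ca.rsa.2048.crt"
: > "$lab/crl.rsa.2048.pem"
printf 'p1234567\nexample-password\n' > "$lab/PIA-cred.conf"
cat > "$lab/client/PIA.conf" <<'EOF'
client
dev tun
remote vpn.example.invalid 1198
auth-user-pass PIA-cred.conf
crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt
EOF
# As shipped: fine when started from $lab, broken when started from $lab/client
ovpn_path_check "$lab/client/PIA.conf" "$lab" && echo "resolves from $lab"
ovpn_path_check "$lab/client/PIA.conf" "$lab/client" || echo "does not resolve from $lab/client"
ovpn_absolutize "$lab/client/PIA.conf" "$lab"
ovpn_path_check "$lab/client/PIA.conf" "$lab/client" && echo "resolves from $lab/client after rewrite"
```

On a real system the call is ovpn_path_check /etc/openvpn/client/PIA.conf /etc/openvpn/client (or whichever directory the unit starts openvpn in); if it reports missing files, ovpn_absolutize /etc/openvpn/client/PIA.conf /etc/openvpn makes the config independent of the start directory, exactly like the three edited lines quoted above.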

picasso_1.2.13
12th March 2018, 07:22 PM
@duncang92: you may be right. I'm still using Fedora 26, so I'm not aware of the changes in 27 yet. What are the contents of the file /usr/lib/systemd/system/openvpn@.service in Fedora 27?