FedoraForum.org - Fedora Support Forums and Community
  1. #1

    How to setup Private Internet Access VPN gateways on Fedora as OpenVPN server

    If you want to use a VPN service like Private Internet Access (PIA), but intend on using it on a headless server rather than a desktop Linux OS, here is how you set it up in Fedora:

    First, download the OpenVPN configuration files from PIA:

    Code:
    $ wget -O /tmp/PIA-openvpn.zip https://www.privateinternetaccess.com/openvpn/openvpn.zip
    Next, unzip this file into /etc/openvpn:

    Code:
    $ cd /etc/openvpn
    $ unzip /tmp/PIA-openvpn.zip
    You should see several *.ovpn files and a .pem and .crt file:

    Code:
    # ls -l
    total 156
    -rw-r-----. 1 root root  297 Aug 29 14:35 AU Melbourne.ovpn
    -rw-r-----. 1 root root  287 Aug 29 14:35 AU Sydney.ovpn
    -rw-r-----. 1 root root  290 Aug 29 14:35 Brazil.ovpn
    -rw-r-----. 1 root root  286 Aug 29 14:35 CA North York.ovpn
    -rw-r--r--. 1 root root 2025 Jul 16 07:42 ca.rsa.2048.crt
    -rw-r-----. 1 root root  294 Aug 29 14:35 CA Toronto.ovpn
    -rw-r--r--. 1 root root  869 Jul 16 07:42 crl.rsa.2048.pem
    -rw-r-----. 1 root root  291 Aug 29 14:35 Denmark.ovpn
    -rw-r-----. 1 root root  286 Aug 29 14:35 Finland.ovpn
    -rw-r-----. 1 root root  290 Aug 29 14:35 France.ovpn
    -rw-r-----. 1 root root  291 Aug 29 14:35 Germany.ovpn
    -rw-r-----. 1 root root  286 Aug 29 14:35 Hong Kong.ovpn
    -rw-r-----. 1 root root  286 Aug 29 14:35 India.ovpn
    -rw-r-----. 1 root root  291 Aug 29 14:35 Ireland.ovpn
    -rw-r-----. 1 root root  290 Aug 29 14:35 Israel.ovpn
    -rw-r-----. 1 root root  289 Aug 29 14:35 Italy.ovpn
    -rw-r-----. 1 root root  289 Aug 29 14:35 Japan.ovpn
    -rw-r-----. 1 root root  290 Aug 29 14:35 Mexico.ovpn
    -rw-r-----. 1 root root  286 Aug 29 14:35 Netherlands.ovpn
    -rw-r-----. 1 root root  286 Aug 29 14:35 New Zealand.ovpn
    -rw-r-----. 1 root root  286 Aug 29 14:35 Norway.ovpn
    -rw-r-----. 1 root root  286 Aug 29 14:35 Romania.ovpn
    -rw-r-----. 1 root root  286 Aug 29 14:35 Singapore.ovpn
    -rw-r-----. 1 root root  290 Aug 29 14:35 Sweden.ovpn
    -rw-r-----. 1 root root  289 Aug 29 14:35 Switzerland.ovpn
    -rw-r-----. 1 root root  290 Aug 29 14:35 Turkey.ovpn
    -rw-r-----. 1 root root  293 Aug 29 14:35 UK London.ovpn
    -rw-r-----. 1 root root  298 Aug 29 14:35 UK Southampton.ovpn
    -rw-r-----. 1 root root  297 Aug 29 14:35 US California.ovpn
    -rw-r-----. 1 root root  291 Aug 29 14:35 US East.ovpn
    -rw-r-----. 1 root root  294 Aug 29 14:35 US Florida.ovpn
    -rw-r-----. 1 root root  294 Aug 29 14:35 US Midwest.ovpn
    -rw-r-----. 1 root root  298 Aug 29 14:35 US New York City.ovpn
    -rw-r-----. 1 root root  294 Aug 29 14:35 US Seattle.ovpn
    -rw-r-----. 1 root root  323 Aug 29 14:35 US Silicon Valley.ovpn
    -rw-r-----. 1 root root  315 Aug 29 14:35 US Texas.ovpn
    -rw-r-----. 1 root root  291 Aug 29 14:35 US West.ovpn
    By default, these OpenVPN configuration files are set to use AES-128-CBC and SHA1 for auth on UDP port 1198. I wanted to use AES-256-CBC and SHA256, but simply changing the ‘cipher’ and ‘auth’ setting resulted in a non-forwarding VPN connection. After some searching, I found out that PIA uses a different port if you want to use other encryption ciphers. From PIA’s website:

    (source: https://helpdesk.privateinternetacce...your-gateways-)

    So, in order to use the stronger ciphers, we have to also change our port from 1198 to 1197, download the 4096bit CA certificate, and reconfigure a few settings. We’ll do these steps using sed:

    Download the 4096-bit certificate:
    Code:
    $ wget -O /etc/openvpn/ca.rsa.4096.crt \
    https://www.privateinternetaccess.com/openvpn/ca.rsa.4096.crt
    Edit all the *.ovpn configurations with sed
    - replace port 1198 with 1197:
    Code:
    $ sed -i -e s/1198/1197/ /etc/openvpn/*.ovpn
    - replace aes-128-cbc with aes-256-cbc:
    Code:
    $ sed -i -e s/aes-128-cbc/aes-256-cbc/ /etc/openvpn/*.ovpn
    - replace sha1 with sha256:
    Code:
    $ sed -i -e s/sha1/sha256/ /etc/openvpn/*.ovpn
    - reference the 4096-bit certificate instead of the 2048-bit one:
    Code:
    $ sed -i -e 's/ca\.rsa\.2048\.crt/ca.rsa.4096.crt/' /etc/openvpn/*.ovpn
    Now, since we’re running this on a server, we don’t intend to have to interact with it. We will need to put our PIA VPN credentials in a file. We’ll put this file in /etc/openvpn/PIA-cred.conf; the format is simple - 1st line is your username, 2nd line is your password:

    Start by creating a new file with your PIA username, which starts with a “p” followed by 7 digits:


    Code:
    $ echo 'p1234567' > /etc/openvpn/PIA-cred.conf
    Next, append the password:

    Code:
    $ echo 'yourpassword' >> /etc/openvpn/PIA-cred.conf
    Because this file has sensitive information, let’s make sure it has the right permissions to protect it:

    Code:
    $ chown root:root /etc/openvpn/PIA-cred.conf
    $ chmod 400 /etc/openvpn/PIA-cred.conf
    Next, we need the PIA OpenVPN configuration files to use these credentials, so we have to set ‘auth-user-pass’ to reference this file.

    Code:
    $ sed -i -e 's/auth-user-pass.*/auth-user-pass PIA-cred.conf/' /etc/openvpn/*.ovpn
    To be more secure, we’ll also tell OpenVPN not to cache the credentials in virtual memory by appending the ‘auth-nocache’ option right after auth-user-pass:

    Code:
    $ sed -i -e '/auth-user-pass PIA-cred.conf/a auth-nocache' /etc/openvpn/*.ovpn
    One more thing, if you have SELinux enabled, we should make sure that all the new files have the correct SELinux labels:

    Code:
    $ restorecon -r /etc/openvpn
    Finally, before we start the VPN, we will pick a region and symlink it as “PIA.conf”. This will allow us to reference this particular OpenVPN configuration in systemd later. So, let’s say we wanted to use the Mexico.ovpn:

    Code:
    $ ln -s /etc/openvpn/Mexico.ovpn /etc/openvpn/PIA.conf
    Now we can finally start the VPN using systemctl:

    Code:
    $ systemctl start openvpn@PIA.service
    And to have this VPN start on boot, let’s enable it too:

    Code:
    $ systemctl enable openvpn@PIA.service
    If the VPN connected successfully, you should see a tun network interface device (see “ip link” or “ifconfig” command) and your routing table should have default gateway pointing to the tun interface (see “ip route show” command). If you have any problems, I recommend looking at your openvpn logs to see what might have gone wrong.

    As a final verification, check your public IP address. You can do this by using ipify or equivalent:

    Code:
    $ curl https://api.ipify.org
    Finally, I actually wrote a script that will do all of the above and also set up VPN profiles for NetworkManager. If you're interested in using the script instead of the step-by-step above, you can find it on GitHub: https://github.com/ezonakiusagi/setup-PIA-OpenVPN
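
A consistency check for the edits in the post above, as an added example that is not part of the original post or of the author's script. It assumes the port is the third field of the profile's `remote` line; the function names, the host `vpn.example.net` and the sample profile are constructed.

```shell
#!/bin/sh
# Added example: audit an edited PIA profile for the settings the post's steps produce.
# Assumption: the port is the third field of the profile's "remote" line.

# audit_pia_conf CONF [DIR]: print one line per problem; return non-zero if any.
audit_pia_conf() (
    conf=$1; dir=${2:-/etc/openvpn}; bad=0
    check() {   # check DIRECTIVE COLUMN WANTED
        got=$(awk -v k="$1" -v c="$2" '$1 == k { print tolower($c); exit }' "$conf")
        [ "$got" = "$3" ] && return 0
        echo "$conf: $1 is '${got:-unset}', expected '$3'"; bad=1
    }
    check remote 3 1197
    check cipher 2 aes-256-cbc
    check auth   2 sha256
    check ca     2 ca.rsa.4096.crt
    grep -qx 'auth-nocache' "$conf" || { echo "$conf: auth-nocache missing"; bad=1; }

    # Credentials file: must be named, exist, hold two lines and be mode 400.
    cred=$(awk '$1 == "auth-user-pass" { print $2; exit }' "$conf")
    case $cred in ''|/*) ;; *) cred=$dir/$cred ;; esac
    if [ -z "$cred" ] || [ ! -f "$cred" ]; then
        echo "$conf: auth-user-pass file missing (OpenVPN would prompt)"; bad=1
    else
        [ "$(stat -c %a "$cred")" = 400 ] || { echo "$cred: mode is not 400"; bad=1; }
        [ "$(grep -c '' "$cred")" -eq 2 ] || { echo "$cred: expected 2 lines"; bad=1; }
    fi
    [ "$bad" -eq 0 ]
)

# Constructed sample: only cipher and auth changed, port and CA left at defaults.
write_partial_sample() {   # write_partial_sample DIR
    printf '%s\n' p1234567 yourpassword > "$1/PIA-cred.conf"
    chmod 400 "$1/PIA-cred.conf"
    printf '%s\n' client 'dev tun' 'proto udp' 'remote vpn.example.net 1198' \
        'cipher aes-256-cbc' 'auth sha256' 'ca ca.rsa.2048.crt' \
        'auth-user-pass PIA-cred.conf' 'auth-nocache' > "$1/partial.ovpn"
}

tmp=$(mktemp -d)
write_partial_sample "$tmp"
audit_pia_conf "$tmp/partial.ovpn" "$tmp" || echo "profile needs fixing"
rm -rf "$tmp"
```

Run against the real directory, this would be `audit_pia_conf /etc/openvpn/PIA.conf` as root, since the credentials file is readable only by root.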

  2. #2

    Re: How to setup Private Internet Access VPN gateways on Fedora as OpenVPN server

    Hey there,

    I followed your little tutorial and, although it's very easy and very explanatory, I am stuck.

    sudo systemctl start openvpn@PIA.service
    Failed to start openvpn@PIA.service: Unit openvpn@PIA.service not found.

    lrwxrwxrwx. 1 root root 29 Mar 11 14:07 PIA.conf -> '/etc/openvpn/CA Montreal.ovpn'
    -r--------. 1 root root 20 Mar 9 18:12 PIA-cred.conf

    As you can see I have the symlink in place. I have also read other tutorials where people have just renamed/copied their chosen .ovpn file to have the .conf extension. I tried both methods and each time I get the "not found" error.

    Where does the service name come from?

    p.s. I can start the VPN manually using this setup but I would like it to auto-start on bootup.

    Cheers, Duncan




  3. #3

    Re: How to setup Private Internet Access VPN gateways on Fedora as OpenVPN server

    Quote Originally Posted by duncang92
    Hey there,

    I followed your little tutorial and, although it's very easy and very explanatory, I am stuck.

    sudo systemctl start openvpn@PIA.service
    Failed to start openvpn@PIA.service: Unit openvpn@PIA.service not found.

    lrwxrwxrwx. 1 root root 29 Mar 11 14:07 PIA.conf -> '/etc/openvpn/CA Montreal.ovpn'
    -r--------. 1 root root 20 Mar 9 18:12 PIA-cred.conf

    As you can see I have the symlink in place. I have also read other tutorials where people have just renamed/copied their chosen .ovpn file to have the .conf extension. I tried both methods and each time I get the "not found" error.

    Where does the service name come from?

    To answer your question, the name comes from this openvpn systemd file:

    /usr/lib/systemd/system/openvpn@.service

    Make sure you have that file; it should be part of the openvpn RPM. The contents look like this:

    Code:
    [Unit]
    Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
    After=network.target
    
    [Service]
    Type=notify
    PrivateTmp=true
    ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf
    
    [Install]
    WantedBy=multi-user.target
    So, as you can see, it uses the part after the '@' sign to look for a %i.conf file in /etc/openvpn.

  4. #4

    Re: How to setup Private Internet Access VPN gateways on Fedora as OpenVPN server

    Thanks for the reply.

    I was having a bit of a nightmare at the end ..... it seems that things have changed since you wrote your little tutorial. I am running Fedora 27.

    /etc/openvpn also contains two folders, client and server. The .conf file goes into the client folder and because it is in a folder I also had to edit the .conf file and change the following to have the full path:

    auth-user-pass /etc/openvpn/PIA-cred.conf
    crl-verify /etc/openvpn/crl.rsa.2048.pem
    ca /etc/openvpn/ca.rsa.2048.crt

    AND to top it all off the service is now called openvpn-client e.g.

    [duncx@kitchen-pc ~]$ systemctl status openvpn-client@PIA.service
    openvpn-client@PIA.service - OpenVPN tunnel for PIA
    Loaded: loaded (/usr/lib/systemd/system/openvpn-client@.service; enabled; vendor preset: disabled)
    Active: active (running) since Sun 2018-03-11 16:04:55 EDT; 1h 51min ago

    Package version, in case you're interested:

    sudo dnf info openvpn
    Installed Packages
    Name : openvpn
    Version : 2.4.5
    Release : 1.fc27
    Arch : x86_64
    Size : 1.2 M
    Source : openvpn-2.4.5-1.fc27.src.rpm
    Repo : @System
    From repo : updates
    Summary : A full-featured SSL VPN solution
    URL : https://community.openvpn.net/
    License : GPLv2
    Description : OpenVPN is a robust and highly flexible tunneling application that uses all
    : of the encryption, authentication, and certification features of the
    : OpenSSL library to securely tunnel IP networks over a single UDP or TCP
    : port. It can use the Marcus Franz Xaver Johannes Oberhumers LZO library
    : for compression.
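
The path problem described in the post above, as an added example that is not part of the original posts: it lists the `ca`, `crl-verify` and `auth-user-pass` arguments that do not resolve from a given directory and rewrites them to absolute paths. It assumes OpenVPN resolves relative paths from its working directory; the function names, the temporary layout and `PIA.abs.conf` are constructed.

```shell
#!/bin/sh
# Added example: find file directives that will not resolve from the directory
# OpenVPN runs in, and rewrite them to absolute paths.
# Assumption: relative paths are resolved from OpenVPN's working directory.

# unresolved_refs CONF WORKDIR: print "directive path" per miss; non-zero if any.
unresolved_refs() (
    bad=0
    while read -r key path rest; do
        case $key in ca|crl-verify|auth-user-pass) ;; *) continue ;; esac
        [ -n "$path" ] || continue      # bare auth-user-pass names no file
        case $path in /*) target=$path ;; *) target=$2/$path ;; esac
        [ -e "$target" ] || { echo "$key $path"; bad=1; }
    done < "$1"
    [ "$bad" -eq 0 ]
)

# absolutize_refs CONF BASE: print CONF with relative file arguments prefixed by BASE.
absolutize_refs() {
    awk -v base="$2" '
        $1 ~ /^(ca|crl-verify|auth-user-pass)$/ && NF >= 2 && $2 !~ /^\// {
            $2 = base "/" $2
        }
        { print }' "$1"
}

# Constructed layout mirroring the thread: shared files in ROOT, profile in ROOT/client.
make_layout() {   # make_layout ROOT
    mkdir -p "$1/client"
    : > "$1/ca.rsa.2048.crt"; : > "$1/crl.rsa.2048.pem"; : > "$1/PIA-cred.conf"
    printf '%s\n' client 'ca ca.rsa.2048.crt' 'crl-verify crl.rsa.2048.pem' \
        'auth-user-pass PIA-cred.conf' > "$1/client/PIA.conf"
}

root=$(mktemp -d)
make_layout "$root"
echo "from $root/client:"; unresolved_refs "$root/client/PIA.conf" "$root/client" || true
absolutize_refs "$root/client/PIA.conf" "$root" > "$root/client/PIA.abs.conf"
unresolved_refs "$root/client/PIA.abs.conf" "$root/client" && echo "all references resolve"
rm -rf "$root"
```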

  5. #5

    Re: How to setup Private Internet Access VPN gateways on Fedora as OpenVPN server

    @duncang92: you may be right, I'm still using Fedora 26, so I'm not aware of the changes in 27 yet. What are the contents of the file /usr/lib/systemd/system/openvpn@.service in Fedora 27?
