17th September 2016, 10:54 PM
picasso_1.2.13
How to setup Private Internet Access VPN gateways on Fedora as OpenVPN server

If you want to use a VPN service like Private Internet Access (PIA), but intend on using it on a headless server rather than a desktop Linux OS, here is how you set it up in Fedora:

First, download the OpenVPN configuration files from PIA:

Code:
$ wget -O /tmp/PIA-openvpn.zip https://www.privateinternetaccess.com/openvpn/openvpn.zip
Next, unzip this file into /etc/openvpn:

Code:
$ cd /etc/openvpn
$ unzip /tmp/PIA-openvpn.zip
You should see several *.ovpn files and a .pem and .crt file:

Code:
# ls -l
total 156
-rw-r-----. 1 root root  297 Aug 29 14:35 AU Melbourne.ovpn
-rw-r-----. 1 root root  287 Aug 29 14:35 AU Sydney.ovpn
-rw-r-----. 1 root root  290 Aug 29 14:35 Brazil.ovpn
-rw-r-----. 1 root root  286 Aug 29 14:35 CA North York.ovpn
-rw-r--r--. 1 root root 2025 Jul 16 07:42 ca.rsa.2048.crt
-rw-r-----. 1 root root  294 Aug 29 14:35 CA Toronto.ovpn
-rw-r--r--. 1 root root  869 Jul 16 07:42 crl.rsa.2048.pem
-rw-r-----. 1 root root  291 Aug 29 14:35 Denmark.ovpn
-rw-r-----. 1 root root  286 Aug 29 14:35 Finland.ovpn
-rw-r-----. 1 root root  290 Aug 29 14:35 France.ovpn
-rw-r-----. 1 root root  291 Aug 29 14:35 Germany.ovpn
-rw-r-----. 1 root root  286 Aug 29 14:35 Hong Kong.ovpn
-rw-r-----. 1 root root  286 Aug 29 14:35 India.ovpn
-rw-r-----. 1 root root  291 Aug 29 14:35 Ireland.ovpn
-rw-r-----. 1 root root  290 Aug 29 14:35 Israel.ovpn
-rw-r-----. 1 root root  289 Aug 29 14:35 Italy.ovpn
-rw-r-----. 1 root root  289 Aug 29 14:35 Japan.ovpn
-rw-r-----. 1 root root  290 Aug 29 14:35 Mexico.ovpn
-rw-r-----. 1 root root  286 Aug 29 14:35 Netherlands.ovpn
-rw-r-----. 1 root root  286 Aug 29 14:35 New Zealand.ovpn
-rw-r-----. 1 root root  286 Aug 29 14:35 Norway.ovpn
-rw-r-----. 1 root root  286 Aug 29 14:35 Romania.ovpn
-rw-r-----. 1 root root  286 Aug 29 14:35 Singapore.ovpn
-rw-r-----. 1 root root  290 Aug 29 14:35 Sweden.ovpn
-rw-r-----. 1 root root  289 Aug 29 14:35 Switzerland.ovpn
-rw-r-----. 1 root root  290 Aug 29 14:35 Turkey.ovpn
-rw-r-----. 1 root root  293 Aug 29 14:35 UK London.ovpn
-rw-r-----. 1 root root  298 Aug 29 14:35 UK Southampton.ovpn
-rw-r-----. 1 root root  297 Aug 29 14:35 US California.ovpn
-rw-r-----. 1 root root  291 Aug 29 14:35 US East.ovpn
-rw-r-----. 1 root root  294 Aug 29 14:35 US Florida.ovpn
-rw-r-----. 1 root root  294 Aug 29 14:35 US Midwest.ovpn
-rw-r-----. 1 root root  298 Aug 29 14:35 US New York City.ovpn
-rw-r-----. 1 root root  294 Aug 29 14:35 US Seattle.ovpn
-rw-r-----. 1 root root  323 Aug 29 14:35 US Silicon Valley.ovpn
-rw-r-----. 1 root root  315 Aug 29 14:35 US Texas.ovpn
-rw-r-----. 1 root root  291 Aug 29 14:35 US West.ovpn
By default, these OpenVPN configuration files are set to use AES-128-CBC and SHA1 for auth on UDP port 1198. I wanted to use AES-256-CBC and SHA256, but simply changing the ‘cipher’ and ‘auth’ setting resulted in a non-forwarding VPN connection. After some searching, I found out that PIA uses a different port if you want to use other encryption ciphers. From PIA’s website:

(source: https://helpdesk.privateinternetacce...your-gateways-)

So, in order to use the stronger ciphers, we have to also change our port from 1198 to 1197, download the 4096bit CA certificate, and reconfigure a few settings. We’ll do these steps using sed:

Download the 4096-bit certificate:
Code:
$ wget -O /etc/openvpn/ca.rsa.4096.crt \
https://www.privateinternetaccess.com/openvpn/ca.rsa.4096.crt
Edit all the *.ovpn configurations with sed
- replace port 1198 with 1197:
Code:
$ sed -i -e s/1198/1197/ /etc/openvpn/*.ovpn
- replace aes-128-cbc with aes-256-cbc:
Code:
$ sed -i -e s/aes-128-cbc/aes-256-cbc/ /etc/openvpn/*.ovpn
- replace sha1 with sha256:
Code:
$ sed -i -e s/sha1/sha256/ /etc/openvpn/*.ovpn
- reference the 4096-bit certificate instead of the 2048-bit one:
Code:
$ sed -i -e 's/ca\.rsa\.2048\.crt/ca.rsa.4096.crt/' /etc/openvpn/*.ovpn
Now, since we’re running this on a server, we don’t intend to have to interact with it. We will need to put our PIA VPN credentials in a file. We’ll put this file in /etc/openvpn/PIA-cred.conf; the format is simple: the first line is your username, the second line is your password.

Start by creating a new file with your PIA username, which starts with a “p” followed by 7 digits:


Code:
$ echo 'p1234567' > /etc/openvpn/PIA-cred.conf
Next, append the password:

Code:
$ echo 'yourpassword' >> /etc/openvpn/PIA-cred.conf
Because this file has sensitive information, let’s make sure it has the right permissions to protect it:

Code:
$ chown root:root /etc/openvpn/PIA-cred.conf
$ chmod 400 /etc/openvpn/PIA-cred.conf
Next, we need the PIA OpenVPN configuration files to use these credentials, so we have to set ‘auth-user-pass’ to reference this file.

Code:
$ sed -i -e 's/auth-user-pass.*/auth-user-pass PIA-cred.conf/' /etc/openvpn/*.ovpn
To be more secure, we’ll also tell OpenVPN not to cache the credentials in virtual memory by appending the ‘auth-nocache’ option right after auth-user-pass:

Code:
$ sed -i -e '/auth-user-pass PIA-cred.conf/a auth-nocache' /etc/openvpn/*.ovpn
One more thing, if you have SELinux enabled, we should make sure that all the new files have the correct SELinux labels:

Code:
$ restorecon -r /etc/openvpn
Finally, before we start the VPN, we will pick a region and symlink it as “PIA.conf”. This will allow us to reference this particular OpenVPN configuration in systemd later. So, let’s say we wanted to use the Mexico.ovpn:

Code:
$ ln -s /etc/openvpn/Mexico.ovpn /etc/openvpn/PIA.conf
Now we can finally start the VPN using systemctl:

Code:
$ systemctl start openvpn@PIA.service
And to have this VPN start on boot, let’s enable it too:

Code:
$ systemctl enable openvpn@PIA.service
If the VPN connected successfully, you should see a tun network interface device (see “ip link” or “ifconfig” command) and your routing table should have default gateway pointing to the tun interface (see “ip route show” command). If you have any problems, I recommend looking at your openvpn logs to see what might have gone wrong.

As a final verification, check your public IP address. You can do this by using ipify or equivalent:

Code:
$ curl https://api.ipify.org
Finally, I actually wrote a script that will do all of the above and also set up VPN profiles for NetworkManager. If you're interested in using the script instead of the step-by-step above, you can find it on GitHub: https://github.com/ezonakiusagi/setup-PIA-OpenVPN
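
A way to audit the result of the sed edits and the credentials-file permissions from the guide above, as an added example that is not part of the original post or of the author's script. The function names (has_line, check_ovpn, check_cred, make_samples), the hostname vpn.example.invalid and the sample profile contents are constructed for illustration; only the directive values come from the guide.

```shell
#!/bin/sh
# Added example: audit .ovpn profiles after the guide's sed edits.
# Sample profile contents below are constructed, not PIA's real files.

# has_line FILE REGEX: true if a whole line of FILE matches REGEX
has_line() { grep -Eq "^[[:space:]]*$2[[:space:]]*\$" "$1"; }

# check_ovpn FILE: print each setting the guide expects but FILE lacks;
# return status is the number of missing settings (0 = as intended)
check_ovpn() {
    f=$1; bad=0
    while IFS='|' read -r what re; do
        has_line "$f" "$re" || { echo "$f: missing $what"; bad=$((bad + 1)); }
    done <<'EOF'
remote port 1197|remote[[:space:]]+[^[:space:]]+[[:space:]]+1197
cipher aes-256-cbc|cipher[[:space:]]+aes-256-cbc
auth sha256|auth[[:space:]]+sha256
ca ca.rsa.4096.crt|ca[[:space:]]+ca\.rsa\.4096\.crt
auth-user-pass PIA-cred.conf|auth-user-pass[[:space:]]+PIA-cred\.conf
auth-nocache|auth-nocache
EOF
    return "$bad"
}

# check_cred FILE [UID]: true if FILE is mode 400 and owned by numeric
# UID (default 0, root), as set by the chown/chmod step. Uses GNU stat.
check_cred() { [ "$(stat -c '%a %u' "$1")" = "400 ${2:-0}" ]; }

# make_samples DIR: write a constructed pre-edit profile and a copy with
# the guide's sed edits applied (hostname is a placeholder)
make_samples() {
    printf '%s\n' 'client' 'proto udp' 'remote vpn.example.invalid 1198' \
        'cipher aes-128-cbc' 'auth sha1' 'auth-user-pass' \
        'ca ca.rsa.2048.crt' > "$1/before.ovpn"
    sed -e 's/1198/1197/' -e 's/aes-128-cbc/aes-256-cbc/' \
        -e 's/sha1/sha256/' -e 's/ca\.rsa\.2048\.crt/ca.rsa.4096.crt/' \
        -e 's/auth-user-pass.*/auth-user-pass PIA-cred.conf/' \
        -e '/auth-user-pass PIA-cred.conf/a auth-nocache' \
        "$1/before.ovpn" > "$1/after.ovpn"
}

# Audit the profiles named on the command line, or run the demo
if [ "$#" -gt 0 ]; then
    for p in "$@"; do check_ovpn "$p"; done
else
    tmp=$(mktemp -d); make_samples "$tmp"
    check_ovpn "$tmp/before.ovpn"; echo "before: $? missing"
    check_ovpn "$tmp/after.ovpn";  echo "after: $? missing"
    rm -rf "$tmp"
fi
```

Run it with the profile paths as arguments (for example /etc/openvpn/*.ovpn) before starting the service; a profile that still carries the old port or cipher is reported by name.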