ovpn.to on Archlinux: An Idiot's Guide

March 20, 2016

So as I now have a PC at home (besides my MacBook) running Archlinux it is self explanatory to use vpn, because security and privacy and stuff. But it’s not that simple as it is for mac. Because I can remember things like I was a sieve (so not at all) so I’ll jot it down. Maybe it is helpful for someone else out there.

Installing Stuff

We need openvpn first:

sudo pacman -Sy openvpn

And as I also like to use NetworkManager:

sudo pacman -Sy networkmanager networkmanager-applet networkmanager-editor networkmanager-openvpn

(Skip the applet if you don’t need the NetworkManager in the systray.)

Certificates and Configurations

Now head over to ovpn.to and download the certificates and config files (for linux).

We’ll prepare them to make things easier. We merge the two directories we obtain from the unzipped files by moving the config ($SERVER.ovpn) of the config directory into the respective subdirectory of the server certificates (containing at least two .crt and one .key).

Now we move them to /etc/openvpn (of course inside the directory with all the subdirectories of servers):

sudo cp -R * /etc/openvpn

Running ovpn

ovpn relies on tun devices which we’ll need to load into the kernel:

modprobe tun

Now let’s try if ovpn is working (check if the server exists before!):

sudo openvpn bg1.ovpn.to/BG1.ovpn.to.ovpn

Using NetworkManager

Either use the editor (networkmanager-editor) or click on VPN connections > Configure VPN in the applet. This should open a dialog. Click on add. A window should appear at which on the very bottom an option should state “import vpn configurations” or something similar. After a click and another one on the create button we can start adding one server at a time (yay).

For each server you want to use open up the .ovpn config file. The authorization art should say *certificate (TLS) and the 3 fields bellow that should each list either a certificate or key file. If not, choose client$yournumber.crt as the user certificate, the $server.crt as the ca cert and client$yournumber.crt as the private key.

This is per server. So each server has a set of 4 files: config, two certificates and one private key. Choose the ones of the server you are adding, otherwise it won’t work.

Goodie: conky

I use conky on my arch box to indicate that I am connected (I’m really anxious about not being connected!). conky

… which is simply produced by this line:

Status: ${execi 30 curl http:/ovpn-ip.info | grep -q "You are connected" \
    && echo "connected" || "NOT connected" }

Quickfix for networkmanager-openvpn

I couldn’t really use said plugin right away because of this bug. The solution is rather simple. We need to create the file /etc/tmpfiles.d/nm-openvpn.conf and insert the following:

d /var/lib/openvpn/chroot - nm-openvpn nm-openvpn -
d /var/lib/openvpn/chroot/tmp - nm-openvpn nm-openvpn -

After a reboot the errors like the following should disappear:

(nm-openvpn-service:29276): nm-openvpn-WARNING **: Directory '/var/lib/openvpn/chroot' not usable for chroot by 'nm-openvpn', openvpn will not be chrooted.


comments powered by Disqus