Linux Headless OpenVPN Client

On linux, you can run the client as a daemon but you have to jump through some hoops. Here's an example using PrivateInternetAccess.

# Install OpenVPN
apt-get install openvpn openresolv
# Download the TLS resources and sample config from the provider
cd /tmp
wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
unzip openvpn.zip
sudo cp crl.rsa.2048.pem crl.rsa.2048.pem US\ Midwest.ovpn /etc/openvpn/client

Edit the config file and to the bottom,

cd /etc/openvpn
sudo vim US\ Midwest.ovpn

The change the auth-user-pass line to include a password file

auth-user-pass pass.txt

And then to the bottom, add

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Create the pass.txt file and set appropriate permissions.

sudo vim pass.txt
allen
mypassword
sudo chown own root:root pass.txt
sudo chmod 600 pass.txt

Give it a test run and then enable the service

# You should see it confirm you got an IP
sudo openvpn US\ Midwest

# The demon expects a .conf file and the systemctl enable doesn't handle spaces well
sudo vim US\ Midwest.ovpn US_Midwest.conf
sudo systemctl enable openvpn-client@US_Midwest.service
sudo systemctl start openvpn-client@US_Midwest.service
sudo systemctl status openvpn-client@US_Midwest.service

Reboot and make sure it sticks

Troubleshooting

/etc/resolv.conf not updated

Make sure openresolv is installed. Also, if you're using resolvd - as indicated by looking at the resolv.conf file, look below for the alternate script
When you test with the interactive openvpn command, you should see flash by
dhcp-option DNS 209.222.18.222
dhcp-option DNS 209.222.18.218
If you don't add those to your config file right above the up and down script indicators

In ubuntu 17.10 and newer, systemd-resolved handles DNS
https://github.com/jonathanio/update-systemd-resolved


Options error: -... No such file or directory

When we put all our stuff in the client directory you have to put the fully qualified script name of the update-resolv-conf in the script. Check your paths either way


Sources
https://wiki.debian.org/OpenVPN#Auto-start
https://wiki.archlinux.org/index.php/OpenVPN#Update_resolv-conf_script
https://helpdesk.privateinternetaccess.com/hc/en-us/articles/219438247-Installing-OpenVPN-PIA-on-Linux
https://torguard.net/knowledgebase.php?action=displayarticle&id=138
http://serverfault.com/questions/458591/how-to-auto-start-openvpn-client-on-ubuntu-12-04-cli

Comments