Linux Headless OpenVPN Client

On Linux, you can run the client as a daemon, but you have to jump through some hoops. Here's an example using PrivateInternetAccess.

# Install OpenVPN
sudo apt-get install openvpn openresolv
# Download the TLS resources and sample config from the provider
cd /tmp
sudo cp crl.rsa.2048.pem crl.rsa.2048.pem US\ Midwest.ovpn /etc/openvpn/client

Edit the config file.

cd /etc/openvpn/client
sudo vim US\ Midwest.ovpn

Then change the auth-user-pass line to include a password file:

auth-user-pass pass.txt

Then, at the bottom, add:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Create the pass.txt file and set appropriate permissions.

sudo vim pass.txt
sudo chown root:root pass.txt
sudo chmod 600 pass.txt

Give it a test run and then enable the service.

# You should see it confirm you got an IP
sudo openvpn US\ Midwest.ovpn

# The daemon expects a .conf file and the systemctl enable doesn't handle spaces well
sudo mv US\ Midwest.ovpn US_Midwest.conf
sudo systemctl enable openvpn-client@US_Midwest.service
sudo systemctl start openvpn-client@US_Midwest.service
sudo systemctl status openvpn-client@US_Midwest.service

Reboot and make sure it sticks.


/etc/resolv.conf not updated

Make sure openresolv is installed. Also, if you're using systemd-resolved (as indicated by looking at the resolv.conf file), look below for the alternate script.
When you test with the interactive openvpn command, you should see these lines flash by:
dhcp-option DNS
dhcp-option DNS
If you don't, add those to your config file right above the up and down script lines.

In Ubuntu 17.10 and newer, systemd-resolved handles DNS.

Options error: -... No such file or directory

When we put all our stuff in the client directory, you have to use the fully qualified script name of update-resolv-conf in the config file's up and down lines. Check your paths either way.
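
Both the pass.txt permissions step and the fully qualified script path above can be checked before the service is enabled. The script below is an added example, not part of the original page or of OpenVPN; the function names perm_ok and audit_ovpn_conf are hypothetical, it assumes GNU stat, and it assumes a relative auth-user-pass file is resolved from the config's directory.

```shell
#!/bin/sh
# Added example (not from the original page): audit an OpenVPN client config
# for the credential-file and up/down script settings used above.
# Function names are hypothetical; stat -c is the GNU coreutils form.

# perm_ok FILE UID MASK: FILE exists, is owned by UID, has no MASK bits set.
perm_ok() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%u' "$1")" = "$2" ] || return 1
    mode=$(stat -c '%a' "$1")
    [ $(( 0$mode & 0$3 )) -eq 0 ]
}

# audit_ovpn_conf CONF [UID]: print findings; exit status = number of findings.
# UID defaults to 0 (root), the owner the page sets with chown root:root.
audit_ovpn_conf() {
    conf=$1 uid=${2:-0} issues=0
    dir=$(dirname "$conf")
    while read -r key val rest || [ -n "$key" ]; do
        case $key in
        auth-user-pass)
            [ -n "$val" ] || continue          # no file given: OpenVPN prompts
            # Assumption: a relative name is resolved from the config's directory.
            case $val in /*) f=$val ;; *) f=$dir/$val ;; esac
            perm_ok "$f" "$uid" 077 || {
                echo "$f: must exist, be owned by uid $uid, mode 600 or stricter"
                issues=$((issues + 1)); }
            ;;
        up|down)
            # OpenVPN executes these scripts (script-security 2), so require an
            # absolute path to a file that only its owner can modify.
            case $val in
            /*) perm_ok "$val" "$uid" 022 || {
                    echo "$key $val: missing, wrong owner, or group/world-writable"
                    issues=$((issues + 1)); } ;;
            *)  echo "$key $val: not a fully qualified path"
                issues=$((issues + 1)) ;;
            esac
            ;;
        esac
    done < "$conf"
    return "$issues"
}

# Run against a config when one is given, e.g. as root:
#   sh audit.sh /etc/openvpn/client/US_Midwest.conf
[ $# -eq 0 ] || audit_ovpn_conf "$@"
```

An exit status of 0 means no findings; run it with sudo so it can stat the root-owned pass.txt.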