This document is oriented towards the OpenVPN client on Debian Wheezy, connecting to an IPFire firewall/router, but it can be adapted to most versions of Linux. The default behaviour of openvpn under Wheezy is to use all files ending in .conf which are located in /etc/openvpn. This behaviour can be modified via /etc/default/openvpn.
OpenVPN on Linux is fairly easy to set up, but sometimes the helper applications can be a little cranky. Some machines are only used for vpn access, and in that case a less secure, but more convenient way is to remove the password protecting the private key in your pkcs12 file, then tell openvpn to start the connection automatically.
NOTE: I strongly recommend you do the following only on a secure system. A strong password and an encrypted file system are a minimum. If you step away from your desktop, lock the screen (GUI) or log out (CLI) while you're gone. This howto removes the basic security of OpenVPN and, if bypassed, gives an unauthorized user access to a remote site.
With IPFire, the client package you download is a zip file containing two files. For this, I will call them myvpn.ovpn and myvpn.p12, and they are in a client package, myvpn.zip. So, wherever you see myvpn.ovpn and myvpn.p12, substitute your real file names.
First, install openvpn on your computer. Under Debian:
sudo apt-get install openvpn
Conversion and installation
Let's remove the password from the p12 file. At the same time, we'll copy the unprotected file to /etc/openvpn so the connection is started automatically on boot. There is nothing magical about the name auto in the following. You could just as easily use the actual connection name, or anything else. Just make sure the .ovpn file is renamed with a .conf extension and that the pkcs12 line inside it points to the new p12 file.
# get your IPFire client package contents into a temporary directory
cd /tmp # remember, this is a secure system, right?
unzip ~/myvpn.zip # get the files out of the package
# extract the pem file
openssl pkcs12 -in myvpn.p12 -nodes -out temp.pem
# -> Enter password
# following must be run as root since it is copying into /etc/openvpn
# so either su or sudo to get there
sudo su
# Convert pem back to p12
openssl pkcs12 -export -in temp.pem -out /etc/openvpn/auto.p12
# -> Just press [return] twice for no password
# Remove temporary certificate (it holds the unencrypted private key)
rm temp.pem
# now, copy the ovpn file (configuration file) to /etc/openvpn,
# changing the p12's name while we're at it. Be sure to rename myvpn.ovpn and myvpn.p12 (inside the sed command)
sed 's|pkcs12 myvpn.p12|pkcs12 /etc/openvpn/auto.p12|' myvpn.ovpn > /etc/openvpn/auto.conf
# secure it a little more
chown root:root /etc/openvpn/*
chmod 0600 /etc/openvpn/*
At this point, when you reboot your computer, the vpn connection should be made automatically. You can see this by looking for its status file in /var/run.
NOTE: if you want to autostart more than one connection, simply repeat the above but name the results something other than auto (i.e., auto2.conf and auto2.p12).
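Because the p12 file no longer has a password, its file permissions are the only thing protecting the key. The following is an added example, not part of the original howto: a small check that walks every .conf in the autostart directory, finds the pkcs12 file it points to, and reports anything that is missing, not owned by root, or readable by group/other. The function names are hypothetical; it assumes GNU stat and that a relative pkcs12 path is relative to the configuration directory.

```shell
#!/bin/sh
# Added example: audit what the procedure above leaves in /etc/openvpn.
# DIR and OWNER_UID are parameters (defaults /etc/openvpn and 0) only so the
# check can also be run against a scratch directory.

findings=0

# Flag a file unless it is a regular file, owned by uid $2, mode 0600 or stricter.
check_private() {
    if [ ! -f "$1" ]; then
        echo "MISSING $1"; findings=$((findings + 1)); return 0
    fi
    mode=$(stat -L -c '%a' "$1")   # GNU stat: octal mode, e.g. 600
    uid=$(stat -L -c '%u' "$1")
    case $mode in
        0|?00) ;;                  # no group/other bits, no setuid/setgid/sticky
        *) echo "MODE $mode $1"; findings=$((findings + 1)) ;;
    esac
    if [ "$uid" != "$2" ]; then
        echo "OWNER uid=$uid $1"; findings=$((findings + 1))
    fi
}

# Usage: audit_openvpn_autostart [DIR] [OWNER_UID]; returns 1 on any finding.
audit_openvpn_autostart() {
    dir=${1:-/etc/openvpn}
    want_uid=${2:-0}
    findings=0
    for conf in "$dir"/*.conf; do
        [ -e "$conf" ] || continue          # glob matched nothing
        check_private "$conf" "$want_uid"
        # First "pkcs12 <file>" directive in the config, CR stripped.
        p12=$(sed -n 's/^[[:space:]]*pkcs12[[:space:]][[:space:]]*//p' "$conf" |
              tr -d '\r' | head -n 1)
        [ -n "$p12" ] || continue
        case $p12 in
            /*) ;;
            *) p12=$dir/$p12 ;;             # assumption: relative to DIR
        esac
        check_private "$p12" "$want_uid"
    done
    [ "$findings" -eq 0 ]
}
```

Run as root with no arguments, it checks /etc/openvpn and prints one line per problem; no output and exit status 0 means every autostarted config and its p12 file are root-owned and private.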
- Autorunning a connection
- removing the passphrase from a pkcs12 file