Setting up a VPN client on Arch Linux
There are many uses for VPNs, from creating a secure connection to a business network to accessing your home server to accessing online shows in your home country. When I'm travelling away from home and want to prevent the local network of "free WiFi" users sniffing my web traffic, I use Private Internet Access. They provide OpenVPN access (which is more secure) and offer plenty of automated setup methods for various operating systems. With Arch, however, we like to do things the manual way...
Once we've installed the openvpn package, the basic VPN setup is very straightforward.
Downloading the config
Assuming you have already signed up for a PIA account, simply download the OpenVPN config files, unzip and move everything to /etc/openvpn:
unzip openvpn.zip && cd openvpn
sudo mv * /etc/openvpn
Connecting to the VPN
At this point you could simply run
sudo openvpn --config /etc/openvpn/UK\ London.conf
and enter your username and password, but why not add some security steps and also make connecting even easier?
Limiting read/write access
We should set the owner and group to root and restrict read/write access to root only, for extra security.
sudo chown -R root:root /etc/openvpn
sudo chmod -R 600 /etc/openvpn/*
Preventing DNS leaks
Make sure that you edit your /etc/resolv.conf to list nameservers you trust, so that you don't get any DNS leaks (where the lookup is performed on your local connection instead of over the remote VPN). You could also set this to your VPN service provider's DNS servers in the connection script.
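The check below is an added example, not part of the original post: it lists any nameserver in a resolv.conf file that is not on your trusted list. The function name untrusted_nameservers is hypothetical, and the addresses are constructed placeholders (192.0.2.53 is a documentation address), not real resolvers.

```shell
#!/bin/sh
# Added example: report nameservers in a resolv.conf that are not trusted.
# Usage: untrusted_nameservers FILE TRUSTED_IP...
# Prints one untrusted nameserver per line. Returns 0 only when at least
# one nameserver is configured and all of them are on the trusted list.
untrusted_nameservers() {
    file=$1
    shift
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 2
    fi
    # Second field of each "nameserver" line; commented-out lines are
    # skipped because their first field is not exactly "nameserver".
    servers=$(awk '$1 == "nameserver" { print $2 }' "$file")
    # With no nameserver lines the resolver uses its built-in default,
    # which is not something we chose, so flag it.
    if [ -z "$servers" ]; then
        echo "none-configured"
        return 1
    fi
    rc=0
    for ns in $servers; do
        ok=no
        for trusted in "$@"; do
            if [ "$ns" = "$trusted" ]; then ok=yes; fi
        done
        if [ "$ok" = no ]; then
            echo "$ns"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: resolv.conf as a hotspot's DHCP lease might leave it.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'nameserver 192.168.1.1' \
    'nameserver 192.0.2.53' > "$sample"
untrusted_nameservers "$sample" 192.0.2.53 ||
    echo "possible DNS leak: nameservers above are not on the trusted list"
rm -f "$sample"
```

Run it against /etc/resolv.conf once the VPN is up, since DHCP clients often rewrite that file when the network changes.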
Optional extras for an easy life
sudo vim /etc/openvpn/creds.conf
Edit the file with username on the first line and password on the second, then sudo chmod 600 it and follow either the relative file paths or dmenu section below, according to taste.
Relative file paths
If you'd rather keep your configs and certificates in separate directories, you can do some batch renaming on the config files. First let's create a temporary environment variable to make the substitutions easy:
Now we can use this with the sed tool to replace various things in all the config files.
sed can use any delimiter for replacement (not just /) so we'll use % to make things play well with paths. Also, we'll use double quotes so the environment variable is read properly.
# If you're not there already:
cd /etc/openvpn
# Use file for user/password instead of being prompted
# (sudo is needed because the files are now owned by root with mode 600)
sudo sed -i "s%auth-user-pass%auth-user-pass $OPENVPN_DIR/creds.conf%" *
# Point to correct certificate locations
sudo sed -i "s%ca.crt%$OPENVPN_DIR/ca.crt%" *
sudo sed -i "s%crl.pem%$OPENVPN_DIR/crl.pem%" *
dmenu
I love to use dmenu for everything. It makes my life very easy. First let's rename the config files so we don't have to worry about those spaces in the filenames:
sudo rename ' ' '-' /etc/openvpn/*
You can use this dmenu script or modify it as required. In this case I'm also telling openvpn to write a pid so I can tell when the VPN is connected (using i3bar etc.).
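#!/bin/sh
# Directory holding the configs, certificates and creds.conf
VPNDIR=/etc/openvpn/
# Terminal that runs openvpn; -hold keeps the window open afterwards
VTERM="urxvtc -hold -e"
cd "$VPNDIR" || exit 1
# Pick a config with dmenu, hiding the certificate and credential files
vpn=$(ls "$VPNDIR" | grep -Ev "ca.crt|crl.pem|creds.conf" | dmenu -p 'select vpn:') &&
    eval "$VTERM sudo openvpn --config $vpn --writepid /var/run/vpn.pid --auth-user-pass creds.conf"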