Before starting with anything we need to install OpenVPN package. This is done via
Software Manager. Just type
OpenVPN and install first thing you get back (yep, this is great piece of security advice ;)).
First we can do the easy stuff. Download PIA’s OpenVPN configuration files and extract it to directory of your choice. I kept them in
Next easy step is setting up DNS resolving. For that we go to
Network Connections. Just click edit on connection you are using and go to
IPv4 Settings tab. Change
Automatic (DHCP addresses only). Under
DNS servers enter
188.8.131.52 184.108.40.206 (PIA’s DNS).
All other commands are to be executed in terminal and most of them require root privileges. It might be best if you just become root for a while:
$ su - root
Next step is getting configuration in place (replace
password with yours):
# cp /home/MyUserName/pia/ca.crt /etc/openvpn/ca.crt
# cp /home/MyUserName/pia/crl.pem /etc/openvpn/crl.pem
# cp /home/MyUserName/pia/US\ Midwest.ovpn /etc/openvpn/client.conf
# sed -i "s*ca ca.crt*ca /etc/openvpn/ca.crt*" /etc/openvpn/client.conf
# sed -i "s*crl-verify crl.pem*crl-verify /etc/openvpn/crl.pem*" /etc/openvpn/client.conf
# echo "auth-user-pass /etc/openvpn/login.pia" >> /etc/openvpn/client.conf
# echo "mssfix 1400" >> /etc/openvpn/client.conf
# echo "username" > /etc/openvpn/login.pia
# echo "password" >> /etc/openvpn/login.pia
# chmod 500 /etc/openvpn/login.pia
Now we can test our connection (after we restart network in order to activate DNS changes):
# /etc/init.d/networking restart
# openvpn --config /etc/openvpn/client.conf
Assuming that this last step ended with
Initialization Sequence Completed, we just need to verify whether this connection is actually used.
I found whatismyipaddress.com quite helpful here. If you see some mid-west town on map, you are golden (assuming that you don’t actually live in US mid-west :)).
Now you can stop test connection via
Ctrl+C in order to properly start it. In addition, you can specify it should start on each system startup:
# service openvpn start
# echo "AUTOSTART=all" >> /etc/default/openvpn
Lastly you can think about firewall and disabling default interface when VPN is not active. Of course, in order for things to work, we still need to allow port 1194 toward our VPN server and DNS:
# ufw default deny incoming
# ufw default deny outgoing
# ufw allow out on tun0
# ufw allow out 1194/udp
# ufw allow out on eth0 to 220.127.116.11 port 53 proto udp
# ufw allow out on eth0 to 18.104.22.168 port 53 proto udp
# ufw enable
And that is all.
PS: It is not a déjà vu, article is really close to how it was set on CentOS.
[2016-10-01: Removed auth-nocache directive as it didn’t play nice with auth-user-pass.]