Connecting to Access Server with Linux

Client software choice

The OpenVPN protocol is not built into Linux. A client program is therefore required to capture the traffic you wish to send through the OpenVPN tunnel, encrypt it, and pass it to the OpenVPN server, and, in reverse, to decrypt the return traffic. There are some options here. As far as graphical interfaces go, there are some interesting projects out there but none yet officially released by OpenVPN Inc., although this will be coming soon.

OpenVPN open source CLI program

The open source project client program is the main method of getting your Linux system connected to the Access Server. The package is available in most distributions and is known simply as openvpn. Note that this is a different package from the OpenVPN Access Server, which is titled openvpnas or openvpn-as. The openvpn package supports the option to connect to multiple OpenVPN servers at the same time, and it also comes with a service component that can automatically and silently start any auto-login profiles it finds in the /etc/openvpn folder, even before a user has logged in yet. This service component can be set to automatically start at boot time with the tools available in your Linux distribution, if supported. On Ubuntu and Debian, when you install the openvpn package, it is automatically configured to start at boot time.

To install the openvpn client on Linux, you can in many cases simply use the version in the software repository of your Linux distribution. While this may work for most scenarios, outdated software can cause connectivity problems, because older versions of OpenVPN may lack support for higher TLS versions. We therefore advise you to follow the instructions found on the open source openvpn community wiki below when you install the openvpn client on your Linux system. It is also possible to compile from source, but we advise only advanced users to attempt that. For ordinary use the page below should be referenced:

To get connected you will need a connection profile. This is a file generated by your OpenVPN Access Server installation for your specific user account; it contains the certificates and connection settings required to make a connection. OpenVPN Access Server supports server-locked, user-locked, and auto-login profiles, but the openvpn command line client can only connect with user-locked or auto-login connection profiles. To obtain one of these, go to the web interface of your Access Server (the main address, not the /admin portion) and make sure the dropdown menu says “LOGIN” and not “CONNECT”. Change it if necessary. Then enter your user credentials and click ‘go’. You will be shown a list of files available to you for download. Pick the user-locked profile or the auto-login profile and you will be sent a client.ovpn file. Save this file somewhere on your Linux system.

We are assuming you are going to start the connection either through the command line as the root user, or via the service daemon. If you want unprivileged users to be able to make a connection, we refer you to the community wiki for more information on how to implement that. Here we focus on the simplest implementation: run the connection as the root user directly, or via the service daemon.

Start a connection with an auto-login profile manually:

openvpn --config client.ovpn

Start a connection with a user-locked profile manually:

openvpn --config client.ovpn --auth-user-pass

If you use Google Authenticator or another extra factor authentication, add the auth-retry parameter:

openvpn --config client.ovpn --auth-user-pass --auth-retry interact

To start an auto-login connection via the service daemon, place client.ovpn in /etc/openvpn/ and rename the file so that it ends with the .conf file extension. Make sure the service daemon is enabled to run after a reboot, and then simply reboot the system. The auto-login profile will be picked up automatically and the connection will start by itself. You can verify this by checking, for example, the output of the ifconfig command; you should then see a tun0 network adapter in the list.

One major feature that is missing from the command line client is the ability to automatically implement DNS servers that are pushed by the VPN server. It is possible, but it requires you to install a DNS management program such as resolvconf or openresolv, and it may or may not clash with existing network management software in your OS. The idea is that you use a script that runs when the connection goes up and again when it goes down, and that uses resolvconf or openresolv to implement the DNS servers for you. The main reason this client cannot manage DNS completely by itself is that an operating system like Windows, Macintosh, Android, or iOS already has a single established method of handling DNS management. It is therefore easy for us to create a software client for those operating systems that already knows how to handle DNS. Linux, however, is available in many variations and supports different programs and methods of implementing DNS servers, so it was only reasonable to leave built-in DNS support out of the OpenVPN program and instead to provide, where possible, a script that handles DNS implementation. You could even write such a script yourself to do whatever tasks are necessary to implement the DNS servers in your unique situation.

Fortunately, on Ubuntu and Debian, for example, the openvpn package comes with the /etc/openvpn/update-resolv-conf script, which handles DNS implementation for these operating systems. You only need to activate it by following these instructions:

Open your client.ovpn file in a text editor:

nano client.ovpn

At the very bottom simply add these lines:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

The first line enables the use of external scripts to handle the DNS implementation tasks. The up and down lines are there to implement DNS servers pushed by the VPN server when the connection goes up, and afterwards to undo it, when the connection goes down.
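
The service-daemon steps and the DNS hook lines above, combined into one installer as an added example (not code from the OpenVPN documentation). The function names, the owner-only file mode and the hook permission check are assumptions added here; the profile is kept owner-readable because it carries the account's certificates.

```shell
#!/bin/sh
# Added example, not part of the openvpn package.
# HOOK defaults to the Debian/Ubuntu script named on this page.
HOOK="${HOOK:-/etc/openvpn/update-resolv-conf}"

# hook_is_safe PATH (hypothetical helper): true only if PATH is an executable
# regular file that group and others cannot write. OpenVPN is started as root
# on this page and executes the hook itself, so a hook that other local users
# can edit would let them run their own commands through it.
hook_is_safe() {
    [ -f "$1" ] && [ -x "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)      # e.g. -rwxr-xr-x
    case "$perms" in
        ?????w*|????????w*) return 1 ;;    # group-write or other-write bit set
    esac
    return 0
}

# install_profile SRC DEST_DIR NAME (hypothetical helper): copy SRC to
# DEST_DIR/NAME.conf, readable by its owner only, and append the DNS hook
# lines unless the profile already sets script-security.
install_profile() {
    src=$1
    dest="$2/$3.conf"
    [ -f "$src" ] || { echo "no such profile: $src" >&2; return 1; }
    hook_is_safe "$HOOK" || { echo "unsafe or missing hook: $HOOK" >&2; return 1; }
    ( umask 077 && cp "$src" "$dest" ) || return 1
    chmod 600 "$dest"                      # also covers a pre-existing file
    if ! grep -q '^[[:space:]]*script-security[[:space:]]' "$dest"; then
        printf '\nscript-security 2\nup %s\ndown %s\n' "$HOOK" "$HOOK" >> "$dest"
    fi
}
```

Run as root, `install_profile client.ovpn /etc/openvpn client` writes /etc/openvpn/client.conf, which the service daemon picks up as described above.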

Ubuntu network management program

There is also the option of connecting through the GUI, but this is currently a bit painful to set up. We hope to have a better solution soon, but if you’re interested in this option check out this community guide;