Today I had a case where a coworker wanted a Linux server to connect to a particular VPN, and we didn’t want to make it use some hacky way like putting a script in /etc/rc.local for it to run on boot. By using systemd we learned how to use it to control connecting to the VPNs, using the OpenVPN client.

Steps

Install the OpenVPN client

Verify the `openvpn` client is installed

Debian/Ubuntu

1
apt-get install openvpn

RHEL/CentOS

1
yum install openvpn

Get VPN keys, certifiates and configs

From your remote host, get the files or zip file that includes your VPN keys, certificates and configs
Place the files (unzipping any archives) into /etc/openvpn on your client

Configure OpenVPN session

In the directory /etc/openvpn copy the .opvn file to .conf (renaming .conf with the host or filename of the .opvn file - openvpn is looking for any .conf file in this directory)

1
cd /etc/openvpn
2
cp file.opvn file.conf

The new file.conf will be identical to file.opvn, and will include all connection steps. It will look somemthing like this (yours will be different, but should have similar steps):

1
client
2
dev tun
3
proto udp
4
remote 106.132.15.101 1876
5
resolv-retry infinite
6
nobind
7
persist-key
8
persist-tun
9
ca ca.crt
10
cert default.crt
11
key default.key
12
tls-auth tlsauth.key 1
13
ns-cert-type server
14
cipher AES-128-CBC
15
comp-lzo
16
verb 4
17
script-security 3
18
route 10.122.17.0 255.255.255.0
19
route 10.122.120.0 255.255.255.0

Enable this config in OpenVPN, so systemd can use it

edit /etc/default/openvpn, and uncomment the following line

1
AUTOSTART="all"

exit and save /etc/default/openvpn
NOTICE: I’m just choosing all but if you had the files with different names you could call out specific ones. So for example, if you had /etc/openvpn/worksucks.conf you’d have:

1
AUTOSTART="worksucks"

haha!

Reload / Restart services to use the new files

Reload systemd daemon so it will pickup the changes

1
systemctl daemon-reload

Restart OpenVPN so it will automatically connect to the VPN listed in file.conf

1
systemctl restart openvpn

Debug

check logs to verify everything worked

1
tail -f /var/log/syslog

look for success messages, you should see something like:

1
Feb 22 13:01:03 localhost NetworkManager[996]: <info>  [1487790063.9729] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/43)
2
Feb 22 13:01:03 localhost ovpn-host[2915]: /sbin/ip addr add dev tun0 local 10.255.59.14 peer 10.255.59.13
3
Feb 22 13:01:03 localhost ovpn-host[2915]: /sbin/ip route add 10.122.17.0/24 via 10.255.59.13
4
Feb 22 13:01:03 localhost ovpn-host[2915]: /sbin/ip route add 10.122.120.0/24 via 10.255.59.13
5
Feb 22 13:01:03 localhost ovpn-host[2915]: /sbin/ip route add 10.102.59.0/24 via 10.255.59.13
6
Feb 22 13:01:03 localhost ovpn-host[2915]: /sbin/ip route add 10.255.59.1/32 via 10.255.59.13
7
Feb 22 13:01:03 localhost ovpn-host[2915]: Initialization Sequence Completed
8
Feb 22 13:01:03 localhost NetworkManager[996]: <info>  [1487790063.9801] devices added (path: /sys/devices/virtual/net/tun0, iface: tun0)

Done

Now systemd is handling your VPN connections, and will keep them up for you. Notice you can stop/start them on demand, instead of just having them start at boot, by:

1
service openvpn@worksucks restart

Pretty fly, so that’s it for now, have fun out there, but stay safe!

Use Systemd to Control VPN Connections