Convenient launch of the OpenVPN tunnel on a laptop

    For the last couple of months I’ve been traveling in India and have had to connect to the Internet wherever I could: in an Internet cafe, through someone’s passwordless Wi-Fi, over GPRS. Anticipating this, before leaving home I decided to set up a VPN to my own server. The choice fell on OpenVPN. Of course, I wanted to start the VPN not from the command line but conveniently, with one or two mouse clicks. The laptop ran Ubuntu 8.10, and without thinking twice I installed the network-manager-openvpn package, hoping for simple integration with the network manager. It turned out that this plugin is unusable.

    I decided to use OpenVPN in static-key (pre-shared key) mode, because it has an important advantage: “… it is a handshake-free protocol without any distinguishing signature or feature (such as a header or protocol handshake sequence) that would mark the ciphertext packets as being generated by OpenVPN. Anyone eavesdropping on the wire would see nothing but random-looking data.” Or, in plain language, the encrypted data looks like a random sequence of bytes, and it is impossible to tell what it is.

    And the plugin in question simply launches OpenVPN with parameters hard-coded in its source, without letting you specify the ones you need. At first I started writing a patch, but then I realized it was easier to throw it out and find an alternative.

    After some searching I found the tuntun applet for GNOME, which works with OpenVPN in a completely different way: through OpenVPN’s management interface.

    So, first I installed OpenVPN on the laptop, then I wrote this config:

    dev ovpn
    dev-type tun

    remote 10.10.10.10 5555 udp
    nobind

    secret /etc/openvpn/vpn.key 1
    cipher AES-256-CBC
    mlock

    link-mtu 500
    #mtu-test

    mode p2p

    ifconfig 192.168.1.2 192.168.1.1
    route-up /etc/openvpn/vpn.routeup.sh

    comp-lzo

    up-delay
    down /etc/openvpn/vpn.down.sh
    down-pre

    persist-key
    persist-tun

    ping 30

    daemon

    verb 1

    management 127.0.0.1 4444
    management-hold
    management-signal


    And I wrote two scripts. The first, /etc/openvpn/vpn.routeup.sh, sets up the correct routing when the tunnel comes up and adds the local DNS server to resolv.conf:

    #!/bin/sh
    # Run by OpenVPN via route-up; OpenVPN exports the tunnel device name as $dev.

    vpn="10.10.10.10"                  # VPN server address
    ns="127.0.0.1"                     # local resolver to put into resolv.conf
    routedown="/etc/openvpn/$dev.routedown.sh"

    [ -z "$dev" ] && { echo "should be run by openvpn" >&2; exit 1; }

    # Gateway and interface currently used to reach the VPN server.
    origgw=`ip route get "$vpn" | grep ' via ' | sed -re 's/^.*via +([^ ]+).*$/\1/'`
    origdev=`ip route get "$vpn" | grep ' dev ' | sed -re 's/^.*dev +([^ ]+).*$/\1/'`

    [ -z "$origdev" ] && { echo "no route to VPN server, something wrong" >&2; exit 1; }

    # Put the local resolver first in resolv.conf, tagged so it can be removed later.
    sed -i -e "1 s/^/nameserver $ns # added for OpenVPN\n/" /etc/resolv.conf

    # Pin a host route to the VPN server through the original path *before*
    # moving the default route into the tunnel, otherwise the tunnel's own
    # UDP packets would be routed into the tunnel.
    if [ -z "$origgw" ]; then
        ip route replace "$vpn" dev "$origdev"
    else
        ip route replace "$vpn" via "$origgw" dev "$origdev"
    fi
    ip route replace default dev "$dev"

    # Generate the script that undoes all of the above.
    # Assume route to VPN is equal to default route.
    if [ -z "$origgw" ]; then
        echo "ip route replace default dev $origdev" >"$routedown"
    else
        echo "ip route replace default via $origgw dev $origdev" >"$routedown"
    fi
    echo "ip route del $vpn" >>"$routedown"
    echo "sed -i -e '/# added for OpenVPN/ d' /etc/resolv.conf" >>"$routedown"


    The second, /etc/openvpn/vpn.down.sh, returns routing and DNS to their original state:

    #!/bin/sh
    # Run by OpenVPN via down (with down-pre, before the tunnel device is closed).
    # Sources the undo script generated by vpn.routeup.sh, then removes it.

    routedown="/etc/openvpn/$dev.routedown.sh"

    if [ -f "$routedown" ]; then
        . "$routedown"
        rm -f "$routedown"
    fi
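    The two scripts above generate and later replay a handful of `ip route` commands based on whatever `ip route get` printed. The following added example (mine, not from the original article) is a dry-run of that logic in Python: it parses constructed `ip route get` output for both the “via a gateway” and the “directly connected” cases, validates the extracted gateway and interface name before they are written into a shell script that will later be sourced as root, and writes that undo script with mode 0600. The sample outputs, the `plan_routes` and `write_routedown` names and the file path are assumptions for the example.

```python
"""Dry-run of what vpn.routeup.sh / vpn.down.sh do: parse `ip route get`, pin the
VPN server through the original path, swing the default route into the tunnel,
and emit the commands that undo it. All sample outputs below are constructed."""
import ipaddress
import os
import re

# Linux interface names: at most 15 characters, no whitespace or shell metacharacters.
IFACE_RE = re.compile(r"^[A-Za-z0-9_.:-]{1,15}$")


def parse_route_get(output):
    """Return (gateway or None, device) from the first line of `ip route get <vpn>`.
    A directly connected server has no 'via' token; that is the case the
    original script handles with its [ -z "$origgw" ] branches."""
    lines = output.strip().splitlines()
    tokens = lines[0].split() if lines else []
    gw = dev = None
    for i in range(len(tokens) - 1):
        if tokens[i] == "via":
            gw = tokens[i + 1]
        elif tokens[i] == "dev":
            dev = tokens[i + 1]
    if dev is None:
        raise ValueError("no route to VPN server")
    # These values end up inside a generated shell script that is sourced as
    # root, so check their shape instead of trusting the tool's output blindly.
    if gw is not None:
        ipaddress.ip_address(gw)          # ValueError on anything but an address
    if not IFACE_RE.match(dev):
        raise ValueError("unexpected interface name: %r" % dev)
    return gw, dev


def plan_routes(vpn, tun_dev, route_get_output, resolv_tag="# added for OpenVPN"):
    """Return (up_cmds, down_cmds) mirroring the route-up and down scripts."""
    gw, dev = parse_route_get(route_get_output)
    via = ("via %s dev %s" % (gw, dev)) if gw else ("dev %s" % dev)
    up = [
        # Host route to the server through the old path first, or the tunnel's
        # own UDP packets would be routed into the tunnel once default moves.
        "ip route replace %s %s" % (vpn, via),
        "ip route replace default dev %s" % tun_dev,
    ]
    down = [
        # Same assumption as the original: the old default route went the same
        # way as the route to the VPN server.
        "ip route replace default %s" % via,
        "ip route del %s" % vpn,
        "sed -i -e '/%s/ d' /etc/resolv.conf" % resolv_tag,
    ]
    return up, down


def write_routedown(path, commands):
    """Write the undo script readable/writable by its owner only: it is later
    sourced by the down script, so nobody else may be able to edit it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(commands) + "\n")
    return path


if __name__ == "__main__":
    # Constructed sample: laptop on Wi-Fi behind a home router.
    sample = "10.10.10.10 via 192.168.0.1 dev wlan0 src 192.168.0.23 uid 1000\n    cache\n"
    up, down = plan_routes("10.10.10.10", "ovpn", sample)
    print("\n".join(up), "--- undo ---", "\n".join(down), sep="\n")
```

    Running it prints the two `ip route replace` commands the route-up script would execute and the three commands the generated routedown script would replay; feeding it output without a `via` token shows the directly connected variant.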


    Next comes the simplest part: run OpenVPN on the server and on the laptop, and add the tuntun applet to the GNOME panel in the usual way; it looks like this (marked with the mouse pointer):


    Then add the VPN in the tuntun settings (right mouse button -> Preferences -> Add):


    and the result looks something like this:


    To start the VPN, left-click the applet and select the required VPN from the list:


    Clicking the same VPN in the list again disconnects it.
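    What the applet does on those clicks is talk to the `management 127.0.0.1 4444` socket from the config: with `management-hold` OpenVPN starts but waits until a client sends `hold release`, and `management-signal` lets a client stop it with `signal SIGTERM`. The following added example (mine, not tuntun’s code nor anything from the original article) is a minimal client for that exchange, together with a constructed in-process stand-in for the OpenVPN side so it can run offline; the stand-in’s message texts are modelled on the real protocol, and the addresses in its `state` record are made up. One thing worth knowing about this setup: the third argument of `management` is an optional password file, and without it any local process that can reach 127.0.0.1:4444 can release the hold or stop the tunnel.

```python
"""OpenVPN management-interface client (hold release / state / SIGTERM) plus a
constructed in-process stand-in for OpenVPN so the exchange can run offline."""
import socket
import threading
import time


class ManagementClient:
    """Speaks the line-oriented OpenVPN management protocol on 127.0.0.1:<port>."""

    def __init__(self, host="127.0.0.1", port=4444, timeout=5.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        # Text wrapper; universal newlines turn the CRLF line endings into '\n'.
        self.rfile = self.sock.makefile("r", encoding="ascii", newline=None)

    def _send(self, cmd):
        self.sock.sendall((cmd + "\n").encode("ascii"))

    def wait_for_hold(self):
        """With 'management-hold', OpenVPN sends a '>HOLD:' notice and waits."""
        for line in self.rfile:
            if line.startswith(">HOLD:"):
                return True
        return False  # connection closed without ever reaching the hold

    def command(self, cmd):
        """Send one command and return its reply lines. A reply is either a
        single 'SUCCESS:'/'ERROR:' line or data lines terminated by 'END';
        lines starting with '>' are asynchronous notifications and are skipped."""
        self._send(cmd)
        lines = []
        for line in self.rfile:
            line = line.rstrip("\n")
            if line.startswith(">"):
                continue
            if line == "END":
                return lines
            lines.append(line)
            if line.startswith(("SUCCESS:", "ERROR:")):
                return lines
        return lines

    def release_hold(self):
        reply = self.command("hold release")
        return bool(reply) and reply[0].startswith("SUCCESS:")

    def state(self):
        """State name (2nd comma-separated field) of the newest 'state' record."""
        data = [ln for ln in self.command("state")
                if not ln.startswith(("SUCCESS:", "ERROR:"))]
        return data[-1].split(",")[1] if data else None

    def disconnect(self):
        """Ask the daemon to exit; this needs 'management-signal' in the config."""
        reply = self.command("signal SIGTERM")
        self.sock.close()
        return bool(reply) and reply[0].startswith("SUCCESS:")


def start_fake_server():
    """Constructed stand-in for the OpenVPN side (message shapes modelled on the
    real protocol, addresses made up). Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        state = "CONNECTING"
        conn.sendall(b">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info\r\n")
        conn.sendall(b">HOLD:Waiting for hold release\r\n")
        for line in conn.makefile("r", encoding="ascii", newline=None):
            cmd = line.strip()
            if cmd == "hold release":
                state = "CONNECTED"
                conn.sendall(b"SUCCESS: hold release succeeded\r\n")
            elif cmd == "state":
                rec = "%d,%s,,192.168.1.2,10.10.10.10\r\nEND\r\n" % (int(time.time()), state)
                conn.sendall(rec.encode("ascii"))
            elif cmd == "signal SIGTERM":
                conn.sendall(b"SUCCESS: signal SIGTERM thrown\r\n")
                break
            else:
                conn.sendall(b"ERROR: unknown command, enter 'help' for more options\r\n")
        conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def bring_up_and_down(port):
    """What the two clicks amount to: release the hold, check the state, and
    later tear the tunnel down with SIGTERM."""
    client = ManagementClient(port=port)
    result = {"held": client.wait_for_hold()}
    result["released"] = client.release_hold()
    result["state"] = client.state()
    result["stopped"] = client.disconnect()
    return result


if __name__ == "__main__":
    print(bring_up_and_down(start_fake_server()))
```

    Against a real daemon started with the config above you would construct `ManagementClient(port=4444)` instead of the fake server; because the config also has `daemon`, the process stays around between clicks, and `persist-key`/`persist-tun` keep the key and device across restarts.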

    I won’t describe setting up OpenVPN on the other side, as that is beyond the scope of this article.

    If you liked it, please help with karma, and then I’ll move the article to a thematic blog.
