Setting up OpenVPN in FatDog

[Neo_78]

FatDog has a repository to install OpenVPN, correct?

Which location would you recommend to store the .ovpn files supplied by your VPN provider?

In Debian you would normally run the installation script in the following way to provide your VPN credentials:

sudo apt install openvpn resolvconf

And then to launch the VPN, you would run the following:

Code: Select all

sudo openvpn --config /[path to file]/my_expressvpn_[server location].ovpn --script-security 2 --up /etc/openvpn/update-resolv-conf --down /etc/openvpn/update-resolv-conf

How does this work in FatDog?

Is it possible to start the VPN in the terminal from a non-root account?

Is there a way to manage VPN connections from the network management tool for easier handling?

Thanks for your feedback!

[JakeSFR]

How does this work in FatDog?

Install openvpn and openresolv packages, and download this script:
https://github.com/alfredopalhares/open ... lv-conf.sh

Make it executable and put it in /etc/openvpn dir.
You may also want to remove the .sh extension, because in all examples I've seen, it's invoked without this extension.

[EDIT] Oh, I forgot that you'll probably need to load the tun kernel module as well:

Code: Select all

modprobe tun

And then:

Code: Select all

openvpn --config /[path to file]/my_expressvpn_[server location].ovpn --script-security 2 --up /etc/openvpn/update-resolv-conf --down /etc/openvpn/update-resolv-conf

should just work.

Btw, you can embed the extra options in the .ovpn files themselves:

Code: Select all

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Which location would you recommend to store the .ovpn files supplied by your VPN provider?

I'm not aware of any official/dedicated location for OVPN files.
I keep them in my home dir, in a subfolder.

Is it possible to start the VPN in the terminal from a non-root account?

No idea, but hopefully it is. Please report back if you try.

Is there a way to manage VPN connections from the network management tool for easier handling?

It doesn't seem to have this option.

Greetings!

[Neo_78]

Thanks @JakeSFR. Will try that out and report back.

[Neo_78]

Script setup and vpn work if you run it under the root account @JakeSFR.

However, if I try to start openvpn in the terminal from a non-root user account, I get the following error:

Code: Select all

ERROR: Cannot ioctl TUNSETIF tun: Operation not permitted (errno=1)

I tried to run sudo modprobe tun but I get the same error.

Is there a way around this to get OpenVPN working on a normal user account?

Thanks for your feedback!

[JakeSFR]

sudo modprobe tun works for me for a non-root user, but there were some changes to the sudo script, so maybe that's why.

Anyway, you can always use the /etc/modules file - you'll find instructions inside of it.

Greetings!

[Neo_78]

Testing this further, the only way to get the vpn going under a non-root user account is to start it as sudo openvpn or start the respective script with tmux as sudo with a dettached session to leave it running in the background @JakeSFR.

Not sure if that has any critical implications or if there is a solution to run openvpn completely unprivileged.

Most graphical network managers in other distributions would allow vpn sessions for non-root users without having to type the root password.

[JakeSFR]

Not sure if that has any critical implications or if there is a solution to run openvpn completely unprivileged.

This might help, although it looks complicated: https://community.openvpn.net/openvpn/w ... ilegedUser

I guess you could also try starting the VPN (as root) in /etc/rc.d/rc.local, but this way the non-root user won't have any control over it, once it's started.

Greetings!

[Neo_78]

Thanks @JakeSFR. The guide looks indeed complicated.

I think the core permissions problem is that a normal user is not allowed to create a new tun device, when openvpn is started, correct? Could those permissions be adjusted?

I remember that with Gnome network manager in Ubuntu it was pretty easy for a normal non-root user to setup and control a vpn via openvpn.

Isn't there a comparable graphical network management tool for Openbox that sets the required permissions for OpenVPN so that normal users can use a VPN without too much tinkering?

[jamesbond]

OpenVPN needs to be started as root.
But in its config file, you have the option to drop privileges and run as another "user" or "group".

https://github.com/OpenVPN/openvpn/blob ... erver.conf

This is the standard way to run system-wide daemons.

[Neo_78]

Thanks @jamesbond.

Where exactly in the server.conf do you see the options to define a specific openvpn user and / or add a custom group of allowed users?

[jamesbond]

Where exactly in the server.conf do you see the options to define a specific openvpn user

See screenshot

and / or add a custom group of allowed users?

This is more of an OpenVPN configuration question than a Fatdog question. I refer you to these:
https://openvpn.net/community-resources ... le-clients

and

https://community.openvpn.net/openvpn/w ... nVPN-Howto