Arch Linux SSL VPN Client Configuration

Anheng Information is a company listed on the STAR Market (Science and Technology Innovation Board). It sells several security products, some of which come with an integrated SSL VPN function.

When you use Linux you will find that this VPN product has no Linux client by default, while Windows and macOS do. I use a Mac at work and Linux at home, and carrying a computer back and forth every day is tedious.

The question is which client can connect to this VPN service on Linux. I checked: the Mac client is built on Tunnelblick, and Tunnelblick is a GUI front end for OpenVPN. So in theory you only need to configure the OpenVPN client on Linux.

1. Install OpenVPN client under Arch

Installing openvpn on Arch is simple:

sudo pacman -S openvpn

Client and server share one program; only the configuration directory differs (/etc/openvpn/client versus /etc/openvpn/server), which is a sensible design.

2. Configure the client

Because my scenario is only to connect to a server, I only need the client-side files.

Connecting with the Mac client is broadly the same as on Linux; the difference is only that one is a GUI and the other is a command line. The company will give you a file ending in .ovpn. Don't be afraid: it is just a plain text file.

Its content is similar to the example file /usr/share/openvpn/examples/client.conf; only the suffix differs.

Assume the company gives you client.ovpn. Rename it to client.conf and put it at /etc/openvpn/client/client.conf.

An example:

[root@minipc ~]# cat /etc/openvpn/client/client.conf
client
proto tcp-client
remote your_server_ip_or_domain
port 1194
dev tun
nobind
verb 4
auth-nocache
auth-user-pass /etc/openvpn/client/auth.txt
push-peer-info

keepalive 60 300
static-challenge "two-factor" 1
<ca>
-----BEGIN CERTIFICATE-----
Omitted here, certificate body
-----END CERTIFICATE-----

</ca>
tun-mtu 1514
reneg-sec 0

The key points are:

  • remote: the VPN server address
  • port: the port, default 1194
  • auth-user-pass your_password_file: the file holding the username and password. Use an absolute path. The file is optional; if you leave it out, openvpn prompts for the credentials on the command line. If you don't want to type them every time, fill it in to save time.

The other directives are also straightforward; if anything is unclear, consult the openvpn(8) manual.

Set the credential file's permissions to 600 (owner only); it is safer, and openvpn itself warns at startup if the file is readable by group or others. Bear in mind that this file holds the password in clear text, so the two-factor challenge described later is what protects the account if the disk is ever read.

[root@minipc ~]# cat /etc/openvpn/client/auth.txt
xiaomin
xiaomin_password
[root@minipc ~]# ls -al /etc/openvpn/client/auth.txt
-rw------- 1 root root 19 Oct 1 13:34 /etc/openvpn/client/auth.txt

Username on the first line, password on the second. Don't ask me why; that's the rule. If you don't believe it, try putting both on one line separated by a space or a tab.
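As an added example (not from the original post and not the vendor's client), here is a small POSIX shell script that performs the installation this section describes and then checks the result: it copies the vendor .ovpn to NAME.conf, writes the two-line credential file with mode 0600 from the very first write (umask 077, so there is no window in which it is readable), rewrites auth-user-pass to the absolute path, and verifies the required directives and the file mode. The destination directory, profile name and the extra warning about a missing auth-nocache are the script's own assumptions; on a real host the destination is /etc/openvpn/client and the script runs as root.

```shell
#!/bin/sh
# Added example: install a vendor .ovpn profile plus credential file the way
# section 2 describes. Paths are parameters so it can be exercised in a
# scratch directory; for real use DEST=/etc/openvpn/client and run as root.
set -eu

# install_profile SRC.ovpn DEST NAME USER PASS
#   copies SRC to DEST/NAME.conf, writes DEST/auth.txt (username line,
#   password line) with mode 0600, and replaces any auth-user-pass line
#   with one that points at the absolute path of that file.
#   Prints the path of the written .conf.
install_profile() {
    src=$1; dest=$2; name=$3; user=$4; pass=$5
    conf="$dest/$name.conf"
    auth="$dest/auth.txt"
    mkdir -p "$dest"
    # umask 077 in a subshell: the file is created 0600, never world-readable
    ( umask 077; printf '%s\n%s\n' "$user" "$pass" > "$auth" )
    # keep everything except an existing auth-user-pass, then append ours
    grep -v '^auth-user-pass' "$src" > "$conf" || true
    printf 'auth-user-pass %s\n' "$auth" >> "$conf"
    echo "$conf"
}

# check_profile CONF
#   returns 0 if CONF carries the directives a client needs and its
#   credential file is mode 0600; reports each problem on stderr and
#   returns 1 otherwise.
check_profile() {
    conf=$1; rc=0
    for d in client remote auth-user-pass; do
        grep -Eq "^$d([[:space:]]|$)" "$conf" \
            || { echo "missing directive: $d" >&2; rc=1; }
    done
    # the post's config sets auth-nocache so the password is not kept in
    # openvpn's memory after use; warn (but do not fail) if it is absent
    grep -q '^auth-nocache' "$conf" || echo "warning: no auth-nocache" >&2
    auth=$(awk '$1=="auth-user-pass"{print $2}' "$conf")
    case "$auth" in
        /*) ;;
        "") echo "auth-user-pass has no file, openvpn will prompt" >&2 ;;
        *)  echo "auth file path is not absolute: $auth" >&2; rc=1 ;;
    esac
    if [ -n "$auth" ]; then
        # first ten columns of ls -l are the mode string, portable across
        # GNU and BSD userlands (a trailing + or . for ACLs is ignored)
        perm=$(ls -l "$auth" | cut -c1-10)
        [ "$perm" = "-rw-------" ] \
            || { echo "auth file mode is $perm, want -rw------- (600)" >&2; rc=1; }
    fi
    return $rc
}

case "${1:-}" in
    install) shift; install_profile "$@" ;;
    check)   shift; check_profile "$@" ;;
esac
```

Usage: `sh ovpn-install.sh install client.ovpn /etc/openvpn/client client xiaomin 'xiaomin_password'` followed by `sh ovpn-install.sh check /etc/openvpn/client/client.conf` (the script name is arbitrary). Passing the password as an argument leaves it in your shell history, so type a leading space if your shell honours HISTCONTROL=ignorespace, or edit auth.txt afterwards instead.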

3. Start and run

On Mac you just launch the GUI. There are also several OpenVPN GUI clients for Linux, but regular readers know I use the labwc environment, which is plain and minimal, so the command line is more convenient: run openvpn as root with --config /etc/openvpn/client/client.conf (the same invocation the systemd unit in section 4 uses) and it logs to the terminal:

2024-10-01 15:00:17 us=267349 mode = 0
...10,000 lines omitted...
2024-10-01 15:02:45 us=238580 client = ENABLED
2024-10-01 15:02:45 us=238584 pull = ENABLED
2024-10-01 15:02:45 us=238588 auth_user_pass_file = '/etc/openvpn/client/auth.txt'
2024-10-01 15:02:45 us=238594 OpenVPN 2.6.12 [git:makepkg/038a94bae57a446c+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on Jul 18 2024
2024-10-01 15:02:45 us=238605 library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
2024-10-01 15:02:45 us=238613 DCO version: N/A
CHALLENGE: two-factor

Because the company has enabled two-step verification, you are prompted for a verification code at the end. The prompt comes from the static-challenge "two-factor" 1 line in the config (the text is what openvpn prints, the trailing 1 means your answer is echoed). Usually an app such as Microsoft Authenticator on your phone shows the 6-digit code, which changes over time. Enter it and the tunnel comes up normally. If two-step verification is not enabled, the connection goes through directly.

After connecting you will have more than one tun virtual interface (layer 3). tun1 below is the VPN; tun0 is sing-box, those who know will know.

➜  ~ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: enp1s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 70:70:fc:06:ac:aa brd ff:ff:ff:ff:ff:ff
3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e4:c7:67:3f:6a:06 brd ff:ff:ff:ff:ff:ff
    inet 192.168.124.5/24 brd 192.168.124.255 scope global dynamic noprefixroute wlp2s0
       valid_lft 75818sec preferred_lft 75818sec
    inet6 fe80::a531:de1c:800e:ed07/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 9000 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 172.19.0.1/30 brd 172.19.0.3 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::ed5c:8b63:307:ee6a/64 scope link stable-privacy proto kernel_ll
       valid_lft forever preferred_lft forever
7: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1514 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 172.20.0.2/24 scope global tun1
       valid_lft forever preferred_lft forever
    inet6 fe80::352:fae8:59c6:8e92/64 scope link stable-privacy proto kernel_ll
       valid_lft forever preferred_lft forever

4. Others

The method above runs in the foreground. What if it is interrupted by accident? I usually work in tmux with several terminals open, so it is not a big problem.

What if you don't use tmux, or don't want it in the foreground? Let systemd take over.

Without further ado, the procedure is below.

First cat the unit to show its configuration, then start it and enter the two-factor code. If tun1 appears, it succeeded; after stopping, tun1 disappears, which means it is shut down. Two things to note from the unit: openvpn-client@client maps to /etc/openvpn/client/client.conf (WorkingDirectory plus %i.conf), and because the unit sets ProtectHome=true and a tight capability set, the credential file must live under /etc/openvpn/client as well, not somewhere in /home. I think you should be satisfied 😅

➜  ~ sudo systemctl cat openvpn-client@.service
[sudo] password for mephisto:
# /usr/lib/systemd/system/openvpn-client@.service
[Unit]
Description=OpenVPN tunnel for %I
After=network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/client
ExecStart=/usr/bin/openvpn --suppress-timestamps --nobind --config %i.conf
User=root
Group=network
AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
KillMode=process

[Install]
WantedBy=multi-user.target
➜  ~ sudo systemctl start openvpn-client@client.service

Broadcast message from root@minipc (Tue 2024-10-01 15:14:28 CST):

Password entry required for 'CHALLENGE: two-factor' (PID 81068).
Please enter password with the systemd-tty-ask-password-agent tool.

🔐 CHALLENGE: two-factor 951053
➜  ~ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: enp1s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 70:70:fc:06:ac:aa brd ff:ff:ff:ff:ff:ff
3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e4:c7:67:3f:6a:06 brd ff:ff:ff:ff:ff:ff
    inet 192.168.124.5/24 brd 192.168.124.255 scope global dynamic noprefixroute wlp2s0
       valid_lft 75458sec preferred_lft 75458sec
    inet6 fe80::a531:de1c:800e:ed07/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 9000 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 172.19.0.1/30 brd 172.19.0.3 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::ed5c:8b63:307:ee6a/64 scope link stable-privacy proto kernel_ll
       valid_lft forever preferred_lft forever
8: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1514 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 172.20.0.2/24 scope global tun1
       valid_lft forever preferred_lft forever
    inet6 fe80::a713:868:de2d:2bb0/64 scope link stable-privacy proto kernel_ll
       valid_lft forever preferred_lft forever

➜  ~ sudo systemctl stop  openvpn-client@client.service
➜  ~ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: enp1s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 70:70:fc:06:ac:aa brd ff:ff:ff:ff:ff:ff
3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e4:c7:67:3f:6a:06 brd ff:ff:ff:ff:ff:ff
    inet 192.168.124.5/24 brd 192.168.124.255 scope global dynamic noprefixroute wlp2s0
       valid_lft 75259sec preferred_lft 75259sec
    inet6 fe80::a531:de1c:800e:ed07/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 9000 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 172.19.0.1/30 brd 172.19.0.3 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::ed5c:8b63:307:ee6a/64 scope link stable-privacy proto kernel_ll
       valid_lft forever preferred_lft forever

I don't know whether you, the reader, noticed that I was writing this article on the afternoon of National Day.

That means I sacrificed my holiday to contribute to the Chinese-language world. If you want to show your support, just follow my public account. I ask for nothing else. Public account advertising can make money.

Since I changed jobs I have been much busier than before, with no time to slack off. Of course, I also get to learn things. After all, my retirement has been delayed, what can I do? The frequency of my articles has dropped sharply, and I can only sacrifice spare time.

Keyboard coding doesn't make money. In the recent bull market I made more than 100,000 RMB in a day, but the advertising income from writing this article is almost zero. An article takes at least two hours on average. The effort and the income are completely disproportionate; I can't even recover the domain name fee.

On second thought, Chinese-language information on the Internet is shrinking by the day. I have also benefited from valuable Chinese content that solved my problems, and its authors don't seem to make much money either. Why should I be so utilitarian? Simply contributing is not impossible, even if that is just consoling myself, Ah Q style. What if one day there are more readers, and the quality of the content improves over time? Or what if some struggling person just needs this?

Lastmod: Tuesday, October 1, 2024
