Arch Linux SSL VPN Client Configuration
Anheng Information is a company listed on the STAR Market (Science and Technology Innovation Board). It sells several security products, some of which bundle an SSL VPN.
If you use Linux you will find that this VPN product ships no Linux client, only Windows and macOS ones. I use a Mac at work and Linux at home, and carrying a computer back and forth every day is tiresome.
So the question is: which client can connect to this VPN service from Linux? I checked and found that the Mac client is built on Tunnelblick, and Tunnelblick is a GUI front end for OpenVPN. In theory, then, you only need to configure the stock OpenVPN client on Linux.
1. Install OpenVPN client under Arch
Installing openvpn on Arch is trivial:
sudo pacman -S openvpn
Client and server are the same binary; only the configuration directory differs (/etc/openvpn/client/ versus /etc/openvpn/server/), which is a sensible layout.
2. Configure the client
Because my scenario is only connecting to a server, I need to configure just the client-side files.
Connecting from the Mac client and from Linux follows the same steps; the difference is that one is a GUI and the other a command line. The company will hand you a file ending in .ovpn. Don't be scared, it is just a plain text file.
Its content is similar to the example file /usr/share/openvpn/examples/client.conf, except for the suffix.
Assume the company gives you client.ovpn: rename it to client.conf and put it at /etc/openvpn/client/client.conf.
Here is an example:
[root@minipc ~]# cat /etc/openvpn/client/client.conf
client
proto tcp-client
remote your_server_ip_or_domain
port 1194
dev tun
nobind
verb 4
auth-nocache
auth-user-pass /etc/openvpn/client/auth.txt
push-peer-info

keepalive 60 300
static-challenge "two-factor" 1
<ca>
-----BEGIN CERTIFICATE-----
(CA certificate body omitted)
-----END CERTIFICATE-----

</ca>
tun-mtu 1514
reneg-sec 0
The key points are:
- remote # the VPN server address
- port # server port, 1194 by default
- auth-user-pass your_password_file # file holding the username and password; use an absolute path. The directive is optional: leave it out and OpenVPN prompts for both on the command line. If you would rather not type them every time, point it at a file.
A few other directives matter more than they look. static-challenge is what makes OpenVPN prompt for the one-time code (the trailing 1 means the typed code is echoed). auth-nocache tells OpenVPN not to keep the credentials in memory after the handshake. reneg-sec 0 stops the client from initiating periodic TLS renegotiation, which would re-run authentication and, with static-challenge two-factor, demand a fresh one-time code; the server can still renegotiate on its own schedule. push-peer-info sends details about the client (platform, OpenVPN version, a hardware address) to the server, so expect the server to see them. Everything else is simple; when in doubt, refer to the OpenVPN documentation.
Set the credentials file to mode 600 so that only root can read it.
[root@minipc ~]# cat /etc/openvpn/client/auth.txt
xiaomin
xiaomin_password
[root@minipc ~]# ls -al /etc/openvpn/client/auth.txt
-rw------- 1 root root 19 Oct 1 13:34 /etc/openvpn/client/auth.txt
Username on the first line, password on the second. Don't ask me why; that is the format OpenVPN expects, and if you don't believe it, try putting both on one line separated by a space or tab and watch it fail.
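The steps above (drop the profile into /etc/openvpn/client, write auth.txt, lock it down) are easy to get subtly wrong: a credentials file that is world-readable for a moment, a profile with no CA so the server is never authenticated, or a profile whose auth-user-pass line still points at a path from the Mac. The script below, added here as an example and not part of the original post or the vendor's tooling, does the whole procedure in one go. It uses the article's paths; the directive checks, the script name install-ovpn.sh and the way credentials are prompted for are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): install a vendor-issued .ovpn
# as an OpenVPN client profile on Arch and create the credentials file safely.
# Paths follow the article (/etc/openvpn/client, client.conf, auth.txt);
# the checks and the prompt handling are assumptions for this demo.
set -eu

CLIENT_DIR="${CLIENT_DIR:-/etc/openvpn/client}"

# A client profile must declare itself a client, name a remote and a device,
# and carry a CA certificate (inline <ca> block or a 'ca <file>' line).
# Without a CA, OpenVPN cannot verify who is on the other end of the TLS session.
check_profile() {
    f="$1"
    for d in client remote dev; do
        if ! grep -Eq "^[[:space:]]*${d}([[:space:]]|\$)" "$f"; then
            echo "profile $f: missing directive '$d'" >&2
            return 1
        fi
    done
    if ! grep -Eq '^[[:space:]]*(<ca>|ca[[:space:]])' "$f"; then
        echo "profile $f: no CA certificate, server cannot be authenticated" >&2
        return 1
    fi
    return 0
}

# Write the two-line credentials file (username, then password). The umask
# in a subshell makes the file 0600 from the moment it is created, so there is
# no window in which another local user can read it before chmod runs.
write_auth() {
    out="$1" user="$2" pass="$3"
    ( umask 077; printf '%s\n%s\n' "$user" "$pass" > "$out" )
    chmod 600 "$out"
}

# True if the file is exactly mode 0600 (-rw-------).
check_auth_perms() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Copy the .ovpn to $CLIENT_DIR/<name>.conf (so openvpn-client@<name> finds it),
# replacing any auth-user-pass line with one that points at our auth.txt.
install_profile() {
    src="$1" name="${2:-client}"
    dst="$CLIENT_DIR/$name.conf"
    check_profile "$src"
    install -d -m 755 "$CLIENT_DIR"
    { grep -Ev '^[[:space:]]*auth-user-pass' "$src" || true; } > "$dst"
    printf 'auth-user-pass %s/auth.txt\n' "$CLIENT_DIR" >> "$dst"
    chmod 640 "$dst"
    echo "$dst"
}

# Usage: sudo ./install-ovpn.sh client.ovpn [name]
# Credentials are read from the terminal rather than passed as arguments, so
# the password never appears in shell history or in 'ps' output.
if [ "$#" -gt 0 ]; then
    conf=$(install_profile "$@")
    printf 'VPN username: '; read -r u
    printf 'VPN password: '; stty -echo; read -r p; stty echo; echo
    write_auth "$CLIENT_DIR/auth.txt" "$u" "$p"
    check_auth_perms "$CLIENT_DIR/auth.txt"
    echo "installed $conf; start it with: systemctl start openvpn-client@${2:-client}"
fi
```

Run it as root once, then the unit name follows from the file name: client.ovpn becomes client.conf and is started as openvpn-client@client. Because the profile ends up owned by root with mode 640 and auth.txt with mode 600, a non-root user on the same box sees neither the CA nor the password.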
3. Start and run
On Mac you just launch the GUI. There are several OpenVPN GUI clients for Linux too, but regular readers know I use the labwc environment, which is deliberately minimal, so the command line is more convenient: sudo openvpn --config /etc/openvpn/client/client.conf runs the client in the foreground, and the log looks like this:
2024-10-01 15:00:17 us=267349 mode = 0
...10,000 lines omitted...
2024-10-01 15:02:45 us=238580 client = ENABLED
2024-10-01 15:02:45 us=238584 pull = ENABLED
2024-10-01 15:02:45 us=238588 auth_user_pass_file = '/etc/openvpn/client/auth.txt'
2024-10-01 15:02:45 us=238594 OpenVPN 2.6.12 [git:makepkg/038a94bae57a446c+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on Jul 18 2024
2024-10-01 15:02:45 us=238605 library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
2024-10-01 15:02:45 us=238613 DCO version: N/A
CHALLENGE: two-factor
Because the company has enabled two-step verification, you are prompted for a verification code at the end; that prompt comes from the static-challenge directive in the profile. The code normally comes from an authenticator app on your phone such as Microsoft Authenticator: a six-digit number that changes with time. Enter it and the connection proceeds. If two-step verification is not enabled, the command connects directly.
After connecting you will see more than one tun interface (layer 3, so no MAC address). In the listing below tun1 is the OpenVPN tunnel; tun0 belongs to sing-box, and those who know will know.
➜ ~ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
 inet 127.0.0.1/8 scope host lo
 valid_lft forever preferred_lft forever
 inet6 ::1/128 scope host noprefixroute
 valid_lft forever preferred_lft forever
2: enp1s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
 link/ether 70:70:fc:06:ac:aa brd ff:ff:ff:ff:ff:ff
3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
 link/ether e4:c7:67:3f:6a:06 brd ff:ff:ff:ff:ff:ff
 inet 192.168.124.5/24 brd 192.168.124.255 scope global dynamic noprefixroute wlp2s0
 valid_lft 75818sec preferred_lft 75818sec
 inet6 fe80::a531:de1c:800e:ed07/64 scope link noprefixroute
 valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 9000 qdisc fq_codel state UNKNOWN group default qlen 500
 link/none
 inet 172.19.0.1/30 brd 172.19.0.3 scope global tun0
 valid_lft forever preferred_lft forever
 inet6 fe80::ed5c:8b63:307:ee6a/64 scope link stable-privacy proto kernel_ll
 valid_lft forever preferred_lft forever
7: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1514 qdisc fq_codel state UNKNOWN group default qlen 500
 link/none
 inet 172.20.0.2/24 scope global tun1
 valid_lft forever preferred_lft forever
 inet6 fe80::352:fae8:59c6:8e92/64 scope link stable-privacy proto kernel_ll
 valid_lft forever preferred_lft forever
4. Others
So far the client has been running in the foreground. What if the terminal is closed by accident? I normally work inside tmux with several windows open, so this is not a big problem for me.
What if you don't use tmux, or simply don't want a foreground process? Let systemd take over; the openvpn package already ships a template unit for exactly this.
Without further ado, here is the whole procedure.
First cat the unit to see what it does, then start the unit and answer the two-factor prompt (systemd asks for it through systemd-tty-ask-password-agent, as the broadcast message says). If tun1 appears, the connection succeeded; after stopping the unit, tun1 disappears, which means it is down. I think you should be satisfied 😅
➜ ~ sudo systemctl cat openvpn-client@.service
[sudo] password for mephisto:
# /usr/lib/systemd/system/openvpn-client@.service
[Unit]
Description=OpenVPN tunnel for %I
After=network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/client
ExecStart=/usr/bin/openvpn --suppress-timestamps --nobind --config %i.conf
User=root
Group=network
AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
KillMode=process

[Install]
WantedBy=multi-user.target
➜ ~ sudo systemctl start openvpn-client@client.service

Broadcast message from root@minipc (Tue 2024-10-01 15:14:28 CST):

Password entry required for 'CHALLENGE: two-factor' (PID 81068).
Please enter password with the systemd-tty-ask-password-agent tool.

🔐 CHALLENGE: two-factor 951053
➜ ~ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
 inet 127.0.0.1/8 scope host lo
 valid_lft forever preferred_lft forever
 inet6 ::1/128 scope host noprefixroute
 valid_lft forever preferred_lft forever
2: enp1s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
 link/ether 70:70:fc:06:ac:aa brd ff:ff:ff:ff:ff:ff
3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
 link/ether e4:c7:67:3f:6a:06 brd ff:ff:ff:ff:ff:ff
 inet 192.168.124.5/24 brd 192.168.124.255 scope global dynamic noprefixroute wlp2s0
 valid_lft 75458sec preferred_lft 75458sec
 inet6 fe80::a531:de1c:800e:ed07/64 scope link noprefixroute
 valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 9000 qdisc fq_codel state UNKNOWN group default qlen 500
 link/none
 inet 172.19.0.1/30 brd 172.19.0.3 scope global tun0
 valid_lft forever preferred_lft forever
 inet6 fe80::ed5c:8b63:307:ee6a/64 scope link stable-privacy proto kernel_ll
 valid_lft forever preferred_lft forever
8: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1514 qdisc fq_codel state UNKNOWN group default qlen 500
 link/none
 inet 172.20.0.2/24 scope global tun1
 valid_lft forever preferred_lft forever
 inet6 fe80::a713:868:de2d:2bb0/64 scope link stable-privacy proto kernel_ll
 valid_lft forever preferred_lft forever

➜ ~ sudo systemctl stop openvpn-client@client.service
➜ ~ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
 inet 127.0.0.1/8 scope host lo
 valid_lft forever preferred_lft forever
 inet6 ::1/128 scope host noprefixroute
 valid_lft forever preferred_lft forever
2: enp1s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
 link/ether 70:70:fc:06:ac:aa brd ff:ff:ff:ff:ff:ff
3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
 link/ether e4:c7:67:3f:6a:06 brd ff:ff:ff:ff:ff:ff
 inet 192.168.124.5/24 brd 192.168.124.255 scope global dynamic noprefixroute wlp2s0
 valid_lft 75259sec preferred_lft 75259sec
 inet6 fe80::a531:de1c:800e:ed07/64 scope link noprefixroute
 valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 9000 qdisc fq_codel state UNKNOWN group default qlen 500
 link/none
 inet 172.19.0.1/30 brd 172.19.0.3 scope global tun0
 valid_lft forever preferred_lft forever
 inet6 fe80::ed5c:8b63:307:ee6a/64 scope link stable-privacy proto kernel_ll
 valid_lft forever preferred_lft forever
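"If tun1 appears, it succeeded" is the check a human does by reading ip a. For a script, or for a desktop notification after the unit starts, it helps to do the same check programmatically. The snippet below is an added example, not code from the original post: it parses the one-line form of ip -o -4 addr (so the logic can be tested on captured text) and waits for a tun interface carrying the VPN's address range. The interface names and the 172.20.0.0/24 range come from the article's listing; the script name vpn-up.sh, the prefix argument and the timeout are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the tunnel actually came
# up after 'systemctl start openvpn-client@<name>', instead of eyeballing 'ip a'.
# Parsing works on 'ip -o -4 addr' output so it can be tested on captured text;
# interface names and addresses come from the article, the VPN prefix and the
# timeout are assumptions.
set -eu

# Print "<ifname> <cidr>" for every tun interface in 'ip -o -4 addr' output
# read from stdin. One-line format: "7: tun1    inet 172.20.0.2/24 scope ..."
tun_addrs() {
    awk '$2 ~ /^tun[0-9]+$/ && $3 == "inet" { print $2, $4 }'
}

# Succeed if some tun interface carries an address starting with $1, e.g.
# "172.20.0." for the range the article's VPN hands out on tun1.
vpn_up() {
    tun_addrs | awk -v p="$1" 'index($2, p) == 1 { found = 1 } END { exit !found }'
}

# Poll the live system for up to $2 seconds (default 30) until prefix $1 is
# present on a tun device. Returns 1 on timeout.
wait_for_vpn() {
    prefix="$1" timeout="${2:-30}"
    i=0
    while [ "$i" -lt "$timeout" ]; do
        if ip -o -4 addr | vpn_up "$prefix"; then
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# Usage: sudo ./vpn-up.sh client 172.20.0. [timeout]
# With static-challenge two-factor, 'systemctl start' blocks until the code is
# supplied through systemd-tty-ask-password-agent, so keep a second terminal
# ready for that prompt.
if [ "$#" -ge 2 ]; then
    systemctl start "openvpn-client@$1.service"
    if wait_for_vpn "$2" "${3:-30}"; then
        echo "VPN up:"; ip -o -4 addr | tun_addrs
    else
        echo "no tun interface with prefix $2; see: journalctl -u openvpn-client@$1" >&2
        exit 1
    fi
fi
```

Matching on the address range rather than on the name tun1 is deliberate: the kernel numbers tun devices in creation order, so on a box that also runs sing-box (tun0 here) or anything else that creates a tun, the OpenVPN interface is not guaranteed to be tun1 every time.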
I don't know whether you, the reader, have noticed that I am writing this article on the afternoon of National Day.
That means I sacrificed holiday time to contribute to the Chinese-language internet. If you want to show support, just follow my public account; I ask for nothing else. Public-account advertising can make a little money.
Since I changed jobs I have been much busier than before and have no time to slack off. Of course, I also get to learn things; after all, my retirement has been pushed back, so what can I do? The frequency of articles has dropped sharply, and I can only write in my spare time.
Writing doesn't make money. In the recent bull market I made more than 100,000 RMB in a day, but the advertising income from writing this article is close to zero. An article takes at least two hours on average; effort and income are completely out of proportion. I can't even cover the domain-name fee.
On second thought, Chinese-language content on the internet is shrinking by the day. I too have found valuable Chinese content that solved my problems, and its authors don't seem to have made much money either, so why should I be so utilitarian? Simply contributing isn't impossible; call it something I do for myself. What if one day there are more readers and the quality improves over time? Or some struggling person happens to need exactly this?
Copyright statement:
- All content without a stated source is original; please do not repost without authorization (reposts tend to mangle the layout, put the content beyond my control, and cannot be kept up to date);
- For non-profit purposes, when reusing any content from this blog please give the address of the relevant page on this site as 'source' or 'reference link' (for the readers' convenience).
See Also:
- How to install and use the iNode client under Arch linux
- Openvpn Example
- Maintaining WeChat public account records in Linux environment
- Linux environment key detection
- Snipe it asset management system installation and use
- Hysteria Science Internet Brief
- Raspberry Pi Running Distribution Agent
- Solve the problem that network configuration cannot be changed and saved under Linux
- labwc environment enables wlogout
- Solving the stuck problem under Atuin ZFS