Ubuntu openvpn with .ovpn file
This post explains how to connect to a VPN from Ubuntu when you are given a .ovpn file. We will use Ubuntu’s network manager to connect to the VPN.
This might look long, but it's pretty simple 🙂
Install the required packages
sudo apt-get install network-manager network-manager-openvpn network-manager-openvpn-gnome
Creating individual files from client.ovpn file
Get the correct .ovpn file from your administrator ( the one in this post is called client.ovpn ).
Because of a bug in the network manager ( https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/606365 ), we cannot import the file directly; we will have to split the file up manually and apply some minor workarounds.
These files must be kept safe and private at all times.
- Make a directory called openvpn in your home directory
- Copy the client.ovpn file into dir openvpn
- Optional: Keep an original copy of the file – call it client.ovpn.orig
- Next we will create 4 files under the openvpn directory. Open the client.ovpn file in a text editor
- Create a file called ca.crt – copy the text between <ca> and </ca> from client.ovpn into this file
- Create a file called client.crt – copy the text between <cert> and </cert> from client.ovpn into this file
- Create a file called client.key – copy the text between <key> and </key> from client.ovpn into this file
- Create a file called ta.key – copy the text between <tls-auth> and </tls-auth> from client.ovpn into this file
- At this point I have a total of 6 files under my openvpn directory
Modify the client.ovpn file
Just before the ## -----BEGIN RSA SIGNATURE----- line, add the lines below and save
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key
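The file-splitting steps above, automated as an added example shell script (not from the original post, nor one of the scripts linked in the comments). It writes the four inline blocks to the files the post names, keeps them owner-readable only, and rewrites client.ovpn with the ca/cert/key/tls-auth directives appended at the end rather than before the RSA signature comment, which OpenVPN accepts just the same; the key-direction line is preserved, so you can still read it off for the TLS Authentication tab. The make_sample function and its placeholder PEM bodies are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: automates the post's manual split.
# Inline <ca>, <cert>, <key> and <tls-auth> blocks become ca.crt, client.crt,
# client.key and ta.key (mode 600); the rewritten client.ovpn references them
# and keeps key-direction and every other line. Assumes each tag is alone on a line.
set -eu

# Print the lines strictly between <TAG> and </TAG> in FILE.
extract_block() {   # extract_block FILE TAG
    awk -v tag="$2" '$0 == ("<" tag ">")  { inside = 1; next }
                     $0 == ("</" tag ">") { inside = 0; next }
                     inside { print }' "$1"
}

# Tag-to-file mapping, mirroring the four files the post has you create.
PAIRS="ca:ca.crt cert:client.crt key:client.key tls-auth:ta.key"
split_ovpn() {      # split_ovpn SRC.ovpn OUTDIR
    src="$1"; out="$2"
    mkdir -p "$out"; chmod 700 "$out"     # private key material lives here
    cp "$src" "$out/client.ovpn.orig"     # untouched copy, as the post suggests
    for pair in $PAIRS; do
        tag=${pair%%:*}; name=${pair#*:}
        if grep -qx "<$tag>" "$src"; then
            extract_block "$src" "$tag" > "$out/$name"
            chmod 600 "$out/$name"
        fi
    done
    {   # Drop the inline blocks, keep every other directive verbatim, then
        # reference only the files that were actually extracted.
        awk '/^<(ca|cert|key|tls-auth)>$/  { skip = 1; next }
             /^<\/(ca|cert|key|tls-auth)>$/ { skip = 0; next }
             !skip { print }' "$src"
        for pair in $PAIRS; do
            tag=${pair%%:*}; name=${pair#*:}
            if [ -f "$out/$name" ]; then echo "$tag $name"; fi
        done
    } > "$out/client.ovpn"
    chmod 600 "$out/client.ovpn"
}
# Constructed sample config with placeholder bodies (no real key material).
make_sample() {     # make_sample PATH
    cat > "$1" <<'EOF'
client
remote vpn.example.invalid 1194
key-direction 1
<ca>
CA-PLACEHOLDER
</ca>
<cert>
CLIENT-CERT-PLACEHOLDER
</cert>
<key>
CLIENT-KEY-PLACEHOLDER
</key>
<tls-auth>
TA-PLACEHOLDER
</tls-auth>
EOF
}
```

Run it as `split_ovpn client.ovpn ~/openvpn` and import ~/openvpn/client.ovpn in Network Manager as described below; files that the source config does not contain (for example ta.key when there is no <tls-auth> block) are simply not created or referenced.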
Setting up the Network Manager
- Click on Ubuntu network icon on the top right
- Select VPN Connections -> Configure VPN ( the Network Connections window will open )
- Click on the VPN tab and click Import
- Select the client.ovpn file we just modified and it should automatically import some things into the next screen
- Connection Name will be = client – change this to something meaningful ( I set it to companyVPN )
- Gateway should already be imported
- Type is : Password with Certificates ( TLS ) – this was also set for me
- Provide the username and password for VPN
- User certificate will be client.crt
- CA certificate will be ca.crt
- Private Key will be client.key
- Click on Advanced -> TLS Authentication Tab
- Key file will be ta.key
- Key Direction must be set based on the key direction in your client.ovpn file
- Open the client.ovpn file and search for “key-direction” and note the number after that ( mine is key-direction 1 )
- Put this number in the Key Direction field in the TLS Authentication Tab
- Click save on all windows and close all windows.
Time to test connection
- Click on Ubuntu network icon on the top right
- Select VPN Connections and you should see your connection there – click it
- If successfully connected, you will see a message and then you can verify your IP address with ifconfig
- There is a Disconnect VPN under VPN Connection for obvious reasons
Now on Network Manager 1.1.93 .ovpn files with embedded certificates are recognized correctly. 🙂
Rock on! Thanks a lot!
Thank you. Works like charm.
Dear all,
Similar to Robert, I tried to connect to my Asus N66U OpenVPN server (I don’t have a ta.key either) but I can’t even connect by using the “openvpn” command.
The only difference is changing the default port from 1194 to TCP 443.
The most interesting thing is that I can connect by using the “OpenVPN Connect” app installed on my iPhone with the same client.ovpn file.
I tried both OpenVPN version 2.3.2 (which comes with Ubuntu 14.04) and 2.3.8 (latest) on my Ubuntu 14.04.3 Desktop.
Would anyone please help and have a look?
I got the following error message from client side:
=============================================================================
Enter Auth Password:
Thu Sep 24 11:40:06 2015 Attempting to establish TCP connection with [AF_INET][IP_ADDRESS]:443 [nonblock]
Thu Sep 24 11:40:07 2015 TCP connection established with [AF_INET][IP_ADDRESS]:443
Thu Sep 24 11:40:07 2015 TCPv4_CLIENT link local: [undef]
Thu Sep 24 11:40:07 2015 TCPv4_CLIENT link remote: [AF_INET][IP_ADDRESS]:443
Thu Sep 24 11:40:07 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Sep 24 11:40:08 2015 TLS_ERROR: BIO read tls_read_plaintext error: error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
Thu Sep 24 11:40:08 2015 TLS Error: TLS object -> incoming plaintext read error
Thu Sep 24 11:40:08 2015 TLS Error: TLS handshake failed
Thu Sep 24 11:40:08 2015 Fatal TLS error (check_tls_errors_co), restarting
Thu Sep 24 11:40:08 2015 SIGUSR1[soft,tls-error] received, process restarting
Thu Sep 24 11:40:13 2015 Attempting to establish TCP connection with [AF_INET][IP_ADDRESS]:443 [nonblock]
Thu Sep 24 11:40:14 2015 TCP connection established with [AF_INET][IP_ADDRESS]:443
Thu Sep 24 11:40:14 2015 TCPv4_CLIENT link local: [undef]
Thu Sep 24 11:40:14 2015 TCPv4_CLIENT link remote: [AF_INET][IP_ADDRESS]:443
^CThu Sep 24 11:40:14 2015 event_wait : Interrupted system call (code=4)
Thu Sep 24 11:40:14 2015 SIGINT[hard,] received, process exiting
=============================================================================
The following is my client.ovpn content
=============================================================================
client
dev tun
proto tcp-client
remote [IP_ADDRESS] 443
float
cipher AES-256-CBC
comp-lzo adaptive
keepalive 15 60
auth-user-pass
ns-cert-type server
-----BEGIN CERTIFICATE-----
…OMITTED
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
…OMITTED
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
…OMITTED
-----END PRIVATE KEY-----
resolv-retry infinite
nobind
=============================================================================
Thanks again.
Just found a solution by myself…
http://www.asus.com/tw/Forum/List?AID=38941&PageNumber=2
The thread mentions that the problem is caused by Asus,
as the Asus router's OpenVPN server generates a short DH key by default, and the OpenVPN clients after 2.3.6 require a long DH key.
Solution 1: Use OpenVPN client 2.3.6 or before
Solution 2: Manually regenerate a long dh key http://www.snbforums.com/threads/asus-rt-87u-merlin-openvpn-server-fails-diffie-helmann-dh-key-too-small.25326/ and put it on the router
How to change the OpenVPN password? I already searched Google for 2 days and tried so many commands, but it is still not working.
@Nedy
Can you tell me what you are trying to do exactly? What password are you trying to change?
I can't seem to find my CA certificate; when I try to import, the file is missing, but I can view it through the normal window.
@prioritysoftwareng
I don't understand the problem that you are facing – please provide more details on what you are trying to do – it may be a permission issue
Hi Naveen!
I have a client.ovpn for the VPN connection. Do you know how I can check whether my OpenVPN works successfully or not?
Because every time I select VPN Connection from the Network icon, I see that my connection always times out after more or less 60 secs.
The error log is:
Jun 24 21:31:53 tientham-VirtualBox NetworkManager[726]: Starting VPN service ‘openvpn’…
Jun 24 21:31:53 tientham-VirtualBox NetworkManager[726]: VPN service ‘openvpn’ started (org.freedesktop.NetworkManager.openvpn), PID 4518
Jun 24 21:31:53 tientham-VirtualBox NetworkManager[726]: VPN service ‘openvpn’ appeared; activating connections
Jun 24 21:31:53 tientham-VirtualBox NetworkManager[726]: VPN plugin state changed: init (1)
Jun 24 21:31:53 tientham-VirtualBox NetworkManager[726]: VPN plugin state changed: starting (3)
Jun 24 21:31:53 tientham-VirtualBox NetworkManager[726]: VPN connection ‘VPN connection’ (Connect) reply received.
Jun 24 21:31:53 tientham-VirtualBox nm-openvpn[4524]: OpenVPN 2.3.2 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Jun 24 21:31:54 tientham-VirtualBox nm-openvpn[4524]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jun 24 21:31:54 tientham-VirtualBox nm-openvpn[4524]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 24 21:31:54 tientham-VirtualBox nm-openvpn[4524]: UDPv4 link local: [undef]
Jun 24 21:31:54 tientham-VirtualBox nm-openvpn[4524]: UDPv4 link remote: [AF_INET]62.152.110.138:1194
Jun 24 21:32:33 tientham-VirtualBox NetworkManager[726]: VPN connection ‘VPN connection’ (IP Config Get) timeout exceeded.
Jun 24 21:32:33 tientham-VirtualBox NetworkManager[726]: Policy set ‘Wired connection 1’ (eth0) as default for IPv4 routing and DNS.
Jun 24 21:32:33 tientham-VirtualBox nm-openvpn[4524]: SIGTERM[hard,] received, process exiting
Jun 24 21:32:38 tientham-VirtualBox NetworkManager[726]: VPN service ‘openvpn’ disappeared
My OS which uses OpenVPN is Linux Ubuntu 14.04 under virtual machine.
Hope to hear from you, thank you so much!
This might help:
http://askubuntu.com/questions/411976/how-to-debug-vpn-connection-issues-13-10
Hi, I have a client.ovpn file for the VPN connection and configured my VPN GUI client as discussed in the post. One more thing we have configured is Google authentication on the OpenVPN server.
While connecting, my GUI-based VPN client says “vpn connection failed due to invalid vpn secrets”. Please help in resolving the issue and connecting to the VPN.
What OS are you running? – this might be a known bug – https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/738849
Google the words “vpn connection failed due to invalid vpn secrets” and you will see some solutions
Thank You!!! This is how to connect to VPN using .ovpn file on Debian 8
Hey Naveen..
I'm using zenvpn.ovpn in my college, but now it is not working.
When I type
openvpn --config zenvpn.ovpn
it shows:
Sun May 3 17:18:39 2015 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Sun May 3 17:18:39 2015 Control Channel Authentication: tls-auth using INLINE static key file
Sun May 3 17:18:39 2015 Outgoing Control Channel Authentication: Using 160 bit message hash ‘SHA1’ for HMAC authentication
Sun May 3 17:18:39 2015 Incoming Control Channel Authentication: Using 160 bit message hash ‘SHA1’ for HMAC authentication
Sun May 3 17:18:39 2015 WARNING: normally if you use –mssfix and/or –fragment, you should also set –tun-mtu 1500 (currently it is 1300)
Sun May 3 17:18:39 2015 Socket Buffers: R=[212992->131072] S=[212992->131072]
Sun May 3 17:18:39 2015 UDPv4 link local (bound): [undef]
Sun May 3 17:18:39 2015 UDPv4 link remote: [AF_INET]213.183.56.121:1194
…………………………………………………
TLS handshaking failing
Please give me a solution…
Thanks
@Muhasin Rashid – the first thing to make sure of is that you are not blocked by the VPN provider and that your own firewall rules are not blocking the connection – check those settings
Wow, thanks! That finally helped me to get OpenVPN running in Gnome again.
As I found the manual editing of the config quite error prone and cumbersome I have created a short python script to do the job automatically… maybe it helps you, too.
-> https://gist.github.com/seebk/bb94a7fd70d4cc454aaa
Nice !
I made a bash script to do this as well.
https://github.com/ryanniehaus/useful_scripts/blob/master/openvpn_conversion_for_network-manager/update_vpnprovidersinfo_and_extract_certs.sh
Hi! I wonder if you could help me. There is no ## -----BEGIN RSA SIGNATURE----- line in my .ovpn file, so I cannot do that part. I used your instructions once and (skipping the bit with the RSA signature line) managed to get two out of the three ovpn connections working. Now we received updated .ovpn files; I tried setting it up the same way, but this time it looks like they don’t work (every time I try to connect, I get a “connection failed because of timeout” error). Is this supposed to work if I skip the RSA signature line step?
@sophie – are you able to connect to the VPN via the command line? Try that – if you cannot, then the problem is with your ovpn file
Also, what OS / version are you on? People have reported that this does not work on Ubuntu 14.04 – maybe the network manager got updated
Hi, thanks a lot for your answer! I’m on 12.04. In the meantime, when I tried again through the command line, I got the following error message. I’m an Ubuntu novice and will freely admit to not really knowing what to do with it, exactly… (Note: 37 is the name given to one of the three OVPN clients I’m trying to install, and the 37.crt file exists in the appropriate directory. As I mentioned, I’ve managed to make it work with the help of your instructions once before.)
Wed Jan 28 13:09:20 2015 us=800739 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Jan 28 13:09:20 2015 us=800796 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Jan 28 13:09:20 2015 us=801733 Cannot load certificate file 37.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Wed Jan 28 13:09:20 2015 us=801791 Exiting
These two threads might help – otherwise ask the question in the OpenVPN forum –
Also make sure you have the file path and file permissions correct – these are the cause of most problems
https://forums.openvpn.net/topic16884.html
https://forums.openvpn.net/topic8835.html
Thanks a lot. It helped me a lot. While connected to the VPN I was not able to browse the internet. Now I am able to browse and at the same time connect to the VPN servers. Thanks again dude!
Hmm, I don't know about the iPad, but Lubuntu should be very similar to Ubuntu – if you can connect via the command line and not via Network Manager, then there might be a bug in the Network Manager in Debian
Btw, what version of Lubuntu are you on? Lots of people have complained that VPN is not working on 14.04
Let me know if the Windows Certificate works
Hi
You are probably right. I’m on 14.04, and I found the posts about the VPN problems.
Given that I can get the VPN connected from the command line in a terminal, I will probably just live with that for now. Perhaps it will get fixed in one of the updates?
Sometime when I have lots of free time I will try generating a new PKI environment. However for the moment 95% of everything I need is working, so I can live with the situation.
Thank you for all of your help, and for the excellent set of instructions.
Robert
Hi
Thanks for the quick reply.
I tried your suggestion, and it is still not working. It just doesn’t like the certificates.
The one possibility is that the built-in client just doesn’t like the certificates generated automatically by the Asus router. I get a very similar error when I try to connect with my iPad. The Asus router just generates a set of random certificates without asking any questions.
So right now, the Windows client connects, Macbook (using Tunnelblick) connects, Android connects, and Lubuntu using the command line.
What isn’t working are my iPad, and Lubuntu using the graphical network manager.
One thing I could try is generating a new set of certificates using EasyRSA under Windows. That would mean reconfiguring things, but it is an option.
Any thoughts?
Robert
This is so close, but I can’t connect. I’m connecting to an OpenVPN served up by as Asus router.
If I use “sudo openvpn client.ovpn” I connect without issue, but I would like to get this working with the network controls.
I don’t have a ta.key, but everything I have read is that this is optional.
My original client.ovpn is as below:
client
dev tun
proto udp
remote xxx.webhop.net 443
float
comp-lzo adaptive
keepalive 15 60
auth-user-pass
-----BEGIN CERTIFICATE-----
MIIDNDCCAp2gAwIBAgIJAMbTH300dCrMMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
***REDACTED****vYC2rRDHEr7WYQ6nXbhwOb6bynAR+zw6xpfgYl
bNHd5ypguMZGRkYzXJz6oHsw0hxdH61tW8MVsYT4mQB85A+oxImKXYDchMZOybIX
XUTy4fx3C6Y=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDejCCAuOgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBwMQswCQYDVQQGEwJUVzEL
MAkGA1UECBMCVFcxDzANBgNVBAcTBlRhaXBlaTENMAsGA1UEChMEQVNVUzERMA8G
A***REDACTED***eBW
xQfpM4uQVu5eQWOyqmPdSlSiMSKc7CVQQ/0D8iIk
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAMxs4bdG2XOG37Lw
***REDACTED***VAcTGktx85E
F/Ol1qfs2Db4dQ==
-----END PRIVATE KEY-----
ns-cert-type server
resolv-retry infinite
nobind
I’ve cut out the certificates as instructed, and I am wondering if I should keep “-----BEGIN PRIVATE KEY-----” etc.? If I remove them, I just get a general error saying that the connection has failed. If I leave them in, I get an error saying the connection failed because of “Invalid VPN Secrets”.
The client.ovpn I imported to create the connection is:
client
dev tun
proto udp
remote xxx.webhop.net 443
float
comp-lzo adaptive
keepalive 15 60
auth-user-pass
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
resolv-retry infinite
nobind
Any thoughts or ideas on how to get this working is greatly appreciated.
Thanks
Robert
So you are able to connect using the command line from your .ovpn file, and it's not working when you try to use the network GUI?
Try not to “cut out” – just copy and paste the data into separate files. Use the original .ovpn file and just add the ca, cert and key entries. A sample .ovpn file should look like this:
http://lukasz.cepowski.com/devlog/32,sample-openvpn-client-config-ovpn
So you should have this file ( with all the information ) + 3/4 files
Gnome-ubuntu 14.04 has changed the method of setting up VPN and I am getting nowhere doing it. Do you have any guidance for their latest method?
There is some info here about running openvpn from command line – it basically uses this post for the first part, but runs the command instead of using the GUI – try it
http://askubuntu.com/questions/450493/openvpn-cant-import-configurations-on-new-14-04-installation
There is a problem getting the DNS address; I solved it like this:
sudo vim /etc/NetworkManager/NetworkManager.conf
And comment out the dnsmasq line so it looks like this:
#dns=dnsmasq
Hope it helps
Thanks a lot. I just used this in Cinnamon (on Ubuntu). A couple of things that were different are that you need to go into ‘Network Settings’ under the drop-down menu in the Network Manager icon. Then press the + button (bottom left of the ‘Network Settings’ area). VPN will be there, so add it, and from there on follow your directions (however I didn’t need to enter my username or password).
Thanks again, you saved me embarrassing myself in front of my more knowledgeable friends (at least this time). =)
Thank you!!
I just followed your post and it worked like a charm :). Thank you!!! for the post.
Hi, thanks for this tutorial, but the .ovpn file I have doesn't have the <tls-auth> and </tls-auth> lines, so I can't create the ta.key. I don't know if I can do without it and continue with the remaining created files. Thanks for your help once again
One more addition. Sometimes we may end up being connected to the corporate VPN but unable to access other websites.
A quick fix for this is: Network Manager menu -> Configure VPN -> Select the created VPN connection -> Button “Edit” -> Tab “IPv4 Settings” -> Button “Routes…” -> Check “Use this connection only for resources on its network”. Done! Sites are back again.
Worked exactly as described. Many thanks.
Gaurav,
I cannot guess much without looking at the .ovpn file. All such files I have dealt with always have a tls-auth section. Contact your system administrator and inquire about it.
Cisco has updated their vpn client – I recommend trying that one first – http://software.cisco.com/download/navigator.html?mdfid=278875403
Hey Naveen,
I am trying your solution, but in the config file there is no tls-auth part. Please help me.. I have been trying for one week but am not able to connect to the VPN server.
Hey, I found it …
/etc/resolv.conf .. DNS poisoned … every query was going out as sitename.ufl.edu, e.g. google.ufl.edu.
When I connected to the VPN .. the appending stopped.
Hence, I removed the DNS entries from that file and kept localhost and the Google DNS server. 🙂
Nice one, good to be independent of third-party apps like Cisco AnyConnect.
Btw do you know this solution ? : http://ubuntuforums.org/showthread.php?t=2127985&p=12568074#post12568074
Cisco VPN gave me some trouble as well – that’s why I wrote this one – though I don’t know the answer to the link you posted