Ubuntu openvpn with .ovpn file

This post explains how to connect to a VPN from Ubuntu when you are given a .ovpn file. We will use Ubuntu’s network manager to connect to the VPN.

This might look long – but it's pretty simple 🙂

Install the required packages

sudo apt-get install network-manager network-manager-openvpn network-manager-openvpn-gnome

Creating individual files from client.ovpn file

Get the correct .ovpn file from your administrator (the one in this post is called client.ovpn).

Because of a bug in the network manager ( https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/606365 ), we cannot import the file directly. We have to split the file up manually and apply some minor workarounds.

These files must be kept safe and private at all times.

  1. Make a directory called openvpn in your home directory
  2. Copy the client.ovpn file into the openvpn directory
  3. Optional: Keep an original copy of the file – call it client.ovpn.orig
  4. Next we will create 4 files under the openvpn directory. Open the client.ovpn file in a text editor
  5. Create a file called ca.crt – copy the text between <ca> and </ca> from client.ovpn into this file
  6. Create a file called client.crt – copy the text between <cert> and </cert> from client.ovpn into this file
  7. Create a file called client.key – copy the text between <key> and </key> from client.ovpn into this file
  8. Create a file called ta.key – copy the text between <tls-auth> and </tls-auth> from client.ovpn into this file
  9. At this point I have a total of 6 files under my openvpn directory

Modify the client.ovpn file

Just before the ## -----BEGIN RSA SIGNATURE----- line, add the lines below and save:

ca ca.crt
cert client.crt
key client.key
tls-auth ta.key
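
The split-and-edit steps above can be scripted; the following is an added example, not code from the original post. It writes every file with owner-only permissions, skips blocks the profile does not contain (such as a missing <tls-auth>), and appends the directives when there is no RSA SIGNATURE line. The function names and the script name split-ovpn.sh are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): split the inline blocks of an
# .ovpn profile into the files named in the steps above. The tag-to-file
# mapping follows the post; the function names are made up for this example.
PAIRS="ca:ca.crt cert:client.crt key:client.key tls-auth:ta.key"

# extract_block FILE TAG: print the lines between <TAG> and </TAG>, without
# the tag lines themselves (CR and surrounding blanks are stripped).
extract_block() {
    awk -v otag="<$2>" -v ctag="</$2>" '
        { line = $0; sub(/\r$/, "", line); gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line == ctag { inside = 0 }
        inside       { print line }
        line == otag { inside = 1 }
    ' "$1"
}

# split_ovpn SRC [OUTDIR]: write each block to its file with mode 0600.
# A profile without <tls-auth> (or another block) simply skips that file.
split_ovpn() {
    src=$1; out=${2:-.}
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    old_umask=$(umask)
    umask 077    # key material is never created group- or world-readable
    mkdir -p "$out"
    for pair in $PAIRS; do
        tag=${pair%%:*}; file=${pair#*:}
        body=$(extract_block "$src" "$tag")
        if [ -n "$body" ]; then
            printf '%s\n' "$body" > "$out/$file"
            chmod 600 "$out/$file"
        else
            echo "note: no <$tag> block in $src, $file not written" >&2
        fi
    done
    umask "$old_umask"
}

# add_directives SRC DEST: copy SRC to DEST with "ca ca.crt" etc. inserted
# before the "BEGIN RSA SIGNATURE" comment line, or appended when the profile
# has no such line. Only files that exist next to DEST get a directive.
add_directives() {
    src=$1; dest=$2; dir=$(dirname "$dest"); add=""
    for pair in $PAIRS; do
        if [ -f "$dir/${pair#*:}" ]; then
            add="$add${pair%%:*} ${pair#*:}
"
        fi
    done
    # Write to a temp file first so SRC and DEST may be the same path.
    ( umask 077; ADD=$add awk '
        !seen && /BEGIN RSA SIGNATURE/ { printf "%s", ENVIRON["ADD"]; seen = 1 }
        { print }
        END { if (!seen) printf "%s", ENVIRON["ADD"] }
    ' "$src" > "$dest.tmp.$$" ) && mv "$dest.tmp.$$" "$dest"
}

# key_direction FILE: print the number after "key-direction", if present.
key_direction() {
    awk '$1 == "key-direction" { print $2; exit }' "$1"
}

# Usage: sh split-ovpn.sh client.ovpn.orig ~/openvpn
if [ $# -ge 1 ]; then
    split_ovpn "$1" "${2:-.}"
    add_directives "$1" "${2:-.}/client.ovpn"
fi
```

Calling key_direction on client.ovpn prints the value to enter in the Key Direction field during the Network Manager setup.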

Setting up the Network Manager

  1. Click on Ubuntu network icon on the top right
  2. Select VPN Connections -> Configure VPN ( the Network Connections window will open )
  3. Click on the VPN tab and click Import
  4. Select the client.ovpn file we just modified and it should automatically import some things into the next screen
  5. Connection Name will be = client – change this to something meaningful (I set it to companyVPN)
  6. Gateway should already be filled in by the import
  7. Type is: Password with Certificates (TLS) – this was also set for me
  8. Provide the username and password for VPN
  9. User certificate will be client.crt
  10. CA certificate will be ca.crt
  11. Private Key will be client.key
  12. Click on Advanced -> TLS Authentication Tab
  13. Key file will be ta.key
  14. Key Direction must be set based on the key direction in your client.ovpn file
  15. Open the client.ovpn file and search for “key-direction” and note the number after that ( mine is key-direction 1 )
  16. Put this number in the Key Direction field in the TLS Authentication Tab
  17. Click Save in all windows, then close them.

Time to test connection

  1. Click on Ubuntu network icon on the top right
  2. Select VPN Connections and you should see your connection there – click it
  3. If successfully connected, you will see a message and then you can verify your IP address with ifconfig
  4. There is a Disconnect VPN under VPN Connection for obvious reasons
  1. YouKnowMe :)
    March 22, 2013 at 10:21 PM

    Nice one, good to be independent of third party apps like CISCO anyconnect.

    Btw do you know this solution ? : http://ubuntuforums.org/showthread.php?t=2127985&p=12568074#post12568074

    • March 22, 2013 at 11:11 PM

      CISCO vpn gave me some trouble as well – that’s why I wrote this one – though I don’t know the answer to the link you posted

  2. Ashish
    March 23, 2013 at 3:39 AM

    Hey I found it …

    /etc/resolv.conf .. dns poisoned … every query was going as site name . ufl.edu .. eg google.ufl.edu .
    when I connected to the vpn .. appending was stopped.

    Hence , I removed the DNS entries from that file . kept localhost and google dns server. 🙂

  3. gaurav
    July 2, 2013 at 5:23 PM

    hey naveen
    I am trying your solution, but in the config file there is no tls-auth part. Please help me. I have been trying for one week but am not able to connect to the VPN server.

  4. July 2, 2013 at 5:39 PM

    Gaurav,

    I cannot guess much without looking at the .ovpn file. All such files I have dealt with always have a tls-auth section. Contact your system administrator and inquire about it.

    Cisco has updated their vpn client – I recommend trying that one first – http://software.cisco.com/download/navigator.html?mdfid=278875403

  5. Ebsoa
    August 2, 2013 at 1:02 PM

    Worked exactly as described. Many thanks.

  6. October 2, 2013 at 9:20 PM

    One more addition. Sometimes we may end up being connected to the corporate VPN but unable to access other websites.

    A quick fix for this is: Network Manager menu -> Configure VPN -> Select the created VPN connection -> Button “Edit” -> Tab “IPv4 Settings” -> Button “Routes…” -> Check “Use this connection only for resources on its network”. Done! Sites are back again.

  7. ahmed
    October 22, 2013 at 1:25 PM

    Hi, thanks for this tutorial, but the .ovpn file I have doesn't have the line <tls-auth> and </tls-auth>, so I can't create the ta.key. I don't know if I can do without it and continue with the remaining created files. Thanks for your help once again.

  8. Venki
    February 6, 2014 at 8:15 PM

    Thank you!!
    I just followed your post and it worked like a charm :). Thank you!!! for the post.

  9. Tamsyn Michael
    March 26, 2014 at 6:59 AM

    Thanks a lot. I just used this in Cinnamon (on Ubuntu). A couple of things that were different: you need to go into ‘Network Settings’ under the drop down menu in the Network Manager icon. Then press the + button (bottom left of the ‘Network Settings’ area). VPN will be there, so add it, and from there on follow your directions (however I didn’t need to enter my username or password).

    Thanks again, you saved me embarrassing myself in front of my more knowledgeable friends (at least this time). =)

  10. April 14, 2014 at 12:58 PM

    There is a problem getting the DNS address. I solved it like this:
    sudo vim /etc/NetworkManager/NetworkManager.conf
    and commenting out the dnsmasq line, so it must look like this:

    #dns=dnsmasq

    Hope it helps

  11. Robin
    September 14, 2014 at 9:02 PM

    Gnome-ubuntu 14.04 has changed the method of setting up vpn and I am getting nowhere doing it. Do you have any guidance for their latest method?

  12. September 19, 2014 at 6:01 PM

    This is so close, but I can’t connect. I’m connecting to an OpenVPN served up by an Asus router.

    If I use “sudo openvpn client.ovpn” I connect without issue, but I would like to get this working with the network controls.

    I don’t have a ta.key, but everything I have read is that this is optional.

    My original client.ovpn is as below:

    client
    dev tun
    proto udp
    remote xxx.webhop.net 443
    float
    comp-lzo adaptive
    keepalive 15 60
    auth-user-pass

    -----BEGIN CERTIFICATE-----
    MIIDNDCCAp2gAwIBAgIJAMbTH300dCrMMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
    ***REDACTED****vYC2rRDHEr7WYQ6nXbhwOb6bynAR+zw6xpfgYl
    bNHd5ypguMZGRkYzXJz6oHsw0hxdH61tW8MVsYT4mQB85A+oxImKXYDchMZOybIX
    XUTy4fx3C6Y=
    -----END CERTIFICATE-----

    -----BEGIN CERTIFICATE-----
    MIIDejCCAuOgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBwMQswCQYDVQQGEwJUVzEL
    MAkGA1UECBMCVFcxDzANBgNVBAcTBlRhaXBlaTENMAsGA1UEChMEQVNVUzERMA8G
    A***REDACTED***eBW
    xQfpM4uQVu5eQWOyqmPdSlSiMSKc7CVQQ/0D8iIk
    -----END CERTIFICATE-----

    -----BEGIN PRIVATE KEY-----
    MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAMxs4bdG2XOG37Lw
    ***REDACTED***VAcTGktx85E
    F/Ol1qfs2Db4dQ==
    -----END PRIVATE KEY-----

    ns-cert-type server
    resolv-retry infinite
    nobind

    I’ve cut out the certificates as instructed, and I am wondering if I should keep “-----BEGIN PRIVATE KEY-----” etc? If I remove them, I just get a general error saying that the connection has failed. If I leave them in, I get an error saying the connection failed because of “Invalid VPN Secrets”

    The client.ovpn I imported to create the connection is:

    client
    dev tun
    proto udp
    remote xxx.webhop.net 443
    float
    comp-lzo adaptive
    keepalive 15 60
    auth-user-pass
    ca ca.crt
    cert client.crt
    key client.key
    ns-cert-type server
    resolv-retry infinite
    nobind

    Any thoughts or ideas on how to get this working is greatly appreciated.

    Thanks

    Robert

    • September 19, 2014 at 6:12 PM

      So you are able to connect using the command line from your .ovpn file and it's not working when you try to use the network GUI?
      Try not to “cut-out” – just copy paste the data into separate files. Use the original .ovpn file and just add the ca, cert and key entries. A sample .ovpn file should look like this:
      http://lukasz.cepowski.com/devlog/32,sample-openvpn-client-config-ovpn
      So you should have this file (with all the information) + 3/4 files.

  13. September 19, 2014 at 7:19 PM

    Hi

    Thanks for the quick reply.

    I tried your suggestion, and still not working. It just doesn’t like the certificates.

    The one possibility is that the built in client just doesn’t like the certificates generated automatically by the Asus router. I get a very similar error when I try to connect with my iPad. The Asus router just generates a set of random certificates without asking any questions.

    So right now, the Windows client connects, Macbook (using Tunnelblick) connects, Android connects, and Lubuntu using the command line.

    What isn’t working are my iPad, and Lubuntu using the graphical network manager.

    One thing I could try is generating a new set of certificates using EasyRSA under Windows. That would mean reconfiguring things, but it is an option.

    Any thoughts?

    Robert

  14. September 19, 2014 at 7:27 PM

    Hmm, I don't know about the iPad, but Lubuntu should be very similar to Ubuntu – if you can connect via the command line and not via Network Manager, then there might be a bug in the Network Manager in Debian.
    By the way, what version of Lubuntu are you on? Lots of people have complained that VPN is not working on 14.04.
    Let me know if the Windows certificate works.

    • September 19, 2014 at 8:31 PM

      Hi

      You are probably right. I’m on 14.04, and I found the posts about the VPN problems.

      Given that I can get the VPN connected from the command line in a terminal, I will probably just live with that for now. Perhaps it will get fixed in one of the updates?

      Sometime when I have lots of free time I will try generating a new PKI environment. However for the moment 95% of everything I need is working, so I can live with the situation.

      Thank you for all of your help, and for the excellent set of instructions.

      Robert

  15. Sivabalan
    December 27, 2014 at 11:30 AM

    Thanks a lot. It helped me a lot. While connected to the VPN I was not able to browse the internet. Now I am able to browse and at the same time connect to the VPN servers. Thanks again dude!

  16. sophie
    January 28, 2015 at 11:49 AM

    Hi! I wonder if you could help me. There is no ## -----BEGIN RSA SIGNATURE----- line in my .ovpn file so I cannot do that part. I used your instructions once and (skipping the bit with the RSA signature line) managed to get two out of the three ovpn connections working. Now we received updated .ovpn files, I tried setting it up the same way but this time it looks like they don’t work (every time I try to connect, I get a “connection failed because of timeout” error). Is this supposed to work if I skip the RSA signature line step?

    • January 28, 2015 at 5:09 PM

      @sophie – are you able to connect to the VPN via the command line? Try that – if you cannot, then the problem is with your ovpn file.
      Also, what OS / version are you on? People have reported that this does not work on Ubuntu 14.04 – maybe the network manager got updated.

      • sophie
        February 11, 2015 at 9:08 AM

        Hi, thanks a lot for your answer! I’m on 12.04. In the meantime, when I tried again through the command line, I got the following error message. I’m an Ubuntu novice and will freely admit to not really knowing what to do with it, exactly… (Note: 37 is the name given to one of the three OVPN clients I’m trying to install, and the 37.crt file exists in the appropriate directory. As I mentioned, I’ve managed to make it work with the help of your instructions once before.)

        Wed Jan 28 13:09:20 2015 us=800739 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
        Wed Jan 28 13:09:20 2015 us=800796 NOTE: OpenVPN 2.1 requires ‘--script-security 2’ or higher to call user-defined scripts or executables
        Wed Jan 28 13:09:20 2015 us=801733 Cannot load certificate file 37.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
        Wed Jan 28 13:09:20 2015 us=801791 Exiting

    • February 17, 2015 at 5:25 PM

      these two threads might help – else ask the question in the ovpn forum –
      also make sure you have the file path correct and file permissions correct – these are the cause of most problems
      https://forums.openvpn.net/topic16884.html
      https://forums.openvpn.net/topic8835.html

  17. April 28, 2015 at 6:59 PM

    Wow, thanks! That finally helped me to get OpenVPN running in Gnome again.

    As I found the manual editing of the config quite error prone and cumbersome I have created a short python script to do the job automatically… maybe it helps you, too.

    –> https://gist.github.com/seebk/bb94a7fd70d4cc454aaa

  18. Muhasin Rashid
    May 3, 2015 at 11:50 AM

    hey naveen..
    I'm using zenvpn.ovpn in my college, but now it is not working.
    When I type
    openvpn --config zenvpn.ovpn
    it will show:
    Sun May 3 17:18:39 2015 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
    Sun May 3 17:18:39 2015 Control Channel Authentication: tls-auth using INLINE static key file
    Sun May 3 17:18:39 2015 Outgoing Control Channel Authentication: Using 160 bit message hash ‘SHA1’ for HMAC authentication
    Sun May 3 17:18:39 2015 Incoming Control Channel Authentication: Using 160 bit message hash ‘SHA1’ for HMAC authentication
    Sun May 3 17:18:39 2015 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1300)
    Sun May 3 17:18:39 2015 Socket Buffers: R=[212992->131072] S=[212992->131072]
    Sun May 3 17:18:39 2015 UDPv4 link local (bound): [undef]
    Sun May 3 17:18:39 2015 UDPv4 link remote: [AF_INET]213.183.56.121:1194

    …………………………………………………
    TLS handshaking failing
    pls give me a solution…
    tnx

    • May 4, 2015 at 3:42 PM

      @ Muhasin Rashid – the first thing to make sure is you are not blocked by the vpn provider or your own firewall rules are not blocking the connection – check those settings

  19. David
    June 3, 2015 at 2:08 PM

    Thank You!!! This is how to connect to VPN using .ovpn file on Debian 8

  20. D Pal
    June 24, 2015 at 9:07 AM

    Hi, I have a client.ovpn file for the vpn connection and configured my vpn gui client as discussed in the post. One more thing we have configured is GOOGLE AUTHENTICATION on the openvpn server.

    While connecting, my gui based vpn client is saying “vpn connection failed due to invalid vpn secrets”. Please help in resolving the issue and connecting to the VPN.

  21. June 24, 2015 at 7:37 PM

    Hi Naveen!
    I have client.ovpn for the vpn connection. Do you know how I can check if my openvpn works successfully or not?
    Because every time I select VPN Connection from the Network Icon, I see that my connection always times out after more or less 60 secs.

    The error log is:
    Jun 24 21:31:53 tientham-VirtualBox NetworkManager[726]: Starting VPN service ‘openvpn’…
    Jun 24 21:31:53 tientham-VirtualBox NetworkManager[726]: VPN service ‘openvpn’ started (org.freedesktop.NetworkManager.openvpn), PID 4518
    Jun 24 21:31:53 tientham-VirtualBox NetworkManager[726]: VPN service ‘openvpn’ appeared; activating connections
    Jun 24 21:31:53 tientham-VirtualBox NetworkManager[726]: VPN plugin state changed: init (1)
    Jun 24 21:31:53 tientham-VirtualBox NetworkManager[726]: VPN plugin state changed: starting (3)
    Jun 24 21:31:53 tientham-VirtualBox NetworkManager[726]: VPN connection ‘VPN connection’ (Connect) reply received.
    Jun 24 21:31:53 tientham-VirtualBox nm-openvpn[4524]: OpenVPN 2.3.2 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
    Jun 24 21:31:54 tientham-VirtualBox nm-openvpn[4524]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Jun 24 21:31:54 tientham-VirtualBox nm-openvpn[4524]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jun 24 21:31:54 tientham-VirtualBox nm-openvpn[4524]: UDPv4 link local: [undef]
    Jun 24 21:31:54 tientham-VirtualBox nm-openvpn[4524]: UDPv4 link remote: [AF_INET]62.152.110.138:1194
    Jun 24 21:32:33 tientham-VirtualBox NetworkManager[726]: VPN connection ‘VPN connection’ (IP Config Get) timeout exceeded.
    Jun 24 21:32:33 tientham-VirtualBox NetworkManager[726]: Policy set ‘Wired connection 1’ (eth0) as default for IPv4 routing and DNS.
    Jun 24 21:32:33 tientham-VirtualBox nm-openvpn[4524]: SIGTERM[hard,] received, process exiting
    Jun 24 21:32:38 tientham-VirtualBox NetworkManager[726]: VPN service ‘openvpn’ disappeared

    My OS which uses OpenVPN is Linux Ubuntu 14.04 under virtual machine.
    Hope to hear from you, thank you so much!

  22. July 25, 2015 at 11:00 AM

    I can't seem to find my CA certificate when I try to import; the file is missing, but I can view it through the normal window.

    • July 27, 2015 at 3:51 PM

      @prioritysoftwareng
      I don't understand the problem that you are facing – please provide more details on what you are trying to do – it may be a permission issue

  23. Nedy
    September 9, 2015 at 11:44 PM

    How to change the OpenVPN password? I have already been looking on Google for 2 days and tried many commands, but it is still not working.

    • September 10, 2015 at 3:18 PM

      @Nedy
      Can you tell me what you are trying to do exactly ? what password are you trying to change ?

  24. Alan
    September 24, 2015 at 4:06 AM

    Dear all,

    Similar to Robert, I tried to connect to my Asus N66U OpenVPN server (I don’t have a ta.key either) but I can’t even connect by using the “openvpn” command.
    The only difference is changing the default port from 1194 to TCP 443.
    The most interesting thing is that I can connect by using the “OpenVPN Connect” app, which is installed on my iPhone, with the same client.ovpn file.
    I tried both OpenVPN version 2.3.2 (which come with Ubuntu 14.04) and 2.3.8 (latest) on my Ubuntu 14.04.3 Desktop.
    Would anyone please help and have a look?

    I got the following error message from client side:
    =============================================================================
    Enter Auth Password:
    Thu Sep 24 11:40:06 2015 Attempting to establish TCP connection with [AF_INET][IP_ADDRESS]:443 [nonblock]
    Thu Sep 24 11:40:07 2015 TCP connection established with [AF_INET][IP_ADDRESS]:443
    Thu Sep 24 11:40:07 2015 TCPv4_CLIENT link local: [undef]
    Thu Sep 24 11:40:07 2015 TCPv4_CLIENT link remote: [AF_INET][IP_ADDRESS]:443
    Thu Sep 24 11:40:07 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Thu Sep 24 11:40:08 2015 TLS_ERROR: BIO read tls_read_plaintext error: error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
    Thu Sep 24 11:40:08 2015 TLS Error: TLS object -> incoming plaintext read error
    Thu Sep 24 11:40:08 2015 TLS Error: TLS handshake failed
    Thu Sep 24 11:40:08 2015 Fatal TLS error (check_tls_errors_co), restarting
    Thu Sep 24 11:40:08 2015 SIGUSR1[soft,tls-error] received, process restarting
    Thu Sep 24 11:40:13 2015 Attempting to establish TCP connection with [AF_INET][IP_ADDRESS]:443 [nonblock]
    Thu Sep 24 11:40:14 2015 TCP connection established with [AF_INET][IP_ADDRESS]:443
    Thu Sep 24 11:40:14 2015 TCPv4_CLIENT link local: [undef]
    Thu Sep 24 11:40:14 2015 TCPv4_CLIENT link remote: [AF_INET][IP_ADDRESS]:443
    ^CThu Sep 24 11:40:14 2015 event_wait : Interrupted system call (code=4)
    Thu Sep 24 11:40:14 2015 SIGINT[hard,] received, process exiting
    =============================================================================

    The following is my client.ovpn content
    =============================================================================
    client
    dev tun
    proto tcp-client
    remote [IP_ADDRESS] 443
    float
    cipher AES-256-CBC
    comp-lzo adaptive
    keepalive 15 60
    auth-user-pass
    ns-cert-type server

    -----BEGIN CERTIFICATE-----
    …OMITTED
    -----END CERTIFICATE-----

    -----BEGIN CERTIFICATE-----
    …OMITTED
    -----END CERTIFICATE-----

    -----BEGIN PRIVATE KEY-----
    …OMITTED
    -----END PRIVATE KEY-----

    resolv-retry infinite
    nobind
    =============================================================================

    Thanks again.

  25. Swiftor
    December 4, 2015 at 10:55 AM

    Thank you. Works like charm.

  26. Maxime
    December 24, 2015 at 3:04 PM

    Rock on! Thanks a lot!

  27. April 11, 2016 at 4:12 AM

    Now on Network Manager 1.1.93 .ovpn files with embedded certificates are recognized correctly. 🙂
