OpenVPN for Linux (NetworkManager)

This page explains how to use Informatics VPN with NetworkManager. See also OpenVPN for Linux (easy).

This probably works best if your distro already uses NetworkManager. If not, installing it may cause issues between it and netplan/systemd-networkd. Use your judgement.

Setting your OpenVPN password

Your password can be set in the Password Portal. This password must be unique. Your username looks like uun/ovpn.

Installing NetworkManager and OpenVPN

To install OpenVPN and the NetworkManager plugin:

sudo apt install openvpn network-manager-openvpn

(Or your distro’s equivalent of apt-get such as yum. Amend package names as appropriate.)

If you use a GNOME-based OS (like Ubuntu) you will want to install the following package as well:

sudo apt install network-manager-openvpn-gnome

You can now check that NetworkManager is running:

nmcli general status

If you want source, explore the repositories on the OpenVPN "Community" page.

Downloading configuration files

Next, download this configuration file or this one or both, and save them in a suitable location eg. a dedicated OpenVPN config folder. You only need one of these config files, unless you have multiple machines connecting with the same username. Additionally if you share a connection with, e.g., another Informatics flatmate, you will need to use different endpoints.
(Why is there more than one configuration file?)

OpenVPN Network Manager configuration

Continuing the instructions with the Informatics-EdLAN-AT1.ovpn config file as an example:

Import your .ovpn config file, substituting the correct filepath:

nmcli connection import type openvpn file path/to/file/Informatics-EdLAN-AT1.ovpn

It's then important to edit the configuration so that only traffic bound for the tunnel is routed through it. This is because of a bug in NetworkManager. Complete the following two modifications to the config:

nmcli connection modify Informatics-EdLAN-AT1 ipv4.never-default yes
nmcli connection modify Informatics-EdLAN-AT1 ipv6.never-default yes

And set your username, substituting [UUN] for your UUN:

nmcli connection modify Informatics-EdLAN-AT1 vpn.user-name [UUN]/ovpn

Controlling the VPN from CLI

Check for the config in nmcli using the following:

nmcli connection show

Connect to the VPN:

nmcli connection up Informatics-EdLAN-AT1

You will be prompted for your OpenVPN password.

To disconnect from the VPN:

nmcli connection down Informatics-EdLAN-AT1

Controlling the VPN from GUI

Generally, clicking on your networks icon (typically found in your tray) will bring up a list of connections, including the VPN connection(s) configured. You will be able to connect and disconnect from the vpn from here.

To bring up a GUI editor for adding, removing and editing a connection, use the following command:

nm-connection-editor

Troubleshooting

Parsing error, or "Error: No valid secrets"

Resolved by removing the OpenVPN config from Network Manager, and then re-adding the config, making sure filepaths are correct. This can be done through the GUI, or with the following:

nmcli connection delete Informatics-InfNets-AT1

If issues persist, you may need to download the EdUniCA2.crt and tls-auth-key files and store them in the same folder as your .ovpn config file. Then modify the connection so that these settings import correctly:

nmcli connection modify Informatics-EdLAN-AT1 vpn.ca /path/to/EdUniRootCA2.crt

nmcli connection modify Informatics-EdLAN-AT1 +vpn.data “tls-auth=/path/to/tls-auth-key,ta-dir=1”

Substituting the correct filepath.

If things don't work ...

You can always ask us for help, but you can also get more information in these ways:

• from NetworkManager's log. In modern distros this is usually in the journal which you can view with sudo journalctl
• The command ip a will display information on the network interfaces on your machine.
• ip r will show the routing tables in effect at the time.

These outputs can be very useful in helping to diagnose faults.

References

• OpenVPN FAQ