Install and connect OpenVPN on Linux



1. Installing OpenVPN client dependencies on Linux
2. Installing OpenVPN client without elliptic curve cryptography (ECC) support
3. Installing OpenVPN client with elliptic curve cryptography (ECC) support
3.1. OpenSSL installation
3.2. OpenVPN installation
4. Importing configs to OpenVPN client on Linux
5. Connecting OpenVPN on Linux

All of the actions described below are performed in a Linux terminal.

Commands beginning with the # prompt are executed as the root user; the $ prompt means the command is run as a regular user.

Use sudo or su to obtain root rights. For example, enter sudo su to log in as root on desktop Debian-based distros (Ubuntu, Linux Mint and others), and use su on RedHat-based distros (RHEL, Fedora, CentOS and others) and on server Debian-based distros.


1. Installing dependencies


You have to install the dependencies before installing OpenSSL and OpenVPN. On Debian-based Linux (Ubuntu, Debian, Linux Mint and others) use the following commands.
$ sudo apt-get update
$ sudo apt-get install gcc "autoconf*" "libtool*" "snappy*" "openssl-dev*" "lzo*" "libreadline-gplv2*" git libpam0g-dev

Use this command for RedHat-based Linux (RHEL, CentOS, Fedora and others).
# yum install gcc* autoconf* libtool* snappy* openssl-dev* lzo* libpam* pam-devel* -y

A DeepWebVPN RSA config is an OpenVPN config file that has "RSA" in its filename. A DeepWebVPN ECC (Elliptic Curve Cryptography) config is an OpenVPN config file that has "ECC" in its filename. For example, SingleRSA_US1.ovpn is an RSA config, while DoubleECC_GB2_US2.ovpn is an ECC config.


2. Installing OpenVPN client without ECC support



An OpenVPN client without ECC support works correctly with RSA configs only. Skip this step and go to the section Installing OpenVPN client with ECC support if you need an OpenVPN client that is compatible with both ECC and RSA configs.

To install an OpenVPN client without ECC support, it is enough to install the package from the repositories. On Debian-based Linux use this command.
$ sudo apt-get install openvpn

On RedHat-based Linux use the following command.
# yum install openvpn


3. Installing OpenVPN client with ECC support


Don't forget to install the dependencies before installing the OpenVPN client with ECC support.

3.1. Installing OpenSSL


Note the current version of the OpenSSL library if it is installed.
# openssl version
OpenSSL 1.0.1k-fips 8 Jan 2015

Download the latest version of the OpenSSL source code archive from the official site.
The OpenSSL version in the example below is openssl-1.0.1p.tar.gz, but the version you download may be newer.

Use the following commands to download the archive, unpack it and change to the unpacked source directory.
$ wget https://www.openssl.org/source/openssl-1.0.1p.tar.gz
$ tar -xvzf openssl-1.0.1p.tar.gz
$ cd openssl-1.0.1p

Run the following commands in the unpacked source directory to compile and install the OpenSSL library.
$ ./config --prefix=/usr --openssldir=/usr/ssl
$ make
$ make test
# make install
$ ./config shared --prefix=/usr --openssldir=/usr/ssl
$ make clean
$ make
# make install

Check the OpenSSL version again.
# openssl version
OpenSSL 1.0.1p 9 Jul 2015
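
The tarball downloaded with wget above is compiled and installed as root, so it is worth checking it against the SHA-256 digest published for that release before running ./config. The following is an added example, not part of the original guide; the function name verify_tarball and the file names are assumptions, and the sample digest files are generated locally from a stand-in file.

```shell
#!/bin/sh
# Added example (not from the original guide). Names below are assumptions.

# Compare a tarball ($1) with a digest file ($2). The digest file may hold a bare
# hex digest, the "digest  filename" form of sha256sum, or "SHA256(file)= digest".
# Returns 0 on match, 1 on mismatch, 2 when an input is missing or unusable.
verify_tarball() {
    tarball=$1; digest_file=$2
    [ -r "$tarball" ] && [ -r "$digest_file" ] || { echo "missing input" >&2; return 2; }
    # Take the first field that is exactly 64 hex digits, lower-cased.
    expected=$(tr 'A-F' 'a-f' < "$digest_file" |
        awk '{ for (i = 1; i <= NF; i++)
                 if (length($i) == 64 && $i !~ /[^0-9a-f]/) { print $i; exit } }')
    [ -n "$expected" ] || { echo "no SHA-256 digest in $digest_file" >&2; return 2; }
    actual=$(sha256sum "$tarball" | cut -d ' ' -f 1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $tarball"
    else
        echo "MISMATCH: $tarball (expected $expected, got $actual)" >&2
        return 1
    fi
}

# Constructed sample: a stand-in file plays the tarball. In real use the digest
# file comes from the project's download page, not from the file being checked.
work=$(mktemp -d)
printf 'stand-in for openssl-1.0.1p.tar.gz\n' > "$work/sample.tar.gz"
sha256sum "$work/sample.tar.gz" | cut -d ' ' -f 1 > "$work/bare.sha256"
(cd "$work" && sha256sum sample.tar.gz > listed.sha256)
verify_tarball "$work/sample.tar.gz" "$work/bare.sha256"
verify_tarball "$work/sample.tar.gz" "$work/listed.sha256"
# Simulate a modified download: the check must now fail and stop the build.
printf 'tampered\n' >> "$work/sample.tar.gz"
verify_tarball "$work/sample.tar.gz" "$work/bare.sha256" || echo "refusing to build"
```

Run the check before ./config, and stop if it reports a mismatch.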


3.2. Installing OpenVPN


Note the current version of the OpenVPN client if it is installed.
$ openvpn --version
OpenVPN 2.3.8 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Aug 4 2015
library versions: OpenSSL 1.0.1k-fips 8 Jan 2015, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <[email protected]>
Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_pthread=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_iproute_path=/sbin/ip with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no

Download the latest version of the OpenVPN client source code and change directory to the source code directory.
$ git clone https://github.com/OpenVPN/openvpn.git
$ cd openvpn

In the source code folder, enter the following commands to install the OpenVPN client.
$ autoreconf -i -v -f
$ ./configure
$ make
# make install

Make sure that the OpenVPN client is updated/installed correctly.
$ openvpn --version
OpenVPN 2.3_git [git:master/7546cba4761b24f2] x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH] [IPv6] built on Nov 17 2015
library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08


4. Importing configs


Make sure that the directory /etc/openvpn exists, or create it with the command below.
# mkdir /etc/openvpn

Download the archive of the OpenVPN configs and unzip it into the directory /etc/openvpn.
# wget https://cabinet.deepwebvpn.net/downloads/openvpn/all.zip
# unzip all.zip -d /etc/openvpn

It is not necessary to download the archive of all OpenVPN configs; you may select and download specific configs (Single chains and Double chains).

You can use torsocks to download configs via Tor.
# torsocks wget http://deepwebvpnvvotmw.onion/downloads/openvpn/all.zip

On Debian-based Linux (Debian, Ubuntu, Linux Mint and others) install torsocks with the following command.
# apt-get install torsocks
On RedHat-based Linux (RHEL, Fedora, CentOS and others) use the following command.
# yum install torsocks

Make sure that the configs are in the correct directory.
# ls /etc/openvpn
all.zip DoubleECC_GB1_FR1.ovpn DoubleRSA_FR1_GB1.ovpn SingleECC_DE1.ovpn SingleECC_NL1.ovpn SingleRSA_FR1.ovpn SingleRSA_RU2.ovpn
DoubleECC_DE1_NL1.ovpn DoubleECC_NL1_DE1.ovpn DoubleRSA_GB1_FR1.ovpn SingleECC_FR1.ovpn SingleECC_RU2.ovpn SingleRSA_GB1.ovpn
DoubleECC_FR1_GB1.ovpn DoubleRSA_DE1_NL1.ovpn DoubleRSA_NL1_DE1.ovpn SingleECC_GB1.ovpn SingleRSA_DE1.ovpn SingleRSA_NL1.ovpn
...


5. Connecting


Connecting to OpenVPN must always be done with root rights.

Run the OpenVPN client with the path to a config file as its argument to connect. Enter the username and password when the client asks for them.
The username and password are the same as the username and password of the DeepWebVPN Cabinet.

For example, use the following command to connect to the chain SingleRSA_DE1.
# openvpn /etc/openvpn/SingleRSA_DE1.ovpn
Mon Jan 8 01:29:25 2018 OpenVPN 2.3.14 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec 7 2016
Mon Jan 8 01:29:25 2018 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.08
Enter Auth Username: ********
Enter Auth Password: ********
Mon Jan 8 01:29:32 2018 Control Channel Authentication: tls-auth using INLINE static key file
Mon Jan 8 01:29:32 2018 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Jan 8 01:29:32 2018 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Jan 8 01:29:32 2018 Socket Buffers: R=[87380->87380] S=[16384->16384]
Mon Jan 8 01:29:47 2018 Attempting to establish TCP connection with [AF_INET]104.238.177.127:255 [nonblock]
Mon Jan 8 01:29:48 2018 TCP connection established with [AF_INET]104.238.177.127:255
Mon Jan 8 01:29:48 2018 TCPv4_CLIENT link local: [undef]
Mon Jan 8 01:29:48 2018 TCPv4_CLIENT link remote: [AF_INET]104.238.177.127:255
Mon Jan 8 01:29:48 2018 TLS: Initial packet from [AF_INET]104.238.177.127:255, sid=445a6902 d3ec551d
Mon Jan 8 01:29:48 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Jan 8 01:29:49 2018 VERIFY OK: depth=1, CN=de1-rsa
Mon Jan 8 01:29:49 2018 Validating certificate key usage
Mon Jan 8 01:29:49 2018 ++ Certificate has key usage 00a0, expects 00a0
Mon Jan 8 01:29:49 2018 VERIFY KU OK
Mon Jan 8 01:29:49 2018 Validating certificate extended key usage
Mon Jan 8 01:29:49 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jan 8 01:29:49 2018 VERIFY EKU OK
Mon Jan 8 01:29:49 2018 VERIFY OK: depth=0, CN=de1-ecc-server
Mon Jan 8 01:29:59 2018 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Jan 8 01:29:59 2018 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Jan 8 01:29:59 2018 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Jan 8 01:29:59 2018 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Jan 8 01:29:59 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-ECDSA-AES256-GCM-SHA384
Mon Jan 8 01:29:59 2018 [de1-rsa-server] Peer Connection Initiated with [AF_INET]104.238.177.127:255
Mon Jan 8 01:30:01 2018 SENT CONTROL [de1-rsa-server]: 'PUSH_REQUEST' (status=1)
Mon Jan 8 01:30:02 2018 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.101.0.1,redirect-gateway def1,route-gateway 10.111.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.111.0.2 255.255.255.0,peer-id 0'
Mon Jan 8 01:30:02 2018 OPTIONS IMPORT: timers and/or timeouts modified
Mon Jan 8 01:30:02 2018 OPTIONS IMPORT: --ifconfig/up options modified
Mon Jan 8 01:30:02 2018 OPTIONS IMPORT: route options modified
Mon Jan 8 01:30:02 2018 OPTIONS IMPORT: route-related options modified
Mon Jan 8 01:30:02 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Jan 8 01:30:02 2018 OPTIONS IMPORT: peer-id set
Mon Jan 8 01:30:02 2018 OPTIONS IMPORT: adjusting link_mtu to 1607
Mon Jan 8 01:30:02 2018 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=wlp3s0 HWADDR=44:6d:57:b7:8e:7e
Mon Jan 8 01:30:02 2018 TUN/TAP device tun0 opened
Mon Jan 8 01:30:02 2018 TUN/TAP TX queue length set to 100
Mon Jan 8 01:30:02 2018 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Jan 8 01:30:02 2018 /usr/sbin/ip link set dev tun0 up mtu 1500
Mon Jan 8 01:30:02 2018 /usr/sbin/ip addr add dev tun0 10.111.0.2/24 broadcast 10.111.0.255
Mon Jan 8 01:30:02 2018 /usr/sbin/ip route add 104.238.177.127/32 via 192.168.0.1
Mon Jan 8 01:30:02 2018 /usr/sbin/ip route add 0.0.0.0/1 via 10.111.0.1
Mon Jan 8 01:30:02 2018 /usr/sbin/ip route add 128.0.0.0/1 via 10.111.0.1
Mon Jan 8 01:30:02 2018 Initialization Sequence Completed

To avoid DNS leaks and to keep the Internet working correctly, don't forget to set the DNS after successfully connecting.
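
One way to check the DNS setting, as an added example that is not part of the original guide: the script reads the DNS server pushed in the PUSH_REPLY line of the client log and lists every nameserver in a resolv.conf-style file that the VPN did not push. The function names and file paths are assumptions, and it assumes the client log was saved to a file (for instance with OpenVPN's --log option).

```shell
#!/bin/sh
# Added example (not from the original guide). Function and file names are assumptions.

# Print each DNS server address pushed in PUSH_REPLY lines of an OpenVPN client log.
pushed_dns() {
    grep 'PUSH_REPLY' "$1" | tr ',' '\n' |
        sed -n 's/^dhcp-option DNS \([0-9a-fA-F.:]*\).*$/\1/p' | sort -u
}

# List nameservers in a resolv.conf-style file ($2) that the VPN log ($1) did not push.
# Returns 0 when every configured resolver was pushed by the VPN, 1 otherwise.
leaking_resolvers() {
    vpn_dns=$(pushed_dns "$1")
    leaks=$(awk '$1 == "nameserver" { print $2 }' "$2" |
        while read -r ns; do
            printf '%s\n' "$vpn_dns" | grep -qxF -- "$ns" || printf '%s\n' "$ns"
        done)
    [ -z "$leaks" ] && return 0
    printf '%s\n' "$leaks"
    return 1
}

# Constructed sample input: the PUSH_REPLY line from the log above, plus two
# made-up resolver files (one still pointing at the LAN router, one at the VPN DNS).
demo_dir=$(mktemp -d)
cat > "$demo_dir/openvpn.log" <<'EOF'
Mon Jan 8 01:30:02 2018 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.101.0.1,redirect-gateway def1,route-gateway 10.111.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.111.0.2 255.255.255.0,peer-id 0'
EOF
printf 'nameserver 192.168.0.1\n' > "$demo_dir/resolv.leaky"
printf 'nameserver 10.101.0.1\n' > "$demo_dir/resolv.ok"
leaking_resolvers "$demo_dir/openvpn.log" "$demo_dir/resolv.leaky" ||
    echo "resolv.leaky: the resolver listed above was not pushed by the VPN"
leaking_resolvers "$demo_dir/openvpn.log" "$demo_dir/resolv.ok" &&
    echo "resolv.ok: only the VPN DNS is configured"
```

On a real system, pass the saved client log and /etc/resolv.conf. A local stub resolver such as 127.0.0.53 from systemd-resolved is listed too, so check its upstream servers separately.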

Press Ctrl+C in the terminal window to disconnect.