Linux

Linux settings

Tested with Debian/Ubuntu and Fedora.

You can install and execute OpenVPN on the terminal as well as with a graphical user interface. In both cases you should download the appropriate configuration file for your system.

Download the configuration file by right-clicking on the filename and then choosing "Save as":

  • Debian/Ubuntu/Mint: kit.ovpn (Configuration for VPN2VLAN: kit-vpn2vlan.ovpn)
  • Fedora: kit.ovpn (Configuration for VPN2VLAN: kit-vpn2vlan.ovpn)
  • other distributions: Use the file for Fedora and adjust the line “ca ...” for the file containing the CA certificate "T-TeleSec GlobalRoot Class 2" on your system.

Using the terminal

  1. Install the VPN client:

    The easiest way to install the OpenVPN client is using the package management system of the particular Linux distribution. Enter one of the following commands as root (or use sudo):

    • Fedora: (sudo) yum install openvpn
    • Ubuntu/Debian: (sudo) apt-get install openvpn
  2. Download the appropriate configuration file.

    Right-click on the appropriate configuration file and choose “Save target as...”. Save the file in any folder (e.g. create a new folder such as “VPN” in your user folder).

  3. Start the OpenVPN client with the downloaded configuration file:

    The easiest way to start the OpenVPN client is using the --config argument to specify the location of the configuration file. Run the following command:

    • sudo openvpn --config /path/to/kit.ovpn
      (where /path/to/ is the folder you saved the configuration file in e.g. ~/VPN/)
    You will be asked to enter a user name. Log in with your KIT account (e.g. ab1234 or uxxxx). The VPN connection will be established. If you want to disconnect, press “Ctrl-C”.


Use KIT resolvers for DNS resolution

At KIT, a few DNS names can only be resolved with the KIT DNS resolvers. The OpenVPN server pushes these resolvers to the client. For them to be configured on your system, an appropriate mechanism must be set up. The mechanisms are described in the following sections.

Debian/Ubuntu/Mint: resolvconf (without systemd-resolved)

On Debian/Ubuntu/Mint the package resolvconf is available. In the configuration files for Debian/Ubuntu/Mint the commands which configure the KIT resolvers on your system are already present.

However, this only works if systemd-resolved is not activated on your system. It is activated starting from Ubuntu 16.10; what to do in that case is described in the next section. If your operating system was upgraded from an earlier version, systemd-resolved might not be activated.

If systemd-resolved is not activated on your system, install the package resolvconf if necessary.

systemd-resolved

Starting from Ubuntu 16.10 and Fedora 33 systemd-resolved is activated by default. Of course you can also activate it manually.

With systemd-resolved you can use the script update-systemd-resolved in order to get your resolver configuration updated:
https://github.com/jonathanio/update-systemd-resolved

Then invoke openvpn as follows:
sudo openvpn --config kit.ovpn --config /etc/openvpn/update-systemd-resolved.conf

The second OpenVPN configuration file, /etc/openvpn/update-systemd-resolved.conf, contains the following lines:

script-security 2
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
up /etc/openvpn/scripts/update-systemd-resolved
up-restart
down /etc/openvpn/scripts/update-systemd-resolved
down-pre
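
With script-security 2, OpenVPN itself runs the up and down scripts named in the configuration, and the client above is started with sudo, so a script that other users can modify gets executed with elevated privileges. The following check is an added example, not part of the original page or of the update-systemd-resolved project; the function name audit_ovpn_hooks and its output format are hypothetical, and it assumes GNU stat and script paths without whitespace.

```shell
#!/bin/sh
# Added example: audit the hook scripts an OpenVPN config will execute.
# audit_ovpn_hooks CONFIG [EXPECTED_UID]
#   Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_ovpn_hooks() {
    conf=$1
    want_uid=${2:-0}   # assumption: hook scripts should belong to root (uid 0)
    findings=0

    # The first argument of every "up"/"down" directive is the script path.
    # "up-restart" and "down-pre" are separate directives and do not match.
    hooks=$(awk '$1 == "up" || $1 == "down" { print $2 }' "$conf" | sort -u)

    for hook in $hooks; do
        if [ ! -f "$hook" ]; then
            echo "MISSING $hook"
            findings=1
            continue
        fi
        # Check the script and the directory holding it: a writable
        # directory lets someone else replace the script.
        for path in "$hook" "$(dirname "$hook")"; do
            owner=$(stat -c %u "$path")   # numeric owner (GNU stat)
            mode=$(stat -c %a "$path")    # octal permissions, e.g. 755
            if [ "$owner" != "$want_uid" ]; then
                echo "OWNER $path uid=$owner expected=$want_uid"
                findings=1
            fi
            # Bits 020 and 002: group-writable and world-writable.
            if [ $(( 0$mode & 022 )) -ne 0 ]; then
                echo "WRITABLE $path mode=$mode"
                findings=1
            fi
        done
    done
    return "$findings"
}

# When called with arguments, audit the given config file, e.g.:
#   sh audit.sh /etc/openvpn/update-systemd-resolved.conf
if [ "$#" -gt 0 ]; then
    audit_ovpn_hooks "$@"
fi
```

No output and exit status 0 mean every hook script and its directory are owned by the expected user and not writable by group or others.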

Further information on starting the OpenVPN client from terminal can be found here.

 

Using a graphical user interface

There is an OpenVPN plug-in for NetworkManager. Instructions on installing it are found below.

Debian/Ubuntu with GNOME

It is sufficient to install the package network-manager-openvpn-gnome; the rest will be installed automatically. The required CA certificate "T-TeleSec GlobalRoot Class 2" is contained in the package ca-certificates. To update the resolver configuration, the package resolvconf must be installed. The configuration file above can then be imported into NetworkManager. Click on "Add a VPN configuration..." and then scroll down to "import a saved VPN configuration...".

Fedora with GNOME 3 (tested with Fedora 19, OpenVPN 2.3, GNOME 3.8)

It is sufficient to install the package NetworkManager-openvpn-gnome; the rest will be installed automatically. The required CA certificate "T-TeleSec GlobalRoot Class 2" is contained in the package ca-certificates. The configuration file above can then be imported into NetworkManager:

  • Start NetworkManager
  • Network settings
  • Click "+" icon (“add”)
  • VPN
  • “Import from file”
  • Select previously saved configuration file
  • Enter user name and password
  • Save
  • Then reboot

To start the VPN, click on the NetworkManager icon and switch “kit” from “0” to “1” (or from “Off” to “On”).

 

Note on VPN-split

If you use VPN-split, go to the NetworkManager → both IPv4 Settings and IPv6 Settings → Routes... and check "Use this connection only for resources on its network".

Note on GNOME 3

When using GNOME 3 (gnome-shell), the interface of the NetworkManager sometimes doesn't provide the option to import configuration files. You can start the old interface “nm-connection-editor” instead and import the configuration file there. This will cause the VPN connection to be displayed in the GNOME 3 network applet in the system tray.