VPN client for Gentoo

Message

Aranycsapat · Post by **Aranycsapat** » Mon Apr 25, 2022 12:09 pm

I am looking for a working VPN client for Gentoo.
As far as I know the standard ebuilds like net-vpn/openvpn, net-vpn/wireguard and so on are barely useful without a server. I do not have a server, I am only an end user who just wants to open some blocked sites.
I tried several commercial services such as expressvpn, protonvpn, windscribe. All they offer linux users is debs and rpms. (Protovpn offers a gentoo package, too, but unmasking it is a true hell.) As for installation of rpms it failed since they require systemd which I do not use at all.
A browser extension could be a partial solution, but it is not helpful while using bittorrent, torbrowser.
So, how one can have a full-fledged VPN client on gentoo?

alamahant · Post by **alamahant** » Mon Apr 25, 2022 12:23 pm

So, how one can have a full-fledged VPN client on gentoo?

Openvpn is the answer.But you will need to connect to a free or paid vpn server.
They will provide you with a .ovpn file that openvpn client will use to connect with.
In case of proton see
https://protonvpn.com/support/linux-openvpn/
Then connect using the provided file(s) by issuing

Code: Select all

openvpn --config /path/to/*.ovpn

Post by **Juippisi** » Tue Apr 26, 2022 5:32 am

Many vpn provides provide a "configuration tool" where you can just generate a config and feed that to openvpn. Then it works when you start openvpn service in Gentoo.
https://wiki.gentoo.org/wiki/OpenVPN

WireGuard works in a similar fashion, but less providers support it yet.
https://wiki.gentoo.org/wiki/Wireguard

And then yes we have some specific clients in the repo, these usually aren't needed to actually run the vpn, but they provide a nicer GUI and maybe some nice features like changing servers with a mouse click. Do note that managing vpn connections is also easy with networkmanager.

And the final note I want to give is, some vpn providers offer browser extensions where you don't have to install / configure anything in your machine, just get the extension to your web browsing. Obviously this doesn't hide your traffic outside web browser. As you said yourself.

Aranycsapat · Post by **Aranycsapat** » Thu Apr 28, 2022 2:47 pm

Thank you, guys. I successfully established vpn on my laptop and phone. However the desktop is a different story. On desktop I prefer to use openvpn directly, unlike laptop, where I establish a vpn connection via a Network manager GUI configuration tool.
On desktop I use

Code: Select all

openvpn --config /path/to/*.ovpn

command. It requests username and password, and I have no problems with that. However it is too exhausting to enter them once I want vpn. I would like to automatize the process. I tried to write my login data into an auth file and then type its position into ovpn under auth-user-pass (as specified on Gentoo handbook), but in this case the command above crashes. Any suggestions?

alamahant · Post by **alamahant** » Thu Apr 28, 2022 5:21 pm

Code: Select all

auth-user-pass ~/vpn-login.conf

and

Code: Select all

cat ~/vpn-login.conf
some-username
some-password

but in this case the command above crashes

How exactly?
Plz post terminal output.
and

Code: Select all

ls -l /dev/tun

Which kernel are you using?
Is it home made?

Aranycsapat · Post by **Aranycsapat** » Fri Apr 29, 2022 12:41 pm

Oops... It seems that my auth file contained extra spaces.

I fixed it and everything is just fine.
However having terminal open is not convenient. Is it possible to launch openvpn with my data at boot? Also is it safe to keep login data and certificates as is, without encryption?

Post by Hu » Fri Apr 29, 2022 4:08 pm

Yes, you could choose to start OpenVPN at boot. You can keep the login data unencrypted in a file if you have other measures to maintain the security of that data, such as full disk encryption, or if you have a high level of confidence in the physical security of your computer, or if you don't care about whether the data is stolen.

szatox · Post by **szatox** » Fri Apr 29, 2022 4:13 pm

You can start openvpn as a service.
Whether or not it's safe to keep passwords without encryption depends on your setup, use case, and threat model. I was fine with encrypted disk and making the file with credentials readable only by root. This way either full disk encryption makes it unreadable by 3rd parties or kernel keeps applications from prying.

alamahant · Post by **alamahant** » Fri Apr 29, 2022 6:35 pm

If you are using openrc then create a file

Code: Select all

echo '#!/bin/bash' > /etc/local.d/openvpn.start
echo "openvpn --config /path/to/*.ovpn" >> /etc/local.d/openvpn.start
chmod +x /etc/local.d/openvpn.start
rc-update add local default

Then this script will run @boot.
You could use the main config openvpn.conf to specify client|server config but not necessary.
This way you dont even need to enable openvpn service.
Dont worry too much about vpn username|password being unecrypted.I wouldnt.
In case it is compromised then issue a new pair from your proton mail dashboard.
But its up to you.

szatox · Post by **szatox** » Fri Apr 29, 2022 11:13 pm

This way you dont even need to enable openvpn service.

And how is adding it manually to local better than enabling a service via an already provided script?
It gives you less control, and also by the time you have to change something, you're likely to forget you did it this way, so will have to reverse-engineer it in the future.

alamahant · Post by **alamahant** » Fri Apr 29, 2022 11:27 pm

And how is adding it manually to local better than enabling a service via an already provided script?

The OP apparently needs the client aspect of openvpn.
So its not necessary to start the openvpn service.
GRANTED he can rename his .ovpn to openvpn.conf.
What if he has 30 .ovpn files.
To me it seems "neater" via local.d.
The ideal would be a script to let him choose among multiple vpn connections.
This is what i use.
Plz see
viewtopic-t-1149662-highlight-.html