OpenVPN on Linux

The ZIH operates an OpenVPN service as an alternative for accessing the TU Dresden intranet. The instructions explain the installation and setup of the OpenVPN client under Linux. This guide is primarily for currently supported Ubuntu/Debian versions with Network Manager.

Table of contents

    1. Installation
      1. Debian 10 (Buster)/Ubuntu 18.04 (Bionic Beaver) or newer
      2. Debian 9 (Stretch)
    2. Debian 8 (Jessie)/Ubuntu 16.04 (Xenial Xerus) or older
    3. Other Linux variants
    4. Import into Network Manager
      1. Import profile
      2. Set username
    5. Known errors
      1. Error: unsupported blob/xml element
      2. Missing IP address/routes

Installation

Debian 10 (Buster)/Ubuntu 18.04 (Bionic Beaver) or newer

  • Install the OpenVPN software and the Network Manager plugin.
    sudo apt-get update
    sudo apt-get install openvpn network-manager-openvpn
  • Installing the graphical components:
    • GNOME: Users of the Gnome desktop need to install one more component to be able to make settings through the user interface:
      sudo apt-get install network-manager-openvpn-gnome
    • KDE: The KDE Plasma Network Manager program (plasma-nm) already includes support for OpenVPN.
    • Other desktop environments: Other desktop environments mostly use the Gnome user interface of the NetworkManager. Here, the additional installation of the corresponding component is also required:
      sudo apt-get install network-manager-openvpn-gnome

Debian 9 (Stretch)

The versions of the OpenVPN program and the corresponding integrations for the Network Manager contained in the regular package sources are too old. However, newer versions are included in the so-called backports.

  •     If you do not use backports yet, add the following line
    deb http://deb.debian.org/debian stretch-backports main
    to the file /etc/apt/sources.list.
  • Install OpenVPN software and Network Manager plugin from backports:
    sudo apt-get update
    sudo apt-get install openvpn/stretch-backports network-manager-openvpn/stretch-backports
  • Installing the graphical components:
    • GNOME: Install the graphical editor plugin component from the backports:
      sudo apt-get install network-manager-openvpn-gnome/stretch-backports
    • KDE: Unfortunately, there is no sufficiently up-to-date version of plasma-nm in the backports either. However, starting and stopping the VPN connection should still be possible. However, you have to import the OpenVPN profile on the command line as described below using nmcli. Alternatively, you can also use the GNOME Network Manager interface under KDE.

Debian 8 (Jessie)/Ubuntu 16.04 (Xenial Xerus) or older

The versions of the OpenVPN program and the related integrations for the Network Manager included in the official package sources are too old. However, at least current versions of the OpenVPN program can be obtained as a package from the OpenVPN project, but unfortunately you have to do without the Network Manager integration.

  • Add the release key of the OpenVPN project to your package management:
    wget -O - https://build.openvpn.net/debian/openvpn/stable/pubkey.gpg | sudo apt-key add -
  • Add the repository of the OpenVPN project to your package manager:
    echo "deb http://build.openvpn.net/debian/openvpn/stable $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/openvpn.net.list
  • Install the OpenVPN program
    sudo apt-get update
    sudo apt-get install openvpn

Other Linux variants

Of course, the OpenVPN service also works with other Linux variants, provided that sufficiently up-to-date software is available there. You need

  • Version 2.4 or newer of the OpenVPN program.
  • Version 1.8.10 or newer of the Network Manager OpenVPN plugin for Network Manager support (optional).
  • For the graphical user interface (optional):
    • GNOME: Version 1.8.10 or newer of the Network Manager OpenVPN GNOME plugin.
    • KDE: Version 5.11.95 or newer of KDE Plasma.

Import into Network Manager

Obtain an appropriate profile from the OpenVPN profile generator in the Self-Service Portal and save it. Remember the folder in which the file is located.

Import profile

Then import the downloaded file with the command:
sudo nmcli connection import type openvpn file <path to>/TUD.ovpn
Alternatively, you can import the file using the Network Manager graphical interface.

Set username

After that, open the Network Manager. In the VPN connections there should now be a new entry with the same name as the downloaded file. You can edit the entry in the Network Manager, to save your username with your profile. The username will be your ZIH login without extensions like @tu-dresden.de or similar. When you start the VPN connection you may be asked for username and password. Always use the ZIH login and the password for the ZIH login.

Known errors

Error: unsupported blob/xml element

If the following error occurs when starting OpenVPN:
"Error: failed to import "<path to>/TUD.ovpn': configuration error: unsupported blob/xml element (line 32).",
your version of Network Manager is too old and you cannot use Network Manager to manage OpenVPN. This occurs among others in Ubuntu 16.04 (Xenial Xerus) or older, Debian 8 (Jessie) or older and Debian 9 (Stretch) without backports. However, you can then still start OpenVPN manually on the command line:

sudo openvpn --config <path to>/TUD.ovpn

Missing IP address/routes

If the OpenVPN interface (idR. tun0) has no IP address or routes despite successful connection establishment, i.e. the following output is empty:

ip -4 route show dev tun0 table all

check if the package netscript-2.4 should be installed, please follow these steps

apt list --installed netscript-2.4

We do not recommend using this package and recommend using ifupdown instead:

sudo apt install ifupdown

About this page

Michael Kluge
Last modified: Feb 17, 2023