Installing and Running our Client on Linux (and *BSD)

The following instructions apply to 64-bit Linux systems, especially Debian and Ubuntu. You may also find them useful on Knoppix, FreeBSD, and other *nix operating systems, although the precise details may vary from what is said here.


I. Installing the Client Software

First, you need to obtain the latest OpenVPN client built for your system. Unfortunately, the standard distribution repositories are frozen at the time of each Linux release, and while they may receive security patches to libraries, they do not get updates to newer versions of the openvpn package itself. Because of this, all Debian/Ubuntu repositories are seriously out of date, even the most recent (Jessie and Trusty, respectively). The versions in these standard distro repositories are not secure to use, and will not connect to our VPN server. This is because our configurations require a number of new leading edge features such as full IPv6 support, TLS1.2 ciphers, and wildcarded DNS entries.

Therefore, in order to install the latest openvpn client you must follow the instructions given here:
https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos

That page describes how to add the official OpenVPN repository for your Linux release to your APT configuration. Here is the TL;DR version:

  1. Open a shell as root, either from your GUI's menu or by using the command "su -" (or "sudo -s") in a terminal or xterm window, and supplying your superuser password.
  2. In your root shell window, install the signing key which the OpenVPN project uses to sign its packages:
    # wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
  3. Now add the OpenVPN repository to your APT sources list:
    # echo "deb http://swupdate.openvpn.net/apt {osrelease} main" > /etc/apt/sources.list.d/swupdate.openvpn.net.list
    (replacing {osrelease} with the name of your Debian or Ubuntu release, such as wheezy)
  4. Update your sources list and install openvpn, along with any dependencies:
    # apt-get update && apt-get install openvpn
    Note: if you are someone who prefers to compile your binaries from original source, you may do so by following the instructions given here.

In order to prevent DNS leakage, you need to let our server gateway "PUSH" a list of DNS servers and tell your system to use them, whenever you're connected to ElanVPN. The package that does this is called openresolv. Make sure that you have it installed:
# apt-get install openresolv
(An older package that does the same job is resolvconf.)



II. Installing the ElanVPN Max Configuration and Connecting to the VPN

We deliver a your account credentials to you in the form of a .zip file. This ZIP contains a directory structure supplying VPN configurations and associated files for each supported platform. After unzipping the file, navigate to the ./linux subdirectory. The files there which are important are:

ElanVPN-Max.conf
this is the configuration file for use with our Max network
README
contains your login credentials, along with a text version of the instructions on this page
elanvpn_auth
automatic login/authorization script invoker
elanvpn_auth_real
the actual automatic login/authorization script (also contains your VPN login credentials)
elanclient1.crt
the client security certificate
elanclient1.key
the client private key
elanca.crt
the CA certificate
elanhmac.dat
TLS auth key
ElanVPN-Max.ovpn
this is the configuration file with certs and keys inlined

On Linux there are two ways to manage your VPN connections:

  1. By using direct (manual) invocation of the init scripts.
  2. By using the Network Manager GUI.

Unfortunately, the Network Manager GUI is even more out of date than the stock OpenVPN client version, in all Debian and Ubuntu distributions. Consequently it cannot handle the 'remote-random-hostname' directive, among other problems. This means that you even if you import our distributed config into the Manager successfully, it will not be able to connect to the network. (The symptom for this is experiencing a DNS lookup failure on the gateway.)

Therefore, we are going to describe first how to run the ElanVPN Max config from the console (i.e. in a superuser shell window), because this method works.


1. Using the Init Scripts (manual operation)

  1. As root, copy all of the config files from the unzipped credentials ./linux subdirectory to your /etc/openvpn directory. (Copying README is optional.)
    # cp ElanVPN-Max.conf elan* /etc/openvpn
  2. To start up the VPN and connect to ElanVPN Max using your credentials, simply give the following command in a shell window with root privileges:
    # service openvpn start ElanVPN-Max
  3. If our VPN is the only one you plan to use, you may omit the "ElanVPN-Max" argument by setting the auto-start default in /etc/default/openvpn to read:
    AUTOSTART="ElanVPN-Max"
    Note that setting this default means that your system will attempt to connect to our VPN immediately after connecting to the internet (just like ticking the "Connect automatically" box does with the GUI method).
  4. To stop your client and disconnect from the VPN, simply do (as root):
    # service openvpn stop


2. Using the Network Manager GUI Tool

This method is not recommended due to the age and lack of maintenance of the Network Manager GUI. However, if you want to try it, here is what to do.

A. First, make sure that you have these packages installed:
network-manager
network-manager-openvpn
network-manager-gnome
network-manager-openvpn-gnome

This command (issued as root) does this:
# apt-get install network-manager network-manager-openvpn network-manager-gnome network-manager-openvpn-gnome

B. Start the Network Manager. This can be done either through the menu system or by right-clicking your wireless (or wired) connection icon. Select the menu item "Edit Connections."

C. You will see a tab toward the right labeled "VPN" with a padlock icon. Go to this tab. Use the "Import" menu item, and navigate to the directory where your config files are stored. You will then choose the config file, ElanVPN-Max.conf. Open this file.

Next you will see a page showing the results of the import. You may check the box at the top for "Connect automatically" if you wish, but please do not make any changes elsewhere, including on the Advanced screens. Save the config.

D. Finally, as root, copy the auto-login authorization scripts to the /etc/openvpn directory:
# cp elanvpn_auth elanvpn_auth_real /etc/openvpn

E. You should now be able to tell the GUI to start and stop the VPN connection. Do this by left-clicking on your wireless or wired connection icon, and accessing the VPN sub-menu, where you will select ElanVPN-Max and connect.

If the VPN does not connect, examine the logfile. If you see problems reported related to no DNS for the VPN gateway, this is because the "Import" function in the Network Manager's VPN plugin is too old to understand the directives in our .conf file, which require dynamic DNS. (The stock OpenVPN version in existing Debian and Ubuntu distributions exhibits the same problem.) If this happens, your system's Network Manager is broken and thus cannot be used with a modern VPN configuration. Please refer to the instructions above for using manual script operation.


3. Troubleshooting Connections

Our configuration defines the destination log file as:
/var/log/openvpn.elanvpn-max.log
This is where you will find output related to connect attempts to our VPN. If you are having trouble getting connected, you may find it useful to run a tail on this file:
# tail -f /var/log/openvpn.elanvpn-max.log
in a root shell window.

To increase the level of detail reported in this log, you may edit the file /etc/openvpn/ElanVPN-Max.conf using your favorite text editor (run as the superuser) and change the line "verb 1" (near the top) to "verb 3". You may also change the log file location by editing the line beginning with "log". Commenting it out (with a leading ';' or '#' character) will force the use of the default logfile, /var/log/openvpn.log. We ask that you do not edit or comment out any other settings in the file, as these are set very precisely as they need to be for maximum security.

If the auto-login procedure fails, you should see some indication of this in the logfile. Another symptom is that all surfing fails after you connect to the VPN. This can happen if, for example, your subscription has expired or you have exhausted your monthly bandwidth allotment. For a description of how to proceed with a manual login to the VPN, please see this page.