
Configuring the OpenVPN service with LDAP authentication

Purpose of the article


The main purpose of this article is to show one possible scenario for setting up a VPN access system based on OpenVPN with LDAP authentication against FreeIPA.

Audience


This article is intended for Linux system administrators.

Introduction


Remote access to the infrastructure is needed for many tasks, such as remote support and the use of internal services by employees working remotely.

About OpenVPN


OpenVPN is a free, open source implementation of virtual private network (VPN) technology for creating encrypted point-to-point or server-to-client channels between computers. It allows connections between computers behind NAT and firewalls without changing their settings.
There are a great many articles on the Internet describing OpenVPN and its configuration.

Initial data


We have an infrastructure that includes several servers, where all services are implemented as LXC containers. This infrastructure already includes the following configured servers:

Server     IP              OS          Description
server1    10.209.102.10   CentOS 7.x  Hypervisor for LXC containers.
freeIPA1   10.209.102.11   CentOS 7.x  IDM system for centralized management of user accounts and service access rights.

All containers are managed through the LXC driver for libvirt, and all subsequent services are assumed to be deployed the same way.
On server1, containers reach the network through a network bridge called br0.
An account for binding to the LDAP server is provided.

Tasks


We need to provide employees with remote access to the infrastructure. A mandatory requirement is additional verification of the user by a username/password pair. In our infrastructure, user accounts are stored in FreeIPA, so we need to integrate OpenVPN authentication with FreeIPA.
In outline, the tasks are:
• Install and configure an LXC container to serve OpenVPN requests
• Install and configure the OpenVPN server
• Configure LDAP (FreeIPA-based) authentication on the OpenVPN server
• Set up an OpenVPN client

Installing an LXC Container


• Connect to the server1 hypervisor
• Create the container directory tree with the repository definitions
 [root@server1 /]# mkdir -p /var/lib/libvirt/lxc/openvpn1/etc/yum.repos.d/
 [root@server1 /]# cp /etc/yum.repos.d/CentOS-Base.repo /var/lib/libvirt/lxc/openvpn1/etc/yum.repos.d/
 [root@server1 /]# cd /var/lib/libvirt/lxc/openvpn1/etc/yum.repos.d
 [root@server1 yum.repos.d]# sed -ie 's/\$releasever/7/g' CentOS-Base.repo

The point of these operations is that CentOS will be installed via yum, which requires the repository paths to be known. The yum configuration file must therefore exist before the installation starts, so that yum knows where to download the packages from. The container files for openvpn1 will be located in /var/lib/libvirt/lxc/openvpn1; make sure this file system has enough free disk space.
• Install the CentOS 7 base files using the option to specify the installation location (--installroot):
 [root@server1 yum.repos.d]# yum groupinstall core --installroot=/var/lib/libvirt/lxc/openvpn1/ --nogpgcheck -y 

• Set root password in container
 [root@server1 yum.repos.d]# chroot /var/lib/libvirt/lxc/openvpn1/ /bin/bash -c "/bin/echo RootPasswordhere | /usr/bin/passwd --stdin root"
 Changing password for user root.
 passwd: all authentication tokens updated successfully.

• Allow root to log in on the container console (pts/0)
 [root@server1 ssh]# echo pts/0 >> /var/lib/libvirt/lxc/openvpn1/etc/securetty 

• Set the hostname
 [root@server1 ssh]# echo openvpn1.cloud.bellintegrator.com > /var/lib/libvirt/lxc/openvpn1/etc/hostname 

• Create the network interface configuration file
 [root@server1 /]# touch /var/lib/libvirt/lxc/openvpn1/etc/network
 [root@server1 /]# echo -e "DEVICE=eth0\nONBOOT=yes\nBOOTPROTO=static\nIPADDR=10.209.102.12\nNETMASK=255.255.255.0\nGATEWAY=10.209.102.1" >/var/lib/libvirt/lxc/openvpn1/etc/sysconfig/network-scripts/ifcfg-eth0

• Configure resolv.conf. In our setup FreeIPA provides the DNS service, so the IPA server is listed as the first nameserver.
 [root@server1 /]# echo -e "search cloud.bellintegrator.com\nnameserver 10.209.102.11\nnameserver 8.8.8.8" >/var/lib/libvirt/lxc/openvpn1/etc/resolv.conf

• Create LXC container via libvirt
 [root@server1 yum.repos.d]# virt-install --connect lxc:// --name openvpn1 --ram 512 --os-variant rhel7 --network bridge=br0 --filesystem /var/lib/libvirt/lxc/openvpn1/,/
 Starting install...
 Creating domain... | 0 B 00:00
 Connected to domain openvpn1
 Escape character is ^]
 systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
 Detected virtualization lxc-libvirt.
 Detected architecture x86-64.

 Welcome to CentOS Linux 7 (Core)!

 Initializing machine ID from container UUID.
 Failed to install release agent, ignoring: No such file or directory
 Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
 Configuration file /usr/lib/systemd/system/ebtables.service is marked executable. Please remove executable permission bits. Proceeding anyway.
 Cannot add dependency job for unit display-manager.service, ignoring: Unit display-manager.service failed to load: No such file or directory.
 [ OK ] Reached target Remote File Systems.
 [ OK ] Reached target Encrypted Volumes.
 [ OK ] Reached target Swap.
 [ OK ] Created slice Root Slice.
 [ OK ] Created slice User and Session Slice.
 [ OK ] Listening on Journal Socket.
 [ OK ] Created slice System Slice.
 Mounting POSIX Message Queue File System...
 [ OK ] Reached target Slices.
 Mounting Huge Pages File System...
 Starting Configure read-only root support...
 Starting Load/Save Random Seed...
 [ OK ] Reached target Local File Systems (Pre).
 Starting Journal Service...
 Mounting FUSE Control File System...
 Mounting Configuration File System...
 Starting Rebuild Hardware Database...
 Mounting Debug File System...
 [ OK ] Created slice system-getty.slice.
 [ OK ] Listening on /dev/initctl Compatibility Named Pipe.
 [ OK ] Listening on Delayed Shutdown Socket.
 Starting Rebuild Dynamic Linker Cache...
 [ OK ] Mounted Debug File System.
 [ OK ] Mounted Configuration File System.
 [ OK ] Mounted FUSE Control File System.
 [ OK ] Mounted POSIX Message Queue File System.
 [ OK ] Mounted Huge Pages File System.
 [ OK ] Started Load/Save Random Seed.
 [ OK ] Started Configure read-only root support.
 [ OK ] Started Journal Service.
 Starting Flush Journal to Persistent Storage...
 [ OK ] Reached target Local File Systems.
 Starting Mark the need to relabel after reboot...
 Starting Tell Plymouth To Write Out Runtime Data...
 Starting Rebuild Journal Catalog...
 [ OK ] Started Rebuild Dynamic Linker Cache.
 [ OK ] Started Mark the need to relabel after reboot.
 [ OK ] Started Flush Journal to Persistent Storage.
 Starting Create Volatile Files and Directories...
 [ OK ] Started Rebuild Journal Catalog.
 [ OK ] Started Create Volatile Files and Directories.
 Starting Security Auditing Service...
 [ OK ] Started Tell Plymouth To Write Out Runtime Data.
 [FAILED] Failed to start Security Auditing Service.
 See 'systemctl status auditd.service' for details.
 Starting Update UTMP about System Boot/Shutdown...
 [ OK ] Started Update UTMP about System Boot/Shutdown.
 [ OK ] Started Rebuild Hardware Database.
 Starting Show Plymouth Boot Screen...
 Starting Update is Completed...
 [ OK ] Started Update is Completed.
 [ OK ] Reached target System Initialization.
 [ OK ] Reached target Timers.
 [ OK ] Listening on D-Bus System Message Bus Socket.
 [ OK ] Reached target Sockets.
 Starting Cleanup of Temporary Directories...
 [ OK ] Started Cleanup of Temporary Directories.
 [ OK ] Started Show Plymouth Boot Screen.
 [ OK ] Reached target Paths.
 [ OK ] Reached target Basic System.
 [ OK ] Started D-Bus System Message Bus.
 Starting D-Bus System Message Bus...
 Starting firewalld - dynamic firewall daemon...
 Starting System Logging Service...
 Starting Permit User Sessions...
 Starting Dump dmesg to /var/log/dmesg...
 Starting OpenSSH Server Key Generation...
 [ OK ] Started irqbalance daemon.
 Starting irqbalance daemon...
 Starting Login Service...
 [ OK ] Started Permit User Sessions.
 Starting Terminate Plymouth Boot Screen...
 [ OK ] Started Command Scheduler.
 Starting Command Scheduler...
 Starting Wait for Plymouth Boot Screen to Quit...
 [ OK ] Started System Logging Service.
 [ OK ] Started Dump dmesg to /var/log/dmesg.

 CentOS Linux 7 (Core)
 Kernel 3.10.0-327.18.2.el7.x86_64 on an x86_64

 openvpn1 login: CTRL + ]
 ^]Domain creation completed.

• Connect to the container console to check that it works (exit with the CTRL + ] combination)
 [root@server1 /]# virsh -c lxc:/// console openvpn1
 Connected to domain openvpn1
 Escape character is ^]

 CentOS Linux 7 (Core)
 Kernel 3.10.0-327.18.2.el7.x86_64 on an x86_64

 openvpn1 login: root
 Password: <RootPasswordhere>
 Last login: Wed May 18 11:40:58 on pts/0
 [root@openvpn1 ~]# reboot
 Sending SIGTERM to remaining processes...
 Sending SIGKILL to remaining processes...
 Rebooting.
 [root@server1 /]#

• Connect to the LXC container via SSH (all further steps are performed inside the container)
• Install the IPA client and enroll the container in FreeIPA so that user accounts are managed centrally.
 [root@openvpn1 ~]# yum install ipa-client -y
 [root@openvpn1 ~]# ipa-client-install --mkhomedir
 Discovery was successful!
 Client hostname: openvpn1.cloud.bellintegrator.com
 Realm: CLOUD.BELLINTEGRATOR.COM
 DNS Domain: cloud.bellintegrator.com
 IPA Server: freeipa1.cloud.bellintegrator.com
 BaseDN: dc=cloud,dc=bellintegrator,dc=com

 Continue to configure the system with these values? [no]: yes
 Synchronizing time with KDC...
 Attempting to sync time using ntpd. Will timeout after 15 seconds
 Attempting to sync time using ntpd. Will timeout after 15 seconds
 Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
 User authorized to enroll computers: admin
 Password for admin@CLOUD.BELLINTEGRATOR.COM: adminpassword
 Successfully retrieved CA cert
 Subject: CN=Certificate Authority,O=CLOUD.BELLINTEGRATOR.COM
 Issuer: CN=Certificate Authority,O=CLOUD.BELLINTEGRATOR.COM
 Valid From: Fri Apr 15 10:01:10 2016 UTC
 Valid Until: Tue Apr 15 10:01:10 2036 UTC

 Enrolled in IPA realm CLOUD.BELLINTEGRATOR.COM
 Created /etc/ipa/default.conf
 New SSSD config will be created
 Configured sudoers in /etc/nsswitch.conf
 Configured /etc/sssd/sssd.conf
 Configured /etc/krb5.conf for IPA realm CLOUD.BELLINTEGRATOR.COM
 trying https://freeipa1.cloud.bellintegrator.com/ipa/json
 Forwarding 'ping' to json server 'https://freeipa1.cloud.bellintegrator.com/ipa/json'
 Forwarding 'ca_is_enabled' to json server 'https://freeipa1.cloud.bellintegrator.com/ipa/json'
 Systemwide CA database updated.
 Added CA certificates to the default NSS database.
 Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
 Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
 Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
 Forwarding 'host_mod' to json server 'https://freeipa1.cloud.bellintegrator.com/ipa/json'
 SSSD enabled
 Configured /etc/openldap/ldap.conf
 NTP enabled
 Configured /etc/ssh/ssh_config
 Configured /etc/ssh/sshd_config
 Configuring cloud.bellintegrator.com as NIS domain.
 Client configuration complete.

• By default, the LXC driver for libvirt does not pass the /dev/net/tun device into the container. To fix this, the capabilities settings in the container configuration must be changed, which requires shutting the container down first:
 [root@openvpn1 ~]# shutdown -h now 

• Next, edit the configuration
 [root@server1 ~]# virsh -c lxc:// edit openvpn1 

• Insert a hostdev block into the container configuration (inside <devices>) so that tun interfaces can be created:
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/var/lib/libvirt/lxc/openvpn1/'/>
      <target dir='/'/>
    </filesystem>
    <interface type='bridge'>
      <mac address='00:16:3e:20:de:5a'/>
      <source bridge='br0'/>
    </interface>
    <console type='pty'>
      <target type='lxc' port='0'/>
    </console>
    <hostdev mode='capabilities' type='misc'>
      <source>
        <char>/dev/net/tun</char>
      </source>
    </hostdev>
  </devices>




• Start the container
 [root@server1 ~]# virsh -c lxc:// start openvpn1 


Basic OpenVPN service setup



There are many detailed articles on the Internet describing the installation of OpenVPN, so the installation steps are covered only briefly here.
• Enable the EPEL repository
 [root@openvpn1 ~]# yum install epel-release -y 

• Install openvpn packages
 [root@openvpn1 ~]# yum install openvpn easy-rsa -y 

• Copy demo config
 [root@openvpn1 ~]# cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/ 

• Edit the configuration file (the resulting configuration is shown below as an example):
  [root@openvpn1 ~]# cat /etc/openvpn/server.conf
  port 1194
  proto udp
  #tun-mtu 1400
  dev tun
  ca ca.crt
  cert server.crt
  key server.key  # This file should be kept secret
  dh dh2048.pem
  tls-auth ta.key 0
  server 192.168.233.0 255.255.255.0
  ifconfig-pool-persist ipp.txt
  push "route 10.209.102.0 255.255.255.0"
  push "route 10.209.101.0 255.255.255.0"
  push "route 10.209.105.0 255.255.255.0"
  push "dhcp-option DNS 10.209.102.11"
  duplicate-cn
  keepalive 10 120
  comp-lzo
  user nobody
  group nobody
  persist-key
  persist-tun
  status openvpn-status.log
  log /var/log/openvpn.log
  verb 3
  mute 20

• Enable packet routing
 [root@openvpn1 ~]# echo "net.ipv4.ip_forward = 1" >>/etc/sysctl.conf
 [root@openvpn1 ~]# sysctl -p

• Open the required ports using firewalld
 [root@openvpn1 ~]# firewall-cmd --permanent --add-service=openvpn
 success
 [root@openvpn1 ~]# firewall-cmd --add-service=openvpn
 success

Generating certificates and required security files


• Generate a Diffie-Hellman file.
 [root@openvpn1 ~]# openssl dhparam -out /etc/openvpn/dh2048.pem 2048
 Generating DH parameters, 2048 bit long safe prime, generator 2
 This is going to take a long time
 ............+..........................+.......................................++*++*

• Generate ta.key file
 [root@openvpn1 ~]# openvpn --genkey --secret /etc/openvpn/ta.key 

• Set up the environment for easy-rsa
 [root@openvpn1 ~]# mkdir -p /etc/openvpn/easy-rsa/keys
 [root@openvpn1 ~]# cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
 [root@openvpn1 ~]# cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf

• Edit the /etc/openvpn/easy-rsa/vars file
 [root@openvpn1 ~]# cat /etc/openvpn/easy-rsa/vars |egrep -v "^#|^$"
 export EASY_RSA="`pwd`"
 export OPENSSL="openssl"
 export PKCS11TOOL="pkcs11-tool"
 export GREP="grep"
 export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
 export KEY_DIR="$EASY_RSA/keys"
 echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
 export PKCS11_MODULE_PATH="dummy"
 export PKCS11_PIN="dummy"
 export KEY_SIZE=2048
 export CA_EXPIRE=3650
 export KEY_EXPIRE=3650
 export KEY_COUNTRY="US"
 export KEY_PROVINCE="CA"
 export KEY_CITY="SanJose"
 export KEY_ORG="BellIntegrator"
 export KEY_EMAIL="some@e.mail"
 export KEY_OU="CloudComputing"
 export KEY_NAME="server"
 export KEY_CN="openvpn1.cloud.bellintegrator.com"

• Create a certificate authority (CA) using the easy-rsa infrastructure
 [root@openvpn1 ~]# cd /etc/openvpn/easy-rsa
 [root@openvpn1 ~]# source ./vars
 [root@openvpn1 ~]# ./clean-all
 [root@openvpn1 ~]# ./build-ca
 Generating a 2048 bit RSA private key
 .......+++
 ......+++
 writing new private key to 'ca.key'
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [US]: <ENTER>
 State or Province Name (full name) [CA]: <ENTER>
 Locality Name (eg, city) [SanJose]: <ENTER>
 Organization Name (eg, company) [BellIntegrator]: <ENTER>
 Organizational Unit Name (eg, section) [CloudComputing]: <ENTER>
 Common Name (eg, your name or your server's hostname) [openvpn1.cloud.bellintegrator.com]: <ENTER>
 Name [server]: <ENTER>
 Email Address [some@e.mail]: <ENTER>

• Generate the server certificate and key:
 [root@openvpn1 ~]# ./build-key-server server
 Generating a 2048 bit RSA private key
 ............+++
 .......................................+++
 writing new private key to 'server.key'
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [US]:
 State or Province Name (full name) [CA]:
 Locality Name (eg, city) [SanJose]:
 Organization Name (eg, company) [BellIntegrator]:
 Organizational Unit Name (eg, section) [CloudComputing]:
 Common Name (eg, your name or your server's hostname) [server]:
 Name [server]:
 Email Address [akropachev@bellintegrator.com]:

 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:
 An optional company name []:
 Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
 Check that the request matches the signature
 Signature ok
 The Subject's Distinguished Name is as follows
 countryName           :PRINTABLE:'US'
 stateOrProvinceName   :PRINTABLE:'CA'
 localityName          :PRINTABLE:'SanJose'
 organizationName      :PRINTABLE:'BellIntegrator'
 organizationalUnitName:PRINTABLE:'CloudComputing'
 commonName            :PRINTABLE:'server'
 name                  :PRINTABLE:'server'
 emailAddress          :IA5STRING:' some@e.mail '
 Certificate is to be certified until May 21 14:40:30 2026 GMT (3650 days)
 Sign the certificate? [y/n]:y

 1 out of 1 certificate requests certified, commit? [y/n]y
 Write out database with 1 new entries
 Data Base Updated

• Copy certificates to the OpenVPN server configuration directory:
 [root@openvpn1 ~]# cd /etc/openvpn/easy-rsa/keys
 [root@openvpn1 ~]# cp ca.crt server.crt server.key /etc/openvpn


Setting up authentication via FreeIPA (ldap auth)



The main idea is to raise the security of the remote access service by requiring a username/password pair in addition to certificate-based authentication. It is assumed that the FreeIPA service is already configured and running. Members of the vpnusers group will be granted remote access.
• Create a vpnusers group on the IPA server and add the users who should have remote access via OpenVPN to it
• Build the openvpn-auth-ldap package
There is no openvpn-auth-ldap build for CentOS 7. This is easily solved by rebuilding the src.rpm from the Fedora 23 packages (building packages as root is, of course, not a good idea, so I strongly recommend installing the build dependencies and building the RPM on a separate host; to keep the instructions simple, we build on the same server).
 [root@openvpn1 ~]# yum install wget rpm-build re2c doxygen openldap-devel check-devel gcc-objc gnustep-base-devel autoconf -y
 [root@openvpn1 ~]# wget http://mirror.yandex.ru/fedora/linux/releases/22/Everything/source/SRPMS/o/openvpn-auth-ldap-2.0.3-16.fc22.src.rpm
 [root@openvpn1 ~]# rpm -ivh openvpn-auth-ldap*.rpm
 [root@openvpn1 ~]# cd /root/rpmbuild/SPECS/
 [root@openvpn1 SPECS]# rpmbuild -bb /root/rpmbuild/SPECS/openvpn-auth-ldap.spec

• Install the openvpn-auth-ldap package
 [root@openvpn1 ~]# rpm -ivh /root/rpmbuild/RPMS/x86_64/openvpn-auth-ldap-2.0.3-16.el7.centos.x86_64.rpm 

• Edit the authentication file. Note that the bind account on the LDAP server must already exist with the required password.
 [root@openvpn1 SPECS]# cat /etc/openvpn/auth/ldap.conf |egrep -v "^$|^$"
 <LDAP>
   # LDAP server URL
   URL ldaps://freeipa1.cloud.bellintegrator.com

   # Bind DN (If your LDAP server doesn't support anonymous binds)
   BindDN uid=system,cn=sysaccounts,cn=etc,dc=cloud,dc=bellintegrator,dc=com

   # Bind Password
   Password YourLdapPassword

   # Network timeout (in seconds)
   Timeout 15

   # Enable Start TLS
   TLSEnable no

   # Follow LDAP Referrals (anonymously)
   FollowReferrals yes

   # TLS CA Certificate File
   TLSCACertFile /usr/local/etc/ssl/ca.pem

   # TLS CA Certificate Directory
   TLSCACertDir /etc/ssl/certs

   # Client Certificate and key
   # If TLS client authentication is required
   TLSCertFile /usr/local/etc/ssl/client-cert.pem
   TLSKeyFile /usr/local/etc/ssl/client-key.pem

   # Cipher Suite
   # The defaults are usually fine here
   # TLSCipherSuite ALL:!ADH:@STRENGTH
 </LDAP>

 <Authorization>
   # Base DN
   BaseDN "cn=users,cn=accounts,dc=cloud,dc=bellintegrator,dc=com"

   # User Search Filter
   #SearchFilter "(&(uid=%u)(accountStatus=active))"
   SearchFilter "(&(uid=%u)(memberOf=cn=vpnusers,cn=groups,cn=accounts,dc=cloud,dc=bellintegrator,dc=com)(!(nsaccountlock=TRUE)))"

   # Require Group Membership
   RequireGroup false

   # Add non-group members to a PF table (disabled)
   #PFTable ips_vpn_users

   # <Group>
   #   BaseDN "ou=Groups,dc=example,dc=com"
   #   SearchFilter "(|(cn=developers)(cn=artists))"
   #   MemberAttribute uniqueMember
   #   # Add group members to a PF table (disabled)
   #   #PFTable ips_vpn_eng
   # </Group>
 </Authorization>

• Edit the OpenVPN configuration file
 [root@openvpn1 ~]# cat /etc/openvpn/server.conf
 port 1194
 proto udp
 #tun-mtu 1400
 dev tun
 ca ca.crt
 cert server.crt
 key server.key  # This file should be kept secret
 dh dh2048.pem
 tls-auth ta.key 0
 #cipher AES-256-CBC
 plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so auth/ldap.conf
 #client-cert-not-required
 username-as-common-name
 server 192.168.233.0 255.255.255.0
 ifconfig-pool-persist ipp.txt
 push "route 10.209.102.0 255.255.255.0"
 push "route 10.209.101.0 255.255.255.0"
 push "route 10.209.105.0 255.255.255.0"
 push "dhcp-option DNS 10.209.102.11"
 duplicate-cn
 keepalive 10 120
 comp-lzo
 user nobody
 group nobody
 persist-key
 persist-tun
 status openvpn-status.log
 log /var/log/openvpn.log
 verb 3
 mute 20

• Restart the OpenVPN service
 [root@openvpn1 ~]# systemctl restart openvpn@server 
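Because RequireGroup is false, the SearchFilter in ldap.conf above is the only place where vpnusers membership and the disabled-account check (nsaccountlock) are enforced, so it is worth verifying offline what that filter admits. The following added example is my code, not the article's or the openvpn-auth-ldap plugin's: it substitutes %u with RFC 4515 escaping (assumed here; confirm that the plugin version you build escapes the username the same way) and evaluates the rendered filter against three constructed FreeIPA-style entries.

```python
"""Offline check of the openvpn-auth-ldap SearchFilter shown on this page:
render %u with RFC 4515 escaping, then evaluate the filter against
constructed FreeIPA-style entries to see which accounts are admitted."""
import re

# SearchFilter copied from the article's /etc/openvpn/auth/ldap.conf.
SEARCH_FILTER = ("(&(uid=%u)(memberOf=cn=vpnusers,cn=groups,cn=accounts,"
                 "dc=cloud,dc=bellintegrator,dc=com)(!(nsaccountlock=TRUE)))")
VPNUSERS_DN = "cn=vpnusers,cn=groups,cn=accounts,dc=cloud,dc=bellintegrator,dc=com"

# Constructed entries: alice is in vpnusers, bob is not, carol is in vpnusers but disabled.
DIRECTORY = [
    {"uid": ["alice"], "memberof": [VPNUSERS_DN]},
    {"uid": ["bob"], "memberof": []},
    {"uid": ["carol"], "memberof": [VPNUSERS_DN], "nsaccountlock": ["TRUE"]},
]

def escape_filter_value(value):
    """RFC 4515 escaping so the typed username stays a literal value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def render_filter(template, username):
    """Substitute %u as the plugin does, using the escaped username."""
    return template.replace("%u", escape_filter_value(username))

def parse_filter(text):
    """Parse an LDAP filter (&, ! and attr=value) into nested tuples."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] == "&":
            kids = []
            pos += 1
            while text[pos] != ")":
                kids.append(node())
            pos += 1
            return ("&", kids)
        if text[pos] == "!":
            pos += 1
            kid = node()
            pos += 1  # closing ')' of the NOT
            return ("!", [kid])
        end = text.index(")", pos)
        attr, _, val = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.lower(), val)
    ast = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return ast

def unescape(val):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), val)

def matches(ast, entry):
    """Evaluate a parsed filter against one entry (dict attr -> [values])."""
    if ast[0] == "&":
        return all(matches(k, entry) for k in ast[1])
    if ast[0] == "!":
        return not matches(ast[1][0], entry)
    want = unescape(ast[2]).lower()  # LDAP compares these values case-insensitively
    return any(v.lower() == want for v in entry.get(ast[1], []))

def would_admit(template, username, directory=DIRECTORY):
    """Simulate the plugin's lookup for a typed username; return matching uids."""
    ast = parse_filter(render_filter(template, username))
    return [e["uid"][0] for e in directory if matches(ast, e)]

if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "*"):
        print("%-5s -> %s" % (name, would_admit(SEARCH_FILTER, name)))
```

Only alice is admitted: bob is not in vpnusers, carol is locked, and a wildcard username is escaped to a literal and matches nobody.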


Client Access Setup

• Generate the client certificate
 [root@openvpn1 ~]# cd /etc/openvpn/easy-rsa
 [root@openvpn1 ~]# ./build-key client

• Copy the necessary files in one place
 [root@openvpn1 ~]# mkdir /root/client; cp /etc/openvpn/ta.key /etc/openvpn/easy-rsa/keys/client.key /etc/openvpn/easy-rsa/keys/client.crt /etc/openvpn/easy-rsa/keys/ca.crt /root/client/
 [root@openvpn1 /]# ls /root/client/
 ca.crt client.crt client.key ta.key

• Create the client configuration file
 [root@openvpn1 ~]# cat /root/client/client.ovpn
 client
 dev tun
 proto udp
 remote 10.209.102.12 1194
 resolv-retry infinite
 nobind
 persist-key
 persist-tun
 comp-lzo
 verb 3
 ca ca.crt
 cert client.crt
 key client.key
 auth-user-pass
 tls-auth ta.key 1
 #cipher AES-256-CBC

• Transfer the files from the /root/client directory to the client machine
• Connect from Linux:
 [root@client ~]# openvpn --config /root/client/client.ovpn 

Source: https://habr.com/ru/post/301554/

