How To Automate OpenVPN Client Connection On RHEL 8

For one of the most recent projects in my homelab, I had a requirement to ensure that a system would always be connected to my VPN service provider and that it would do so automatically on startup if it was ever rebooted.

The VPN provider I use is ExpressVPN, but these steps should work for any provider. I just needed to download the required configuration file (.ovpn) from the provider that contains their certificates and default connection settings.

Install OpenVPN package

  1. The OpenVPN package is provided by the Extra Packages for Enterprise Linux (EPEL) repository, so the first step is to install the latest EPEL release package to make it available. The following commands are specific to RHEL 8; see the fedoraproject.org website for instructions for other distributions.

    dnf update -y

    Enable the codeready-builder repository:
    subscription-manager repos --enable codeready-builder-for-rhel-8-$(arch)-rpms

    Install the latest epel release:
    dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

    Install OpenVPN:
    dnf install -y openvpn

Enable Forwarding and Open Firewall

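  1. The next step is to ensure the system can communicate with the VPN server.

    Enable IPv4 forwarding (this takes effect immediately, but writing to /proc is lost at the next reboot unless the setting is also made persistent through sysctl configuration):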
    echo 1 > /proc/sys/net/ipv4/ip_forward

    Add the tun0 interface to the trusted zone (the --permanent form applies after a service restart, the second command applies immediately at runtime):
    firewall-cmd --zone=trusted --add-interface=tun0 --permanent
    firewall-cmd --zone=trusted --add-interface=tun0

Configure OpenVPN Client

  1. This step requires that you have a configuration file (.ovpn) downloaded from your VPN provider/server. My provider is ExpressVPN and, probably like other VPN providers, it lets me download the required file and get the required username and password credentials from its manual configuration page. That page provides my username and password, and scrolling further down I'm able to select and download the configuration file for the location I wish to connect to.

  1. After you download the .ovpn file, it needs to be copied or moved to the client configuration directory and renamed. An example of a typical command would be:
    cp ./my_expressvpn_usa_-_san_francisco_udp.ovpn /etc/openvpn/client/client.conf

  2. The next step is to create a file for the provided credentials, placing the username on the first line followed by the password on the second line. This command creates a file called 'auth' in the client configuration directory. I also restrict the file so that only its owner can read and write it:
    echo -e "<username>\n<password>" > /etc/openvpn/client/auth
    chmod 600 /etc/openvpn/client/auth

  3. Now we need to edit/add the following line in the client configuration file (client.conf) to reference the file with the credentials (auth):
    vi /etc/openvpn/client/client.conf

    auth-user-pass auth

The directory tree for /etc/openvpn should look something like this:

    .
    ├── client
    │   ├── auth
    │   └── client.conf
    └── server

    2 directories, 2 files
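
Before enabling the service, the layout above can be checked with a short script. This is an added example, not part of the original post: the function names and the values written by demo() are made up for illustration, and it assumes GNU stat as shipped on RHEL.

```bash
#!/usr/bin/env bash
# Added example: audit the client directory built in the steps above.
# Usage: check_openvpn_client [DIR] [OWNER_UID]   (returns 0 when all checks pass)
check_openvpn_client() {
    local dir="${1:-/etc/openvpn/client}" uid="${2:-0}"
    local conf="$dir/client.conf" ref auth mode rc=0

    [ -f "$conf" ] || { echo "FAIL: $conf not found"; return 1; }

    # A bare "auth-user-pass" (no file) makes OpenVPN prompt for credentials,
    # so an unattended start at boot cannot log in.
    ref=$(awk '$1 == "auth-user-pass" && NF >= 2 { print $2; exit }' "$conf")
    [ -n "$ref" ] || { echo "FAIL: no 'auth-user-pass <file>' in $conf"; return 1; }

    # Assumption: a relative path is resolved against the config directory.
    case "$ref" in /*) auth="$ref" ;; *) auth="$dir/$ref" ;; esac
    [ -f "$auth" ] || { echo "FAIL: $auth not found"; return 1; }

    # Credentials are stored in clear text: owner-only access, expected owner.
    mode=$(stat -c '%a' "$auth")
    case "$mode" in
        600|400) ;;
        *) echo "FAIL: $auth has mode $mode, expected 600"; rc=1 ;;
    esac
    if [ "$(stat -c '%u' "$auth")" != "$uid" ]; then
        echo "FAIL: $auth is not owned by uid $uid"; rc=1
    fi

    # Line 1 is the username, line 2 the password; neither may be empty.
    if ! awk 'NR <= 2 && $0 == "" { bad = 1 } END { exit (NR < 2 || bad) }' "$auth"; then
        echo "FAIL: $auth needs a username on line 1 and a password on line 2"; rc=1
    fi
    # Catch the <username>/<password> placeholders left unedited.
    if grep -Eq '^<(username|password)>$' "$auth"; then
        echo "FAIL: $auth still contains placeholder text"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $dir"
    return "$rc"
}

# Constructed sample layout so the check can be tried without touching /etc.
demo() {
    local d; d=$(mktemp -d)
    printf 'client\nremote vpn.example.com 1195\nauth-user-pass auth\n' > "$d/client.conf"
    (umask 077; printf 'demo-user\ndemo-pass\n' > "$d/auth")
    check_openvpn_client "$d" "$(id -u)"
}
```

Run as root with no arguments, check_openvpn_client inspects /etc/openvpn/client and expects the auth file to be owned by uid 0.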

Enable the OpenVPN Client Service

  1. Configuration of the client should now be complete. The only thing remaining is to enable the service to start automatically at boot. Use --now to also start the service in the current runtime:
    systemctl enable openvpn-client@client --now

  2. Check the status of the connection with:
    ifconfig tun0
