Getting VPN Working on OpenSuse Leap 15

1.0 Introduction

My desktop O/S of choice these days is OpenSuse Leap 15 running KDE Plasma. My preferred VPN provider is Private Internet Access, who shall hereafter be referred to as simply 'PIA'.

So the question is: how do you get PIA working on desktop OpenSuse, especially since PIA declare that they only support “Ubuntu 16.04+, Mint 18+, Arch and Debian”?

Well, I worked it out and thought I'd better write it down so I don't forget for the future!

Obviously, you need to sign up with PIA first, pay them a reasonable amount of money and get a username and password; this much is assumed to have happened before you get any further!

2.0 Enable Network Management

You may not need to do this step at all, since automatic network management is usually switched on by default. For some reason I now forget, I had switched it off, at which point nothing about PIA worked at all! So, first click Start → System → YaST and supply the root password when prompted.

In the left-most panel, click System; in the right-most panel, then click the Network Settings option:

If, after a moment's thinking about it, you see this message:

…then you don't need to do anything further. Your network settings are already managed appropriately and you don't need to alter that in any way.

In my case, however, I didn't see that message, but instead got taken directly to this screen:

However, that's not the place of interest you actually need to be at. Just click on the 'Global Options' tab there:

The problem I originally had was that I'd chosen to set my 'network setup method' shown here to 'Wicked' (which essentially means, 'configure manually'). What you really need for PIA to work smoothly is for this to be set to NetworkManager Service, which will mean your network is managed automatically for you. It also means you should see a network connection icon appear in your 'system tray' area. So select the 'NetworkManager Service' option, click [OK], click [OK] when prompted about the need for the KDE plasma widget or nm-applet to be running (assuming one or other of them is actually running, of course!) and let the new configuration take effect.

Incidentally, if you need to run the KDE plasma widget manually, right-click an area of the system tray and select Panel Options → Add Widgets. Scroll down to find the “Networks” widget and click on it, so that an icon appears in your system tray area like so:

The icon over on the far-right, looking a bit like a TV screen with a plug attached to it, is the network icon you need to see! Once you see it, and once your network settings are managed by the automatic service, you can close YaST down, since you won't need it further for the purposes of getting PIA working.

3.0 Download PIA

Once you can see that Network Connection icon in your system tray area, click this link to download a ZIP file. Save it anywhere you like (I chose my Downloads folder).

Open a terminal and type:

sudo -i

…to become root. Then type:

cd /etc/openvpn
mkdir privateinternetaccess
cd privateinternetaccess
cp /home/hjr/Downloads/openvpn.zip .
unzip openvpn.zip

Obviously, in the fourth command shown above, replace the location where you downloaded the openvpn.zip file with one that is appropriate to you! I also assume you have an /etc/openvpn folder to start with; I did, so I believe it is there by default and entirely automatically. But if you don't, then add a 'mkdir -p /etc/openvpn' to the above commands to create the openvpn directory to start with.

If you then take a moment to look at the contents of the privateinternetaccess folder, you'll see lots of different “.ovpn” files and a “ca.rsa.2048.crt” file.

The country files are there to provide multiple different 'identities' for your external network address. For example, if you want to appear as if you are using an IP address that belongs to somewhere in Australia, you might choose to use the “AU Sydney.ovpn” connection details. If you wanted to look more French, then the “France.ovpn” file contains the connection details you will need, and so on. The 'ca.rsa.2048.crt' file contains the CA certificate needed to make secure connections to any of these foreign network entry points.

4.0 Make a new Network Connection

So, now you've downloaded the PIA files and unpacked them. Next, right-click the network connection icon which, as we established earlier (Section 2.0), is displayed in your system tray area. Click on the Configure Network Connections menu option when it is displayed:

To begin with, the screen will display the network connections it already knows about: in my case, the single Ethernet (wired) connection I make to my home network. Your job is to click the '+' icon you see at the bottom of the left-hand pane in that screen, to add a new network connection:

Here, you define the type of connection you're making and, as you can see, the correct type to select at this point is the 'OpenVPN' one. Click the [Create] button when you've done that. You then get taken to the screen that defines the characteristics of the new connection, like so:

I've started filling in this screen by typing in a 'friendly name' for it. In this case, I've said it's “VPN - Sydney Australia” because I'm intending to create a new network connection that, when selected, will route my network traffic via Australia, so that it will look as if I'm connecting to the Internet from there. The rest of the screen will need to be filled in with very specific information, as I'll now explain.

First, there's the question of what the Gateway for this connection should be. The answer will be found within one of those .ovpn files we extracted earlier into the /etc/openvpn/privateinternetaccess folder. If, for example, you open the 'AU Sydney.ovpn' file in the text editor of your choice, you'd see this sort of thing:

Notice the line which begins remote au-sydney.private….? That is the Gateway to use when making this connection. Note, too, that it runs on a non-standard port of 1198. Also note that the cipher it uses is aes-128-cbc and authentication is done using the sha1 cryptographic hash function.

In other words, open the .ovpn file of the 'connection destination' you're interested in and make a note of the Gateway, port, cipher and auth details. With those to hand, back to our network connection screen:

I've now filled in the screen with some of these technical details. For starters, the Gateway field has been filled in with “au-sydney.privateinternetaccess.com”, which is what the .ovpn file told me was the way to connect to Sydney. The Connection Type field has been set to “Password”, and I've then filled in the Username and Password with the PIA username/password details I got when I signed up with PIA as their customer. We do not, in other words, use certificates to connect to the PIA gateways.

Now, to finish the screen, I need to tell it where the CA Certificate is that will allow PIA to encrypt and decrypt my network traffic when I connect to its gateways. That's the .crt file that was extracted earlier into the /etc/openvpn/privateinternetaccess folder. So, click the button on the right of the 'CA Certificate' field, navigate to that folder and select the ca.rsa.2048.crt file found there:

Once selected, click [Open] and your new network connection screen will be complete like so:

Now, we're almost done. But there are some advanced connection properties we need to set before things will actually work. So click the Advanced button now.

5.0 Advanced Network Connection Properties

There are four tabs in the Advanced Properties dialog, and to begin with, you are placed on the 'General' tab:

As you can see, there are two things to set here. First, the custom gateway port needs to be switched on and the port number changed to be whatever was mentioned in the .ovpn file for this gateway. Mine was, if you recall, 1198 rather than the default of 1194. So that's what I've typed here.

I've then switched on Use LZO compression, without which nothing will work.

Once those two things are set, I can switch to the Security tab:

Two things need to be set here: the Cipher and the HMAC Authentication. The correct values for both are again found within the .ovpn file for this gateway and we saw earlier that, for “AU Sydney”, they are “AES-128-CBC” and “SHA-1”. The “128” bit in the middle of the first of those options tells you that “128” is also the correct 'custom size for the cipher key', which probably will be correct anyway, and thus won't need to be changed.

Next, click on the TLS Settings tab:

There's only one thing to change here. That's to switch on the option to Verify peer certificate usage signature. As with all this stuff, you don't particularly need to understand what any of it does or means, provided you've switched the right options on!

Once your TLS Settings are correct, click [OK] then [Save]. You should now have a new network connection listed:

You can click [OK] at this point to make the Network Connections dialog disappear completely. Or you could click the '+' sign once more and perform the whole process all over again to add another possible VPN Gateway connection into the mix. You can have as many VPN connections as you like, after all, depending on how many different places you want your Internet connection to appear to be coming from.
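
If you do add several gateways, the script below lists the values that the dialogs in Sections 4.0 and 5.0 ask for, read straight from one .ovpn file. It is an added example, not part of the original write-up or of PIA's own tooling. The sample profile is constructed from the values quoted above; its `proto`, `remote-cert-tls`, `comp-lzo` and `ca` lines are assumed to be how the profile expresses the protocol, peer-certificate, LZO and CA settings.

```shell
#!/bin/sh
# Added example: print the NetworkManager OpenVPN dialog values held in
# one .ovpn profile. Usage: sh ovpn-settings.sh "AU Sydney.ovpn"

ovpn_settings() {
    # Strip carriage returns (profiles may have Windows line endings),
    # skip comment lines, and report only the directives the GUI needs.
    tr -d '\r' < "$1" | awk '
        /^[ \t]*[#;]/ { next }
        $1 == "remote" && !seen {
            print "gateway=" $2
            # OpenVPN falls back to 1194 when no port is given
            print "port=" ($3 != "" ? $3 : 1194)
            seen = 1
        }
        $1 == "proto"           { print "proto=" $2 }
        $1 == "cipher"          { print "cipher=" toupper($2) }
        $1 == "auth"            { print "hmac=" toupper($2) }
        $1 == "comp-lzo"        { print "lzo=yes" }
        $1 == "remote-cert-tls" { print "verify_peer_cert_usage=" $2 }
        $1 == "ca"              { print "ca=" $2 }
    '
}

# Constructed sample profile (not copied from PIA's ZIP), used when no
# file name is given on the command line.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
client
dev tun
proto udp
remote au-sydney.privateinternetaccess.com 1198
cipher aes-128-cbc
auth sha1
remote-cert-tls server
auth-user-pass
comp-lzo
ca ca.rsa.2048.crt
EOF

ovpn_settings "${1:-$sample}"
```

Run it once per gateway file and copy the printed gateway, port, cipher and hmac values into the matching fields; a missing `lzo=yes` or `verify_peer_cert_usage=` line means that profile does not set the option.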

6.0 Using the VPN

When you're done and have clicked the [OK] button to dismiss the Network Connections configuration dialog, you are going to want to be able to use one of your new VPN connections from time to time.

To do that, just left-click the Network icon in your system tray area:

Here, you see that I've added the Australia - Sydney VPN connection I described above, but I've also added another connection to Denmark, too. (I'll probably have a USA one added later, too: the three of them give good geographic coverage of the entire planet!)

If you click on one of those VPN connections, you'll see that a connection via the Gateway details you specified when creating it will be made:

Once that's done, you could visit a website that infers your geographical location from your public IP address, such as this one, and get it to tell you where it thinks you're coming from:

…which, in my case, is pleasingly inaccurate!

Left-click the system tray Network icon again and hover over your switched-on VPN connection:

This time, a [Disconnect] button will appear. Click that to stop using that VPN connection and then refresh the earlier web page to see what it now thinks your location is:

…which happens also to be not very accurate, because my ISP has offices in Manchester and not Nottingham! But you can see that by switching the VPN on, I can appear to be connected from the other side of the globe, which is handy for all sorts of reasons.

For example, currently, I am unable to read the Chicago Tribune as a UK resident:

(As an aside, the Chicago Tribune is large enough to be able to do GDPR compliance properly, and it's a shame that nearly a year on from GDPR's introduction, it still hasn't got its act together! But I digress…) One switch of my VPN connection to Australia, though, and a browser refresh later:

The ability to 'teleport' around the globe is definitely handy. The fact that your Internet traffic is encrypted whilst you do so is also rather comforting.

wiki/linux/pia-osuse.txt · Last modified: 2019/04/09 16:15 by dizwell