Objective

Connect to a VPN automatically on booth with a service.

Distributions

This will work on almost any Linux distribution.

Requirements

A working Linux install with root privileges and a VPN subscription.

Difficulty

Easy

Conventions

  • # - requires given command to be executed with root privileges either directly as a root user or by use of sudo command
  • $ - given command to be executed as a regular non-privileged user

Introduction

VPNs are great. They protect people from all sorts of threats and snooping online. Sometimes, they can be a real pain to set up, or the set up procedure doesn't exactly fit the way you use your computer. That's why it's a great solution to run a VPN connection as a service at startup. You don't need to remember to turn it on, and it will keep running even if you don't have a desktop environment up. Plus, it will usually run before your desktop and any of your other connections, helping to keep your data from leaking.

The OpenVPN client is designed to run as a service for just this reason. You only need to set it up that way. What's even better; the configuration is usually provided for you by your VPN service.

Install OpenVPN

First, you need to install OpenVPN on your system. It's a very popular piece of software, so it's available on most distributions. Ubuntu/Debian
$ sudo apt install openvpn
Fedora
# dnf -y install openvpn
OpenSUSE
# zypper install openvpn
Arch Linux
# pacman -S openvpn
Gentoo
# emerge --ask openvpn

Get VPN Configuration Files

Most quality VPN services provide OpenVPN configuration files so that you can use them to set up your own connection. It's not possible to cover every VPN, but here are the locations of the OpenVPN files for several popular ones. If you're using a different VPN look around your user dashboard or their documentation. They should be available.

AirVPN AirVPN generates OpenVPN files for your from your customer dashboard. These files are unique to you, so there isn't a universal link.

ExpressVPN ExpressVPN provides the OpenVPN files through the "Downloads" page in your dashboard.

IVPN IVPN provides their files publicly here.

NordVPN NordVPN provides their OpenVPN configuration files publicly here.

Private Internet Access Private Internet Access also releases their configurations publicly. You can find them here.

Modify The Configuration

There isn't a whole lot of modification that needs to be done. Most of the time, these files are designed to be turn-key. There are just a couple of things that are better to do for convenience.

Select a server that you want to connect to. The files should all end in the .ovpn extension. That's perfect for running them manually from the command line, but wont work when running them as a service. Copy the file in the OpenVPN service directory and rename it.
$ sudo cp ~/Downloads/vpn-configs/'USA New_York-1194.ovpn' /etc/openvpn/openvpn.conf
That name is made up, but they usually look something like that, so make sure that you have the right one for your VPN.

Now that the file is in the right place, there are a few more things that you probably want to do. Since you're running this as a service, entering your login info isn't really possible. You need to put that in a file. If you're using AirVPN, this doesn't apply. The generated file contains your login info. Create a file in /etc/openvpn called auth.txt. Put your username on the first line and password on the second. You should change the permissions of the file to restrict access.
$ sudo chmod 400 auth.txt
In this case the owner is root, so only root(the user running OpenVPN) can read the file with your password.

Next, open the openvpn.conf file. Find the line that contains auth-user-pass and add auth.txt after it.

Most of these don't including logging. You can add a couple of lines to the file so it logs to a predictable location.
status /etc/openvpn/openvpn-status.log
log /etc/openvpn/openvpn.log
That's all you need. If you're comfortable messing around with it, feel free.

Start The Service

You're finally ready to start up the service and test it out. Systemd
$ sudo systemctl start openvpn
OpenRC
# /etc/init.d/openvpn start
If everything looks good, enable OpenVPN at startup. Systemd
$ sudo systemctl enable openvpn
OpenRC
# rc-update add openvpn default

Closing Thoughts

Running OpenVPN as a service is ultimately more convenient and more secure than running it through a VPN client or even your desktop environment. It's not something a regular user can set up and do, and it does apply system-wide, so you need to be absolutely committed to that VPN and that server.