OpenVPN on Linux

One challenge I encountered in my journey to ditch Windows was that my VPN provider didn’t support every flavor of Linux I wanted to use. The typical instructions for setting up a VPN connection in Linux involve using OpenVPN – which comes pre-installed in the vast majority of user-forward commercial-ready Linux distros. You’ll find it under Settings/Network – look for VPN.

The typical configuration involves using a username, password, and crt file which you download from your VPN provider.

Two ways to download the cert:


  1. From the terminal:

sudo wget -O /etc/openvpn/nameOfCert.cert https://address.of.cert

(If your computer doesn’t recognize the wget command, you can install it with

sudo apt-get install wget or sudo dnf install wget, depending on whether you’re using a Debian-like or Fedora-like flavor of Linux.)

  2. Just type the address of the cert into a web browser like Firefox and it will download directly to your Downloads folder. Then, from the terminal, copy the file to /etc/openvpn with

sudo cp ~/Downloads/filename.crt /etc/openvpn/filename.crt

With the cert installed you just need to match the settings of your VPN to whatever your VPN provider recommends.

This will probably just be your gateway, and under the advanced settings it might also include a compression format or other required settings.

For the Certificate, you’ll choose the certificate you downloaded earlier and put in your /etc/openvpn folder.

And 99% of the time – that’s all there is to it.

But 1% of the time … (this is just how Linux goes).

So your VPN doesn’t work – Now What?!

These kinds of problems are par for the course. Linux is far better than Windows when it comes to privacy, but the tradeoff is that nothing is quite as easy. Let’s run through some simple troubleshooting steps:

  1. Verify that your username, password, and gateway are correct – let’s check off the low-hanging fruit.
  2. Verify that the cert field is not empty and that it is, in fact, a cert.
  3. If your client attempts to connect and then just fails, chances are your provider requires a compression method to be selected (such as LZO) and you don’t have it selected. You’ll find this under the advanced tab, and in specific instructions given by your provider.
  4. If you are getting prompted for username and password over and over, chances are you don’t have the right encryption selected. OpenVPN comes with defaults like AES256, and your client will try to negotiate with the server to use one that you both agree on. But if the server doesn’t accept the ones in your default settings, it won’t let you connect. Luckily there’s an easy way to check.

journalctl -u NetworkManager --no-pager --since today

This is the log of what your NetworkManager has been doing while you’ve been trying to connect. Any major errors might show up in red. For instance:

OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('BF-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM') if you want to connect to this server.

This means that the server is asking me to use BF-CBC (Blowfish), but it’s not one of the default ciphers my client is configured to use. I could edit my config file to add it to the defaults, but the easiest way to fix this problem is to just select it as the cipher for this VPN in the advanced settings of the VPN connection.
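An added example (not from the original post): a small POSIX shell filter that pulls the cipher-negotiation error described above out of the NetworkManager journal, prints the data-ciphers line that editing the config file would need, and labels 64-bit block ciphers such as BF-CBC as legacy. The function names and the sample log line are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage OpenVPN cipher-negotiation failures from the journal.
# Function names and SAMPLE_LOG are constructed for illustration.

# Constructed sample of the journal line discussed above.
SAMPLE_LOG="Jan 01 10:00:00 host nm-openvpn[1234]: OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('BF-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM') if you want to connect to this server."

# Print "<server cipher>|<client data-ciphers>" for each distinct error on stdin.
parse_cipher_errors() {
    sed -n "s/.*failed to negotiate cipher with server.*cipher ('\([^']*\)') to --data-ciphers (currently '\([^']*\)').*/\1|\2/p" | sort -u
}

# Label a cipher name. Blowfish, DES/3DES, CAST5 and RC2 use 64-bit blocks and
# are considered legacy; a "legacy-64bit" result is a reason to ask the
# provider for an AES-GCM profile rather than keep the old cipher long term.
cipher_class() {
    case "$1" in
        BF-*|DES-*|CAST5-*|RC2-*)   echo legacy-64bit ;;
        *-GCM|CHACHA20-POLY1305)    echo aead ;;
        *)                          echo other ;;
    esac
}

# Read journal text on stdin and print one report line per failure, including
# the data-ciphers line the connection's config would need to accept the server.
triage() {
    parse_cipher_errors | while IFS='|' read -r server client; do
        printf 'server=%s class=%s fix="data-ciphers %s:%s"\n' \
            "$server" "$(cipher_class "$server")" "$client" "$server"
    done
}

# Real use: journalctl -u NetworkManager --no-pager --since today | triage
printf '%s\n' "$SAMPLE_LOG" | triage
```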