GUI VPN Client for Debian Linux

newUser2pfSense · Nov 11, 2020, 4:42 PM

I have my pfSense OpenVPN server setup. I use Viscosity on my MacBook Pro to connect with no issues. Now, for a family member who isn't completely computer literate, could anyone recommend a GUI VPN Client for Debian Linux that can use the OpenVPN client export in pfSense? Any suggestions would be most helpful. Thank you.

viragomann · Nov 11, 2020, 5:41 PM

You can use the NetworkManager. It works fine.

Install the NM OpenVPN plugin.
In the client export utility check PKCS#11 Certificate Storage and set a certificate password and export the archive. Then unpack it into the users home.
The NM gives you an option to import the .ovpn file.
Ensure that all the paths for CA, key and user cert are pointing to the .p12 file.

newUser2pfSense · Nov 11, 2020, 11:15 PM

viragomann...Thank you for the reply. I've never tried the PKCS#11 Certificate Storage method before. When I followed your directions, I received two error messages:

You must provide the PKCS#11 providers. [Enter the client local path to the PKCS#11 provider(s) (DLL, module), multiple separated by a space character.]
You must provide the PKCS#11 ID. [Enter the object's ID on the PKCS#11 device.]

To be honest, I don't know what to populate in these fields. Would you happen to have any guidance on what to enter in these two fields? Thank you.

viragomann · Nov 12, 2020, 12:21 AM

@newUser2pfSense
When do you get this? In the client export utility or on the client computer?

newUser2pfSense · Nov 12, 2020, 9:16 AM

I should have been more specific - sorry. I actually received the error message when using the client export utility in pfSense.

viragomann · Nov 12, 2020, 9:16 AM

@newUser2pfSense
Sorry, my mistake. PKCS#11 is not to check. The goal is to get out a .p12 file (PKCS#12), assumed the server uses SSL auth, I've mixed this.
The .p12 file is default in the archive export.

newUser2pfSense · Nov 12, 2020, 2:10 PM

Ok, I was able to export out the archive and create the VPN connection as you suggested in network manager, however, it asked for a Gateway before I could even save the connection. I used my dynamic dns address for the Gateway - is this correct?

The only way I can test the connection is by using my iPhone Personal Hotspot. I basically connect to the wireless hotspot and then once connected I choose the VPN connection I created. I receive an error message that states it times out so I've been unable to connect. I'm wondering if the wireless hotspot gets disconnected when I change to the VPN connection which is why it's timing out? I tried tethering my iPhone using USB but Debian didn't recognize it for this purpose which is why I had to use the hotspot instead.

Alas, I'm probably doing something incorrect but I can't see what it is. Any suggestions?

viragomann · Nov 12, 2020, 3:16 PM

@newUser2pfSense said in GUI VPN Client for Debian Linux:

however, it asked for a Gateway before I could even save the connection. I used my dynamic dns address for the Gateway - is this correct?

You can add your dynamic DNS name to the clients config by selecting Other at Host Name Resolution and entering the hostname below in the export utility.

@newUser2pfSense said in GUI VPN Client for Debian Linux:

I receive an error message that states it times out so I've been unable to connect. I'm wondering if the wireless hotspot gets disconnected when I change to the VPN connection which is why it's timing out?

I don't think so. You will see in the NetworkManager applet if its connected to the wifi hotspot.
I have successfuly established an OpenVPN over my iphones hotspot several times (with NetworkManager on OpenSUSE).

Check /var/log/NetworkManager for hints what is failing.

newUser2pfSense · Nov 12, 2020, 5:44 PM

I actually have my dynamic DNS entered in the Host Name Resolution Field on the Client Export page of pfSense. But in order to save the VPN connection in network manager on my Linux laptop, a Gateway entry is required. Would you happen to know what the Gateway should be if it's not my dynamic DNS? This could be the reason the connection is timing out when I attempt to connect.

At the time of this post, my searching is finding that there is an issue with USB tethering an iPhone with iOS 14.x to Linux; apparently something changed from iOS 13 to iOS 14. I don't know what the issue is but I'll have to continue using my wireless hotspot at present.

I'm using Linux Mint Debian Edition (LMDE) 4 and there is no log for the network manager to be found, at least in /var/log/.

As a side note, in the created VPN connection, in the Authentication section for Type, I've selected all of the dropdowns [Certificates (TLS), Password, Password with Certificates (TLS)] with still no luck connecting. I'm not quite sure what I'm doing incorrectly. As well, in the created VPN connection, it asks for a User key password which I don't ever remember creating. I certainly have a VPN user/password but I just don't remember creating a User key password.

viragomann · Nov 12, 2020, 5:49 PM

I guess I did that at least on iOS 13.

It's hard to say, what's wrong, if you have no log.
Is there no possibility to enable NM logging?

Are You sure, that your OpenVPN server works and is accessible from outside?

@newUser2pfSense said in GUI VPN Client for Debian Linux:

I certainly have a VPN user/password but I just don't remember creating a User key password.

That is the password you enter in the client export at Certificate Password.
Newer NM versions don't connect without setting a password.

newUser2pfSense · Nov 14, 2020, 3:01 PM

Ok, so I did a little more searching around and came upon this site:
https://www.ceos3c.com/pfsense/pfsense-openvpn-linux-client/

I followed the steps from that page and low and behold, I was able to connect to my pfSense OpenVPN server with no issues even using my wireless hotspot. Success.

Thanks for getting me headed in the right direction. I appreciate your time.