
Using OpenVPN client with wicd


James P. Wallen

Jul 6, 2015, 4:50:05 PM
I loved wicd and used it for several years but finally gave up
and went with network-manager so that I could easily use a
private VPN when I'm out-and-about and connecting to access
points on the road.

I've never really been thrilled with network-manager, though at
least it works a lot better for me than it did years ago. Any
time following a distribution upgrade or doing a new
installation I can still count on some unpleasantness with
network-manager, but I always manage to get it straightened out
eventually.

I've seen a few comments by folks like Bob Proulx concerning
their appreciation of wicd, and I'm thinking of dropping the DE
I'm currently using and just using a window manager.

Under those circumstances, using wicd seems like a good idea.
But I've done a lot of searching on getting OpenVPN to work
without finding much that was of use to me.

For one thing, almost all of the how-to docs I can find are
explaining how to set up an OpenVPN server on a network at home.
Even the man pages seem to be all about that and not about what
I want to do. I want to find a way to use the OpenVPN client to
connect to a publicly available OpenVPN server.

The servers I use make use of a certificate downloaded to the
local machine and a shared secret. I'm already using the servers
via network-manager and the OpenVPN client.

If any of you has managed to do this in conjunction with wicd,
I'd really appreciate a pointer to information to help me get
started. The man pages are kicking me in the boinloins.

Heh.

Thanks,
JP


--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Archive: https://lists.debian.org/559AE3C0...@comcast.net

to...@tuxteam.de

Jul 7, 2015, 4:30:04 AM

On Mon, Jul 06, 2015 at 04:23:28PM -0400, James P. Wallen wrote:

[...]

> If any of you has managed to do this in conjunction with wicd, I'd
> really appreciate a pointer to information to help me get started.
> The man pages are kicking me in the boinloins.

FWIW -- I set up OpenVPN (don't like it much[1], but had to) without
either NetworkManager or wicd. What's the functionality you expect
from those? Automatic route setting?

- - - - - - - - -
[1] What do I do when I have to pierce the corp firewall? Just use
socat on both sides, port 443 (corp firewalls believe in numbers),
TLS encapsulated (don't know if they do deep packet inspection and
don't want to find out). Yes, some consider me weird.

regards
- -- tomás

James P. Wallen

Jul 7, 2015, 8:20:05 AM


On 07/07/2015 04:25 AM, to...@tuxteam.de wrote:
> On Mon, Jul 06, 2015 at 04:23:28PM -0400, James P. Wallen
> wrote:
>
> [...]
>
>> If any of you has managed to do this in conjunction with
>> wicd, I'd really appreciate a pointer to information to
>> help me get started. The man pages are kicking me in the
>> boinloins.
>
> FWIW -- I set up OpenVPN (don't like it much[1], but had to)
> without either NetworkManager or wicd. What's the
> functionality you expect from those? Automatic route
> setting?
>
> - - - - - - - - - [1] What do I do when I have to pierce the
> corp firewall? Just use socat on both sides, port 443 (corp
> firewalls believe in numbers), TLS encapsulated (don't know
> if they do deep packet inspection and don't want to find
> out). Yes, some consider me weird.
>

Hi, Tomas! Thanks for your reply.

No, my issue has nothing to do with corporate firewalls. I'm
retired and go to places like libraries and coffee shops and
hospitals where I connect to guest networks. I just use the
Internet-located VPN to encrypt my connection through the AP and
to prevent tracking by the service provider. At home I also use
it for the same reasons.

Network-manager, as you're aware, has plugins for various types
of VPN software. It's easy to use, but it just seems to be
awfully large and, occasionally, a little trouble-prone compared
to wicd.

I could generally just use /etc/network/interfaces and
associated stuff, but was looking for a fiddle-free way to make
my connections when I'm moving around while still enabling me to
use OpenVPN.

As I said, just about every write-up on using OpenVPN I can find
tells me how to set up the server. Not what I want. All of the
write-ups on OpenVPN client I've found tell me a) how to use
OpenVPN with network-manager, or b) how to import a setup.
Neither of those is of any use to me. I want to see if I can
figure out how to use OpenVPN from the CLI or via script using a
certificate and password to connect to my favorite VPN out on
the Internet.

Again, thank you for your reply.

JP



Petter Adsen

Jul 7, 2015, 8:40:04 AM
https://wiki.debian.org/OpenVPN

Have you seen this? It doesn't contain anything particular to wicd, but
you could use what is there to set up a script.

There are a few links at the bottom that might also be of help.

Petter

--
"I'm ionized"
"Are you sure?"
"I'm positive."

to...@tuxteam.de

Jul 7, 2015, 9:30:06 AM

On Tue, Jul 07, 2015 at 07:55:26AM -0400, James P. Wallen wrote:

[...]

> Hi, Tomas! Thanks for your reply.

I wish I could've been more helpful, but hey, you're welcome.

> No, my issue has nothing to do with corporate firewalls [...]

> Network-manager, as you're aware, has plugins for various types of
> VPN software. It's easy to use, but it just seems to be awfully
> large and, occasionally, a little trouble-prone compared to wicd.

This was my impression too. Since I tend for "simple", I try to
avoid NM altogether.

> I could generally just use /etc/network/interfaces and associated
> stuff, but was looking for a fiddle-free way to make my connections
> when I'm moving around while still enabling me to use OpenVPN.

Understood.

> [...] I want to see if I can figure out how to use
> OpenVPN from the CLI or via script using a certificate and password
> to connect to my favorite VPN out on the Internet.

I see.

Again, that's what I'm doing with socat: on the server there's a
socat process running as server (duh ;) -- which unwraps the SSL
layer and feeds its thing to the ssh server; on the client, a
socat opens a local port and I connect my ssh client (courtesy
of .ssh/config magic) to that: the socat wraps it in SSL and
connects to the server: voilà -- a VPN. To the outside world
it looks like any HTTPS connection. Since I have my own certificates,
I (hope!) would notice any attempt at MITM.

What turned me away from OpenVPN was that it wanted to be a
service started at boot time, with all that; besides it wants
to do magic to the routing tables and so on.

A tad too heavyweight for my taste.

But of course, it does many things automagically you'd otherwise
have to script.

Regards
- -- tomás

James P. Wallen

Jul 7, 2015, 1:40:05 PM
Thank you, Petter.

I'll try following that document through to a conclusion. I
should always remember to look at the debian.org online
documentation first.

However, the explanations seem to lean heavily toward explaining
how to set up a server and a client, so I have to try to pick
out carefully how to just do what I want to do.

I just need to connect a client to a publicly available VPN over
which I have no control. It surprises me that I haven't seen a
simple howto for that. Surely there are lots of people who use
such "private VPNs" but who don't want to use network-manager.

Still, I may be able to piece together what I need to build
scripts from the debian.org page. I remember that wicd has a
provision for launching scripts following establishment of a
network connection, so I may be able to use that capability to
get what I want.

Thank you for the pointer!

JP



James P. Wallen

Jul 7, 2015, 1:50:03 PM
So -- if I understand -- you have control of a server out there
on the Internet, and that's what makes this work for you. I know
nothing of socat, but it sounds interesting. I suppose I could
set up a server on the home network. That would protect my
traffic from prying eyes when I'm a visitor on another network,
but it wouldn't really keep my home ISP from snooping on me. Or
am I missing something?

Maybe I'm paranoid, but I really don't like the way Comcast (and
many other ISPs) seem to think that they own their customers.

I'm an activist of sorts, and I really do not like how cozy
businesses and government are about our communications. Some of
the people I communicate with have suffered greatly at the hands
of various governments, and I don't want to take any more risk
with their rights than is absolutely necessary when we contact
each other.

>
> What turned me away from OpenVPN was that it wanted to be a
> service started at boot time, with all that; besides it
> wants to do magic to the routing tables and so on.
>
> A tad too heavyweight for my taste.
>
> But of course, it does many things automagically you'd
> otherwise have to script.
>

Yes, I do prefer light(er) weight, but magic and ease of use are
nice, too.

Again, thank you.

JP



to...@tuxteam.de

Jul 7, 2015, 3:30:07 PM

On Tue, Jul 07, 2015 at 01:32:21PM -0400, James P. Wallen wrote:
> On 07/07/2015 09:23 AM, to...@tuxteam.de wrote:

[...]

> So -- if I understand -- you have control of a server out there on
> the Internet, and that's what makes this work for you.

Right. That rules this out in your case, since the server side is,
as I gather, out of your control.

> I know
> nothing of socat, but it sounds interesting.

Socat is like "nmap on steroids": a way of connecting streams
together -- be it network sockets, stdin, whatever. Quite useful
when debugging things (as nmap is) -- but also for "production".

> I suppose I could set
> up a server on the home network. That would protect my traffic from
> prying eyes when I'm a visitor on another network, but it wouldn't
> really keep my home ISP from snooping on me. Or am I missing
> something?

There has to be a way to reach your network from outside (something
not all providers offer, alas -- they sometimes insert traffic
filters without telling you), and then you'd have to "find" the
address (something which can be done with DynDNS). But there's
a way to find out.

> Maybe I'm paranoid, but I really don't like the way Comcast (and
> many other ISPs) seem to think that they own their customers.

I think this doesn't have anything to do with paranoia, rather
with dignity and decency.

> I'm an activist of sorts, and I really do not like how cozy
> businesses and government are about our communications. Some of the
> people I communicate with have suffered greatly at the hands of
> various governments, and I don't want to take any more risk with
> their rights than is absolutely necessary when we contact each
> other.

Definitely.

[...]

> Yes, I do prefer light(er) weight, but magic and ease of use are
> nice, too.

Ah, the embarrassment of riches, I know, I know :-)

> Again, thank you.

The pleasure's on my side.

regards
- -- tomás

James P. Wallen

Jul 7, 2015, 5:20:06 PM


On 07/07/2015 03:26 PM, to...@tuxteam.de wrote:
...
>> I suppose I could set up a server on the home network. That
>> would protect my traffic from prying eyes when I'm a
>> visitor on another network, but it wouldn't really keep my
>> home ISP from snooping on me. Or am I missing something?
>
> There has to be a way to reach your network from outside
> (something not all providers offer, alas -- they sometimes
> insert traffic filters without telling you), and then you'd
> have to "find" the address (something which can be done with
> DynDNS). But there's a way to find out.

I have a business account with Comcast, so I have a fixed IP and
(ostensibly) no filtering. I've used IP forwarding (and even
port knocking and other weird stuff like that, just for kicks)
on various routers over the years, so I'm acquainted with the
process.

>> Maybe I'm paranoid, but I really don't like the way Comcast
>> (and many other ISPs) seem to think that they own their
>> customers.
>
> I think this doesn't have anything to do with paranoia,
> rather with dignity and decency.

Yup, that too.

;)

Considering how much Comcast charges for its services, it's
annoying to find them trying to sell me and my views to every
nick-and-dime business partner.

Best regards,
JP



Petter Adsen

Jul 8, 2015, 3:20:05 AM
On Tue, 07 Jul 2015 13:20:35 -0400
"James P. Wallen" <jpwa...@comcast.net> wrote:

> On 07/07/2015 08:34 AM, Petter Adsen wrote:
> > https://wiki.debian.org/OpenVPN
> >
> > Have you seen this? It doesn't contain anything particular to
> > wicd, but you could use what is there to set up a script.
> >
> > There are a few links at the bottom that might also be of
> > help.
> >
> > Petter
> >
>
> Thank you, Petter.
>
> I'll try following that document through to a conclusion. I
> should always remember to look at the debian.org online
> documentation first.
>
> However, the explanations seem to lean heavily toward explaining
> how to set up a server and a client, so I have to try to pick
> out carefully how to just do what I want to do.

I'm currently working on setting up a VPN myself, so I was just reading
that when I saw your message. It's perfect for what I want to do, but
of course it might not fit your needs. You should be able to pick out
enough from the examples given there to set up what you want, but of
course it's not a step-by-step guide.

The Arch wiki also has some useful information, you can find it at:

https://wiki.archlinux.org/index.php/Openvpn

It also has a few notes on connecting to a third party provider.

> I just need to connect a client to a publicly available VPN over
> which I have no control. It surprises me that I haven't seen a
> simple howto for that. Surely there are lots of people who use
> such "private VPNs" but who don't want to use network-manager.

Have you talked to the VPN provider, or looked at their site for hints
on configuration? Send their support team an email, maybe they have been
in that situation before.

If you would rather have control over the server, and depending on whom
you want to conceal your traffic from, you could consider paying for a
VPS, then setting up a VPN between that and your home or mobile devices.
One problem with that approach is that most VPS services come with
quite a limited amount of bandwidth per month, but depending on what
you want to do that may not be a big problem. I pay $10/month, and that
is for up to 2TB transfer. The VPS provider would of course be able to
snoop on your traffic, but that might be better than having your ISP
snoop, if you have a bad ISP and choose the right provider.

Just a thought. Good luck!

James P. Wallen

Jul 8, 2015, 10:00:04 AM
Yes, I should also remember to look at archlinux.org docs when I
have a project or issue like this. They're really good.

It's funny that neither the Debian nor the Archlinux docs show
up in the search engines I've been using. Either my choices of
search terms aren't so hot, or the engines are doing a very
superficial job of checking mostly commercial site and message
list content. Or both.

I think that I may be able to make this work if I just scrape
all the data from the Debian and Archlinux docs together and
sort through it.

>> I just need to connect a client to a publicly available
>> VPN over which I have no control. It surprises me that I
>> haven't seen a simple howto for that. Surely there are
>> lots of people who use such "private VPNs" but who don't
>> want to use network-manager.
>
> Have you talked to the VPN provider, or looked at their site
> for hints on configuration? Send their support team an email,
> maybe they have been in that situation before.
>

The most important of the VPN providers for my purposes is
riseup.net. They are a no-charge system that I donate to on a
monthly basis because they exist specifically to serve social
and political activism.

They are switching to a VPN system which uses bitmask.
Unfortunately, their specific configuration requires (at least
for now) use of a third party repository. I've tried it and had
quite a bit of trouble with its functionality.

I'll ask them about doing what I want to do with the old system,
but they weren't very responsive even when I was trying to get
help with the new system that they want everyone to use now. As
is usually the case with such entities, they are long on work
and short on workers.

> If you would rather have control over the server, and
> depending on whom you want to conceal your traffic from, you
> could consider paying for a VPS, then setting up a VPN
> between that and your home or mobile devices. One problem
> with that approach is that most VPS services come with quite
> a limited amount of bandwidth per month, but depending on
> what you want to do that may not be a big problem. I pay
> $10/month, and that is for up to 2TB transfer. The VPS
> provider would of course be able to snoop on your traffic,
> but that might be better than having your ISP snoop, if you
> have a bad ISP and choose the right provider.
>
> Just a thought. Good luck!
>
> Petter
>

I've considered this alternative, too. I might well fall back on
it -- especially if I can find a VPS provider which has
established a good reputation with some of the activist communities.

The trust factor is a big concern for me. I might have little or
nothing to lose by compromised communications, but some of these
folks hang on the hairy edge of disaster every day of their
lives. So far, the worst safety issues these communities have
faced have been the result of careless -- or worse, deliberately
compromised -- treatment of communications by some of the third
parties involved in the message path.

Many, many thanks for your help.

JP



James P. Wallen

Jul 9, 2015, 10:10:04 AM
Between the Debian and Archlinux documentation and a little
pondering I was able to use the OpenVPN client manually with
wicd as the network manager.

However, I'm going to hold what I learned as a fall-back at
least for now. Curiosity got the better of me, and I tried the
bitmask/LEAP solution again. Over the past few months it has
been improved enormously. So, even though it is a very complex
system which actually works to strictly (I hope) manage the
OpenVPN client, it works very, very well. And it nicely manages
establishing the connection to the VPN automatically at the time
the user logs onto the system, which was at best an unreliable
function with network-manager.

Yeah, I didn't really get a simpler system despite replacing
network-manager with wicd. But at least I got a network manager
that I like better. And the new VPN interface and online
functionality is really nice.

Thanks all for your help.

JP



Chris Bannister

Jul 9, 2015, 12:00:06 PM
On Thu, Jul 09, 2015 at 09:44:40AM -0400, James P. Wallen wrote:
>
> Between the Debian and Archlinux documentation and a little pondering I was
> able to use the OpenVPN client manually with wicd as the network manager.

Which you are going to keep a secret? People are going to see the solved
in the subject when they do an archive search thinking they're going to
find a solution.

--
"If you're not careful, the newspapers will have you hating the people
who are being oppressed, and loving the people who are doing the
oppressing." --- Malcolm X



James P. Wallen

Jul 9, 2015, 12:40:05 PM
On 07/09/2015 11:56 AM, Chris Bannister wrote:
> On Thu, Jul 09, 2015 at 09:44:40AM -0400, James P. Wallen wrote:
>>
>> Between the Debian and Archlinux documentation and a little pondering I was
>> able to use the OpenVPN client manually with wicd as the network manager.
>
> Which you are going to keep a secret? People are going to see the solved
> in the subject when they do an archive search thinking they're going to
> find a solution.
>

I did consider posting what I had done. I actually experimented with
three ways to accomplish the task at hand. I simply used the CLI to
control the client in one instance, and I used a script in the other two
instances. In one of those I ran the script manually after getting the
network connection, and in the other I ran the script via wicd's ability
to run post-connection scripts to execute the script.

Easy. And reason enough why there aren't any write-ups specific to my
needs. The documentation Petter Adsen pointed me to was sufficient for
me with my limited grasp of the subject matter and my unusual
circumstance. As he indicated, that document should be enough for anyone
to accomplish the task.

The riseup.net VPN is different enough from every other publicly
available VPN I've seen that documenting my method wouldn't serve much
purpose. The folks at riseup.net are doing their best to encourage new
users to switch to the new system which uses bitmask/LEAP and is
self-configuring. And that's what I wound up doing.

I suppose I should have indicated all of this in my previous message as
an explanation for lack of inclusion of a how-to. I absent-mindedly used
the "Solved" indicator to indicate to the thread participants that I had
succeeded. Not to indicate that I really had any new information to
provide. Fuzzy thinking, I guess. (Hey, we let our world leaders get
away with it!)

In partial atonement for my misstep I provide the following links which
were, in turn, provided to me by Petter:

https://wiki.debian.org/OpenVPN

https://wiki.archlinux.org/index.php/Openvpn

The second link contains further links to other resources which might be
helpful to those connecting to the more "ordinary" types of VPNs, but
which weren't necessary for my purposes.

Sorry for the miscue, Chris.

Regards,
JP
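
The third approach described in the message above (a wicd post-connection script that starts the OpenVPN client with a certificate and password) could look like the following. This is an added example, not part of the original thread or JP's own script; the file paths and the daemon name are hypothetical, and it assumes wicd's /etc/wicd/scripts/postconnect/ hook directory and its wired|wireless first argument.

```shell
#!/bin/sh
# Added example, not from the thread. Install as an executable file in
# /etc/wicd/scripts/postconnect/ ; wicd runs it as root after a link comes up
# and passes: $1 = wired|wireless, $2 = ESSID, $3 = BSSID.

# Assumed locations (hypothetical names); point them at the provider's files.
OVPN_CONF=${OVPN_CONF:-/etc/openvpn/provider.conf}  # client config: remote, ca, ...
OVPN_AUTH=${OVPN_AUTH:-/etc/openvpn/provider.auth}  # line 1: user, line 2: password
OVPN_PID=${OVPN_PID:-/run/openvpn-wicd.pid}

log() { echo "openvpn-hook: $*" >&2; }

# True only if the credentials file exists and is unreadable by group/other.
secret_is_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    case $mode in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# True if the config makes the client check that the peer presents a *server*
# certificate (or a specific name), not just any certificate from the same CA.
conf_verifies_server() {
    grep -Eq '^[[:space:]]*(remote-cert-tls[[:space:]]+server|verify-x509-name[[:space:]])' \
        "$1" 2>/dev/null
}

# True if the pid file names a live process.
vpn_running() {
    [ -s "$OVPN_PID" ] || return 1
    kill -0 "$(cat "$OVPN_PID")" 2>/dev/null
}

# Returns 0 = tunnel already up or started, 2 = credentials exposed,
# 3 = config does not verify the server, other = openvpn's own exit status.
start_vpn() {
    if ! secret_is_private "$OVPN_AUTH"; then
        log "refusing to start: $OVPN_AUTH must be mode 600 or 400"
        return 2
    fi
    if ! conf_verifies_server "$OVPN_CONF"; then
        log "refusing to start: $OVPN_CONF lacks remote-cert-tls/verify-x509-name"
        return 3
    fi
    if vpn_running; then
        log "already running"
        return 0
    fi
    # --auth-nocache stops openvpn from keeping the password in memory;
    # --daemon detaches so wicd is not blocked waiting for the hook.
    openvpn --config "$OVPN_CONF" \
            --auth-user-pass "$OVPN_AUTH" --auth-nocache \
            --daemon openvpn-wicd --writepid "$OVPN_PID"
}

# Only act when called the way wicd calls its hooks.
case ${1:-} in
    wired|wireless) start_vpn ;;
esac
```

The two refusals matter on guest networks: a world-readable password file leaks the shared secret to any local user, and a config without server-certificate verification lets anyone holding a certificate from the same CA impersonate the VPN server.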

