I have a headless server where I want to run my Windscribe VPN on boot automatically. Unfortunately, their current client seems to require a GUI to function, which makes it impossible to use on such a server. However, we can use OpenVPN instead. I’m doing this on Ubuntu 22.04.
First, install Open VPN:
sudo apt install openvpn
Then, get the appropriate config file from OpenVPN’s page. Save this file into the /etc/openvpn folder, making sure it ends in .conf:
ls -lah /etc/openvpn total 28K drwxr-xr-x 4 root root 4.0K Mar 15 00:42 . drwxr-xr-x 103 root root 4.0K Mar 15 00:36 .. drwxr-xr-x 2 root root 4.0K Jul 14 2022 client drwxr-xr-x 2 root root 4.0K Jul 14 2022 server -rwxr-xr-x 1 root root 1.5K Jul 14 2022 update-resolv-conf -rw-r--r-- 1 root root 3.0K Mar 15 00:39 Windscribe.ovpn.conf
On the OpenVPN config page, use the “Get Credentials” button to…well, get your credentials. Save them as a file in /etc/openvpn; in my case, I named in Windscribe-pass.auth and put your username on the first line and password second line of that file e.g.
I also recommend setting the permissions such that only root can read the file e.g. via chmod 600. When done, you should have two config files in /etc/openvpn:
/etc/openvpn# ls -lah total 28K drwxr-xr-x 4 root root 4.0K Mar 15 00:42 . drwxr-xr-x 103 root root 4.0K Mar 15 00:36 .. drwxr-xr-x 2 root root 4.0K Jul 14 2022 client drwxr-xr-x 2 root root 4.0K Jul 14 2022 server -rwxr-xr-x 1 root root 1.5K Jul 14 2022 update-resolv-conf -rw-r--r-- 1 root root 3.0K Mar 15 00:39 Windscribe.ovpn.conf -rw------- 1 root root 28 Mar 15 00:42 Windscribe-pass.auth
Modify the main OpenVPN config file in /etc/openvpn you saved earlier (in my case, Windscribe.ovpn.conf) and add a line telling OpenVPN to look for the username and password in the other file. This is important, as in my case I want it to start on boot automatically and the password has to be saved somewhere. Your file should then look something like this:
client dev tun proto udp remote yul-316.whiskergalaxy.com 1194 verify-x509-name yul-316.windscribe.com name nobind auth-user-pass resolv-retry infinite cipher AES-256-GCM ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM auth SHA512 auth-user-pass Windscribe-pass.auth verb 2 mute-replay-warnings remote-cert-tls server persist-key persist-tun .....
Next, you’ll need to enable the VPN and start it. Note that the naming of this service will follow the name of the .conf file you created earlier.
systemctl daemon-reload systemctl enable systemctl start
A word of warning. When starting OpenVPN, the VPN becomes the default route, and if you’re like me and keep this machine on its own subnet, this can interfere with normal routing (e.g. ssh to other machines), so you may have to add static routes before starting the VPN. For example, on Ubuntu with Netplan modify /etc/netplan/00-installer-config.yaml:
network: ethernets: enp6s18: addresses: - 192.168.80.1/24 nameservers: addresses: - 192.168.80.100 routes: - to: default via: 192.168.80.100 - to: 192.168.0.0/16 via: 192.168.80.100 version: 2
In my case, the machine is on 192.168.80.0/24, but needs access to other subnets I have, so I just force routing of the entire 192.168.0.0/16 subnet to my router to include all of them. To apply, run
sudo netplan apply
If all goes well, you can verify your VPN connected by checking on the service status:
● - OpenVPN connection to Windscribe.ovpn Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled; vendor preset: enabled) Active: active (running) since Wed 2023-03-15 00:57:44 UTC; 5min ago Docs: man:openvpn(8) https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage https://community.openvpn.net/openvpn/wiki/HOWTO Main PID: 2760 (openvpn) Status: "Initialization Sequence Completed" Tasks: 1 (limit: 2233) Memory: 2.1M CPU: 23ms CGroup: /system.slice/system-openvpn.slice/ └─2760 /usr/sbin/openvpn --daemon ovpn-Windscribe.ovpn --status /run/openvpn/Windscribe.ovpn.status 10 --c> Mar 15 00:57:44 rake ovpn-Windscribe.ovpn: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer > Mar 15 00:57:44 rake ovpn-Windscribe.ovpn: [yul-316.windscribe.com] Peer Connection Initiated with [AF_INET]38.1
And see the IP assigned to the tunnel:
root@vm:~# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 ...... 4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500 link/none inet 10.123.123.123/23 scope global tun0 valid_lft forever preferred_lft forever inet6 fe80::de52:ad25:1b78:bab6/64 scope link stable-privacy valid_lft forever preferred_lft forever
And you can ping to a known server to see if the ping times increase over your normal connection. This isn’t foolproof but it’s a good quick check to make sure your connections are going through the VPN.
ping google.ca -c 3 PING google.ca (126.96.36.199) 56(84) bytes of data. 64 bytes from yul03s04-in-f3.1e100.net (188.8.131.52): icmp_seq=1 ttl=117 time=6.61 ms 64 bytes from yul03s04-in-f3.1e100.net (184.108.40.206): icmp_seq=2 ttl=117 time=6.47 ms 64 bytes from yul03s04-in-f3.1e100.net (220.127.116.11): icmp_seq=3 ttl=117 time=7.03 ms --- google.ca ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2004ms rtt min/avg/max/mdev = 6.469/6.701/7.028/0.237 ms