Software, electronics and anything else

Setting up Windscribe OpenVPN

I have a headless server where I want to run my Windscribe VPN on boot automatically. Unfortunately, their current client seems to require a GUI to function, which makes it impossible to use on such a server. However, we can use OpenVPN instead. I’m doing this on Ubuntu 22.04.

First, install OpenVPN:

sudo apt install openvpn

Then, get the appropriate config file from OpenVPN’s page. Save this file into the /etc/openvpn folder, making sure it ends in .conf:

ls -lah /etc/openvpn
total 28K
drwxr-xr-x   4 root root 4.0K Mar 15 00:42 .
drwxr-xr-x 103 root root 4.0K Mar 15 00:36 ..
drwxr-xr-x   2 root root 4.0K Jul 14  2022 client
drwxr-xr-x   2 root root 4.0K Jul 14  2022 server
-rwxr-xr-x   1 root root 1.5K Jul 14  2022 update-resolv-conf
-rw-r--r--   1 root root 3.0K Mar 15 00:39 Windscribe.ovpn.conf

On the OpenVPN config page, use the “Get Credentials” button to…well, get your credentials. Save them as a file in /etc/openvpn; in my case, I named it Windscribe-pass.auth. Put your username on the first line and your password on the second line of that file, e.g.:

WINDSCRIBE_USERNAME
WINDSCRIBE_PASSWORD

I also recommend setting the permissions such that only root can read the file e.g. via chmod 600. When done, you should have two config files in /etc/openvpn:

/etc/openvpn# ls -lah
total 28K
drwxr-xr-x   4 root root 4.0K Mar 15 00:42 .
drwxr-xr-x 103 root root 4.0K Mar 15 00:36 ..
drwxr-xr-x   2 root root 4.0K Jul 14  2022 client
drwxr-xr-x   2 root root 4.0K Jul 14  2022 server
-rwxr-xr-x   1 root root 1.5K Jul 14  2022 update-resolv-conf
-rw-r--r--   1 root root 3.0K Mar 15 00:39 Windscribe.ovpn.conf
-rw-------   1 root root   28 Mar 15 00:42 Windscribe-pass.auth

Modify the main OpenVPN config file in /etc/openvpn you saved earlier (in my case, Windscribe.ovpn.conf) and add a line telling OpenVPN to look for the username and password in the other file. This is important, as in my case I want it to start on boot automatically and the password has to be saved somewhere. Your file should then look something like this:

client
dev tun
proto udp
remote yul-316.whiskergalaxy.com 1194
verify-x509-name yul-316.windscribe.com name

nobind
auth-user-pass

resolv-retry infinite

cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM
auth SHA512

auth-user-pass Windscribe-pass.auth

verb 2
mute-replay-warnings
remote-cert-tls server
persist-key
persist-tun
.....
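The two files above can be checked before the service is enabled. This is an added example, not part of the original setup: the function names and finding labels are made up for illustration, and `stat -c` assumes GNU coreutils as shipped on Ubuntu. It confirms that the config still carries the server-certificate checks, that `auth-user-pass` points at a file, and that the file is readable by its owner only.

```bash
# Added example (not from the original post): audit an OpenVPN client config
# and the credentials file it references. Function names are illustrative.

# auth_file CONF -> prints the file named by the last "auth-user-pass FILE" line
auth_file() {
    awk '$1 == "auth-user-pass" && NF >= 2 { f = $2 } END { if (f != "") print f }' "$1"
}

# has_directive CONF NAME -> 0 if NAME is the first word of some line in CONF
has_directive() {
    awk -v d="$2" '$1 == d { found = 1 } END { exit !found }' "$1"
}

# audit_ovpn DIR CONF -> prints findings (or OK); returns 1 if any check fails
audit_ovpn() {
    local dir conf rc af mode d
    dir=$1; conf="$1/$2"; rc=0
    # Both directives make the client verify who it is talking to.
    for d in remote-cert-tls verify-x509-name; do
        has_directive "$conf" "$d" || { echo "MISSING $d"; rc=1; }
    done
    af=$(auth_file "$conf")
    if [ -z "$af" ]; then
        echo "NO-AUTH-FILE"; return 1
    fi
    case $af in /*) ;; *) af="$dir/$af" ;; esac   # relative to the config directory
    if [ ! -f "$af" ]; then
        echo "AUTH-FILE-ABSENT $af"; return 1
    fi
    mode=$(stat -c %a "$af")                      # GNU stat prints e.g. 600
    case $mode in
        ?00) ;;                                   # owner-only, e.g. 600 or 400
        *) echo "AUTH-FILE-MODE $mode $af"; rc=1 ;;
    esac
    # Username on line 1, password on line 2.
    [ "$(awk 'END { print NR }' "$af")" -ge 2 ] || { echo "AUTH-FILE-FORMAT $af"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK"
    return "$rc"
}

# Usage: audit_ovpn /etc/openvpn Windscribe.ovpn.conf
```

Run it as root, since the credentials file is not readable by anyone else.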

Next, you’ll need to enable the VPN and start it. Note that the naming of this service will follow the name of the .conf file you created earlier.

systemctl daemon-reload
systemctl enable openvpn@Windscribe.ovpn
systemctl start openvpn@Windscribe.ovpn

A word of warning. When starting OpenVPN, the VPN becomes the default route, and if you’re like me and keep this machine on its own subnet, this can interfere with normal routing (e.g. ssh to other machines), so you may have to add static routes before starting the VPN. For example, on Ubuntu with Netplan modify /etc/netplan/00-installer-config.yaml:

network:
  ethernets:
    enp6s18:
      addresses:
      - 192.168.80.1/24
      nameservers:
        addresses:
        - 192.168.80.100
      routes:
      - to: default
        via: 192.168.80.100
      - to: 192.168.0.0/16
        via: 192.168.80.100
  version: 2

In my case, the machine is on 192.168.80.0/24, but needs access to other subnets I have, so I just force routing of the entire 192.168.0.0/16 subnet to my router to include all of them. To apply, run

sudo netplan apply

If all goes well, you can verify your VPN connected by checking on the service status:

● openvpn@Windscribe.ovpn.service - OpenVPN connection to Windscribe.ovpn
     Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2023-03-15 00:57:44 UTC; 5min ago
       Docs: man:openvpn(8)
             https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
             https://community.openvpn.net/openvpn/wiki/HOWTO
   Main PID: 2760 (openvpn)
     Status: "Initialization Sequence Completed"
      Tasks: 1 (limit: 2233)
     Memory: 2.1M
        CPU: 23ms
     CGroup: /system.slice/system-openvpn.slice/openvpn@Windscribe.ovpn.service
             └─2760 /usr/sbin/openvpn --daemon ovpn-Windscribe.ovpn --status /run/openvpn/Windscribe.ovpn.status 10 --c>

Mar 15 00:57:44 rake ovpn-Windscribe.ovpn[2760]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer >
Mar 15 00:57:44 rake ovpn-Windscribe.ovpn[2760]: [yul-316.windscribe.com] Peer Connection Initiated with [AF_INET]38.1

And see the IP assigned to the tunnel:

root@vm:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
......
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 10.123.123.123/23 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::de52:ad25:1b78:bab6/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

And you can ping to a known server to see if the ping times increase over your normal connection. This isn’t foolproof but it’s a good quick check to make sure your connections are going through the VPN.

ping google.ca -c 3
PING google.ca (172.217.13.163) 56(84) bytes of data.
64 bytes from yul03s04-in-f3.1e100.net (172.217.13.163): icmp_seq=1 ttl=117 time=6.61 ms
64 bytes from yul03s04-in-f3.1e100.net (172.217.13.163): icmp_seq=2 ttl=117 time=6.47 ms
64 bytes from yul03s04-in-f3.1e100.net (172.217.13.163): icmp_seq=3 ttl=117 time=7.03 ms

--- google.ca ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 6.469/6.701/7.028/0.237 ms
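Since ping times are only a hint, a more direct check is to ask the kernel which interface it would use for a given destination. The following is an added example, not part of the original post: it confirms that internet traffic leaves through the tunnel while the static route keeps other local subnets on the physical NIC. The function names, the `ROUTE_LOOKUP` override and the two destination addresses in the usage line are constructed for illustration.

```bash
# Added example (not from the original post): check the egress interface the
# kernel picks for a destination, instead of inferring it from ping times.

# route_dev LINE -> prints the word following "dev" in `ip route get` output
route_dev() {
    local prev="" word
    for word in $1; do
        if [ "$prev" = "dev" ]; then printf '%s\n' "$word"; return 0; fi
        prev=$word
    done
    return 1
}

# route_lookup DEST -> output of `ip -o route get DEST`.
# Set ROUTE_LOOKUP to another command to run against canned output.
route_lookup() { ${ROUTE_LOOKUP:-ip -o route get} "$1"; }

# check_egress DEST DEV -> 0 if traffic to DEST would leave through DEV
check_egress() {
    local line dev
    line=$(route_lookup "$1") || { echo "FAIL $1: lookup failed"; return 1; }
    dev=$(route_dev "$line") || { echo "FAIL $1: no interface in '$line'"; return 1; }
    if [ "$dev" = "$2" ]; then
        echo "OK   $1 -> $dev"
    else
        echo "FAIL $1 -> $dev (expected $2)"; return 1
    fi
}

# verify_routes TUN_DEV LAN_DEV INTERNET_IP LAN_IP
# Internet traffic must use the tunnel; other local subnets must stay on the NIC.
verify_routes() {
    local rc=0
    check_egress "$3" "$1" || rc=1
    check_egress "$4" "$2" || rc=1
    return "$rc"
}

# Usage on the machine from the post (both addresses are constructed examples):
#   verify_routes tun0 enp6s18 1.1.1.1 192.168.1.10
```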
