Most Linux users will connect using either Network Manager or Terminal.

Terminal is the recommended method, because Network Manager hasn't yet implemented the latest OpenVPN features.



Network Manager

  • Ubuntu's default Network Manager doesn't include OpenVPN support, so a plugin will need to be installed.
    First, open up the Terminal.

  • The first thing that needs to be done is update the apt sources with the command:
    sudo apt update
    Then, install OpenVPN:
    sudo apt install openvpn

  • Next, type in the following command:
    sudo apt-get install network-manager-openvpn
    Or if your desktop environment is GNOME, use the command:
    sudo apt-get install network-manager-openvpn-gnome

    Note: The Ubuntu Live CD/DVD by default has the "universe" repository disabled, and that's where the above two packages are.
    So if you're using the Live CD/DVD, you'll need to type these commands before the above two will work:
    sudo -s
    . /etc/lsb-release
    echo "deb http://archive.ubuntu.com/ubuntu $DISTRIB_CODENAME universe" >> /etc/apt/sources.list
    apt-get update

  • After that plugin is installed, you may need to restart Network Manager with the command:
    sudo service network-manager restart
    Check first if the plugin was installed successfully. Click on the Network Manager icon in the top right hand corner, then go to "Edit Connections"


    Then click "Add"


    Then click the drop down list. If the plugin installed correctly, you should see "OpenVPN" in the list, under "VPN"

  • The next step is to download the cryptostorm OpenVPN configs.
    For this example, my account is named "test", and I'll be putting the configs in /home/test/Documents/conf/
    Open up Terminal again and create the directory you'll be using:
    mkdir ~/Documents/conf
    cd ~/Documents/conf
    Then download and unzip the configs:
    wget https://cryptostorm.is/configs/rsa/configs.zip
    unzip configs.zip

    Note: only the RSA configs are supported in Network Manager, at least, until they add support for --tls-crypt and --compress (OpenVPN options used in the ECC configs)

  • The default Ubuntu includes a dnsmasq server that will overwrite /etc/resolv.conf, which will cause DNS leaks with OpenVPN.
    Fortunately, Ubuntu/Debian also has an /etc/openvpn/update-resolv-conf script to fix this leak.
    You'll need to add to all of your config files the three lines:
    • script-security 2
    • up /etc/openvpn/update-resolv-conf
    • down /etc/openvpn/update-resolv-conf
    To make things easier, so you don't have to edit each individual config file, you can use this command to add the above three lines to all configs at once:
    for conf in *.ovpn;do echo 'script-security 2' >> "$conf";echo 'up /etc/openvpn/update-resolv-conf' >> "$conf";echo 'down /etc/openvpn/update-resolv-conf' >> "$conf";done

  • Next, import all of the configs into Network Manager using the command:
    for conf in *.ovpn;do nmcli connection import type openvpn file "$conf";done

  • To save yourself from having to enter the username/password for every config, you can instead use these commands to add the user/pass to all the configs.
    First, become root, enter your password when prompted:
    sudo -s

    Next, add the user/pass to all the imported configs (replace CsTok-enGvX-F4b4a-j7CED with your cryptostorm token).
    The following commands should be run while still in the configs directory.
    Note: It's recommended that you first hash your token using the token hasher at https://cryptostorm.is/#section6, under the teddy bear.
    CSTOKEN=CsTok-enGvX-F4b4a-j7CED
    for f in *.ovpn;do
    # connection name = config file name without the .ovpn extension
    conf="${f%.ovpn}"
    # use the .nmconnection file name if that is how the connection was saved
    if [ -e "/etc/NetworkManager/system-connections/$conf.nmconnection" ];then
    conf="$conf.nmconnection"
    fi
    # add the token as the username in the [vpn] section
    sed "/\[vpn\]/a username=$CSTOKEN" -i "/etc/NetworkManager/system-connections/$conf"
    # password-flags=0: the password is read from the file instead of being prompted for
    sed -e"s/password-flags=.*/password-flags=0/" -i "/etc/NetworkManager/system-connections/$conf"
    # append a [vpn-secrets] section with a placeholder password
    sed "\$a\\\n[vpn-secrets]\npassword=whatever\n" -i "/etc/NetworkManager/system-connections/$conf"
    done


    And finally, one last restart of Network Manager:
    service network-manager restart

    You can now select a node to connect to from Network Manager:

  • You should see a notification once you're connected to the VPN:

  • You're done! Check with https://cryptostorm.is/test to verify that your IP has changed.


Terminal

  • The OpenVPN in older Ubuntu apt repos is outdated, so first we'll need to add OpenVPN's repository.
    If you're on Debian 9 or Ubuntu 18.x (bionic), you can skip this step since they do include a later OpenVPN 2.4.x
    In Terminal, start a root shell with the command:
    sudo -s
    Enter your password when it asks. Next, add the OpenVPN repository:
    wget -O- https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add -
    Then add the OpenVPN repo to the local sources list:
    . /etc/lsb-release;echo "deb http://build.openvpn.net/debian/openvpn/stable $DISTRIB_CODENAME main" > /etc/apt/sources.list.d/openvpn-aptrepo.list

  • After that, install the latest OpenVPN with:
    apt-get update && apt-get install openvpn
    When that's done, verify that you now have the latest OpenVPN with the command:
    openvpn --version|head -n1
    To see what the latest OpenVPN version is, visit: https://openvpn.net/index.php/open-source/downloads.html

  • Next, download and unzip the cryptostorm OpenVPN configs.
    The RSA ones are at https://cryptostorm.is/configs/rsa/configs.zip
    The ECC ones are at https://cryptostorm.is/configs/ecc/configs.zip
    The Ed25519 ones are at https://cryptostorm.is/configs/ecc/ed25519/configs.zip
    The Ed448 ones are at https://cryptostorm.is/configs/ecc/ed448/configs.zip
    See https://cryptostorm.is/config/ for details on the differences between these.

    OpenVPN 2.4.x is required for the ECC configs.
    OpenVPN 2.4.x AND OpenSSL 1.1.1 are required for the Ed25519 and Ed448 configs.

    So for ECC, the commands would be:
    wget https://cryptostorm.is/configs/ecc/configs.zip
    unzip configs.zip

  • So you don't have to enter your token every time you connect, store your token in a file of your choosing.
    (Replace CsTok-enGvX-F4b4a-j7CED with your token or your token's hash using the token hasher at https://cryptostorm.is/#section6, under the teddy bear.
    And replace /home/test/cstoken with the location you want to save the token to. My username is "test", so I'm storing the file in /home/test/cstoken.)
    The umask makes sure the file is never readable by other users, not even briefly before the chmod:
    (umask 077;echo CsTok-enGvX-F4b4a-j7CED > /home/test/cstoken;echo anythingcangohere >> /home/test/cstoken);chmod 600 /home/test/cstoken
    Then edit all the configs to use /home/test/cstoken:
    sed -e's_^auth-user-pass_auth-user-pass /home/test/cstoken_' -i *.ovpn

  • The default Ubuntu/Debian includes a dnsmasq server that will overwrite /etc/resolv.conf, which will cause DNS leaks with OpenVPN.
    Fortunately, Ubuntu/Debian also has an /etc/openvpn/update-resolv-conf script to fix this leak.
    You'll need to add to all of your config files the three lines:
    • script-security 2
    • up /etc/openvpn/update-resolv-conf
    • down /etc/openvpn/update-resolv-conf
    To make things easier, so you don't have to edit each individual config file, you can use this command to add the above three lines to all configs at once:
    for conf in *.ovpn;do echo 'script-security 2' >> "$conf";echo 'up /etc/openvpn/update-resolv-conf' >> "$conf";echo 'down /etc/openvpn/update-resolv-conf' >> "$conf";done

  • Finally, connect with:
    sudo openvpn --config Paris_UDP.ovpn
    (Replace "Paris_UDP.ovpn" with whatever node you want to connect to)

  • Once you see "Initialization Sequence Completed", you're connected!
    Check with https://cryptostorm.is/test to verify that your IP has changed.
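
The one-liners in the Terminal steps (and the same three update-resolv-conf lines in the Network Manager steps) append blindly, so running them a second time duplicates directives and doubles the path after auth-user-pass. The script below is an added example, not cryptostorm's own code: it applies the same edits idempotently and then audits the config and the token file. The helper names, the sample config and PLACEHOLDER-TOKEN are assumptions made up for the demo.

```shell
# Added example, not cryptostorm's own script. Helper names are hypothetical.
# Requires GNU sed and GNU stat (both standard on Ubuntu/Debian).
HOOK=/etc/openvpn/update-resolv-conf

# Create the credentials file already private, instead of chmod-ing afterwards.
write_cred() {  # write_cred FILE TOKEN
    ( umask 077; printf '%s\n%s\n' "$2" anythingcangohere > "$1" )
    chmod 600 "$1"   # also tightens a file that already existed
}

# Append LINE to FILE only if that exact line is not there yet.
add_line() {  # add_line FILE LINE
    grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# Apply the three DNS-leak lines and point auth-user-pass at CREDFILE.
harden_conf() {  # harden_conf CONFIG CREDFILE
    add_line "$1" 'script-security 2'
    add_line "$1" "up $HOOK"
    add_line "$1" "down $HOOK"
    # Rewrite only a bare "auth-user-pass", so a second run changes nothing.
    sed -i -e "s|^auth-user-pass[[:space:]]*\$|auth-user-pass $2|" "$1"
}

# Print every problem found; return 0 only if CONFIG and CREDFILE are as intended.
audit_conf() {  # audit_conf CONFIG CREDFILE
    rc=0
    for want in 'script-security 2' "up $HOOK" "down $HOOK" "auth-user-pass $2"; do
        grep -qxF -- "$want" "$1" || { echo "$1: missing '$want'"; rc=1; }
    done
    mode=$(stat -c %a "$2" 2>/dev/null) || mode=missing
    [ "$mode" = 600 ] || { echo "$2: mode $mode, want 600"; rc=1; }
    return "$rc"
}

# Demo on a constructed config in a temp dir (sample content, not a real node).
demo() {
    d=$(mktemp -d) || return 1
    printf 'client\nremote vpn.example.invalid 443 udp\nauth-user-pass\n' > "$d/Sample_UDP.ovpn"
    write_cred "$d/cstoken" 'PLACEHOLDER-TOKEN'
    harden_conf "$d/Sample_UDP.ovpn" "$d/cstoken"
    harden_conf "$d/Sample_UDP.ovpn" "$d/cstoken"   # second run must be a no-op
    audit_conf "$d/Sample_UDP.ovpn" "$d/cstoken"; status=$?
    lines=$(wc -l < "$d/Sample_UDP.ovpn")
    rm -rf "$d"
    echo "audit=$status lines=$lines"
}
demo
```

To use it on the real configs, run `for c in *.ovpn; do harden_conf "$c" /home/test/cstoken; audit_conf "$c" /home/test/cstoken; done` in the configs directory after creating the token file.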