Anyone who has enjoyed the dubious benefits of working with IPSEC will find OpenVPN a delight, but what do you do with your client.ovpn file once you have it?

If you spend most of your time in a terminal anyway, then I would suggest just putting all your client.ovpn files into ~/.openvpn, renaming them in some appropriate way, and then using them simply by typing:

$ sudo openvpn client.ovpn

If, on the other hand, you live in a more graphically orientated world, then you might like to integrate them into Network Manager. Sadly, the Import feature in Ubuntu does not work, at least in the versions of Ubuntu that I have used, and you have to make a few changes first.

Firstly, I would always create a hidden directory into which to store your client files:

$ mkdir ~/.openvpn
$ cd ~/.openvpn
$ mv ~/Downloads/client.ovpn ./

Secondly, you need to ensure that you have installed openvpn for network-manager:

$ sudo apt-get install network-manager-openvpn-gnome

Thirdly, we need to extract some data out of the client.ovpn, and for this I followed these instructions, which I include below in case of link breakage:

1. Open client.ovpn in your favour text editor and copy the lines between the <ca> tags into a new file named client.ca.
2. Remove <ca> section including tags.
3. Now copy the lines between the <cert> tags into a new file named client.crt.
4. Remove <cert> section including tags.
5. Now copy the lines between <key> tags into a new file named client.key.
6. Remove <key> section including tags.
7. Now copy the lines between <tls-auth> tags into a new file named client.tls.
8. Remove <tls-auth> section including tags.
9. Remove the line “key-direction 1”.
10. Insert the following text above the line # —–BEGIN RSA SIGNATURE—– :

ca client.ca
cert client.crt
key client.key
tls-auth client.tls 1

Finally, save and close all the files and check that you now have all the above files sitting happily in your ~/.openvpn directory.

Go to Network Manager -> Edit Connections ->VPN and click Import, browse to the modified client.ovpn import that file.

Enter vpn username and password if prompted.

On the VPN page, select Advanced and on the General Tab, uncheck the first option, “Use custom gateway.

Configuration

• Host IP: 192.168.0.17
• TUN Interface IP: 192.168.0.18
• Guest Interface IP: 192.168.0.19

I went into windows and provisioned the emulated ethernet interface with an IP address of 192.168.0.19; along with appropriate DNS settings and default gateway settings. I’ve also reserved the address 192.168.0.18 for use by the tunnel device.

My /etc/qemu-ifup looks like this:

#!/bin/sh
# configure tun0 device (UML and newer versions of Qemu use tap0 here!)
sudo /sbin/ifconfig $1 192.168.0.18

# activate ip forwarding
sudo bash -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

# set up routing to the guest IP
sudo route add -host 192.168.0.19 dev tap0

# activate ARP proxy to "spoof" arp address
sudo bash -c 'echo 1 > /proc/sys/net/ipv4/conf/tap0/proxy_arp'

# set "spoofed" arp address
sudo arp -Ds 192.168.0.19 eth0 pub

Thats it… The bridging is done only for a single IP address by installing a proxy ARP.

Running

$ sudo kvm -hda w2k3.img -smp 2 -m 512 -no-acpi -k en-gb -net nic,model=rtl8139 -net tap,script=/etc/qemu-ifup -usb -usbdevice tablet -snapshot

• Note that you must sudo the command, as root priority is required for the qemu-ifup script.
• Note also that for some reason under KVM you need to specify the qemu-ifup script, as it does not default to that. I suspect that it defaults to kvm-ifup, but I have not looked into this further.
• The USB switch is useful in that it enables the mouse to leave the virtual window, and also seems to synchronise the host/guest cursors, which was a problem on our installation.

References

• QEMU
• QEMU Networking
  • QEMU Setup Hints