Setting up a VPN client
In this tutorial, you learn how to set up your VPN client and connect to the VPN server.
Before you begin
Obtain the following information from your VPN server administrator:
- Client profile file (<vpn_server>.ovpn)
- The type of authentication that was configured for the VPN server
  Choices are client certificate, user ID and passcode, or both. If client certificate-based authentication was implemented, make sure that you also received the client certificate.
- If the VPN server certificate was ordered from a public Certificate Authority (CA), make sure that you have the CA certificate number.
Install a VPN client
First, you must download and install an OpenVPN client. The following client software versions are supported.
- For macOS Catalina and later: OpenVPN Connect v3, OpenVPN Connect v2, and Tunnelblick 3.8.4
- Windows 8 and later: OpenVPN Connect v3, OpenVPN Connect v2
- RHEL 7.x and later: OpenVPN Connect v3, OpenVPN Connect v2, and OpenVPN command-line client (version 2.4.4 and later)
- Ubuntu 18.04 and later: OpenVPN Connect v3, OpenVPN Connect v2, and OpenVPN command-line client (version 2.4.10 and later)
You can choose other OpenVPN-2.4-compatible client software. However, software that is not listed is not guaranteed to work.
Set up client authentication
Your VPN server administrator can choose to set up a client certificate, a user ID and passcode, or both types of authentication. Depending on what your administrator instructs you to do, complete one or both of the following procedures.
Configure a client certificate
If your administrator provided a client certificate for certificate-based authentication, you must edit the client profile file (<vpn_server>.ovpn), and then add the client certificate into the file using any ASCII editor.
If your administrator used a private certificate, they might have provided you with a client profile that already includes your client certificate and private key. If so, save the client profile file on your system and skip to step 4 to open the OpenVPN client UI and import the file.
1. Save the client profile (<vpn_server>.ovpn) on your system.
2. Open the file in an ASCII editor and add the client certificate to the end of the client profile. For example, use one of the following methods:
   - Enter the paths to both the client public key and the client private key:

         cert /path/client_public_key.crt
         key /path/client_private_key.key

     OR
   - Wrap client_public_key.crt between the <cert></cert> tags and enclose client_private_key.key between <key></key> as shown.

         <cert>
         -----BEGIN CERTIFICATE-----
         place your VPN client certificate
         -----END CERTIFICATE-----
         </cert>
         <key>
         -----BEGIN PRIVATE KEY-----
         place your VPN client private key
         -----END PRIVATE KEY-----
         </key>

3. If the VPN server certificate was ordered from a public Certificate Authority (CA), you must also update the <ca> section with the public CA certificate.

       <ca>
       -----BEGIN CERTIFICATE-----
       MIID......................
       ..........................
       ..........................
       ..........................
       -----END CERTIFICATE-----
       </ca>

4. Open the OpenVPN client UI and import the .ovpn profile file. Depending on the OpenVPN client you installed, the instructions vary. OpenVPN Connect and Tunnelblick examples are provided.
   OpenVPN Connect example:
   - Click the Plus icon on the lower right of the window.
   - Click Browse to select and import the .ovpn file (client profile).
   Tunnelblick example:
   - Click VPN Details.
   - Drag and drop the .ovpn file in the Configurations section.
   - Click OK.
   - Select Only Me and provide your system username and system password. This is typically your IBMid and password. Then, click OK.
5. If you are only configuring a client certificate, skip to Step 3: Connect to the VPN server. If you are also configuring a user ID and passcode, complete the steps in the next section.
Configure a user ID and passcode
If your administrator configured user ID and passcode authentication on the VPN server, follow these steps:
Your VPN server administrator invites you to the account that the VPN server resides in so that you can connect to the VPN server. Your administrator already assigned your ID an IBM Cloud Identity and Access Management (IAM) permission.
1. Go to this website to generate a passcode for your user ID:
   https://iam.cloud.ibm.com/identity/passcode
2. If a VPN server certificate was ordered from a public Certificate Authority (CA), save the client profile (<vpn_server>.ovpn) on your system, and then update the <ca> section with the public CA certificate. If you configured a client certificate, skip this step. For example:

       <ca>
       -----BEGIN CERTIFICATE-----
       MIID......................
       ..........................
       ..........................
       ..........................
       -----END CERTIFICATE-----
       </ca>

3. Open the OpenVPN UI and import the file.
   Do not select Save password.
   OpenVPN Connect example:
   - In the OpenVPN Connect client, enter your IAM username, then click CONNECT.
   - Add the one-time passcode generated in step 1, then click OK.
   Tunnelblick example:
   - After you import the .ovpn file, click Connect.
   - In the pop-up window, enter your IAM username and one-time passcode generated using the link in step 1. Then, click OK.
4. Continue to the next section.
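A lint for the profile edits made in the two procedures above (client certificate, and user ID and passcode), added here as an example; it is not part of the original page or of any vendor tooling. It checks the inline <ca>, <cert> and <key> blocks for mismatched closing tags, malformed PEM framing and leftover placeholder text, flags a cert without a key, and flags an auth-user-pass line that names a stored credentials file; the names lint_profile and readable_by_others and the SAMPLE profile are constructed for illustration.

```python
import base64
import os
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.+?)\n-----END ([A-Z0-9 ]+)-----", re.S)
BLOCK_RE = re.compile(r"^<(ca|cert|key)>[ \t]*\n(.*?)^</([^>\n]*)>", re.S | re.M)

# Constructed sample: four-dash PEM lines in <ca>, a </certs> typo, placeholder text in <key>.
SAMPLE = (
    "client\n<ca>\n----BEGIN CERTIFICATE-----\nQUJDRA==\n----END CERTIFICATE-----\n</ca>\n"
    "<cert>\n-----BEGIN CERTIFICATE-----\nQUJDRA==\n-----END CERTIFICATE-----\n</certs>\n"
    "<key>\n-----BEGIN PRIVATE KEY-----\nplace your VPN client private key\n-----END PRIVATE KEY-----\n</key>\n"
)


def lint_profile(text):
    """Return a list of problems found in an .ovpn profile passed as a string."""
    text = text.replace("\r\n", "\n")
    problems, inline = [], set()
    for tag, body, closing in BLOCK_RE.findall(text):
        inline.add(tag)
        if closing != tag:
            problems.append(f"<{tag}> is closed by </{closing}>")
        blocks = PEM_RE.findall(body)
        if not blocks or PEM_RE.sub("", body).strip():
            problems.append(f"<{tag}> is not clean PEM (BEGIN/END lines need five dashes)")
        want = "PRIVATE KEY" if tag == "key" else "CERTIFICATE"
        for begin, b64, end in blocks:
            if begin != end or not begin.endswith(want):
                problems.append(f"<{tag}> holds a {begin} block, expected {want}")
            try:
                base64.b64decode("".join(ln.strip() for ln in b64.splitlines()), validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                problems.append(f"<{tag}> body is not base64 (placeholder text left in?)")
    for tag in ("ca", "cert", "key"):
        if re.search(rf"^<{tag}>", text, re.M) and tag not in inline:
            problems.append(f"<{tag}> is never closed")
    # The certificate and its key may be inline or given by path, but must come as a pair.
    has = {t: t in inline or bool(re.search(rf"^{t}[ \t]+\S", text, re.M)) for t in ("cert", "key")}
    if has["cert"] != has["key"]:
        problems.append("cert and key must both be present")
    if re.search(r"^auth-user-pass[ \t]+\S", text, re.M):
        problems.append("auth-user-pass names a stored credentials file")
    return problems


def readable_by_others(path):
    """True if group or other users have any access to the profile file (POSIX modes)."""
    return bool(os.stat(path).st_mode & 0o077)
```

The lint checks framing only; it does not verify that a certificate is valid or that the key matches it.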
Connect to the VPN server
When ready to connect to the VPN server, click Connect.
If you encounter a warning message, such as one of the following, select not to be warned again. Then, click Continue or OK depending on your OpenVPN client.
- Missing external certificate
- This computer's apparent public IP address was not different after connecting to xxx...
- One or more possible problems with DNS were found:
You are now connected to the client-to-site VPN server.