Install and connect OpenVPN on Linux

1. Installing OpenVPN client dependencies on Linux
2. Installing OpenVPN client without elliptic curve cryptography (ECC) support
3. Installing OpenVPN client with elliptic curve cryptography (ECC) support
3.1. OpenSSL installation
3.2. Mbed TLS installation
3.3. OpenVPN installation
4. Importing configs to OpenVPN client on Linux
5. Connecting OpenVPN on Linux
All actions described below have to execute in Linux terminal only.
Commands beginning with the prompt # are executed as the root user, the prompt $ means the execution is from a regular user.
Use commands sudo or su to get the root user permissions. For example, enter sudo su to login as root in a desktop Debian-based distros (Ubuntu, Linux Mint and others). And use su in a RedHat-based distros (RHEL, Fedora, CentOS and others) and server Debian-based distros.

1. Installing dependencies

You have to install dependencies before installing OpenSSL and OpenVPN. In Debian-based Linux (Ubuntu, Debian, Linux Mint and others) use the next commands for it.
$ sudo apt-get update
$ sudo apt-get install make gcc g++ liblzo2-dev libpam0g-dev curl
Use this command for RedHat-based Linux (RHEL, CentOS, Fedora and others).
# dnf install lzo lzo-devel pam-devel gcc gcc-c++ libcurl curl perl
DeepWebVPN RSA config is OpenVPN config file, which has "RSA" in the filename. DeepWebVPN ECC (Elliptic Curve Cryptography) config is OpenVPN config file, which has "ECC" in the filename. For example: SingleRSA_US1.ovpn is RSA config, but DoubleECC_GB2_US2.ovpn is ECC config.

2. Installing OpenVPN client without ECC support

OpenVPN client without ECC support works correctly with RSA configs only. Miss this step and go to the section Installing OpenVPN client with ECC support if you need OpenVPN client, which is compatible with ECC and RSA configs.
It is enough setup packet from repositories to install OpenVPN client without ECC support. In Debian-based Linux use this command.
$ sudo apt-get install openvpn
And use the next command in RedHat-based Linux.
# dnf install openvpn

3. Installing OpenVPN client with ECC support

The manual below was tested in Debian 11 x64 (Debian-based) and Fedora 37 x64 (RedHat-based). DeepWebVPN doesn't sure that the manual is suited for another versions and distributions of Linux.
Don't forget install dependencies before installing OpenVPN client with ECC support.

3.1. Installing OpenSSL

Memorize the current version of the OpenSSL library if it is installed.
# openssl version
OpenSSL 1.0.1k-fips 8 Jan 2015
Download the archive of OpenSSL source code from the site of DeepWebVPN.
The OpenSSL source code archive in the example below is openssl-3.0.7.tar.gz, but you have to understand that the official site of OpenSSL could have the newer version at the moment your installing.
Use the next commands to download, unpack the archive and enter to the directory with the sources.
$ wget https://data.dwv.one/client/openvpn-linux-ecc/x64/openssl-3.0.7.tar.gz
$ tar -zxvf openssl-3.0.7.tar.gz
$ cd openssl-3.0.7
Execute this in the directory with the sources to compile the OpenSSL library.
$ chmod a+x config
# ./Configure && make && make install
# ldconfig /usr/local/lib64/
Check the OpenSSL version again.
# openssl version
OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)

3.2. Installing Mbed TLS

The next step is the installing Mbed TLS that supports ECC and suited for OpenVPN. Use the next commands to download, unpack and enter the folder with the source code.
$ wget https://data.dwv.one/client/openvpn-linux-ecc/x64/mbedtls-2.28.0.tar.gz
$ tar -zxvf mbedtls-2.28.0.tar.gz
# cd mbedtls-2.28.0 && make && make install

3.3. Installing OpenVPN

The OpenVPN source code archive in the example below is openvpn-2.5.8.tar.gz, but you have to understand that the official site of OpenVPN could have the newer version at the moment your installing.
Memorize the current version of the OpenVPN client and be sure that the client is compiled with not suited OpenSSL library version.
$ openvpn --version
OpenVPN 2.3.8 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Aug 4 2015
library versions: OpenSSL 1.0.1k-fips 8 Jan 2015, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_pthread=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_iproute_path=/sbin/ip with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no
Download the archive of OpenVPN client source code from our site, unpack it and enter to the source code directory.
$ wget https://data.dwv.one/client/openvpn-linux-ecc/x64/openvpn-2.5.8.tar.gz
$ tar -zxvf openvpn-2.5.8.tar.gz
# cd openvpn-2.5.8 && ./configure --with-crypto-library=mbedtls && make && make install
Make sure that the OpenVPN client is installed correctly.
$ openvpn --version
OpenVPN 2.5.8 x86_64-pc-linux-gnu [SSL (mbed TLS)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 19 2022
library versions: mbed TLS 2.28.0, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2022 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=mbedtls with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no

4. Importing configs

Make sure that the directory /etc/openvpn is existed or create it with the command below.
# mkdir /etc/openvpn
Download and unzip the archive of the OpenVPN configs. And move the OpenVPN configs to the directory /etc/openvpn.
# unzip all.zip -d /etc/openvpn && cp single/* /etc/openvpn/ && cp double/* /etc/openvpn/
It is not necessary download archive of all OpenVPN configs, you may select and download a specific configs (Single chains and Double chains).
Make sure that the configs are in the correct directory.
# ls /etc/openvpn
all.zip DoubleECC_GB1_FR1.ovpn DoubleRSA_FR1_GB1.ovpn SingleECC_DE1.ovpn SingleECC_NL1.ovpn SingleRSA_FR1.ovpn SingleRSA_RU2.ovpn
DoubleECC_DE1_NL1.ovpn DoubleECC_NL1_DE1.ovpn DoubleRSA_GB1_FR1.ovpn SingleECC_FR1.ovpn SingleECC_RU2.ovpn SingleRSA_GB1.ovpn
DoubleECC_FR1_GB1.ovpn DoubleRSA_DE1_NL1.ovpn DoubleRSA_NL1_DE1.ovpn SingleECC_GB1.ovpn SingleRSA_DE1.ovpn SingleRSA_NL1.ovpn
...

5. Connecting

Connecting to OpenVPN must be executed with the root permissions always.
Run OpenVPN client with a config file path as argument to connect. Enter the username and password when the client will ask it.
The username and password are the same as the username and password of the DeepWebVPN Cabinet.
For example, use the following command to connect to the chain SingleRSA_DE1.
# openvpn /etc/openvpn/SingleRSA_DE1.ovpn
Mon Jan 8 01:29:25 2018 OpenVPN 2.3.14 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec 7 2016
Mon Jan 8 01:29:25 2018 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.08
Enter Auth Username: ********
Enter Auth Password: ********
Mon Jan 8 01:29:32 2018 Control Channel Authentication: tls-auth using INLINE static key file
Mon Jan 8 01:29:32 2018 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Jan 8 01:29:32 2018 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Jan 8 01:29:32 2018 Socket Buffers: R=[87380->87380] S=[16384->16384]
Mon Jan 8 01:29:47 2018 Attempting to establish TCP connection with [AF_INET]104.238.177.127:255 [nonblock]
Mon Jan 8 01:29:48 2018 TCP connection established with [AF_INET]104.238.177.127:255
Mon Jan 8 01:29:48 2018 TCPv4_CLIENT link local: [undef]
Mon Jan 8 01:29:48 2018 TCPv4_CLIENT link remote: [AF_INET]104.238.177.127:255
Mon Jan 8 01:29:48 2018 TLS: Initial packet from [AF_INET]104.238.177.127:255, sid=445a6902 d3ec551d
Mon Jan 8 01:29:48 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Jan 8 01:29:49 2018 VERIFY OK: depth=1, CN=de1-rsa
Mon Jan 8 01:29:49 2018 Validating certificate key usage
Mon Jan 8 01:29:49 2018 ++ Certificate has key usage 00a0, expects 00a0
Mon Jan 8 01:29:49 2018 VERIFY KU OK
Mon Jan 8 01:29:49 2018 Validating certificate extended key usage
Mon Jan 8 01:29:49 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jan 8 01:29:49 2018 VERIFY EKU OK
Mon Jan 8 01:29:49 2018 VERIFY OK: depth=0, CN=de1-ecc-server
Mon Jan 8 01:29:59 2018 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Jan 8 01:29:59 2018 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Jan 8 01:29:59 2018 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Jan 8 01:29:59 2018 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Jan 8 01:29:59 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-ECDSA-AES256-GCM-SHA384
Mon Jan 8 01:29:59 2018 [de1-rsa-server] Peer Connection Initiated with [AF_INET]104.238.177.127:255
Mon Jan 8 01:30:01 2018 SENT CONTROL [de1-rsa-server]: 'PUSH_REQUEST' (status=1)
Mon Jan 8 01:30:02 2018 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.101.0.1,redirect-gateway def1,route-gateway 10.111.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.111.0.2 255.255.255.0,peer-id 0'
Mon Jan 8 01:30:02 2018 OPTIONS IMPORT: timers and/or timeouts modified
Mon Jan 8 01:30:02 2018 OPTIONS IMPORT: --ifconfig/up options modified
Mon Jan 8 01:30:02 2018 OPTIONS IMPORT: route options modified
Mon Jan 8 01:30:02 2018 OPTIONS IMPORT: route-related options modified
Mon Jan 8 01:30:02 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Jan 8 01:30:02 2018 OPTIONS IMPORT: peer-id set
Mon Jan 8 01:30:02 2018 OPTIONS IMPORT: adjusting link_mtu to 1607
Mon Jan 8 01:30:02 2018 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=wlp3s0 HWADDR=44:6d:57:b7:8e:7e
Mon Jan 8 01:30:02 2018 TUN/TAP device tun0 opened
Mon Jan 8 01:30:02 2018 TUN/TAP TX queue length set to 100
Mon Jan 8 01:30:02 2018 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Jan 8 01:30:02 2018 /usr/sbin/ip link set dev tun0 up mtu 1500
Mon Jan 8 01:30:02 2018 /usr/sbin/ip addr add dev tun0 10.111.0.2/24 broadcast 10.111.0.255
Mon Jan 8 01:30:02 2018 /usr/sbin/ip route add 104.238.177.127/32 via 192.168.0.1
Mon Jan 8 01:30:02 2018 /usr/sbin/ip route add 0.0.0.0/1 via 10.111.0.1
Mon Jan 8 01:30:02 2018 /usr/sbin/ip route add 128.0.0.0/1 via 10.111.0.1
Mon Jan 8 01:30:02 2018 Initialization Sequence Completed
To avoid DNS leaks and for correctly working of the Internet, don't forget to set DNS after a successfully connecting.
Press Ctrl+C in the terminal window to disconnect.