How to choose, use and configure a VPN in Linux From Scratch (My opinion)

Why these VPN clients suit Linux From Scratch

Linux From Scratch (LFS) appeals to power users who compile every package from source, with no built-in package manager and absolute control over init systems (sysvinit or systemd) and dependencies. Typical desktop environments (Xfce, KDE Plasma, LXQt, or a tiling WM) are also hand-built. That level of customisation demands VPN software that:

  • Is distributed as source tarballs or a Git repository, with minimal external dependencies.
  • Integrates cleanly into a manually-compiled kernel (for kernel modules like WireGuard).
  • Offers command-line tooling, since NetworkManager or GUI front-ends may not be present.

Top VPN choices for LFS

Based on minimal requirements, upstream-friendly build systems and strong protocol support, these three stand out for an LFS environment:

  • WireGuard – modern, in-kernel or out-of-tree module, tiny codebase.
  • OpenVPN – battle-tested, pure user-space, wide compatibility.
  • OpenConnect – an open implementation of Cisco AnyConnect SSL VPN.

Feature comparison

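| VPN         | Protocol       | Source-only | Kernel Module              | CLI-first    | Deps                              | Upstream Link             |
|-------------|----------------|-------------|----------------------------|--------------|-----------------------------------|---------------------------|
| WireGuard   | WireGuard      | Yes         | Yes (in-kernel or compat)  | wg-quick, wg | libmnl, libelf (optional)         | WireGuard official site   |
| OpenVPN     | SSL/TLS        | Yes         | No                         | openvpn      | OpenSSL, LZO, PKCS#11 (optional)  | OpenVPN official site     |
| OpenConnect | AnyConnect SSL | Yes         | No                         | openconnect  | GnuTLS (or OpenSSL), libproxy     | OpenConnect official site |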

1. WireGuard – install and configure on LFS

Installation steps

# Ensure your kernel has CONFIG_WIREGUARD enabled (5.6+ recommended):
cd /path/to/linux-source
make menuconfig
# Enable: Device Drivers → Network device support → WireGuard secure network tunnel
make && make modules_install && make install

# Build userspace tools (the Makefile lives in src/; there is no configure script):
git clone https://git.zx2c4.com/wireguard-tools
cd wireguard-tools
make -C src
make -C src install

Basic configuration

Create /etc/wireguard/wg0.conf with your peer settings. The file holds the private key, so keep it readable by root only (chmod 600):

[Interface]
PrivateKey = <client-private-key>
Address    = 10.0.0.2/24
DNS        = 1.1.1.1

[Peer]
PublicKey  = <server-public-key>
Endpoint   = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Bring the interface up:

wg-quick up wg0
# To check status:
wg show
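
A pre-flight check for the wg0.conf above, as an added example that is not part of the original article: it flags a config readable by other users, a missing or malformed PrivateKey, and a full-tunnel AllowedIPs that covers IPv4 only, which leaves IPv6 traffic outside the tunnel. The helper names audit_wg_conf and wg_values are hypothetical, the sample key is constructed, and stat -c assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the article: audit a wg-quick config before use.
# audit_wg_conf and wg_values are hypothetical helper names.
# Assumes GNU coreutils `stat -c` (what an LFS base system provides).

wg_values() {   # print every value assigned to key $1 in file $2
    awk -v key="$1" '
        { sub(/#.*/, ""); eq = index($0, "=") }   # strip comments
        eq == 0 { next }
        {   # split on the FIRST "=": base64 keys end in "=" themselves
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (tolower(k) == tolower(key)) print v
        }' "$2"
}

audit_wg_conf() {   # prints one line per finding; returns 1 if any
    conf=$1; bad=0
    mode=$(stat -c '%a' "$conf") || return 2
    case $mode in
        *00) ;;   # no group/other permission bits set
        *) echo "PERMS: mode $mode exposes PrivateKey; chmod 600"; bad=1 ;;
    esac
    # A WireGuard key is 32 bytes, i.e. 43 base64 characters plus "=".
    if ! wg_values PrivateKey "$conf" | grep -Eq '^[A-Za-z0-9+/]{43}=$'; then
        echo "KEY: PrivateKey missing or not a 44-character base64 key"; bad=1
    fi
    # Full-tunnel IPv4 without ::/0 leaves IPv6 outside the tunnel.
    ips=$(wg_values AllowedIPs "$conf" | tr ',' '\n')
    if echo "$ips" | grep -qx '0\.0\.0\.0/0' && ! echo "$ips" | grep -qx '::/0'; then
        echo "IPV6: AllowedIPs routes 0.0.0.0/0 but not ::/0"; bad=1
    fi
    return $bad
}

# Constructed sample mirroring the article's wg0.conf (all-zero key, not real).
sample=$(mktemp)
cat > "$sample" <<EOF
[Interface]
PrivateKey = $(head -c 32 /dev/zero | base64)
Address    = 10.0.0.2/24
[Peer]
Endpoint   = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0
EOF
chmod 644 "$sample"
audit_wg_conf "$sample" || echo "findings reported for $sample"
rm -f "$sample"
```

Run audit_wg_conf against /etc/wireguard/wg0.conf before wg-quick up wg0; a non-zero exit status means at least one finding.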

2. OpenVPN – install and configure on LFS

Installation steps

# Clone the upstream repository
git clone https://github.com/OpenVPN/openvpn.git
cd openvpn

# Prepare build (a Git checkout ships no configure script, so generate it first;
# ensure OpenSSL, LZO are in /usr/local)
autoreconf -i -v -f
./configure --prefix=/usr/local
make
make install

# Verify
openvpn --version

Basic configuration

Save your provider’s client.ovpn as /etc/openvpn/client.conf. A minimal example:

client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind

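ca ca.crt
cert client.crt
key client.key
# Only accept a peer certificate issued for server use, so another
# client certificate from the same CA cannot pose as the server
remote-cert-tls server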

cipher AES-256-CBC
auth SHA256
verb 3

Start the VPN:

openvpn --config /etc/openvpn/client.conf

3. OpenConnect – install and configure on LFS

Installation steps

git clone https://github.com/openconnect/openconnect.git
cd openconnect
./autogen.sh
./configure --prefix=/usr/local --with-gnutls
make
make install

# Verify installation
openconnect --version

Basic usage

sudo openconnect vpn.example.com \
  --user=username \
  --passwd-on-stdin <

For persistent configs, drop a script in /etc/openconnect and wrap calls in a systemd service or init script.

Summary

On Linux From Scratch, you’ll want VPN clients that you can compile by hand, with minimal surprises. WireGuard offers blazing performance and a tiny codebase, OpenVPN brings rock-solid SSL/TLS support, and OpenConnect covers Cisco-style SSL VPNs. With the steps above you’ll be up and running in no time—pure source, pure control, pure LFS.
