Configuring VPNs with OpenVPN
Lecturer: Carlos Rey-Moreno
Honors on Computer Science
University of the Western Cape
28 Feb 2013
To install the latest version, add the repository together
with its public key:
wget -O - http://repos.openvpn.net/repos/repo-public.gpg | sudo apt-key add -
echo "deb http://repos.openvpn.net/repos/apt/lucid-stable lucid main" | sudo tee -a /etc/apt/sources.list
Once we have it in our list of repositories, we update our list of
packages and install openvpn:
sudo apt-get update
sudo apt-get install openvpn
First steps on the server
OpenVPN already includes a set of scripts called "easy-rsa"
that handles all the certificate creation for us; it is also
included in the Ubuntu documentation, so let's copy it:
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
sudo chown -R $USER /etc/openvpn/easy-rsa/
You should then edit the file /etc/openvpn/easy-rsa/vars (using
vi) to set the default variables for the certificates:
Note: the field KEY_COUNTRY must contain exactly 2 letters
First steps on the server
Move to the easy-rsa directory
$ cd /etc/openvpn/easy-rsa/
Execute your new vars file
$ source ./vars
Setup the easy-rsa directory (Deletes all keys)
Create the certificate and key for the CA:
Create the certificate and key for the server:
$ ./build-key-server server
Create the certificate and key for a client:
$ ./build-key [name_of_client]
Note: In the last 3 steps (./build-*) you have to press Enter and/or y
Note: [name_of_client] has to be different for each client in the VPN
Additional steps on the server
If further security is to be provided:
Build the Diffie-Hellman parameters:
Build a TLS auth key:
$ cd keys
$ openvpn --genkey --secret ta.key
Move the keys and certs to the configuration folder on the server:
$ sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/
Copy the keys and certs the client needs to the configuration folder
(/etc/openvpn/) on the client, over a secure channel (a hard
drive, for example):
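As an added example (not part of the lecture), a POSIX sh script that checks the easy-rsa output before it is copied around: that the server bundle is complete, that server.crt really chains to ca.crt and belongs to server.key, that the key is not group/world readable, and that no two client certificates reuse a Common Name. It assumes the file names from the slides and an installed openssl binary.

```shell
#!/bin/sh
# Added example, not from the lecture: sanity-check what easy-rsa produced
# before the keys and certs are copied into /etc/openvpn/. It assumes the
# easy-rsa 2.0 file names used in the slides (ca.crt, server.crt,
# server.key, dh1024.pem, ta.key) and an installed openssl command.

# check_server_bundle DIR: returns 0 if every file exists, server.crt was
# signed by ca.crt, server.key belongs to server.crt and the key has no
# group/other permission bits; otherwise a distinct non-zero code plus a
# reason on stderr.
check_server_bundle() {
    d=$1
    for f in ca.crt server.crt server.key dh1024.pem ta.key; do
        [ -f "$d/$f" ] || { echo "missing $d/$f" >&2; return 1; }
    done
    # The server certificate must chain to our own CA.
    openssl verify -CAfile "$d/ca.crt" "$d/server.crt" >/dev/null 2>&1 \
        || { echo "server.crt is not signed by ca.crt" >&2; return 2; }
    # The public key in the certificate must match the private key file.
    [ "$(openssl x509 -in "$d/server.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$d/server.key" -pubout 2>/dev/null)" ] \
        || { echo "server.key does not belong to server.crt" >&2; return 3; }
    # "This file should be kept secret": refuse a key other users can read.
    [ "$(ls -l "$d/server.key" | cut -c5-10)" = "------" ] \
        || { echo "server.key is readable by group/other" >&2; return 4; }
    return 0
}

# unique_client_cns DIR: returns 0 if no two client certificates in DIR
# share a Common Name. The slides require a distinct name per client, and
# OpenVPN drops the earlier session when a second client connects with the
# same CN unless duplicate-cn is configured.
unique_client_cns() {
    for c in "$1"/*.crt; do
        case $(basename "$c") in ca.crt|server.crt) continue ;; esac
        [ -f "$c" ] || continue
        # Works for both "subject=CN = x" and older "subject= /CN=x/..." output.
        openssl x509 -in "$c" -noout -subject | sed 's/.*CN *= *//; s/[,/].*//'
    done | sort | uniq -d | grep -q . && return 1
    return 0
}
```

Run it as `check_server_bundle /etc/openvpn/easy-rsa/keys && unique_client_cns /etc/openvpn/easy-rsa/keys` right after the build-* steps; each failure names the problem on stderr.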
server.conf # network configuration
Which local IP address should OpenVPN listen on? (optional)
Indicate the port OpenVPN will be using:
If you want to run multiple OpenVPN instances on the same
machine, use a different port number for each one.
You will need to open up this port on your firewall.
"dev tun" will create a routed IP tunnel
Configure server mode and supply a VPN subnet for
OpenVPN to draw client addresses from. The server will take
10.8.0.1 for itself, the rest will be made available to clients.
server 10.8.0.0 255.255.255.0
If you are using Ethernet bridging (brctl tool), you must use
server.conf # network configuration
Maintain a record of client virtual IP address associations in
this file. If OpenVPN goes down or is restarted, reconnecting
clients can be assigned the same virtual IP address from the
pool that was previously assigned.
Push routes to the client to allow it to reach other private
subnets behind the server. Remember that these private
subnets will also need to know to route the OpenVPN client
address pool (10.8.0.0/255.255.255.0) back to the OpenVPN
push "route 10.10.38.0 255.255.255.0"
NOTE: This only makes sense when the OpenVPN server is reached through a public IP, so
this directive gives you access to the private network behind it.
server.conf # keys and certs
SSL/TLS root certificate (ca), certificate (cert), & private key (key).
Each client and the server must have their own cert and key file.
The server and all clients will use the same ca file.
key server.key # This file should be kept secret
Diffie Hellman parameters.
The tls-auth directive adds an additional HMAC signature to all
SSL/TLS handshake packets for integrity verification. The tls-auth
HMAC signature provides an additional level of security
The server and each client must have a copy of this key. The second
parameter should be '0' on the server and '1' on the clients.
tls-auth ta.key 0
Select a cryptographic cipher.
This config item must be copied to the client config file as well.
cipher BF-CBC # Blowfish (default)
server.conf # logs and security
Reduce the OpenVPN daemon's privileges after initialization.
The persist options try to avoid accessing resources on restart
that are no longer accessible due to the privilege downgrade.
The keepalive directive causes ping-like messages to be sent
so that each side knows when the other side has gone down.
Ping every 10 seconds, assume that remote peer is down if no
ping received during 120 second time period.
keepalive 10 120
Output a short status file showing current connections,
truncated and rewritten every minute.
Set the appropriate level of log file verbosity.
server.conf # others
OpenVPN allows either the TCP or UDP protocol to be used
as the VPN carrier connection. The UDP protocol will provide
better protection against DoS attacks and port scanning:
Allow different clients to "see" each other.
By default, clients will only see the server.
Enable compression on the VPN link.
If you enable it here, you must also enable it in the client config
The maximum number of concurrently connected clients we
want to allow.
client.conf
Specify that we are a client and that we will be pulling certain
config file directives from the server.
Use the same setting as you are using on the server.
Are we connecting to a TCP or UDP server? Use the same
setting as on the server.
The hostname/IP and port of the server.
remote server_IP 1194
Keep trying indefinitely to resolve the host name of the
Most clients don't need to bind to a specific local port number.
Downgrade privileges after initialization
Try to preserve some state across restarts.
SSL/TLS parameters. See the server config file for more description.
If a tls-auth key is used on the server then every client must
also have the key.
tls-auth ta.key 1
Select a cryptographic cipher. If the cipher option is used on
the server then you must also specify it here.
Enable compression on the VPN link. Don't enable this unless
it is also enabled in the server config file.
Set log file verbosity.
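Added example, not from the lecture: a POSIX sh check that a client .conf mirrors the server.conf for the directives the slides say must match (proto, dev, cipher, comp-lzo, the tls-auth key direction, and the port used in remote). Both configs are constructed here; the address and file names in them are placeholders.

```shell
#!/bin/sh
# Added example, not from the lecture: cross-check a server.conf against a
# client .conf for the directives the slides say must agree on both sides.
# Both configs below are constructed for the example; the directive names
# are real OpenVPN 2.x options. The client side has four deliberate errors.
SERVER_CONF='port 1194
proto udp
dev tun
tls-auth ta.key 0
cipher BF-CBC
comp-lzo'

CLIENT_CONF='client
dev tun
proto tcp
remote 203.0.113.10 1194
tls-auth ta.key 0
cipher AES-256-CBC'

# has CONF NAME: true if directive NAME is present; value CONF NAME: its arguments.
has()   { printf '%s\n' "$1" | grep -Eq "^$2( |\$)"; }
value() { printf '%s\n' "$1" | awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }'; }
bad()   { echo "$1"; n=$((n + 1)); }

# check_pair SERVER CLIENT: prints every inconsistency and returns their
# count, so 0 means the pair agrees on everything the slides ask to mirror.
check_pair() {
    s=$1 c=$2 n=0
    has "$c" client || bad "client config lacks the 'client' directive"
    for k in proto dev cipher; do            # must be identical on both sides
        [ "$(value "$s" $k)" = "$(value "$c" $k)" ] || bad "$k differs"
    done
    # The client's 'remote <host> <port>' must use the server's 'port'.
    [ "$(value "$c" remote | awk '{ print $2 }')" = "$(value "$s" port)" ] \
        || bad "remote port does not match the server port"
    # Compression is all-or-nothing: enabled on both sides or on neither.
    if has "$s" comp-lzo; then has "$c" comp-lzo || bad "comp-lzo only on the server"
    elif has "$c" comp-lzo; then bad "comp-lzo only on the client"; fi
    # tls-auth key direction: 0 on the server, 1 on every client.
    if has "$s" tls-auth; then
        [ "$(value "$s" tls-auth | awk '{ print $2 }')" = 0 ] || bad "server tls-auth direction must be 0"
        [ "$(value "$c" tls-auth | awk '{ print $2 }')" = 1 ] || bad "client needs 'tls-auth ta.key 1'"
    fi
    return $n
}

check_pair "$SERVER_CONF" "$CLIENT_CONF" || echo "$? inconsistencies found"
```

To check real files, pass their contents, e.g. `check_pair "$(cat /etc/openvpn/server.conf)" "$(cat alice.conf)"`.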
All the options available for the server:
And for the client in:
And many more HowTos in
Starting the services
In the server:
sudo openvpn /etc/openvpn/server.conf
In the client:
sudo openvpn /etc/openvpn/[name_of_the_client].conf
If everything goes fine, the “Initialization Sequence Completed”
message should appear in both.
You should also be able to ping the OpenVPN server at the
10.8.0.1 IP address (and the client at the IP given to its tun0 interface)
If you want to give the client access to the network the
server is connected to, you have to NAT:
# iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
# echo 1 > /proc/sys/net/ipv4/ip_forward