
OpenVPN Basics


The purpose of this tutorial is to introduce some OpenVPN basics. We will configure an OpenVPN server running on Linux, and then one client that has all its traffic redirected through the tunnel. This may be useful to some readers to bypass any restrictions on internet access they may be faced with. This tutorial is based on an Ubuntu server and a Windows client.

Server setup

The first thing we are going to do is set up the server. Install the relevant software -:

server# sudo aptitude install openvpn

Now copy the example configs and more importantly the easy-rsa scripts into /etc -:

server# cp -R /usr/share/doc/openvpn/examples/ /etc/openvpn

Now we want to load the vars file with our own defaults. Open the file in your favorite editor and change KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL to match your information.

cd /etc/openvpn/examples/easy-rsa/
vi ./vars

My vars file looks like this: (key components only)

#this is to ensure secure data
export KEY_SIZE=2048
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_PROVINCE=Adminville
export KEY_CITY=Adminland
export KEY_ORG=remoteadmin.org.uk
export KEY_EMAIL="nospam@netwizards.co.uk"

Now we begin the configuration of the server.

. ./vars
./clean-all
./build-ca

The purpose of these commands is as follows. The first loads the vars file into the current shell. The second clears any old keys or configuration elements; there should not be any, but it does not hurt to be sure. The last command builds the certificate authority (CA) that will sign the server and client certificates; be sure to follow the prompts and fill in values that match your situation. Since we loaded the vars file with your settings prior to these steps, the default values should work for almost all fields, but the Common Name will need to be specified.

Now you need to create the server keys. These are private files that you should keep secure.

./build-key-server server

I found that if I did not use the same information that I used in the build-ca step above that the “Sign Certificate” and “commit” did not work. If you experience this problem just repeat this step with the same values, it should work at that point. This should not occur for you as we have loaded the default values into the vars file, but just in case be aware of the cause.

Now you are ready to generate keys for users. First decide if you wish to password protect the keys or not. I recommend building with passwords if you are not going to implement authentication in OpenVPN; if you are, then simply generate without. This tutorial will assume that you are going to implement authentication in OpenVPN, since it is the most trusted method. Make sure that you specify the correct Common Name when prompted.

#Generate with password
./build-key-pass username
#Generate without password
./build-key username

Now you need to build the Diffie Hellman parameters; for details on what these are, simply check the OpenVPN homepage. The simple answer is that they provide a method to negotiate a secure connection over an insecure channel. This process will take a bit of time, so you may want to take a break. Just relax, we are almost there.

#generate Diffie Hellman parameters
./build-dh
#generate the TLS auth key (ta.key)
openvpn --genkey --secret ta.key

As an aside I found a very interesting table on the OpenVPN web-page. It provides some information on what to do with the various files we just generated. For the purposes of this tutorial, I have “borrowed” their table and pasted it here, to view the original visit the OpenVPN installation guide on their homepage.

Filename      Needed By                  Purpose                     Secret
ca.crt        server + all clients       Root CA certificate         NO
ca.key        key signing machine only   Root CA key                 YES
dh{n}.pem     server only                Diffie Hellman parameters   NO
server.crt    server only                Server Certificate          NO
server.key    server only                Server Key                  YES
ta.key        server + all clients       Server TLS Auth Key         YES
client1.crt   client1 only               Client1 Certificate         NO
client1.key   client1 only               Client1 Key                 YES
client2.crt   client2 only               Client2 Certificate         NO
client2.key   client2 only               Client2 Key                 YES
client3.crt   client3 only               Client3 Certificate         NO
client3.key   client3 only               Client3 Key                 YES
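
The Secret column translates directly into file permissions. As an added example (not part of the original tutorial), this script flags any *.key file that group or other users can access, and can tighten such files to mode 600. The function names and the sample directory it builds are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# Checks a keys directory against the table above: every file the table
# marks Secret=YES (all *.key files, including ta.key) must be owner-only.

# audit_keys DIR
#   Prints "INSECURE <file>" for each *.key file that grants any permission
#   to group or other. Returns 0 if none are found, 1 otherwise.
audit_keys() {
    findings=$(find "$1" -type f -name '*.key' \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) | sort)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" | sed 's/^/INSECURE /'
    return 1
}

# lock_keys DIR
#   Restricts every *.key file to its owner (mode 600). Certificates and
#   DH parameters are not secret per the table and are left alone.
lock_keys() {
    find "$1" -type f -name '*.key' -exec chmod 600 {} +
}

# make_sample_keys DIR
#   Builds a constructed sample directory: empty files with illustrative
#   modes, two of the secret files deliberately too open.
make_sample_keys() {
    mkdir -p "$1"
    for f in ca.crt ca.key server.crt server.key ta.key client1.key; do
        : > "$1/$f"
    done
    chmod 644 "$1/ca.crt" "$1/server.crt" "$1/server.key"
    chmod 640 "$1/ta.key"
    chmod 600 "$1/ca.key" "$1/client1.key"
}

# Audit the directory given on the command line, if any.
if [ $# -ge 1 ]; then
    audit_keys "$1"
fi
```

Run it with the keys directory as its only argument; the exit status is non-zero when any secret file is too open.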

Ok, the last step for the server set-up is the actual server config file. This is the configuration I finally settled on -:

port 1194
proto udp
dev tun
ca keys/ca.crt                          # The CA certificate
cert keys/server.crt                    # The server certificate
key keys/server.key                     # This file should be kept secret
dh keys/dh2048.pem                      # build-dh names the file after KEY_SIZE (2048 in vars)
server         # Subnet to be used by clients
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"            # We want to redirect the client gateway to us
push "dhcp-option DNS"   # Specify a DNS server for the clients
keepalive 10 120                        # Keepalives for the tunnels
;comp-lzo                               # Uncomment this to enable lzo compression
user nobody
group nogroup                           # Ubuntu's unprivileged group is nogroup
status openvpn-status.log
verb 3
mute 20

Client Set-up

Ok so we now have our working server waiting for clients to connect. So now we want to create the client config. Firstly though, generate the certificates for the first client -:

./build-key client1

You will then need to copy ca.crt, client1.crt, and client1.key onto the client machine.

Now for the client OpenVPN config, this is a simple config that I use -:

client          # Act as a TLS client and accept options pushed by the server
remote ip.ad.re.ss 1194
proto udp
ca ca.crt
cert client1.crt
key client1.key
;comp-lzo       # Uncomment this to enable lzo compression
verb 3
mute 20
resolv-retry infinite
dev tun
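
The table earlier lists which files each side needs, and each of them has to be named by a directive in that side's config. The following added example (not the author's or the OpenVPN project's code) reports the directives a config lacks and checks that the dh file name agrees with KEY_SIZE in vars. The function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.

# missing_directives ROLE CONF
#   Prints the directives ROLE's config lacks for the files the table assigns
#   to it. Lines starting with '#' or ';' are comments and do not count.
missing_directives() {
    case $1 in
        server) want="ca cert key dh tls-auth" ;;
        client) want="client remote ca cert key tls-auth" ;;
        *) echo "unknown role: $1" >&2; return 2 ;;
    esac
    missing=""
    for d in $want; do
        awk -v d="$d" '$1 == d { found = 1 } END { exit !found }' "$2" \
            || missing="$missing $d"
    done
    echo "${missing# }"
}

# dh_mismatch VARS CONF
#   easy-rsa 2.x build-dh writes dh${KEY_SIZE}.pem, so the number in the
#   config's dh file name should equal KEY_SIZE from vars. Prints
#   "<KEY_SIZE> <dh bits>" and returns 1 when they differ.
dh_mismatch() {
    size=$(sed -n 's/^export KEY_SIZE=\([0-9]*\).*/\1/p' "$1")
    bits=$(awk '$1 == "dh" { print $2 }' "$2" |
        sed -n 's/.*dh\([0-9]*\)\.pem$/\1/p')
    [ "$size" = "$bits" ] && return 0
    echo "$size $bits"
    return 1
}

# write_samples DIR: constructed sample files (192.0.2.1 is a documentation address).
write_samples() {
    printf 'export KEY_SIZE=2048\n' > "$1/vars"
    printf '%s\n' 'port 1194' 'ca keys/ca.crt' 'cert keys/server.crt' \
        'key keys/server.key' 'dh keys/dh1024.pem' ';tls-auth ta.key 0' \
        > "$1/server.conf"
    printf '%s\n' 'client' 'remote 192.0.2.1 1194' 'ca ca.crt' \
        'cert client1.crt' 'key client1.key' 'tls-auth ta.key 1' \
        > "$1/client.conf"
}

if [ $# -eq 3 ]; then    # usage: sh lint.sh ROLE CONF VARS
    missing_directives "$1" "$2"
    [ "$1" != server ] || dh_mismatch "$3" "$2"
fi
```

On the constructed server sample this reports tls-auth as missing (the line is commented out) and a 2048 versus 1024 mismatch between vars and the dh file name.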
