OpenVPN is famously difficult to get up and running, but the truth is that it needn’t be. In this second and concluding OpenVPN article I am going to go through what it takes to get an OpenVPN Ethernet tunnel set up between a laptop computer and an office or home machine acting as an OpenVPN server.
Downloading and Installing OpenVPN
Before you can get OpenVPN running on any computer you need to download and install it:
Windows: Download the OpenVPN GUI installation package from http://openvpn.se/download.html
Red Hat, Fedora, CentOS: Download RPM packages from http://dag.wieers.com/rpm/packages/openvpn/
Ubuntu: Download and install OpenVPN using Synaptic Package Manager
Mac OS X: Download and install Tunnelblick OpenVPN GUI client installation package from http://code.google.com/p/tunnelblick/
Source code: Download source code from http://www.openvpn.net/index.php/downloads.html, compile and install it.
Creating a Public Key Infrastructure
Once you’ve got OpenVPN successfully installed, it’s time to build the public key infrastructure needed for certificate-based authentication. If you don’t know what this means, don’t worry: just follow the instructions. A fuller explanation can be found at http://openvpn.net/index.php/documentation/howto.html#pki
To get started, you’ll need to use the Easy-RSA PKI suite.
On Windows machines you’ll find it at:
On Linux machines this will probably be installed in an easy-rsa directory at /usr/share/doc/openvpn-2.0, but it’s a good idea to move this to /etc/openvpn to prevent it getting overwritten by future updates.
Generating the Master Certificate Authority (CA) Certificate & Key
Windows: From the Start button select cmd, and in the command window type:
cd "C:\Program Files\OpenVPN\easy-rsa"
Linux/BSD/UNIX: Open a terminal window and type
(assuming you have moved the easy-rsa directory to this location)
Then type the following commands, each followed by return:
Windows:
init-config
vars
clean-all
build-ca
Linux/BSD/UNIX (vars must be sourced with a leading dot so that the variables it sets are available to the scripts that follow):
./init-config
. ./vars
./clean-all
./build-ca
The last command prompts for a series of values. You can press the return key to accept the default for all of these except the Common Name. For this, type:
Generating the Server and Client Certificates and Keys
The next step is to generate a server certificate and key, again using the Easy-RSA suite. The command for this is:
In the interactive session that follows, simply press Enter to provide the default value each time, until you are asked for a Common Name. For Common Name enter “server”, then continue entering the default values until prompted to sign the certificate. Answer “y” to this question and to the following one to finish.
Then generate the certificate and key for your client machine. The process is similar to the one for building the server certificate and key, but this time enter client1 as the common name.
If you think you may want to access the OpenVPN server from more than one laptop, repeat the process, substituting client2, client3 and so on for client1 each time.
Generating Diffie-Hellman Parameters
The final step is to generate Diffie-Hellman parameters for key exchange:
You’ll find the results of all this work in a subfolder called keys in the easy-rsa folder, and the final task is to move the client key and certificate to your client device. The files in question are client1.key and client1.crt. (If you have created more than one client certificate and key, move the client2.key and client2.crt files to the second machine, and so on.)
- Windows: place the files in
- Linux/BSD/Unix: place the files in
Your public key infrastructure is now set up.
Creating the OpenVPN Configuration Files
When OpenVPN runs it reads a configuration file in C:\Program Files\OpenVPN\config (Windows) or in /etc/openvpn (Linux/BSD/Unix). This text file contains all the information OpenVPN needs to make or receive a connection, so it’s crucial that it is correct.
The easiest way to get OpenVPN working in the way we want is to edit the highlighted lines in the following config files to match your network setup, save them as a text file and copy them to the appropriate location.
Server configuration file:
#server config file start
local 192.168.1.15 # Change this address to the IP address of the network card attached to your router. To ensure this does not change you need either to have a static local IP address, or to configure your router to always assign this local IP address to your server.
port 1194 # This is the port OpenVPN will run on. Change it to a different port if you prefer
push "dhcp-option DNS XXX.XXX.XXX.XXX" # Replace the Xs with the IP address of the DNS server for your network
push "dhcp-option DNS YYY.YYY.YYY.YYY" # Replace the Ys with the IP address of the secondary DNS server for your network
ca "C:\Program Files\OpenVPN\easy-rsa\keys\ca.crt" # change this location to /etc/openvpn (without quotation marks) for Linux/BSD/Unix systems
cert "C:\Program Files\OpenVPN\easy-rsa\keys\server.crt" # change this location to /etc/openvpn for Linux/BSD/Unix systems
key "C:\Program Files\OpenVPN\easy-rsa\keys\server.key" # change this location to /etc/openvpn for Linux/BSD/Unix systems
dh "C:\Program Files\OpenVPN\easy-rsa\keys\dh1024.pem" # change this location to /etc/openvpn for Linux/BSD/Unix systems
server 192.168.10.0 255.255.255.128 # This will be the virtual IP address and subnet of the server’s OpenVPN connection. Change it to something similar like 192.168.11.0 if this subnet is already in use
ifconfig-pool-persist ipp.txt # Remember which virtual IP address each client was given
push "redirect-gateway def1" # Send all of the client’s traffic through the VPN
keepalive 10 120 # Ping every 10 seconds; treat the link as down after 120 seconds without a reply
cipher BF-CBC # Blowfish (default). If you prefer, you can use one of the two ciphers listed below (which must be the same as the client)
#cipher AES-128-CBC # AES
#cipher DES-EDE3-CBC # Triple-DES
comp-lzo # Enable LZO compression (the client must use the same setting)
max-clients 3 # Change the 3 to the number of client keys you have created
persist-key # Keep the key and the tun device across restarts
persist-tun
status openvpn-status.log # Write the current connections to this file
# user nobody # remove the # at the start of the line for Linux/BSD/Unix systems
# group nobody # remove the first # at the start of the line for Linux/BSD/Unix systems
verb 1
#config file ends
Save this file as server.ovpn, and move it to C:\Program Files\OpenVPN\config (Windows) or
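Before you copy the file into place it is worth running it through a quick review. The following script is an added example (not code from this article or from the OpenVPN project): it splits a server.ovpn into directives the way OpenVPN reads it, comments and quoted paths included, and reports the settings in the file above that deserve a second look: the Blowfish cipher, the 1024-bit Diffie-Hellman parameters, compression, and the commented-out user/group lines. The condensed config embedded in it is constructed from the server file above.

```python
# Audit an OpenVPN 2.x server config for weak settings. Added example only.
import re
import shlex
from typing import List, Tuple

# Constructed sample: the article's server.ovpn, condensed to the relevant lines.
ARTICLE_CONF = """\
local 192.168.1.15 # LAN address of the server
port 1194
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh1024.pem"
server 192.168.10.0 255.255.255.128
push "redirect-gateway def1"
cipher BF-CBC # Blowfish (default)
#cipher AES-128-CBC # AES
comp-lzo
max-clients 3
# user nobody
# group nobody
"""

def parse_line(line: str) -> List[str]:
    """Split one config line as OpenVPN does: whitespace-separated words,
    quotes grouping words, and an unquoted '#' or ';' starting a comment."""
    lex = shlex.shlex(line, posix=True)
    lex.whitespace_split = True
    lex.commenters = "#;"
    lex.escape = ""  # keep the backslashes of Windows paths literal
    return list(lex)

def audit(conf_text: str) -> List[Tuple[str, str]]:
    """Return (directive, problem) pairs for settings worth changing."""
    lines = [t for t in map(parse_line, conf_text.splitlines()) if t]
    findings = []
    for name, *args in lines:
        if name == "cipher" and args and args[0].upper() in ("BF-CBC", "DES-EDE3-CBC"):
            findings.append((name, f"{args[0]} has a 64-bit block; use an AES cipher (on the client too)"))
        elif name == "dh" and args:
            bits = re.search(r"dh(\d+)", args[0])  # size as easy-rsa names the file, e.g. dh1024.pem
            if bits and int(bits.group(1)) < 2048:
                findings.append((name, f"{bits.group(1)}-bit DH parameters; regenerate with 2048 bits or more"))
        elif name == "comp-lzo":
            findings.append((name, "compression enabled; leave it off unless it is really needed"))
    present = {t[0] for t in lines}
    if not {"user", "group"} <= present:
        findings.append(("user", "no user/group directives: on Unix the daemon keeps root after start-up"))
    return findings
```

Run `audit(open("server.ovpn").read())` against your own file; an empty list means none of these four checks fired.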
What to Do If You Don’t Have a Static Public IP Address
OpenVPN clients connect to the OpenVPN server using a public IP address or host name that needs to be entered into the client config file. If your ISP provides your business or home network with a dynamic IP address that changes each time an Internet connection is reset, then your client config will no longer work after a reconnection. To get round this you can get a free hostname from DynDNS, which automatically points to your dynamic IP address even when it changes. To get a dynamic host name (such as myhost.dyndns.org) visit http://www.dyndns.com.