Howto Openvpn - The quick easy way

Unofficial documentation for various parts of Gentoo Linux. Note: This is not a support forum.
15 posts • Page 1 of 1
adelante
Tux's lil' helper
Posts: 133
Joined: Sat Apr 19, 2003 10:46 am
Location: South Africa - Johannesburg

Post by adelante » Fri Feb 09, 2007 7:15 am

Hi,

I've read through a lot of howtos for openvpn, and a lot of them didn't seem to work; I could follow them line for line and I kept running into problems.

Here is my HOWTO on openvpn, which I find was the simplest way of setting it up.

Server Config
========================================
# emerge openvpn
# nano /usr/share/openvpn/easy-rsa/vars
Paste this into the file and edit to suit your needs

Code:

export EASY_RSA="`pwd`"
export KEY_CONFIG="$EASY_RSA/openssl.cnf"
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export KEY_SIZE=1024   # 1024-bit RSA is below today's minimum; use 2048 or more on a new setup
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"

# cd /usr/share/openvpn/easy-rsa/
# source ./vars
# ./clean-all
# ./build-ca
Just press enter through everything and select (Y) where necessary
# ./build-key-server server
# ./build-dh
# cd /etc/openvpn/
# openvpn --genkey --secret ta.key
# mkdir ccd
# nano server.conf
Paste this into your server.conf and edit the <network range> value

Code:

port 9000
proto udp
dev tun
mode server
ca /usr/share/openvpn/easy-rsa/keys/ca.crt
cert /usr/share/openvpn/easy-rsa/keys/server.crt
key /usr/share/openvpn/easy-rsa/keys/server.key
dh /usr/share/openvpn/easy-rsa/keys/dh1024.pem
server <network range> 255.255.255.0 # for example 192.168.139.0
client-to-client
ifconfig-pool-persist ipp.txt
client-config-dir ccd
keepalive 10 120
tls-auth ta.key 0
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
# duplicate-cn lets several clients connect with the same certificate; OpenVPN
# then ignores ifconfig-pool-persist and warns about client-config-dir
duplicate-cn
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
log        /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3

# ln -sf /etc/init.d/openvpn /etc/init.d/openvpn.server
# /etc/init.d/openvpn.server start
# rc-update add openvpn.server default
Your server side of things should be up and running now.
If you run an ifconfig you should see the tun0 device.

========================================


Windows Client Configuration
========================================

On the Openvpn server you have just setup:
cd /usr/share/openvpn/easy-rsa/
source ./vars
./build-key <USERNAME>
On the Client side:

# install the openvpn client on windows : http://openvpn.se/files/install_package ... nstall.exe
# create folder : C:\Program Files\OpenVPN\config\<USERNAME>
# create a file called : C:\Program Files\OpenVPN\config\<USERNAME>.ovpn
# open this file with notepad and inside that file put the following and edit the <USERNAME> value and the <vpn server IP> value:

Code:

client
dev tun
proto udp
remote <vpn server IP> 9000
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\config\\<USERNAME>\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\<USERNAME>\\<USERNAME>.crt"
key "C:\\Program Files\\OpenVPN\\config\\<USERNAME>\\<USERNAME>.key"
tls-auth "C:\\Program Files\\OpenVPN\\config\\<USERNAME>\\ta.key" 1
comp-lzo
verb 3

# copy these files from /usr/share/openvpn/easy-rsa/keys/ to C:\Program Files\OpenVPN\config\<USERNAME>\
ca.crt
<USERNAME>.crt
<USERNAME>.key

# copy the ta.key file from /etc/openvpn/ to C:\Program Files\OpenVPN\config\<USERNAME>\

# if you want to assign a specific user an IP address, create a file on the server : /etc/openvpn/ccd/<username>
# and in it put for example :

Code:

ifconfig-push 192.168.220.5 192.168.220.6

# these must be two IPs in the same network: the first is the IP of the client's tun0 interface, the second is just the tunnel IP.

Then fire up the client and you should be connected.
========================================


Linux Client Configuration
========================================
On the Openvpn server you have just setup:
cd /usr/share/openvpn/easy-rsa/
source ./vars
./build-key <USERNAME>
On the Client side:
# emerge openvpn
# cd /etc/openvpn
# mkdir client
# nano client.conf
Put this into your client.conf and edit the <vpn server ip> & <username> values.

Code:

client
dev tun
proto udp
remote <vpn server ip> 9000   # must match the "port" line in server.conf
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
persist-key
persist-tun
ca "/etc/openvpn/client/ca.crt"
cert "/etc/openvpn/client/<username>.crt"
key "/etc/openvpn/client/<username>.key"
tls-auth "/etc/openvpn/client/ta.key" 1
comp-lzo
verb 3

copy these files from /usr/share/openvpn/easy-rsa/keys/ on the server to /etc/openvpn/client/ on the client side:
ca.crt
<username>.*

copy the ta.key file from /etc/openvpn/ on the server to /etc/openvpn/client on the client side.
# ln -sf /etc/init.d/openvpn /etc/init.d/openvpn.client
# /etc/init.d/openvpn.client start
# rc-update add openvpn.client default
# if you want to assign a specific user an IP address, create a file on the server : /etc/openvpn/ccd/<username>
# and in it put for example :

Code:

ifconfig-push 192.168.220.5 192.168.220.6

# these must be two IPs in the same network: the first is the IP of the client's tun0 interface, the second is just the tunnel IP.

========================================


Please let me know if I've left anything out.

regards
Dave
Schangu
n00b
Posts: 27
Joined: Sun Feb 08, 2004 1:06 pm
Location: Germany / Jever

Post by Schangu » Thu Oct 25, 2007 12:54 pm

Sorry, but I think there is one mistake:

It is in your Linux-Client Configuration:
You wrote that the VPN Server Port must be 9900 but in your Server Configuration it is 9000 ;]
idl0r
Developer
Posts: 13
Joined: Thu Jan 24, 2008 11:33 pm

Post by idl0r » Fri Feb 01, 2008 11:47 am

nice howto but:
WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
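Both of the problems raised so far in this thread (the client "remote" port that does not match the server's "port", and duplicate-cn combined with ifconfig-pool-persist or client-config-dir) can be caught before the first connection attempt by reading the two config files. The script below is an added example, not code from the thread or from the OpenVPN project: it is a small lint pass in POSIX sh and awk. The server.conf/client.conf pair it writes into a temp directory is constructed sample data modelled on the first post (the 203.0.113.10 address is a documentation-range placeholder), and the tls-auth key-direction and remote-cert-tls checks go slightly beyond what the thread discusses.

```shell
#!/bin/sh
# Added example, not from the thread: lint an OpenVPN server config and a
# client config for the mistakes discussed above. POSIX sh + awk only.

# ovpn_field FILE DIRECTIVE N: print field N of the first line whose first
# word is DIRECTIVE, with "#"/";" comments stripped. Prints nothing if absent.
ovpn_field() {
    awk -v d="$2" -v n="$3" '
        { sub(/[#;].*/, "") }
        $1 == d { print $n; exit }
    ' "$1"
}

# ovpn_has FILE DIRECTIVE: exit 0 if the directive is present in FILE.
ovpn_has() {
    [ -n "$(awk -v d="$2" '{ sub(/[#;].*/, "") } $1 == d { print "y"; exit }' "$1")" ]
}

# lint_pair SERVER_CONF CLIENT_CONF: print one finding per line and return
# the number of findings (0 means the pair looks consistent).
lint_pair() {
    srv=$1; cli=$2; n=0
    sport=$(ovpn_field "$srv" port 2)
    cport=$(ovpn_field "$cli" remote 3)
    if [ -n "$sport" ] && [ -n "$cport" ] && [ "$sport" != "$cport" ]; then
        echo "client remote port $cport does not match server port $sport"
        n=$((n + 1))
    fi
    if ovpn_has "$srv" duplicate-cn; then
        if ovpn_has "$srv" ifconfig-pool-persist; then
            echo "server: ifconfig-pool-persist is ignored when duplicate-cn is set"
            n=$((n + 1))
        fi
        if ovpn_has "$srv" client-config-dir; then
            echo "server: client-config-dir with duplicate-cn: every client sharing a CN gets the same ccd file"
            n=$((n + 1))
        fi
    fi
    # tls-auth takes an optional key direction; if both sides give one, they must differ.
    sdir=$(ovpn_field "$srv" tls-auth 3)
    cdir=$(ovpn_field "$cli" tls-auth 3)
    if [ -n "$sdir" ] && [ "$sdir" = "$cdir" ]; then
        echo "tls-auth key direction is $sdir on both sides; server and client must differ"
        n=$((n + 1))
    fi
    ovpn_has "$cli" remote-cert-tls ||
        { echo "client: add 'remote-cert-tls server' so another client cert cannot pose as the server"; n=$((n + 1)); }
    return $n
}

# make_samples: write a constructed server.conf/client.conf pair modelled on
# the first post into a temp directory and print that directory's path.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/server.conf" <<'EOF'
port 9000
proto udp
dev tun
server 192.168.139.0 255.255.255.0
client-to-client
ifconfig-pool-persist ipp.txt
client-config-dir ccd
tls-auth ta.key 0
duplicate-cn
EOF
    cat > "$d/client.conf" <<'EOF'
client
dev tun
proto udp
remote 203.0.113.10 9900   # constructed sample; reproduces the 9900/9000 typo
nobind
tls-auth "/etc/openvpn/client/ta.key" 1
EOF
    echo "$d"
}

main() {
    d=$(make_samples)
    rc=0
    lint_pair "$d/server.conf" "$d/client.conf" || rc=$?
    echo "findings: $rc"
    rm -rf "$d"
}
main
```

Run it against a real pair with `lint_pair /etc/openvpn/server.conf /path/to/client.conf`; the exit status is the number of findings, so it drops straight into a pre-deploy check.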
Tuinslak
Tux's lil' helper
Posts: 129
Joined: Wed Nov 26, 2003 7:02 pm
Location: Belgium

Post by Tuinslak » Sun Jul 05, 2009 2:45 am

thanks, great howto
just watch out with iptables/masquerading when you want to use the VPN server as gateway
Tuinslak
Bethney Piper
n00b
Posts: 2
Joined: Wed Jul 08, 2009 10:42 pm

Post by Bethney Piper » Wed Jul 08, 2009 10:49 pm

Usually yes, it will route all your traffic through the company LAN. But you can make it do what is known as split-tunneling, depending on what VPN vendor you are using. If it is just the Microsoft VPN you can go to the VPN connection properties, Networking, TCP/IP Advanced, and uncheck "Use default gateway on remote network".
alex6
Apprentice
Posts: 176
Joined: Mon Jul 18, 2011 12:27 am

Post by alex6 » Mon Jul 22, 2013 3:25 pm

This guide still works except 2 things :
- have to emerge easy-rsa (ok it does make sense but not written in this guide)
- all the paths changed : /usr/share/openvpn/easy-rsa is now /usr/share/easy-rsa
solamour
l33t
Posts: 749
Joined: Tue Dec 21, 2004 11:29 pm
Location: San Diego, CA

Post by solamour » Fri Dec 06, 2013 7:35 pm

alex6 wrote:This guide still works except 2 things :
- have to emerge easy-rsa (ok it does make sense but not written in this guide)
- all the paths changed : /usr/share/openvpn/easy-rsa is now /usr/share/easy-rsa
Ha... that's why I wasn't able to find some of the files in the guide. Thanks for sharing.
__
sol
fbcyborg
Advocate
Posts: 3056
Joined: Sun Oct 16, 2005 12:08 pm
Location: ROMA

Post by fbcyborg » Fri Dec 06, 2013 8:48 pm

Thank you for the information. Actually I had the same problem! :D

That should be put in the first post!
[HOWTO] How to encrypt /home using cryptsetup and LUKS
[HOWTO] Enabling XEN dom0 support on kernel 3.X
Help answer the unanswered
djbadballie469
n00b
Posts: 1
Joined: Wed Jul 30, 2014 8:21 am

config files

Post by djbadballie469 » Wed Jul 30, 2014 8:28 am

Hi, I'm in Durban, South Africa, on the 8.ta network. Can someone email me the config folder with all settings intact? Djbadballie469(at)gmail(dot)com. Thanks in advance. I have OpenVPN but no working config files.
fincoop
Tux's lil' helper
Posts: 147
Joined: Mon Feb 02, 2004 1:05 am

Re: Howto Openvpn - The quick easy way

Post by fincoop » Thu Feb 11, 2016 7:49 pm

adelante wrote:Hi,

I've read through a lot of howto's for openvpn, and a lot of them didn't seem to work, I could follow them line for line and I kept running into problems.
Thanks a lot, still works!
wichtounet
Tux's lil' helper
Posts: 122
Joined: Sat Mar 17, 2012 10:47 am

Post by wichtounet » Tue Jan 24, 2017 2:00 pm

Unfortunately, this does not work anymore at all. All the directories have changed.

It's the same issue with the official OpenVPN page of Gentoo :S
Joseph_sys
Advocate
Posts: 2731
Joined: Tue Jun 08, 2004 4:05 pm
Location: Edmonton, AB

Post by Joseph_sys » Tue Feb 07, 2017 12:15 am

wichtounet wrote:Unfortunately, this does not work anymore at all. All the directories have changed.

It's the same issue with the official OpenVPN page of Gentoo :S
This is not a helpful reply.
Just point out which directory has changed; so far only "/usr/share/easy-rsa" has changed.
Joseph_sys
Advocate
Posts: 2731
Joined: Tue Jun 08, 2004 4:05 pm
Location: Edmonton, AB

Post by Joseph_sys » Wed Feb 08, 2017 2:23 am

Quick and dirty instructions to make openvpn + easy-rsa work.

On SERVER do:

Code:

cd /usr/share/easy-rsa/
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa build-server-full server_clinic_8amd nopass
./easyrsa gen-dh
openvpn --genkey --secret ta.key

mkdir /etc/openvpn/cert

cp pki/ca.crt /etc/openvpn/cert/
cp pki/issued/server_clinic_8amd.crt /etc/openvpn/cert/
cp pki/private/server_clinic_8amd.key /etc/openvpn/cert/
cp pki/dh.pem /etc/openvpn/cert/
cp ta.key /etc/openvpn/cert/
./easyrsa build-client-full syscon7 nopass
Hit "ENTER" when needed (no need to change anything)

Copy the following files to the client (via USB, ssh, a zip file, etc.; pay attention to permissions):
=> The public ca.crt certificate is needed on all servers and clients.
=> The private ca.key key is secret and only needed on the key generating machine. (not in cert/ folder)
=> A server needs server.crt, and dh2048.pem (public), and server.key and ta.key (private).
=> A client needs client.crt (public), and client.key and ta.key (private).


e.g. (transfer these files to your client):

Code:

cp pki/ca.crt /home/fd/keys/
cp pki/issued/syscon7.crt /home/fd/keys/
cp pki/private/syscon7.key /home/fd/keys/
cp ta.key /home/fd/keys/

Copy file from instruction above to server /etc/openvpn
I copied them to dir "cert" on /etc/openvpn/

Code:

ll /etc/openvpn/cert/
total 28
-rw------- 1 root root 1749 Feb  7 12:24 ca.crt
-rw------- 1 root root  424 Feb  7 12:28 dh.pem
-rw------- 1 root root 5280 Feb  7 12:26 server_clinic_8amd.crt
-rw------- 1 root root 1704 Feb  7 12:27 server_clinic_8amd.key
-rw------- 1 root root  636 Feb  7 13:35 ta.key

cat server_clinic_8amd.conf (on server PC)

Code:

proto udp
port 9000
dev tun
mode server
ca /etc/openvpn/cert/ca.crt
cert /etc/openvpn/cert/server_clinic_8amd.crt
key /etc/openvpn/cert/server_clinic_8amd.key
dh /etc/openvpn/cert/dh.pem
topology subnet
server 192.168.140.0 255.255.255.0
client-to-client
ifconfig-pool-persist ipp.txt
client-config-dir ccd
keepalive 10 120
tls-auth /etc/openvpn/cert/ta.key
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
duplicate-cn
comp-lzo
max-clients 10
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3

=================
on SERVER

Code:

cd /etc/openvpn
touch ipp.txt    # on the server, in /etc/openvpn
mkdir ccd
nano -w ccd/syscon7

and put in it:

Code:

ifconfig-push 192.168.140.7 255.255.255.0

"save it"

Code:

cd /etc/init.d/
ln -s openvpn openvpn.server_clinic_8amd
openvpn.server_clinic_8amd start
==========================

On the client PC (mine is "syscon7"), logged in as root:

Code:

cd /etc/openvpn
mkdir cert_clinic_8amd

and copy the above files to that directory.
# ll cert_clinic_8amd/
total 20
-rwx------ 1 root root 1749 Feb  7 14:21 ca.crt
-rwx------ 1 root root 5239 Feb  7 14:21 syscon7.crt
-rwx------ 1 root root 1704 Feb  7 14:21 syscon7.key
-rwx------ 1 root root  636 Feb  7 14:21 ta.key

nano -w clinic_8amd.conf

Code:

client
dev tun
proto udp
port 9071
topology subnet

remote <your_remote_PC_IP_address> 9071

resolv-retry infinite
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
persist-key
persist-tun
remote-cert-tls server
ca "/etc/openvpn/cert_clinic_8amd/ca.crt"
cert "/etc/openvpn/cert_clinic_8amd/syscon7.crt"
key "/etc/openvpn/cert_clinic_8amd/syscon7.key"
tls-auth "/etc/openvpn/cert_clinic_8amd/ta.key"
comp-lzo
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3

================

Note: make sure on your server network firewall you forward traffic from incoming port: 9071 to 9000

Code:

cd /etc/init.d/
ln -s openvpn openvpn.clinic_8amd
openvpn.clinic_8amd start

You should now have a VPN; check it with "ifconfig".
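The post above lists which files are public (ca.crt, the .crt files, dh.pem) and which are private (the .key files and ta.key), and its two directory listings show 0600 on the server side and 0700 on the client side. The script below is an added example, not code from the post or from the OpenVPN project: it checks a key directory against that split (private material owner-readable only, nothing with an execute bit) and can normalise the modes. The directory it creates under mktemp is constructed sample data with two deliberate mistakes; it uses only POSIX sh and `ls -l`, so it works the same on Linux and BSD.

```shell
#!/bin/sh
# Added example, not from the post: permission check for an OpenVPN key
# directory, following the public/private split listed above.

# mode_of FILE: print the nine-character permission string, e.g. rw-------
mode_of() { ls -ld "$1" | cut -c2-10; }

# is_private FILE: exit 0 if the file name denotes private key material
# (server/client .key files and the tls-auth ta.key).
is_private() {
    case $(basename "$1") in
        *.key) return 0 ;;
        *)     return 1 ;;
    esac
}

# check_key_dir DIR: print one line per problem and return the number of
# problems (0 means the directory is fine).
check_key_dir() {
    dir=$1; bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        m=$(mode_of "$f")
        go=$(printf '%s' "$m" | cut -c4-9)   # group + other bits only
        if is_private "$f" && [ "$go" != "------" ]; then
            echo "private file $(basename "$f") is readable by group/others ($m)"
            bad=$((bad + 1))
        fi
        case $m in
            *x*) echo "$(basename "$f") has an execute bit set ($m)"; bad=$((bad + 1)) ;;
        esac
    done
    return $bad
}

# fix_key_dir DIR: private files become 0600, public files 0644.
fix_key_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if is_private "$f"; then chmod 600 "$f"; else chmod 644 "$f"; fi
    done
}

# make_sample_dir: build a constructed key directory with two deliberate
# mistakes (world-readable server.key, execute bit on ta.key) and print its path.
make_sample_dir() {
    d=$(mktemp -d)
    for f in ca.crt dh.pem server.crt server.key ta.key; do : > "$d/$f"; done
    chmod 644 "$d/ca.crt" "$d/dh.pem" "$d/server.crt"
    chmod 644 "$d/server.key"   # wrong: private key readable by everyone
    chmod 700 "$d/ta.key"       # wrong: stray execute bit, as in the client listing
    echo "$d"
}

main() {
    d=$(make_sample_dir)
    rc=0
    check_key_dir "$d" || rc=$?
    echo "problems before fix: $rc"
    fix_key_dir "$d"
    rc=0
    check_key_dir "$d" || rc=$?
    echo "problems after fix: $rc"
    rm -rf "$d"
}
main
```

On a real installation, `check_key_dir /etc/openvpn/cert` after copying the files (and again on the client) confirms that the 'pay attention to permission' step was actually done; the return value doubles as an exit status for a deployment script.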
truekaiser
l33t
Posts: 832
Joined: Fri Mar 05, 2004 11:00 pm

Post by truekaiser » Fri Nov 21, 2025 8:11 pm

Sorry to necro an old topic, but I want to ask:
would this configuration work for setting up a VPN server at my home, so my phone can connect to it over public wifi?
flexibeast
l33t
Posts: 682
Joined: Mon Apr 04, 2022 4:15 am
Location: Naarm/Melbourne, Australia

Post by flexibeast » Fri Nov 21, 2025 10:45 pm

Off the top of my head I'd suggest that people consider setting up WireGuard rather than OpenVPN, but I'd be interested in others' opinions on this. (I've run a WireGuard setup involving a Linux host and an OpenBSD host, but I've never run an OpenVPN setup.)
https://wiki.gentoo.org/wiki/User:Flexibeast
My most recent wiki contributions