How to Route: Setup and Configure OpenVPN Client / Server VPN
OpenVPN is a full-featured SSL VPN that implements an OSI Layer 2 or 3 secure network extension using the industry-standard SSL/TLS protocol. It supports flexible client authentication methods based on certificates, smart cards, and/or username/password credentials, and allows user- or group-specific access control policies using firewall rules applied to the VPN virtual interface. OpenVPN is not a web application proxy and does not operate through a web browser.
OpenVPN 2.0 expands the capabilities of OpenVPN 1.x by introducing a scalable client/server mode, allowing multiple clients to connect to a single OpenVPN server process over a single TCP or UDP port. OpenVPN 2.3 includes a large number of improvements, including full IPv6 support and PolarSSL support.
This document provides step-by-step instructions for configuring the OpenVPN 2.x client/server VPN, including:
This HOWTO assumes that readers possess a prior understanding of basic networking concepts such as IP addresses, DNS names, network masks, subnets, IP routing, routers, network interfaces, local networks, gateways, and firewall rules.
The OpenVPN 1.x HOWTO is still available, and remains useful for static key or point-to-point configurations.
While this HOWTO will guide you in setting up a scalable VPN client/server using an X509 PKI (Public Key Infrastructure using certificates and private keys), this may be overkill if you are only looking for a simple VPN setup with a server that can handle a single client.
If you want to get a VPN running quickly with minimal configuration, you can check out the Static Key Mini-HOWTO.
The OpenVPN source code and Windows installers can be downloaded here. Recent versions (2.2 and later) are also available as Debian and RPM packages; see the OpenVPN wiki for details.
The OpenVPN executable must be installed on both the server and client machines, since the single executable provides both client and server functionality.
If you are using a Linux distribution that supports RPM packages (SuSE, Fedora, Red Hat, etc.), it is best to install using this mechanism. The easiest way is to find an existing binary RPM file for your distribution. You can also build your own binary RPM:
Furthermore, if you are building your own binary RPM package, there are several additional dependencies:
See the openvpn.spec file for additional notes on building an RPM package for Red Hat Linux 9 or building with low dependencies.
If you are using Debian, Gentoo, or a non-RPM-based Linux distribution, use your distro's package mechanism, such as apt-get on Debian or emerge on Gentoo.
It is also possible to install OpenVPN on Linux using the universal ./configure method. First expand the .tar.gz file:
OpenVPN for Windows can be installed from the self-installing exe file on the OpenVPN download page. Remember that OpenVPN will only run on Windows XP or later. Also note that OpenVPN must be installed and run by a user who has administrative privileges (this restriction is imposed by Windows, not OpenVPN). The restriction can be sidestepped by running OpenVPN in the background as a service, in which case even non-admin users will be able to access the VPN once it is installed. See the further discussion of OpenVPN + Windows privilege issues.
The official OpenVPN Windows installers include OpenVPN-GUI, which allows managing OpenVPN connections from a system tray applet. Other GUI applications are also available.
After running the Windows installer, OpenVPN is ready for use and will associate itself with files having the .ovpn extension. To run OpenVPN, you can:
Some notes are available in the INSTALL file for specific operating systems. In general, the ./configure method can be used, or you can search for an OpenVPN port or package specific to your operating system/distribution.
See the FAQ for an overview of routing vs. Ethernet bridging. Also see the OpenVPN Ethernet Bridging page for more notes and details on bridging.
Overall, routing is probably a better choice for most people, as it is more efficient and easier to set up (as far as the OpenVPN configuration itself is concerned) than bridging. Routing also provides a greater ability to selectively control access rights on a client-specific basis.
I would recommend using routing unless you need a specific feature that requires bridging, such as:
Setting up a VPN often requires connecting private subnets from different locations together.
The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP address space for private networks (codified in RFC 1918):
While addresses from these netblocks should usually be used in VPN configurations, it is important to select addresses that reduce the possibility of IP address or subnet conflicts. The types of conflicts to avoid are:
For example, let’s say you are using the common subnet 192.168.0.0/24 as your LAN subnet. Now you are trying to connect to a VPN from an internet café that is using the same subnet as their WiFi LAN. You will have a routing conflict because your device will not know if 192.168.0.1 is pointing to the local WiFi gateway or to the same address on the VPN.
As another example, suppose you want to link multiple sites together by VPN, but each site uses 192.168.0.0/24 as its LAN subnet. This won't work without adding a complex layer of NAT translation, because the VPN won't know how to route packets between multiple sites if those sites don't use a subnet that uniquely identifies them.
The best solution is to avoid using 10.0.0.0/24 or 192.168.0.0/24 as private LAN addresses. Instead, use something that has a lower probability of being used at a WiFi café, airport, or hotel from which you might expect to connect remotely. The best candidates are subnets in the middle of the vast 10.0.0.0/8 netblock (e.g. 10.66.77.0/24).
To avoid IP numbering conflicts across sites, always use a unique numbering for LAN subnets.
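The two conflict cases above (a client LAN colliding with the café LAN, and the VPN pool colliding with a site LAN) can be caught before deployment. The following is an added example, not part of the HOWTO: a pure POSIX sh checker that takes labelled CIDR blocks and reports every overlapping pair, using the constructed plan from the text.

```shell
#!/bin/sh
# Added example (not from the OpenVPN HOWTO): report RFC 1918 subnet conflicts in a VPN plan.
# Pure POSIX sh arithmetic; no ipcalc or python needed.

ip_to_int() {
    # "10.66.77.0" -> 172233984
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

net_of() {
    # "10.66.77.0/24" -> network number as an integer (host bits cleared)
    addr=${1%/*}; bits=${1#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    echo $(( $(ip_to_int "$addr") & mask ))
}

cidr_overlaps() {
    # Two CIDR blocks overlap iff one contains the other: mask the longer-prefix block
    # down to the shorter prefix and compare network numbers.
    if [ "${1#*/}" -le "${2#*/}" ]; then short=$1; long=$2; else short=$2; long=$1; fi
    [ "$(net_of "${long%/*}/${short#*/}")" -eq "$(net_of "$short")" ]
}

count_conflicts() {
    # Args: label=cidr ...  Prints each conflicting pair on stderr, echoes the count on stdout.
    n=0
    while [ $# -gt 1 ]; do
        a=$1; shift
        for b in "$@"; do
            if cidr_overlaps "${a#*=}" "${b#*=}"; then
                echo "CONFLICT: ${a%%=*} ${a#*=} overlaps ${b%%=*} ${b#*=}" >&2
                n=$((n + 1))
            fi
        done
    done
    echo "$n"
}

# Constructed plan mirroring the text: home LAN and café LAN collide, and the VPN pool
# 10.8.0.0/24 sits inside an office that grabbed all of 10.0.0.0/8 -> 2 conflicts.
count_conflicts vpn=10.8.0.0/24 home=192.168.0.0/24 cafe=192.168.0.0/24 office=10.0.0.0/8
# Same plan with the HOWTO's advice applied (home LAN moved into the middle of 10/8) -> 0.
count_conflicts vpn=10.8.0.0/24 home=10.66.77.0/24 cafe=192.168.0.0/24 office=10.200.0.0/16
```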
The first step in building an OpenVPN 2.x configuration is to create a PKI (Public Key Infrastructure). PKI consists of:
OpenVPN supports two-way authentication based on certificates, which means that the client must authenticate the server’s certificate and the server must authenticate the client’s certificate before the mutual trust can be established.
The client and server will authenticate each other by first verifying that the presented certificate was signed by the master certificate authority (CA), and then by testing information in the header of the now-authenticated certificate, such as the certificate's common name or certificate type (client or server).
Note that the server and client clocks must be nearly in sync or else the certificates may not work properly.
In this section, we will create a CA master key/certificate, a server certificate/key, and certificates/keys for three separate clients.
To manage the PKI we will be using easy-rsa 2, a set of scripts bundled with OpenVPN 2.2.x and earlier. If you are using OpenVPN 2.3.x, you may need to download easy-rsa 2 separately from the old easy-rsa project page. On *NIX platforms you should consider using easy-rsa 3 instead; refer to its documentation for details.
If you are using Linux, BSD, or a unix-like operating system, open a shell and cd to the easy-rsa subdirectory. If you installed OpenVPN from an RPM or DEB file, the easy-rsa directory can usually be found in /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn (it is best to copy this directory to another location such as /etc/openvpn before making any edits, so that future OpenVPN package upgrades do not overwrite your modifications). If you installed from a .tar.gz file, the easy-rsa directory will be in the top-level directory of the expanded source tree.
If you are using Windows, open a Command Prompt window and cd to \Program Files\OpenVPN\easy-rsa. Run the following batch file to copy the configuration files into place (this will overwrite any pre-existing vars.bat and openssl.cnf files):
Now edit the vars file (called vars.bat on Windows) and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL parameters. Do not leave any of these parameters blank.
Next, configure the PKI. On Linux/BSD/Unix:
The final command (build-ca) will generate the certificate authority (CA) certificate and key by invoking the interactive openssl command:
Note that in the above sequence, most of the queried parameters defaulted to the values set in the vars or vars.bat files. The only parameter that must be explicitly entered is the common name. In the example above, I used "OpenVPN-CA".
Next, we will generate a certificate and private key for the server. On Linux/BSD/Unix:
As in the previous step, most parameters can be defaulted. When the common name is queried, enter "server". Two other queries require a positive response: "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".
Creating client certificates is very similar to the previous step. On Linux/BSD/Unix:
If you would like to password-protect your client keys, substitute the build-key-pass script.
Remember that for each client, make sure to type the appropriate common name when prompted, i.e. "client1", "client2", or "client3". Always use a unique common name for each client.
Diffie-Hellman parameters must be generated for the OpenVPN server. On Linux/BSD/Unix:
We will now find our newly generated keys and certificates in the keys subdirectory. Here is an explanation of the relevant files:
The final step in the key generation process is to copy all files to the machines that need them, taking care to copy secret files over a secure channel.
Now wait, you might say. Shouldn't it be possible to set up a PKI without a pre-existing secure channel?
The answer, apparently, is yes. In the example above, for the sake of brevity, we generated all private keys in the same place. With a bit more effort, we could have done this differently. For example, instead of generating the client certificate and keys on the server, we could have had the client generate its own private key locally, and then submit a Certificate Signing Request (CSR) to the key-signing machine. In turn, the key-signing machine could have processed the CSR and returned a signed certificate to the client. This could have been done without ever requiring a secret .key file to leave the hard drive of the machine on which it was generated.
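The CSR workflow described above, as an added example that is not part of the HOWTO or of easy-rsa: plain openssl commands, with the CA and the client each confined to their own directory so the check that no client .key ever reaches the CA side is explicit. The directory layout, the "OpenVPN-CA" and "client1" names, and the 2048-bit RSA / validity choices are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the OpenVPN HOWTO): CSR-based enrolment with plain openssl.
# The client private key is created and stays in the client directory; only the CSR
# travels to the CA and only the signed certificate travels back.
set -e

ca_init() {
    # Key-signing machine: self-signed CA certificate and key (the build-ca step).
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=OpenVPN-CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

client_make_csr() {
    # Client machine: generate $2.key locally and a CSR for common name $2.
    mkdir -p "$1"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

ca_sign_csr() {
    # Key-signing machine: sign CSR $2 with the CA in $1, writing the certificate to $3.
    openssl x509 -req -in "$2" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -days 365 -out "$3" 2>/dev/null
}

cert_common_name() {
    # The field an OpenVPN peer inspects after the chain check: the certificate's CN.
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *CN=//'
}

csr_flow_demo() {
    # Run the full exchange in a scratch directory; print the signed certificate's CN
    # once it verifies against the CA and no client key has appeared on the CA side.
    work=$(mktemp -d)
    ca_init "$work/ca"
    client_make_csr "$work/client1" client1
    cp "$work/client1/client1.csr" "$work/ca/client1.csr"       # only the CSR goes to the CA
    ca_sign_csr "$work/ca" "$work/ca/client1.csr" "$work/ca/client1.crt"
    cp "$work/ca/client1.crt" "$work/client1/client1.crt"       # only the certificate comes back
    openssl verify -CAfile "$work/ca/ca.crt" "$work/client1/client1.crt" >/dev/null
    [ ! -e "$work/ca/client1.key" ] || { echo "client key leaked to CA side" >&2; return 1; }
    cert_common_name "$work/client1/client1.crt"
    rm -rf "$work"
}

csr_flow_demo
```

The resulting client1.crt and the client's own client1.key are what the cert and key directives in client.conf point at; ca.crt is the only CA-side file the client ever needs.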
It is best to use the OpenVPN sample configuration files as a starting point for your own configuration. These files can also be found in:
Note that on Linux, BSD, or unix-like operating systems, the sample configuration files are named server.conf and client.conf. On Windows they are named server.ovpn and client.ovpn.
The sample server configuration file is an ideal starting point for an OpenVPN server configuration. It will create a VPN using a virtual TUN network interface (for routing), will listen for client connections on UDP port 1194 (OpenVPN's official port number), and will distribute virtual addresses to connecting clients from the 10.8.0.0/24 subnet.
Before you use the sample configuration file, you should first edit the ca, cert, key, and dh parameters to point to the files you generated in the PKI section above.
At this point, the server configuration file is usable, however you may want to customize it further:
If you want to run multiple OpenVPN instances on the same machine, each one using a different configuration file, it is possible if you:
The sample client configuration file (client.conf on Linux/BSD/Unix or client.ovpn on Windows) mirrors the default directives set in the sample server configuration file.
First, make sure the OpenVPN server will be accessible from the Internet. This means:
To simplify troubleshooting, it is best to start OpenVPN initially…