Difference between revisions of "OpenVPN"

From ArchWiki
Jump to navigation Jump to search
m (→‎iptables: Add how to allow forwarding)
 
(497 intermediate revisions by more than 100 users not shown)
Line 1: Line 1:
 
[[Category:Virtual Private Network]]
 
[[Category:Virtual Private Network]]
[[zh-CN:OpenVPN]]
+
[[de:OpenVPN]]
{{Expansion|(at least) add support for ipv6 and L2 ethernet bridging}}
+
[[ja:OpenVPN]]
 +
[[zh-hans:OpenVPN]]
 +
{{Related articles start}}
 +
{{Related|OpenVPN client in Linux Containers}}
 +
{{Related|OpenVPN server in Linux Containers}}
 +
{{Related|Easy-RSA}}
 +
{{Related articles end}}
  
This article describes a basic installation and configuration of [http://openvpn.net OpenVPN], suitable for private and small business use. For more detailed information, please see the official [http://openvpn.net/index.php/manuals/427-openvpn-22.html OpenVPN 2.2 man page] and the [http://openvpn.net/index.php/open-source/documentation OpenVPN documentation].
+
This article describes a basic installation and configuration of [http://openvpn.net OpenVPN], suitable for private and small business use. For more detailed information, please see the [https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage OpenVPN 2.4 man page] and the [http://openvpn.net/index.php/open-source/documentation OpenVPN documentation]. OpenVPN is a robust and highly flexible [[Wikipedia:VPN|VPN]] daemon. It supports [[Wikipedia:SSL/TLS|SSL/TLS]] security, [[Wikipedia:Bridging_(networking)|Ethernet bridging]], [[Wikipedia:Transmission_Control_Protocol|TCP]] or [[Wikipedia:User_Datagram_Protocol|UDP]] [[Wikipedia:Tunneling_protocol|tunnel transport]] through [[Wikipedia:Proxy_server|proxies]] or [[Wikipedia:Network address translation|NAT]]. Additionally it has support for dynamic IP addresses and [[Wikipedia:Dynamic_Host_Configuration_Protocol|DHCP]], scalability to hundreds or thousands of users, and portability to most major OS platforms.
  
OpenVPN is a robust and highly flexible [[Wikipedia:VPN|VPN]] daemon. OpenVPN supports [[Wikipedia:SSL/TLS|SSL/TLS]] security, [[Wikipedia:Bridging_(networking)|ethernet bridging]], [[Wikipedia:Transmission_Control_Protocol|TCP]] or [[Wikipedia:User_Datagram_Protocol|UDP]] [[Wikipedia:Tunneling_protocol|tunnel transport]] through [[Wikipedia:Proxy_server|proxies]] or [[Wikipedia:Network address translation|NAT]], support for dynamic IP addresses and [[Wikipedia:Dynamic_Host_Configuration_Protocol|DHCP]], scalability to hundreds or thousands of users, and portability to most major OS platforms.
+
OpenVPN is tightly bound to the [http://www.openssl.org OpenSSL] library, and derives much of its crypto capabilities from it. It supports conventional encryption using a [[Wikipedia:Pre-shared_key|pre-shared secret key]] (Static Key mode) or [[Wikipedia:Public_key|public key security]] ([[Wikipedia:SSL/TLS|SSL/TLS]] mode) using client & server certificates. Additionally it supports unencrypted TCP/UDP tunnels.
  
OpenVPN is tightly bound to the [http://www.openssl.org OpenSSL] library, and derives much of its crypto capabilities from it.
+
OpenVPN is designed to work with the [[Wikipedia:TUN/TAP|TUN/TAP]] virtual networking interface that exists on most platforms. Overall, it aims to offer many of the key features of [[Wikipedia:Ipsec|IPSec]] but with a relatively lightweight footprint. OpenVPN was written by James Yonan and is published under the [[Wikipedia:GNU General Public License|GNU General Public License (GPL)]].
  
OpenVPN supports conventional encryption using a [[Wikipedia:Pre-shared_key|pre-shared secret key]] (Static Key mode) or [[Wikipedia:Public_key|public key security]] ([[Wikipedia:SSL/TLS|SSL/TLS]] mode) using client & server certificates. OpenVPN also supports non-encrypted TCP/UDP tunnels.
+
== Installation ==
  
OpenVPN is designed to work with the [[Wikipedia:TUN/TAP|TUN/TAP]] virtual networking interface that exists on most platforms.
+
[[Install]] the {{Pkg|openvpn}} package, which provides both server and client mode.
  
Overall, OpenVPN aims to offer many of the key features of [[Wikipedia:Ipsec|IPSec]] but with a relatively lightweight footprint.
+
Available frontends:
  
OpenVPN was written by James Yonan and is published under the [[Wikipedia:GNU General Public License|GNU General Public License (GPL)]].
+
* {{App| NetworkManager OpenVPN|NetworkManager VPN plugin for OpenVPN.|https://wiki.gnome.org/Projects/NetworkManager/VPN|{{Pkg|networkmanager-openvpn}}}}
 +
* {{App|QOpenVPN|Simple OpenVPN GUI written in PyQt for systemd based distributions.|https://github.com/xmikos/qopenvpn|{{Pkg|qopenvpn}}}}
  
==Install OpenVPN==
+
== Kernel configuration ==
[[pacman|Install]] {{Pkg|openvpn}} from the [[official repositories]].
 
  
{{Note|The software contained in this package supports both server and client mode, so install it on all machines that need to create vpn connections.}}
+
OpenVPN requires TUN/TAP support, which is already configured in the default kernel. Users of custom kernel should make sure to enable the {{ic|tun}} module:
  
==Configure the system for TUN/TAP support==
+
{{hc|Kernel config file|
 +
Device Drivers
 +
  --> Network device support
 +
    [M] Universal TUN/TAP device driver support
 +
}}
  
OpenVPN requires TUN/TAP support. Make sure to load the TUN module.
+
Read [[Kernel modules]] for more information.
  
{{hc|/etc/modules-load.d/tun.conf|<nowiki>
+
== Connect to a VPN provided by a third party ==
# Load tun.ko at boot
 
tun</nowiki>}}
 
  
==Connect to a VPN provided by a third party==
+
To connect to a VPN service provided by a third party, most of the following can most likely be ignored, especially regarding server setup. Begin with [[#The client config profile]] and skip ahead to [[#Starting OpenVPN]] after that. One should use the provider certificates and instructions, see [[:Category:VPN providers]] for examples that can be adapted to other providers. [[OpenVPN client in Linux Containers]] also has general applicable instructions, while it goes a step further by isolating an OpenVPN client process into a container.
  
To connect to a VPN provided by a third party, most of the following can most likely be ignored.  Use the certificates and instructions given by your provider, for instance see: [[Airvpn]].
+
{{Note|Most free VPN providers will (often only) offer [[PPTP server|PPTP]], which is drastically easier to setup and configure, but [http://poptop.sourceforge.net/dox/protocol-security.phtml not secure].}}
  
==Create a Public Key Infrastructure (PKI) from scratch==
+
== Create a Public Key Infrastructure (PKI) from scratch ==
  
If you are setting up OpenVPN from scratch, you will need to create a [[Wikipedia:Public key infrastructure|Public Key Infrastructure (PKI)]].
+
When setting up an OpenVPN server, users need to create a [[Wikipedia:Public key infrastructure|Public Key Infrastructure (PKI)]] which is detailed in the [[Easy-RSA]] article. Once the needed certificates, private keys, and associated files are created via following the steps in the separate article, one should have 5 files in {{ic|/etc/openvpn/server}} at this point:
  
Create the needed certificates and keys by following: [[Create a Public Key Infrastructure Using the easy-rsa Scripts]].
+
ca.crt
 +
dh.pem
 +
servername.crt
 +
servername.key
 +
ta.key
  
The final step of the key creation process is to copy the files needed to the correct machines through a secure channel.
+
Alternatively, as of OpenVPN 2.4, one can use Easy-RSA to generate certificates and keys using elliptic curves. See the OpenVPN documentation for details.
  
{{Note|The rest of this article assumes that the keys and certificates are placed in /etc/openvpn.}}
+
== A basic Layer-3 IP routing configuration ==
  
The public ca.crt certificate is needed on all servers and clients. The private ca.key key is secret and only needed on the key generating machine.
+
{{Note|Unless otherwise explicitly stated, the rest of this article assumes a basic Layer-3 IP routing configuration.}}
  
A server needs server.crt, and dh2048.pem (public), and server.key and ta.key (private).
+
OpenVPN is an extremely versatile piece of software and many configurations are possible, in fact machines can be both servers and clients.
 
A client needs client.crt (public),  and client.key and ta.key (private).
 
  
==A basic L3 IP routing configuration==
+
With the release of v2.4, server configurations are stored in {{ic|/etc/openvpn/server}} and client configurations are stored in {{ic|/etc/openvpn/client}} and each mode has its own respective systemd unit, namely, {{ic|openvpn-client@.service}} and {{ic|openvpn-server@.service}}.
  
{{Note|Unless otherwise explicitly stated, the rest of this article assumes this basic configuration.}}
+
=== Example configuration ===
  
OpenVPN is an extremely versatile piece of software and many configurations are possible, in fact machines can be both "servers" and "clients", blurring the distinction between server and client.
+
The OpenVPN package comes with a collection of example configuration files for different purposes. The sample server and client configuration files make an ideal starting point for a basic OpenVPN setup with the following features:
  
What really distinguishes a server from a client (apart from the type of certificate used) is the configuration file itself. The openvpn daemon startup script reads all the .conf configuration files it finds in /etc/openvpn on startup and acts accordingly. In fact if it finds more than one configuration file, it will start one OpenVPN processes per configuration file.
+
* Uses [[Wikipedia:Public key infrastructure|Public Key Infrastructure (PKI)]] for authentication.
 +
* Creates a VPN using a virtual TUN network interface (OSI Layer-3 IP routing).
 +
* Listens for client connections on UDP port 1194 (OpenVPN's official IANA port number[https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=openvpn]).
 +
* Distributes virtual addresses to connecting clients from the 10.8.0.0/24 subnet.
  
This article explains how to setup a server called elmer, and a client that connects to it called bugs. More servers and clients can easily be added, by creating more key/certificate pairs and adding more server and client configuration files.
+
For more advanced configurations, please see the {{man|8|openvpn}} man page and the [http://openvpn.net/index.php/open-source/documentation OpenVPN documentation].
  
The OpenVPN package comes with a collection of example configuration files for different purposes. The sample server and client configuration files make an ideal starting point for a basic OpenVPN setup with the following features:
+
=== The server configuration file ===
  
* Uses [[Wikipedia:Public key infrastructure|Public Key Infrastructure (PKI)]] for authentication.
+
{{Note|Note that if the server is behind a firewall or a NAT translating router, the OpenVPN port must be forwarded on to the server.}}
* Creates a VPN using a virtual TUN network interface (OSI L3 IP routing).
 
* Listens for client connections on UDP port 1194 (OpenVPN's [[Wikipedia:Port_number|official IANA port number]]).
 
* Distributes virtual addresses to connecting clients from the 10.8.0.0/24 subnet.
 
  
For more advanced configurations, please see the official [http://openvpn.net/index.php/manuals/427-openvpn-22.html OpenVPN 2.2 man page] and the [http://openvpn.net/index.php/open-source/documentation OpenVPN documentation].
+
Copy the example server configuration file {{ic|/usr/share/openvpn/examples/server.conf}} to {{ic|/etc/openvpn/server/server.conf}}.
  
===The server configuration file===
+
Edit the file making a minimum of the following changes:
  
Copy the example server configuration file to /etc/openvpn/server.conf
+
{{hc|/etc/openvpn/server/server.conf|
 +
ca ca.crt
 +
cert servername.crt
 +
key servername.key
 +
dh dh.pem
 +
.
 +
tls-crypt ta.key # Replaces ''tls-auth ta.key 0''
 +
.
 +
user nobody
 +
group nobody
 +
}}
  
{{bc|# cp /usr/share/openvpn/examples/server.conf /etc/openvpn/server.conf}}
+
If TLS with elliptic curves is used, specify {{ic|dh none}} and {{ic|ecdh-curve secp521r1}}. DH parameters file is not used when using elliptic curves. Starting from OpenVPN 2.4.8, it is required to specify the type of elliptic curves in server configuration. Otherwise the server would fail to recognize the curve type and possibly use an incompatible one, resulting in authentication errors.
  
Edit the following:
+
==== Hardening the server ====
  
* The ca, cert, key, and dh parameters to reflect the path and names of the keys and certificates. Specifying the paths will allow you to run the OpenVPN executable from any directory for testing purposes.
+
If security is a priority, additional configuration is recommended including: limiting the server to use a strong cipher/auth method and (optionally) limiting the set of enabled TLS ciphers to the newer ciphers. Starting from OpenVPN 2.4, the server and the client will automatically negotiate AES-256-GCM in TLS mode.
* Enable the SSL/TLS HMAC handshake protection. '''Note the use of the parameter 0 for a server'''.
 
*It is recommended to run OpenVPN with reduced privileges once it has initialized, do this by uncommenting the user and group directives.
 
  
{{hc|/etc/openvpn/server.conf|
+
Add the following to {{ic|/etc/openvpn/server/server.conf}}:
ca /etc/openvpn/ca.crt
 
cert /etc/openvpn/elmer.crt
 
key /etc/openvpn/elmer.key
 
  
dh /etc/openvpn/dh2048.pem
+
{{hc|/etc/openvpn/server/server.conf|
 
.
 
.
 +
cipher AES-256-GCM
 +
auth SHA512
 +
tls-version-min 1.2
 +
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
 
.
 
.
tls-auth /etc/openvpn/ta.key '''0'''
+
}}
 +
 
 +
{{Note|
 +
*The .ovpn client profile '''must''' contain a matching cipher and auth line to work properly (at least with the iOS and Android client).
 +
*Using {{ic|tls-cipher}} incorrectly may cause difficulty with debugging connections and may not be necessary. See [https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-cipher OpenVPN’s community wiki] for more information.}}
 +
 
 +
==== Enabling compression ====
 +
Enabling compression is not recommended by upstream; doing so opens to the server the so-called VORACLE attack vector.  See [https://community.openvpn.net/openvpn/wiki/VORACLE this] article.
 +
 
 +
==== Deviating from the standard port and/or protocol ====
 +
 
 +
It is generally recommended to use OpenVPN over UDP, because [http://sites.inka.de/bigred/devel/tcp-tcp.html TCP over TCP is a bad idea][http://adsabs.harvard.edu/abs/2005SPIE.6011..138H].
 +
 
 +
Some networks may disallow OpenVPN connections on the default port and/or protocol. One strategy to circumvent this is to mimic HTTPS traffic which is very likely unobstructed.
 +
 
 +
To do so, configure {{ic|/etc/openvpn/server/server.conf}} as such:
 +
{{hc|/etc/openvpn/server/server.conf|
 
.
 
.
 +
port 443
 +
proto tcp
 +
.
 +
}}
 +
 +
{{Note|The .ovpn client profile '''must''' contain a matching port and proto line to work properly!}}
 +
 +
==== Running multiple instances of OpenVPN on different ports on the physical machine ====
 +
 +
One can have multiple, concurrent instances of OpenVPN running on the same box.  Each server needs to be defined in {{ic|/etc/openvpn/server/}} as a separate .conf file.  At a minimum, the parallel servers need to be running on different ports.  A simple setup directs traffic connecting in to a separate IP pool.  More advanced setups are beyond the scope of this guide.
 +
 +
Consider this example, running 2 concurrent servers, one port 443/udp and another on port 80/tcp.
 +
 +
First modify {{ic|/etc/openvpn/server/server.conf}} created as so:
 +
 +
{{hc|/etc/openvpn/server/server.conf|
 +
.
 +
port 443
 +
proto udp
 +
server 10.8.0.0 255.255.255.0
 
.
 
.
user nobody
 
group nobody
 
 
}}
 
}}
  
{{Note|Note that if the server is behind a firewall or a NAT translating router, you will have to forward the OpenVPN UDP port (1194) to the server.}}
+
Now copy it and modify the copy to run on 80/tcp:
 +
{{hc|/etc/openvpn/server/server2.conf|
 +
.
 +
port 80
 +
proto tcp
 +
server 10.8.1.0 255.255.255.0
 +
.
 +
}}
  
===The client configuration file===
+
Be sure to setup the corresponding entries in the firewall, see the relevant sections in [[#Firewall configuration]].
  
Copy the example client configuration file to /etc/openvpn/client.conf
+
=== The client config profile ===
  
{{bc|# cp /usr/share/openvpn/examples/client.conf /etc/openvpn/client.conf}}
+
Copy the example client configuration file {{ic|/usr/share/openvpn/examples/client.conf}} to {{ic|/etc/openvpn/client/}}.
  
 
Edit the following:
 
Edit the following:
  
* The remote directive to reflect the server's [[Wikipedia:Fully qualified domain name|Fully Qualified Domain Name]], hostname (as known to the client) or IP address.
+
* The {{ic|remote}} directive to reflect either the server's [[Wikipedia:Fully qualified domain name|Fully Qualified Domain Name]], hostname (as known to the client), or its IP address.
* Uncomment the user and group directives to drop privileges.
+
* Uncomment the {{ic|user}} and {{ic|group}} directives to drop privileges.
* The ca, cert, and key parameters to reflect the path and names of the keys and certificates.
+
* The {{ic|ca}}, {{ic|cert}}, and {{ic|key}} parameters to reflect the path and names of the keys and certificates.
* Enable the SSL/TLS HMAC handshake protection. '''Note the use of the parameter 1 for a client'''.
+
* Enable the TLS HMAC handshake protection ({{ic|--tls-crypt}} or {{ic|--tls-auth}}).
  
{{hc|/etc/openvpn/client.conf|
+
{{hc|/etc/openvpn/client/client.conf|
 +
client
 
remote elmer.acmecorp.org 1194
 
remote elmer.acmecorp.org 1194
.
 
 
.
 
.
 
user nobody
 
user nobody
 
group nobody
 
group nobody
 +
ca ca.crt
 +
cert client.crt
 +
key client.key
 
.
 
.
.
+
tls-crypt ta.key # Replaces ''tls-auth ta.key 1''
ca /etc/openvpn/ca.crt
 
cert /etc/openvpn/bugs.crt
 
key /etc/openvpn/bugs.key
 
.
 
.
 
tls-auth /etc/openvpn/ta.key '''1'''
 
 
}}
 
}}
  
===Testing the OpenVPN configuration===
+
==== Run as unprivileged user ====
 +
 
 +
Using the options {{ic|user nobody}} and {{ic|group nobody}} in the configuration file makes ''OpenVPN'' drop its {{ic|root}} privileges after establishing the connection. The downside is that upon VPN disconnect the daemon is unable to delete its set network routes again. If one wants to limit transmitting traffic without the VPN connection, then lingering routes may be considered beneficial. It can also happen, however, that the OpenVPN server pushes updates to routes at runtime of the tunnel. A client with dropped privileges will be unable to perform the update and exit with an error.
 +
 
 +
As it could seem to require manual action to manage the routes, the options {{ic|user nobody}} and {{ic|group nobody}} might seem undesirable. Depending on setup, however, there are different ways to handle these situations:
 +
 
 +
* For errors of the unit, a simple way is to [[edit]] it and add a {{ic|1=Restart=on-failure}} to the {{ic|[Service]}} section. Though, this alone will not delete any obsoleted routes, so it may happen that the restarted tunnel is not routed properly.
 +
* The package contains the {{ic|/usr/lib/openvpn/plugins/openvpn-plugin-down-root.so}}, which can be used to let ''openvpn'' fork a process with root privileges with the only task to execute a custom script when receiving a down signal from the main process, which is handling the tunnel with dropped privileges (see also its [https://community.openvpn.net/openvpn/browser/plugin/down-root/README?rev=d02a86d37bed69ee3fb63d08913623a86c88da15 README]).
 +
 
 +
The OpenVPN HowTo's linked below go further by creating a dedicated non-privileged user/group, instead of the already existing {{ic|nobody}}. The advantage is that this avoids potential risks when sharing a user among daemons:
 +
* The [https://openvpn.net/index.php/open-source/documentation/howto.html#security OpenVPN HowTo] explains another way how to create an unprivileged user mode and wrapper script to have the routes restored automatically.
 +
* It is possible to let OpenVPN start as a non-privileged user in the first place, without ever running as root, see [https://community.openvpn.net/openvpn/wiki/UnprivilegedUser this OpenVPN wiki] (howto). The howto assumes the presence of System V init, rather than [[Systemd]] and does not cover the handling of {{ic|--up}}/{{ic|--down}} scripts - those should be handled the same way as the ''ip'' command, with additional attention to access rights.
 +
* It is also possible to run OpenVPN from within unprivileged podman container, see [https://community.openvpn.net/openvpn/wiki/UnprivilegedUser#RunOpenVPNwithinunprivilegedpodmancontainer this section of OpenVPN HowTo]
 +
 
 +
{{Tip|[[#openvpn-unroot]] describes a tool to automate above setup.}}
 +
 
 +
=== Converting certificates to encrypted .p12 format ===
 +
 
 +
Some software will only read VPN certificates that are stored in a password-encrypted .p12 file. These can be generated with the following command:
 +
{{bc|# openssl pkcs12 -export -inkey keys/bugs.key -in keys/bugs.crt -certfile keys/ca.crt -out keys/bugs.p12}}
  
Run {{ic|# openvpn /etc/openvpn/server.conf}} on the server, and {{ic|# openvpn /etc/openvpn/client.conf}} on the client.  You should see something similar to this:
+
=== Testing the OpenVPN configuration ===
  
{{hc|# openvpn /etc/openvpn/server.conf|<nowiki>
+
Run {{ic|# openvpn /etc/openvpn/server/server.conf}} on the server, and {{ic|# openvpn /etc/openvpn/client/client.conf}} on the client.  Example output should be similar to the following:
 +
 
 +
{{hc|# openvpn /etc/openvpn/server/server.conf|2=
 
Wed Dec 28 14:41:26 2011 OpenVPN 2.2.1 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011
 
Wed Dec 28 14:41:26 2011 OpenVPN 2.2.1 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011
 
Wed Dec 28 14:41:26 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
 
Wed Dec 28 14:41:26 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
 
Wed Dec 28 14:41:26 2011 Diffie-Hellman initialized with 2048 bit key
 
Wed Dec 28 14:41:26 2011 Diffie-Hellman initialized with 2048 bit key
Wed Dec 28 14:41:26 2011 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
+
.
Wed Dec 28 14:41:26 2011 Socket Buffers: R=[126976->131072] S=[126976->131072]
+
.
Wed Dec 28 14:41:26 2011 ROUTE default_gateway=10.66.0.1
 
Wed Dec 28 14:41:26 2011 TUN/TAP device tun0 opened
 
Wed Dec 28 14:41:26 2011 TUN/TAP TX queue length set to 100
 
Wed Dec 28 14:41:26 2011 /usr/sbin/ip link set dev tun0 up mtu 1500
 
Wed Dec 28 14:41:26 2011 /usr/sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
 
Wed Dec 28 14:41:26 2011 /usr/sbin/ip route add 10.8.0.0/24 via 10.8.0.2
 
Wed Dec 28 14:41:26 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
 
Wed Dec 28 14:41:26 2011 GID set to nobody
 
Wed Dec 28 14:41:26 2011 UID set to nobody
 
Wed Dec 28 14:41:26 2011 UDPv4 link local (bound): [undef]:1194
 
Wed Dec 28 14:41:26 2011 UDPv4 link remote: [undef]
 
Wed Dec 28 14:41:26 2011 MULTI: multi_init called, r=256 v=256
 
Wed Dec 28 14:41:26 2011 IFCONFIG POOL: base=10.8.0.4 size=62
 
Wed Dec 28 14:41:26 2011 IFCONFIG POOL LIST
 
Wed Dec 28 14:41:26 2011 Initialization Sequence Completed
 
Wed Dec 28 14:41:51 2011 MULTI: multi_create_instance called
 
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Re-using SSL/TLS context
 
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 LZO compression initialized
 
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
 
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
 
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Local Options hash (VER=V4): '530fdded'
 
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Expected Remote Options hash (VER=V4): '41690919'
 
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 TLS: Initial packet from 95.126.136.73:48904, sid=163f4a5e e0399137
 
Wed Dec 28 14:41:53 2011 95.126.136.73:48904 VERIFY OK: depth=1, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=Acme-CA/name=Acme-CA/emailAddress=roadrunner@acmecorp.org
 
Wed Dec 28 14:41:53 2011 95.126.136.73:48904 VERIFY OK: depth=0, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=bugs/name=Acme-CA/emailAddress=roadrunner@acmecorp.org
 
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
 
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
 
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
 
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
 
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
 
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 [bugs] Peer Connection Initiated with 95.126.136.73:48904
 
Wed Dec 28 14:41:54 2011 bugs/95.126.136.73:48904 MULTI: Learn: 10.8.0.6 -> bugs/95.126.136.73:48904
 
 
Wed Dec 28 14:41:54 2011 bugs/95.126.136.73:48904 MULTI: primary virtual IP for bugs/95.126.136.73:48904: 10.8.0.6
 
Wed Dec 28 14:41:54 2011 bugs/95.126.136.73:48904 MULTI: primary virtual IP for bugs/95.126.136.73:48904: 10.8.0.6
 
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 PUSH: Received control message: 'PUSH_REQUEST'
 
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 PUSH: Received control message: 'PUSH_REQUEST'
 
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 SENT CONTROL [bugs]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
 
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 SENT CONTROL [bugs]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
</nowiki>}}
+
}}
  
{{hc|# openvpn /etc/openvpn/client.conf|<nowiki>
+
{{hc|# openvpn /etc/openvpn/client/client.conf|2=
 
Wed Dec 28 14:41:50 2011 OpenVPN 2.2.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011
 
Wed Dec 28 14:41:50 2011 OpenVPN 2.2.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011
 
Wed Dec 28 14:41:50 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
 
Wed Dec 28 14:41:50 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Dec 28 14:41:50 2011 LZO compression initialized
+
.
Wed Dec 28 14:41:50 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
+
.
Wed Dec 28 14:41:50 2011 Socket Buffers: R=[114688->131072] S=[114688->131072]
 
Wed Dec 28 14:41:51 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
 
Wed Dec 28 14:41:51 2011 Local Options hash (VER=V4): '41690919'
 
Wed Dec 28 14:41:51 2011 Expected Remote Options hash (VER=V4): '530fdded'
 
Wed Dec 28 14:41:51 2011 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
 
Wed Dec 28 14:41:51 2011 UDPv4 link local: [undef]
 
Wed Dec 28 14:41:51 2011 UDPv4 link remote: 85.93.204.250:1194
 
Wed Dec 28 14:41:51 2011 TLS: Initial packet from 85.93.204.250:1194, sid=5f379f35 50c9ab11
 
Wed Dec 28 14:41:52 2011 VERIFY OK: depth=1, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=Acme-CA/name=Acme-CA/emailAddress=roadrunner@acmecorp.org
 
Wed Dec 28 14:41:52 2011 VERIFY OK: nsCertType=SERVER
 
Wed Dec 28 14:41:52 2011 VERIFY OK: depth=0, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=elmer/name=Acme-CA/emailAddress=roadrunner@acmecorp.org
 
Wed Dec 28 14:41:54 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
 
Wed Dec 28 14:41:54 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
 
Wed Dec 28 14:41:54 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
 
Wed Dec 28 14:41:54 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
 
Wed Dec 28 14:41:54 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
 
Wed Dec 28 14:41:54 2011 [elmer] Peer Connection Initiated with 85.93.204.250:1194
 
Wed Dec 28 14:41:57 2011 SENT CONTROL [elmer]: 'PUSH_REQUEST' (status=1)
 
Wed Dec 28 14:41:57 2011 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
 
Wed Dec 28 14:41:57 2011 OPTIONS IMPORT: timers and/or timeouts modified
 
Wed Dec 28 14:41:57 2011 OPTIONS IMPORT: --ifconfig/up options modified
 
Wed Dec 28 14:41:57 2011 OPTIONS IMPORT: route options modified
 
Wed Dec 28 14:41:57 2011 ROUTE default_gateway=10.64.64.64
 
Wed Dec 28 14:41:57 2011 TUN/TAP device tun1 opened
 
Wed Dec 28 14:41:57 2011 TUN/TAP TX queue length set to 100
 
Wed Dec 28 14:41:57 2011 /usr/sbin/ip link set dev tun1 up mtu 1500
 
Wed Dec 28 14:41:57 2011 /usr/sbin/ip addr add dev tun1 local 10.8.0.6 peer 10.8.0.5
 
Wed Dec 28 14:41:57 2011 /usr/sbin/ip route add 10.8.0.1/32 via 10.8.0.5
 
 
Wed Dec 28 14:41:57 2011 GID set to nobody
 
Wed Dec 28 14:41:57 2011 GID set to nobody
 
Wed Dec 28 14:41:57 2011 UID set to nobody
 
Wed Dec 28 14:41:57 2011 UID set to nobody
 
Wed Dec 28 14:41:57 2011 Initialization Sequence Completed
 
Wed Dec 28 14:41:57 2011 Initialization Sequence Completed
</nowiki>}}
+
}}
 +
 
 +
[[Network configuration#IP addresses|Find the IP address]] assigned to the tunX interface on the server, and [[ping]] it from the client.
 +
 
 +
[[Network configuration#IP addresses|Find the IP address]] assigned to the tunX interface on the client, and [[ping]] it from the server.
 +
 
 +
{{Note|If using a firewall, make sure that IP packets on the TUN device are not blocked.}}
 +
 
 +
=== Configure the MTU with Fragment and MSS ===
 +
 
 +
If experiencing issues when using (remote) services over OpenVPN (e.g. web browsing, [[DNS]], [[NFS]]), it may be needed to set a MTU value manually.
 +
 
 +
The following message may indicate the MTU value should be adjusted:
 +
 
 +
read UDPv4 [EMSGSIZE Path-MTU=1407]: Message too long (code=90)
 +
 
 +
In order to get the  maximum segment size (MSS), the client needs to discover the smallest MTU along the path to the server. In order to do this  ping the server and disable fragmentation, then specify the maximum packet size [https://www.sonassi.com/help/troubleshooting/setting-correct-mtu-for-openvpn]:
 +
 
 +
# ping -M do -s 1500 -c 1 example.com
 +
 
 +
Decrease the 1500 value by 10 each time, until the ping succeeds.
 +
 
 +
{{Note|Clients that do not support the 'fragment' directive (e.g. OpenELEC, [https://docs.openvpn.net/connecting/connecting-to-access-server-with-apple-ios/faq-regarding-openvpn-connect-ios/ iOS app]) are not able to connect to a server that uses the {{ic|fragment}} directive. See {{ic|mtu-test}} as alternative solution.}}
 +
 
 +
Update the client configuration to use the succeeded MTU value, e.g.:
 +
 
 +
{{hc|/etc/openvpn/client/client.conf|
 +
remote example.com 1194
 +
...
 +
tun-mtu 1400
 +
mssfix 1360
 +
}}
 +
 
 +
OpenVPN may be instructed to test the MTU every time on client connect. Be patient, since the client may not inform about the test being run and the connection may appear as nonfunctional until finished.  The following will add about 3 minutes to OpenVPN start time. It is advisable to configure the fragment size unless a client will be connecting over many different networks and the bottle neck is not on the server side:
 +
 
 +
{{hc|/etc/openvpn/client/client.conf|
 +
remote example.com 1194
 +
...
 +
mtu-test
 +
...
 +
}}
 +
 
 +
=== IPv6 ===
 +
 
 +
==== Connect to the server via IPv6 ====
 +
 
 +
Starting from OpenVPN 2.4, OpenVPN will use {{ic|AF_INET}} defined by the OS when just using {{ic|proto udp}} or {{ic|proto tcp}}, which in most cases will be IPv4 only. To use both IPv4 and IPv6, use {{ic|proto udp6}} or {{ic|proto tcp6}}. To enforce only IPv4-only, you need to use {{ic|proto udp4}} or {{ic|proto tcp4}}. On older OpenVPN versions, one server instance can only support either IPv4 or IPv6.
 +
 
 +
==== Provide IPv6 inside the tunnel ====
 +
 
 +
In order to provide IPv6 inside the tunnel, have an IPv6 prefix routed to the OpenVPN server. Either set up a static route on the gateway (if a static block is assigned), or use a DHCPv6 client to get a prefix with DHCPv6 Prefix delegation (see [[IPv6#Prefix delegation (DHCPv6-PD)|IPv6 Prefix delegation]] for details). Also consider using a unique local address from the address block fc00::/7. Both methods have advantages and disadvantages:
 +
 
 +
* Many ISPs only provide dynamically changing IPv6 prefixes. OpenVPN does not support prefix changes, so change the server.conf every time the prefix is changed (Maybe can be automated with a script).
 +
* ULA addresses are not routed to the Internet, and setting up NAT is not as straightforward as with IPv4. This means one cannot route the entire traffic over the tunnel. Those wanting to connect two sites via IPv6, without the need to connect to the Internet over the tunnel, may want to use the ULA addresses for ease.
 +
 
 +
Alternatively, if you have no access to these mentioned methods, an NDP proxy should work. See [https://unix.stackexchange.com/questions/136211/routing-public-ipv6-traffic-through-openvpn-tunnel this StackExchange post].
 +
 
 +
After having received a prefix (a /64 is recommended), append the following to the server.conf:
 +
 
 +
server-ipv6 2001:db8:0:123::/64
 +
 
 +
This is the IPv6 equivalent to the default 10.8.0.0/24 network of OpenVPN and needs to be taken from the DHCPv6 client. Or use for example fd00:1234::/64.
 +
 
 +
Those wanting to push a route to a home network (192.168.1.0/24 equivalent), need to also append:
 +
 
 +
push "route-ipv6 2001:db8:0:abc::/64"
 +
 
 +
OpenVPN does not yet include DHCPv6, so there is no method to e.g. push DNS server over IPv6. This needs to be done with IPv4. The [https://community.openvpn.net/openvpn/wiki/IPv6 OpenVPN Wiki] provides some other configuration options.
 +
 
 +
== Starting OpenVPN ==
 +
 
 +
=== Manual startup ===
 +
 
 +
To troubleshoot a VPN connection, start the client's daemon manually with {{ic|openvpn /etc/openvpn/client/client.conf}} as root. The server can be started the same way using its own configuration file (e.g., {{ic|openvpn /etc/openvpn/server/server.conf}}).
 +
 
 +
=== systemd service configuration ===
 +
 
 +
To start the OpenVPN server automatically at system boot, [[enable]] {{ic|openvpn-server@''<configuration>''.service}} on the applicable machine. For a client, [[enable]] {{ic|openvpn-client@''<configuration>''.service}} instead. (Leave {{ic|.conf}} out of the {{ic|<configuration>}} string.)
 +
 
 +
For example, if the client configuration file is {{ic|/etc/openvpn/client/''client''.conf}}, the service name is {{ic|openvpn-client@''client''.service}}. Or, if the server configuration file is {{ic|/etc/openvpn/server/''server''.conf}}, the service name is {{ic|openvpn-server@''server''.service}}.
 +
 
 +
=== Letting NetworkManager start a connection ===
 +
 
 +
One might not always need to run a VPN tunnel and/or only want to establish it for a specific NetworkManager connection. This can be done by adding a script to {{ic|/etc/NetworkManager/dispatcher.d/}}. In the following example "Provider" is the name of the NetworkManager connection:
 +
 
 +
{{hc|/etc/NetworkManager/dispatcher.d/10-openvpn|2=
 +
#!/bin/bash
 +
 
 +
case "$2" in
 +
  up)
 +
    if [ "$CONNECTION_ID" == "Provider" ]; then
 +
      systemctl start openvpn-client@''<configuration>''
 +
    fi
 +
  ;;
 +
  down)
 +
    systemctl stop openvpn-client@''<configuration>''
 +
  ;;
 +
esac}}
 +
 
 +
See [[NetworkManager#Network services with NetworkManager dispatcher]] for more details.
 +
 
 +
=== Gnome configuration ===
 +
 
 +
To connect to an OpenVPN server through Gnome's built-in network configuration do the following. First, install {{pkg|networkmanager-openvpn}}. Then go to the Settings menu and choose Network. Click the plus sign to add a new connection and choose VPN. From there, choose OpenVPN and manually enter the settings. One can optionally import [[#The client config profile]]. Yet, be aware NetworkManager does not show error messages for options it does not import. To connect to the VPN simply turn the connection on and check the options are applied (e.g. via {{ic|journalctl -b -u NetworkManager}}).
 +
 
 +
== Routing client traffic through the server ==
 +
 
 +
Without further configuration only traffic directly to and from the OpenVPN server's IP passes through the VPN. To have other traffic, like web traffic pass through the VPN, correspondent routes must be added. You can either add routes in the client's configuration or configure the server to push these routes to the client.
 +
 
 +
To redirect traffic to and from a subnet of the server, add {{ic|push "route <address pool> <subnet>"}} right before the {{ic|remote <address> <port> udp/tcp}}, like:
 +
 
 +
route 192.168.1.0 255.255.255.0
 +
 
 +
To redirect all traffic including Internet traffic to the server, add the following in the client's configuration:
 +
 
 +
redirect-gateway def1 bypass-dhcp ipv6
 +
 
 +
If you are running an IPv4-only server, drop the {{ic|ipv6}} option. If you are going IPv6-only, use {{ic|redirect-gateway ipv6 !ipv4}}.
 +
 
 +
To make the server push routes, [[append]] {{ic|push "redirect-gateway def1 bypass-dhcp ipv6"}} to the configuration file (i.e. {{ic|/etc/openvpn/server/server.conf}}) [http://openvpn.net/index.php/open-source/documentation/howto.html#redirect] of the server. Note this is not a requirement and may even give performance issue:
 +
 
 +
push "redirect-gateway def1 bypass-dhcp ipv6"
 +
 
 +
If you are running an IPv4-only server, drop the {{ic|ipv6}} option. If you are going IPv6-only, use {{ic|push "redirect-gateway ipv6 !ipv4"}}
 +
 
 +
Use the {{ic|push "route <address pool> <subnet>"}} option to allow clients reaching other subnets/devices behind the server:
 +
 
 +
push "route 192.168.1.0 255.255.255.0"
 +
push "route 192.168.2.0 255.255.255.0"
 +
 
 +
Optionally, push local [[DNS]] settings to clients (e.g. the DNS-server of the router and domain prefix ''.internal''):
 +
 
 +
{{Note|One may need to use a simple [[DNS]] forwarder like [[BIND]] and push the IP address of the OpenVPN server as DNS to clients.}}
 +
 
 +
push "dhcp-option DNS 192.168.1.1"
 +
push "dhcp-option DOMAIN internal"
 +
 
 +
After setting up the configuration file, [[Internet_sharing#Enable_packet_forwarding|enable packet forwarding]] on the server. Additionally, the server's [[firewall]] needs to be adjusted to allow VPN traffic, which is described below for both [[#ufw|ufw]] and [[#iptables|iptables]].
 +
 
 +
{{Note|There are potential pitfalls when routing all traffic through a VPN server. Refer to the [http://openvpn.net/index.php/open-source/documentation/howto.html#redirect OpenVPN documentation] for more information.}}
 +
 
 +
=== Firewall configuration ===
 +
 
 +
==== firewalld ====
 +
 
 +
If you use the default port 1194, enable the {{ic|openvpn}} service. Otherwise, create a new service with a different port.
 +
 
 +
# firewall-cmd --zone=public --add-service openvpn
 +
 
 +
Now add masquerade to the zone:
 +
 
 +
# firewall-cmd --zone=FedoraServer --add-masquerade
 +
 
 +
Make these changes permanent:
 +
 
 +
# firewall-cmd --runtime-to-permanent
 +
 
 +
==== ufw ====
 +
 
 +
In order to allow [[ufw]] forwarding (VPN) traffic [[append]] the following to {{ic|/etc/default/ufw}}:
 +
 
 +
{{hc|/etc/default/ufw|2=
 +
DEFAULT_FORWARD_POLICY="ACCEPT"
 +
}}
 +
 
 +
Change {{ic|/etc/ufw/before.rules}}, and [[append]] the following code after the header and before the "*filter" line:
 +
* Change the IP/subnet mask to match the {{ic|server}} set in the OpenVPN server configuration.
 +
* Change the [[Network_configuration#Check_the_connection|network interface]] to the connection used by OpenVPN server.
 +
 
 +
{{hc|/etc/ufw/before.rules|2=
 +
# NAT (Network Address Translation) table rules
 +
*nat
 +
:POSTROUTING ACCEPT [0:0]
  
On the server, find the IP assigned to the tunX device:
+
# Allow traffic from clients to the interface
 +
-A POSTROUTING -s 10.8.0.0/24 -o ''interface'' -j MASQUERADE
  
{{hc|# ip addr show|<nowiki>
+
# Optionally duplicate this line for each subnet if your setup requires it
.
+
-A POSTROUTING -s 10.8.1.0/24 -o ''interface'' -j MASQUERADE
.
+
 
.
+
# do not delete the "COMMIT" line or the NAT table rules above will not be processed
40: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
+
COMMIT
    link/none
+
 
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0</nowiki>}}
+
# Don't delete these required lines, otherwise there will be errors
 +
*filter
 +
..
 +
}}
 +
 
 +
Make sure to open the chosen OpenVPN port (default 1194/udp):
 +
 
 +
# ufw allow 1194/udp
  
Here we see that the server end of the tunnel has been given the IP address 10.8.0.1.
+
To apply the changes. [[reload]]/[[restart]] ufw:
  
Do the same on the client:
+
# ufw reload
  
{{hc|# ip addr show|<nowiki>
+
==== iptables ====
.
 
.
 
.
 
37: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
 
    link/none
 
    inet 10.8.0.6 peer 10.8.0.5/32 scope global tun1</nowiki>}}
 
  
And the client side has been given the IP 10.8.0.6.
+
In order to allow VPN traffic through an [[iptables]] firewall, first create an iptables rule for NAT forwarding [http://openvpn.net/index.php/open-source/documentation/howto.html#redirect] on the server. An example (assuming the interface to forward to is named {{ic|eth0}}):
  
Now try pinging the interfaces.
+
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
  
On the server:
+
If running multiple servers on different IP pools, add a corresponding line for each one, for example:
  
{{hc|# ping 10.8.0.6|<nowiki>
+
# iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.
 
64 bytes from 10.8.0.6: icmp_req=1 ttl=64 time=238 ms
 
64 bytes from 10.8.0.6: icmp_req=2 ttl=64 time=237 ms
 
64 bytes from 10.8.0.6: icmp_req=3 ttl=64 time=205 ms
 
^C
 
--- 10.8.0.6 ping statistics ---
 
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
 
rtt min/avg/max/mdev = 205.862/227.266/238.788/15.160 ms
 
</nowiki>}}
 
  
On the client:
+
If the server cannot be pinged through the VPN, one may need to add explicit rules to open up TUN/TAP interfaces to all traffic. If that is the case, do the following [https://community.openvpn.net/openvpn/wiki/255-qconnection-initiated-with-xxxxq-but-i-cannot-ping-the-server-through-the-vpn]:
  
{{hc|# ping 10.8.0.1|<nowiki>
+
{{Warning|There are security implications for the following rules if one does not trust all clients which connect to the server. Refer to the [https://community.openvpn.net/openvpn/wiki/255-qconnection-initiated-with-xxxxq-but-i-cannot-ping-the-server-through-the-vpn OpenVPN documentation on this topic] for more details.}}
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
 
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=158 ms
 
64 bytes from 10.8.0.1: icmp_req=2 ttl=64 time=158 ms
 
64 bytes from 10.8.0.1: icmp_req=3 ttl=64 time=157 ms
 
^C
 
--- 10.8.0.1 ping statistics ---
 
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
 
rtt min/avg/max/mdev = 157.426/158.278/158.940/0.711 ms
 
</nowiki>}}
 
  
You now have a working OpenVPN installation, and your client (bugs) will be able to use services on the server (elmer), and vice versa.
+
# iptables -A INPUT -i tun+ -j ACCEPT
 +
# iptables -A FORWARD -i tun+ -j ACCEPT
 +
# iptables -A INPUT -i tap+ -j ACCEPT
 +
# iptables -A FORWARD -i tap+ -j ACCEPT
  
==Starting OpenVPN==
+
Additionally be sure to accept connections from the OpenVPN port (default 1194) and through the physical interface:
  
{{Expansion|This section needs to add systemd instructions}}
+
# iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
 +
# iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
 +
# iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
 +
# iptables -A FORWARD -i tap+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
 +
# iptables -A FORWARD -i eth0 -o tap+ -m state --state RELATED,ESTABLISHED -j ACCEPT
  
To manually start OpenVPN (both server and client), run:
+
When satisfied, make the changes permanent as shown in [[iptables#Configuration and usage]].
  
{{bc|# rc.d start openvpn}}
+
Those with multiple {{ic|tun}} or {{ic|tap}} interfaces, or more than one VPN configuration can "pin" the name of the interface by specifying it in the OpenVPN config file, e.g. {{ic|tun22}} instead of {{ic|tun}}. This is advantageous if different firewall rules for different interfaces or OpenVPN configurations are wanted.
  
To have your system run OpenVPN automatically at system start, add openvpn to the daemon array in /etc/rc.conf.
+
=== Prevent leaks if VPN goes down ===
  
=== Systemd service configuration ===
+
This prevents all traffic through the default interface (enp3s0 for example) and only allows traffic through tun0.
Create a template service file for [[Systemd]]:
+
If the OpenVPN connection drops, the system will lose its internet access thereby preventing connections through the default network interface.
{{hc|/etc/systemd/system/openvpn@.service|<nowiki>
 
[Unit]
 
Description=Openvpn Service %I
 
Requires=network.target
 
After=network.target
 
  
[Service]
+
One may want to set up a script to restart OpenVPN if it goes down.
Type=simple
 
ExecStartPre=/bin/mkdir -p "/var/run/openvpn/%I"
 
ExecStart=/usr/sbin/openvpn --user openvpn --group openvpn --chroot /var/run/openvpn --config "/etc/openvpn/%I.conf"
 
ExecReload=/bin/kill -HUP $MAINPID</nowiki>}}
 
Then symlink it, while including the OpenVPN configuration profile name. For example:
 
{{bc|# ln -s /usr/lib/systemd/system/openvpn@.service /etc/systemd/system/multi-user.target.wants/openvpn@client.service}}
 
After that, reload your systemd manager configuration:
 
{{bc|# systemctl daemon-reload}}
 
Now you can start the OpenVPN daemon and enable it permanentely:
 
{{bc|# systemctl enable openvpn@client.service
 
# systemctl start openvpn@client.service}}
 
  
==Advanced L3 IP routing==
+
==== ufw ====
  
===Prerequisites for routing a LAN===
+
  # Default policies
 +
  ufw default deny incoming
 +
  ufw default deny outgoing
 +
 
 +
  # Openvpn interface (adjust interface accordingly to your configuration)
 +
  ufw allow in on tun0
 +
  ufw allow out on tun0
 +
 
 +
  # Local Network (adjust ip accordingly to your configuration)
 +
  ufw allow in on enp3s0 from 192.168.1.0/24
 +
  ufw allow out on enp3s0 to 192.168.1.0/24
 +
 
 +
  # Openvpn (adjust port accordingly to your configuration)
 +
  ufw allow in on enp3s0 from any port 1194
 +
  ufw allow out on enp3s0 to any port 1194
  
====IPv4 forwarding====
 
  
For a host to be able to forward IPv4 packets between the LAN and VPN, it must be able to forward the packets between its NIC and its tun/tap device.
+
{{Warning|DNS '''will not''' work '''unless''' running a dedicated DNS server like [[BIND]].
 +
Alternatively, one can allow DNS leaks. '''Be sure to trust your DNS server!'''
 +
  # DNS
 +
  ufw allow in from any to any port 53
 +
  ufw allow out from any to any port 53
 +
}}
  
Edit {{ic|etc/sysctl.conf}} to permanently enable ipv4 packet forwarding (takes effect at the next boot):
+
==== vpnfailsafe ====
  
{{hc|/etc/sysctl.conf|<nowiki>
+
Alternatively, the [https://github.com/wknapik/vpnfailsafe vpnfailsafe] ({{AUR|vpnfailsafe-git}}) script can be used by the client to prevent DNS leaks and ensure that all traffic to the internet goes over the VPN. If the VPN tunnel goes down, internet access will be cut off, except for connections to the VPN server(s). The script contains the functionality of [[#The update-resolv-conf custom script|update-resolv-conf]], so the two do not need to be combined.
# Enable packet forwarding
 
net.ipv4.ip_forward=1
 
</nowiki>}}
 
  
To temporarily enable without rebooting: {{ic|# echo 1 > /proc/sys/net/ipv4/ip_forward}}
+
== Layer-3 IPv4 routing==
  
====Promiscious LAN inteface====
+
This section describes how to connect client/server LANs to each other using Layer-3 IPv4 routing.
 
The forwarding host's NIC (eth0 in the following examples) must also be able to accept packets for a different IP address than it is configured for, something known as [[Wikipedia:Promiscuous_mode|promiscious mode]]. To enable, add the following to {{ic|/etc/rc.local}} (takes effect at the next boot):
 
  
{{hc|/etc/rc.local|ip link set dev eth0 promisc on}}
+
=== Prerequisites for routing a LAN ===
  
To temporarily enable without rebooting: {{ic|# ip link set dev eth0 promisc on}}
+
For a host to be able to forward IPv4 packets between the LAN and VPN, it must be able to forward the packets between its NIC and its tun/tap device. See [[Internet sharing#Enable packet forwarding]] for configuration details.
  
====Routing tables====
+
==== Routing tables ====
  
 
{{Accuracy|Investigate if a routing protocol like RIP, QUAGGA, BIRD, etc can be used}}
 
{{Accuracy|Investigate if a routing protocol like RIP, QUAGGA, BIRD, etc can be used}}
Line 332: Line 510:
 
* Use [[iptables]]' NAT feature on the LAN/VPN gateway to masquerade the incoming VPN IP packets.
 
* Use [[iptables]]' NAT feature on the LAN/VPN gateway to masquerade the incoming VPN IP packets.
  
===Route a server side LAN to a client===
+
=== Connect the server LAN to a client ===
  
The server is on a LAN using the 10.66.0.0/24 subnet.  To inform the client about the available subnet, add a push directive to the server configuration file:{{hc|/etc/openvpn/server.conf|push "route 10.66.0.0 255.255.255.0"}}
+
The server is on a LAN using the 10.66.0.0/24 subnet.  To inform the client about the available subnet, add a push directive to the server configuration file:{{hc|/etc/openvpn/server/server.conf|push "route 10.66.0.0 255.255.255.0"}}
  
{{Note|Remember to enable ipv4 forwarding and to make the LAN interface promiscuous on the server. Make sure the server LAN knows how to reach the VPN client.}}
+
{{Note|To route more LANs from the server to the client, add more push directives to the server configuration file, but keep in mind that the server side LANs will need to know how to route to the client.
 +
}}
  
{{Note|To route more LANs from the server to the client, add more push directives to the server configuration file, but keep in mind that the server side LANs will need to know how to route to the client.}}
+
=== Connect the client LAN to a server ===
 
 
===Route a client side LAN to a server===
 
  
 
Prerequisites:
 
Prerequisites:
Line 347: Line 524:
 
* Each client's certificate has a unique Common Name, in this case bugs.
 
* Each client's certificate has a unique Common Name, in this case bugs.
 
* The server may not use the duplicate-cn directive in its config file.
 
* The server may not use the duplicate-cn directive in its config file.
 +
* The CCD folder must be accessible via user and group defined in the server config file (typically nobody:nobody)
  
 
Create a client configuration directory on the server.  It will be searched for a file named the same as the client's common name, and the directives will be applied to the client when it connects.
 
Create a client configuration directory on the server.  It will be searched for a file named the same as the client's common name, and the directives will be applied to the client when it connects.
  
{{bc|# mkdir -p /etc/openvpn/ccd}}
+
# mkdir -p /etc/openvpn/ccd
  
 
Create a file in the client configuration directory called bugs, containing the {{ic|iroute 192.168.4.0 255.255.255.0}} directive.  It tells the server what subnet should be routed to the client:
 
Create a file in the client configuration directory called bugs, containing the {{ic|iroute 192.168.4.0 255.255.255.0}} directive.  It tells the server what subnet should be routed to the client:
Line 358: Line 536:
 
Add the client-config-dir and the {{ic|route 192.168.4.0 255.255.255.0}} directive to the server configuration file. It tells the server what subnet should be routed from the tun device to the server LAN:
 
Add the client-config-dir and the {{ic|route 192.168.4.0 255.255.255.0}} directive to the server configuration file. It tells the server what subnet should be routed from the tun device to the server LAN:
  
{{hc|/etc/openvpn/server.conf|
+
{{hc|/etc/openvpn/server/server.conf|
 
client-config-dir ccd
 
client-config-dir ccd
 
route 192.168.4.0 255.255.255.0
 
route 192.168.4.0 255.255.255.0
 
}}
 
}}
  
{{Note|Remember to enable ipv4 forwarding and to make the LAN interface promiscuous on the client. Make sure the client LAN knows how to reach the VPN server.}}
+
{{Note|To route more LANs from the client to the server, add more iroute and route directives to the appropriate configuration files, but keep in mind that the client side LANs will need to know how to route to the server.
 +
}}
 +
 
 +
=== Connect both the client and server LANs ===
  
{{Note| To route more LANs from the client to the server, add more iroute and route directives to the appropriate configuration files, but keep in mind that the client side LANs will need to know how to route to the server.}}
+
Combine the two previous sections:
  
==L2 Ethernet bridging==
+
{{hc|/etc/openvpn/server/server.conf|
 +
push "route 10.66.0.0 255.255.255.0"
 +
.
 +
.
 +
client-config-dir ccd
 +
route 192.168.4.0 255.255.255.0
 +
}}
 +
 
 +
{{hc|/etc/openvpn/ccd/bugs|iroute 192.168.4.0 255.255.255.0}}
 +
 
 +
{{Note|Remember to make sure that all the LANs or the needed hosts can route to all the destinations.}}
 +
 
 +
=== Connect clients and client LANs ===
 +
 
 +
By default clients will not see each other. To allow IP packets to flow between clients and/or client LANs, add a client-to-client directive to the server configuration file:
 +
 
 +
{{hc|/etc/openvpn/server/server.conf|
 +
client-to-client
 +
}}
  
{{Expansion|Please add a well thought out section on L2 bridging.}}
+
In order for another client or client LAN to see a specific client LAN, add a push directive for each client subnet to the server configuration file (this will make the server announce the available subnet(s) to other clients):
  
For now see: [[OpenVPN Bridge]]
+
{{hc|/etc/openvpn/server/server.conf|
 +
client-to-client
 +
push "route 192.168.4.0 255.255.255.0"
 +
push "route 192.168.5.0 255.255.255.0"
 +
..
 +
}}
  
==Contributions that do not yet fit into the main article==
+
{{Note|One may need to adjust the [[#Firewall configuration|firewall]] to allow client traffic passing through the VPN server.}}
  
{{Accuracy|Not quite sure where this fits into the main article yet}}
+
== DNS ==
 +
For Linux, the OpenVPN client can receive DNS host information from the server, but the client expects an external command to act on this information. No such commands are configured by default. They must be specified with the {{ic|up}} and {{ic|down}} config options. There are a few alternatives for what scripts to use, but none are officially recognised by OpenVPN, so in order for any of them to work, {{ic|script-security}} must be set to 2. The {{ic|down-root}} plugin can be used instead of the {{ic|down}} option if [[#Run as unprivileged user|running as an unprivileged user]].
  
===Routing client traffic through the server===
+
=== The pull-resolv-conf custom scripts ===
 +
These scripts are [https://github.com/OpenVPN/openvpn/tree/master/contrib/pull-resolv-conf maintained by] OpenVPN. They are {{ic|client.up}} and {{ic|client.down}}, and they are packaged in {{ic|/usr/share/openvpn/contrib/pull-resolv-conf/}}. The following is an excerpt of a resulting client configuration using the scripts in conjunction with the {{ic|down-root}} plugin:
  
Append the following to your server's openvpn.conf configuration file:
+
{{hc|/etc/openvpn/client/''clienttunnel''.conf|
{{bc|
+
user nobody
push "redirect-gateway def1"
+
group nobody
push "dhcp-option DNS 192.168.1.1"
+
# Optional, choose a suitable path to chroot into
 +
chroot /srv
 +
script-security 2
 +
up /usr/share/openvpn/contrib/pull-resolv-conf/client.up
 +
plugin /usr/lib/openvpn/plugins/openvpn-plugin-down-root.so "/usr/share/openvpn/contrib/pull-resolv-conf/client.down tun0"
 
}}
 
}}
Change "192.168.1.1" to your preferred DNS IP address.
 
  
If you have problems with non responsive DNS after connecting to server, install [[BIND]] as simple DNS forwarder and push openvpn ip address of server as DNS to clients.
+
These scripts use the {{ic|resolvconf}} command if present. [[Systemd-resolvconf]] and [[Openresolv]] both implement this command. See their wiki pages for more information on getting a working {{ic|resolvconf}} implementation.
  
====Configure ufw for routing====
+
{{Note|As of October 2019, systemd-resolvconf works as long as the systemd-resolved service is running. Openresolv will not work out of the box because {{ic|client.up}} will only create private DNS server entries. These require extra configuration of openresolv to work. See {{ic|man 8 resolvconf}} for more details on private DNS servers in openresolv.}}
Configure your ufw settings to enable routing traffic from clients through server.
 
  
You must change default forward policy, edit /etc/sysctl.conf to permanently enable ipv4 packet forwarding. Takes effect at the next boot.
+
If no implementation of {{ic|resolvconf}} is present, {{ic|client.up}} preserves the existing {{ic|resolv.conf}} at {{ic|/etc/resolv.conf.ovpnsave}} and writes a new one. This new one will not have any of the original DNS servers.
{{hc|/etc/sysctl.conf|<nowiki>
 
# Enable packet forwarding
 
net.ipv4.ip_forward=1
 
</nowiki>}}  
 
  
And then configure ufw in '''/etc/default/ufw'''
+
If you need to edit these scripts, copy them somewhere else and edit them there, so that your changes don't get overwritten by the next {{pkg|openvpn}} package upgrade. {{ic|/etc/openvpn/client}} is a pretty good place.
 +
# cp /usr/share/openvpn/contrib/pull-resolv-conf/* /etc/openvpn/client
 +
# $EDITOR /etc/openvpn/client/client.{up.,down}
 +
# # etc ...
  
{{hc|/etc/default/ufw|<nowiki>
+
=== The update-resolv-conf custom script ===
DEFAULT_FORWARD_POLICY=”ACCEPT”
 
</nowiki>}}
 
  
Now change '''/etc/ufw/before.rules''', add following code after header and before *filter line, don't forget to change ip range to yours
+
{{Note|Another script, [[#The update-systemd-resolved custom script|update-systemd-resolved]], is recommended by the author of update-resolv-conf for systems with systemd.}}
  
{{hc|/etc/ufw/before.rules|<nowiki>
+
The [https://github.com/masterkorp/openvpn-update-resolv-conf openvpn-update-resolv-conf] script is available as an alternative to packaged scripts. It needs to be saved for example at {{ic|/etc/openvpn/update-resolv-conf}} and made [[executable]].
# nat Table rules
+
 
*nat
+
If you prefer a package, there is {{AUR|openvpn-update-resolv-conf-git}} that does above for you. You still need to do the following.
:POSTROUTING ACCEPT [0:0]
+
 
 +
Once the script is installed add lines like the following into the OpenVPN client configuration file:
 +
 
 +
script-security 2
 +
up /etc/openvpn/update-resolv-conf
 +
down /etc/openvpn/update-resolv-conf
 +
 
 +
{{Note|If manually placing the script on the filesystem, be sure to have {{pkg|openresolv}} installed.}}
 +
 
 +
Now, when launching the OpenVPN connection, {{ic|resolv.conf}} should be updated accordingly, and also should get returned to normal when the connection is closed.
 +
 
 +
{{Note|When using {{ic|openresolv}} with the ''-p'' or ''-x'' options in a script (as both the included {{ic|client.up}} and {{ic|update-resolv-conf}} scripts currently do), a DNS resolver like {{Pkg|dnsmasq}} or {{Pkg|unbound}} is required for {{ic|openresolv}} to correctly update {{ic|/etc/resolv.conf}}.  In contrast, when using the default DNS resolution from {{ic|libc}} the ''-p'' and ''-x'' options must be removed in order for {{ic|/etc/resolv.conf}} to be correctly updated by {{ic|openresolv}}.
 +
For example, if the script contains a command like {{ic|resolvconf -p -a }} and the default DNS resolver from {{ic|libc}} is being used, change the command in the script to be {{ic|resolvconf -a }}.}}
 +
 
 +
=== The update-systemd-resolved custom script ===
  
# Allow traffic from clients to eth0
+
{{Note|Since [[systemd]] 229, [[systemd-networkd]] has exposed an API through DBus allowing management of DNS configuration on a per-link basis. Tools such as {{pkg|openresolv}} may not work reliably when {{ic|/etc/resolv.conf}} is managed by {{ic|systemd-resolved}}, and will not work at all if using {{ic|resolve}} instead of {{ic|dns}} in {{ic|/etc/nsswitch.conf}}.}}
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
 
  
# don.t delete the .COMMIT. line or these nat table rules won.t be processed
+
The [https://github.com/jonathanio/update-systemd-resolved update-systemd-resolved] script links OpenVPN with {{ic|systemd-resolved}} via DBus to update the DNS records.
COMMIT
 
</nowiki>}}
 
  
Open openvpn port 1194
+
Copy the script into {{ic|/etc/openvpn/scripts}} and mark as [[executable]] (or [[install]] {{AUR|openvpn-update-systemd-resolved}}) and [[append]] the following lines into the OpenVPN client configuration file:
  
{{bc|
+
{{hc|/etc/openvpn/client/client.conf|
ufw allow 1194
+
client
 +
remote example.com 1194 udp
 +
..
 +
script-security 2
 +
setenv PATH /usr/bin
 +
up /etc/openvpn/scripts/update-systemd-resolved
 +
down /etc/openvpn/scripts/update-systemd-resolved
 +
down-pre
 
}}
 
}}
  
====usage of iptables====
+
In order to send all DNS traffic through the VPN tunnel and prevent DNS leaks, also add the following line (see [https://github.com/jonathanio/update-systemd-resolved#dns-leakage]):
  
Use an iptable for NAT forwarding:
+
{{hc|/etc/openvpn/client/client.conf|
{{bc|
+
dhcp-option DOMAIN-ROUTE .
echo 1 > /proc/sys/net/ipv4/ip_forward
 
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
 
 
}}
 
}}
  
If running ArchLinux in a OpenVZ VPS environment [http://thecodeninja.net/linux/openvpn-archlinux-openvz-vps/]:
+
Make sure that the [[systemd-resolved]] service is configured and running.
{{bc|
+
 
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to (venet0 ip)
+
===Override DNS servers using NetworkManager===
}}
+
By default {{pkg|networkmanager-openvpn}} plugin appends DNS servers provided by OpenVPN to {{ic|/etc/resolv.conf}}. This may result in DNS instability (leakage).
 +
 
 +
The NetworkManager GUI does not provide any way to change this behavior, but it is possible to [https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1211110/comments/92 completely override] DNS using connection configuration file.
 +
 
 +
If the override is applied, queries for non-public DNS records are sent to the external resolver, see [https://bugs.launchpad.net/network-manager/+bug/1624317].
 +
 
 +
To use DNS settings provided by the VPN connection add {{ic|1=dns-priority=-1}} ([https://developer.gnome.org/NetworkManager/stable/settings-ipv4.html ipv4 section]) to the file located at {{ic|/etc/NetworkManager/system-connections/''your_vpn_name''}}, where {{ic|''your_vpn_name''}} is the name of your VPN connection.
 +
 
 +
Making changes to the VPN connection with the NetworkManager GUI will remove the setting above.
 +
 
 +
To verify that the correct DNS server(s) are configured, see {{ic|resolvectl status}} if systemd-resolved is in use, for other resolvers see [[Domain name resolution]].
 +
 
 +
== Layer-2 Ethernet bridging ==
 +
 
 +
{{Expansion|Please add a well thought out section on Layer-2 bridging.}}
 +
 
 +
For now see: [[OpenVPN Bridge]]
 +
 
 +
== Config generators ==
 +
 
 +
{{Warning|Users are highly recommended to pass through the manual configuration described above to gain knowledge about options and usage before using any additional automation scripts.}}
 +
 
 +
=== ovpngen ===
 +
 
 +
The {{AUR|ovpngen}} package provides a simple shell script that creates OpenVPN compatible tunnel profiles in the unified file format suitable for the OpenVPN Connect app for Android and iOS.
 +
 
 +
Simply invoke the script with 5 tokens:
 +
 
 +
# Server Fully Qualified Domain Name of the OpenVPN server (or IP address).
 +
# Full path to the CA cert.
 +
# Full path to the client cert.
 +
# Full path to the client private key.
 +
# Full path to the server TLS shared secret key.
 +
# Optionally a port number.
 +
# Optionally a protocol (udp or tcp).
 +
 
 +
Example:
 +
 
 +
# ovpngen example.org /etc/openvpn/server/ca.crt /etc/easy-rsa/pki/signed/client1.crt /etc/easy-rsa/pki/private/client1.key /etc/openvpn/server/ta.key > foo.ovpn
  
If all is well, make the changes permanent:
+
If the server is configured to use tls-crypt, as is suggested in [[#The server configuration file]], [https://github.com/graysky2/ovpngen/issues/4 manually edit] the resulting {{ic|foo.ovpn}} replacing {{ic|<tls-auth>}} and {{ic|</tls-auth>}} with {{ic|<tls-crypt>}} and {{ic|</tls-crypt>}}.
  
Edit /etc/conf.d/iptables and change IPTABLES_FORWARD=1
+
The resulting {{ic|foo.ovpn}} can be edited if desired as the script does insert some commented lines. {{ic|foo.ovpn}} will not automatically route all traffic through the VPN, so you may want to follow [[#Routing client traffic through the server]] to enable redirection.
  
{{bc|
+
The client expects this file to be located in {{ic|/etc/openvpn/client/foo.conf}}. Note the change in file extension from 'ovpn' to 'conf' in this case.
/etc/rc.d/iptables save
 
}}
 
  
 +
{{Tip|If the server.conf contains a specified cipher and/or auth line, it is highly recommended that users manually edit the generated .ovpn file adding matching lines for cipher and auth.  Failure to do so may results in connection errors!}}
  
===Configuring LDAP authorization===
+
=== openvpn-unroot ===
 
{{Accuracy|what does the following do, and is the package still supported?}}
 
You may also want to install {{AUR|openvpn-authldap-plugin}}, available in the [[Arch User Repository]].
 
  
===Deprecated older wiki content===
+
{{Note|If you intend to use a custom script, perhaps for configuring [[#DNS]], you must add these scripts to your config before calling openvpn-unroot on it. Failing to do so will cause problems if the scripts require root permissions.}}
  
{{Accuracy|See how this older content can be fitted into the new article}}
+
The steps necessary for OpenVPN to [[#Run as unprivileged user]], can be performed automatically using [https://github.com/wknapik/openvpn-unroot openvpn-unroot] ({{AUR|openvpn-unroot-git}}).
  
====Using PAM and passwords to authenticate====
+
It automates the actions required for the [https://community.openvpn.net/openvpn/wiki/UnprivilegedUser OpenVPN howto] by adapting it to systemd, and also working around the bug for persistent tun devices mentioned in the note.
{{bc|
 
port 1194
 
proto udp
 
dev tap
 
ca /etc/openvpn/easy-rsa/keys/ca.crt
 
cert /etc/openvpn/easy-rsa/keys/<MYSERVER>.crt
 
key /etc/openvpn/easy-rsa/keys/<MYSERVER>.key
 
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
 
server 192.168.56.0 255.255.255.0
 
ifconfig-pool-persist ipp.txt
 
;learn-address ./script
 
client-to-client
 
;duplicate-cn
 
keepalive 10 120
 
;tls-auth ta.key 0
 
comp-lzo
 
;max-clients 100
 
;user nobody
 
;group nobody
 
persist-key
 
persist-tun
 
status /var/log/openvpn-status.log
 
verb 3
 
client-cert-not-required
 
username-as-common-name
 
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
 
}}
 
  
====Using certs to authenticate====
+
== Troubleshooting ==
{{bc|
 
port 1194
 
proto tcp
 
dev tun0
 
  
ca /etc/openvpn/easy-rsa/keys/ca.crt
+
=== Client daemon not reconnecting after suspend ===
cert /etc/openvpn/easy-rsa/keys/<MYSERVER>.crt
 
key /etc/openvpn/easy-rsa/keys/<MYSERVER>.key
 
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
 
  
server 10.8.0.0 255.255.255.0
+
{{AUR|openvpn-reconnect}}, available on the AUR, solves this problem by sending a SIGHUP to openvpn after waking up from suspend.
ifconfig-pool-persist ipp.txt
 
keepalive 10 120
 
comp-lzo
 
user nobody
 
group nobody
 
persist-key
 
persist-tun
 
status /var/log/openvpn-status.log
 
verb 3
 
  
log-append /var/log/openvpn
+
Alternatively, restart OpenVPN after suspend by creating the following systemd service:
status /tmp/vpn.status 10
 
}}
 
  
====Routing traffic through the server====
+
{{hc|1=/etc/systemd/system/openvpn-reconnect.service|2=
 +
[Unit]
 +
Description=Restart OpenVPN after suspend
  
Append the following to your server's openvpn.conf configuration file:
+
[Service]
{{bc|
+
ExecStart=/usr/bin/pkill --signal SIGHUP --exact openvpn
push "dhcp-option DNS 192.168.1.1"
 
push "redirect-gateway def1"
 
}}
 
Change "192.168.1.1" to your external DNS IP address.
 
  
Use an iptable for NAT forwarding:
+
[Install]
{{bc|
+
WantedBy=sleep.target
echo 1 > /proc/sys/net/ipv4/ip_forward
 
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
 
 
}}
 
}}
  
If running ArchLinux in a OpenVZ VPS environment [http://thecodeninja.net/linux/openvpn-archlinux-openvz-vps/]:
+
[[Enable]] this service for it to take effect.
{{bc|
 
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to (venet0 ip)
 
}}
 
  
If all is well, make the changes permanent:
+
=== Connection drops out after some time of inactivity ===
  
Edit /etc/conf.d/iptables and change IPTABLES_FORWARD=1
+
If the VPN-Connection drops some seconds after it stopped transmitting data and, even though it states it is connected, no data can be transmitted through the tunnel, try adding a {{ic|keepalive}}directive to the server's configuration:
  
{{bc|
+
{{hc|/etc/openvpn/server/server.conf|
/etc/rc.d/iptables save
+
.
 +
.
 +
keepalive 10 120
 +
.
 +
.
 
}}
 
}}
  
====Setting up the Client====
+
In this case the server will send ping-like messages to all of its clients every 10 seconds, thus keeping the tunnel up.
The clientside .conf file
+
If the server does not receive a response within 120 seconds from a specific client, it will assume this client is down.
=====With password authentication=====
 
{{bc|
 
client
 
dev tap
 
proto udp
 
remote <address> 1194
 
resolv-retry infinite
 
nobind
 
persist-tun
 
comp-lzo
 
verb 3
 
auth-user-pass passwd
 
ca ca.crt
 
}}
 
  
passwd file (referenced by auth-user-pass) must contain two lines:
+
A small ping-interval can increase the stability of the tunnel, but will also cause slightly higher traffic. Depending on the connection, also try lower intervals than 10 seconds.
* first line - username
 
* second - password
 
  
=====Certs authentication=====
+
=== PID files not present ===
{{bc|
 
client
 
remote <MYSERVER> 1194
 
dev tun0
 
proto tcp
 
resolv-retry infinite
 
nobind
 
persist-key
 
persist-tun
 
verb 2
 
ca ca.crt
 
cert client1.crt
 
key client1.key
 
comp-lzo
 
}}
 
Copy three files from server to remote computer.
 
ca.crt
 
client1.crt
 
client1.key
 
  
Install the tunnel/tap module:
+
The default systemd service file for openvpn-client does not have the --writepid flag enabled, despite creating /var/run/openvpn-client. If this breaks a config (such as an i3bar VPN indicator), simply change {{ic|openvpn-client@.service}} using a [[drop-in snippet]]:
{{bc|
 
# sudo modprobe tun
 
}}
 
  
To have the '''tun''' module loaded automatically at boot time add it to the Modules line in /etc/rc.conf
+
[Service]
 +
ExecStart=
 +
ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf --writepid /var/run/openvpn-client/%i.pid
  
=====DNS=====
+
=== Route configuration fails with systemd-networkd ===
The DNS servers used by the system are defined in '''/etc/resolv.conf'''.  Traditionally, this file is the responsibility of whichever program deals with connecting the system to the network (e.g. Wicd, NetworkManager, etc...)  However, OpenVPN will need to modify this file if you want to be able to resolve names on the remote side.  To achieve this in a sensible way, install '''openresolv''', which makes it possible for more than one program to modify resolv.conf without stepping on each-other's toes.  Before continuing, test openresolv by restarting your network connection and ensuring that resolv.conf states that it was generated by "resolvconf", and that your DNS resolution still works as before.  You should not need to configure openresolv; it should be automatically detected and used by your network system.
 
  
Next, save the following script at '''/usr/share/openvpn/update-resolv-conf''':
+
When using [[systemd-networkd]] to manage network connections and attempting to tunnel all outgoing traffic through the VPN, OpenVPN may fail to add routes. This is a result of systemd-networkd attempting to manage the tun interface before OpenVPN finishes configuring the routes. When this happens, the following message will appear in the OpenVPN log.
{{bc|<nowiki>
 
#!/bin/bash
 
#
 
# Parses DHCP options from openvpn to update resolv.conf
 
# To use set as 'up' and 'down' script in your openvpn *.conf:
 
# up /etc/openvpn/update-resolv-conf
 
# down /etc/openvpn/update-resolv-conf
 
#
 
# Used snippets of resolvconf script by Thomas Hood <jdthood@yahoo.co.uk>
 
# and Chris Hanson
 
# Licensed under the GNU GPL.  See /usr/share/common-licenses/GPL.
 
#
 
# 05/2006 chlauber@bnc.ch
 
#
 
# Example envs set from openvpn:
 
# foreign_option_1='dhcp-option DNS 193.43.27.132'
 
# foreign_option_2='dhcp-option DNS 193.43.27.133'
 
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
 
  
[ -x /usr/sbin/resolvconf ] || exit 0
+
openvpn[458]: RTNETLINK answers: Network is unreachable
 +
openvpn[458]: ERROR: Linux route add command failed: external program exited with error status: 2
  
case $script_type in
+
From systemd-233, systemd-networkd can be configured to ignore the tun connections and allow OpenVPN to manage them. To do this, create the following file:
  
up)
+
{{hc|1=/etc/systemd/network/90-tun-ignore.network|2=
  for optionname in ${!foreign_option_*} ; do
+
[Match]
      option="${!optionname}"
+
Name=tun*
      echo $option
 
      part1=$(echo "$option" | cut -d " " -f 1)
 
      if [ "$part1" == "dhcp-option" ] ; then
 
        part2=$(echo "$option" | cut -d " " -f 2)
 
        part3=$(echo "$option" | cut -d " " -f 3)
 
        if [ "$part2" == "DNS" ] ; then
 
            IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
 
        fi
 
        if [ "$part2" == "DOMAIN" ] ; then
 
            IF_DNS_SEARCH="$part3"
 
        fi
 
      fi
 
  done
 
  R=""
 
  if [ "$IF_DNS_SEARCH" ] ; then
 
          R="${R}search $IF_DNS_SEARCH
 
"
 
  fi
 
  for NS in $IF_DNS_NAMESERVERS ; do
 
          R="${R}nameserver $NS
 
"
 
  done
 
  echo -n "$R" | /usr/sbin/resolvconf -a "${dev}.inet"
 
  ;;
 
down)
 
  /usr/sbin/resolvconf -d "${dev}.inet"
 
  ;;
 
esac
 
</nowiki>}}
 
  
Remember to make the file executable with:
+
[Link]
  $ chmod +x /usr/share/openvpn/update-resolv-conf
+
Unmanaged=true
Next, add the following lines to your OpenVPN client configuration file:
 
{{bc|
 
script-security 2
 
up /usr/share/openvpn/update-resolv-conf
 
down /usr/share/openvpn/update-resolv-conf
 
 
}}
 
}}
  
Now, when your launch your OpenVPN connection, you should find that your resolv.conf file is updated accordingly, and also returns to normal when your close the connection.
+
[[Restart]] {{ic|systemd-networkd.service}} to apply the changes. To verify that the changes took effect, start the previously problematic OpenVPN connection and run {{ic|networkctl}}. The output should have a line similar to the following:
 +
 
 +
7 tun0            none              routable    unmanaged
 +
 
 +
=== tls-crypt unwrap error: packet too short ===
  
====Connecting to the Server====
+
This error shows up in the server log when a client that does not support tls-crypt, or a client that is misconfigured to use tls-auth while the server is configured to use tls-crypt, attempts to connect.
You need to start the service on the server
+
 
{{bc|
+
To support clients that do not support tls-crypt, replace {{ic|tls-crypt ta.key}} with {{ic|tls-auth ta.key 0}} (the default) in {{ic|server.conf}}. Also replace {{ic|tls-crypt ta.key}} with {{ic|tls-auth ta.key 1}} (the default) in {{ic|client.conf}}.
/etc/rc.d/openvpn start
+
 
}}
+
== See also ==
You can add it to rc.conf to make it permanet.
 
  
On the client, in the home directory create a folder that will hold your OpenVPN client config files along with the '''.crt'''/'''.key''' files. Assuming your OpenVPN config folder is called '''.openvpn''' and your client config file is '''vpn1.conf''', to connect to the server issue the following command:
+
* [[Wikipedia:OpenVPN]]
{{bc|
+
* [https://www.infosecwriters.com/text_resources/pdf/securing_communication.pdf Securing Network Communication with Stunnel, OpenSSH, and OpenVPN] (PDF)
cd ~/.openvpn && sudo openvpn vpn1.conf
 
}}
 

Latest revision as of 14:04, 15 February 2020

This article describes a basic installation and configuration of OpenVPN, suitable for private and small business use. For more detailed information, please see the OpenVPN 2.4 man page and the OpenVPN documentation. OpenVPN is a robust and highly flexible VPN daemon. It supports SSL/TLS security, Ethernet bridging, TCP or UDP tunnel transport through proxies or NAT. Additionally it has support for dynamic IP addresses and DHCP, scalability to hundreds or thousands of users, and portability to most major OS platforms.

OpenVPN is tightly bound to the OpenSSL library, and derives much of its crypto capabilities from it. It supports conventional encryption using a pre-shared secret key (Static Key mode) or public key security (SSL/TLS mode) using client & server certificates. Additionally it supports unencrypted TCP/UDP tunnels.

OpenVPN is designed to work with the TUN/TAP virtual networking interface that exists on most platforms. Overall, it aims to offer many of the key features of IPSec but with a relatively lightweight footprint. OpenVPN was written by James Yonan and is published under the GNU General Public License (GPL).

Contents

Installation

Install the openvpn package, which provides both server and client mode.

Available frontends:

  • NetworkManager OpenVPN — NetworkManager VPN plugin for OpenVPN.
https://wiki.gnome.org/Projects/NetworkManager/VPN || networkmanager-openvpn
  • QOpenVPN — Simple OpenVPN GUI written in PyQt for systemd based distributions.
https://github.com/xmikos/qopenvpn || qopenvpn

Kernel configuration

OpenVPN requires TUN/TAP support, which is already configured in the default kernel. Users of custom kernel should make sure to enable the tun module:

Kernel config file
 Device Drivers
  --> Network device support
    [M] Universal TUN/TAP device driver support

Read Kernel modules for more information.

Connect to a VPN provided by a third party

To connect to a VPN service provided by a third party, most of the following can most likely be ignored, especially regarding server setup. Begin with #The client config profile and skip ahead to #Starting OpenVPN after that. One should use the provider certificates and instructions, see Category:VPN providers for examples that can be adapted to other providers. OpenVPN client in Linux Containers also has general applicable instructions, while it goes a step further by isolating an OpenVPN client process into a container.

Note: Most free VPN providers will (often only) offer PPTP, which is drastically easier to setup and configure, but not secure.

Create a Public Key Infrastructure (PKI) from scratch

When setting up an OpenVPN server, users need to create a Public Key Infrastructure (PKI) which is detailed in the Easy-RSA article. Once the needed certificates, private keys, and associated files are created via following the steps in the separate article, one should have 5 files in /etc/openvpn/server at this point:

ca.crt
dh.pem
servername.crt
servername.key
ta.key

Alternatively, as of OpenVPN 2.4, one can use Easy-RSA to generate certificates and keys using elliptic curves. See the OpenVPN documentation for details.

A basic Layer-3 IP routing configuration

Note: Unless otherwise explicitly stated, the rest of this article assumes a basic Layer-3 IP routing configuration.

OpenVPN is an extremely versatile piece of software and many configurations are possible, in fact machines can be both servers and clients.

With the release of v2.4, server configurations are stored in /etc/openvpn/server and client configurations are stored in /etc/openvpn/client and each mode has its own respective systemd unit, namely, openvpn-client@.service and openvpn-server@.service.

Example configuration

The OpenVPN package comes with a collection of example configuration files for different purposes. The sample server and client configuration files make an ideal starting point for a basic OpenVPN setup with the following features:

  • Uses Public Key Infrastructure (PKI) for authentication.
  • Creates a VPN using a virtual TUN network interface (OSI Layer-3 IP routing).
  • Listens for client connections on UDP port 1194 (OpenVPN's official IANA port number[1]).
  • Distributes virtual addresses to connecting clients from the 10.8.0.0/24 subnet.

For more advanced configurations, please see the openvpn(8) man page and the OpenVPN documentation.

The server configuration file

Note: Note that if the server is behind a firewall or a NAT translating router, the OpenVPN port must be forwarded on to the server.

Copy the example server configuration file /usr/share/openvpn/examples/server.conf to /etc/openvpn/server/server.conf.

Edit the file making a minimum of the following changes:

/etc/openvpn/server/server.conf
ca ca.crt
cert servername.crt
key servername.key
dh dh.pem
.
tls-crypt ta.key # Replaces tls-auth ta.key 0
.
user nobody
group nobody

If TLS with elliptic curves is used, specify dh none and ecdh-curve secp521r1. DH parameters file is not used when using elliptic curves. Starting from OpenVPN 2.4.8, it is required to specify the type of elliptic curves in server configuration. Otherwise the server would fail to recognize the curve type and possibly use an incompatible one, resulting in authentication errors.

Hardening the server

If security is a priority, additional configuration is recommended including: limiting the server to use a strong cipher/auth method and (optionally) limiting the set of enabled TLS ciphers to the newer ciphers. Starting from OpenVPN 2.4, the server and the client will automatically negotiate AES-256-GCM in TLS mode.

Add the following to /etc/openvpn/server/server.conf:

/etc/openvpn/server/server.conf
.
cipher AES-256-GCM
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
.
Note:
  • The .ovpn client profile must contain a matching cipher and auth line to work properly (at least with the iOS and Android client).
  • Using tls-cipher incorrectly may cause difficulty with debugging connections and may not be necessary. See OpenVPN’s community wiki for more information.

Enabling compression

Enabling compression is not recommended by upstream; doing so opens to the server the so-called VORACLE attack vector. See this article.

Deviating from the standard port and/or protocol

It is generally recommended to use OpenVPN over UDP, because TCP over TCP is a bad idea[2].

Some networks may disallow OpenVPN connections on the default port and/or protocol. One strategy to circumvent this is to mimic HTTPS traffic which is very likely unobstructed.

To do so, configure /etc/openvpn/server/server.conf as such:

/etc/openvpn/server/server.conf
.
port 443
proto tcp
.
Note: The .ovpn client profile must contain a matching port and proto line to work properly!

Running multiple instances of OpenVPN on different ports on the physical machine

One can have multiple, concurrent instances of OpenVPN running on the same box. Each server needs to be defined in /etc/openvpn/server/ as a separate .conf file. At a minimum, the parallel servers need to be running on different ports. A simple setup directs traffic connecting in to a separate IP pool. More advanced setups are beyond the scope of this guide.

Consider this example, running 2 concurrent servers, one port 443/udp and another on port 80/tcp.

First modify /etc/openvpn/server/server.conf created as so:

/etc/openvpn/server/server.conf
.
port 443
proto udp
server 10.8.0.0 255.255.255.0
.

Now copy it and modify the copy to run on 80/tcp:

/etc/openvpn/server/server2.conf
.
port 80
proto tcp
server 10.8.1.0 255.255.255.0
.

Be sure to setup the corresponding entries in the firewall, see the relevant sections in #Firewall configuration.

The client config profile

Copy the example client configuration file /usr/share/openvpn/examples/client.conf to /etc/openvpn/client/.

Edit the following:

  • The remote directive to reflect either the server's Fully Qualified Domain Name, hostname (as known to the client), or its IP address.
  • Uncomment the user and group directives to drop privileges.
  • The ca, cert, and key parameters to reflect the path and names of the keys and certificates.
  • Enable the TLS HMAC handshake protection (--tls-crypt or --tls-auth).
/etc/openvpn/client/client.conf
client
remote elmer.acmecorp.org 1194
.
user nobody
group nobody
ca ca.crt
cert client.crt
key client.key
.
tls-crypt ta.key # Replaces tls-auth ta.key 1

Run as unprivileged user

Using the options user nobody and group nobody in the configuration file makes OpenVPN drop its root privileges after establishing the connection. The downside is that upon VPN disconnect the daemon is unable to delete its set network routes again. If one wants to limit transmitting traffic without the VPN connection, then lingering routes may be considered beneficial. It can also happen, however, that the OpenVPN server pushes updates to routes at runtime of the tunnel. A client with dropped privileges will be unable to perform the update and exit with an error.

As it could seem to require manual action to manage the routes, the options user nobody and group nobody might seem undesirable. Depending on setup, however, there are different ways to handle these situations:

  • For errors of the unit, a simple way is to edit it and add a Restart=on-failure to the [Service] section. Though, this alone will not delete any obsoleted routes, so it may happen that the restarted tunnel is not routed properly.
  • The package contains the /usr/lib/openvpn/plugins/openvpn-plugin-down-root.so, which can be used to let openvpn fork a process with root privileges with the only task to execute a custom script when receiving a down signal from the main process, which is handling the tunnel with dropped privileges (see also its README).

The OpenVPN HowTo's linked below go further by creating a dedicated non-privileged user/group, instead of the already existing nobody. The advantage is that this avoids potential risks when sharing a user among daemons:

  • The OpenVPN HowTo explains another way how to create an unprivileged user mode and wrapper script to have the routes restored automatically.
  • It is possible to let OpenVPN start as a non-privileged user in the first place, without ever running as root, see this OpenVPN wiki (howto). The howto assumes the presence of System V init, rather than Systemd and does not cover the handling of --up/--down scripts - those should be handled the same way as the ip command, with additional attention to access rights.
  • It is also possible to run OpenVPN from within unprivileged podman container, see this section of OpenVPN HowTo
Tip: #openvpn-unroot describes a tool to automate above setup.

Converting certificates to encrypted .p12 format

Some software will only read VPN certificates that are stored in a password-encrypted .p12 file. These can be generated with the following command:

# openssl pkcs12 -export -inkey keys/bugs.key -in keys/bugs.crt -certfile keys/ca.crt -out keys/bugs.p12

Testing the OpenVPN configuration

Run # openvpn /etc/openvpn/server/server.conf on the server, and # openvpn /etc/openvpn/client/client.conf on the client. Example output should be similar to the following:

# openvpn /etc/openvpn/server/server.conf
Wed Dec 28 14:41:26 2011 OpenVPN 2.2.1 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011
Wed Dec 28 14:41:26 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Dec 28 14:41:26 2011 Diffie-Hellman initialized with 2048 bit key
.
.
Wed Dec 28 14:41:54 2011 bugs/95.126.136.73:48904 MULTI: primary virtual IP for bugs/95.126.136.73:48904: 10.8.0.6
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 PUSH: Received control message: 'PUSH_REQUEST'
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 SENT CONTROL [bugs]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
# openvpn /etc/openvpn/client/client.conf
Wed Dec 28 14:41:50 2011 OpenVPN 2.2.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011
Wed Dec 28 14:41:50 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
.
.
Wed Dec 28 14:41:57 2011 GID set to nobody
Wed Dec 28 14:41:57 2011 UID set to nobody
Wed Dec 28 14:41:57 2011 Initialization Sequence Completed

Find the IP address assigned to the tunX interface on the server, and ping it from the client.

Find the IP address assigned to the tunX interface on the client, and ping it from the server.

Note: If using a firewall, make sure that IP packets on the TUN device are not blocked.

Configure the MTU with Fragment and MSS

If experiencing issues when using (remote) services over OpenVPN (e.g. web browsing, DNS, NFS), it may be needed to set a MTU value manually.

The following message may indicate the MTU value should be adjusted:

read UDPv4 [EMSGSIZE Path-MTU=1407]: Message too long (code=90)

In order to get the maximum segment size (MSS), the client needs to discover the smallest MTU along the path to the server. In order to do this ping the server and disable fragmentation, then specify the maximum packet size [3]:

# ping -M do -s 1500 -c 1 example.com

Decrease the 1500 value by 10 each time, until the ping succeeds.

Note: Clients that do not support the 'fragment' directive (e.g. OpenELEC, iOS app) are not able to connect to a server that uses the fragment directive. See mtu-test as alternative solution.

Update the client configuration to use the succeeded MTU value, e.g.:

/etc/openvpn/client/client.conf
remote example.com 1194
...
tun-mtu 1400 
mssfix 1360

OpenVPN may be instructed to test the MTU every time on client connect. Be patient, since the client may not inform about the test being run and the connection may appear as nonfunctional until finished. The following will add about 3 minutes to OpenVPN start time. It is advisable to configure the fragment size unless a client will be connecting over many different networks and the bottle neck is not on the server side:

/etc/openvpn/client/client.conf
remote example.com 1194
...
mtu-test
...

IPv6

Connect to the server via IPv6

Starting from OpenVPN 2.4, OpenVPN will use AF_INET defined by the OS when just using proto udp or proto tcp, which in most cases will be IPv4 only. To use both IPv4 and IPv6, use proto udp6 or proto tcp6. To enforce only IPv4-only, you need to use proto udp4 or proto tcp4. On older OpenVPN versions, one server instance can only support either IPv4 or IPv6.

Provide IPv6 inside the tunnel

In order to provide IPv6 inside the tunnel, have an IPv6 prefix routed to the OpenVPN server. Either set up a static route on the gateway (if a static block is assigned), or use a DHCPv6 client to get a prefix with DHCPv6 Prefix delegation (see IPv6 Prefix delegation for details). Also consider using a unique local address from the address block fc00::/7. Both methods have advantages and disadvantages:

  • Many ISPs only provide dynamically changing IPv6 prefixes. OpenVPN does not support prefix changes, so change the server.conf every time the prefix is changed (Maybe can be automated with a script).
  • ULA addresses are not routed to the Internet, and setting up NAT is not as straightforward as with IPv4. This means one cannot route the entire traffic over the tunnel. Those wanting to connect two sites via IPv6, without the need to connect to the Internet over the tunnel, may want to use the ULA addresses for ease.

Alternatively, if you have no access to these mentioned methods, an NDP proxy should work. See this StackExchange post.

After having received a prefix (a /64 is recommended), append the following to the server.conf:

server-ipv6 2001:db8:0:123::/64

This is the IPv6 equivalent to the default 10.8.0.0/24 network of OpenVPN and needs to be taken from the DHCPv6 client. Or use for example fd00:1234::/64.

Those wanting to push a route to a home network (192.168.1.0/24 equivalent), need to also append:

push "route-ipv6 2001:db8:0:abc::/64"

OpenVPN does not yet include DHCPv6, so there is no method to e.g. push DNS server over IPv6. This needs to be done with IPv4. The OpenVPN Wiki provides some other configuration options.

Starting OpenVPN

Manual startup

To troubleshoot a VPN connection, start the client's daemon manually with openvpn /etc/openvpn/client/client.conf as root. The server can be started the same way using its own configuration file (e.g., openvpn /etc/openvpn/server/server.conf).

systemd service configuration

To start the OpenVPN server automatically at system boot, enable openvpn-server@<configuration>.service on the applicable machine. For a client, enable openvpn-client@<configuration>.service instead. (Leave .conf out of the <configuration> string.)

For example, if the client configuration file is /etc/openvpn/client/client.conf, the service name is openvpn-client@client.service. Or, if the server configuration file is /etc/openvpn/server/server.conf, the service name is openvpn-server@server.service.

Letting NetworkManager start a connection

One might not always need to run a VPN tunnel and/or only want to establish it for a specific NetworkManager connection. This can be done by adding a script to /etc/NetworkManager/dispatcher.d/. In the following example "Provider" is the name of the NetworkManager connection:

/etc/NetworkManager/dispatcher.d/10-openvpn
#!/bin/bash

case "$2" in
  up)
    if [ "$CONNECTION_ID" == "Provider" ]; then
      systemctl start openvpn-client@<configuration>
    fi
  ;;
  down)
    systemctl stop openvpn-client@<configuration>
  ;;
esac

See NetworkManager#Network services with NetworkManager dispatcher for more details.

Gnome configuration

To connect to an OpenVPN server through Gnome's built-in network configuration do the following. First, install networkmanager-openvpn. Then go to the Settings menu and choose Network. Click the plus sign to add a new connection and choose VPN. From there, choose OpenVPN and manually enter the settings. One can optionally import #The client config profile. Yet, be aware NetworkManager does not show error messages for options it does not import. To connect to the VPN simply turn the connection on and check the options are applied (e.g. via journalctl -b -u NetworkManager).

Routing client traffic through the server

Without further configuration only traffic directly to and from the OpenVPN server's IP passes through the VPN. To have other traffic, like web traffic pass through the VPN, correspondent routes must be added. You can either add routes in the client's configuration or configure the server to push these routes to the client.

To redirect traffic to and from a subnet of the server, add push "route <address pool> <subnet>" right before the remote <address> <port> udp/tcp, like:

route 192.168.1.0 255.255.255.0

To redirect all traffic including Internet traffic to the server, add the following in the client's configuration:

redirect-gateway def1 bypass-dhcp ipv6

If you are running an IPv4-only server, drop the ipv6 option. If you are going IPv6-only, use redirect-gateway ipv6 !ipv4.

To make the server push routes, append push "redirect-gateway def1 bypass-dhcp ipv6" to the configuration file (i.e. /etc/openvpn/server/server.conf) [4] of the server. Note this is not a requirement and may even give performance issue:

push "redirect-gateway def1 bypass-dhcp ipv6"

If you are running an IPv4-only server, drop the ipv6 option. If you are going IPv6-only, use push "redirect-gateway ipv6 !ipv4"

Use the push "route <address pool> <subnet>" option to allow clients reaching other subnets/devices behind the server:

push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"

Optionally, push local DNS settings to clients (e.g. the DNS-server of the router and domain prefix .internal):

Note: One may need to use a simple DNS forwarder like BIND and push the IP address of the OpenVPN server as DNS to clients.
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DOMAIN internal"

After setting up the configuration file, enable packet forwarding on the server. Additionally, the server's firewall needs to be adjusted to allow VPN traffic, which is described below for both ufw and iptables.

Note: There are potential pitfalls when routing all traffic through a VPN server. Refer to the OpenVPN documentation for more information.

Firewall configuration

firewalld

If you use the default port 1194, enable the openvpn service. Otherwise, create a new service with a different port.

# firewall-cmd --zone=public --add-service openvpn

Now add masquerade to the zone:

# firewall-cmd --zone=FedoraServer --add-masquerade

Make these changes permanent:

# firewall-cmd --runtime-to-permanent

ufw

In order to allow ufw forwarding (VPN) traffic append the following to /etc/default/ufw:

/etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"

Change /etc/ufw/before.rules, and append the following code after the header and before the "*filter" line:

  • Change the IP/subnet mask to match the server set in the OpenVPN server configuration.
  • Change the network interface to the connection used by OpenVPN server.
/etc/ufw/before.rules
# NAT (Network Address Translation) table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Allow traffic from clients to the interface
-A POSTROUTING -s 10.8.0.0/24 -o interface -j MASQUERADE

# Optionally duplicate this line for each subnet if your setup requires it
-A POSTROUTING -s 10.8.1.0/24 -o interface -j MASQUERADE

# do not delete the "COMMIT" line or the NAT table rules above will not be processed
COMMIT

# Don't delete these required lines, otherwise there will be errors
*filter
..

Make sure to open the chosen OpenVPN port (default 1194/udp):

# ufw allow 1194/udp

To apply the changes. reload/restart ufw:

# ufw reload

iptables

In order to allow VPN traffic through an iptables firewall, first create an iptables rule for NAT forwarding [5] on the server. An example (assuming the interface to forward to is named eth0):

# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

If running multiple servers on different IP pools, add a corresponding line for each one, for example:

# iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE

If the server cannot be pinged through the VPN, one may need to add explicit rules to open up TUN/TAP interfaces to all traffic. If that is the case, do the following [6]:

Warning: There are security implications for the following rules if one does not trust all clients which connect to the server. Refer to the OpenVPN documentation on this topic for more details.
# iptables -A INPUT -i tun+ -j ACCEPT
# iptables -A FORWARD -i tun+ -j ACCEPT
# iptables -A INPUT -i tap+ -j ACCEPT
# iptables -A FORWARD -i tap+ -j ACCEPT

Additionally be sure to accept connections from the OpenVPN port (default 1194) and through the physical interface:

# iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
# iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i tap+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i eth0 -o tap+ -m state --state RELATED,ESTABLISHED -j ACCEPT

When satisfied, make the changes permanent as shown in iptables#Configuration and usage.

Those with multiple tun or tap interfaces, or more than one VPN configuration can "pin" the name of the interface by specifying it in the OpenVPN config file, e.g. tun22 instead of tun. This is advantageous if different firewall rules for different interfaces or OpenVPN configurations are wanted.

Prevent leaks if VPN goes down

This prevents all traffic through the default interface (enp3s0 for example) and only allows traffic through tun0. If the OpenVPN connection drops, the system will lose its internet access thereby preventing connections through the default network interface.

One may want to set up a script to restart OpenVPN if it goes down.

ufw

 # Default policies
 ufw default deny incoming
 ufw default deny outgoing
 
 # Openvpn interface (adjust interface accordingly to your configuration)
 ufw allow in on tun0
 ufw allow out on tun0
 
 # Local Network (adjust ip accordingly to your configuration)
 ufw allow in on enp3s0 from 192.168.1.0/24
 ufw allow out on enp3s0 to 192.168.1.0/24
 
 # Openvpn (adjust port accordingly to your configuration)
 ufw allow in on enp3s0 from any port 1194
 ufw allow out on enp3s0 to any port 1194


Warning: DNS will not work unless running a dedicated DNS server like BIND.

Alternatively, one can allow DNS leaks. Be sure to trust your DNS server!

 # DNS
 ufw allow in from any to any port 53
 ufw allow out from any to any port 53

vpnfailsafe

Alternatively, the vpnfailsafe (vpnfailsafe-gitAUR) script can be used by the client to prevent DNS leaks and ensure that all traffic to the internet goes over the VPN. If the VPN tunnel goes down, internet access will be cut off, except for connections to the VPN server(s). The script contains the functionality of update-resolv-conf, so the two do not need to be combined.

Layer-3 IPv4 routing

This section describes how to connect client/server LANs to each other using Layer-3 IPv4 routing.

Prerequisites for routing a LAN

For a host to be able to forward IPv4 packets between the LAN and VPN, it must be able to forward the packets between its NIC and its tun/tap device. See Internet sharing#Enable packet forwarding for configuration details.

Routing tables

Tango-inaccurate.pngThe factual accuracy of this article or section is disputed.Tango-inaccurate.png

Reason: Investigate if a routing protocol like RIP, QUAGGA, BIRD, etc can be used (Discuss in Talk:OpenVPN#)

By default, all IP packets on a LAN addressed to a different subnet get sent to the default gateway. If the LAN/VPN gateway is also the default gateway, there is no problem and the packets get properly forwarded. If not, the gateway has no way of knowing where to send the packets. There are a couple of solutions to this problem.

  • Add a static route to the default gateway routing the VPN subnet to the LAN/VPN gateway's IP address.
  • Add a static route on each host on the LAN that needs to send IP packets back to the VPN.
  • Use iptables' NAT feature on the LAN/VPN gateway to masquerade the incoming VPN IP packets.

Connect the server LAN to a client

The server is on a LAN using the 10.66.0.0/24 subnet. To inform the client about the available subnet, add a push directive to the server configuration file:

/etc/openvpn/server/server.conf
push "route 10.66.0.0 255.255.255.0"
Note: To route more LANs from the server to the client, add more push directives to the server configuration file, but keep in mind that the server side LANs will need to know how to route to the client.

Connect the client LAN to a server

Prerequisites:

  • Any subnets used on the client side, must be unique and not in use on the server or by any other client. In this example we will use 192.168.4.0/24 for the clients LAN.
  • Each client's certificate has a unique Common Name, in this case bugs.
  • The server may not use the duplicate-cn directive in its config file.
  • The CCD folder must be accessible via user and group defined in the server config file (typically nobody:nobody)

Create a client configuration directory on the server. It will be searched for a file named the same as the client's common name, and the directives will be applied to the client when it connects.

# mkdir -p /etc/openvpn/ccd

Create a file in the client configuration directory called bugs, containing the iroute 192.168.4.0 255.255.255.0 directive. It tells the server what subnet should be routed to the client:

/etc/openvpn/ccd/bugs
iroute 192.168.4.0 255.255.255.0

Add the client-config-dir and the route 192.168.4.0 255.255.255.0 directive to the server configuration file. It tells the server what subnet should be routed from the tun device to the server LAN:

/etc/openvpn/server/server.conf
client-config-dir ccd
route 192.168.4.0 255.255.255.0
Note: To route more LANs from the client to the server, add more iroute and route directives to the appropriate configuration files, but keep in mind that the client side LANs will need to know how to route to the server.

Connect both the client and server LANs

Combine the two previous sections:

/etc/openvpn/server/server.conf
push "route 10.66.0.0 255.255.255.0"
.
.
client-config-dir ccd
route 192.168.4.0 255.255.255.0
/etc/openvpn/ccd/bugs
iroute 192.168.4.0 255.255.255.0
Note: Remember to make sure that all the LANs or the needed hosts can route to all the destinations.

Connect clients and client LANs

By default clients will not see each other. To allow IP packets to flow between clients and/or client LANs, add a client-to-client directive to the server configuration file:

/etc/openvpn/server/server.conf
client-to-client

In order for another client or client LAN to see a specific client LAN, add a push directive for each client subnet to the server configuration file (this will make the server announce the available subnet(s) to other clients):

/etc/openvpn/server/server.conf
client-to-client
push "route 192.168.4.0 255.255.255.0"
push "route 192.168.5.0 255.255.255.0"
..
Note: One may need to adjust the firewall to allow client traffic passing through the VPN server.

DNS

For Linux, the OpenVPN client can receive DNS host information from the server, but the client expects an external command to act on this information. No such commands are configured by default. They must be specified with the up and down config options. There are a few alternatives for what scripts to use, but none are officially recognised by OpenVPN, so in order for any of them to work, script-security must be set to 2. The down-root plugin can be used instead of the down option if running as an unprivileged user.

The pull-resolv-conf custom scripts

These scripts are maintained by OpenVPN. They are client.up and client.down, and they are packaged in /usr/share/openvpn/contrib/pull-resolv-conf/. The following is an excerpt of a resulting client configuration using the scripts in conjunction with the down-root plugin:

/etc/openvpn/client/clienttunnel.conf
user nobody
group nobody
# Optional, choose a suitable path to chroot into
chroot /srv
script-security 2
up /usr/share/openvpn/contrib/pull-resolv-conf/client.up 
plugin /usr/lib/openvpn/plugins/openvpn-plugin-down-root.so "/usr/share/openvpn/contrib/pull-resolv-conf/client.down tun0"

These scripts use the resolvconf command if present. Systemd-resolvconf and Openresolv both implement this command. See their wiki pages for more information on getting a working resolvconf implementation.

Note: As of October 2019, systemd-resolvconf works as long as the systemd-resolved service is running. Openresolv will not work out of the box because client.up will only create private DNS server entries. These require extra configuration of openresolv to work. See man 8 resolvconf for more details on private DNS servers in openresolv.

If no implementation of resolvconf is present, client.up preserves the existing resolv.conf at /etc/resolv.conf.ovpnsave and writes a new one. This new one will not have any of the original DNS servers.

If you need to edit these scripts, copy them somewhere else and edit them there, so that your changes don't get overwritten by the next openvpn package upgrade. /etc/openvpn/client is a pretty good place.

# cp /usr/share/openvpn/contrib/pull-resolv-conf/* /etc/openvpn/client
# $EDITOR /etc/openvpn/client/client.{up.,down}
# # etc ...

The update-resolv-conf custom script

Note: Another script, update-systemd-resolved, is recommended by the author of update-resolv-conf for systems with systemd.

The openvpn-update-resolv-conf script is available as an alternative to packaged scripts. It needs to be saved for example at /etc/openvpn/update-resolv-conf and made executable.

If you prefer a package, there is openvpn-update-resolv-conf-gitAUR that does above for you. You still need to do the following.

Once the script is installed add lines like the following into the OpenVPN client configuration file:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
Note: If manually placing the script on the filesystem, be sure to have openresolv installed.

Now, when launching the OpenVPN connection, resolv.conf should be updated accordingly, and also should get returned to normal when the connection is closed.

Note: When using openresolv with the -p or -x options in a script (as both the included client.up and update-resolv-conf scripts currently do), a DNS resolver like dnsmasq or unbound is required for openresolv to correctly update /etc/resolv.conf. In contrast, when using the default DNS resolution from libc the -p and -x options must be removed in order for /etc/resolv.conf to be correctly updated by openresolv. For example, if the script contains a command like resolvconf -p -a and the default DNS resolver from libc is being used, change the command in the script to be resolvconf -a .

The update-systemd-resolved custom script

Note: Since systemd 229, systemd-networkd has exposed an API through DBus allowing management of DNS configuration on a per-link basis. Tools such as openresolv may not work reliably when /etc/resolv.conf is managed by systemd-resolved, and will not work at all if using resolve instead of dns in /etc/nsswitch.conf.

The update-systemd-resolved script links OpenVPN with systemd-resolved via DBus to update the DNS records.

Copy the script into /etc/openvpn/scripts and mark as executable (or install openvpn-update-systemd-resolvedAUR) and append the following lines into the OpenVPN client configuration file:

/etc/openvpn/client/client.conf
client
remote example.com 1194 udp
..
script-security 2
setenv PATH /usr/bin
up /etc/openvpn/scripts/update-systemd-resolved
down /etc/openvpn/scripts/update-systemd-resolved
down-pre

In order to send all DNS traffic through the VPN tunnel and prevent DNS leaks, also add the following line (see [7]):

/etc/openvpn/client/client.conf
dhcp-option DOMAIN-ROUTE .

Make sure that the systemd-resolved service is configured and running.

Override DNS servers using NetworkManager

By default networkmanager-openvpn plugin appends DNS servers provided by OpenVPN to /etc/resolv.conf. This may result in DNS instability (leakage).

The NetworkManager GUI does not provide any way to change this behavior, but it is possible to completely override DNS using connection configuration file.

If the override is applied, queries for non-public DNS records are sent to the external resolver, see [8].

To use DNS settings provided by the VPN connection add dns-priority=-1 (ipv4 section) to the file located at /etc/NetworkManager/system-connections/your_vpn_name, where your_vpn_name is the name of your VPN connection.

Making changes to the VPN connection with the NetworkManager GUI will remove the setting above.

To verify that the correct DNS server(s) are configured, see resolvectl status if systemd-resolved is in use, for other resolvers see Domain name resolution.

Layer-2 Ethernet bridging

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: Please add a well thought out section on Layer-2 bridging. (Discuss in Talk:OpenVPN#)

For now see: OpenVPN Bridge

Config generators

Warning: Users are highly recommended to pass through the manual configuration described above to gain knowledge about options and usage before using any additional automation scripts.

ovpngen

The ovpngenAUR package provides a simple shell script that creates OpenVPN compatible tunnel profiles in the unified file format suitable for the OpenVPN Connect app for Android and iOS.

Simply invoke the script with 5 tokens:

  1. Server Fully Qualified Domain Name of the OpenVPN server (or IP address).
  2. Full path to the CA cert.
  3. Full path to the client cert.
  4. Full path to the client private key.
  5. Full path to the server TLS shared secret key.
  6. Optionally a port number.
  7. Optionally a protocol (udp or tcp).

Example:

# ovpngen example.org /etc/openvpn/server/ca.crt /etc/easy-rsa/pki/signed/client1.crt /etc/easy-rsa/pki/private/client1.key /etc/openvpn/server/ta.key > foo.ovpn

If the server is configured to use tls-crypt, as is suggested in #The server configuration file, manually edit the resulting foo.ovpn replacing <tls-auth> and </tls-auth> with <tls-crypt> and </tls-crypt>.

The resulting foo.ovpn can be edited if desired as the script does insert some commented lines. foo.ovpn will not automatically route all traffic through the VPN, so you may want to follow #Routing client traffic through the server to enable redirection.

The client expects this file to be located in /etc/openvpn/client/foo.conf. Note the change in file extension from 'ovpn' to 'conf' in this case.

Tip: If the server.conf contains a specified cipher and/or auth line, it is highly recommended that users manually edit the generated .ovpn file adding matching lines for cipher and auth. Failure to do so may results in connection errors!

openvpn-unroot

Note: If you intend to use a custom script, perhaps for configuring #DNS, you must add these scripts to your config before calling openvpn-unroot on it. Failing to do so will cause problems if the scripts require root permissions.

The steps necessary for OpenVPN to #Run as unprivileged user, can be performed automatically using openvpn-unroot (openvpn-unroot-gitAUR).

It automates the actions required for the OpenVPN howto by adapting it to systemd, and also working around the bug for persistent tun devices mentioned in the note.

Troubleshooting

Client daemon not reconnecting after suspend

openvpn-reconnectAUR, available on the AUR, solves this problem by sending a SIGHUP to openvpn after waking up from suspend.

Alternatively, restart OpenVPN after suspend by creating the following systemd service:

/etc/systemd/system/openvpn-reconnect.service
[Unit]
Description=Restart OpenVPN after suspend

[Service]
ExecStart=/usr/bin/pkill --signal SIGHUP --exact openvpn

[Install]
WantedBy=sleep.target

Enable this service for it to take effect.

Connection drops out after some time of inactivity

If the VPN-Connection drops some seconds after it stopped transmitting data and, even though it states it is connected, no data can be transmitted through the tunnel, try adding a keepalivedirective to the server's configuration:

/etc/openvpn/server/server.conf
.
.
keepalive 10 120
.
.

In this case the server will send ping-like messages to all of its clients every 10 seconds, thus keeping the tunnel up. If the server does not receive a response within 120 seconds from a specific client, it will assume this client is down.

A small ping-interval can increase the stability of the tunnel, but will also cause slightly higher traffic. Depending on the connection, also try lower intervals than 10 seconds.

PID files not present

The default systemd service file for openvpn-client does not have the --writepid flag enabled, despite creating /var/run/openvpn-client. If this breaks a config (such as an i3bar VPN indicator), simply change openvpn-client@.service using a drop-in snippet:

[Service]
ExecStart=
ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf --writepid /var/run/openvpn-client/%i.pid

Route configuration fails with systemd-networkd

When using systemd-networkd to manage network connections and attempting to tunnel all outgoing traffic through the VPN, OpenVPN may fail to add routes. This is a result of systemd-networkd attempting to manage the tun interface before OpenVPN finishes configuring the routes. When this happens, the following message will appear in the OpenVPN log.

openvpn[458]: RTNETLINK answers: Network is unreachable
openvpn[458]: ERROR: Linux route add command failed: external program exited with error status: 2

From systemd-233, systemd-networkd can be configured to ignore the tun connections and allow OpenVPN to manage them. To do this, create the following file:

/etc/systemd/network/90-tun-ignore.network
[Match]
Name=tun*

[Link]
Unmanaged=true

Restart systemd-networkd.service to apply the changes. To verify that the changes took effect, start the previously problematic OpenVPN connection and run networkctl. The output should have a line similar to the following:

7 tun0             none               routable    unmanaged

tls-crypt unwrap error: packet too short

This error shows up in the server log when a client that does not support tls-crypt, or a client that is misconfigured to use tls-auth while the server is configured to use tls-crypt, attempts to connect.

To support clients that do not support tls-crypt, replace tls-crypt ta.key with tls-auth ta.key 0 (the default) in server.conf. Also replace tls-crypt ta.key with tls-auth ta.key 1 (the default) in client.conf.

See also