Difference between revisions of "OpenVPN"

From ArchWiki
Jump to: navigation, search
m (Route a client side LAN to a server: punctuation)
(Setting up the Client)
(48 intermediate revisions by 5 users not shown)
Line 29: Line 29:
 
# Load tun.ko at boot
 
# Load tun.ko at boot
 
tun</nowiki>}}
 
tun</nowiki>}}
 +
 +
The default kernel is already properly configured, but if you use another kernel make sure to enable the TUN/TAP module.  If {{ic|$ zgrep CONFIG_TUN /proc/config.gz}} returns {{ic|<nowiki>CONFIG_TUN=n</nowiki>}}, make the following change to the kernel config file and rebuild the kernel.
 +
 +
{{hc|Kernel config file|
 +
Device Drivers
 +
  --> Network device support
 +
    [M] Universal TUN/TAP device driver support}}
  
 
==Connect to a VPN provided by a third party==
 
==Connect to a VPN provided by a third party==
Line 51: Line 58:
  
 
==A basic L3 IP routing configuration==
 
==A basic L3 IP routing configuration==
 +
 +
{{Note|Unless otherwise explicitly stated, the rest of this article assumes this basic configuration.}}
  
 
OpenVPN is an extremely versatile piece of software and many configurations are possible, in fact machines can be both "servers" and "clients", blurring the distinction between server and client.
 
OpenVPN is an extremely versatile piece of software and many configurations are possible, in fact machines can be both "servers" and "clients", blurring the distinction between server and client.
Line 104: Line 113:
 
Edit the following:
 
Edit the following:
  
* The remote directive to reflect the server's [[Wikipedia:Fully qualified domain name|Fully Qualified Domain Name]]hostname (as known to the client) or IP address.
+
* The remote directive to reflect either the server's [[Wikipedia:Fully qualified domain name|Fully Qualified Domain Name]] hostname (as known to the client) or its IP address.
 
* Uncomment the user and group directives to drop privileges.
 
* Uncomment the user and group directives to drop privileges.
 
* The ca, cert, and key parameters to reflect the path and names of the keys and certificates.
 
* The ca, cert, and key parameters to reflect the path and names of the keys and certificates.
Line 133: Line 142:
 
Wed Dec 28 14:41:26 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
 
Wed Dec 28 14:41:26 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
 
Wed Dec 28 14:41:26 2011 Diffie-Hellman initialized with 2048 bit key
 
Wed Dec 28 14:41:26 2011 Diffie-Hellman initialized with 2048 bit key
Wed Dec 28 14:41:26 2011 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
+
.
Wed Dec 28 14:41:26 2011 Socket Buffers: R=[126976->131072] S=[126976->131072]
+
.
Wed Dec 28 14:41:26 2011 ROUTE default_gateway=10.66.0.1
+
Wed Dec 28 14:41:26 2011 TUN/TAP device tun0 opened
+
Wed Dec 28 14:41:26 2011 TUN/TAP TX queue length set to 100
+
Wed Dec 28 14:41:26 2011 /usr/sbin/ip link set dev tun0 up mtu 1500
+
Wed Dec 28 14:41:26 2011 /usr/sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
+
Wed Dec 28 14:41:26 2011 /usr/sbin/ip route add 10.8.0.0/24 via 10.8.0.2
+
Wed Dec 28 14:41:26 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
+
Wed Dec 28 14:41:26 2011 GID set to nobody
+
Wed Dec 28 14:41:26 2011 UID set to nobody
+
Wed Dec 28 14:41:26 2011 UDPv4 link local (bound): [undef]:1194
+
Wed Dec 28 14:41:26 2011 UDPv4 link remote: [undef]
+
Wed Dec 28 14:41:26 2011 MULTI: multi_init called, r=256 v=256
+
Wed Dec 28 14:41:26 2011 IFCONFIG POOL: base=10.8.0.4 size=62
+
Wed Dec 28 14:41:26 2011 IFCONFIG POOL LIST
+
Wed Dec 28 14:41:26 2011 Initialization Sequence Completed
+
Wed Dec 28 14:41:51 2011 MULTI: multi_create_instance called
+
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Re-using SSL/TLS context
+
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 LZO compression initialized
+
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
+
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
+
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Local Options hash (VER=V4): '530fdded'
+
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 Expected Remote Options hash (VER=V4): '41690919'
+
Wed Dec 28 14:41:51 2011 95.126.136.73:48904 TLS: Initial packet from 95.126.136.73:48904, sid=163f4a5e e0399137
+
Wed Dec 28 14:41:53 2011 95.126.136.73:48904 VERIFY OK: depth=1, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=Acme-CA/name=Acme-CA/emailAddress=roadrunner@acmecorp.org
+
Wed Dec 28 14:41:53 2011 95.126.136.73:48904 VERIFY OK: depth=0, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=bugs/name=Acme-CA/emailAddress=roadrunner@acmecorp.org
+
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
+
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
+
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
+
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
+
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
+
Wed Dec 28 14:41:54 2011 95.126.136.73:48904 [bugs] Peer Connection Initiated with 95.126.136.73:48904
+
Wed Dec 28 14:41:54 2011 bugs/95.126.136.73:48904 MULTI: Learn: 10.8.0.6 -> bugs/95.126.136.73:48904
+
 
Wed Dec 28 14:41:54 2011 bugs/95.126.136.73:48904 MULTI: primary virtual IP for bugs/95.126.136.73:48904: 10.8.0.6
 
Wed Dec 28 14:41:54 2011 bugs/95.126.136.73:48904 MULTI: primary virtual IP for bugs/95.126.136.73:48904: 10.8.0.6
 
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 PUSH: Received control message: 'PUSH_REQUEST'
 
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 PUSH: Received control message: 'PUSH_REQUEST'
Line 176: Line 153:
 
Wed Dec 28 14:41:50 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
 
Wed Dec 28 14:41:50 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
 
Wed Dec 28 14:41:50 2011 LZO compression initialized
 
Wed Dec 28 14:41:50 2011 LZO compression initialized
Wed Dec 28 14:41:50 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
+
.
Wed Dec 28 14:41:50 2011 Socket Buffers: R=[114688->131072] S=[114688->131072]
+
.
Wed Dec 28 14:41:51 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
+
Wed Dec 28 14:41:51 2011 Local Options hash (VER=V4): '41690919'
+
Wed Dec 28 14:41:51 2011 Expected Remote Options hash (VER=V4): '530fdded'
+
Wed Dec 28 14:41:51 2011 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
+
Wed Dec 28 14:41:51 2011 UDPv4 link local: [undef]
+
Wed Dec 28 14:41:51 2011 UDPv4 link remote: 85.93.204.250:1194
+
Wed Dec 28 14:41:51 2011 TLS: Initial packet from 85.93.204.250:1194, sid=5f379f35 50c9ab11
+
Wed Dec 28 14:41:52 2011 VERIFY OK: depth=1, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=Acme-CA/name=Acme-CA/emailAddress=roadrunner@acmecorp.org
+
Wed Dec 28 14:41:52 2011 VERIFY OK: nsCertType=SERVER
+
Wed Dec 28 14:41:52 2011 VERIFY OK: depth=0, /C=US/ST=CA/L=Acme Acres/O=Acme/CN=elmer/name=Acme-CA/emailAddress=roadrunner@acmecorp.org
+
Wed Dec 28 14:41:54 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
+
Wed Dec 28 14:41:54 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
+
Wed Dec 28 14:41:54 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
+
Wed Dec 28 14:41:54 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
+
Wed Dec 28 14:41:54 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
+
Wed Dec 28 14:41:54 2011 [elmer] Peer Connection Initiated with 85.93.204.250:1194
+
Wed Dec 28 14:41:57 2011 SENT CONTROL [elmer]: 'PUSH_REQUEST' (status=1)
+
Wed Dec 28 14:41:57 2011 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
+
Wed Dec 28 14:41:57 2011 OPTIONS IMPORT: timers and/or timeouts modified
+
Wed Dec 28 14:41:57 2011 OPTIONS IMPORT: --ifconfig/up options modified
+
Wed Dec 28 14:41:57 2011 OPTIONS IMPORT: route options modified
+
Wed Dec 28 14:41:57 2011 ROUTE default_gateway=10.64.64.64
+
Wed Dec 28 14:41:57 2011 TUN/TAP device tun1 opened
+
Wed Dec 28 14:41:57 2011 TUN/TAP TX queue length set to 100
+
Wed Dec 28 14:41:57 2011 /usr/sbin/ip link set dev tun1 up mtu 1500
+
Wed Dec 28 14:41:57 2011 /usr/sbin/ip addr add dev tun1 local 10.8.0.6 peer 10.8.0.5
+
Wed Dec 28 14:41:57 2011 /usr/sbin/ip route add 10.8.0.1/32 via 10.8.0.5
+
 
Wed Dec 28 14:41:57 2011 GID set to nobody
 
Wed Dec 28 14:41:57 2011 GID set to nobody
 
Wed Dec 28 14:41:57 2011 UID set to nobody
 
Wed Dec 28 14:41:57 2011 UID set to nobody
Line 213: Line 163:
  
 
{{hc|# ip addr show|<nowiki>
 
{{hc|# ip addr show|<nowiki>
.
 
 
.
 
.
 
.
 
.
Line 227: Line 176:
 
.
 
.
 
.
 
.
.
+
37: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
37: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
+
 
     link/none
 
     link/none
     inet 10.8.0.6 peer 10.8.0.5/32 scope global tun1</nowiki>}}
+
     inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0</nowiki>}}
  
 
And the client side has been given the IP 10.8.0.6.
 
And the client side has been given the IP 10.8.0.6.
Line 238: Line 186:
 
On the server:
 
On the server:
  
{{hc|# ping 10.8.0.6|<nowiki>
+
{{hc|# ping -c3 10.8.0.6|<nowiki>
 
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.
 
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.
 
64 bytes from 10.8.0.6: icmp_req=1 ttl=64 time=238 ms
 
64 bytes from 10.8.0.6: icmp_req=1 ttl=64 time=238 ms
 
64 bytes from 10.8.0.6: icmp_req=2 ttl=64 time=237 ms
 
64 bytes from 10.8.0.6: icmp_req=2 ttl=64 time=237 ms
 
64 bytes from 10.8.0.6: icmp_req=3 ttl=64 time=205 ms
 
64 bytes from 10.8.0.6: icmp_req=3 ttl=64 time=205 ms
^C
+
 
 
--- 10.8.0.6 ping statistics ---
 
--- 10.8.0.6 ping statistics ---
 
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
 
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
Line 251: Line 199:
 
On the client:
 
On the client:
  
{{hc|# ping 10.8.0.1|<nowiki>
+
{{hc|# ping -c3 10.8.0.1|<nowiki>
 
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
 
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
 
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=158 ms
 
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=158 ms
 
64 bytes from 10.8.0.1: icmp_req=2 ttl=64 time=158 ms
 
64 bytes from 10.8.0.1: icmp_req=2 ttl=64 time=158 ms
 
64 bytes from 10.8.0.1: icmp_req=3 ttl=64 time=157 ms
 
64 bytes from 10.8.0.1: icmp_req=3 ttl=64 time=157 ms
^C
+
 
 
--- 10.8.0.1 ping statistics ---
 
--- 10.8.0.1 ping statistics ---
 
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
 
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
Line 263: Line 211:
  
 
You now have a working OpenVPN installation, and your client (bugs) will be able to use services on the server (elmer), and vice versa.
 
You now have a working OpenVPN installation, and your client (bugs) will be able to use services on the server (elmer), and vice versa.
 +
 +
{{Note|If using a firewall, make sure that ip packets on the TUN device are not blocked.}}
  
 
==Starting OpenVPN==
 
==Starting OpenVPN==
  
{{Expansion|This section needs to add systemd instructions}}
+
===Manual startup===
 +
To manually start with a specific configuration file: {{ic|# openvpn /etc/openvpn/client.conf}}
  
To manually start OpenVPN (both server and client), run:
+
=== Initscripts startup ===
 +
To manually start as a daemon {{ic|# rc.d start openvpn}}
  
{{bc|# rc.d start openvpn}}
+
To start as a daemon at boot, add openvpn to the daemons array in {{ic|/etc/rc.conf}}
  
To have your system run OpenVPN automatically at system start, add openvpn to the daemon array in /etc/rc.conf.
+
{{Note|Starting as a daemon will start one process per valid configuration file found.}}
 +
 
 +
=== Systemd service configuration ===
 +
{{Expansion|Please add information on how to start several openvpn processes with systemd}}
 +
Since version 2.2.2-2, a service file is included by default.
 +
To start an OpenVPN daemon using <tt>/etc/openvpn/''client''.conf</tt> and enable it permanently:
 +
{{bc|# systemctl enable openvpn@''client''.service
 +
# systemctl start openvpn@''client''.service}}
 +
 
 +
Respectively using <tt>/etc/openvpn/''server''.conf</tt>:
 +
{{bc|# systemctl enable openvpn@''server''.service
 +
# systemctl start openvpn@''server''.service}}
  
 
==Advanced L3 IP routing==
 
==Advanced L3 IP routing==
  
===Prerequisites for routing a LAN over an OpenVPN connection===
+
===Prerequisites for routing a LAN===
  
To be able to route a LAN to an OpenVPN connection be it by a client or a server, the routing system must be able to forward IP packets between the tun/tap device and the LAN device.
+
====IPv4 forwarding====
  
Edit /etc/sysctl.conf to permanently enable ipv4 packet forwarding (takes effect at the next boot):
+
For a host to be able to forward IPv4 packets between the LAN and VPN, it must be able to forward the packets between its NIC and its tun/tap device.
 +
 
 +
Edit {{ic|etc/sysctl.conf}} to permanently enable ipv4 packet forwarding (takes effect at the next boot):
  
 
{{hc|/etc/sysctl.conf|<nowiki>
 
{{hc|/etc/sysctl.conf|<nowiki>
Line 289: Line 254:
 
To temporarily enable without rebooting: {{ic|# echo 1 > /proc/sys/net/ipv4/ip_forward}}
 
To temporarily enable without rebooting: {{ic|# echo 1 > /proc/sys/net/ipv4/ip_forward}}
  
The LAN interface (eth0 in the following examples) must also be able to accept LAN traffic addressed to another IP address than it is configured for.  To do this, set it to [[Wikipedia:Promiscuous_mode|promiscious mode]] by adding the following to /etc/rc.local (takes effect at the next boot):
+
====Promiscious LAN inteface====
 +
 
 +
The forwarding host's NIC (eth0 in the following examples) must also be able to accept packets for a different IP address than it is configured for, something known as [[Wikipedia:Promiscuous_mode|promiscious mode]]. To enable, add the following to {{ic|/etc/rc.local}} (takes effect at the next boot):
  
 
{{hc|/etc/rc.local|ip link set dev eth0 promisc on}}
 
{{hc|/etc/rc.local|ip link set dev eth0 promisc on}}
Line 295: Line 262:
 
To temporarily enable without rebooting: {{ic|# ip link set dev eth0 promisc on}}
 
To temporarily enable without rebooting: {{ic|# ip link set dev eth0 promisc on}}
  
{{Accuracy|Investigate if a routing protocol like RIP, QUAGGA, BIRD, etc can be used}}
+
To set the {{ic|eth0}} in promiscuous mode using systemd use [[ Systemd/Services#Set_network_interface_in_promiscuous_mode | this service file ]] and enable it using:
  
{{Poor writing|The information on routing has to be made a lot clearer...}}
+
  # systemctl enable promiscuous@eth0.service
  
{{Note|If the routing system is not the default LAN gateway, you will have to do one of the following:
+
====Routing tables====
* Add a static route to the LAN's default gateway (most likely the LAN's router), routing the target IP range back to the routing system's eth0 IP address.
+
* Add a static route to each host on the LAN, routing the target IP range back to the routing system's eth0 IP address.
+
* Use iptables' NAT feature to masquerade the IP packets.
+
}}
+
  
===Route a server side LAN to a client===
+
{{Accuracy|Investigate if a routing protocol like RIP, QUAGGA, BIRD, etc can be used}}
  
Prerequisites:
+
By default, all IP packets on a LAN addressed to a different subnet get sent to the default gateway.  If the LAN/VPN gateway is also the default gateway, there is no problem and the packets get properly forwarded. If not, the gateway has no way of knowing where to send the packets.  There are a couple of solutions to this problem.
  
* The server is on a LAN using the 10.66.0.0/24 [[Wikipedia:Private_network|private network range]].
+
* Add a static route to the default gateway routing the VPN subnet to the LAN/VPN gateway's IP address.
* The client is assigned an ip address out of the address pool 10.8.0.0/24.
+
* Add a static route on each host on the LAN that needs to send IP packets back to the VPN.
 +
* Use [[iptables]]' NAT feature on the LAN/VPN gateway to masquerade the incoming VPN IP packets.
  
To assign the client an address out of the address pool 10.8.0.0/24, add a server directive to the server configuration file: {{hc|/etc/openvpn/server.conf|server 10.8.0.0 255.255.255.0}}
+
===Connect the server LAN to a client===
  
To inform the client about the available subnet, add a push directive to the server configuration file:{{hc|/etc/openvpn/server.conf|push "route 10.66.0.0 255.255.255.0"}}
+
The server is on a LAN using the 10.66.0.0/24 subnet.  To inform the client about the available subnet, add a push directive to the server configuration file:{{hc|/etc/openvpn/server.conf|push "route 10.66.0.0 255.255.255.0"}}
  
{{Note|To add more LANs/subnets, add more push directives to the server configuration file, but keep in mind that the server side LANs will need to know how to route to the client.}}
+
{{Note|Remember to enable ipv4 forwarding and to make the LAN interface promiscuous on the server. Make sure the server LAN knows how to reach the VPN client.}}
  
===Route a client side LAN to a server===
+
{{Note|To route more LANs from the server to the client, add more push directives to the server configuration file, but keep in mind that the server side LANs will need to know how to route to the client.}}
  
{{Expansion|Add information on how to route several client side LANs to the server side}}
+
===Connect the client LAN to a server===
  
 
Prerequisites:
 
Prerequisites:
Line 328: Line 292:
 
* The server may not use the duplicate-cn directive in its config file.
 
* The server may not use the duplicate-cn directive in its config file.
  
You must now create a client configuration directory on the server.  When a client connects, the server process will check this directory for a file named the same as the client certificate's common name, and apply the directives to the client.
+
Create a client configuration directory on the server.  It will be searched for a file named the same as the client's common name, and the directives will be applied to the client when it connects.
  
 
{{bc|# mkdir -p /etc/openvpn/ccd}}
 
{{bc|# mkdir -p /etc/openvpn/ccd}}
  
Create a file in the client configuration directory called bugs, containing the directive iroute 192.168.4.0 255.255.255.0.  This will tell the server that the 192.168.4.0/24 subnet should be routed to the client (bugs):
+
Create a file in the client configuration directory called bugs, containing the {{ic|iroute 192.168.4.0 255.255.255.0}} directiveIt tells the server what subnet should be routed to the client:
  
 
{{hc|/etc/openvpn/ccd/bugs|iroute 192.168.4.0 255.255.255.0}}
 
{{hc|/etc/openvpn/ccd/bugs|iroute 192.168.4.0 255.255.255.0}}
  
Then add the directive route 192.168.4.0 255.255.255.0 to the server's configuration file /etc/openvpn/server.conf. This will tell the server that the 192.168.4.0/24 subnet should be routed from the tun device to the server process. Both are needed:
+
Add the client-config-dir and the {{ic|route 192.168.4.0 255.255.255.0}} directive to the server configuration file. It tells the server what subnet should be routed from the tun device to the server LAN:
 +
 
 +
{{hc|/etc/openvpn/server.conf|
 +
client-config-dir ccd
 +
route 192.168.4.0 255.255.255.0
 +
}}
 +
 
 +
{{Note|Remember to enable ipv4 forwarding and to make the LAN interface promiscuous on the client. Make sure the client LAN knows how to reach the VPN server.}}
 +
 
 +
{{Note|To route more LANs from the client to the server, add more iroute and route directives to the appropriate configuration files, but keep in mind that the client side LANs will need to know how to route to the server.}}
 +
 
 +
===Connect both the client and server LANs===
 +
 
 +
Combine the two previous sections:
 +
 
 +
{{hc|/etc/openvpn/server.conf|
 +
push "route 10.66.0.0 255.255.255.0"
 +
.
 +
.
 +
client-config-dir ccd
 +
route 192.168.4.0 255.255.255.0
 +
}}
 +
 
 +
 
 +
{{hc|/etc/openvpn/ccd/bugs|iroute 192.168.4.0 255.255.255.0}}
 +
 
 +
 
 +
{{Note|Remember to enable ipv4 forwarding and to make the LAN interfaces promiscuous on both the client and the server. Make sure that all the LANs or the needed hosts can route to all the destinations.}}
 +
 
 +
===Connect clients and client LANs===
 +
 
 +
By default clients will not see each other, to allow ip packets to flow between clients and/or client LANs add a client-to-client directive to the server configuration file: {{hc|/etc/openvpn/server.conf|client-to-client}}
 +
 
 +
In order for another client or client LAN to see a specific client LAN you will need to add a push directive for each client subnet to the server configuration file (this will make the server announce the available subnet(s) to other clients):
 +
 
 +
{{hc|/etc/openvpn/server.conf|
 +
client-to-client
 +
push "route 192.168.4.0 255.255.255.0"
 +
push "route 192.168.5.0 255.255.255.0"
 +
.
 +
.
 +
}}
 +
 
 +
{{Note|As always, make sure that the routing is properly configured.}}
 +
 
 +
==L2 Ethernet bridging==
 +
 
 +
{{Expansion|Please add a well thought out section on L2 bridging.}}
 +
 
 +
For now see: [[OpenVPN Bridge]]
 +
 
 +
==Contributions that do not yet fit into the main article==
  
{{hc|/etc/openvpn/server.conf|route 192.168.4.0 255.255.255.0}}
+
{{Accuracy|Not quite sure where this fits into the main article yet}}
  
 
===Routing client traffic through the server===
 
===Routing client traffic through the server===
Line 407: Line 422:
 
}}
 
}}
  
==L2 Ethernet bridging==
 
 
{{Expansion|Please add a well thought out section on L2 bridging.}}
 
 
For now see: [[OpenVPN Bridge]]
 
  
==Configuring LDAP authorization==
+
===Configuring LDAP authorization===
 
   
 
   
 
{{Accuracy|what does the following do, and is the package still supported?}}
 
{{Accuracy|what does the following do, and is the package still supported?}}
 
You may also want to install {{AUR|openvpn-authldap-plugin}}, available in the [[Arch User Repository]].
 
You may also want to install {{AUR|openvpn-authldap-plugin}}, available in the [[Arch User Repository]].
  
==Deprecated older wiki content==
+
===Deprecated older wiki content===
  
 
{{Accuracy|See how this older content can be fitted into the new article}}
 
{{Accuracy|See how this older content can be fitted into the new article}}
  
===Using PAM and passwords to authenticate===
+
====Using PAM and passwords to authenticate====
 
{{bc|
 
{{bc|
 
port 1194
 
port 1194
Line 451: Line 461:
 
}}
 
}}
  
===Using certs to authenticate===
+
====Using certs to authenticate====
 
{{bc|
 
{{bc|
 
port 1194
 
port 1194
Line 477: Line 487:
 
}}
 
}}
  
===Routing traffic through the server===
+
====Routing traffic through the server====
  
 
Append the following to your server's openvpn.conf configuration file:
 
Append the following to your server's openvpn.conf configuration file:
Line 505: Line 515:
 
}}
 
}}
  
===Setting up the Client===
+
====Setting up the Client====
 
The clientside .conf file
 
The clientside .conf file
====With password authentication====
+
=====With password authentication=====
 
{{bc|
 
{{bc|
 
client
 
client
Line 526: Line 536:
 
* second - password
 
* second - password
  
====Certs authentication====
+
=====Certs authentication=====
 
{{bc|
 
{{bc|
 
client
 
client
Line 554: Line 564:
 
To have the '''tun''' module loaded automatically at boot time add it to the Modules line in /etc/rc.conf
 
To have the '''tun''' module loaded automatically at boot time add it to the Modules line in /etc/rc.conf
  
====DNS====
+
=====DNS=====
 
The DNS servers used by the system are defined in '''/etc/resolv.conf'''.  Traditionally, this file is the responsibility of whichever program deals with connecting the system to the network (e.g. Wicd, NetworkManager, etc...)  However, OpenVPN will need to modify this file if you want to be able to resolve names on the remote side.  To achieve this in a sensible way, install '''openresolv''', which makes it possible for more than one program to modify resolv.conf without stepping on each-other's toes.  Before continuing, test openresolv by restarting your network connection and ensuring that resolv.conf states that it was generated by "resolvconf", and that your DNS resolution still works as before.  You should not need to configure openresolv; it should be automatically detected and used by your network system.
 
The DNS servers used by the system are defined in '''/etc/resolv.conf'''.  Traditionally, this file is the responsibility of whichever program deals with connecting the system to the network (e.g. Wicd, NetworkManager, etc...)  However, OpenVPN will need to modify this file if you want to be able to resolve names on the remote side.  To achieve this in a sensible way, install '''openresolv''', which makes it possible for more than one program to modify resolv.conf without stepping on each-other's toes.  Before continuing, test openresolv by restarting your network connection and ensuring that resolv.conf states that it was generated by "resolvconf", and that your DNS resolution still works as before.  You should not need to configure openresolv; it should be automatically detected and used by your network system.
  
Line 625: Line 635:
 
Now, when your launch your OpenVPN connection, you should find that your resolv.conf file is updated accordingly, and also returns to normal when your close the connection.
 
Now, when your launch your OpenVPN connection, you should find that your resolv.conf file is updated accordingly, and also returns to normal when your close the connection.
  
===Connecting to the Server===
+
=====Webmin=====
 +
 
 +
{{AUR|webmin-plugin-openvpn}} is available in the [[AUR]].
 +
{{Note|You must add "openvpn" to the end of /etc/webmin/webmin.acl.}}
 +
 
 +
====Connecting to the Server====
 
You need to start the service on the server
 
You need to start the service on the server
 
{{bc|
 
{{bc|

Revision as of 20:25, 12 November 2012

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: (at least) add support for ipv6 and L2 ethernet bridging (Discuss in Talk:OpenVPN#)

This article describes a basic installation and configuration of OpenVPN, suitable for private and small business use. For more detailed information, please see the official OpenVPN 2.2 man page and the OpenVPN documentation.

OpenVPN is a robust and highly flexible VPN daemon. OpenVPN supports SSL/TLS security, ethernet bridging, TCP or UDP tunnel transport through proxies or NAT, support for dynamic IP addresses and DHCP, scalability to hundreds or thousands of users, and portability to most major OS platforms.

OpenVPN is tightly bound to the OpenSSL library, and derives much of its crypto capabilities from it.

OpenVPN supports conventional encryption using a pre-shared secret key (Static Key mode) or public key security (SSL/TLS mode) using client & server certificates. OpenVPN also supports non-encrypted TCP/UDP tunnels.

OpenVPN is designed to work with the TUN/TAP virtual networking interface that exists on most platforms.

Overall, OpenVPN aims to offer many of the key features of IPSec but with a relatively lightweight footprint.

OpenVPN was written by James Yonan and is published under the GNU General Public License (GPL).

Install OpenVPN

Install openvpn from the official repositories.

Note: The software contained in this package supports both server and client mode, so install it on all machines that need to create vpn connections.

Configure the system for TUN/TAP support

OpenVPN requires TUN/TAP support. Make sure to load the TUN module.

/etc/modules-load.d/tun.conf
# Load tun.ko at boot
tun

The default kernel is already properly configured, but if you use another kernel make sure to enable the TUN/TAP module. If $ zgrep CONFIG_TUN /proc/config.gz returns CONFIG_TUN=n, make the following change to the kernel config file and rebuild the kernel.

Kernel config file
 Device Drivers
  --> Network device support
    [M] Universal TUN/TAP device driver support

Connect to a VPN provided by a third party

To connect to a VPN provided by a third party, most of the following can most likely be ignored. Use the certificates and instructions given by your provider, for instance see: Airvpn.

Create a Public Key Infrastructure (PKI) from scratch

If you are setting up OpenVPN from scratch, you will need to create a Public Key Infrastructure (PKI).

Create the needed certificates and keys by following: Create a Public Key Infrastructure Using the easy-rsa Scripts.

The final step of the key creation process is to copy the files needed to the correct machines through a secure channel.

Note: The rest of this article assumes that the keys and certificates are placed in /etc/openvpn.

The public ca.crt certificate is needed on all servers and clients. The private ca.key key is secret and only needed on the key generating machine.

A server needs server.crt, and dh2048.pem (public), and server.key and ta.key (private).

A client needs client.crt (public), and client.key and ta.key (private).

A basic L3 IP routing configuration

Note: Unless otherwise explicitly stated, the rest of this article assumes this basic configuration.

OpenVPN is an extremely versatile piece of software and many configurations are possible, in fact machines can be both "servers" and "clients", blurring the distinction between server and client.

What really distinguishes a server from a client (apart from the type of certificate used) is the configuration file itself. The openvpn daemon startup script reads all the .conf configuration files it finds in /etc/openvpn on startup and acts accordingly. In fact if it finds more than one configuration file, it will start one OpenVPN processes per configuration file.

This article explains how to setup a server called elmer, and a client that connects to it called bugs. More servers and clients can easily be added, by creating more key/certificate pairs and adding more server and client configuration files.

The OpenVPN package comes with a collection of example configuration files for different purposes. The sample server and client configuration files make an ideal starting point for a basic OpenVPN setup with the following features:

  • Uses Public Key Infrastructure (PKI) for authentication.
  • Creates a VPN using a virtual TUN network interface (OSI L3 IP routing).
  • Listens for client connections on UDP port 1194 (OpenVPN's official IANA port number).
  • Distributes virtual addresses to connecting clients from the 10.8.0.0/24 subnet.

For more advanced configurations, please see the official OpenVPN 2.2 man page and the OpenVPN documentation.

The server configuration file

Copy the example server configuration file to /etc/openvpn/server.conf

# cp /usr/share/openvpn/examples/server.conf /etc/openvpn/server.conf

Edit the following:

  • The ca, cert, key, and dh parameters to reflect the path and names of the keys and certificates. Specifying the paths will allow you to run the OpenVPN executable from any directory for testing purposes.
  • Enable the SSL/TLS HMAC handshake protection. Note the use of the parameter 0 for a server.
  • It is recommended to run OpenVPN with reduced privileges once it has initialized, do this by uncommenting the user and group directives.
/etc/openvpn/server.conf
ca /etc/openvpn/ca.crt
cert /etc/openvpn/elmer.crt
key /etc/openvpn/elmer.key

dh /etc/openvpn/dh2048.pem
.
.
tls-auth /etc/openvpn/ta.key 0
.
.
user nobody
group nobody
Note: Note that if the server is behind a firewall or a NAT translating router, you will have to forward the OpenVPN UDP port (1194) to the server.

The client configuration file

Copy the example client configuration file to /etc/openvpn/client.conf

# cp /usr/share/openvpn/examples/client.conf /etc/openvpn/client.conf

Edit the following:

  • The remote directive to reflect either the server's Fully Qualified Domain Name hostname (as known to the client) or its IP address.
  • Uncomment the user and group directives to drop privileges.
  • The ca, cert, and key parameters to reflect the path and names of the keys and certificates.
  • Enable the SSL/TLS HMAC handshake protection. Note the use of the parameter 1 for a client.
/etc/openvpn/client.conf
remote elmer.acmecorp.org 1194
.
.
user nobody
group nobody
.
.
ca /etc/openvpn/ca.crt
cert /etc/openvpn/bugs.crt
key /etc/openvpn/bugs.key
.
.
tls-auth /etc/openvpn/ta.key 1

Testing the OpenVPN configuration

Run # openvpn /etc/openvpn/server.conf on the server, and # openvpn /etc/openvpn/client.conf on the client. You should see something similar to this:

# openvpn /etc/openvpn/server.conf
Wed Dec 28 14:41:26 2011 OpenVPN 2.2.1 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011
Wed Dec 28 14:41:26 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Dec 28 14:41:26 2011 Diffie-Hellman initialized with 2048 bit key
.
.
Wed Dec 28 14:41:54 2011 bugs/95.126.136.73:48904 MULTI: primary virtual IP for bugs/95.126.136.73:48904: 10.8.0.6
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 PUSH: Received control message: 'PUSH_REQUEST'
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 SENT CONTROL [bugs]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
# openvpn /etc/openvpn/client.conf
Wed Dec 28 14:41:50 2011 OpenVPN 2.2.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011
Wed Dec 28 14:41:50 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Dec 28 14:41:50 2011 LZO compression initialized
.
.
Wed Dec 28 14:41:57 2011 GID set to nobody
Wed Dec 28 14:41:57 2011 UID set to nobody
Wed Dec 28 14:41:57 2011 Initialization Sequence Completed

On the server, find the IP assigned to the tunX device:

# ip addr show
.
.
40: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0

Here we see that the server end of the tunnel has been given the IP address 10.8.0.1.

Do the same on the client:

# ip addr show
.
.
37: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0

And the client side has been given the IP 10.8.0.6.

Now try pinging the interfaces.

On the server:

# ping -c3 10.8.0.6
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.
64 bytes from 10.8.0.6: icmp_req=1 ttl=64 time=238 ms
64 bytes from 10.8.0.6: icmp_req=2 ttl=64 time=237 ms
64 bytes from 10.8.0.6: icmp_req=3 ttl=64 time=205 ms

--- 10.8.0.6 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 205.862/227.266/238.788/15.160 ms

On the client:

# ping -c3 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=158 ms
64 bytes from 10.8.0.1: icmp_req=2 ttl=64 time=158 ms
64 bytes from 10.8.0.1: icmp_req=3 ttl=64 time=157 ms

--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 157.426/158.278/158.940/0.711 ms

You now have a working OpenVPN installation, and your client (bugs) will be able to use services on the server (elmer), and vice versa.

Note: If using a firewall, make sure that ip packets on the TUN device are not blocked.

Starting OpenVPN

Manual startup

To manually start with a specific configuration file: # openvpn /etc/openvpn/client.conf

Initscripts startup

To manually start as a daemon # rc.d start openvpn

To start as a daemon at boot, add openvpn to the daemons array in /etc/rc.conf

Note: Starting as a daemon will start one process per valid configuration file found.

Systemd service configuration

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: Please add information on how to start several openvpn processes with systemd (Discuss in Talk:OpenVPN#)

Since version 2.2.2-2, a service file is included by default. To start an OpenVPN daemon using /etc/openvpn/client.conf and enable it permanently:

# systemctl enable openvpn@client.service
# systemctl start openvpn@client.service

Respectively using /etc/openvpn/server.conf:

# systemctl enable openvpn@server.service
# systemctl start openvpn@server.service

Advanced L3 IP routing

Prerequisites for routing a LAN

IPv4 forwarding

For a host to be able to forward IPv4 packets between the LAN and VPN, it must be able to forward the packets between its NIC and its tun/tap device.

Edit etc/sysctl.conf to permanently enable ipv4 packet forwarding (takes effect at the next boot):

/etc/sysctl.conf
# Enable packet forwarding
net.ipv4.ip_forward=1

To temporarily enable without rebooting: # echo 1 > /proc/sys/net/ipv4/ip_forward

Promiscious LAN inteface

The forwarding host's NIC (eth0 in the following examples) must also be able to accept packets for a different IP address than it is configured for, something known as promiscious mode. To enable, add the following to /etc/rc.local (takes effect at the next boot):

/etc/rc.local
ip link set dev eth0 promisc on

To temporarily enable without rebooting: # ip link set dev eth0 promisc on

To set the eth0 in promiscuous mode using systemd use this service file and enable it using:

 # systemctl enable promiscuous@eth0.service

Routing tables

Tango-inaccurate.pngThe factual accuracy of this article or section is disputed.Tango-inaccurate.png

Reason: Investigate if a routing protocol like RIP, QUAGGA, BIRD, etc can be used (Discuss in Talk:OpenVPN#)

By default, all IP packets on a LAN addressed to a different subnet get sent to the default gateway. If the LAN/VPN gateway is also the default gateway, there is no problem and the packets get properly forwarded. If not, the gateway has no way of knowing where to send the packets. There are a couple of solutions to this problem.

  • Add a static route to the default gateway routing the VPN subnet to the LAN/VPN gateway's IP address.
  • Add a static route on each host on the LAN that needs to send IP packets back to the VPN.
  • Use iptables' NAT feature on the LAN/VPN gateway to masquerade the incoming VPN IP packets.

Connect the server LAN to a client

The server is on a LAN using the 10.66.0.0/24 subnet. To inform the client about the available subnet, add a push directive to the server configuration file:
/etc/openvpn/server.conf
push "route 10.66.0.0 255.255.255.0"
Note: Remember to enable ipv4 forwarding and to make the LAN interface promiscuous on the server. Make sure the server LAN knows how to reach the VPN client.
Note: To route more LANs from the server to the client, add more push directives to the server configuration file, but keep in mind that the server side LANs will need to know how to route to the client.

Connect the client LAN to a server

Prerequisites:

  • Any subnets used on the client side, must be unique and not in use on the server or by any other client. In this example we will use 192.168.4.0/24 for the clients LAN.
  • Each client's certificate has a unique Common Name, in this case bugs.
  • The server may not use the duplicate-cn directive in its config file.

Create a client configuration directory on the server. It will be searched for a file named the same as the client's common name, and the directives will be applied to the client when it connects.

# mkdir -p /etc/openvpn/ccd

Create a file in the client configuration directory called bugs, containing the iroute 192.168.4.0 255.255.255.0 directive. It tells the server what subnet should be routed to the client:

/etc/openvpn/ccd/bugs
iroute 192.168.4.0 255.255.255.0

Add the client-config-dir and the route 192.168.4.0 255.255.255.0 directive to the server configuration file. It tells the server what subnet should be routed from the tun device to the server LAN:

/etc/openvpn/server.conf
client-config-dir ccd
route 192.168.4.0 255.255.255.0
Note: Remember to enable ipv4 forwarding and to make the LAN interface promiscuous on the client. Make sure the client LAN knows how to reach the VPN server.
Note: To route more LANs from the client to the server, add more iroute and route directives to the appropriate configuration files, but keep in mind that the client side LANs will need to know how to route to the server.

Connect both the client and server LANs

Combine the two previous sections:

/etc/openvpn/server.conf
push "route 10.66.0.0 255.255.255.0"
.
.
client-config-dir ccd
route 192.168.4.0 255.255.255.0


/etc/openvpn/ccd/bugs
iroute 192.168.4.0 255.255.255.0


Note: Remember to enable ipv4 forwarding and to make the LAN interfaces promiscuous on both the client and the server. Make sure that all the LANs or the needed hosts can route to all the destinations.

Connect clients and client LANs

By default clients will not see each other, to allow ip packets to flow between clients and/or client LANs add a client-to-client directive to the server configuration file:
/etc/openvpn/server.conf
client-to-client

In order for another client or client LAN to see a specific client LAN you will need to add a push directive for each client subnet to the server configuration file (this will make the server announce the available subnet(s) to other clients):

/etc/openvpn/server.conf
client-to-client
push "route 192.168.4.0 255.255.255.0"
push "route 192.168.5.0 255.255.255.0"
.
.
Note: As always, make sure that the routing is properly configured.

L2 Ethernet bridging

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: Please add a well thought out section on L2 bridging. (Discuss in Talk:OpenVPN#)

For now see: OpenVPN Bridge

Contributions that do not yet fit into the main article

Tango-inaccurate.pngThe factual accuracy of this article or section is disputed.Tango-inaccurate.png

Reason: Not quite sure where this fits into the main article yet (Discuss in Talk:OpenVPN#)

Routing client traffic through the server

Append the following to your server's openvpn.conf configuration file:

push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.1"

Change "192.168.1.1" to your preferred DNS IP address.

If you have problems with non responsive DNS after connecting to server, install BIND as simple DNS forwarder and push openvpn ip address of server as DNS to clients.

Configure ufw for routing

Configure your ufw settings to enable routing traffic from clients through server.

You must change default forward policy, edit /etc/sysctl.conf to permanently enable ipv4 packet forwarding. Takes effect at the next boot.

/etc/sysctl.conf
# Enable packet forwarding
net.ipv4.ip_forward=1

And then configure ufw in /etc/default/ufw

/etc/default/ufw
DEFAULT_FORWARD_POLICY=”ACCEPT”

Now change /etc/ufw/before.rules, add following code after header and before *filter line, don't forget to change ip range to yours

/etc/ufw/before.rules
# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Allow traffic from clients to eth0
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

# don.t delete the .COMMIT. line or these nat table rules won.t be processed
COMMIT

Open openvpn port 1194

ufw allow 1194

usage of iptables

Use an iptable for NAT forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

If running ArchLinux in a OpenVZ VPS environment [1]:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to (venet0 ip)

If all is well, make the changes permanent:

Edit /etc/conf.d/iptables and change IPTABLES_FORWARD=1

/etc/rc.d/iptables save


Configuring LDAP authorization

Tango-inaccurate.pngThe factual accuracy of this article or section is disputed.Tango-inaccurate.png

Reason: what does the following do, and is the package still supported? (Discuss in Talk:OpenVPN#)

You may also want to install openvpn-authldap-pluginAUR, available in the Arch User Repository.

Deprecated older wiki content

Tango-inaccurate.pngThe factual accuracy of this article or section is disputed.Tango-inaccurate.png

Reason: See how this older content can be fitted into the new article (Discuss in Talk:OpenVPN#)

Using PAM and passwords to authenticate

port 1194
proto udp
dev tap
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/<MYSERVER>.crt
key /etc/openvpn/easy-rsa/keys/<MYSERVER>.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 192.168.56.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;learn-address ./script
client-to-client
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0
comp-lzo
;max-clients 100
;user nobody
;group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-cert-not-required
username-as-common-name
plugin /usr/lib/openvpn/openvpn-auth-pam.so login

Using certs to authenticate

port 1194
proto tcp
dev tun0

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/<MYSERVER>.crt
key /etc/openvpn/easy-rsa/keys/<MYSERVER>.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3

log-append /var/log/openvpn
status /tmp/vpn.status 10

Routing traffic through the server

Append the following to your server's openvpn.conf configuration file:

push "dhcp-option DNS 192.168.1.1"
push "redirect-gateway def1"

Change "192.168.1.1" to your external DNS IP address.

Use an iptable for NAT forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

If running ArchLinux in a OpenVZ VPS environment [2]:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to (venet0 ip)

If all is well, make the changes permanent:

Edit /etc/conf.d/iptables and change IPTABLES_FORWARD=1

/etc/rc.d/iptables save

Setting up the Client

The clientside .conf file

With password authentication
client
dev tap
proto udp
remote <address> 1194
resolv-retry infinite
nobind
persist-tun
comp-lzo
verb 3
auth-user-pass passwd
ca ca.crt

passwd file (referenced by auth-user-pass) must contain two lines:

  • first line - username
  • second - password
Certs authentication
client
remote <MYSERVER> 1194
dev tun0
proto tcp
resolv-retry infinite
nobind
persist-key
persist-tun
verb 2
ca ca.crt
cert client1.crt
key client1.key
comp-lzo

Copy three files from server to remote computer.

ca.crt
client1.crt
client1.key

Install the tunnel/tap module:

 # sudo modprobe tun

To have the tun module loaded automatically at boot time add it to the Modules line in /etc/rc.conf

DNS

The DNS servers used by the system are defined in /etc/resolv.conf. Traditionally, this file is the responsibility of whichever program deals with connecting the system to the network (e.g. Wicd, NetworkManager, etc...) However, OpenVPN will need to modify this file if you want to be able to resolve names on the remote side. To achieve this in a sensible way, install openresolv, which makes it possible for more than one program to modify resolv.conf without stepping on each-other's toes. Before continuing, test openresolv by restarting your network connection and ensuring that resolv.conf states that it was generated by "resolvconf", and that your DNS resolution still works as before. You should not need to configure openresolv; it should be automatically detected and used by your network system.

Next, save the following script at /usr/share/openvpn/update-resolv-conf:

#!/bin/bash
#
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood <jdthood@yahoo.co.uk>
# and Chris Hanson
# Licensed under the GNU GPL.  See /usr/share/common-licenses/GPL.
#
# 05/2006 chlauber@bnc.ch
#
# Example envs set from openvpn:
# foreign_option_1='dhcp-option DNS 193.43.27.132'
# foreign_option_2='dhcp-option DNS 193.43.27.133'
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'

[ -x /usr/sbin/resolvconf ] || exit 0

case $script_type in

up)
   for optionname in ${!foreign_option_*} ; do
      option="${!optionname}"
      echo $option
      part1=$(echo "$option" | cut -d " " -f 1)
      if [ "$part1" == "dhcp-option" ] ; then
         part2=$(echo "$option" | cut -d " " -f 2)
         part3=$(echo "$option" | cut -d " " -f 3)
         if [ "$part2" == "DNS" ] ; then
            IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
         fi
         if [ "$part2" == "DOMAIN" ] ; then
            IF_DNS_SEARCH="$part3"
         fi
      fi
   done
   R=""
   if [ "$IF_DNS_SEARCH" ] ; then
           R="${R}search $IF_DNS_SEARCH
"
   fi
   for NS in $IF_DNS_NAMESERVERS ; do
           R="${R}nameserver $NS
"
   done
   echo -n "$R" | /usr/sbin/resolvconf -a "${dev}.inet"
   ;;
down)
   /usr/sbin/resolvconf -d "${dev}.inet"
   ;;
esac

Remember to make the file executable with:

 $ chmod +x /usr/share/openvpn/update-resolv-conf

Next, add the following lines to your OpenVPN client configuration file:

script-security 2
up /usr/share/openvpn/update-resolv-conf
down /usr/share/openvpn/update-resolv-conf

Now, when your launch your OpenVPN connection, you should find that your resolv.conf file is updated accordingly, and also returns to normal when your close the connection.

Webmin

webmin-plugin-openvpnAUR is available in the AUR.

Note: You must add "openvpn" to the end of /etc/webmin/webmin.acl.

Connecting to the Server

You need to start the service on the server

/etc/rc.d/openvpn start

You can add it to rc.conf to make it permanet.

On the client, in the home directory create a folder that will hold your OpenVPN client config files along with the .crt/.key files. Assuming your OpenVPN config folder is called .openvpn and your client config file is vpn1.conf, to connect to the server issue the following command:

cd ~/.openvpn && sudo openvpn vpn1.conf