Difference between revisions of "OpenVPN"

From ArchWiki
Jump to: navigation, search
m (Connect to a VPN provided by a third party)
(Update resolv-conf script: the most recent mod is not true in my experience)
 
(228 intermediate revisions by 66 users not shown)
Line 1: Line 1:
 
[[Category:Virtual Private Network]]
 
[[Category:Virtual Private Network]]
 
[[de:OpenVPN]]
 
[[de:OpenVPN]]
 +
[[ja:OpenVPN]]
 +
[[ru:OpenVPN]]
 
[[zh-CN:OpenVPN]]
 
[[zh-CN:OpenVPN]]
{{Expansion|(at least) add support for IPv6 and L2 Ethernet bridging}}
+
{{Related articles start}}
 +
{{Related|OpenVPN in Linux containers}}
 +
{{Related|Easy-RSA}}
 +
{{Related articles end}}
  
This article describes a basic installation and configuration of [http://openvpn.net OpenVPN], suitable for private and small business use. For more detailed information, please see the [https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage OpenVPN 2.3 man page] and the [http://openvpn.net/index.php/open-source/documentation OpenVPN documentation].
+
This article describes a basic installation and configuration of [http://openvpn.net OpenVPN], suitable for private and small business use. For more detailed information, please see the [https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage OpenVPN 2.3 man page] and the [http://openvpn.net/index.php/open-source/documentation OpenVPN documentation]. OpenVPN is a robust and highly flexible [[Wikipedia:VPN|VPN]] daemon. It supports [[Wikipedia:SSL/TLS|SSL/TLS]] security, [[Wikipedia:Bridging_(networking)|Ethernet bridging]], [[Wikipedia:Transmission_Control_Protocol|TCP]] or [[Wikipedia:User_Datagram_Protocol|UDP]] [[Wikipedia:Tunneling_protocol|tunnel transport]] through [[Wikipedia:Proxy_server|proxies]] or [[Wikipedia:Network address translation|NAT]]. Additionally it has support for dynamic IP addresses and [[Wikipedia:Dynamic_Host_Configuration_Protocol|DHCP]], scalability to hundreds or thousands of users, and portability to most major OS platforms.
  
OpenVPN is a robust and highly flexible [[Wikipedia:VPN|VPN]] daemon. OpenVPN supports [[Wikipedia:SSL/TLS|SSL/TLS]] security, [[Wikipedia:Bridging_(networking)|Ethernet bridging]], [[Wikipedia:Transmission_Control_Protocol|TCP]] or [[Wikipedia:User_Datagram_Protocol|UDP]] [[Wikipedia:Tunneling_protocol|tunnel transport]] through [[Wikipedia:Proxy_server|proxies]] or [[Wikipedia:Network address translation|NAT]], support for dynamic IP addresses and [[Wikipedia:Dynamic_Host_Configuration_Protocol|DHCP]], scalability to hundreds or thousands of users, and portability to most major OS platforms.
+
OpenVPN is tightly bound to the [http://www.openssl.org OpenSSL] library, and derives much of its crypto capabilities from it. It supports conventional encryption using a [[Wikipedia:Pre-shared_key|pre-shared secret key]] (Static Key mode) or [[Wikipedia:Public_key|public key security]] ([[Wikipedia:SSL/TLS|SSL/TLS]] mode) using client & server certificates. Additionally it supports unencrypted TCP/UDP tunnels.
  
OpenVPN is tightly bound to the [http://www.openssl.org OpenSSL] library, and derives much of its crypto capabilities from it.
+
OpenVPN is designed to work with the [[Wikipedia:TUN/TAP|TUN/TAP]] virtual networking interface that exists on most platforms. Overall, it aims to offer many of the key features of [[Wikipedia:Ipsec|IPSec]] but with a relatively lightweight footprint. OpenVPN was written by James Yonan and is published under the [[Wikipedia:GNU General Public License|GNU General Public License (GPL)]].
 
+
OpenVPN supports conventional encryption using a [[Wikipedia:Pre-shared_key|pre-shared secret key]] (Static Key mode) or [[Wikipedia:Public_key|public key security]] ([[Wikipedia:SSL/TLS|SSL/TLS]] mode) using client & server certificates. OpenVPN also supports unencrypted TCP/UDP tunnels.
+
 
+
OpenVPN is designed to work with the [[Wikipedia:TUN/TAP|TUN/TAP]] virtual networking interface that exists on most platforms.
+
 
+
Overall, OpenVPN aims to offer many of the key features of [[Wikipedia:Ipsec|IPSec]] but with a relatively lightweight footprint.
+
 
+
OpenVPN was written by James Yonan and is published under the [[Wikipedia:GNU General Public License|GNU General Public License (GPL)]].
+
  
 
== Install OpenVPN ==
 
== Install OpenVPN ==
  
[[pacman|Install]] {{Pkg|openvpn}} from the [[official repositories]].
+
[[Install]] the {{Pkg|openvpn}} package.
  
 
{{Note|The software contained in this package supports both server and client mode, so install it on all machines that need to create VPN connections.}}
 
{{Note|The software contained in this package supports both server and client mode, so install it on all machines that need to create VPN connections.}}
  
== Configure the system for TUN/TAP support ==
+
== Kernel configuration ==
 
+
OpenVPN requires TUN/TAP support, which is already configured in the default kernel. Users of custom kernel should make sure to enable the {{ic|tun}} module:
OpenVPN requires TUN/TAP support. Make sure to load at boot the {{ic|tun}} module.
+
 
+
Read [[Kernel modules]] for more information.
+
 
+
The default kernel is already properly configured, but if you use another kernel make sure to enable the TUN/TAP module.  If {{ic|$ zgrep CONFIG_TUN /proc/config.gz}} returns {{ic|1=CONFIG_TUN=n}}, make the following change to the kernel config file and rebuild the kernel.
+
  
 
{{hc|Kernel config file|
 
{{hc|Kernel config file|
Line 36: Line 28:
 
   --> Network device support
 
   --> Network device support
 
     [M] Universal TUN/TAP device driver support}}
 
     [M] Universal TUN/TAP device driver support}}
 +
 +
Read [[Kernel modules]] for more information.
  
 
== Connect to a VPN provided by a third party ==
 
== Connect to a VPN provided by a third party ==
  
To connect to a VPN provided by a third party, most of the following can most likely be ignored.  Use the certificates and instructions given by your provider, for instance see: [[Airvpn]].
+
To connect to a VPN service provided by a third party, most of the following can most likely be ignored, especially regarding server setup. Begin with [[#The client config profile (OpenVPN)|#The client config profile]] and skip ahead to [[#Starting OpenVPN]] after thatOne should use the provider certificates and instructions, for instance see: [[Airvpn]].
  
{{Note|To connect to servers of the most VPN providers that offer free service, one can plainly use [[pptpd]] since most offers only this protocol.}}
+
{{Note|Most free VPN providers will (often only) offer [[PPTP server|PPTP]], which is drastically easier to setup and configure, but is [http://poptop.sourceforge.net/dox/protocol-security.phtml not secure].}}
  
 
== Create a Public Key Infrastructure (PKI) from scratch ==
 
== Create a Public Key Infrastructure (PKI) from scratch ==
  
If you are setting up OpenVPN from scratch, you will need to create a [[Wikipedia:Public key infrastructure|Public Key Infrastructure (PKI)]].
+
When setting up an OpenVPN server, users need to create a [[Wikipedia:Public key infrastructure|Public Key Infrastructure (PKI)]] which is detailed in the [[easy-rsa]] article. Once the needed certificates, private keys, and associated files are created via following the steps in the separate article, one should have 5 files in {{ic|/etc/openvpn}} at this point:
 
+
*{{ic|/etc/openvpn/ca.crt}}
Create the needed certificates and keys by following: [[Create a Public Key Infrastructure Using the easy-rsa Scripts]].
+
*{{ic|/etc/openvpn/dh.pem}}
 
+
*{{ic|/etc/openvpn/servername.crt}} and {{ic|/etc/openvpn/servername.key}}
The final step of the key creation process is to copy the files needed to the correct machines through a secure channel.
+
*{{ic|/etc/openvpn/ta.key}}
 
+
{{Note|The rest of this article assumes that the keys and certificates are placed in {{ic|/etc/openvpn}}.}}
+
 
+
The public ca.crt certificate is needed on all servers and clients. The private ca.key key is secret and only needed on the key generating machine.
+
 
+
A server needs server.crt, dh2048.pem (public), server.key, and ta.key (private).
+
+
A client needs client.crt (public), client.key, and ta.key (private).
+
  
 
== A basic L3 IP routing configuration ==
 
== A basic L3 IP routing configuration ==
Line 65: Line 51:
 
OpenVPN is an extremely versatile piece of software and many configurations are possible, in fact machines can be both "servers" and "clients", blurring the distinction between server and client.
 
OpenVPN is an extremely versatile piece of software and many configurations are possible, in fact machines can be both "servers" and "clients", blurring the distinction between server and client.
  
What really distinguishes a server from a client (apart from the type of certificate used) is the configuration file itself. The OpenVPN daemon start-up script reads all the .conf configuration files it finds in {{ic|/etc/openvpn}} on start-up and acts accordingly. If it finds more than one configuration file, it will start one OpenVPN process per configuration file.
+
What really distinguishes a server from a client (apart from the type of certificate used) is the configuration file itself. The OpenVPN daemon start-up script reads all the *.conf configuration files it finds in {{ic|/etc/openvpn}} on start-up and acts accordingly. If it finds more than one configuration file, it will start one OpenVPN process per configuration file.
  
This article explains how to set up a server named elmer and a client that connects to it named bugs. More servers and clients can easily be added by creating more key/certificate pairs and adding more server and client configuration files.
+
This article explains how to set up a server named {{ic|elmer}} and a client that connects to it named {{ic|bugs}}. More servers and clients can easily be added by creating more key/certificate pairs and adding more server and client configuration files.
  
 +
=== Example configuration ===
 
The OpenVPN package comes with a collection of example configuration files for different purposes. The sample server and client configuration files make an ideal starting point for a basic OpenVPN setup with the following features:
 
The OpenVPN package comes with a collection of example configuration files for different purposes. The sample server and client configuration files make an ideal starting point for a basic OpenVPN setup with the following features:
  
Line 76: Line 63:
 
* Distributes virtual addresses to connecting clients from the 10.8.0.0/24 subnet.
 
* Distributes virtual addresses to connecting clients from the 10.8.0.0/24 subnet.
  
For more advanced configurations, please see the official [http://openvpn.net/index.php/manuals/427-openvpn-22.html OpenVPN 2.2 man page] and the [http://openvpn.net/index.php/open-source/documentation OpenVPN documentation].
+
For more advanced configurations, please see the official [https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage OpenVPN 2.3 man page] and the [http://openvpn.net/index.php/open-source/documentation OpenVPN documentation].
  
 
=== The server configuration file ===
 
=== The server configuration file ===
 +
{{Note|Note that if the server is behind a firewall or a NAT translating router, the OpenVPN port must be forward on to the server.}}
  
 
Copy the example server configuration file to {{ic|/etc/openvpn/server.conf}}:
 
Copy the example server configuration file to {{ic|/etc/openvpn/server.conf}}:
Line 84: Line 72:
 
  # cp /usr/share/openvpn/examples/server.conf /etc/openvpn/server.conf
 
  # cp /usr/share/openvpn/examples/server.conf /etc/openvpn/server.conf
  
Edit the following:
+
Edit the file making a minimum of the following changes:
 
+
* The {{ic|ca}}, {{ic|cert}}, {{ic|key}}, and {{ic|dh}} parameters to reflect the path and names of the keys and certificates. Specifying the paths will allow you to run the OpenVPN executable from any directory for testing purposes.
+
* Enable the SSL/TLS HMAC handshake protection. '''Note the use of the parameter 0 for a server'''.
+
* It is recommended to run OpenVPN with reduced privileges once it has initialized. Do this by uncommenting the {{ic|user}} and {{ic|group}} directives.
+
  
 
{{hc|/etc/openvpn/server.conf|
 
{{hc|/etc/openvpn/server.conf|
 
ca /etc/openvpn/ca.crt
 
ca /etc/openvpn/ca.crt
cert /etc/openvpn/elmer.crt
+
cert /etc/openvpn/servername.crt
key /etc/openvpn/elmer.key
+
key /etc/openvpn/servername.key # This file should be kept secret
 
+
dh /etc/openvpn/dh.pem
dh /etc/openvpn/dh2048.pem
+
.
+
 
.
 
.
 
tls-auth /etc/openvpn/ta.key '''0'''
 
tls-auth /etc/openvpn/ta.key '''0'''
.
 
 
.
 
.
 
user nobody
 
user nobody
Line 105: Line 86:
 
}}
 
}}
  
{{Note|Note that if the server is behind a firewall or a NAT translating router, you will have to forward the OpenVPN UDP port (1194) to the server.}}
+
==== Hardening the server ====
 +
If security is a priority, additional configuration is recommended including: limiting the server to use a strong cipher/auth method and limiting the newer tls ciphers.  Do so by adding the following to {{ic|/etc/openvpn/server.conf}}
  
=== The client configuration file ===
+
{{hc|/etc/openvpn/server.conf|
 +
.
 +
cipher AES-256-CBC
 +
auth SHA512
 +
tls-version-min 1.2
 +
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
 +
.
 +
}}
 +
 
 +
{{Note|The .ovpn client profile MUST contain a matching cipher and auth line to work properly (at least with the iOS and Android client)!}}
 +
 
 +
==== Deviating from the standard port and/or protocol ====
 +
Some public/private network admins may not allow OpenVPN connections on its default port and/or protocol.  One strategy to circumvent this is to mimic https/SSL traffic which is very likely unobstructed.
 +
 
 +
To do so, configure {{ic|/etc/openvpn/server.conf}} as such:
 +
{{hc|/etc/openvpn/server.conf|
 +
.
 +
port 443
 +
proto tcp
 +
.
 +
}}
 +
 
 +
{{Note|The .ovpn client profile MUST contain a matching port and proto line to work properly!}}
 +
 
 +
===== TCP vs UDP =====
 +
There are subtle differences between TCP and UDP.
 +
 
 +
TCP
 +
* So-called "stateful protocol."
 +
* High reliability due to error correction (i.e. waits for packet acknowledgment).
 +
* Potentially slower than UDP.
 +
 
 +
UDP
 +
* So-called "stateless protocol."
 +
* Less reliable than TCP as no error correction is in use.
 +
* Potentially faster than TCP.
 +
 
 +
=== The client config profile (OpenVPN) ===
  
 
Copy the example client configuration file to {{ic|/etc/openvpn/client.conf}}:
 
Copy the example client configuration file to {{ic|/etc/openvpn/client.conf}}:
Line 122: Line 141:
 
{{hc|/etc/openvpn/client.conf|
 
{{hc|/etc/openvpn/client.conf|
 
remote elmer.acmecorp.org 1194
 
remote elmer.acmecorp.org 1194
.
 
 
.
 
.
 
user nobody
 
user nobody
 
group nobody
 
group nobody
.
 
.
 
 
ca /etc/openvpn/ca.crt
 
ca /etc/openvpn/ca.crt
cert /etc/openvpn/bugs.crt
+
cert /etc/openvpn/client.crt
key /etc/openvpn/bugs.key
+
key /etc/openvpn/client.key
.
+
 
.
 
.
 
tls-auth /etc/openvpn/ta.key '''1'''
 
tls-auth /etc/openvpn/ta.key '''1'''
 
}}
 
}}
 +
 +
==== Drop root privileges after connecting ====
 +
 +
Using the options {{ic|user nobody}} and {{ic|group nobody}} in the configuration file makes ''OpenVPN'' drop its privileges after establishing the connection. The downside is that upon VPN disconnect the daemon is unable to delete its set network routes again. If one wants to limit transmitting traffic without the VPN connection, then lingering routes are not desired. Further, it can happen that the OpenVPN server pushes updates to routes at runtime of the tunnel. A client with dropped privileges will be unable to perform the update and exit with an error.
 +
 +
As it could seem to require manual action to manage the routes, the options {{ic|user nobody}} and {{ic|group nobody}} might seem undesirable. Depending on setup, however, there are four ways to handle these situations:
 +
 +
* For errors of the unit, a simple way is to [[edit]] it and add a {{ic|1=Restart=on-failure}} to the {{ic|[Service]}} section. Though, this alone will not delete any obsoleted routes, so it may happen that the restarted tunnel is not routed properly.
 +
* The package contains the {{ic|/usr/lib/openvpn/plugins/openvpn-plugin-down-root.so}} (see README in its directory), which can be used to let ''openvpn'' fork a process with root privileges with the only task to execute a custom script when receiving a down signal from the main process, which is handling the tunnel with dropped privileges.[https://community.openvpn.net/openvpn/browser/plugin/down-root/README?rev=d02a86d37bed69ee3fb63d08913623a86c88da15]
 +
* The [https://openvpn.net/index.php/open-source/documentation/howto.html#security OpenVPN HowTo] explains another way how to create an unprivileged user mode and wrapper script to have the routes restored automatically.
 +
* Further, it is possible to let OpenVPN start as a non-privileged user in the first place, without ever running as root, see [https://community.openvpn.net/openvpn/wiki/UnprivilegedUser this OpenVPN wiki HowTo].
 +
 +
{{Note|The OpenVPN HowTos linked above create a dedicated non-privileged user/group, instead of the already existing {{ic|nobody}}. The advantage is that this avoids potential risks when sharing a user among daemons.}}
 +
 +
=== The client profile (generic for Linux, iOS, or Android) ===
 +
The {{AUR|ovpngen}} package provides a simple shell script that creates OpenVPN compatible tunnel profiles in the unified file format suitable for the iOS version of OpenVPN Connect as well as for the Android app.
 +
 +
Simply invoke the script with 5 tokens:
 +
# Server Fully Qualified Domain Name of the OpenVPN server (or IP address).
 +
# Full path to the CA cert.
 +
# Full path to the client cert.
 +
# Full path to the client private key.
 +
# Full path to the server TLS shared secret key.
 +
# Optionally a port number.
 +
# Optionally a protocol (udp or tcp).
 +
 +
Example:
 +
# ovpngen example.org /etc/openvpn/ca.crt /etc/easy-rsa/pki/signed/client1.crt /etc/easy-rsa/pki/private/client1.key /etc/openvpn/ta.key > iphone.ovpn
 +
 +
The resulting {{ic|iphone.ovpn}} can be edited if desired as the script does insert some commented lines.
 +
 +
{{Tip|If the server.conf contains a specified cipher and/or auth line, it is highly recommended that users manually edit the generated .ovpn file adding matching lines for cipher and auth.  Failure to do so may results in connection errors!}}
 +
 +
=== Converting certificates to encrypted .p12 format ===
 +
Some software will only read VPN certificates that are stored in a password-encrypted .p12 file. These can be generated with the following command:
 +
{{bc|# openssl pkcs12 -export -inkey keys/bugs.key -in keys/bugs.crt -certfile keys/ca.crt -out keys/bugs.p12}}
  
 
=== Testing the OpenVPN configuration ===
 
=== Testing the OpenVPN configuration ===
  
Run {{ic|# openvpn /etc/openvpn/server.conf}} on the server, and {{ic|# openvpn /etc/openvpn/client.conf}} on the client.  You should see something similar to this:
+
Run {{ic|# openvpn /etc/openvpn/server.conf}} on the server, and {{ic|# openvpn /etc/openvpn/client.conf}} on the client.  Example output should be similar to the following:
  
 
{{hc|# openvpn /etc/openvpn/server.conf|2=
 
{{hc|# openvpn /etc/openvpn/server.conf|2=
Line 213: Line 264:
 
rtt min/avg/max/mdev = 157.426/158.278/158.940/0.711 ms
 
rtt min/avg/max/mdev = 157.426/158.278/158.940/0.711 ms
 
}}
 
}}
 
You now have a working OpenVPN installation, and your client (bugs) will be able to use services on the server (elmer), and vice versa.
 
  
 
{{Note|If using a firewall, make sure that IP packets on the TUN device are not blocked.}}
 
{{Note|If using a firewall, make sure that IP packets on the TUN device are not blocked.}}
Line 223: Line 272:
  
 
Now it is time to configure the maximum segment size (MSS). In order to do this we need to discover what is the smallest MTU along the path between the client and server. In order to do this you can ping the server and disable fragmentation. Then specify the max packet size.
 
Now it is time to configure the maximum segment size (MSS). In order to do this we need to discover what is the smallest MTU along the path between the client and server. In order to do this you can ping the server and disable fragmentation. Then specify the max packet size.
 +
 +
{{Accuracy|Output is different - I do not see anything like {{ic|...Frag needed and DF set...}}}}
  
 
{{hc|# ping -c5 -M do -s 1500 elmer.acmecorp.org|2=
 
{{hc|# ping -c5 -M do -s 1500 elmer.acmecorp.org|2=
Line 255: Line 306:
 
{{hc|/etc/openvpn/client.conf|
 
{{hc|/etc/openvpn/client.conf|
 
remote elmer.acmecorp.org 1194
 
remote elmer.acmecorp.org 1194
.
+
...
.
+
 
fragment 548
 
fragment 548
mssfix
+
mssfix 548
.
+
...}}
.
+
user nobody
+
group nobody
+
.
+
.
+
ca /etc/openvpn/ca.crt
+
cert /etc/openvpn/bugs.crt
+
key /etc/openvpn/bugs.key
+
.
+
.
+
tls-auth /etc/openvpn/ta.key '''1'''
+
}}
+
  
 +
We also need to tell the server about the fragmentation. Note that "mssfix" is NOT needed in the server configuration.
 +
 +
{{Note|Clients that do not support the 'fragment' directive (e.g. OpenELEC, [https://forums.openvpn.net/topic13201.html#p31156 iOS app]) are not able to connect to a server that uses the 'fragment' directive. To support such clients, skip this section and configure the clients with the 'mtu-test' directive described below.}}
 +
 +
{{hc|/etc/openvpn/server.conf|
 +
...
 +
fragment 548
 +
}}
  
{{Note|This will add about 3 minutes to OpenVPN start time. It is advisable to configure the fragment size unless your client is a laptop that will be connecting over many different networks and the bottle neck is on the client side.}}
+
{{Note|The following will add about 3 minutes to OpenVPN start time. It is advisable to configure the fragment size unless your client is a laptop that will be connecting over many different networks and the bottle neck is on the client side.}}
  
You can also allow OpenVPN to do this for you by having OpenVPN do the ping testing every time the client connects to the VPN.
+
You can also allow OpenVPN to do this for you by having OpenVPN do the ping testing every time the client connects to the VPN. Be patient, since your client may not inform you about the test being run and the connection may appear as nonfunctional until finished.
 
{{hc|/etc/openvpn/client.conf|
 
{{hc|/etc/openvpn/client.conf|
 
remote elmer.acmecorp.org 1194
 
remote elmer.acmecorp.org 1194
.
+
...
.
+
 
mtu-test
 
mtu-test
.
+
...
.
+
user nobody
+
group nobody
+
.
+
.
+
ca /etc/openvpn/ca.crt
+
cert /etc/openvpn/bugs.crt
+
key /etc/openvpn/bugs.key
+
.
+
.
+
 
tls-auth /etc/openvpn/ta.key '''1'''
 
tls-auth /etc/openvpn/ta.key '''1'''
 
}}
 
}}
 +
 +
=== IPv6 ===
 +
==== Connect to the server via IPv6 ====
 +
 +
In order to enable Dual Stack for OpenVPN, you have to change {{ic|proto udp}} to {{ic|proto udp6}} in both server.conf and client.conf. Afterwards both IPv4 and IPv6 are enabled.
 +
 +
==== Provide IPv6 inside the tunnel ====
 +
 +
In order to provide IPv6 inside the tunnel, you need to have a IPv6 prefix routed to your OpenVPN server. Either set up a static route on your gateway (if you have a static block assigned), or use a DHCPv6 client to get a prefix with DHCPv6 Prefix delegation (see [[IPv6#Prefix delegation (DHCPv6-PD)|IPv6 Prefix delegation]] for details). You can also use a unique local address from the address block fc00::/7. Both methods have advantages and disadvantages:
 +
 +
* Many ISPs only provide dynamically changing IPv6 prefixes. OpenVPN does not support prefix changes, so you need to change your server.conf every time the prefix is changed (Maybe can be automated with a script).
 +
* ULA addresses are not routed to the Internet, and setting up NAT is not as straightforward as with IPv4. So you cannot route the entire traffic over the tunnel. If you only want to connect two sites via IPv6, without the need to connect to the Internet over the tunnel, the ULA addresses may be easier to use.
 +
 +
After you have received a prefix (a /64 is recommended), append the following to the server.conf:
 +
 +
server-ipv6 2001:db8:0:123::/64
 +
 +
This is the IPv6 equivalent to the default 10.8.0.0/24 network of OpenVPN and needs to be taken from the DHCPv6 client. Or use for example fd00:1234::/64.
 +
 +
If you want to push a route to your home network (192.168.1.0/24 equivalent), also append:
 +
 +
push "route-ipv6 2001:db8:0:abc::/64"
 +
 +
OpenVPN does not yet include DHCPv6, so there is no method to e.g. push DNS server over IPv6. This needs to be done with IPv4. The [https://community.openvpn.net/openvpn/wiki/IPv6 OpenVPN Wiki] provides some other configuration options.
  
 
== Starting OpenVPN ==
 
== Starting OpenVPN ==
Line 300: Line 359:
 
=== Manual startup ===
 
=== Manual startup ===
  
To troubleshoot a VPN connection, start the daemon manually with: {{ic|# openvpn /etc/openvpn/client.conf}}.
+
To troubleshoot a VPN connection, start the client's daemon manually with {{ic|openvpn /etc/openvpn/client.conf}} as root. The server can be started the same way using its own configuration file (e.g., {{ic|openvpn /etc/openvpn/server.conf}}).
  
 
=== systemd service configuration ===
 
=== systemd service configuration ===
  
To start OpenVPN automatically at system boot, [[Daemon|enable]] {{ic|openvpn@''<configuration>''.service}}.
+
To start OpenVPN automatically at system boot, either for a client or for a server, [[enable]] {{ic|openvpn@''<configuration>''.service}} on the applicable machine.
  
For example, if the configuration file is {{ic|/etc/openvpn/client.conf}}, the service name is {{ic|openvpn@client.service}}.
+
For example, if the client configuration file is {{ic|/etc/openvpn/client.conf}}, the service name is {{ic|openvpn@client.service}}. Or, if the server configuration file is {{ic|/etc/openvpn/server.conf}}, the service name is {{ic|openvpn@server.service}}.
  
== Advanced L3 IP routing==
+
=== Letting NetworkManager start a connection ===
  
=== Prerequisites for routing a LAN ===
+
On a client you might not always need to run a VPN tunnel and/or only want to establish it for a specific NetworkManager connection. This can be done by adding a script to {{ic|/etc/NetworkManager/dispatcher.d/}}. In the following example "Provider" is the name of the NetworkManager connection:
  
==== IPv4 forwarding ====
+
{{hc|/etc/NetworkManager/dispatcher.d/10-openvpn|2=
 +
#!/bin/bash
  
For a host to be able to forward IPv4 packets between the LAN and VPN, it must be able to forward the packets between its NIC and its tun/tap device.
+
case "$2" in
 +
  up)
 +
    if [ "$CONNECTION_ID" == "Provider" ]; then
 +
      systemctl start openvpn@client
 +
    fi
 +
  ;;
 +
  down)
 +
    systemctl stop openvpn@client
 +
  ;;
 +
esac}}
  
Edit or create {{ic|etc/sysctl.d/99-sysctl.conf}} to permanently enable IPv4 packet forwarding (takes effect at the next boot):
+
See [[NetworkManager#Network services with NetworkManager dispatcher]] for more details.
 +
 
 +
=== Gnome configuration ===
 +
 
 +
If you would like to connect a client to an OpenVPN server through Gnome's built-in network configuration do the following. First, install {{ic|networkmanager-openvpn}}. Then go to the Settings menu and choose Network. Click the plus sign to add a new connection and choose VPN. From there you can choose OpenVPN and manually enter the settings. You can also choose to import [[#The client configuration file]], if you have already created one. Yet, be aware NetworkManager does not show error messages for options it does not import. To connect to the VPN simply turn the connection on and check the options are applied as you configured (e.g. via {{ic|journalctl -b -u NetworkManager}}).
 +
 
 +
== Routing all client traffic through the server ==
 +
 
 +
{{Note|There are potential pitfalls when routing all traffic through a VPN server. Refer to [http://openvpn.net/index.php/open-source/documentation/howto.html#redirect the OpenVPN documentation on this topic] for more information.}}
 +
 
 +
By default only traffic directly to and from an OpenVPN server passes through the VPN. To have all traffic, including web traffic, pass through the VPN do the following. First add the following to your server's configuration file (i.e., {{ic|/etc/openvpn/server.conf}}) [http://openvpn.net/index.php/open-source/documentation/howto.html#redirect]:
 +
 
 +
push "redirect-gateway def1 bypass-dhcp"
 +
push "dhcp-option DNS 8.8.8.8"
 +
 
 +
Change {{ic|8.8.8.8}} to your preferred DNS IP address if configured to run on the same box as the server or else leave it at 8.8.8.8 to use google's DNS.
 +
 
 +
If you have problems with non responsive DNS after connecting to server, install [[BIND]] as simple DNS forwarder and push the IP address of the OpenVPN server as DNS to clients.
  
{{hc|/etc/sysctl.d/99-sysctl.conf|2=
+
After setting up the configuration file, one must [[Internet_sharing#Enable_packet_forwarding|enable packet forwarding]] on the server. Additionally, the server's firewall will need to be set up to allow VPN traffic through it, which is described below for both [[ufw]] and [[iptables]].
# Enable packet forwarding
+
 
net.ipv4.ip_forward=1
+
To allow clients to be able to reach other (private) subnets behind the server, you may want to use the {{ic|push "route <address pool> <subnet>"}} option:
 +
 
 +
push "route 172.10.142.0 255.255.255.0"
 +
push "route 172.20.142.0 255.255.255.0"
 +
 
 +
=== Firewall configuration ===
 +
 
 +
==== ufw ====
 +
 
 +
In order to configure your ufw settings for VPN traffic first add the following to {{ic|/etc/default/ufw}}:
 +
 
 +
{{hc|/etc/default/ufw|2=
 +
DEFAULT_FORWARD_POLICY="ACCEPT"
 
}}
 
}}
  
{{Tip|To temporarily enable without rebooting: {{ic|# echo 1 > /proc/sys/net/ipv4/ip_forward}}}}
+
Now change {{ic|/etc/ufw/before.rules}}, and add the following code after the header and before the "*filter" line. Do not forget to change the IP/subnet mask to match the one in {{ic|/etc/openvpn/server.conf}}.  The adapter ID in the example is generically called {{ic|eth0}} so edit it for your system accordingly.
  
==== Promiscuous LAN interface ====
+
{{hc|/etc/ufw/before.rules|2=
 +
# NAT (Network Address Translation) table rules
 +
*nat
 +
:POSTROUTING ACCEPT [0:0]
  
The forwarding host's NIC (enp1s0 in the following examples) must also be able to accept packets for a different IP address than it is configured for, something known as [[Wikipedia:Promiscuous_mode|promiscuous mode]]. To set the {{ic|enp1s0}} in promiscuous mode using systemd, use [[ Systemd/Services#Set_network_interface_in_promiscuous_mode | this service file ]] and enable it using:
+
# Allow traffic from clients to eth0
 +
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
  
   # systemctl enable promiscuous@enp1s0
+
# do not delete the "COMMIT" line or the NAT table rules above will not be processed
 +
COMMIT
 +
}}
 +
 
 +
Open OpenVPN port 1194:
 +
 
 +
# ufw allow 1194
 +
 
 +
Lastly, reload UFW:
 +
 
 +
# ufw reload
 +
 
 +
==== iptables ====
 +
 
 +
In order to allow VPN traffic through your iptables firewall of your server, first create an iptables rule for NAT forwarding [http://openvpn.net/index.php/open-source/documentation/howto.html#redirect] on the server, assuming the interface you want to forward to is named {{ic|eth0}}:
 +
 
 +
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
 +
 
 +
If you have difficulty pinging the server through the VPN, you may need to add explicit rules to open up TUN/TAP interfaces to all traffic. If that is the case, do the following [https://community.openvpn.net/openvpn/wiki/255-qconnection-initiated-with-xxxxq-but-i-cannot-ping-the-server-through-the-vpn]:
 +
 
 +
{{Warning|There are security implications for the following rules if you do not trust all clients which connect to the server. Refer to the [https://community.openvpn.net/openvpn/wiki/255-qconnection-initiated-with-xxxxq-but-i-cannot-ping-the-server-through-the-vpn OpenVPN documentation on this topic] for more details.}}
 +
 
 +
iptables -A INPUT -i tun+ -j ACCEPT
 +
iptables -A FORWARD -i tun+ -j ACCEPT
 +
iptables -A INPUT -i tap+ -j ACCEPT
 +
iptables -A FORWARD -i tap+ -j ACCEPT
 +
 
 +
Additionally be sure to accept connections from the OpenVPN port (default 1194) and through the physical interface.
 +
 
 +
When you are satisfied make the changes permanent as shown in [[iptables#Configuration and usage]].
 +
 
 +
If you have multiple {{ic|tun}} or {{ic|tap}} interfaces, or more than one VPN configuration, you can "pin" the name of your interface by specifying it in the OpenVPN config file, e.g. {{ic|tun22}} instead of {{ic|tun}}. This is advantageous if you have different firewall rules for different interfaces or OpenVPN configurations.
 +
 
 +
=== Prevent leaks if VPN goes down ===
 +
 
 +
The idea is simple: prevent all traffic through our default interface (enp3s0 for example) and only allow tun0.
 +
If the OpenVPN connection drops, your computer will lose its internet access and therefore, avoid your programs to continue connecting through an insecure network adapter.
 +
 
 +
Be sure to set up a script to restart OpenVPN if it goes down if you do not want to manually restart it.
 +
 
 +
==== ufw ====
 +
 
 +
  # Default policies
 +
  ufw default deny incoming
 +
  ufw default deny outgoing
 +
 
 +
  # Openvpn interface (adjust interface accordingly to your configuration)
 +
  ufw allow in on tun0
 +
  ufw allow out on tun0
 +
 
 +
  # Local Network (adjust ip accordingly to your configuration)
 +
  ufw allow in on enp3s0 from 192.168.1.0/24
 +
  ufw allow out on enp3s0 to 192.168.1.0/24
 +
 
 +
  # Openvpn (adjust port accordingly to your configuration)
 +
  ufw allow out on enp3s0 to any port 1194
 +
  ufw allow in on enp3s0 from any port 1194
 +
 
 +
{{Warning| DNS '''will not''' work '''unless''' you run your own dns server like [[BIND]]
 +
Otherwise, you will need to allow dns leak. '''Be sure to trust your dns server!'''
 +
  # DNS
 +
  ufw allow in from any to any port 53
 +
   ufw allow out from any to any port 53
 +
}}
 +
 
 +
==== vpnfailsafe ====
 +
 
 +
Alternatively, the [https://github.com/wknapik/vpnfailsafe vpnfailsafe] ({{AUR|vpnfailsafe-git}}) script can be used by the client to prevent DNS leaks and ensure that all traffic to the internet goes over the VPN. If the VPN tunnel goes down, internet access will be cut off, except for connections to the VPN server(s). The script contains the functionality of [[#Update resolv-conf script|update-resolv-conf]], so the two don't need to be combined.
 +
 
 +
== L3 IPv4 routing==
 +
 
 +
This section describes how to connect client/server LANs to each other using L3 IPv4 routing.
 +
 
 +
=== Prerequisites for routing a LAN ===
  
{{Tip|To temporarily enable without rebooting: {{ic|# ip link set dev enp1s0 promisc on}}.}}
+
For a host to be able to forward IPv4 packets between the LAN and VPN, it must be able to forward the packets between its NIC and its tun/tap device. See [[Internet sharing#Enable packet forwarding]] for configuration details.
  
 
==== Routing tables ====
 
==== Routing tables ====
Line 347: Line 522:
 
The server is on a LAN using the 10.66.0.0/24 subnet.  To inform the client about the available subnet, add a push directive to the server configuration file:{{hc|/etc/openvpn/server.conf|push "route 10.66.0.0 255.255.255.0"}}
 
The server is on a LAN using the 10.66.0.0/24 subnet.  To inform the client about the available subnet, add a push directive to the server configuration file:{{hc|/etc/openvpn/server.conf|push "route 10.66.0.0 255.255.255.0"}}
  
{{Note|
+
{{Note|To route more LANs from the server to the client, add more push directives to the server configuration file, but keep in mind that the server side LANs will need to know how to route to the client.
* Remember to enable IPv4 forwarding and to make the LAN interface promiscuous on the server. Make sure the server LAN knows how to reach the VPN client.
+
* To route more LANs from the server to the client, add more push directives to the server configuration file, but keep in mind that the server side LANs will need to know how to route to the client.
+
 
}}
 
}}
  
Line 375: Line 548:
 
}}
 
}}
  
{{Note|
+
{{Note|To route more LANs from the client to the server, add more iroute and route directives to the appropriate configuration files, but keep in mind that the client side LANs will need to know how to route to the server.
* Remember to enable IPv4 forwarding and to make the LAN interface promiscuous on the client. Make sure the client LAN knows how to reach the VPN server.
+
* To route more LANs from the client to the server, add more iroute and route directives to the appropriate configuration files, but keep in mind that the client side LANs will need to know how to route to the server.
+
 
}}
 
}}
  
Line 394: Line 565:
 
{{hc|/etc/openvpn/ccd/bugs|iroute 192.168.4.0 255.255.255.0}}
 
{{hc|/etc/openvpn/ccd/bugs|iroute 192.168.4.0 255.255.255.0}}
  
{{Note|Remember to enable IPv4 forwarding and to make the LAN interfaces promiscuous on both the client and the server. Make sure that all the LANs or the needed hosts can route to all the destinations.}}
+
{{Note|Remember to make sure that all the LANs or the needed hosts can route to all the destinations.}}
  
 
=== Connect clients and client LANs ===
 
=== Connect clients and client LANs ===
Line 412: Line 583:
 
{{Note|As always, make sure that the routing is properly configured.}}
 
{{Note|As always, make sure that the routing is properly configured.}}
  
== L2 Ethernet bridging ==
+
== DNS ==
  
{{Expansion|Please add a well thought out section on L2 bridging.}}
+
The DNS servers used by the system are defined in {{ic|/etc/resolv.conf}}. Traditionally, this file is the responsibility of whichever program deals with connecting the system to the network (e.g. Wicd, NetworkManager, etc.). However, OpenVPN will need to modify this file if you want to be able to resolve names on the remote side. To achieve this in a sensible way, install {{pkg|openresolv}}, which makes it possible for more than one program to modify {{ic|resolv.conf}} without stepping on each-other's toes.
  
For now see: [[OpenVPN Bridge]]
+
Before continuing, test openresolv by restarting your network connection and ensuring that {{ic|resolv.conf}} states that it was generated by ''resolvconf'', and that your DNS resolution still works as before. You should not need to configure openresolv; it should be automatically detected and used by your network system.
  
== Contributions that do not yet fit into the main article ==
+
For Linux, OpenVPN can send DNS host information, but expects an external process to act on it. This can be done with the {{ic|client.up}} and {{ic|client.down}} scripts packaged in {{ic|/usr/share/openvpn/contrib/pull-resolv-conf/}}. See their comments on how to install them to {{ic|/etc/openvpn}}. The following is an excerpt of a resulting client configuration using the scripts in conjunction with ''resolvconf'' and options to [[#Drop root privileges after connecting]]:
 
+
{{hc|/etc/openvpn/clienttunnel.conf|
{{Accuracy|Not quite sure where this fits into the main article yet}}
+
 
+
=== Routing client traffic through the server ===
+
 
+
Append the following to your server's openvpn.conf configuration file:
+
 
+
push "redirect-gateway def1"
+
push "dhcp-option DNS 192.168.1.1"
+
 
+
Change "192.168.1.1" to your preferred DNS IP address.
+
 
+
If you have problems with non responsive DNS after connecting to server, install [[BIND]] as simple DNS forwarder and push the IP address of the OpenVPN server as DNS to clients.
+
 
+
==== Configure ufw for routing ====
+
 
+
Configure your ufw settings to enable routing traffic from clients through server.
+
 
+
You must change default forward policy as in [[#IPv4 forwarding]].
+
 
+
And then configure ufw in {{ic|/etc/default/ufw}}:
+
 
+
{{hc|/etc/default/ufw|2=
+
DEFAULT_FORWARD_POLICY="ACCEPT"
+
}}
+
 
+
Now change {{ic|/etc/ufw/before.rules}}, and add the following code after the header and before the "*filter" line. Don't forget to change the IP/subnet mask to match the one in {{ic|/etc/openvpn/server.conf}}.
+
 
+
{{hc|/etc/ufw/before.rules|2=
+
# NAT (Network Address Translation) table rules
+
*nat
+
:POSTROUTING ACCEPT [0:0]
+
 
+
# Allow traffic from clients to enp1s0
+
-A POSTROUTING -s 10.8.0.0/8 -o enp1s0 -j MASQUERADE
+
 
+
# don't delete the "COMMIT" line or the NAT table rules above won't be processed
+
COMMIT
+
}}
+
 
+
Open OpenVPN port 1194:
+
 
+
ufw allow 1194
+
 
+
==== Using iptables ====
+
 
+
Use an iptable for NAT forwarding:
+
 
+
echo 1 > /proc/sys/net/ipv4/ip_forward
+
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp1s0 -j MASQUERADE
+
 
+
If running Arch Linux in a OpenVZ VPS environment [http://thecodeninja.net/linux/openvpn-archlinux-openvz-vps/]:
+
 
+
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to (venet0 ip)
+
 
+
If all is well, make the changes permanent:
+
 
+
Edit {{ic|/etc/conf.d/iptables}} and change IPTABLES_FORWARD=1
+
 
+
# iptables-save > /etc/iptables/iptables.rules
+
 
+
=== Configuring LDAP authorization ===
+
+
{{Accuracy|what does the following do, and is the package still supported?}}
+
You may also want to install {{AUR|openvpn-authldap-plugin}}, available in the [[AUR]].
+
 
+
=== Deprecated older wiki content ===
+
 
+
{{Accuracy|See how this older content can be fitted into the new article}}
+
 
+
====Using PAM and passwords to authenticate====
+
 
+
{{bc|
+
port 1194
+
proto udp
+
mtu-test
+
dev tap
+
ca /etc/openvpn/easy-rsa/keys/ca.crt
+
cert /etc/openvpn/easy-rsa/keys/<MYSERVER>.crt
+
key /etc/openvpn/easy-rsa/keys/<MYSERVER>.key
+
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
+
server 192.168.56.0 255.255.255.0
+
ifconfig-pool-persist ipp.txt
+
;learn-address ./script
+
client-to-client
+
;duplicate-cn
+
keepalive 10 120
+
;tls-auth ta.key 0
+
comp-lzo
+
;max-clients 100
+
;user nobody
+
;group nobody
+
persist-key
+
persist-tun
+
status /var/log/openvpn-status.log
+
verb 3
+
client-cert-not-required
+
username-as-common-name
+
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so login
+
}}
+
 
+
==== Using certs to authenticate ====
+
 
+
{{bc|
+
port 1194
+
proto tcp
+
dev tun0
+
 
+
ca /etc/openvpn/easy-rsa/keys/ca.crt
+
cert /etc/openvpn/easy-rsa/keys/<MYSERVER>.crt
+
key /etc/openvpn/easy-rsa/keys/<MYSERVER>.key
+
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
+
 
+
server 10.8.0.0 255.255.255.0
+
ifconfig-pool-persist ipp.txt
+
keepalive 10 120
+
comp-lzo
+
 
user nobody
 
user nobody
 
group nobody
 
group nobody
persist-key
+
# Optional, choose a suitable path to chroot into for your system
persist-tun
+
chroot /srv
status /var/log/openvpn-status.log
+
script-security 2
verb 3
+
up /etc/openvpn/client.up
 +
plugin /usr/lib/openvpn/plugins/openvpn-plugin-down-root.so "/etc/openvpn/client.down tun0"}}
  
log-append /var/log/openvpn
+
=== Update resolv-conf script ===
status /tmp/vpn.status 10
+
{{Accuracy|Inclusion of the setenv PATH statement does not seem to be required.}}
}}
+
  
==== Routing traffic through the server ====
+
The [https://github.com/masterkorp/openvpn-update-resolv-conf openvpn-update-resolv-conf] script is available as an alternative to packaged scripts. It needs to be saved for example at {{ic|/etc/openvpn/update-resolv-conf}} and made executable with [[chmod]]. There is also an AUR package: {{AUR|openvpn-update-resolv-conf}} which will take care of the script installation for you.
  
Append the following to your server's openvpn.conf configuration file:
+
Once the script is installed add lines like the following into your OpenVPN client configuration file:
  
  push "dhcp-option DNS 192.168.1.1"
+
  script-security 2
  push "redirect-gateway def1"
+
  setenv PATH /usr/bin
 +
up /etc/openvpn/update-resolv-conf
 +
down /etc/openvpn/update-resolv-conf
  
Change "192.168.1.1" to your external DNS IP address.
+
Now, when your launch your OpenVPN connection, you should find that your resolv.conf file is updated accordingly, and also returns to normal when your close the connection.
  
Use an iptable for NAT forwarding:
+
=== Update systemd-resolved script ===
  
echo 1 > /proc/sys/net/ipv4/ip_forward
+
Since systemd-229, [[systemd-networkd]]'s {{ic|systemd-resolved.service}} has exposed an API through DBus allowing management of DNS configuration on a per-link basis. Tools such as {{pkg|openresolv}} may not work reliably when {{ic|/etc/resolv.conf}} is managed by {{ic|systemd-resolved}}, and will not work at all if you are using {{ic|resolve}} instead of {{ic|dns}} in your {{ic|/etc/nsswitch.conf}} file. The [https://github.com/jonathanio/update-systemd-resolved update-systemd-resolved] script is another alternative and links OpenVPN with {{ic|systemd-resolved}} via DBus to update the DNS records.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp1s0 -j MASQUERADE
+
  
If running Arch Linux in a OpenVZ VPS environment [http://thecodeninja.net/linux/openvpn-archlinux-openvz-vps/]:
+
If you copy the script into {{ic|/etc/openvpn}} and mark as executable with [[chmod]], or install it via the AUR package ({{AUR|openvpn-update-systemd-resolved}}), you can add lines like the following into your OpenVPN client configuration file:
  
  iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to (venet0 ip)
+
  script-security 2
 +
setenv PATH /usr/bin
 +
up /etc/openvpn/update-systemd-resolved
 +
down-pre /etc/openvpn/update-systemd-resolved
  
If all is well, make the changes permanent:
+
== L2 Ethernet bridging ==
  
Edit {{ic|/etc/conf.d/iptables}} and change IPTABLES_FORWARD=1
+
{{Expansion|Please add a well thought out section on L2 bridging.}}
  
# iptables-save > /etc/iptables/iptables.rules
+
For now see: [[OpenVPN Bridge]]
  
==== Setting up the client ====
+
== Troubleshooting ==
  
The client-side .conf file
+
=== Client daemon not restarting after suspend ===
  
===== With password authentication =====
+
If you put your client system to sleep, and on resume OpenVPN does not restart, resulting in broken connectivity, create the following file:
  
{{bc|
+
{{hc|/usr/lib/systemd/system-sleep/vpn.sh|2=
client
+
#!/bin/sh
dev tap
+
if [ "$1" == "pre" ]
proto udp
+
then
mtu-test
+
  killall openvpn
remote <address> 1194
+
fi
resolv-retry infinite
+
nobind
+
persist-tun
+
comp-lzo
+
verb 3
+
auth-user-pass passwd
+
ca ca.crt
+
 
}}
 
}}
  
passwd file (referenced by auth-user-pass) must contain two lines:
+
Make it executable {{ic|chmod a+x /usr/lib/systemd/system-sleep/vpn.sh}}
* first line - username
+
* second - password
+
  
===== Certificates authentication =====
+
{{hc|/etc/systemd/system/openvpn@.service.d/restart.conf|2=
 
+
[Service]
{{bc|
+
Restart=always
client
+
remote <MYSERVER> 1194
+
dev tun0
+
proto tcp
+
resolv-retry infinite
+
nobind
+
persist-key
+
persist-tun
+
verb 2
+
ca ca.crt
+
cert client1.crt
+
key client1.key
+
comp-lzo
+
 
}}
 
}}
Copy three files from server to remote computer.
 
ca.crt
 
client1.crt
 
client1.key
 
  
Install the tunnel/tap module:
+
=== Connection drops out after some time of inactivity ===
  
# modprobe tun
+
If the VPN-Connection drops some seconds after it stopped transmitting data and, even though it states it is connected, no data can be transmitted through the tunnel, try adding a {{ic|keepalive}}directive to the server's configuration:
  
To have the '''tun''' module loaded automatically at boot, read [[Kernel_modules]].
+
{{hc|/etc/openvpn/server.conf|
 
+
.
===== DNS =====
+
.
 
+
keepalive 10 120
The DNS servers used by the system are defined in {{ic|/etc/resolv.conf}}.  Traditionally, this file is the responsibility of whichever program deals with connecting the system to the network (e.g. Wicd, NetworkManager, etc...)  However, OpenVPN will need to modify this file if you want to be able to resolve names on the remote side.  To achieve this in a sensible way, install {{pkg|openresolv}}, which makes it possible for more than one program to modify resolv.conf without stepping on each-other's toes.  Before continuing, test openresolv by restarting your network connection and ensuring that resolv.conf states that it was generated by "resolvconf", and that your DNS resolution still works as before.  You should not need to configure openresolv; it should be automatically detected and used by your network system.
+
.
 
+
.
Next, save the following script at {{ic|/usr/share/openvpn/update-resolv-conf}}:
+
}}
{{bc|<nowiki>
+
#!/bin/bash
+
#
+
# Parses DHCP options from openvpn to update resolv.conf
+
# To use set as 'up' and 'down' script in your openvpn *.conf:
+
# up /etc/openvpn/update-resolv-conf
+
# down /etc/openvpn/update-resolv-conf
+
#
+
# Used snippets of resolvconf script by Thomas Hood <jdthood@yahoo.co.uk>
+
# and Chris Hanson
+
# Licensed under the GNU GPL.  See /usr/share/common-licenses/GPL.
+
# 07/2013 colin@daedrum.net Fixed intet name
+
# 05/2006 chlauber@bnc.ch
+
#
+
# Example envs set from openvpn:
+
# foreign_option_1='dhcp-option DNS 193.43.27.132'
+
# foreign_option_2='dhcp-option DNS 193.43.27.133'
+
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
+
 
+
#[ -x $(which resolvconf) ] || exit 0
+
[ -x /usr/bin/resolvconf ] || exit 0
+
 
+
case $script_type in
+
 
+
up)
+
  for optionname in ${!foreign_option_*} ; do
+
      option="${!optionname}"
+
      echo $option
+
      part1=$(echo "$option" | cut -d " " -f 1)
+
      if [ "$part1" == "dhcp-option" ] ; then
+
        part2=$(echo "$option" | cut -d " " -f 2)
+
        part3=$(echo "$option" | cut -d " " -f 3)
+
        if [ "$part2" == "DNS" ] ; then
+
            IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
+
        fi
+
        if [ "$part2" == "DOMAIN" ] ; then
+
            IF_DNS_SEARCH="$IF_DNS_SEARCH $part3"
+
        fi
+
      fi
+
  done
+
  R=""
+
  if [ "$IF_DNS_SEARCH" ] ; then
+
          R="${R}search $IF_DNS_SEARCH
+
"
+
  fi
+
  for NS in $IF_DNS_NAMESERVERS ; do
+
          R="${R}nameserver $NS
+
"
+
  done
+
  #echo -n "$R" | resolvconf -p -a "${dev}"
+
  echo -n "$R" | /usr/bin/resolvconf -a "${dev}.inet"
+
  ;;
+
down)
+
  resolvconf -d "${dev}.inet"
+
  ;;
+
esac
+
</nowiki>}}
+
 
+
Remember to make the file executable with:
+
  $ chmod +x /usr/share/openvpn/update-resolv-conf
+
Next, add the following lines to your OpenVPN client configuration file:
+
 
+
script-security 2
+
up /usr/share/openvpn/update-resolv-conf
+
down /usr/share/openvpn/update-resolv-conf
+
 
+
Now, when your launch your OpenVPN connection, you should find that your resolv.conf file is updated accordingly, and also returns to normal when your close the connection.
+
 
+
''Caveat: The script will fail to restore the original DNS settings if your OpenVPN client.conf is set-up to drop root privileges after connection.''
+
 
+
===== Webmin =====
+
 
+
{{AUR|webmin-plugin-openvpn}} is available in the [[AUR]].
+
{{Note|You must add "openvpn" to the end of {{ic|/etc/webmin/webmin.acl}}.}}
+
 
+
==== Connecting to the server ====
+
  
You need to start the service on the server
+
In this case the server will send ping-like messages to all of its clients every {{ic|10}} seconds, thus keeping the tunnel up.
systemctl start openvpn
+
If the server does not receive a response within {{ic|120}} seconds from a specific client, it will assume this client is down.
  
To make it permanent:
+
A small ping-interval can increase the stability of the tunnel, but will also cause slightly higher traffic. Depending on your connection, also try lower intervals than 10 seconds.
systemctl enable openvpn
+
  
On the client, in the home directory create a folder that will hold your OpenVPN client config files along with the '''.crt'''/'''.key''' files. Assuming your OpenVPN config folder is called '''.openvpn''' and your client config file is '''vpn1.conf''', to connect to the server issue the following command:
+
== See Also ==
# cd ~/.openvpn && openvpn vpn1.conf
+
* [https://openvpn.net/index.php/open-source.html OpenVPN Official Site]
 +
* [[Airvpn]]

Latest revision as of 20:48, 1 December 2016

This article describes a basic installation and configuration of OpenVPN, suitable for private and small business use. For more detailed information, please see the OpenVPN 2.3 man page and the OpenVPN documentation. OpenVPN is a robust and highly flexible VPN daemon. It supports SSL/TLS security, Ethernet bridging, TCP or UDP tunnel transport through proxies or NAT. Additionally it has support for dynamic IP addresses and DHCP, scalability to hundreds or thousands of users, and portability to most major OS platforms.

OpenVPN is tightly bound to the OpenSSL library, and derives much of its crypto capabilities from it. It supports conventional encryption using a pre-shared secret key (Static Key mode) or public key security (SSL/TLS mode) using client & server certificates. Additionally it supports unencrypted TCP/UDP tunnels.

OpenVPN is designed to work with the TUN/TAP virtual networking interface that exists on most platforms. Overall, it aims to offer many of the key features of IPSec but with a relatively lightweight footprint. OpenVPN was written by James Yonan and is published under the GNU General Public License (GPL).

Install OpenVPN

Install the openvpn package.

Note: The software contained in this package supports both server and client mode, so install it on all machines that need to create VPN connections.

Kernel configuration

OpenVPN requires TUN/TAP support, which is already configured in the default kernel. Users of custom kernel should make sure to enable the tun module:

Kernel config file
 Device Drivers
  --> Network device support
    [M] Universal TUN/TAP device driver support

Read Kernel modules for more information.

Connect to a VPN provided by a third party

To connect to a VPN service provided by a third party, most of the following can most likely be ignored, especially regarding server setup. Begin with #The client config profile and skip ahead to #Starting OpenVPN after that. One should use the provider certificates and instructions, for instance see: Airvpn.

Note: Most free VPN providers will (often only) offer PPTP, which is drastically easier to setup and configure, but is not secure.

Create a Public Key Infrastructure (PKI) from scratch

When setting up an OpenVPN server, users need to create a Public Key Infrastructure (PKI) which is detailed in the easy-rsa article. Once the needed certificates, private keys, and associated files are created via following the steps in the separate article, one should have 5 files in /etc/openvpn at this point:

  • /etc/openvpn/ca.crt
  • /etc/openvpn/dh.pem
  • /etc/openvpn/servername.crt and /etc/openvpn/servername.key
  • /etc/openvpn/ta.key

A basic L3 IP routing configuration

Note: Unless otherwise explicitly stated, the rest of this article assumes this basic configuration.

OpenVPN is an extremely versatile piece of software and many configurations are possible, in fact machines can be both "servers" and "clients", blurring the distinction between server and client.

What really distinguishes a server from a client (apart from the type of certificate used) is the configuration file itself. The OpenVPN daemon start-up script reads all the *.conf configuration files it finds in /etc/openvpn on start-up and acts accordingly. If it finds more than one configuration file, it will start one OpenVPN process per configuration file.

This article explains how to set up a server named elmer and a client that connects to it named bugs. More servers and clients can easily be added by creating more key/certificate pairs and adding more server and client configuration files.

Example configuration

The OpenVPN package comes with a collection of example configuration files for different purposes. The sample server and client configuration files make an ideal starting point for a basic OpenVPN setup with the following features:

  • Uses Public Key Infrastructure (PKI) for authentication.
  • Creates a VPN using a virtual TUN network interface (OSI L3 IP routing).
  • Listens for client connections on UDP port 1194 (OpenVPN's official IANA port number).
  • Distributes virtual addresses to connecting clients from the 10.8.0.0/24 subnet.

For more advanced configurations, please see the official OpenVPN 2.3 man page and the OpenVPN documentation.

The server configuration file

Note: Note that if the server is behind a firewall or a NAT translating router, the OpenVPN port must be forward on to the server.

Copy the example server configuration file to /etc/openvpn/server.conf:

# cp /usr/share/openvpn/examples/server.conf /etc/openvpn/server.conf

Edit the file making a minimum of the following changes:

/etc/openvpn/server.conf
ca /etc/openvpn/ca.crt
cert /etc/openvpn/servername.crt
key /etc/openvpn/servername.key  # This file should be kept secret
dh /etc/openvpn/dh.pem
.
tls-auth /etc/openvpn/ta.key 0
.
user nobody
group nobody

Hardening the server

If security is a priority, additional configuration is recommended including: limiting the server to use a strong cipher/auth method and limiting the newer tls ciphers. Do so by adding the following to /etc/openvpn/server.conf

/etc/openvpn/server.conf
.
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
.
Note: The .ovpn client profile MUST contain a matching cipher and auth line to work properly (at least with the iOS and Android client)!

Deviating from the standard port and/or protocol

Some public/private network admins may not allow OpenVPN connections on its default port and/or protocol. One strategy to circumvent this is to mimic https/SSL traffic which is very likely unobstructed.

To do so, configure /etc/openvpn/server.conf as such:

/etc/openvpn/server.conf
.
port 443
proto tcp
.
Note: The .ovpn client profile MUST contain a matching port and proto line to work properly!
TCP vs UDP

There are subtle differences between TCP and UDP.

TCP

  • So-called "stateful protocol."
  • High reliability due to error correction (i.e. waits for packet acknowledgment).
  • Potentially slower than UDP.

UDP

  • So-called "stateless protocol."
  • Less reliable than TCP as no error correction is in use.
  • Potentially faster than TCP.

The client config profile (OpenVPN)

Copy the example client configuration file to /etc/openvpn/client.conf:

# cp /usr/share/openvpn/examples/client.conf /etc/openvpn/client.conf

Edit the following:

  • The remote directive to reflect either the server's Fully Qualified Domain Name, hostname (as known to the client), or its IP address.
  • Uncomment the user and group directives to drop privileges.
  • The ca, cert, and key parameters to reflect the path and names of the keys and certificates.
  • Enable the SSL/TLS HMAC handshake protection. Note the use of the parameter 1 for a client.
/etc/openvpn/client.conf
remote elmer.acmecorp.org 1194
.
user nobody
group nobody
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
.
tls-auth /etc/openvpn/ta.key 1

Drop root privileges after connecting

Using the options user nobody and group nobody in the configuration file makes OpenVPN drop its privileges after establishing the connection. The downside is that upon VPN disconnect the daemon is unable to delete its set network routes again. If one wants to limit transmitting traffic without the VPN connection, then lingering routes are not desired. Further, it can happen that the OpenVPN server pushes updates to routes at runtime of the tunnel. A client with dropped privileges will be unable to perform the update and exit with an error.

As it could seem to require manual action to manage the routes, the options user nobody and group nobody might seem undesirable. Depending on setup, however, there are four ways to handle these situations:

  • For errors of the unit, a simple way is to edit it and add a Restart=on-failure to the [Service] section. Though, this alone will not delete any obsoleted routes, so it may happen that the restarted tunnel is not routed properly.
  • The package contains the /usr/lib/openvpn/plugins/openvpn-plugin-down-root.so (see README in its directory), which can be used to let openvpn fork a process with root privileges with the only task to execute a custom script when receiving a down signal from the main process, which is handling the tunnel with dropped privileges.[1]
  • The OpenVPN HowTo explains another way how to create an unprivileged user mode and wrapper script to have the routes restored automatically.
  • Further, it is possible to let OpenVPN start as a non-privileged user in the first place, without ever running as root, see this OpenVPN wiki HowTo.
Note: The OpenVPN HowTos linked above create a dedicated non-privileged user/group, instead of the already existing nobody. The advantage is that this avoids potential risks when sharing a user among daemons.

The client profile (generic for Linux, iOS, or Android)

The ovpngenAUR package provides a simple shell script that creates OpenVPN compatible tunnel profiles in the unified file format suitable for the iOS version of OpenVPN Connect as well as for the Android app.

Simply invoke the script with 5 tokens:

  1. Server Fully Qualified Domain Name of the OpenVPN server (or IP address).
  2. Full path to the CA cert.
  3. Full path to the client cert.
  4. Full path to the client private key.
  5. Full path to the server TLS shared secret key.
  6. Optionally a port number.
  7. Optionally a protocol (udp or tcp).

Example:

# ovpngen example.org /etc/openvpn/ca.crt /etc/easy-rsa/pki/signed/client1.crt /etc/easy-rsa/pki/private/client1.key /etc/openvpn/ta.key > iphone.ovpn

The resulting iphone.ovpn can be edited if desired as the script does insert some commented lines.

Tip: If the server.conf contains a specified cipher and/or auth line, it is highly recommended that users manually edit the generated .ovpn file adding matching lines for cipher and auth. Failure to do so may results in connection errors!

Converting certificates to encrypted .p12 format

Some software will only read VPN certificates that are stored in a password-encrypted .p12 file. These can be generated with the following command:

# openssl pkcs12 -export -inkey keys/bugs.key -in keys/bugs.crt -certfile keys/ca.crt -out keys/bugs.p12

Testing the OpenVPN configuration

Run # openvpn /etc/openvpn/server.conf on the server, and # openvpn /etc/openvpn/client.conf on the client. Example output should be similar to the following:

# openvpn /etc/openvpn/server.conf
Wed Dec 28 14:41:26 2011 OpenVPN 2.2.1 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011
Wed Dec 28 14:41:26 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Dec 28 14:41:26 2011 Diffie-Hellman initialized with 2048 bit key
.
.
Wed Dec 28 14:41:54 2011 bugs/95.126.136.73:48904 MULTI: primary virtual IP for bugs/95.126.136.73:48904: 10.8.0.6
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 PUSH: Received control message: 'PUSH_REQUEST'
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 SENT CONTROL [bugs]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
# openvpn /etc/openvpn/client.conf
Wed Dec 28 14:41:50 2011 OpenVPN 2.2.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011
Wed Dec 28 14:41:50 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Dec 28 14:41:50 2011 LZO compression initialized
.
.
Wed Dec 28 14:41:57 2011 GID set to nobody
Wed Dec 28 14:41:57 2011 UID set to nobody
Wed Dec 28 14:41:57 2011 Initialization Sequence Completed

On the server, find the IP address assigned to the tunX device:

# ip addr show
.
.
40: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0

Here we see that the server end of the tunnel has been given the IP address 10.8.0.1.

Do the same on the client:

# ip addr show
.
.
37: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0

And the client side has been given the IP address 10.8.0.6.

Now try pinging the interfaces.

On the server:

# ping -c3 10.8.0.6
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.
64 bytes from 10.8.0.6: icmp_req=1 ttl=64 time=238 ms
64 bytes from 10.8.0.6: icmp_req=2 ttl=64 time=237 ms
64 bytes from 10.8.0.6: icmp_req=3 ttl=64 time=205 ms

--- 10.8.0.6 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 205.862/227.266/238.788/15.160 ms

On the client:

# ping -c3 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=158 ms
64 bytes from 10.8.0.1: icmp_req=2 ttl=64 time=158 ms
64 bytes from 10.8.0.1: icmp_req=3 ttl=64 time=157 ms

--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 157.426/158.278/158.940/0.711 ms
Note: If using a firewall, make sure that IP packets on the TUN device are not blocked.

Configure the MTU with Fragment and MSS

Note: If you do not configure MTU, then you will notice that small packets like ping and DNS will work, however web browsing will not work.

Now it is time to configure the maximum segment size (MSS). In order to do this we need to discover what is the smallest MTU along the path between the client and server. In order to do this you can ping the server and disable fragmentation. Then specify the max packet size.

Tango-inaccurate.pngThe factual accuracy of this article or section is disputed.Tango-inaccurate.png

Reason: Output is different - I do not see anything like ...Frag needed and DF set... (Discuss in Talk:OpenVPN#)
# ping -c5 -M do -s 1500 elmer.acmecorp.org
PING elmer.acmecorp.org (99.88.77.66) 1500(1528) bytes of data.
From 1.2.3.4 (99.88.77.66) icmp_seq=1 Frag needed and DF set (mtu = 576)
From 1.2.3.4 (99.88.77.66) icmp_seq=1 Frag needed and DF set (mtu = 576)
From 1.2.3.4 (99.88.77.66) icmp_seq=1 Frag needed and DF set (mtu = 576)
From 1.2.3.4 (99.88.77.66) icmp_seq=1 Frag needed and DF set (mtu = 576)
From 1.2.3.4 (99.88.77.66) icmp_seq=1 Frag needed and DF set (mtu = 576)

--- core.myrelay.net ping statistics ---
0 packets transmitted, 0 received, +5 errors

We received an ICMP message telling us the MTU is 576 bytes. The means we need to fragment the UDP packets smaller then 576 bytes to allow for some UDP overhead.

# ping -c5 -M do -s 548 elmer.acmecorp.org
PING elmer.acmecorp.org (99.88.77.66) 548(576) bytes of data.
556 bytes from 99.88.77.66: icmp_seq=1 ttl=48 time=206 ms
556 bytes from 99.88.77.66: icmp_seq=2 ttl=48 time=224 ms
556 bytes from 99.88.77.66: icmp_seq=3 ttl=48 time=206 ms
556 bytes from 99.88.77.66: icmp_seq=4 ttl=48 time=207 ms
556 bytes from 99.88.77.66: icmp_seq=5 ttl=48 time=208 ms

--- myrelay.net ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4001ms
rtt min/avg/max/mdev = 206.027/210.603/224.158/6.832 ms

After some trial and error..., we discover that we need to fragment packets on 548 bytes. In order to do this we specify this fragment size in the configuration and instruct OpenVPN to fix the Maximum Segment Size (MSS).

/etc/openvpn/client.conf
remote elmer.acmecorp.org 1194
...
fragment 548
mssfix 548
...

We also need to tell the server about the fragmentation. Note that "mssfix" is NOT needed in the server configuration.

Note: Clients that do not support the 'fragment' directive (e.g. OpenELEC, iOS app) are not able to connect to a server that uses the 'fragment' directive. To support such clients, skip this section and configure the clients with the 'mtu-test' directive described below.
/etc/openvpn/server.conf
...
fragment 548
Note: The following will add about 3 minutes to OpenVPN start time. It is advisable to configure the fragment size unless your client is a laptop that will be connecting over many different networks and the bottle neck is on the client side.

You can also allow OpenVPN to do this for you by having OpenVPN do the ping testing every time the client connects to the VPN. Be patient, since your client may not inform you about the test being run and the connection may appear as nonfunctional until finished.

/etc/openvpn/client.conf
remote elmer.acmecorp.org 1194
...
mtu-test
...
tls-auth /etc/openvpn/ta.key 1

IPv6

Connect to the server via IPv6

In order to enable Dual Stack for OpenVPN, you have to change proto udp to proto udp6 in both server.conf and client.conf. Afterwards both IPv4 and IPv6 are enabled.

Provide IPv6 inside the tunnel

In order to provide IPv6 inside the tunnel, you need to have a IPv6 prefix routed to your OpenVPN server. Either set up a static route on your gateway (if you have a static block assigned), or use a DHCPv6 client to get a prefix with DHCPv6 Prefix delegation (see IPv6 Prefix delegation for details). You can also use a unique local address from the address block fc00::/7. Both methods have advantages and disadvantages:

  • Many ISPs only provide dynamically changing IPv6 prefixes. OpenVPN does not support prefix changes, so you need to change your server.conf every time the prefix is changed (Maybe can be automated with a script).
  • ULA addresses are not routed to the Internet, and setting up NAT is not as straightforward as with IPv4. So you cannot route the entire traffic over the tunnel. If you only want to connect two sites via IPv6, without the need to connect to the Internet over the tunnel, the ULA addresses may be easier to use.

After you have received a prefix (a /64 is recommended), append the following to the server.conf:

server-ipv6 2001:db8:0:123::/64

This is the IPv6 equivalent to the default 10.8.0.0/24 network of OpenVPN and needs to be taken from the DHCPv6 client. Or use for example fd00:1234::/64.

If you want to push a route to your home network (192.168.1.0/24 equivalent), also append:

push "route-ipv6 2001:db8:0:abc::/64"

OpenVPN does not yet include DHCPv6, so there is no method to e.g. push DNS server over IPv6. This needs to be done with IPv4. The OpenVPN Wiki provides some other configuration options.

Starting OpenVPN

Manual startup

To troubleshoot a VPN connection, start the client's daemon manually with openvpn /etc/openvpn/client.conf as root. The server can be started the same way using its own configuration file (e.g., openvpn /etc/openvpn/server.conf).

systemd service configuration

To start OpenVPN automatically at system boot, either for a client or for a server, enable openvpn@<configuration>.service on the applicable machine.

For example, if the client configuration file is /etc/openvpn/client.conf, the service name is openvpn@client.service. Or, if the server configuration file is /etc/openvpn/server.conf, the service name is openvpn@server.service.

Letting NetworkManager start a connection

On a client you might not always need to run a VPN tunnel and/or only want to establish it for a specific NetworkManager connection. This can be done by adding a script to /etc/NetworkManager/dispatcher.d/. In the following example "Provider" is the name of the NetworkManager connection:

/etc/NetworkManager/dispatcher.d/10-openvpn
#!/bin/bash

case "$2" in
  up)
    if [ "$CONNECTION_ID" == "Provider" ]; then
      systemctl start openvpn@client
    fi
  ;;
  down)
    systemctl stop openvpn@client
  ;;
esac

See NetworkManager#Network services with NetworkManager dispatcher for more details.

Gnome configuration

If you would like to connect a client to an OpenVPN server through Gnome's built-in network configuration do the following. First, install networkmanager-openvpn. Then go to the Settings menu and choose Network. Click the plus sign to add a new connection and choose VPN. From there you can choose OpenVPN and manually enter the settings. You can also choose to import #The client configuration file, if you have already created one. Yet, be aware NetworkManager does not show error messages for options it does not import. To connect to the VPN simply turn the connection on and check the options are applied as you configured (e.g. via journalctl -b -u NetworkManager).

Routing all client traffic through the server

Note: There are potential pitfalls when routing all traffic through a VPN server. Refer to the OpenVPN documentation on this topic for more information.

By default only traffic directly to and from an OpenVPN server passes through the VPN. To have all traffic, including web traffic, pass through the VPN do the following. First add the following to your server's configuration file (i.e., /etc/openvpn/server.conf) [2]:

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"

Change 8.8.8.8 to your preferred DNS IP address if configured to run on the same box as the server or else leave it at 8.8.8.8 to use google's DNS.

If you have problems with non responsive DNS after connecting to server, install BIND as simple DNS forwarder and push the IP address of the OpenVPN server as DNS to clients.

After setting up the configuration file, one must enable packet forwarding on the server. Additionally, the server's firewall will need to be set up to allow VPN traffic through it, which is described below for both ufw and iptables.

To allow clients to be able to reach other (private) subnets behind the server, you may want to use the push "route <address pool> <subnet>" option:

push "route 172.10.142.0 255.255.255.0"
push "route 172.20.142.0 255.255.255.0"

Firewall configuration

ufw

In order to configure your ufw settings for VPN traffic first add the following to /etc/default/ufw:

/etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"

Now change /etc/ufw/before.rules, and add the following code after the header and before the "*filter" line. Do not forget to change the IP/subnet mask to match the one in /etc/openvpn/server.conf. The adapter ID in the example is generically called eth0 so edit it for your system accordingly.

/etc/ufw/before.rules
# NAT (Network Address Translation) table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Allow traffic from clients to eth0
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

# do not delete the "COMMIT" line or the NAT table rules above will not be processed
COMMIT

Open OpenVPN port 1194:

# ufw allow 1194

Lastly, reload UFW:

# ufw reload

iptables

In order to allow VPN traffic through your iptables firewall of your server, first create an iptables rule for NAT forwarding [3] on the server, assuming the interface you want to forward to is named eth0:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

If you have difficulty pinging the server through the VPN, you may need to add explicit rules to open up TUN/TAP interfaces to all traffic. If that is the case, do the following [4]:

Warning: There are security implications for the following rules if you do not trust all clients which connect to the server. Refer to the OpenVPN documentation on this topic for more details.
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT

Additionally be sure to accept connections from the OpenVPN port (default 1194) and through the physical interface.

When you are satisfied make the changes permanent as shown in iptables#Configuration and usage.

If you have multiple tun or tap interfaces, or more than one VPN configuration, you can "pin" the name of your interface by specifying it in the OpenVPN config file, e.g. tun22 instead of tun. This is advantageous if you have different firewall rules for different interfaces or OpenVPN configurations.

Prevent leaks if VPN goes down

The idea is simple: prevent all traffic through our default interface (enp3s0 for example) and only allow tun0. If the OpenVPN connection drops, your computer will lose its internet access and therefore, avoid your programs to continue connecting through an insecure network adapter.

Be sure to set up a script to restart OpenVPN if it goes down if you do not want to manually restart it.

ufw

 # Default policies
 ufw default deny incoming
 ufw default deny outgoing
 
 # Openvpn interface (adjust interface accordingly to your configuration)
 ufw allow in on tun0
 ufw allow out on tun0
 
 # Local Network (adjust ip accordingly to your configuration)
 ufw allow in on enp3s0 from 192.168.1.0/24
 ufw allow out on enp3s0 to 192.168.1.0/24
 
 # Openvpn (adjust port accordingly to your configuration)
 ufw allow out on enp3s0 to any port 1194
 ufw allow in on enp3s0 from any port 1194
Warning: DNS will not work unless you run your own dns server like BIND

Otherwise, you will need to allow dns leak. Be sure to trust your dns server!

 # DNS
 ufw allow in from any to any port 53
 ufw allow out from any to any port 53

vpnfailsafe

Alternatively, the vpnfailsafe (vpnfailsafe-gitAUR) script can be used by the client to prevent DNS leaks and ensure that all traffic to the internet goes over the VPN. If the VPN tunnel goes down, internet access will be cut off, except for connections to the VPN server(s). The script contains the functionality of update-resolv-conf, so the two don't need to be combined.

L3 IPv4 routing

This section describes how to connect client/server LANs to each other using L3 IPv4 routing.

Prerequisites for routing a LAN

For a host to be able to forward IPv4 packets between the LAN and VPN, it must be able to forward the packets between its NIC and its tun/tap device. See Internet sharing#Enable packet forwarding for configuration details.

Routing tables

Tango-inaccurate.pngThe factual accuracy of this article or section is disputed.Tango-inaccurate.png

Reason: Investigate if a routing protocol like RIP, QUAGGA, BIRD, etc can be used (Discuss in Talk:OpenVPN#)

By default, all IP packets on a LAN addressed to a different subnet get sent to the default gateway. If the LAN/VPN gateway is also the default gateway, there is no problem and the packets get properly forwarded. If not, the gateway has no way of knowing where to send the packets. There are a couple of solutions to this problem.

  • Add a static route to the default gateway routing the VPN subnet to the LAN/VPN gateway's IP address.
  • Add a static route on each host on the LAN that needs to send IP packets back to the VPN.
  • Use iptables' NAT feature on the LAN/VPN gateway to masquerade the incoming VPN IP packets.

Connect the server LAN to a client

The server is on a LAN using the 10.66.0.0/24 subnet. To inform the client about the available subnet, add a push directive to the server configuration file:
/etc/openvpn/server.conf
push "route 10.66.0.0 255.255.255.0"
Note: To route more LANs from the server to the client, add more push directives to the server configuration file, but keep in mind that the server side LANs will need to know how to route to the client.

Connect the client LAN to a server

Prerequisites:

  • Any subnets used on the client side, must be unique and not in use on the server or by any other client. In this example we will use 192.168.4.0/24 for the clients LAN.
  • Each client's certificate has a unique Common Name, in this case bugs.
  • The server may not use the duplicate-cn directive in its config file.

Create a client configuration directory on the server. It will be searched for a file named the same as the client's common name, and the directives will be applied to the client when it connects.

# mkdir -p /etc/openvpn/ccd

Create a file in the client configuration directory called bugs, containing the iroute 192.168.4.0 255.255.255.0 directive. It tells the server what subnet should be routed to the client:

/etc/openvpn/ccd/bugs
iroute 192.168.4.0 255.255.255.0

Add the client-config-dir and the route 192.168.4.0 255.255.255.0 directive to the server configuration file. It tells the server what subnet should be routed from the tun device to the server LAN:

/etc/openvpn/server.conf
client-config-dir ccd
route 192.168.4.0 255.255.255.0
Note: To route more LANs from the client to the server, add more iroute and route directives to the appropriate configuration files, but keep in mind that the client side LANs will need to know how to route to the server.

Connect both the client and server LANs

Combine the two previous sections:

/etc/openvpn/server.conf
push "route 10.66.0.0 255.255.255.0"
.
.
client-config-dir ccd
route 192.168.4.0 255.255.255.0
/etc/openvpn/ccd/bugs
iroute 192.168.4.0 255.255.255.0
Note: Remember to make sure that all the LANs or the needed hosts can route to all the destinations.

Connect clients and client LANs

By default clients will not see each other. To allow IP packets to flow between clients and/or client LANs, add a client-to-client directive to the server configuration file:
/etc/openvpn/server.conf
client-to-client

In order for another client or client LAN to see a specific client LAN, you will need to add a push directive for each client subnet to the server configuration file (this will make the server announce the available subnet(s) to other clients):

/etc/openvpn/server.conf
client-to-client
push "route 192.168.4.0 255.255.255.0"
push "route 192.168.5.0 255.255.255.0"
.
.
Note: As always, make sure that the routing is properly configured.

DNS

The DNS servers used by the system are defined in /etc/resolv.conf. Traditionally, this file is the responsibility of whichever program deals with connecting the system to the network (e.g. Wicd, NetworkManager, etc.). However, OpenVPN will need to modify this file if you want to be able to resolve names on the remote side. To achieve this in a sensible way, install openresolv, which makes it possible for more than one program to modify resolv.conf without stepping on each-other's toes.

Before continuing, test openresolv by restarting your network connection and ensuring that resolv.conf states that it was generated by resolvconf, and that your DNS resolution still works as before. You should not need to configure openresolv; it should be automatically detected and used by your network system.

For Linux, OpenVPN can send DNS host information, but expects an external process to act on it. This can be done with the client.up and client.down scripts packaged in /usr/share/openvpn/contrib/pull-resolv-conf/. See their comments on how to install them to /etc/openvpn. The following is an excerpt of a resulting client configuration using the scripts in conjunction with resolvconf and options to #Drop root privileges after connecting:

/etc/openvpn/clienttunnel.conf
user nobody
group nobody
# Optional, choose a suitable path to chroot into for your system
chroot /srv
script-security 2
up /etc/openvpn/client.up 
plugin /usr/lib/openvpn/plugins/openvpn-plugin-down-root.so "/etc/openvpn/client.down tun0"

Update resolv-conf script

Tango-inaccurate.pngThe factual accuracy of this article or section is disputed.Tango-inaccurate.png

Reason: Inclusion of the setenv PATH statement does not seem to be required. (Discuss in Talk:OpenVPN#)

The openvpn-update-resolv-conf script is available as an alternative to packaged scripts. It needs to be saved for example at /etc/openvpn/update-resolv-conf and made executable with chmod. There is also an AUR package: openvpn-update-resolv-confAUR which will take care of the script installation for you.

Once the script is installed add lines like the following into your OpenVPN client configuration file:

script-security 2
setenv PATH /usr/bin
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Now, when your launch your OpenVPN connection, you should find that your resolv.conf file is updated accordingly, and also returns to normal when your close the connection.

Update systemd-resolved script

Since systemd-229, systemd-networkd's systemd-resolved.service has exposed an API through DBus allowing management of DNS configuration on a per-link basis. Tools such as openresolv may not work reliably when /etc/resolv.conf is managed by systemd-resolved, and will not work at all if you are using resolve instead of dns in your /etc/nsswitch.conf file. The update-systemd-resolved script is another alternative and links OpenVPN with systemd-resolved via DBus to update the DNS records.

If you copy the script into /etc/openvpn and mark as executable with chmod, or install it via the AUR package (openvpn-update-systemd-resolvedAUR), you can add lines like the following into your OpenVPN client configuration file:

script-security 2
setenv PATH /usr/bin
up /etc/openvpn/update-systemd-resolved
down-pre /etc/openvpn/update-systemd-resolved

L2 Ethernet bridging

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: Please add a well thought out section on L2 bridging. (Discuss in Talk:OpenVPN#)

For now see: OpenVPN Bridge

Troubleshooting

Client daemon not restarting after suspend

If you put your client system to sleep, and on resume OpenVPN does not restart, resulting in broken connectivity, create the following file:

/usr/lib/systemd/system-sleep/vpn.sh
#!/bin/sh
if [ "$1" == "pre" ]
then
  killall openvpn
fi

Make it executable chmod a+x /usr/lib/systemd/system-sleep/vpn.sh

/etc/systemd/system/openvpn@.service.d/restart.conf
[Service]
Restart=always

Connection drops out after some time of inactivity

If the VPN-Connection drops some seconds after it stopped transmitting data and, even though it states it is connected, no data can be transmitted through the tunnel, try adding a keepalivedirective to the server's configuration:

/etc/openvpn/server.conf
.
.
keepalive 10 120
.
.

In this case the server will send ping-like messages to all of its clients every 10 seconds, thus keeping the tunnel up. If the server does not receive a response within 120 seconds from a specific client, it will assume this client is down.

A small ping-interval can increase the stability of the tunnel, but will also cause slightly higher traffic. Depending on your connection, also try lower intervals than 10 seconds.

See Also