From Wiki
Jump to: navigation, search

Here's a quick HOWTO for setting up an OpenVPN server and client on any (Debian, in this case) Linux machine of your choice. I'm running an OpenVPN server on a box at home, and a client on my laptop, so I can securely route all my laptop traffic through my OpenVPN server, no matter where I am.

I highly recommend reading the official OpenVPN HOWTO from top to bottom, at least once. But here's a short, condensed HOWTO (specifically geared towards my needs, yours might be different):


Setting up the Server

$ aptitude install openvpn udev
$ cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
$ cd /etc/openvpn/easy-rsa
$ export KEY_SIZE=4096
$ . ./vars
$ . ./clean-all
$ . ./build-ca

You'll now have the chance to enter some data such as country code (e.g. "DE"), state/province, locality, organization name, organizational unit name, common name, name, and email address. The values you choose don't really matter much (except for commonName, maybe, which could be your hostname or domain or such). Finally, the ca.key (root CA key) and ca.crt (root CA certificate) files will be created.

Next, we'll create the server key:

$ ./build-key-server server

You'll have to enter lots of info again (see above), commonName could be "server" or such this time. Upon "Sign the certificate? [y/n]" say y, as well as upon "1 out of 1 certificate requests certified, commit? [y/n]". Finally, the server.key and server.crt files will be created.

Same procedure for creating a client key (I used "client1" as filename and commonName here):

$ ./build-key client1

Next up we'll generate Diffie Hellman parameters (this will take a shitload of time due to keysize=4096,

$ ./build-dh

When this step is done, you'll have a dh4096.pem file.

As we want to use OpenVPN's "tls-auth" feature for perfect forward secrecy (it "adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification"), we'll have to generate a shared secret:

$ openvpn --genkey --secret ta.key
$ mv ta.key keys

So much for creating keys. Now, we'll have to configure OpenVPN. Copy the default server config file and edit it:

$ cd /etc/openvpn
$ cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz .
$ gunzip server.conf.gz

Example of my config file:

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt 
dh /etc/openvpn/easy-rsa/keys/dh4096.pem
ifconfig-pool-persist ipp.txt
push "route"
push "dhcp-option DNS"
keepalive 10 120
user nobody
group nogroup
status openvpn-status.log
log-append  openvpn.log
verb 3

You can now start the OpenVPN server, e.g. via

$ /etc/init.d/openvpn restart

Iptables and routing in your network

After setting up the server, you need to enable routing on it and enable NATTing to your network.

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

On your private network you need to add a route into your internal router to route the traffic to to the internal IP of your vpn server.


Install OpenVPN (apt-get install openvpn), or the windows installer then copy the default client config file and edit it:

$ cd /etc/openvpn
$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf .

Change the parameters to match the server config (port 443/TCP, and so on) and use "tls-auth /etc/openvpn/ta.key 1" (note the "1" on the client, and the "0" on the server!). Replace with the public IP address of your OpenVPN server. If it doesn't have a public, static IP address already, you can use services such as DynDNS, or (my preferred method), my ssh-based DIY poor man's dynamic DNS setup.

Here's my full client config:

dev tun
proto udp
# change to your vpn server
remote xxxxxxxxxxxxxxxxxxx 1194
resolv-retry infinite
# if using linux, you might want to uncomment these 
# if order to downgrade privileges
# user nobody
# group nogroup
# persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
ca 'ca.crt'
cert 'client1.crt'
key 'client1.key'
ns-cert-type server
tls-auth 'ta.key' 1
# cipher DES-EDE3-CBC
verb 3
# auth-user-pass

Now you only need to copy the required certificates and keys to the client: client1.crt, client1.key, ca.crt, and ta.key. Do not copy the other, server-specific private keys and such to the client(s)! Also, the root CA key (ca.key) should not even be left on the server, but rather moved to some offline storage/box, so that it cannot fall into the wrong hands, e.g. in the case of a server compromise.

In windows you need to install the GUI and execute it as administrator.


Personal tools