OpenVPN HowTo

OpenVPN is an easy-to-set-up and easy-to-use VPN solution that offers TUN/TAP support. In this tutorial I describe how to set up an OpenVPN connection between an Ubuntu server and an Arch client.

Preparations (Server)

First we have to install OpenVPN on the server.

# apt-get install openvpn

To see whether TUN/TAP is enabled in the kernel, check the kernel log with grep tun /var/log/kern.log and, if nothing shows up, load the module with modprobe tun.

Creating a PKI

To use OpenVPN we need a PKI and certificates. Fortunately there is a script for that.

# apt-get install easy-rsa

First we create a folder to store our certificates in (mkdir easy-rsa) and fetch the default variables file (cp /usr/share/easy-rsa/vars easy-rsa). The file is prefilled, but one may want to change

KEY_COUNTRY
KEY_PROVINCE
KEY_CITY
KEY_ORG
KEY_EMAIL
KEY_OU

All other standard parameters should usually be fine but can be changed if desired. Now we change to /usr/share/easy-rsa, load the variables with # source <PATH_TO_VARS>/vars and run ./build-ca. If keys have been built before, one should run ./clean-all first (note that this deletes every existing key and certificate in the keys folder).

Now we can start creating keys and sign them. First we create the server key with

# ./build-key-server my-test-server

and answer with yes two times. We do the same for a client key

# ./build-key my-test-client

To build Diffie-Hellman parameters we run ./build-dh (this can take some time). Finally we create an HMAC key (used by tls-auth to authenticate control-channel packets) for our VPN and store it with the other keys

# openvpn --genkey --secret /usr/share/easy-rsa/keys/ta.key

Configuring OpenVPN (Server)

Everything is set-up now to configure and run the OpenVPN server. First we copy the sample configuration file to the correct folder

# cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
# gzip -d /etc/openvpn/server.conf.gz

At least the following changes to server.conf should be made after copying keys, parameters and certificates to /etc/openvpn. The private key and ta.key should be readable by root only; OpenVPN reads them before dropping privileges to the user and group below. Note that Debian and Ubuntu have no group called nobody; the unprivileged group there is nogroup.

ca /etc/openvpn/ca.crt
cert /etc/openvpn/my-test-server.crt
key /etc/openvpn/my-test-server.key
dh /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/ta.key 0
user nobody
group nogroup

Starting OpenVPN (Server)

The server can now be started with

# openvpn /etc/openvpn/server.conf

Configuring OpenVPN (Client)

First we have to get key, certificate and parameters from the server to the client, over a secure channel such as scp. Then we install OpenVPN on the client (pacman -S openvpn), copy the sample configuration file somewhere nice (# cp /usr/share/openvpn/examples/client.conf /etc/openvpn/client.conf) and modify at least the following

remote test-server-ip 1194
ca /etc/openvpn/ca.crt
cert /etc/openvpn/my-test-client.crt
key /etc/openvpn/my-test-client.key
dh /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/ta.key 1
user nobody
group nobody

test-server-ip has to be replaced with the server's IP address or hostname. Now we can also start the client with # openvpn /etc/openvpn/client.conf. The start-up should end with

Initialization Sequence Completed
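Before starting either side it is worth checking that the config actually matches what was set up above, since a wrong tls-auth key-direction or a missing file only shows up as a failed handshake. The following script is an added example, not part of the original HowTo or of OpenVPN; the function name check_ovpn_conf is my own, and the remote-cert-tls hint is an extra recommendation beyond the configs shown on this page.

```shell
#!/bin/sh
# Checks an OpenVPN config for the settings this HowTo depends on: every referenced file exists,
# tls-auth is present with the key-direction matching the role (0 on the server, 1 on the client),
# and user/group are set so the daemon drops root after start-up. Exit 0 means all checks passed.
# Usage: check_ovpn_conf server|client /etc/openvpn/server.conf
check_ovpn_conf() {
    role=$1; conf=$2; rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    confdir=$(dirname "$conf")

    # 1. ca/cert/key/dh: the referenced file must exist (relative paths resolve from the config dir)
    for opt in ca cert key dh; do
        path=$(awk -v o="$opt" '$1==o {print $2; exit}' "$conf")
        if [ -z "$path" ]; then
            if [ "$opt" = dh ] && [ "$role" = client ]; then continue; fi   # dh is only used by the server
            echo "$opt: not set"; rc=1; continue
        fi
        case $path in /*) ;; *) path="$confdir/$path" ;; esac
        [ -r "$path" ] || { echo "$opt: file not found: $path"; rc=1; }
    done

    # 2. tls-auth must be present, readable, and carry the key-direction that matches the role
    ta=$(awk '$1=="tls-auth" {print $2; exit}' "$conf")
    dir=$(awk '$1=="tls-auth" {print $3; exit}' "$conf")
    if [ -z "$ta" ]; then
        echo "tls-auth: not set (control-channel packets will not be HMAC-authenticated)"; rc=1
    else
        case $ta in /*) ;; *) ta="$confdir/$ta" ;; esac
        [ -r "$ta" ] || { echo "tls-auth: file not found: $ta"; rc=1; }
        want=0; if [ "$role" = client ]; then want=1; fi
        [ "$dir" = "$want" ] || { echo "tls-auth: key-direction is '$dir', expected $want for $role"; rc=1; }
    fi

    # 3. user/group: without them the daemon keeps running as root after initialisation
    for opt in user group; do
        awk -v o="$opt" '$1==o {f=1} END {exit !f}' "$conf" || { echo "$opt: not set"; rc=1; }
    done

    # 4. client only: a remote is required; remote-cert-tls server makes the client accept only a
    #    certificate built with build-key-server as the server's certificate (hint, not a failure)
    if [ "$role" = client ]; then
        awk '$1=="remote" {f=1} END {exit !f}' "$conf" || { echo "remote: not set"; rc=1; }
        awk '$1=="remote-cert-tls" && $2=="server" {f=1} END {exit !f}' "$conf" \
            || echo "note: consider adding 'remote-cert-tls server' to the client config"
    fi
    return $rc
}
if [ "$#" -eq 2 ]; then check_ovpn_conf "$1" "$2"; exit $?; fi
```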