
Ivacy

OpenVPN configuration and use

2018/10/10

OpenVPN is a software package for creating virtual private network encryption channels that allow VPNs to be created using public keys, digital certificates, or username/passwords for authentication. OpenVPN runs on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, Mac OS X and Windows 2000/XP/Vista/7, as well as Android and iOS, and includes many security features.

OpenVPN configuration and use

The first step in configuring OpenVPN 2.0 is to establish a PKI (public key infrastructure). The PKI consists of:

A certificate (also known as a public key) and a private key for the server and for each client.

A certificate authority (CA) certificate and private key, used to sign each of the server and client certificates.

OpenVPN supports certificate-based two-way authentication, which means that the client needs to authenticate the server, and the server also authenticates the client.

 

The first step for the server and client to authenticate each other is to verify that the certificate presented by the other party was issued by the certificate authority (CA). Then the header fields of the certificate verified in the first step are examined, such as the certificate's Common Name and the certificate type (client or server).

From a VPN perspective, this security model meets a number of requirements:

 

The server only needs its own certificate/private key pair; it does not need to know each client's certificate in advance.

The server only accepts clients whose certificates were issued by the CA. Because the server does not need access to the CA's private key to check whether a certificate was issued by the CA, the CA's private key (the most important private key in the entire PKI) can be kept on another machine.

If a private key is compromised, it can be banned by adding its certificate to the CRL (Certificate Revocation List). The CRL allows selective rejection of the compromised certificate without rebuilding the entire PKI.

Based on an embedded certificate field such as the Common Name, the server can enforce client-specific access rights.
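As an added example (not from the HOWTO this page reproduces, nor from the OpenVPN project), the two checks above carried out with the openssl command line: first that the peer certificate chains to our CA and is of the right type, then that its Common Name is the expected one. It assumes a reasonably recent OpenSSL with its stock configuration; the make_test_pki helper, file names and Common Names are stand-ins for what build-ca and build-key produce.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: the two checks described above,
# done with the openssl CLI against files from an easy-rsa style keys directory.
# Step 1: the peer's certificate chains to our ca.crt and is of the right type
# (server vs. client).  Step 2: its Common Name is the one we expect.
# File names are placeholders; make_test_pki builds throwaway material to try it.

# Usage: verify_peer <ca.crt> <peer.crt> <expected-CN> <sslserver|sslclient>
verify_peer() {
  ca=$1; cert=$2; want_cn=$3; purpose=$4
  # Step 1: signature chains to the CA and the certificate type fits the role
  # (-purpose rejects a clientAuth-only certificate presented as a server).
  if ! openssl verify -purpose "$purpose" -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "REJECT: not issued by our CA, or not a $purpose certificate"; return 1
  fi
  # Step 2: compare the subject Common Name with the expected one.
  cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$cert" \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  if [ "$cn" != "$want_cn" ]; then
    echo "REJECT: CN is '$cn', expected '$want_cn'"; return 1
  fi
  echo "ACCEPT: $cn ($purpose)"
}

# Throwaway CA plus one server and one client certificate in directory $1,
# mirroring what build-ca / build-key-server / build-key produce (demo only).
make_test_pki() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=OpenVPN-CA \
      -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  for who in server client1; do
    # server certificates get serverAuth, client certificates clientAuth
    [ "$who" = server ] && eku=serverAuth || eku=clientAuth
    echo "extendedKeyUsage=$eku" > "$d/$who.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$who" \
        -keyout "$d/$who.key" -out "$d/$who.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/$who.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/$who.ext" -out "$d/$who.crt" 2>/dev/null
  done
}
```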

Generate a Certificate Authority (CA) certificate & private key

In this section we generate a certificate authority (master CA) certificate/private key, a server certificate/private key, and two client certificate/private keys.

 

We use a set of scripts bundled with OpenVPN.

 

Open a shell under Linux and enter the easy-rsa directory under OpenVPN. If OpenVPN was installed from an RPM package, the easy-rsa directory is usually located in /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn-2.0 (preferably copy this directory somewhere else, such as /etc/openvpn, before making changes, so that a future OpenVPN upgrade does not overwrite them).

 

Under Windows, open a command prompt and go to the \Program Files\OpenVPN\easy-rsa directory. Run the following batch file to copy the configuration files to the correct location (this command will overwrite any pre-existing vars.bat and openssl.cnf files).

 

-------------

init-config

-------------

 

Edit the vars file (vars.bat under Windows) to set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL parameters. None of these parameters may be left blank.

 

Next, initialize PKI, under Linux:

 

-------------

. ./vars
./clean-all
./build-ca

-------------

 

Windows:

 

-------------

vars
clean-all
build-ca

-------------

 

 

The final command (build-ca) generates the certificate and private key of the certificate authority (CA) by calling the interactive openssl command.

 

-------------

ai:easy-rsa # ./build-ca
Generating a 1024 bit RSA private key
............++++++
...........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:
State or Province Name (full name) [NA]:
Locality Name (eg, city) [BISHKEK]:
Organization Name (eg, company) [OpenVPN-TEST]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:OpenVPN-CA
Email Address [[email protected]]:

-------------

 

 

In the above sequence, the default value for most query parameters is the value set in the vars or vars.bat file. The only parameter that needs to be explicitly entered is the Common Name. In the above example, the input is "OpenVPN-CA".

 

Generate a certificate & private key for the server

Generate a certificate and private key for the server. Linux/BSD/Unix:

 

-------------

./build-key-server server

-------------

 

Windows:

 

-------------

build-key-server server

-------------

 

Similar to the previous step, most parameters can be kept at their default values. When asked for the Common Name, type "server". Two other queries require positive ("y") responses: "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".

 

Generate a certificate & private key for 3 clients

Generating a client certificate is similar to the previous step. Linux/BSD/Unix:

 

-------------

./build-key client1
./build-key client2
./build-key client3

-------------

 

Windows:

 

-------------

build-key client1
build-key client2
build-key client3

-------------

 

If you want to protect your client private key with a password, use the build-key-pass script instead of build-key.

 

Enter the appropriate Common Name for each client, i.e. "client1", "client2" and "client3". Always give each client a unique name.

 

Generate Diffie-Hellman parameters

Diffie-Hellman parameters must be generated for the OpenVPN server. Linux/BSD/Unix:

 

-------------

./build-dh

-------------

 

Windows:

 

-------------

build-dh

-------------

 

Output:

 

-------------

ai:easy-rsa # ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.................+...........................................
...................+.............+.................+.........
......................................

-------------

 

Key files

The private keys and certificates are generated in the keys directory. The final step is to copy the key files to the machines that need them.

 

Create a configuration file for the server and client

Getting the sample configuration files

It is best to use the OpenVPN sample configuration files as a starting point for your own. These files can be found in:

 

The sample-config-files directory of the OpenVPN source package

If installed from an RPM, the sample-config-files directory under /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn-2.0

Under Windows, Start Menu -> All Programs -> OpenVPN -> OpenVPN Sample Configuration Files

On Linux, BSD or Unix the sample configuration files are server.conf and client.conf; under Windows they are server.ovpn and client.ovpn.

 

Write a server configuration file

The sample configuration file uses a virtual TUN network interface (routed mode) to create a VPN that listens for client connection requests on UDP port 1194 (the official OpenVPN port) and allocates virtual addresses to connecting clients from the 10.8.0.0/24 subnet.

 

Before using the sample configuration file, first edit the ca, cert, key, and dh parameters to point to the files you generated in the PKI step above.

 

At this point, the server configuration file can be used, or you can modify it further:

 

If you use an Ethernet bridge, you must use server-bridge and dev tap instead of server and dev tun.

If you want the OpenVPN server to listen on a TCP port instead of a UDP port, use proto tcp instead of proto udp.

If you want to use a virtual IP address range other than 10.8.0.0/24, modify the server directive. Remember that this virtual IP address range must not be in use anywhere on your network.

If you want connected clients to reach each other through the VPN, uncomment client-to-client. By default, clients can only reach the server.

If you are using Linux, BSD, or Unix, you can uncomment user nobody and group nobody to improve security.

If you want to run multiple OpenVPN instances on the same machine, each using a different configuration file, this is possible provided that:

Each VPN instance uses a different port number (UDP and TCP use different port spaces, so one VPN can listen on UDP 1194 and another on TCP 1194).

If running under Windows, each OpenVPN configuration requires its own TAP-Win32 virtual NIC. You can add TAP-Win32 virtual NICs via Start Menu -> All Programs -> OpenVPN -> Add a new TAP-Win32 virtual ethernet adapter.

If you are running multiple OpenVPN instances, remember to edit the directives that specify output files so that one VPN does not overwrite another's output. These directives include log, log-append, status, and ifconfig-pool-persist.

Write a client configuration file

The sample client configuration file (client.conf on Linux/BSD/Unix, client.ovpn on Windows) corresponds to the sample server configuration file.

Just like the server configuration file, first edit the ca, cert, and key parameters to point to the files you generated in the PKI step above. Each client has its own cert/key pair; only the ca file is shared between the server and all clients.

Next, edit the remote directive to point to the server's hostname/IP address and port number. (If the OpenVPN server is running on a single-NIC machine behind a firewall/NAT gateway, use the public IP address of the gateway and the port you configured on the gateway to forward to the OpenVPN server.)

Finally, make sure the directives in the client configuration file are consistent with those in the server configuration file. The main ones to check are dev (tun/tap) and proto (udp/tcp). Also, comp-lzo and fragment (if used) must be present in both the client and server configuration files.
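As an added example (not from the original HOWTO or the OpenVPN project) serving both the server and the client configuration sections above, a server.conf and client.conf built from the directives discussed, followed by a check that the settings which must agree on both ends really do; the hostname, file paths and the 10.8.0.0/24 range are placeholders, and the client config deliberately uses proto tcp so the check has something to find.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: a server.conf and client.conf
# built from the directives discussed above, plus a check that the settings
# which must agree on both ends (dev, proto, comp-lzo, fragment) really do.
# Hostname, paths and the address range are placeholders (constructed).

write_sample_configs() {   # writes server.conf and client.conf into $1
  cat > "$1/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
user nobody
group nobody
comp-lzo
status openvpn-status.log
EOF
  cat > "$1/client.conf" <<'EOF'
client
remote vpn.example.com 1194
proto tcp
dev tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
EOF
}

# Usage: check_consistency server.conf client.conf
# Prints one MISMATCH line per disagreeing directive; returns 1 if any.
check_consistency() {
  srv=$1; cli=$2; rc=0
  for d in dev proto comp-lzo fragment; do
    # directive value: "" when present without argument, <absent> when missing
    s=$(awk -v d="$d" '$1==d {f=1; print $2} END {if (!f) print "<absent>"}' "$srv")
    c=$(awk -v d="$d" '$1==d {f=1; print $2} END {if (!f) print "<absent>"}' "$cli")
    if [ "$s" != "$c" ]; then
      echo "MISMATCH $d: server='$s' client='$c'"; rc=1
    fi
  done
  return $rc
}
```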

 

Start and test the initial connection to the VPN

Start the server

First, make sure the OpenVPN server is reachable from the Internet. This means:

The firewall allows inbound UDP port 1194 (or whatever TCP/UDP port you have configured).

A port forwarding rule on the firewall/gateway forwards UDP port 1194 to the machine running the OpenVPN server.

 

Next, make sure the TUN/TAP virtual NIC is not blocked.

 

To make errors easier to spot, it is best to start the OpenVPN server from the command line (or by right-clicking the .ovpn file under Windows) rather than as a daemon or service.

A sample server startup log:

 

----------------

Sun Feb  6 20:46:38 2005 OpenVPN 2.0_rc12 i686-suse-linux [SSL] [LZO] [EPOLL] built on Feb 5 2005
Sun Feb  6 20:46:38 2005 Diffie-Hellman initialized with 1024 bit key
Sun Feb  6 20:46:38 2005 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Feb  6 20:46:38 2005 TUN/TAP device tun1 opened
Sun Feb  6 20:46:38 2005 /sbin/ifconfig tun1 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Sun Feb  6 20:46:38 2005 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Sun Feb  6 20:46:38 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:23 ET:0 EL:0 AF:3/1 ]
Sun Feb  6 20:46:38 2005 UDPv4 link local (bound): [undef]:1194
Sun Feb  6 20:46:38 2005 UDPv4 link remote: [undef]
Sun Feb  6 20:46:38 2005 MULTI: multi_init called, r=256 v=256
Sun Feb  6 20:46:38 2005 IFCONFIG POOL: base=10.8.0.4 size=62
Sun Feb  6 20:46:38 2005 IFCONFIG POOL LIST
Sun Feb  6 20:46:38 2005 Initialization Sequence Completed

-------------

 

Start the client

As with the server, it is best to start OpenVPN from the command line (or right click on the client.ovpn file under Windows).

 

The client startup under Windows is similar to the server startup above, and ends with the Initialization Sequence Completed message.

Now, send the ping packet from the client through the VPN. If you use the routing mode (dev tun in the server configuration file), enter the following command:

 

If you are using bridge mode (dev tap in the server configuration file), try to ping the IP address of a machine on the server's subnet.

 

If the ping is successful, congratulations! You already have a working VPN.


Common problems

If the ping fails or the OpenVPN client fails to initialize, check the following symptoms and solutions:


Error message: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity). This error indicates that the client cannot establish a network connection with the server.


Solution:

 

Ensure that the client is using a hostname/IP address and port number that let it reach the OpenVPN server.

If the OpenVPN server machine has a single NIC inside a protected LAN, make sure the correct port forwarding rule is in place on the gateway firewall. For example, if the OpenVPN server's address behind the firewall is 192.168.4.4 and it listens for client connections on UDP port 1194, the NAT gateway serving the 192.168.4.x subnet should have a port forwarding rule: forward UDP port 1194 from the public IP address to 192.168.4.4.


Open the server's firewall to allow connections to UDP port 1194 (or whatever TCP/UDP port you specify in the server configuration file).


Error message: Initialization Sequence Completed with errors -- This error may occur under Windows if (a) the DHCP client service is not running, or (b) a third-party personal firewall is in use on XP SP2.


Solution: Start the DHCP client service and make sure the personal firewall is one that works properly on XP SP2.

 

I got the Initialization Sequence Completed message, but the ping failed -- this is usually the firewall on the server or client filtering the TUN/TAP network interface to block traffic on the VPN network.

 

Workaround: Stop the client's firewall (if any) from filtering the TUN/TAP network interface. For example, under Windows go to Windows Security Center -> Windows Firewall -> Advanced and uncheck the entry corresponding to the TAP-Win32 NIC. (Disabling client firewall filtering of the TUN/TAP NIC is usually reasonable from a security point of view, because you are essentially telling the firewall not to block authorized VPN traffic.) Also ensure that the server's TUN/TAP interface is not filtered by the firewall.

 

When using proto udp, the connection stops at startup, and the server has the following line in the log file:

---------------

TLS: Initial packet from x.x.x.x:x, sid=xxxxxxxx xxxxxxxx

---------------

 

But there is no equivalent line in the client's log.

Solution: You have a one-way connection from the client to the server; the server-to-client direction is blocked by a firewall, usually on the client side. The firewall may be (a) a personal software firewall running on the client, or (b) the NAT router gateway in front of the client. Modify the firewall settings so that the UDP packets returned by the server can reach the client.
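As an added example (not part of the original HOWTO), a small shell function that looks for the symptoms listed in this section in a server log and a client log and names the likely cause; the log paths are placeholders and the log lines used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: match the symptoms listed in this
# section against a server log and a client log and print the likely cause.
# The quoted message strings are the ones from the text; the sample log lines
# used to try it are constructed. Log paths are placeholders.

# Usage: diagnose <server.log> <client.log>
# Prints one finding per line; returns 1 if a failure symptom was recognised.
diagnose() {
  srv=$1; cli=$2; bad=0
  if grep -q "TLS key negotiation failed to occur within 60 seconds" "$cli"; then
    echo "no path to server: check remote host/port, gateway port forwarding and server firewall"
    bad=1
  fi
  if grep -q "Initialization Sequence Completed with errors" "$cli"; then
    echo "windows client: start the DHCP client service, check the personal firewall on XP SP2"
    bad=1
  fi
  # Server logged the client's first packet but the client never saw a reply.
  if grep -q "TLS: Initial packet from" "$srv" \
     && ! grep -q "TLS: Initial packet from" "$cli" \
     && ! grep -q "Initialization Sequence Completed" "$cli"; then
    echo "one-way traffic: server replies blocked by client-side firewall or NAT, allow the returning UDP packets"
    bad=1
  fi
  # A clean completion line (not the "with errors" variant) means the tunnel is up.
  if grep -q "Initialization Sequence Completed$" "$cli"; then
    echo "tunnel up: if ping still fails, check TUN/TAP interface filtering on both ends"
  fi
  return $bad
}
```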

