Sign in to follow this  
Followers 0

HPR - HPR1498: Personal OpenVPN

1 post in this topic

Personal OpenVPN

This guide will walk you through setting up an OpenVPN server as well as a client.

OpenVPN Server Setup

Here is how to install OpenVPN on Centos6. Other RedHat derivatives should be similar.

rpm -Uvh epel-release-6-8.noarch.rpm
yum install openvpn -y

Here is how to install OpenVPN on a Debian server. Other Debian derivatives should be similar.

apt-get install openvpn

After the server is installed, the server certificate authority and keys must be generated.
This will be followed by the client keys, and then the server configuration file.

Copy the easy-rsa scripts into /etc/openvpn

cp -rf /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa # on Debian

cp -rf /usr/share/openvpn/easy-rsa/2.0/* /etc/openvpn/easy-rsa # on Centos6

Set Environmental variables

cd /etc/openvpn/easy-rsa
vim vars

Change the following variables to meet your needs. These are used for your
convenience. They will be used as the defaults during the interactive key
generation session to set the keys attributes.

export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"

Source the variables to the current shell

. ./vars

Create certificate authority


Create keys for the server and clients

./build-key-server server
./build-key client1
./build-key client2

Setup the server configuration file

cd /etc/openvpn
gunzip /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz # on Debian
vim /etc/openvpn/server.conf

Server settings

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
ifconfig-pool-persist ipp.txt
client-config-dir ccd
keepalive 10 120
cipher AES-256-CBC # AES
user nobody
group nogroup
status openvpn-status.log
verb 3

Restart VPN Service

service openvpn restart

If the service fails to start, try starting openVPN manually.
The resulting errors will allow you to see what item in the
configuration file is incorrect.

openvpen server.conf

Once you are able to get openVPN to start without error,
kill it and restart it using the service command above.
You can verify that the vpn is successfully running by
looking at the configured interfaces using the following


You should now see an entry like the following:

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr: P-t-P: Mask:
RX packets:622255 errors:0 dropped:0 overruns:0 frame:0
TX packets:986993 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:40649523 (38.7 MiB) TX bytes:1344026670 (1.2 GiB)

OpenVPN Client Setup

The installation of OpenVPN for linux is the same as described above for
the server. For Windows, Download and run the OpenVPN installer from the
OpenVPN Community Downloads.

NOTE: On Windows, User Account Control (UAC) must be turned
off in order to allow OpenVPN to execute the necessary network
commands to bring up the VPN. Open Start > Control Panel >
User Accounts and Family Safety > User Accounts > Change User
Account Control Settings. Set to Never Notify, click OK,
and reboot the machine.

Client Configuration file

For linux, the client config file would go in `/etc/openvpn` just like
the server config. We will name it `client.conf` to clarify that the
device is being configured as an OpenVPN client.
On Windows, the keys and client config files go in the
`C:Program Files (x86)OpenVPNconfig`. The config file has
to have an `.ovpn` suffix.

dev tun
proto udp
remote 1194
resolv-retry infinite
user nobody
group nogroup
ca /etc/openvpn/keys/ca.crt
# on Windows, the format is:
# ca "C:Program Files (x86)OpenVPNconfigca.crt"
# Windows may also change the file suffix on the crt files to cer.
# So, If Windows complains that it cannot find the file,
# examine its properties to verify the suffix.
# The logs are stored at C:Program Files (x86)OpenVPNlog
cert /etc/openvpn/keys/client1.crt
key /etc/openvpn/keys/client1.key
ns-cert-type server
cipher AES-256-CBC
verb 3

Copy client key and server ca files onto client

scp ca.crt user@client1:.openvpn/
scp client1.crt user@client1:.openvpn/
scp client1.key user@client1:.openvpn/

On the server create the ccd directory to assign static addresses to clients.

mkdir /etc/openvpn/ccd

For each device, add a file with the CN name of the key.
In that file, you will indicate the static address to be used and the server IP
For linux, the server IP will be the VPN address of your VPN server. On Windows, the VPN client
will set up a local TAP interface that must be used as the server IP. See the OpenVPN docs for available
client and TAP server IP pairs.


cat /etc/openvpn/ccd/linux-client
cat /etc/openvpn/ccd/windows-client


Hacker Public Radio episode 0297
Debian OpenVPN Docs
OpenVPN HowTo
OpenVPN Windows Downloads
OpenVPN Windows Guide

[url=]Go to this episode[/url]

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  
Followers 0