Installation

_$: apt-get install openvpn

Client certificate

Note: these commands are run on the server, which acts as the CA. Done this way, the client's private key exists on the server as well as on the client; where you can, generate the key and the request on the client instead and send only client.req to the server for signing.

(server)_$: cd /etc/openvpn
(server)_$: openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.req
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:Aragon
Locality Name (eg, city) []:Zaragoza
Organization Name (eg, company) [Internet Widgits Pty Ltd]:example.com
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:client
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

(server)_$: openssl ca -out client.cert -config ./CA/openssl.cnf -infiles client.req

Copy the following files to the client over a channel you trust (scp, or a USB stick you control; never plain e-mail):

  • client.cert
  • client.key
  • cacert.pem

into the client's /etc/openvpn directory. client.key is the client's private key: make it readable by root only (chmod 600 /etc/openvpn/client.key) and, once the client connects, remove the copies left on the server and on the stick so that the key exists on the client alone.
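The steps above leave a copy of client.key on the server and give no way to confirm that what comes back from the CA belongs to the key the client holds. The script below is an added example, not part of the original page: it performs the same issuance with the key generated on the client (only the request travels), then checks the returned certificate against the CA, the private key, the requested CN and the key file's permissions before it is installed. It assumes Linux (GNU stat) with openssl on the PATH; the throwaway CA and the "openssl x509 -req" signing step are stand-ins for the server's CA directory and its "openssl ca" command, which the example does not reproduce.

```sh
#!/bin/sh
# Added example, not from the original page: issue the client certificate
# with the private key generated on the client, then verify what the CA
# returned before installing it. Assumptions: Linux (GNU stat) with openssl
# on the PATH; the throwaway CA and "openssl x509 -req" stand in for the
# server's CA directory and its "openssl ca" command.
set -e

# Create client.key (mode 0600) and client.req in $1 for Common Name $2.
# Only client.req has to travel to the server; the key stays here.
gen_client_key_and_csr() {
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$1/client.key" -out "$1/client.req" \
          -subj "/C=ES/ST=Aragon/L=Zaragoza/O=example.com/CN=$2" 2>/dev/null )
}

# Stand-in for the CA: a self-signed cacert.pem in $1 ...
make_test_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/ca.key" -out "$1/cacert.pem" \
        -subj "/C=ES/O=example.com/CN=Test CA" 2>/dev/null
}

# ... and the signing step. $1: dir holding client.req, $2: CA dir.
sign_request() {
    openssl x509 -req -in "$1/client.req" -CA "$2/cacert.pem" -CAkey "$2/ca.key" \
        -CAcreateserial -days 1 -out "$1/client.cert" 2>/dev/null
}

# Check the certificate the CA sent back (in $1) against CA file $3 and the
# expected CN $2. Prints OK and returns 0 only if every check passes;
# otherwise prints the failing check and returns 1.
verify_issued() {
    openssl verify -CAfile "$3" "$1/client.cert" >/dev/null 2>&1 \
        || { echo "chain: client.cert was not issued by $3"; return 1; }
    [ "$(openssl x509 -noout -modulus -in "$1/client.cert")" = \
      "$(openssl rsa  -noout -modulus -in "$1/client.key")" ] \
        || { echo "keypair: client.cert does not match client.key"; return 1; }
    openssl x509 -noout -subject -in "$1/client.cert" | grep -q "CN *= *$2\$" \
        || { echo "subject: CN is not $2"; return 1; }
    [ "$(stat -c %a "$1/client.key")" = "600" ] \
        || { echo "perms: client.key must be mode 0600"; return 1; }
    echo OK
}

# Demo run: ./issue_client.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_test_ca "$work"
    gen_client_key_and_csr "$work" client
    sign_request "$work" "$work"
    verify_issued "$work" client "$work/cacert.pem"
    rm -rf "$work"
fi
```

In real use, run gen_client_key_and_csr on the client, carry client.req to the server, sign it there with the page's openssl ca command, bring client.cert and cacert.pem back, and run verify_issued before copying anything into /etc/openvpn; a certificate that was swapped, issued by the wrong CA or issued for another request fails one of the four checks.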

Now, configure the client:

/etc/openvpn/client.conf:
-------------------------
# Network configuration
dev tun
client
remote 82.223.XXX.YYY 1194
keepalive 10 120

# Certificate configuration
ca /etc/openvpn/cacert.pem
cert /etc/openvpn/client.cert
key /etc/openvpn/client.key
# Accept only a server certificate issued for server use. Without this, any
# certificate signed by the same CA (another client's, for instance) could be
# used to impersonate the server. Requires the server certificate to carry the
# TLS Web Server Authentication extended key usage (or nsCertType server).
remote-cert-tls server

# Logging configuration
log-append /var/log/openvpn.log
status /var/log/openvpn-status.log
verb 4
mute 20

# Security configuration
user nobody
group nogroup
persist-key
persist-tun

# Compression. Compressing traffic before encrypting it is deprecated in
# OpenVPN and leaks information about the plaintext; keep it only while the
# server still sets comp-lzo, and plan to remove it from both ends.
comp-lzo

Basic check

This test runs openvpn with no --secret and no certificates, so the tunnel carries cleartext with no authentication (openvpn prints a warning saying as much). Use it only to confirm that UDP 1194 is reachable and that a tun device comes up, and stop both ends before moving on.

(server)_$: service openvpn stop
(server)_$: openvpn --dev tun1 --ifconfig 10.8.0.1 10.8.0.2
(server)_$: ifconfig
tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

(client)_$: service openvpn stop
(client)_$: openvpn --remote 82.223.XXX.YYY --dev tun1 --ifconfig 10.8.0.2 10.8.0.1
(client)_$: ifconfig
tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.2  P-t-P:10.8.0.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

(server)_$: ping 10.8.0.2     # Ping the client
(client)_$: ping 10.8.0.1     # Ping the server

Check the certificates

Now start the real configuration on both ends. The server brings up its tun device as before; this time the client's address is assigned by the server (10.8.0.6 with the usual net30 topology).

(server)_$: service openvpn start
(server)_$: ifconfig tun1      # device name depends on server.conf
tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

(client)_$: service openvpn start
(client)_$: ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

(server)_$: ping 10.8.0.6     # Ping the client
(client)_$: ping 10.8.0.1     # Ping the server
(client)_$: grep -E 'VERIFY (OK|ERROR)|Initialization Sequence Completed' /var/log/openvpn.log

The log should show VERIFY OK for the CA (depth=1) and for the server certificate (depth=0), followed by "Initialization Sequence Completed". A VERIFY ERROR line means the client rejected the server's certificate, and the pings above would not have worked.
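Pings prove that the tunnel carries traffic, not that the certificates did their job: with a shared CA, any certificate it signed would have produced the same tun0. The log the client.conf above writes (log-append /var/log/openvpn.log) records the outcome of the TLS handshake, and the script below, an added example rather than something from the original page, reduces it to a verdict plus the CN of the certificate the server presented. The log excerpts embedded in it are constructed for the example (198.51.100.7 is a documentation address standing in for the server's); the message texts are the ones OpenVPN itself logs.

```sh
#!/bin/sh
# Added example, not from the original page: decide from the client's
# OpenVPN log whether the TLS handshake verified the server's certificate.
# The sample logs below are constructed for this example (198.51.100.7 is a
# documentation address standing in for the server); the message texts are
# the ones OpenVPN itself logs.
set -e

# Verdict for log file $1:
#   OK                - CA (depth=1) and server cert (depth=0) verified and
#                       "Initialization Sequence Completed" was reached
#   VERIFY_FAILED     - the client rejected a certificate (VERIFY ERROR)
#   HANDSHAKE_FAILED  - TLS handshake failed without a certificate error
#                       (timeout, wrong port, firewall, protocol mismatch)
#   INCOMPLETE        - nothing failed yet, but the tunnel is not up either
handshake_status() {
    awk '
        /VERIFY ERROR:/                     { verr = 1 }
        /TLS Error: TLS handshake failed/   { hs = 1 }
        /VERIFY OK: depth=0/                { leaf = 1 }
        /Initialization Sequence Completed/ { up = 1 }
        END {
            if (verr) print "VERIFY_FAILED";
            else if (hs) print "HANDSHAKE_FAILED";
            else if (leaf && up) print "OK";
            else print "INCOMPLETE"
        }' "$1"
}

# CN of the certificate the peer presented (depth=0). On the client this is
# the server's CN; check that it is the server you meant, because every
# certificate signed by the CA would otherwise be accepted.
peer_cn() {
    sed -n 's/.*VERIFY OK: depth=0,.*CN=\([^,]*\).*/\1/p' "$1" | head -n 1
}

# Constructed sample logs (the real one is /var/log/openvpn.log).
sample_ok_log() {
cat <<'EOF'
Tue Mar  5 10:00:01 2019 UDP link remote: [AF_INET]198.51.100.7:1194
Tue Mar  5 10:00:01 2019 VERIFY OK: depth=1, C=ES, ST=Aragon, L=Zaragoza, O=example.com, CN=example.com CA
Tue Mar  5 10:00:01 2019 VERIFY OK: depth=0, C=ES, ST=Aragon, L=Zaragoza, O=example.com, CN=server
Tue Mar  5 10:00:02 2019 [server] Peer Connection Initiated with [AF_INET]198.51.100.7:1194
Tue Mar  5 10:00:03 2019 TUN/TAP device tun0 opened
Tue Mar  5 10:00:03 2019 Initialization Sequence Completed
EOF
}

sample_verify_error_log() {
cat <<'EOF'
Tue Mar  5 10:05:01 2019 UDP link remote: [AF_INET]198.51.100.7:1194
Tue Mar  5 10:05:01 2019 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=ES, ST=Aragon, L=Zaragoza, O=example.com, CN=server
Tue Mar  5 10:05:01 2019 TLS Error: TLS object -> incoming plaintext read error
Tue Mar  5 10:05:01 2019 TLS Error: TLS handshake failed
EOF
}

sample_timeout_log() {
cat <<'EOF'
Tue Mar  5 10:10:01 2019 UDP link remote: [AF_INET]198.51.100.7:1194
Tue Mar  5 10:11:01 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar  5 10:11:01 2019 TLS Error: TLS handshake failed
EOF
}

sample_partial_log() {
cat <<'EOF'
Tue Mar  5 10:15:01 2019 UDP link remote: [AF_INET]198.51.100.7:1194
Tue Mar  5 10:15:01 2019 VERIFY OK: depth=1, C=ES, ST=Aragon, L=Zaragoza, O=example.com, CN=example.com CA
EOF
}

# Usage: ./check_handshake.sh /var/log/openvpn.log
if [ -n "${1:-}" ]; then
    echo "status: $(handshake_status "$1")  peer CN: $(peer_cn "$1")"
fi
```

HANDSHAKE_FAILED without a VERIFY ERROR points at the network or the port rather than at the certificates, so it is worth telling the two apart before regenerating anything; an OK verdict with an unexpected peer CN means the CA has signed a server certificate you did not intend to trust.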

Use the server as a gateway

Server

The server has to forward the clients' packets and NAT them out of its public interface (eth0 here). Forwarding is off by default on Debian, so enable it first. The source range of the NAT rule should match the VPN subnet in server.conf (10.8.0.0/24 for the usual "server 10.8.0.0 255.255.255.0"), not a wider block:

(server)_$: sysctl -w net.ipv4.ip_forward=1
(server)_$: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Set net.ipv4.ip_forward=1 in /etc/sysctl.conf as well so that forwarding survives a reboot. If the FORWARD chain has a DROP policy, the VPN traffic also has to be accepted there before the NAT rule does anything.

Client:

/etc/openvpn/client.conf:
-------------------------
...
# Use server as gateway (default route for all IPv4 traffic via the tunnel)
redirect-gateway def1

(client)_$: service openvpn restart

redirect-gateway only changes routes: the client keeps the DNS server it had before, so name lookups still leave over the local network. To move them into the tunnel too, have the server push a resolver (push "dhcp-option DNS <address>" in server.conf) and let the client apply it, on Debian with script-security 2 and the update-resolv-conf script shipped in /etc/openvpn.

Disable autostart

With AUTOSTART="none" nothing comes up at boot; start a single configuration by name instead (service openvpn start client for /etc/openvpn/client.conf):

/etc/default/openvpn:
---------------------
# This is the configuration file for /etc/init.d/openvpn

#
# Start only these VPNs automatically via init script.
# Allowed values are "all", "none" or space separated list of
# names of the VPNs. If empty, "all" is assumed.
# The VPN name refers to the VPN configuration file name.
# i.e. "home" would be /etc/openvpn/home.conf
#
#AUTOSTART="all"
AUTOSTART="none"
#AUTOSTART="home office"
#
# Refresh interval (in seconds) of default status files
# located in /var/run/openvpn.$NAME.status
# Defaults to 10, 0 disables status file generation
#
#STATUSREFRESH=10
#STATUSREFRESH=0
# Optional arguments to openvpn's command line
OPTARGS=""
#
# If you need openvpn running after sendsigs, i.e.
# to let umountnfs work over the vpn, set OMIT_SENDSIGS
# to 1 and include umountnfs as Required-Stop: in openvpn's
# init.d script (remember to run insserv after that)
#
OMIT_SENDSIGS=0