OpenVPN Server and Client Installation
Server side installation
Our target server is OpenBSD. You can check how to install this server by following the OpenBSD installation link. This guide assumes that you already have the OpenBSD ports tree installed on your system; if not, you may use cvsup to install it.
mkdir -p /etc/openvpn/keys
mkdir -p /var/log/openvpn
touch /etc/hostname.tun0
echo "up" > /etc/hostname.tun0
chmod 640 /etc/hostname.tun0
sh /etc/netstart
touch /var/log/openvpn/openvpn.log
touch /var/log/openvpn/ipp.txt
touch /var/log/openvpn/server-tcp.log
chown root:nobody /var/log/openvpn/
chmod 655 /var/log/openvpn/
mkdir -p /etc/openvpn/easy-rsa/1.0/keys
Generate server certificate
cp -R /usr/local/share/examples/openvpn/easy-rsa ~
cd ~/easy-rsa/1.0
vi vars
Edit and save contents in vars
export KEY_COUNTRY=PH
export KEY_PROVINCE=Cebu
export KEY_CITY="Cebu City"
export KEY_ORG="My Company"
export KEY_EMAIL="admin@mycompany.com"
Build certificate
. ./vars
./clean-all
./build-ca
./build-key-server server
Build client certificate
./build-key client01
./build-dh
Copy certificates to the following locations
cp keys/ca.crt /etc/openvpn/keys/
cp keys/dh1024.pem /etc/openvpn/keys/
cp keys/server.crt /etc/openvpn/keys/
cp keys/server.key /etc/openvpn/keys/
chmod 600 /etc/openvpn/keys/server.key
Create the OpenVPN server configuration file using vi /etc/openvpn/server.conf
port 1194
proto udp
dev tun0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 192.168.1.0 255.255.255.0
client-config-dir ccd
push "dhcp-option DNS "
push "dhcp-option DNS "
push "dhcp-option DISABLE-NBT"
push "dhcp-option DOMAIN "
push "route 192.168.0.0 255.255.255.0"
push "redirect-gateway def1"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn/server-tcp.log
ifconfig-pool-persist /var/log/openvpn/ipp.txt
log-append /var/log/openvpn/openvpn.log
verb 4
client-to-client
duplicate-cn
user nobody
group nobody
Enable routing in /etc/sysctl.conf:
net.inet.ip.forwarding=1
Start OpenVPN every time the system boots. Add this to /etc/rc.local:
if [ -x /usr/local/sbin/openvpn ]; then
echo -n ' openvpn'
/usr/local/sbin/openvpn --daemon --config /etc/openvpn/server.conf >/dev/null 2>&1
fi
Append the following to your firewall rules (/etc/pf.conf):
if_ext="dc0"
if_tunnel="tun0"
table
table
scrub in
nat on $if_ext from to any -> $if_ext
pass in quick on $if_ext proto udp from any to $if_ext port 1194
pass in quick on $if_ext from
pass in quick on $if_tunnel from to any
block in log all
Client side installation
You may use WinSCP from your client to copy the following certificates and key. You can download the OpenVPN client from the OpenVPN website.
ca.crt
client01.crt
client01.key
Create a file with a .ovpn file extension, for example vpn-server.ovpn, with the following content:
client
proto udp
dev tun
#remote <vpn.domain.com> <-- use the hostname instead of the IP if it is defined in DNS
remote <server ip> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client01.crt
key client01.key
comp-lzo
verb 3
--float
Place all the files mentioned above in the configuration directory of your OpenVPN installation. You can now try connecting from your client to the server, and that's about it.
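The following is an added example, not code from the original page or from the OpenVPN project: a small Python linter that parses OpenVPN configuration text in the format of the server.conf and vpn-server.ovpn files above and reports the settings a practitioner would want to look at again before the server goes into production (duplicate-cn together with client-config-dir, 1024-bit DH parameters, no tls-auth/tls-crypt on the control channel, no remote-cert-tls on the client). The embedded sample configs are constructed from the ones on this page; the DNS server, domain and server IP are placeholders because the page leaves them blank, and the function names are my own.

```python
"""Added example (not from the original page): lint OpenVPN server and
client config text for settings that weaken the setup. Only the config
text is inspected; the key and certificate files it names are never read."""
import re
import shlex

# Constructed sample configs based on the ones on this page. The DNS,
# domain and server addresses are placeholders (the page leaves them blank).
SERVER_CONF = """
port 1194
proto udp
dev tun0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 192.168.1.0 255.255.255.0
client-config-dir ccd
push "dhcp-option DNS 192.0.2.53"
push "dhcp-option DOMAIN example.test"
push "route 192.168.0.0 255.255.255.0"
push "redirect-gateway def1"
keepalive 10 120
comp-lzo
persist-key
persist-tun
client-to-client
duplicate-cn
user nobody
group nobody
"""

CLIENT_CONF = """
client
proto udp
dev tun
#remote vpn.example.test 1194   <-- placeholder hostname, used if defined in DNS
remote 192.0.2.10 1194
resolv-retry infinite
nobind
ca ca.crt
cert client01.crt
key client01.key
comp-lzo
verb 3
--float
"""


def parse_openvpn_config(text):
    """Parse config text into a list of (option, [args]).

    Lines starting with '#' or ';' are comments. A leading '--' is accepted
    because OpenVPN tolerates it in config files (the page's client config
    uses '--float'). Quoted arguments such as
    push "route 192.168.0.0 255.255.255.0" stay one argument."""
    options = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        name = parts[0][2:] if parts[0].startswith("--") else parts[0]
        options.append((name, parts[1:]))
    return options


def _compression_finding(names):
    if names & {"comp-lzo", "compress"}:
        return ("info", "comp-lzo",
                "compression is enabled; OpenVPN's documentation recommends "
                "against combining compression with encryption (VORACLE)")
    return None


def lint_server_config(text):
    """Return a list of (severity, option, message) for a server config."""
    opts = parse_openvpn_config(text)
    names = {name for name, _ in opts}
    findings = []
    if "duplicate-cn" in names:
        msg = "several clients may connect at once using one certificate"
        if "client-config-dir" in names:
            msg += "; per-client files in client-config-dir cannot tell them apart"
        findings.append(("warn", "duplicate-cn", msg))
    for name, args in opts:  # DH size is taken from the file name only (dh1024.pem)
        if name == "dh" and args:
            m = re.search(r"dh(\d+)", args[0])
            if m and int(m.group(1)) < 2048:
                findings.append(("warn", "dh",
                                 f"{m.group(1)}-bit DH parameters; use 2048 bits or more"))
    if not names & {"tls-auth", "tls-crypt", "tls-crypt-v2"}:
        findings.append(("warn", "control-channel",
                         "no tls-auth/tls-crypt: the TLS handshake is reachable "
                         "from any host that can reach the listening port"))
    if not {"user", "group"} <= names:
        findings.append(("warn", "user/group",
                         "no privilege drop; the daemon keeps running as root"))
    comp = _compression_finding(names)
    if comp:
        findings.append(comp)
    return findings


def lint_client_config(text):
    """Return a list of (severity, option, message) for a client .ovpn file."""
    names = {name for name, _ in parse_openvpn_config(text)}
    findings = []
    if not names & {"remote-cert-tls", "ns-cert-type"}:
        findings.append(("warn", "remote-cert-tls",
                         "server certificate purpose is not checked: any certificate "
                         "signed by the CA, including a client's, is accepted as the server"))
    if "float" in names:
        findings.append(("info", "float",
                         "the peer may change its source address/port during the session"))
    comp = _compression_finding(names)
    if comp:
        findings.append(comp)
    return findings


if __name__ == "__main__":
    for label, result in (("server.conf", lint_server_config(SERVER_CONF)),
                          ("vpn-server.ovpn", lint_client_config(CLIENT_CONF))):
        for severity, option, message in result:
            print(f"{label}: [{severity}] {option}: {message}")
```

Run it as a script to print the findings for the embedded samples, or call lint_server_config() / lint_client_config() on the text of your own files. On the page's server config it reports duplicate-cn (which also makes the ccd entries ambiguous), the 1024-bit DH parameters and the unprotected control channel; on the client config it reports the missing `remote-cert-tls server` line, which is what makes the client insist that the certificate it sees was issued for a server.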
