OpenVPN

OpenVPN is an SSL/TLS VPN solution. It is able to traverse NAT devices and firewalls. This page explains briefly how to configure a VPN with OpenVPN, on both the server side and the client side. 1

Server

Routed or Bridged VPN (TUN vs TAP)

OpenVPN can operate in two modes, TUN or TAP. TUN (network TUNnel) simulates a network layer device and carries layer 3 packets (IP packets). TAP (network tap) simulates a link layer device and carries layer 2 frames (Ethernet frames). TUN is used for a routed VPN, TAP for bridging the remote peer into an Ethernet segment. Unless you need non-IP protocols or broadcast traffic across the VPN, use TUN: it is smaller on the wire and does not extend your layer 2 broadcast domain to remote clients. 2 3

The openvpn option --ifconfig has a different meaning depending on the device type:

--ifconfig l rn : TUN: configure device to use IP address l as a local
                  endpoint and rn as a remote endpoint.  l & rn should be
                  swapped on the other peer.  l & rn must be private
                  addresses outside of the subnets used by either peer.
                  TAP: configure device to use IP address l as a local
                  endpoint and rn as a subnet mask.

Installation

# apt-get install openvpn

Preliminary testing

To check that the two hosts can reach each other at all, first bring up a raw, unencrypted tunnel. OpenVPN says so in its log (below): everything sent through this test tunnel is cleartext, so pass nothing sensitive through it and stop it once the test is done. With no --proto or --port given, openvpn listens on UDP port 1194, which the client has to be able to reach.

On the server, run:

# openvpn --dev tun1 --ifconfig 10.9.8.1 10.9.8.2

The IP 10.9.8.1 is used as local endpoint and the IP 10.9.8.2 as remote endpoint.

You should see console output resembling:

Wed Mar  7 06:03:03 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Mar  7 06:03:03 2012 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
Wed Mar  7 06:03:03 2012 TUN/TAP device tun1 opened

While openvpn is running, check the network configuration with ifconfig -a (on systems without net-tools, ip addr show tun1 gives the same information):

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.9.8.1  P-t-P:10.9.8.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:13 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:2262 (2.2 KiB)  TX bytes:1819 (1.7 KiB)

Now, on the client, test whether it can connect to the server:

# openvpn --remote SERVER_IP --dev tun1 --ifconfig 10.9.8.2 10.9.8.1

Again, 10.9.8.2 is the local endpoint and 10.9.8.1 the remote one, i.e. the server's two addresses swapped.

If the connection succeeds, the output ends with:

...
Wed Mar  7 18:05:30 2012 Peer Connection Initiated with [AF_INET]SERVER_IP:PORT
Wed Mar  7 18:05:30 2012 Initialization Sequence Completed
...

You can test if the VPN works with ping:

# ping 10.9.8.1

PING 10.9.8.1 (10.9.8.1) 56(84) bytes of data.
64 bytes from 10.9.8.1: icmp_seq=1 ttl=64 time=5.02 ms
64 bytes from 10.9.8.1: icmp_seq=2 ttl=64 time=3.41 ms
64 bytes from 10.9.8.1: icmp_seq=3 ttl=64 time=3.53 ms
64 bytes from 10.9.8.1: icmp_seq=4 ttl=64 time=4.28 ms
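
The following checks are an added example, not part of the original page or of OpenVPN itself. They script what the two previous steps verify by eye: that the TUN device has the local and peer addresses passed to --ifconfig (the client must see them mirrored), and what the log says about the tunnel. For the --ifconfig-only test the log always contains OpenVPN's cleartext warning; the same check on a production log must return 0. The log lines and device outputs embedded below are constructed samples modelled on the output shown above, with 203.0.113.5:1194 standing in for SERVER_IP:PORT; the second address format handled by tun_endpoints (ip -o -4 addr show) is an assumption about modern iproute2 output, not something the page shows.

```shell
#!/bin/sh
# Added example; not code from the original page. Checks for the two things the
# preliminary test above proves: that the TUN device came up with the requested
# endpoints, and whether OpenVPN is warning that the tunnel is cleartext (it always
# will for the --ifconfig-only test; it must never appear once TLS is configured).
# Addresses and log lines in the samples below are constructed.

# Print "local peer" for a TUN device from either old ifconfig output
# ("inet addr:A  P-t-P:B") or "ip -o -4 addr show dev tunX" output ("inet A peer B/32").
tun_endpoints() {
    sed -n \
        -e 's/.*inet addr:\([0-9.]*\)[[:space:]]*P-t-P:\([0-9.]*\).*/\1 \2/p' \
        -e 's/.*inet \([0-9.]*\) peer \([0-9.]*\)\/.*/\1 \2/p'
}

# Succeed only if the device's local/peer pair equals what was passed to --ifconfig.
# Usage: ifconfig tun1 | check_tun_endpoints 10.9.8.1 10.9.8.2
check_tun_endpoints() {
    [ "$(tun_endpoints)" = "$1 $2" ]
}

# Classify an OpenVPN log file:
#   0  tunnel up with encryption enabled
#   1  tunnel up, but OpenVPN warned that all data is tunnelled as cleartext
#   2  "Initialization Sequence Completed" never appeared (no tunnel)
openvpn_log_status() {
    grep -q 'Initialization Sequence Completed' "$1" || return 2
    grep -q 'all encryption and authentication features disabled' "$1" && return 1
    return 0
}

# Print the peer address:port OpenVPN reports connecting to (last one in the log),
# to compare against the server you intended to reach.
openvpn_log_peer() {
    sed -n 's/.*Peer Connection Initiated with \[AF_INET6\{0,1\}\]\([^ ]*\).*/\1/p' "$1" | tail -n 1
}

# --- constructed samples -----------------------------------------------------
IFCONFIG_SAMPLE='tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.9.8.1  P-t-P:10.9.8.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'
# The client side as "ip -o -4 addr show dev tun1" would print it (assumed format).
IP_SAMPLE='6: tun1    inet 10.9.8.2 peer 10.9.8.1/32 scope global tun1\       valid_lft forever preferred_lft forever'

CLEARTEXT_LOG=$(mktemp); TLS_LOG=$(mktemp); NOTUNNEL_LOG=$(mktemp)
cat > "$CLEARTEXT_LOG" <<'EOF'
Wed Mar  7 18:05:30 2012 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
Wed Mar  7 18:05:30 2012 TUN/TAP device tun1 opened
Wed Mar  7 18:05:30 2012 Peer Connection Initiated with [AF_INET]203.0.113.5:1194
Wed Mar  7 18:05:30 2012 Initialization Sequence Completed
EOF
cat > "$TLS_LOG" <<'EOF'
Wed Mar  7 19:00:01 2012 TUN/TAP device tun1 opened
Wed Mar  7 19:00:02 2012 Peer Connection Initiated with [AF_INET]203.0.113.5:1194
Wed Mar  7 19:00:03 2012 Initialization Sequence Completed
EOF
printf '%s\n' 'Wed Mar  7 19:10:00 2012 TUN/TAP device tun1 opened' > "$NOTUNNEL_LOG"

printf '%s\n' "$IFCONFIG_SAMPLE" | check_tun_endpoints 10.9.8.1 10.9.8.2 && echo "server tun1: endpoints as configured"
for f in "$CLEARTEXT_LOG" "$TLS_LOG" "$NOTUNNEL_LOG"; do
    rc=0; openvpn_log_status "$f" || rc=$?
    echo "$f: status $rc (0 encrypted, 1 CLEARTEXT, 2 no tunnel), peer: $(openvpn_log_peer "$f")"
done
```

On the server run `ifconfig tun1 | check_tun_endpoints 10.9.8.1 10.9.8.2`, on the client the same with the two addresses swapped. Once the real configuration is in place, `openvpn_log_status` on the OpenVPN log should return 0; a 1 there means the daemon is running with encryption disabled, whatever the config file was meant to say.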

Forward traffic via routed VPN

If VPN clients should reach resources on the server's network (local devices) or use its internet connection, the OpenVPN server has to forward traffic between the tunnel and its LAN/uplink interface.

On the server, enable IP forwarding at runtime:

echo 1 > /proc/sys/net/ipv4/ip_forward

To make it permanent, edit /etc/sysctl.conf and uncomment the following line:

net.ipv4.ip_forward = 1

Add the following iptables rules to let the VPN subnet out through eth0 and masquerade it (interface names as in the test above, the VPN subnet as 10.9.8.0/24; adjust to yours). The two FORWARD rules only restrict anything if the FORWARD chain's policy is DROP; with the default ACCEPT policy, everything is forwarded as soon as ip_forward is on:

iptables -A FORWARD -i eth0 -o tun1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 10.9.8.0/24 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.9.8.0/24 -o eth0 -j MASQUERADE

These rules take effect immediately but are lost on reboot. On RHEL/CentOS they are saved with:

sudo service iptables save

Debian/Ubuntu (where openvpn was installed with apt-get above) has no such service; install the iptables-persistent package instead, which restores the saved rules from /etc/iptables/rules.v4 at boot.

Now, on the client, route all traffic through the VPN (route change is the BSD/macOS form; on Linux the same is done with ip route). Use the client's actual tunnel device, tun1 in the test above:

route change default dev tun1

Add a host route for SERVER_IP via the original default gateway before doing this, otherwise the tunnel's own packets to the server are sent into the tunnel and the connection collapses. A proper client configuration achieves the same with redirect-gateway def1, shown in the client section below.
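
As an added example (not code from the page), here are the forwarding steps as idempotent shell functions, with two changes a practitioner would make: the FORWARD chain gets a DROP policy so the ACCEPT rules actually define what crosses the server, and the client adds a host route to the server before replacing its default route, so the tunnel does not swallow its own packets. Interface names (tun1, eth0), the VPN subnet 10.9.8.0/24, the server address 203.0.113.5 and the client gateway 192.168.1.1 are assumptions passed as parameters. Commands are printed rather than executed unless DRY_RUN=0 is set and the script runs as root.

```shell
#!/bin/sh
# Added example, not from the original page: the "Forward traffic via routed VPN"
# steps as idempotent shell functions, server side and client side.
# Assumptions (parameters, not facts from the page): tun1 is the tunnel device,
# eth0 the uplink, 10.9.8.0/24 the VPN subnet, 203.0.113.5 the server's public
# address and 192.168.1.1 the client's current default gateway.
# DRY_RUN=1 (the default) prints the commands; run with DRY_RUN=0 as root to apply.

: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Append an iptables rule only if -C says it is not already there, so running the
# script twice (from a boot hook and by hand, say) does not stack duplicate rules.
ipt_add() {
    table="$1"; shift
    if [ "$DRY_RUN" != 1 ] && iptables -t "$table" -C "$@" 2>/dev/null; then
        return 0
    fi
    run iptables -t "$table" -A "$@"
}

# Server: forwarding on, FORWARD default-deny, then exactly the traffic the VPN needs.
# Without the DROP policy the ACCEPT rules decide nothing: everything is forwarded
# anyway, including LAN hosts reaching tunnel clients unsolicited.
vpn_server_forwarding() {
    tun="$1"; wan="$2"; net="$3"
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    ipt_add filter FORWARD -i "$tun" -s "$net" -o "$wan" -j ACCEPT
    ipt_add filter FORWARD -i "$wan" -o "$tun" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt_add nat POSTROUTING -s "$net" -o "$wan" -j MASQUERADE
}

# Debian/Ubuntu persistence (needs the iptables-persistent package);
# "service iptables save" as used on the page is the RHEL/CentOS equivalent.
vpn_server_persist() {
    run sh -c 'iptables-save > /etc/iptables/rules.v4'
}

# Client (Linux): send everything through the tunnel without cutting the tunnel off.
# The encapsulated packets to the server must keep using the physical gateway; a bare
# "default dev tun1" would route them into the tunnel too and the VPN would drop.
# The host route therefore goes in first. (redirect-gateway def1 in the client config
# does this automatically and is the better choice in a real deployment.)
vpn_client_redirect() {
    tun="$1"; server="$2"; gw="$3"; wan="$4"
    run ip route replace "$server/32" via "$gw" dev "$wan"
    run ip route replace default dev "$tun"
}

case "${1:-}" in
    server) vpn_server_forwarding tun1 eth0 10.9.8.0/24 && vpn_server_persist ;;
    client) vpn_client_redirect tun1 "${2:-203.0.113.5}" "${3:-192.168.1.1}" eth0 ;;
    *)      ;;   # no argument: only define the functions (e.g. when sourced)
esac
```

Run it once without DRY_RUN=0 to read the exact commands it would issue, then `DRY_RUN=0 sh forward.sh server` on the server (file name assumed) or `DRY_RUN=0 sh forward.sh client SERVER_IP GATEWAY` on a Linux client. Setting the FORWARD policy to DROP affects every other forwarded flow on the host (container networks, other VPNs), so check what else the box forwards before applying it.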

Compression

Add the option comp-lzo to the config file on both server and client; the setting must match on both ends. 4

Before doing so, consider that compressing VPN traffic is no longer recommended: the VORACLE attack (2018) recovers secrets from compressed traffic inside the tunnel, comp-lzo has been deprecated since OpenVPN 2.4, and OpenVPN 2.5 can refuse compression altogether with allow-compression no. Leave it out unless a measured bandwidth problem justifies the risk.

Client

Windows

OpenVPN Client Download

Example of a configuration file (client.ovpn; the ca, cert and key files are expected next to it):

client
dev tun
proto udp
remote sgrg.tk 1194
resolv-retry infinite
nobind
# Only accept a server certificate that carries the server extended key usage.
# Without this, any certificate signed by the same CA (for instance another
# client's) could be used to impersonate the server (man in the middle).
remote-cert-tls server
persist-key
persist-tun
ca cacert.pem
cert user.ssl_client_cert.crt
key user.ssl_client_cert.pem
# Compression; read the caveat in the Compression section before enabling it.
comp-lzo
verb 3
# Do not keep the username/password in memory after authentication. Without it
# OpenVPN logs: "WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this"
auth-nocache
# Send all client traffic through the VPN. def1 overrides the default route without
# deleting it (and keeps the route to the server), bypass-dhcp keeps the local DHCP
# server reachable directly.
redirect-gateway def1 bypass-dhcp
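
To make the points in this configuration checkable rather than a matter of reading, here is an added example (not the page's or OpenVPN's own code): a shell lint that reads a client config and reports the issues this page discusses: remote-cert-tls server missing, compression enabled (see the Compression section), auth-nocache missing, and debug-level verb. It also notes, without failing, when no tls-auth or tls-crypt key is configured, which the page's config does not use. The config it lints is the one above, embedded as a constructed sample; treating comp-lzo no and compress stub as "no compression" follows the OpenVPN manual's description of those arguments and is the one assumption beyond the page.

```shell
#!/bin/sh
# Added example; not from the original page or the OpenVPN project. A small lint for
# an OpenVPN client config covering the points made on this page. The sample config
# below is the one from the Windows section, written to a temp file.

# Normalise a config: strip "#" and ";" comments, trim, collapse whitespace, drop blanks.
ovpn_lines() {
    sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]\{1,\}/ /g' "$1" | grep -v '^$'
}

# has_opt CFG OPTION [ARG]: is OPTION set (with exactly ARG as its argument, if given)?
has_opt() {
    if [ -n "${3:-}" ]; then
        ovpn_lines "$1" | grep -qx "$2 $3"
    else
        ovpn_lines "$1" | grep -qE "^$2( |$)"
    fi
}

# Print one finding per line; return 1 if anything is wrong, 0 if clean.
lint_ovpn_client() {
    cfg="$1"; rc=0
    # Without "remote-cert-tls server" any certificate signed by the CA, including
    # another client's, is accepted as the server: a man-in-the-middle position.
    has_opt "$cfg" remote-cert-tls server || { echo "missing: remote-cert-tls server"; rc=1; }
    # Compression is the basis of the VORACLE attack and deprecated since OpenVPN 2.4.
    # "comp-lzo no" and "compress stub"/"compress" (framing only) do not compress (assumption).
    compression=$(ovpn_lines "$cfg" | awk '
        $1 == "comp-lzo" && $2 != "no" { print }
        $1 == "compress" && ($2 == "lzo" || $2 == "lz4" || $2 == "lz4-v2") { print }')
    [ -z "$compression" ] || { echo "weak: compression enabled ($compression); VORACLE, remove it"; rc=1; }
    # Keep credentials out of memory once the handshake is done.
    has_opt "$cfg" auth-nocache || { echo "missing: auth-nocache"; rc=1; }
    # verb 5 and above is packet-level debugging output, not something to leave on.
    v=$(ovpn_lines "$cfg" | awk '$1 == "verb" { print $2 }')
    if [ -n "$v" ] && [ "$v" -gt 4 ]; then echo "noisy: verb $v (debug level)"; rc=1; fi
    # Informational only: a tls-auth/tls-crypt key shields the TLS handshake from
    # unauthenticated clients; the page's config does not use one.
    has_opt "$cfg" tls-auth || has_opt "$cfg" tls-crypt || echo "note: no tls-auth/tls-crypt key"
    return $rc
}

# --- constructed sample: the client config from this page ----------------------
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
client
dev tun
proto udp
remote sgrg.tk 1194
resolv-retry infinite
nobind
remote-cert-tls server
persist-key
persist-tun
ca cacert.pem
cert user.ssl_client_cert.crt
key user.ssl_client_cert.pem
comp-lzo
verb 3
auth-nocache
redirect-gateway def1 bypass-dhcp
EOF

# Same config with the compression line dropped: the only change the lint asks for.
HARDENED_CFG=$(mktemp)
grep -v '^comp-lzo' "$SAMPLE_CFG" > "$HARDENED_CFG"

for f in "$SAMPLE_CFG" "$HARDENED_CFG"; do
    if lint_ovpn_client "$f"; then echo "$f: clean"; else echo "$f: findings above"; fi
done
```

`lint_ovpn_client client.ovpn` returns 1 for the configuration on this page because of comp-lzo and 0 once that line is removed; the tls-auth/tls-crypt note is printed either way and is left to the reader, since adding such a key needs a matching change on the server.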