OpenVPN is an SSL/TLS VPN solution that can traverse NAT and firewalls. This page explains briefly how to configure a VPN with OpenVPN, on both the server side and the client side.
OpenVPN can operate in two modes, TUN or TAP. TUN (network TUNnel) emulates a network-layer device and carries layer 3 packets (IP). TAP (network tap) emulates a link-layer device and carries layer 2 frames (Ethernet). TUN is used for routed setups, TAP for bridging the tunnel into an existing Ethernet segment.
--ifconfig has a different meaning depending on the device mode:
--ifconfig l rn: in TUN mode, configure the device with IP address l as the local endpoint and rn as the remote endpoint; l and rn are swapped on the other peer, and both must be private addresses outside the subnets used by either peer. In TAP mode, l is the local IP address and rn is the subnet mask.
Install OpenVPN on both hosts (Debian/Ubuntu shown):
# apt-get install openvpn
To check that the two hosts can talk to each other through the VPN, first bring up a raw tunnel with no encryption.
On the server, run:
# openvpn --dev tun1 --ifconfig 10.9.8.1 10.9.8.2
10.9.8.1 is the local endpoint and 10.9.8.2 the remote endpoint.
You should see console output resembling:
Wed Mar 7 06:03:03 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Mar 7 06:03:03 2012 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
Wed Mar 7 06:03:03 2012 TUN/TAP device tun1 opened
The WARNING is expected here: without --secret or the TLS options the tunnel carries everything in cleartext and does not authenticate the peer, so use this mode only for the connectivity test and stop it afterwards.
While openvpn is running, check the network configuration in another shell with ifconfig tun1:
tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.9.8.1  P-t-P:10.9.8.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:13 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0 collisions:0
          txqueuelen:100
          RX bytes:2262 (2.2 KiB)  TX bytes:1819 (1.7 KiB)
Now, on the client, test whether it can connect to the VPN server:
# openvpn --remote SERVER_IP --dev tun1 --ifconfig 10.9.8.2 10.9.8.1
Again, 10.9.8.2 is the local endpoint and 10.9.8.1 the remote endpoint, i.e. the mirror image of the server's --ifconfig. No --proto or --port is given, so both sides use the default, UDP port 1194, which must be reachable on SERVER_IP.
If the connection succeeds, output like the following is produced:
...
Wed Mar 7 18:05:30 2012 Peer Connection Initiated with [AF_INET]SERVER_IP:PORT
Wed Mar 7 18:05:30 2012 Initialization Sequence Completed
...
You can then test that the tunnel carries traffic by pinging the server's endpoint from the client:
# ping 10.9.8.1
PING 10.9.8.1 (10.9.8.1) 56(84) bytes of data.
64 bytes from 10.9.8.1: icmp_seq=1 ttl=64 time=5.02 ms
64 bytes from 10.9.8.1: icmp_seq=2 ttl=64 time=3.41 ms
64 bytes from 10.9.8.1: icmp_seq=3 ttl=64 time=3.53 ms
64 bytes from 10.9.8.1: icmp_seq=4 ttl=64 time=4.28 ms
If you also want to reach resources on the server's network, such as local devices, or to share its internet connection, you need to enable traffic forwarding on the OpenVPN server.
On the server, enable IP forwarding at runtime:
echo 1 > /proc/sys/net/ipv4/ip_forward
To make it permanent, edit /etc/sysctl.conf and uncomment the following line:
net.ipv4.ip_forward = 1
Add the following iptables rules to allow masquerading. Here eth0 is the interface towards the internet and tun1 the tunnel device created by the raw test above; a configuration file with dev tun creates tun0 instead, so adjust both names to your host:
iptables -A FORWARD -i eth0 -o tun1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 10.9.8.0/24 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.9.8.0/24 -o eth0 -j MASQUERADE
To save the iptables rules permanently on RHEL/CentOS-style systems, run:
sudo service iptables save
On Debian/Ubuntu there is no iptables service; install the iptables-persistent package and save the ruleset with iptables-save > /etc/iptables/rules.v4 instead.
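The forwarding and masquerading steps above, collected into one script. This is an added example, not code from the original page: the interface names and tunnel subnet are variables (defaults are the page's eth0, tun1 and 10.9.8.0/24), rules are generated as text so they can be reviewed before anything is applied, each rule is installed only once, and the second FORWARD rule additionally requires the tunnel-subnet traffic to arrive on the tunnel device. The sysctl drop-in path and the iptables-persistent save path are assumptions based on the Debian/Ubuntu layout.

```shell
#!/bin/sh
# Added example (not from the page): NAT gateway setup for an OpenVPN server.
# Defaults are the page's values; override with e.g. TUN=tun0 when the
# configuration file uses "dev tun" (which creates tun0, not tun1).

WAN="${WAN:-eth0}"
TUN="${TUN:-tun1}"
VPN_NET="${VPN_NET:-10.9.8.0/24}"

# Print the rules as "TABLE CHAIN RULESPEC", one per line, for WAN TUN NET.
# Pure text output, so the rule set can be inspected or tested without root.
nat_rules() {
    wan="$1"; tun="$2"; net="$3"
    printf '%s\n' \
        "filter FORWARD -i $wan -o $tun -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
        "filter FORWARD -i $tun -o $wan -s $net -j ACCEPT" \
        "nat POSTROUTING -s $net -o $wan -j MASQUERADE"
}
# Rule 1: only replies to connections opened from the tunnel come back in.
# Rule 2: only the tunnel subnet, and only when it arrives on the tunnel
#         device, is forwarded out (a 10.9.8.x source on another interface is
#         not accepted, unlike a rule that matches on -s alone).
# Rule 3: hide the tunnel addresses behind the gateway's WAN address.

rule_count() { nat_rules "$@" | wc -l | tr -d ' '; }

# Add each rule only if -C (check) reports it absent, so reruns do not stack
# duplicates. $spec is deliberately unquoted: it must split into arguments.
apply_rules() {
    nat_rules "$WAN" "$TUN" "$VPN_NET" | while read -r table chain spec; do
        iptables -t "$table" -C "$chain" $spec 2>/dev/null ||
            iptables -t "$table" -A "$chain" $spec
    done
}

# Runtime forwarding plus a sysctl drop-in so it survives a reboot
# (assumed Debian/Ubuntu layout; sysctl.conf works as well).
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-openvpn-forward.conf
}

case "${1:-}" in
    show)  nat_rules "$WAN" "$TUN" "$VPN_NET" ;;
    apply) enable_forwarding
           apply_rules
           # persist the ruleset; iptables-persistent restores this file at boot
           iptables-save > /etc/iptables/rules.v4 ;;
    *)     ;;  # no argument: only define the functions
esac
```

Run it as `sh vpn-nat.sh show` to review the rules and `sudo sh vpn-nat.sh apply` to install them. The two ACCEPT rules only restrict anything if the FORWARD chain's policy is DROP; with the default ACCEPT policy the gateway forwards everything regardless, so check `iptables -L FORWARD` before relying on them.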
Now, on the client, route all traffic through the VPN. The command below is the BSD/macOS form of route; on Linux the equivalent is ip route replace default dev tun1 (tun1 being the device used in the raw test; a configuration file with dev tun gives tun0):
route change default dev tun0
Replacing the default route on its own cuts the tunnel off, because the encapsulated packets to SERVER_IP are then routed into the tunnel as well: add a host route to SERVER_IP via the original gateway first. The redirect-gateway def1 option in the configuration file below does both steps for you and undoes them when the tunnel closes.
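The client-side routing change done safely, as an added example that is not part of the original page: it reproduces with ip(8) what OpenVPN's redirect-gateway def1 does on Linux, pinning a host route to the server via the current gateway before two /1 routes override the default. The server address 203.0.113.10 is a placeholder and the tunnel device defaults to tun1, matching the raw test above.

```shell
#!/bin/sh
# Added example (not from the page): send all IPv4 traffic through the tunnel
# the way "redirect-gateway def1" does. Assumed placeholders: server
# 203.0.113.10, device tun1; the default gateway is read from the routing table.

# Print the route changes for SERVER GATEWAY DEV without applying them,
# so the plan can be reviewed (and tested) before the routing table changes.
redirect_gateway_cmds() {
    server="$1"; gw="$2"; dev="$3"
    # 1. Pin the path to the VPN server to the current gateway first; otherwise
    #    the encapsulated packets would themselves be routed into the tunnel
    #    and the link would go dead as soon as the default route moves.
    echo "ip route replace $server/32 via $gw"
    # 2. Two /1 routes are more specific than 0.0.0.0/0, so they take over
    #    without deleting the original default route (easy to undo later).
    echo "ip route replace 0.0.0.0/1 dev $dev"
    echo "ip route replace 128.0.0.0/1 dev $dev"
}

# Reverse of the above: remove the /1 routes, then the pinned host route.
undo_cmds() {
    server="$1"; dev="$2"
    echo "ip route del 0.0.0.0/1 dev $dev"
    echo "ip route del 128.0.0.0/1 dev $dev"
    echo "ip route del $server/32"
}

# First hop of the current default route, e.g. "default via 192.0.2.1 dev eth0"
current_gateway() {
    ip -4 route show default | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Note: this only covers IPv4. A client with native IPv6 connectivity keeps
# sending IPv6 traffic outside the tunnel unless that is redirected as well.
case "${1:-}" in
    up)   redirect_gateway_cmds "${2:?server address}" "$(current_gateway)" "${3:-tun1}" | sh -ex ;;
    down) undo_cmds "${2:?server address}" "${3:-tun1}" | sh -ex ;;
    *)    ;;  # no argument: only define the functions
esac
```

Usage: `sudo sh vpn-route.sh up 203.0.113.10 tun1` after the raw tunnel is up, and `sudo sh vpn-route.sh down 203.0.113.10 tun1` before stopping it. The server must be given as an address here; with a hostname such as the remote in the configuration file, resolve it first so the host route is pinned to the same address OpenVPN connects to.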
Add the option comp-lzo to the config file if you want compression; it must be set identically on both ends. Note that comp-lzo is deprecated in OpenVPN 2.4 and later, and compression in general is discouraged because compressed VPN traffic is exposed to compression-oracle attacks (VORACLE), so on current versions leave it out on both sides.
Example of a configuration file:
client
dev tun
proto udp
remote sgrg.tk 1194
resolv-retry infinite
nobind
# Requires the server certificate to carry the server extended key usage,
# so that another client's valid certificate cannot be used to impersonate
# the server (prevents MitM by a fellow client)
remote-cert-tls server
persist-key
persist-tun
ca cacert.pem
cert user.ssl_client_cert.crt
key user.ssl_client_cert.pem
comp-lzo
verb 3
# Without this, OpenVPN warns "this configuration may cache passwords in
# memory -- use the auth-nocache option to prevent this" when auth-user-pass
# is in use
auth-nocache
redirect-gateway def1 bypass-dhcp