OpenVPN is an SSL/TLS VPN solution. It is able to traverse NAT and firewalls. This page explains briefly how to configure a VPN with OpenVPN, on both the server side and the client side.


Routed or Bridged VPN (TUN vs TAP)

OpenVPN can operate in two modes, TUN or TAP. TUN (network TUNnel) simulates a network-layer device and operates on layer 3 packets such as IP packets. TAP (network tap) simulates a link-layer device and operates on layer 2 frames such as Ethernet frames. TUN is used for routed VPNs, while TAP is used for creating a network bridge.

The openvpn option --ifconfig has a different meaning depending on the mode in use:

--ifconfig l rn : TUN: configure device to use IP address l as a local
                  endpoint and rn as a remote endpoint.  l & rn should be
                  swapped on the other peer.  l & rn must be private
                  addresses outside of the subnets used by either peer.
                  TAP: configure device to use IP address l as a local
                  endpoint and rn as a subnet mask.

Installation

Install the openvpn package on both the server and the client:

# apt-get install openvpn

Preliminary testing

To check that the two hosts can reach each other through the tunnel, first test a raw connection. Note that with no --secret or TLS options this test tunnel carries no encryption or authentication (the WARNING in the output below says so), so use it only for this connectivity test.

On the server, run the following command:

# openvpn --dev tun1 --ifconfig

The first IP is used as the local endpoint and the second as the remote endpoint.

You should see console output resembling:

Wed Mar  7 06:03:03 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Mar  7 06:03:03 2012 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
Wed Mar  7 06:03:03 2012 TUN/TAP device tun1 opened

While openvpn is running, check the network configuration with ifconfig -a:

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:  P-t-P:  Mask:
          RX packets:13 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:2262 (2.2 KiB)  TX bytes:1819 (1.7 KiB)

Now, on the client, test whether it can connect to the VPN server:

# openvpn --remote SERVER_IP --dev tun1 --ifconfig

Again, the first IP is the local endpoint and the second the remote endpoint; as the --ifconfig help text above says, the two addresses are swapped relative to the server's command.

If the connection was successful, output like the following should be produced:

Wed Mar  7 18:05:30 2012 Peer Connection Initiated with [AF_INET]SERVER_IP:PORT
Wed Mar  7 18:05:30 2012 Initialization Sequence Completed

You can test whether the VPN works with ping:

# ping

PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=5.02 ms
64 bytes from icmp_seq=2 ttl=64 time=3.41 ms
64 bytes from icmp_seq=3 ttl=64 time=3.53 ms
64 bytes from icmp_seq=4 ttl=64 time=4.28 ms

Forward traffic via routed VPN

If you want clients to reach resources on the server's network, such as local devices, or to share the server's internet connection, you must enable traffic forwarding on the OpenVPN server.

On the server, enable IP forwarding at runtime:

echo 1 > /proc/sys/net/ipv4/ip_forward

To make it permanent, edit /etc/sysctl.conf and uncomment the following line:

net.ipv4.ip_forward = 1

Add the following iptables rules to allow forwarding and masquerading of VPN traffic:

iptables -A FORWARD -i eth0 -o tun1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

To save the iptables rules permanently, run:

sudo service iptables save

Now, on the client, route all traffic through the VPN:

route change default dev tun0


To enable LZO compression, add the option comp-lzo to the config file. Compression over an encrypted tunnel is now discouraged by the OpenVPN project, because compression-oracle attacks (VORACLE) can leak tunnelled plaintext, so leave it off unless you have a specific need.



OpenVPN Client Download

Example of a client configuration file:

dev tun
proto udp
remote 1194
resolv-retry infinite
remote-cert-tls server # the server's certificate must carry the server role; without this another client's certificate could be used to impersonate the server (MitM)
ca cacert.pem
cert user.ssl_client_cert.crt
key user.ssl_client_cert.pem
verb 3
auth-nocache # do not keep the username/password in memory after use; without this option OpenVPN may cache them

redirect-gateway def1 bypass-dhcp
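As an added example (not code from the original page or from the OpenVPN project), the following Python script checks a client configuration such as the one above for the options this page relies on: it flags a missing remote-cert-tls server (MitM protection) or auth-nocache, and the presence of comp-lzo. The server name vpn.example.com in the embedded sample is a placeholder; the page leaves the real one out.

```python
import re

# Client options the example config above relies on, and the risk each one addresses.
REQUIRED = {
    "remote-cert-tls": "server cert role is not verified, so a leaked client cert could pose as the server (MitM)",
    "auth-nocache": "username/password remain cached in memory",
}
DISCOURAGED = {"comp-lzo": "tunnel compression enables compression-oracle attacks (VORACLE)"}

def parse_ovpn(text):
    """Yield (option, args) pairs; strips '#'/';' comments and skips inline <ca>...</ca> style blocks."""
    in_block = None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        tag = re.fullmatch(r"</?(\w+)>", line)
        if tag:  # opening or closing tag of an inline certificate/key block
            in_block = None if line.startswith("</") else tag.group(1)
        elif in_block is None:
            name, *args = line.split()
            yield name, args

def lint_ovpn(text):
    """Return a list of findings; an empty list means the config passed every check."""
    opts = dict(parse_ovpn(text))
    findings = [f"missing {k}: {why}" for k, why in REQUIRED.items() if k not in opts]
    if opts.get("remote-cert-tls", ["server"]) != ["server"]:
        findings.append("remote-cert-tls must be 'server' in a client config")
    findings += [f"found {k}: {why}" for k, why in DISCOURAGED.items() if k in opts]
    if "remote" not in opts:
        findings.append("missing remote: no server specified")
    return findings

# Constructed sample: the page's client config with a placeholder server name.
SAMPLE_OK = """\
dev tun
proto udp
remote vpn.example.com 1194
remote-cert-tls server # server cert must carry the server role
ca cacert.pem
cert user.ssl_client_cert.crt
key user.ssl_client_cert.pem
auth-nocache
redirect-gateway def1 bypass-dhcp
"""

if __name__ == "__main__":
    print(lint_ovpn(SAMPLE_OK) or "config passed")
```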