OpenVPN Example Configurations
Minimal example
Point-to-point connection between two hosts, CLNT and SRV, using a shared static key (no certificates).

The server. Edit /etc/openvpn/CLNT.conf:

dev tun
ifconfig 10.0.0.1 10.0.0.2
secret CLNT.key

Generate the key file:

# openvpn --genkey --secret CLNT.key
The client. Edit /etc/openvpn/SRV.conf:

remote SRV.mydomain
dev tun
ifconfig 10.0.0.2 10.0.0.1
secret SRV.key

Copy the CLNT.key file from the server and rename it to SRV.key.

Start the service at the server:

# systemctl start openvpn@CLNT.service
# systemctl enable openvpn@CLNT.service

and at the client:

# systemctl start openvpn@SRV.service
# systemctl enable openvpn@SRV.service

Firewall: open UDP port 1194 (OpenVPN's default protocol and port, since neither config sets them) on the server.
See https://openvpn.net/index.php/open-source/documentation/howto.html for more.
Bridging
The server
Create certificates for the server and clients.

Create /etc/openvpn/dh1024.pem:

# openssl dhparam -out dh1024.pem 1024

Create a bridge br0 that joins eth0 with an additional tap0 interface:

# tunctl -p -t tap0
# ip link set tap0 up
# brctl addbr br0
# brctl addif br0 eth0
# brctl addif br0 tap0
Create /etc/openvpn/NAME.conf:

server-bridge 10.0.0.0 255.255.255.0 10.0.0.200 10.10.0.254
dev tap0
proto tcp
port PORT
keepalive 10 120
ca cacert.pem
cert SRV.crt
key SRV.key
dh dh1024.pem

The subnet address in the server-bridge line is the destination network you want to access; the last two addresses are the pool from which connecting clients are assigned their addresses.

Run the server:

# systemctl start openvpn@NAME.service

And finally, enable it at boot:

# systemctl enable openvpn@NAME.service

IMPORTANT: the default router of the destination servers must be the VPN server itself, or appropriate additional routes have to be added.
The client
Create /etc/openvpn/NAME.conf:

client
dev tap
remote SRV.domain
proto tcp
port PORT
ca cacert.pem
cert CLNT.crt
key CLNT.key

Start the client:

# systemctl start openvpn@NAME.service

You can also use NetworkManager:

- install the NetworkManager-openvpn package
- point it to the certificate files
- advanced settings: use custom gateway port, use TCP connection, use TAP device
- IPv4 settings -> Routes: use this connection only for resources on its network
Routing
The server: create /etc/openvpn/NAME.conf:

server 172.16.0.0 255.255.255.0
dev tun
proto tcp
port PORT
keepalive 10 120
push "route 10.0.0.0 255.255.255.0"
ca cacert.pem
cert SRV.crt
key SRV.key
dh dh1024.pem

The 10.0.0.0/24 subnet is the destination network, pushed to clients as a route. 172.16.0.0/24 is used only for the VPN link to connecting clients (the server itself takes 172.16.0.1).

The client: create /etc/openvpn/NAME.conf:

client
dev tun
remote SRV.domain
proto tcp
port PORT
ca cacert.pem
cert CLNT.crt
key CLNT.key
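All three setups on this page (the static-key point-to-point link, the bridge and the routed server) depend on the server-side and client-side files agreeing with each other: mirrored ifconfig addresses and the same secret for the static key case, and matching proto, port and tun/tap device type plus the full ca/cert/key (and dh on the server) set for the certificate cases. The following Python script is an added example, not part of the page or of OpenVPN itself: it parses config files with a small parser of its own (parse_conf, check_static_pair and check_tls_pair are names chosen here) and reports mismatches offline, before either service is started. The sample configs at the bottom are constructed copies of the page's three setups. Run against the bridge pair as written on the page, it reports that the server-bridge gateway 10.0.0.0 is the network address rather than a host address, and that the pool end 10.10.0.254 lies outside 10.0.0.0/24; both are worth checking against your real bridge addressing before deploying.

```python
# Added example, not from the page: offline consistency checks for a pair of
# OpenVPN config files (server and client side) before either service is started.
import ipaddress
import shlex


def parse_conf(text):
    """Parse OpenVPN 'option arg ...' lines into {option: [[args], ...]}; lines
    starting with '#' or ';' are comments, and shlex keeps quoted arguments whole."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            parts = shlex.split(line)
            opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def first(opts, name, default=None):
    """Argument list of the first occurrence of an option, or default."""
    return opts[name][0] if name in opts else default


def dev_type(opts):
    """'tun' or 'tap' from a line such as 'dev tun' or 'dev tap0'."""
    dev = first(opts, "dev")
    return dev[0][:3] if dev else None


def check_static_pair(server_text, client_text):
    """Checks for the minimal point-to-point setup with a shared static key."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    problems = []
    for side, o in (("server", s), ("client", c)):
        problems += [f"{side}: no '{n}' line" for n in ("dev", "ifconfig", "secret") if n not in o]
    if "remote" not in c:
        problems.append("client: no 'remote' line")
    if dev_type(s) != dev_type(c):
        problems.append("dev type differs between server and client")
    si, ci = first(s, "ifconfig"), first(c, "ifconfig")
    # Each side's local address must be the other side's remote address.
    if si and ci and ci != list(reversed(si)):
        problems.append(f"ifconfig not mirrored: server {si} vs client {ci}")
    return problems


def check_tls_pair(server_text, client_text):
    """Checks for a certificate-based server ('server' or 'server-bridge') and its client."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    problems = []
    if "server" not in s and "server-bridge" not in s:
        problems.append("server: neither 'server' nor 'server-bridge' line")
    problems += [f"server: no '{n}' line" for n in ("ca", "cert", "key", "dh") if n not in s]
    problems += [f"client: no '{n}' line" for n in ("client", "remote", "ca", "cert", "key") if n not in c]
    # OpenVPN's defaults when the option is absent: proto udp, port 1194.
    for opt, default in (("proto", ["udp"]), ("port", ["1194"])):
        if first(s, opt, default) != first(c, opt, default):
            problems.append(f"{opt} differs between server and client")
    if dev_type(s) != dev_type(c):
        problems.append("dev type differs between server and client (tun vs tap)")
    bridge = first(s, "server-bridge")
    if bridge and len(bridge) == 4:
        # server-bridge GATEWAY NETMASK POOL-START POOL-END: pool must sit in the bridge subnet.
        gw, mask, pool_start, pool_end = bridge
        net = ipaddress.ip_network(f"{gw}/{mask}", strict=False)
        if ipaddress.ip_address(gw) in (net.network_address, net.broadcast_address):
            problems.append(f"server-bridge gateway {gw} is not a host address in {net}")
        for label, addr in (("start", pool_start), ("end", pool_end)):
            if ipaddress.ip_address(addr) not in net:
                problems.append(f"server-bridge pool {label} {addr} is outside {net}")
    return problems


# Constructed sample configs, transcribed from the page's three setups.
STATIC_SERVER = "dev tun\nifconfig 10.0.0.1 10.0.0.2\nsecret CLNT.key\n"
STATIC_CLIENT = "remote SRV.mydomain\ndev tun\nifconfig 10.0.0.2 10.0.0.1\nsecret SRV.key\n"
_SERVER_TAIL = "proto tcp\nport PORT\nkeepalive 10 120\nca cacert.pem\ncert SRV.crt\nkey SRV.key\ndh dh1024.pem\n"
BRIDGE_SERVER = "server-bridge 10.0.0.0 255.255.255.0 10.0.0.200 10.10.0.254\ndev tap0\n" + _SERVER_TAIL
ROUTING_SERVER = ("server 172.16.0.0 255.255.255.0\ndev tun\n"
                  'push "route 10.0.0.0 255.255.255.0"\n' + _SERVER_TAIL)
_CLIENT_TAIL = "remote SRV.domain\nproto tcp\nport PORT\nca cacert.pem\ncert CLNT.crt\nkey CLNT.key\n"
BRIDGE_CLIENT = "client\ndev tap\n" + _CLIENT_TAIL
ROUTING_CLIENT = "client\ndev tun\n" + _CLIENT_TAIL

if __name__ == "__main__":
    print("minimal:", check_static_pair(STATIC_SERVER, STATIC_CLIENT) or "ok")
    print("bridging:", check_tls_pair(BRIDGE_SERVER, BRIDGE_CLIENT) or "ok")
    print("routing:", check_tls_pair(ROUTING_SERVER, ROUTING_CLIENT) or "ok")
```

The checks deliberately stop at what can be read from the two files; whether the static key on both sides is byte-identical, or whether the certificates chain to cacert.pem, still has to be verified against the actual files on each host.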