OpenVPN Example Configurations

Minimal example

Point-to-point connection between the server SRV and the client CLNT, encrypted and authenticated with one pre-shared static key. Note that each side's configuration file is named after its peer (CLNT.conf on the server, SRV.conf on the client). Static-key mode is the simplest setup, but it offers no forward secrecy and anyone who obtains the key can decrypt all traffic, past and future; use it for a single two-host link and the TLS setups below for anything larger.

  1. The server. Edit /etc/openvpn/CLNT.conf:

    dev tun
    ifconfig 10.0.0.1 10.0.0.2
    secret CLNT.key
    cipher AES-256-CBC
    

    ifconfig takes the local tunnel address first and the peer's address second; the client's line below is the mirror image. There is no cipher negotiation in static-key mode and recent OpenVPN releases have deprecated the historic BF-CBC default, so set the same cipher explicitly on both ends (AEAD ciphers such as AES-256-GCM are not usable with a static key).

  2. Generate the key file and keep it readable by root only:

    # openvpn --genkey secret CLNT.key
    # chmod 600 CLNT.key
    

    OpenVPN releases before 2.5 spell this openvpn --genkey --secret CLNT.key; the old form still works but is deprecated.

  3. The client. Edit /etc/openvpn/SRV.conf:

    remote SRV.mydomain
    dev tun
    ifconfig 10.0.0.2 10.0.0.1
    secret SRV.key
    cipher AES-256-CBC
    
  4. Copy CLNT.key from the server over an authenticated channel (for example scp) and store it as /etc/openvpn/SRV.key with mode 600. This file is the entire security of the link: never send it by mail or commit it to a repository.

  5. Start the service at the server:

    # systemctl start openvpn@CLNT.service
    # systemctl enable openvpn@CLNT.service
    

    and at the client:

    # systemctl start openvpn@SRV.service
    # systemctl enable openvpn@SRV.service
    
  6. Firewall: on the server, allow inbound UDP port 1194 (the defaults, since neither proto nor port is set above). The client initiates the connection and needs no inbound rule.

See https://openvpn.net/index.php/open-source/documentation/howto.html for more.
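The steps above are easy to get subtly wrong (addresses not mirrored, a key copied with the wrong mode, a cipher set on one side only), so here is a check script. It is an added example, not part of the original page or of OpenVPN itself: the directive names are OpenVPN's, while the function names, the scratch directories and the sample files are constructed for this example. Run it on the host where both files are prepared, before copying them out.

```shell
#!/bin/sh
# Added example, not from the original page: consistency checks for a static-key
# point-to-point pair.  Directive names are OpenVPN's; file names, helper names and
# sample contents are constructed here.

# cfg_value FILE DIRECTIVE: print the arguments of the first matching directive (empty if absent).
cfg_value() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# file_mode FILE: permission bits in octal (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# check_p2p_pair SERVER_CONF CLIENT_CONF: return 0 if consistent, else list problems and return 1.
check_p2p_pair() {
    srv=$1; cli=$2; rc=0
    sdir=$(dirname "$srv"); cdir=$(dirname "$cli")

    # 1. "ifconfig LOCAL PEER" must be mirrored between the two ends.
    s_if=$(cfg_value "$srv" ifconfig); c_if=$(cfg_value "$cli" ifconfig)
    if [ "${s_if%% *}" != "${c_if##* }" ] || [ "${s_if##* }" != "${c_if%% *}" ]; then
        echo "ifconfig not mirrored: server '$s_if' vs client '$c_if'"; rc=1
    fi

    # 2. Both "secret" files must exist, be identical (the copy-and-rename step) and be mode 600.
    skey="$sdir/$(cfg_value "$srv" secret)"; ckey="$cdir/$(cfg_value "$cli" secret)"
    for f in "$skey" "$ckey"; do
        if [ ! -f "$f" ]; then
            echo "missing key file $f"; rc=1
        elif [ "$(file_mode "$f")" != 600 ]; then
            echo "$f is mode $(file_mode "$f"), expected 600"; rc=1
        fi
    done
    if [ -f "$skey" ] && [ -f "$ckey" ] && ! cmp -s "$skey" "$ckey"; then
        echo "key files differ: $skey vs $ckey"; rc=1
    fi

    # 3. Only the client names a peer; the server just listens.
    [ -n "$(cfg_value "$cli" remote)" ] || { echo "client has no remote"; rc=1; }
    [ -z "$(cfg_value "$srv" remote)" ] || { echo "server should not set remote"; rc=1; }

    # 4. No cipher negotiation in static-key mode: both ends need the same explicit cipher.
    s_ci=$(cfg_value "$srv" cipher); c_ci=$(cfg_value "$cli" cipher)
    if [ -z "$s_ci" ] || [ "$s_ci" != "$c_ci" ]; then
        echo "cipher missing or mismatched: server '$s_ci' vs client '$c_ci'"; rc=1
    fi
    return $rc
}

# Constructed sample: the page's CLNT.conf (server) and SRV.conf (client) in a scratch directory.
P2P_DIR=$(mktemp -d)
cat > "$P2P_DIR/CLNT.conf" <<'EOF'
dev tun
ifconfig 10.0.0.1 10.0.0.2
secret CLNT.key
cipher AES-256-CBC
EOF
cat > "$P2P_DIR/SRV.conf" <<'EOF'
remote SRV.mydomain
dev tun
ifconfig 10.0.0.2 10.0.0.1
secret SRV.key
cipher AES-256-CBC
EOF
# Placeholder key body; a real one comes from "openvpn --genkey secret CLNT.key".
printf 'constructed placeholder, not a real key\n' > "$P2P_DIR/CLNT.key"
cp "$P2P_DIR/CLNT.key" "$P2P_DIR/SRV.key"
chmod 600 "$P2P_DIR/CLNT.key" "$P2P_DIR/SRV.key"

# Constructed broken copy: mistyped peer address and a world-readable key on the client side.
BAD_DIR=$(mktemp -d)
cp "$P2P_DIR/CLNT.conf" "$P2P_DIR/CLNT.key" "$P2P_DIR/SRV.key" "$BAD_DIR/"
sed 's/^ifconfig .*/ifconfig 10.0.0.2 10.0.0.3/' "$P2P_DIR/SRV.conf" > "$BAD_DIR/SRV.conf"
chmod 644 "$BAD_DIR/SRV.key"

check_p2p_pair "$P2P_DIR/CLNT.conf" "$P2P_DIR/SRV.conf" && echo "sample pair: OK"
check_p2p_pair "$BAD_DIR/CLNT.conf" "$BAD_DIR/SRV.conf" || echo "broken pair: rejected"
```

The script deliberately checks the two key files byte for byte rather than only by name, because the rename in step 4 is where copies most often go stale after a key rotation.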

Bridging

The server

  1. Create certificates for the server and clients, signed by a CA you run yourself (easy-rsa, shipped with OpenVPN, does this). Issue the server certificate as a server certificate (TLS Web Server Authentication extended key usage) so that clients can distinguish it from client certificates, and keep every private key readable by its owner only (mode 600).

  2. Create /etc/openvpn/dh2048.pem. Use 2048 bits: 1024-bit Diffie-Hellman parameters are considered breakable (see the Logjam attack) and are rejected by OpenSSL at security level 2, the default on several current distributions.

    # openssl dhparam -out dh2048.pem 2048
    

    OpenVPN 2.4 and later negotiate ECDH by default, so dh none is also acceptable in the server configuration instead of a parameter file.

  3. Create a bridge containing the LAN interface and a persistent tap0 (iproute2 commands; the historic equivalents are tunctl -t tap0, brctl addbr br0, brctl addif br0 eth0 and brctl addif br0 tap0):

    # ip tuntap add dev tap0 mode tap
    # ip link add name br0 type bridge
    # ip link set eth0 master br0
    # ip link set tap0 master br0
    # ip link set tap0 up
    # ip link set br0 up
    

    The server's LAN address must move from eth0 to br0 (flush it from eth0, assign it to br0), otherwise the server loses its own connectivity. Do this from a console rather than over SSH through eth0, and make it persistent in the distribution's network configuration.

  4. Create /etc/openvpn/NAME.conf:

    server-bridge 10.0.0.1 255.255.255.0 10.0.0.200 10.0.0.254
    dev tap0
    proto tcp
    port PORT
    keepalive 10 120
    
    ca cacert.pem
    cert SRV.crt
    key SRV.key
    dh dh2048.pem
    

    The arguments of server-bridge are the gateway address (the server's own address on br0, pushed to clients as the gateway for any routes you push), the netmask of the LAN, and the first and last address of the pool handed out to clients. The pool must lie inside the LAN subnet, must not contain the gateway, and must not overlap the scope of any DHCP server on the LAN. proto tcp only makes sense where UDP is blocked; UDP (the default) avoids the retransmission interaction of TCP carried inside TCP.

  5. Start the server and enable it at boot:

    # systemctl start openvpn@NAME.service
    # systemctl enable openvpn@NAME.service
    

    Allow the chosen PORT (TCP in this configuration) in the server's firewall.

In bridged mode the clients are attached to the LAN segment itself: hosts on the LAN reach them by ARP and no additional routes are needed on the LAN hosts or on their router. The return-route requirement only arises in the routed setup below.

The client

  1. Create /etc/openvpn/NAME.conf:

    client
    dev tap
    remote SRV.domain
    proto tcp
    port PORT
    remote-cert-tls server
    
    ca cacert.pem
    cert CLNT.crt
    key CLNT.key
    

    remote-cert-tls server makes the client accept only a certificate issued for server use (TLS Web Server Authentication extended key usage) as the VPN server. Without it, any holder of a client certificate from the same CA can impersonate the server to the other clients.
    
  2. Start the client:

    # systemctl start openvpn@NAME.service
    
  3. You can also use NetworkManager:

    • install NetworkManager-openvpn package
    • point to the certificate files
    • advanced settings: use custom gateway port, use TCP connection, use TAP device
    • IPv4 settings –> Routes: use this connection only for resources on its network

Routing

  1. The server: create /etc/openvpn/NAME.conf:

    server 172.16.0.0 255.255.255.0
    dev tun
    proto tcp
    port PORT
    keepalive 10 120
    push "route 10.0.0.0 255.255.255.0"
    
    ca cacert.pem
    cert SRV.crt
    key SRV.key
    dh dh2048.pem
    

    The 10.0.0.0/24 subnet is the destination network; the push line installs a route to it on every connecting client. 172.16.0.0/24 is used only for the connecting clients (the server takes 172.16.0.1); choose a range that overlaps neither the destination network nor the clients' own LANs. For traffic to flow, the server must forward packets (net.ipv4.ip_forward=1 via sysctl) and its firewall must permit forwarding between the tun interface and the LAN interface.

IMPORTANT: hosts on the destination network must be able to route replies for 172.16.0.0/24 back through the VPN server. Either the VPN server is their default router, or a route for 172.16.0.0/24 via the VPN server is added on the LAN's router, or the VPN server masquerades (NAT) the tunnel traffic onto the LAN.

  2. The client: create /etc/openvpn/NAME.conf:

    client
    dev tun
    remote SRV.domain
    proto tcp
    port PORT
    remote-cert-tls server
    
    ca cacert.pem
    cert CLNT.crt
    key CLNT.key
    

    remote-cert-tls server restricts the accepted server certificate to one carrying the server extended key usage, so a stolen client certificate cannot be used to impersonate the VPN server.
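The address arguments of server-bridge (bridging, step 4) and of server together with the pushed route (routing, step 1) are where these configurations most often go wrong, and OpenVPN gives little help at startup. The following POSIX sh functions, an added example that is not from the page or from OpenVPN, check those arguments arithmetically: a gateway that is the network or broadcast address, a pool outside the LAN subnet or containing the gateway, a VPN subnet with host bits set, and a VPN subnet overlapping the pushed route. The function names and the sample values are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: arithmetic checks for the address arguments
# of "server-bridge" and of "server" plus "push route".  Helper names are this example's own.

# ip2int DOTTED_QUAD: print the address as an unsigned integer (10.0.0.1 -> 167772161).
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip INTEGER: the reverse of ip2int.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# check_server_bridge GATEWAY NETMASK POOL_START POOL_END
# GATEWAY is the server's own address on the bridge; the pool must lie inside the same
# subnet and must not contain the gateway.  Returns 0 if sane, else lists problems, returns 1.
check_server_bridge() {
    gw=$(ip2int "$1"); mask=$(ip2int "$2"); lo=$(ip2int "$3"); hi=$(ip2int "$4"); rc=0
    net=$(( gw & mask )); bcast=$(( net | (~mask & 4294967295) ))
    if [ "$gw" -eq "$net" ] || [ "$gw" -eq "$bcast" ]; then
        echo "gateway $1 is the network or broadcast address, not a host address"; rc=1
    fi
    if [ $(( lo & mask )) -ne "$net" ] || [ $(( hi & mask )) -ne "$net" ]; then
        echo "pool $3-$4 is not inside $(int2ip "$net")/$2"; rc=1
    fi
    [ "$lo" -le "$hi" ] || { echo "pool start $3 is above pool end $4"; rc=1; }
    if [ "$gw" -ge "$lo" ] && [ "$gw" -le "$hi" ]; then
        echo "pool $3-$4 contains the gateway $1"; rc=1
    fi
    return $rc
}

# check_routed_server VPN_NET VPN_MASK LAN_NET LAN_MASK
# "server VPN_NET VPN_MASK" needs a network address (host bits zero), and the pushed LAN
# route must not overlap the VPN subnet, or clients send the wrong packets into the tunnel.
check_routed_server() {
    vnet=$(ip2int "$1"); vmask=$(ip2int "$2"); lnet=$(ip2int "$3"); lmask=$(ip2int "$4"); rc=0
    if [ $(( vnet & vmask )) -ne "$vnet" ]; then
        echo "$1 has host bits set; server expects a network address"; rc=1
    fi
    common=$(( vmask & lmask ))      # mask of the shorter of the two prefixes
    if [ $(( vnet & common )) -eq $(( lnet & common )) ]; then
        echo "VPN subnet $1/$2 overlaps pushed route $3/$4"; rc=1
    fi
    return $rc
}

# Usage with constructed values:
#   check_server_bridge 10.0.0.0 255.255.255.0 10.0.0.200 10.10.0.254   # fails: gateway is the
#                                                                        # network address, pool end
#                                                                        # is in another /16
#   check_server_bridge 10.0.0.1 255.255.255.0 10.0.0.200 10.0.0.254    # returns 0
#   check_routed_server 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0 # returns 0
```

Both functions only use shell arithmetic, so they can run on the server itself before the service is started, for example from a pre-start hook that extracts the directive arguments from the configuration file.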