OpenVPN is a VPN implementation with client and server components for Linux, Windows and macOS. To use it, an OpenVPN server is needed in the target network, either on the gateway itself or on a dedicated host in a "DMZ" (with a publicly reachable IP address and a connection to the internal network). The client software must be installed and configured with the server address, port, keys and certificates, and so on.
OpenVPN can run on the server either with IP routing, i.e. a "tun" interface, or bridged to the LAN, i.e. a "tap" interface. With "tun", the firewall rules are written for the "tun+" interface; with "tap", a bridge must be set up between "tap+" and the interface to the internal network.
The packages required on Linux are openvpn and easy-rsa. Windows needs only the OpenVPN package; whether an installation acts as server or client is decided by its configuration file.
By default, OpenVPN uses port 1194 on UDP. Another TCP or UDP port can be set.
1. Configuration of the access keys. This is done only once, when installing the server: the CA and server keys are generated and, as needed, several client keys. Client keys can additionally be protected with a passphrase. It is the most complicated and time-consuming step of the whole process.
2. Configure the /etc/openvpn/server.conf file and the firewall rules, and enable the OpenVPN service at boot.
3. Configure the Linux or Windows client.
Once the easy-rsa package is installed, the directory /usr/share/doc/easy-rsa (or /usr/share/doc/packages/easy-rsa) contains a README that presents the steps for generating server and client keys. The scripts are in /usr/share/easy-rsa, and it is generally recommended to copy them to /etc/openvpn, the main OpenVPN configuration directory, so that your edited vars file and the generated keys are not touched by package upgrades:
cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa
Go to the directory where the file "vars" exists and edit the variables at the bottom of it: KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL and KEY_OU. These values end up in the subject of every certificate; the ones below are placeholders to replace with your own:
export KEY_COUNTRY="US"
export KEY_PROVINCE="SC"
export KEY_CITY="Myrtle Beach"
export KEY_ORG="Home"
export KEY_EMAIL="firstname.lastname@example.org"
export KEY_OU="PreferredOrganization"
cd /etc/openvpn/easy-rsa    # the directory that contains the vars file
source ./vars               # loads the variable settings into the shell
./clean-all                 # deletes any older keys in the keys/ subdirectory
./build-ca                  # generates the Certificate Authority (CA) key and certificate
./build-key-server server   # generates the certificate and private key for the server, named "server"
./build-dh                  # generates the Diffie-Hellman parameters, dh<KEY_SIZE>.pem (e.g. dh2048.pem; KEY_SIZE is set in vars)
Then generate a key pair for each VPN client, for example client, client2 and client3:
./build-key client
./build-key client2
./build-key client3
If you want a passphrase on each client key, use ./build-key-pass instead of ./build-key.
Further client keys can be generated later from the same directory with ./build-key <name>, after running source ./vars again.
The generated files end up in the keys/ subdirectory of easy-rsa. On the server, copy ca.crt, server.crt, server.key and the dh file to, for example, /etc/openvpn/keys (server.key is secret: keep it readable by root only):
mkdir /etc/openvpn/keys
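The following script is an added example, not part of the original page and not easy-rsa's own code: it does with plain openssl what build-ca, build-key-server, build-key and build-dh do (the same extension sets easy-rsa applies: CA:TRUE on the CA, serverAuth on the server certificate, clientAuth on client certificates), and then runs the checks worth doing before anything is copied to /etc/openvpn/keys: each certificate chains to ca.crt, it carries the key usage OpenVPN's remote-cert-tls will look for, and it matches its private key. The subject fields, the output directory and the file name make-pki.sh are assumptions.

```shell
#!/bin/sh
# Added example (not from the page): build an OpenVPN PKI with plain openssl,
# mirroring easy-rsa 2's build-ca / build-key-server / build-key / build-dh,
# then verify it. Assumes openssl is installed; subject fields are assumptions.
set -eu

DAYS=3650
BITS=2048
SUBJ_BASE="/C=US/ST=SC/L=Myrtle Beach/O=Home"   # assumed, mirrors the vars example

# Minimal openssl.cnf with the extension sets easy-rsa applies to each kind of cert.
write_cnf() {   # write_cnf <path>
    cat >"$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# ./build-ca: self-signed CA certificate and key.
build_ca() {   # build_ca <dir>
    openssl req -x509 -new -newkey rsa:$BITS -nodes -sha256 -days $DAYS \
        -config "$1/openssl.cnf" -extensions ca_ext -subj "$SUBJ_BASE/CN=Home CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    chmod 600 "$1/ca.key"
}

# ./build-key-server <name> and ./build-key <name>: a CSR signed by the CA with
# the server or the client extension set.
issue_cert() {   # issue_cert <dir> <name> <server_ext|client_ext>
    openssl req -new -newkey rsa:$BITS -nodes -sha256 -config "$1/openssl.cnf" \
        -subj "$SUBJ_BASE/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -days $DAYS -sha256 -extfile "$1/openssl.cnf" -extensions "$3" -out "$1/$2.crt" 2>/dev/null
    chmod 600 "$1/$2.key"
    rm -f "$1/$2.csr"
}
build_key_server() { issue_cert "$1" "$2" server_ext; }
build_key()        { issue_cert "$1" "$2" client_ext; }

# ./build-dh: Diffie-Hellman parameters (slow; the file name carries the key size).
build_dh() { openssl dhparam -out "$1/dh$BITS.pem" $BITS 2>/dev/null; }

# Checks before copying to /etc/openvpn/keys: chain to the CA, right purpose
# (sslserver needs serverAuth, sslclient needs clientAuth), key matches cert.
verify_cert() {   # verify_cert <dir> <name> <sslserver|sslclient>
    openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$1/$2.crt" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -in "$1/$2.crt" -noout -pubkey)" = "$(openssl pkey -in "$1/$2.key" -pubout)" ]
}

# Usage: sh make-pki.sh <outdir> [client-name ...]   (file name is an assumption)
if [ $# -ge 1 ]; then
    OUT=$1; shift
    [ $# -ge 1 ] || set -- client
    mkdir -p "$OUT" && write_cnf "$OUT/openssl.cnf"
    build_ca "$OUT"
    build_key_server "$OUT" server
    verify_cert "$OUT" server sslserver
    for c; do build_key "$OUT" "$c"; verify_cert "$OUT" "$c" sslclient; done
    build_dh "$OUT"
    echo "PKI written to $OUT: $(ls "$OUT")"
fi
```

The negative check matters as much as the positive one: a client certificate must fail the sslserver purpose test, otherwise a stolen client key could be used to impersonate the server to other clients once remote-cert-tls is in place.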
Edit the .conf file on the server:
A simple configuration is given below; it must be created as /etc/openvpn/server.conf.
(Configuration examples shipped with the OpenVPN package are in /usr/share/doc/openvpn/examples.)
# port 1194 is the default; any other free port can be used instead
port 1337
# proto udp or proto tcp
proto udp
# "dev tun" creates a routed IP tunnel
dev tun
# ca, cert, key and dh point at the files copied to /etc/openvpn/keys:
# the CA certificate, the server certificate, the server private key
# (keep it secret) and the Diffie-Hellman parameters; the dh file name
# carries the key size that build-dh was run with
# Network from which connected clients get their internal IP addresses
server 192.168.50.0 255.255.255.0
# Redirect all client traffic through the VPN
push "redirect-gateway def1"
# DNS servers handed to the clients; replace with the resolvers you want them to use
push "dhcp-option DNS 126.96.36.199"
push "dhcp-option DNS 188.8.131.52"
# Ping every 20 s and treat the peer as gone after 60 s without an answer
keepalive 20 60
# The directive that lets several clients connect with the same certificate is
# duplicate-cn; it is not set here, because one key per client is what the
# key-generation step produces and it keeps clients distinguishable in the logs
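A complete, hardened server.conf that fills in the directives the fragment above only describes in comments. It is an added example, not configuration from the original page; it assumes the easy-rsa output was copied to /etc/openvpn/keys with KEY_SIZE=2048, that a control-channel HMAC key was created with `openvpn --genkey --secret /etc/openvpn/keys/ta.key` (a step the page does not include), and that the unprivileged group on the system is nogroup (Debian/Ubuntu; Red Hat systems use nobody).

```conf
# /etc/openvpn/server.conf (added example)
port 1337
proto udp
dev tun
topology subnet

# PKI produced by easy-rsa (assumed copied to /etc/openvpn/keys)
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
# server.key is secret: mode 0600, owned by root
key  /etc/openvpn/keys/server.key
# file name matches KEY_SIZE=2048 in vars
dh   /etc/openvpn/keys/dh2048.pem
# HMAC on the control channel; clients use key direction 1
tls-auth /etc/openvpn/keys/ta.key 0

# Only accept certificates issued with the client extensions (build-key);
# a server certificate presented by a client is rejected.
remote-cert-tls client
tls-version-min 1.2
# on OpenVPN 2.5+ use: data-ciphers AES-256-GCM:AES-128-GCM
cipher AES-256-GCM
auth SHA256

server 192.168.50.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 126.96.36.199"
push "dhcp-option DNS 188.8.131.52"
keepalive 20 60
# UDP only: tell clients when the server restarts so they reconnect at once
explicit-exit-notify 1

# Drop privileges once the tunnel is up; keep key and tun across restarts
user nobody
group nogroup
persist-key
persist-tun

# Weak setting, left disabled: duplicate-cn lets several clients share one
# certificate, so a leaked key can neither be tied to one user nor revoked alone
;duplicate-cn

status /var/log/openvpn-status.log
verb 3
```

remote-cert-tls client and the matching remote-cert-tls server on the client side are the reason build-key-server and build-key produce different certificates: without them, any certificate signed by the CA can play either role.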
To test the configuration, launch it as root from /etc/openvpn:
openvpn --config server.conf    (or openvpn --config /etc/openvpn/server.conf)
and stop it with
killall openvpn
(SIGTERM lets OpenVPN remove its routes and the tun interface; use -9 only if the process hangs.)
Or start it as a service. On Debian/Ubuntu, openvpn.service starts every .conf file found in /etc/openvpn; a single configuration such as /etc/openvpn/server.conf can also be managed on its own as the template instance openvpn@server:
systemctl list-unit-files | grep enabled    (shows which units are enabled at boot)
systemctl enable openvpn
systemctl start openvpn
or stop with systemctl stop openvpn
On sysvinit systems:
sudo service openvpn start
or stop or restart.
Firewall rules must be set for VPN <-> LAN traffic to work. The VPN subnet in the rules must be the one given to the server directive in server.conf (192.168.50.0/24 above), and the listening port itself (UDP 1337 above) must be reachable in the INPUT chain; <LAN subnet>/24 is the internal network:
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -s <LAN subnet>/24 -d 192.168.50.0/24 -j ACCEPT
iptables -I FORWARD -d <LAN subnet>/24 -s 192.168.50.0/24 -j ACCEPT
Internet access for the clients must also be allowed, because server.conf pushes the default route through the VPN. Enable IP forwarding (make it permanent in /etc/sysctl.conf, otherwise it is lost at reboot) and NAT the VPN subnet out of the external interface (eth0 here):
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 192.168.50.0/24 -o eth0 -j MASQUERADE
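The subnet in the FORWARD and MASQUERADE rules has to match the server directive, and the listening port has to be opened as well; typing both by hand is how they drift apart. The script below is an added example rather than the page's own commands: it reads the subnet, protocol and port from server.conf and prints an iptables-restore ruleset, refusing malformed netmasks. The LAN subnet 192.168.1.0/24, the external interface eth0, the sample server.conf and the file name vpn-rules.sh are assumptions.

```shell
#!/bin/sh
# Added example (not from the page): derive the VPN subnet, protocol and port
# from /etc/openvpn/server.conf and emit matching iptables-restore rules, so the
# firewall cannot silently disagree with the "server" directive.
set -eu

# 255.255.255.0 -> 24; rejects non-contiguous masks such as 255.0.255.0.
mask_to_prefix() {   # mask_to_prefix <dotted-netmask>
    mask=$1
    set -- $(printf '%s\n' "$mask" | tr '.' ' ')
    [ $# -eq 4 ] || { echo "bad netmask: $mask" >&2; return 1; }
    m=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    # A valid mask is a run of ones followed by zeros: m | (m-1) is then all ones.
    [ $(( (m | (m - 1)) & 0xFFFFFFFF )) -eq $(( 0xFFFFFFFF )) ] \
        || { echo "non-contiguous netmask: $mask" >&2; return 1; }
    bits=0
    while [ "$m" -ne 0 ]; do
        bits=$(( bits + (m & 1) ))
        m=$(( m >> 1 ))
    done
    echo "$bits"
}

# Print "network/prefix" from the "server <network> <netmask>" line of a config.
vpn_subnet() {   # vpn_subnet <server.conf>
    set -- $(awk '$1 == "server" { print $2, $3; exit }' "$1")
    [ $# -eq 2 ] || { echo "no 'server' directive found" >&2; return 1; }
    echo "$1/$(mask_to_prefix "$2")"
}

# Print "proto port"; OpenVPN's defaults (udp 1194) apply when the config is silent,
# and spellings like UDP, udp4 or tcp-server are reduced to what iptables -p accepts.
listen_spec() {   # listen_spec <server.conf>
    set -- $(awk '$1 == "proto" { r = $2 } $1 == "port" { p = $2 }
                  END { print (r ? r : "udp"), (p ? p : "1194") }' "$1")
    proto=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    echo "${proto%%[0-9-]*} $2"
}

# Emit an iptables-restore ruleset for the filter and nat tables.
gen_rules() {   # gen_rules <server.conf> <lan_subnet_cidr> <internet_iface>
    conf=$1; lan=$2; wan=$3
    vpn=$(vpn_subnet "$conf") || return 1
    set -- $(listen_spec "$conf")
    proto=$1; port=$2
    cat <<EOF
*filter
# OpenVPN listener, and everything that arrives over the tunnel
-A INPUT -p $proto --dport $port -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
# VPN <-> LAN, restricted to the two subnets
-A FORWARD -s $vpn -d $lan -j ACCEPT
-A FORWARD -s $lan -d $vpn -j ACCEPT
# Clients get "redirect-gateway", so their Internet traffic leaves via $wan
-A FORWARD -i tun+ -o $wan -s $vpn -j ACCEPT
-A FORWARD -i $wan -o tun+ -d $vpn -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
-A POSTROUTING -s $vpn -o $wan -j MASQUERADE
COMMIT
EOF
}

# Usage: sh vpn-rules.sh /etc/openvpn/server.conf 192.168.1.0/24 eth0
if [ $# -eq 3 ]; then
    gen_rules "$@"
fi
```

Review the printed rules, enable forwarding with `sysctl -w net.ipv4.ip_forward=1`, then apply them with `sh vpn-rules.sh /etc/openvpn/server.conf 192.168.1.0/24 eth0 | iptables-restore --noflush`; --noflush appends to the rules already loaded instead of replacing them.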
clientX.key, clientX.crt and ca.crt must be delivered to the client together with its client.conf configuration file (the .key is secret: transfer it over a secure channel, never by plain e-mail).
On Windows, rename client.conf to client.ovpn.
At "remote" put the public address of the OpenVPN server and the port (the example shows a private address; over the Internet it is the server's public IP or DNS name):
# Server IP and port
remote 192.168.2.1 1337
On Windows, copy the files to C:\Program Files\OpenVPN\config and run OpenVPN as administrator, because it needs the rights to create the TAP/tun adapter.
On Linux, copy the keys and client.conf into the same directory and launch:
sudo openvpn --config client.conf &
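A complete client configuration to go with the "remote" line above, as an added example that is not from the original page. It assumes the server was set up with a tls-auth key ta.key (copied to the client with the three certificate files) and that the certificate files are named client.crt and client.key; the same file serves as client.conf on Linux and client.ovpn on Windows.

```conf
# client.conf (Linux) / client.ovpn (Windows), added example
client
dev tun
proto udp
remote 192.168.2.1 1337
resolv-retry infinite
nobind
persist-key
persist-tun

# The three files from the key-generation step, plus ta.key from the server
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1

# Refuse any peer that does not present a certificate issued with the server
# extensions (build-key-server): a stolen client certificate cannot be used
# to impersonate the server.
remote-cert-tls server
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
verb 3
```

If the client key was created with build-key-pass, OpenVPN asks for the passphrase at startup; with `sudo openvpn --config client.conf &` in the background that prompt is easy to miss, so run it in the foreground the first time.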