# Howto Openvpn - The quick easy way

## adelante

Hi,

I've read through a lot of howtos for OpenVPN, and a lot of them didn't seem to work; I could follow them line for line and I kept running into problems.

Here is my HOWTO on OpenVPN, which I find was the simplest way of setting it up.

Server Config

========================================

 *Quote:*   

> # emerge openvpn
> # nano /usr/share/openvpn/easy-rsa/vars
> ...

Paste this into the file and edit it to suit your needs:

```
export EASY_RSA="`pwd`"
export KEY_CONFIG="$EASY_RSA/openssl.cnf"
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export KEY_SIZE=1024
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
```

 *Quote:*   

> # cd /usr/share/openvpn/easy-rsa/
> # source ./vars
> ...

Just press enter through everything and select (Y) where necessary

 *Quote:*   

> # ./build-key-server server
> # ./build-dh
> ...

 *Quote:*   

> # cd /etc/openvpn/
> # openvpn --genkey --secret ta.key
> ...

Paste this into your server.conf and edit the <network range> value

```
port 9000
proto udp
dev tun
mode server
ca /usr/share/openvpn/easy-rsa/keys/ca.crt
cert /usr/share/openvpn/easy-rsa/keys/server.crt
key /usr/share/openvpn/easy-rsa/keys/server.key
dh /usr/share/openvpn/easy-rsa/keys/dh1024.pem
server <network range> 255.255.255.0 # for example 192.168.139.0
client-to-client
ifconfig-pool-persist ipp.txt
client-config-dir ccd
keepalive 10 120
tls-auth ta.key 0
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
duplicate-cn
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
log        /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3
```

 *Quote:*   

> # ln -sf /etc/init.d/openvpn /etc/init.d/openvpn.server
> # /etc/init.d/openvpn.server start
> ...

Your server side of things should be up and running now.

If you run an ifconfig you should see the tun0 device.

========================================

Windows Client Configuration

========================================

On the Openvpn server you have just setup:

 *Quote:*   

> cd /usr/share/openvpn/easy-rsa/
> source ./vars
> ...

On the Client side:

- install the OpenVPN client on Windows: http://openvpn.se/files/install_packages/openvpn-2.0.9-gui-1.0.3-install.exe
- create the folder: C:\Program Files\OpenVPN\config\<USERNAME>
- create a file called: C:\Program Files\OpenVPN\config\<USERNAME>.ovpn
- open this file with Notepad, put the following in it, and edit the <USERNAME> value and the <vpn server IP> value:

```
client
dev tun
proto udp
remote <vpn server IP> 9000
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\config\\<USERNAME>\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\<USERNAME>\\<USERNAME>.crt"
key "C:\\Program Files\\OpenVPN\\config\\<USERNAME>\\<USERNAME>.key"
tls-auth "C:\\Program Files\\OpenVPN\\config\\<USERNAME>\\ta.key" 1
comp-lzo
verb 3
```

- copy these files from /usr/share/openvpn/easy-rsa/keys/ to C:\Program Files\OpenVPN\config\<USERNAME>\:
  - ca.crt
  - <USERNAME>.crt
  - <USERNAME>.key
- copy the ta.key file from /etc/openvpn/ to C:\Program Files\OpenVPN\config\<USERNAME>\
- if you want to assign a specific user an IP address, create a file on the server: /etc/openvpn/ccd/<username>, and in it put for example:

```
ifconfig-push 192.168.220.5 192.168.220.6
```

- it must be two IPs in the same network; the first is the IP of the tun0 interface, the second is just a tunnel IP.

Then fire up the client and you should be connected.

========================================

Linux Client Configuration

========================================

On the Openvpn server you have just setup:

 *Quote:*   

> cd /usr/share/openvpn/easy-rsa/
> source ./vars
> ...

On the Client side:

 *Quote:*   

> # emerge openvpn
> # cd /etc/openvpn
> ...

Put this into your client.conf and edit the <vpn server ip> & <username> values.

```
client
dev tun
proto udp
remote <vpn server ip> 9900
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
persist-key
persist-tun
ca "/etc/openvpn/client/ca.crt"
cert "/etc/openvpn/client/<username>.crt"
key "/etc/openvpn/client/<username>.key"
tls-auth "/etc/openvpn/client/ta.key" 1
comp-lzo
verb 3
```

Copy these files from /usr/share/openvpn/easy-rsa/keys/ on the server to /etc/openvpn/client/ on the client side:

- ca.crt
- <username>.*

Copy the ta.key file from /etc/openvpn/ on the server to /etc/openvpn/client on the client side.

 *Quote:*   

> # ln -sf /etc/init.d/openvpn /etc/init.d/openvpn.client
> # /etc/init.d/openvpn.client start
> ...

- if you want to assign a specific user an IP address, create a file on the server: /etc/openvpn/ccd/<username>, and in it put for example:

```
ifconfig-push 192.168.220.5 192.168.220.6
```

- it must be two IPs in the same network; the first is the IP of the tun0 interface, the second is just a tunnel IP.

========================================

Please let me know if I've left anything out.

regards

Dave
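
The ccd rule in the post (two addresses in the same network) has a precise form: with OpenVPN's default net30 topology each client owns a /30, so the pair must be the two usable addresses of one /30 inside the `server` pool and must not collide with the server's own endpoint pair (the first /30). The checker below is an added example written for this thread, not code from the post or from OpenVPN. Its server snippet is constructed from the post's server.conf with the `<network range>` placeholder filled in as 192.168.220.0 so the post's ccd entry falls inside it; it also accepts the `topology subnet` form (address plus netmask) that appears later in the thread.

```python
"""Sanity-check an OpenVPN ccd 'ifconfig-push' entry against server.conf.
Added example for this thread; not code from the post or from OpenVPN."""
import ipaddress

# Constructed sample server config (values from the post, placeholder filled in).
SERVER_CONF = """\
port 9000
proto udp
dev tun
mode server
server 192.168.220.0 255.255.255.0   # pool the clients are allocated from
client-config-dir ccd
"""

# Constructed sample ccd entry, as in the post (net30 style: local, remote).
CCD_ENTRY = "ifconfig-push 192.168.220.5 192.168.220.6\n"


def parse_options(text):
    """Map each directive to its argument list; '#' comments and blanks are skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts[name] = args
    return opts


def check_ifconfig_push(ccd_text, server_conf):
    """Return a list of problems; an empty list means the entry looks sane."""
    srv = parse_options(server_conf)
    if "server" not in srv or len(srv["server"]) < 2:
        return ["server.conf has no usable 'server <net> <mask>' line"]
    pool = ipaddress.IPv4Network("/".join(srv["server"][:2]), strict=False)
    # OpenVPN 2.x defaults to net30 when no 'topology' directive is given.
    topo = srv.get("topology", ["net30"])[0]
    args = parse_options(ccd_text).get("ifconfig-push")
    if args is None or len(args) != 2:
        return ["ccd entry needs 'ifconfig-push <addr> <remote-or-mask>'"]

    problems = []
    local = ipaddress.IPv4Address(args[0])
    if local not in pool:
        problems.append(f"{local} is outside the server pool {pool}")

    if topo == "net30":
        # Each client owns a /30; the two arguments must be its two usable
        # addresses (x.x.x.[4k+1] and x.x.x.[4k+2]), in either order.
        remote = ipaddress.IPv4Address(args[1])
        if remote not in pool:
            problems.append(f"{remote} is outside the server pool {pool}")
        block = ipaddress.IPv4Network(f"{local}/30", strict=False)
        usable = {block.network_address + 1, block.network_address + 2}
        if {local, remote} != usable:
            expected = ", ".join(str(a) for a in sorted(usable))
            problems.append(f"{local}/{remote} are not the two usable addresses "
                            f"of one /30 (expected {expected})")
        # The first /30 of the pool is the server's own endpoint pair.
        server_pair = {pool.network_address + 1, pool.network_address + 2}
        if {local, remote} & server_pair:
            problems.append("pair collides with the server's own endpoint addresses")
    elif topo == "subnet":
        # subnet topology: the second argument is the netmask, not a peer
        # address, and the first pool address belongs to the server.
        try:
            ipaddress.IPv4Network(f"0.0.0.0/{args[1]}")
        except ValueError:
            problems.append(f"{args[1]} is not a valid netmask")
        if local == pool.network_address + 1:
            problems.append(f"{local} is the server's own address in {pool}")
    else:
        problems.append(f"unsupported topology '{topo}'")
    return problems


if __name__ == "__main__":
    for problem in check_ifconfig_push(CCD_ENTRY, SERVER_CONF) or ["ok"]:
        print(problem)
```

Run it against each file in your ccd directory before restarting the server; a pair like 192.168.220.5/192.168.220.7 is rejected because it straddles two /30s, and an address from a different network than the `server` line is rejected as outside the pool.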

----------

## Schangu

Sorry, but I think there is one mistake:

It is in your Linux-Client Configuration:

You wrote that the VPN Server Port must be 9900 but in your Server Configuration it is 9000 ;]

----------

## idl0r

nice howto but:

WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want

WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
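
The two replies above each describe a mismatch that only shows up once OpenVPN logs a warning or the client fails to connect: a client `remote` port that differs from the server's `port` (Schangu's point) and `duplicate-cn` combined with the per-CN features `client-config-dir` and `ifconfig-pool-persist` (the warnings idl0r quotes). The cross-check below is an added example written for this thread, not code from any post or from OpenVPN. Its two sample configs are constructed from the first post, with the Linux client's 9900 left in and the documentation address 203.0.113.10 standing in for `<vpn server ip>`; it also compares `proto`, `dev`, the `tls-auth` key direction and `comp-lzo`, which must likewise agree on both sides.

```python
"""Cross-check an OpenVPN server.conf against a client config for the
mismatches discussed in this thread. Added example; not code from any post
or from OpenVPN."""

# Constructed from the first post's server.conf (placeholder filled in).
SERVER_CONF = """\
port 9000
proto udp
dev tun
mode server
server 192.168.139.0 255.255.255.0
client-to-client
ifconfig-pool-persist ipp.txt
client-config-dir ccd
keepalive 10 120
tls-auth ta.key 0
duplicate-cn
comp-lzo
"""

# Constructed from the first post's Linux client.conf; the 9900 typo is kept
# and 203.0.113.10 is a documentation address standing in for <vpn server ip>.
CLIENT_CONF = """\
client
dev tun
proto udp
remote 203.0.113.10 9900
resolv-retry infinite
nobind
ca /etc/openvpn/client/ca.crt
tls-auth /etc/openvpn/client/ta.key 1
comp-lzo
"""

# Server-side features that identify a client by its certificate CN; they
# stop working once duplicate-cn lets several clients share one CN.
PER_CN_FEATURES = ("client-config-dir", "ifconfig-pool-persist")


def parse_options(text):
    """Map each directive to its argument list ('#' comments and blanks skipped)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts[name] = args
    return opts


def cross_check(server_text, client_text):
    """Return a list of findings; an empty list means the two configs agree."""
    s, c = parse_options(server_text), parse_options(client_text)
    findings = []

    # Transport: the client's 'remote' port must be the server's 'port'
    # (OpenVPN's default is 1194 when 'port' is absent).
    server_port = s.get("port", ["1194"])[0]
    remote = c.get("remote", [])
    if len(remote) < 2:
        findings.append("client has no 'remote <host> <port>' line")
    elif remote[1] != server_port:
        findings.append(f"port mismatch: client connects to {remote[1]}, "
                        f"server listens on {server_port}")

    # proto defaults to udp; dev has no default and must be set on both sides.
    for name, default in (("proto", ["udp"]), ("dev", None)):
        sv, cv = s.get(name, default), c.get(name, default)
        if sv is None or cv is None:
            findings.append(f"'{name}' must be set on both sides")
        elif sv[0] != cv[0]:
            findings.append(f"{name} mismatch: server {sv[0]}, client {cv[0]}")

    # tls-auth: both sides or neither; if a key direction is given it must be
    # 0 on the server and 1 on the client (omitted on both = bidirectional).
    if ("tls-auth" in s) != ("tls-auth" in c):
        findings.append("tls-auth is configured on only one side")
    else:
        sd = s.get("tls-auth", [])[1:2]
        cd = c.get("tls-auth", [])[1:2]
        if (sd or cd) and (sd, cd) != (["0"], ["1"]):
            findings.append("tls-auth key-direction mismatch: server "
                            f"{sd[0] if sd else 'none'}, client {cd[0] if cd else 'none'}")

    # comp-lzo must be enabled on both sides or on neither.
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        findings.append("comp-lzo is set on only one side")

    # The warnings quoted in the thread: duplicate-cn defeats per-CN features.
    if "duplicate-cn" in s:
        for feature in PER_CN_FEATURES:
            if feature in s:
                findings.append(f"duplicate-cn conflicts with {feature}")
    return findings


if __name__ == "__main__":
    for finding in cross_check(SERVER_CONF, CLIENT_CONF) or ["no findings"]:
        print(finding)
```

On the thread's configs this reports the 9900/9000 port mismatch plus the two duplicate-cn conflicts; correcting the client port leaves only the latter, and dropping `duplicate-cn` (so that ccd entries and the persistent pool can be keyed by CN again) leaves nothing.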

----------

## Tuinslak

thanks, great howto

just watch out with iptables/masquerading when you want to use the VPN server as gateway

----------

## Bethney Piper

Usually yes it will route all your traffic through the company LAN. But you can make it do what is known as split-tunneling depending on what VPN vendor you are using. If it is just the Microsoft VPN you can go to the VPN connection properties, networking, TCP/IP advanced, and uncheck "use gateway on remote network".

----------

## alex6

This guide still works except 2 things : 

- have to emerge easy-rsa (ok it does make sense but not written in this guide)

- all the paths changed : /usr/share/openvpn/easy-rsa is now /usr/share/easy-rsa

----------

## solamour

 *alex6 wrote:*   

> This guide still works except 2 things : 
> 
> - have to emerge easy-rsa (ok it does make sense but not written in this guide)
> 
> - all the paths changed : /usr/share/openvpn/easy-rsa is now /usr/share/easy-rsa

 

Ha... that's why I wasn't able to find some of the files in the guide. Thanks for sharing.

__

sol

----------

## fbcyborg

Thank you for the information. Actually I had the same problem!  :Very Happy: 

That should be put in the first post!

----------

## djbadballie469

Hi I'm in south africa durban I'm on 8.ta network Can sum1 email me the config folder with all settings intact. Djbadballie469(at)gmail(dot)com. Tx in advance. I have open vpn but no working config files

----------

## fincoop

 *adelante wrote:*   

> Hi,
> 
> I've read through a lot of howto's for openvpn, and a lot of them didn't seem to work, I could follow them line for line and I kept running into problems.

Thanks a lot, still works!

----------

## wichtounet

Unfortunately, this does not work anymore at all. All the directories have changed. 

It's the same issue with the official OpenVPN page of Gentoo :S

----------

## Joseph_sys

 *wichtounet wrote:*   

> Unfortunately, this does not work anymore at all. All the directories have changed. 
> 
> It's the same issue with the official OpenVPN page of Gentoo :S

 

This is not a helpful reply.  

Just point out which directory has changed; so far only "/usr/share/easy-rsa" has changed.

----------

## Joseph_sys

Quick and dirty instructions to make openvpn + easy-rsa work.

On SERVER do:

```
cd /usr/share/easy-rsa/
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa build-server-full server_clinic_8amd nopass
./easyrsa gen-dh
openvpn --genkey --secret ta.key
mkdir /etc/openvpn/cert
cp pki/ca.crt /etc/openvpn/cert/
cp pki/issued/server_clinic_8amd.crt /etc/openvpn/cert/
cp pki/private/server_clinic_8amd.key /etc/openvpn/cert/
cp pki/dh.pem /etc/openvpn/cert/
cp ta.key /etc/openvpn/cert/
./easyrsa build-client-full syscon7 nopass
```

Hit "ENTER" when you need to (no need to change anything).

Copy the following files to the client (via USB or ssh, 'zip_it', etc.; pay attention to permissions):

=> The public ca.crt certificate is needed on all servers and clients.

=> The private ca.key key is secret and only needed on the key generating machine. (not in cert/ folder)

=> A server needs server.crt, and dh2048.pem (public), and server.key and ta.key (private).

=> A client needs client.crt (public), and client.key and ta.key (private).

e.g. (transfer these files to your client):

```
cp pki/ca.crt /home/fd/keys/
cp pki/issued/syscon7.crt /home/fd/keys/
cp pki/private/syscon7.key /home/fd/keys/
cp ta.key /home/fd/keys/
```

Copy the files from the instructions above to the server's /etc/openvpn. I copied them to the dir "cert" in /etc/openvpn/:

```
ll /etc/openvpn/cert/
total 28
-rw------- 1 root root 1749 Feb  7 12:24 ca.crt
-rw------- 1 root root  424 Feb  7 12:28 dh.pem
-rw------- 1 root root 5280 Feb  7 12:26 server_clinic_8amd.crt
-rw------- 1 root root 1704 Feb  7 12:27 server_clinic_8amd.key
-rw------- 1 root root  636 Feb  7 13:35 ta.key
```

cat server_clinic_8amd.conf (on server PC):

```
proto udp
port 9000
dev tun
mode server
ca /etc/openvpn/cert/ca.crt
cert /etc/openvpn/cert/server_clinic_8amd.crt
key /etc/openvpn/cert/server_clinic_8amd.key
dh /etc/openvpn/cert/dh.pem
topology subnet
server 192.168.140.0 255.255.255.0
client-to-client
ifconfig-pool-persist ipp.txt
client-config-dir ccd
keepalive 10 120
tls-auth /etc/openvpn/cert/ta.key
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
duplicate-cn
comp-lzo
max-clients 10
persist-key
persist-tun
status openvpn-status.log
log        /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3
```

=================

on SERVER

```
cd /etc/openvpn
touch ipp.txt   # on server in /etc/openvpn
mkdir ccd
nano -w ccd/syscon7
```

```
ifconfig-push 192.168.140.7 255.255.255.0
```

"save it"

```
cd /etc/init.d/
ln -s openvpn openvpn.server_clinic_8amd
openvpn.server_clinic_8amd start
```

==========================

On a client PC (my "syscon7"), logged in as root:

```
cd /etc/openvpn
mkdir cert_clinic_8amd
```

and copy the above "files" to that directory.

```
# ll cert_clinic_8amd/
total 20
-rwx------ 1 root root 1749 Feb  7 14:21 ca.crt
-rwx------ 1 root root 5239 Feb  7 14:21 syscon7.crt
-rwx------ 1 root root 1704 Feb  7 14:21 syscon7.key
-rwx------ 1 root root  636 Feb  7 14:21 ta.key
```

nano -w clinic_8amd.conf:

```
client
dev tun
proto udp
port 9071
topology subnet
remote <your_remote_PC_IP_address> 9071
resolv-retry infinite
tun-mtu 1500
tun-mtu-extra 32
mssfix 1200
persist-key
persist-tun
remote-cert-tls server
ca "/etc/openvpn/cert_clinic_8amd/ca.crt"
cert "/etc/openvpn/cert_clinic_8amd/syscon7.crt"
key "/etc/openvpn/cert_clinic_8amd/syscon7.key"
tls-auth "/etc/openvpn/cert_clinic_8amd/ta.key"
comp-lzo
log        /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3
```

================

Note: make sure on your server network firewall you forward traffic from incoming port: 9071 to 9000

```
cd /etc/init.d/
ln -s openvpn openvpn.clinic_8amd
openvpn.clinic_8amd start
```

You should have a VPN now.

Check it with "ifconfig".

----------

