Setup OpenVPN in one minute

This article will guide you through creating a client-to-server OpenVPN instance. Our goal is to redirect all client traffic to the VPN server, which then acts as the gateway for the client's traffic. It's useful for bypassing some STUPID national firewalls, or for testing IP-restricted applications.

The most important part of this installation is OpenVPN's two config files: one for the server side, the other for the client side.

This is a server side configuration file:

$ cat /usr/local/openvpn/etc/server.conf
# Which local IP address should OpenVPN listen on? (optional)
;local a.b.c.d

port 1194
proto udp
;dev tap
dev tun

;dev-node MyTap

ca /usr/local/openvpn/etc/keys/ca.crt
cert /usr/local/openvpn/etc/keys/server.crt
key /usr/local/openvpn/etc/keys/server.key
dh /usr/local/openvpn/etc/keys/dh1024.pem

server 10.10.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt

;server-bridge 10.10.10.2 255.255.255.0 10.10.10.30 10.10.10.40

;push "route 10.10.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2

;learn-address ./script
;push "redirect-gateway def1"

# http://openvpn.net/faq.html#dhcpcaveats
push "dhcp-option DNS 85.17.150.123"
;push "dhcp-option WINS 10.8.0.1"

tls-auth /usr/local/openvpn/etc/keys/ta.key 0
client-to-client
keepalive 10 120

# Select a cryptographic cipher.
# This config item must be copied to the client config file as well.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

# Enable compression on the VPN link.
# If you enable it here, you must also enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN daemon's privileges after initialization.
# The two lines below are enabled here; they only work on non-Windows systems.
user nobody
group nobody

persist-key
persist-tun

status /usr/local/openvpn/logs/openvpn-status.log
log /usr/local/openvpn/logs/openvpn.log
;log-append  openvpn.log

verb 4
;mute 20

Here's an example of the client side configuration file; it's used by the Windows client:

$ cat netherlands.ovpn
client
;dev tap
dev tun
proto udp

remote openvpn.admon.org 1194

;remote-random
;resolv-retry infinite
;nobind
;user nobody
;group nobody

persist-key
persist-tun

;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

;mute-replay-warnings

ca ca.crt
cert joseph.crt
key joseph.key
tls-auth ta.key 1

ns-cert-type server
;cipher x
comp-lzo
verb 3
;mute 20
redirect-gateway def1
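Several options in the two files above have to agree (the cipher comment says it must be copied to the client, tls-auth takes direction 0 on the server and 1 on the client, comp-lzo must be on both sides or neither, and the client should check that it is talking to a server certificate). The following script is an added example, not part of the original post: it parses both configs and reports mismatches, using constructed sample configs that mirror the ones shown above.

```python
import shlex
# Constructed sample configs mirroring the server.conf / netherlands.ovpn above.
SERVER_CONF = """port 1194
proto udp
dev tun
tls-auth /usr/local/openvpn/etc/keys/ta.key 0
;cipher BF-CBC        # Blowfish (default)
comp-lzo
"""
CLIENT_CONF = """client
dev tun
proto udp
remote openvpn.admon.org 1194
tls-auth ta.key 1
ns-cert-type server
comp-lzo
"""

def parse(text):
    """Map each active option to its args; ';' and '#' begin comments (last occurrence wins)."""
    opts = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if line and not line.startswith(';'):
            parts = shlex.split(line)
            opts[parts[0]] = parts[1:]
    return opts

def check_pair(server_text, client_text):
    """Return a list of mismatches between a server.conf and a client .ovpn."""
    s, c = parse(server_text), parse(client_text)
    findings = []
    for opt in ('proto', 'dev', 'cipher'):      # cipher must be copied to the client verbatim
        if s.get(opt) != c.get(opt):
            findings.append(f'{opt} differs: server={s.get(opt)} client={c.get(opt)}')
    st, ct = s.get('tls-auth'), c.get('tls-auth')
    if (st is None) != (ct is None):
        findings.append('tls-auth is set on only one side')
    elif st and (st[1:] != ['0'] or ct[1:] != ['1']):
        findings.append('tls-auth key direction expected 0 on server and 1 on client')
    if ('comp-lzo' in s) != ('comp-lzo' in c):
        findings.append('comp-lzo must be enabled on both sides or on neither')
    remote = c.get('remote', [])
    rport = remote[1] if len(remote) > 1 else '1194'   # OpenVPN's default port
    if s.get('port', ['1194'])[0] != rport:
        findings.append(f'server port {s.get("port", ["1194"])[0]} != client remote port {rport}')
    if 'ns-cert-type' not in c and 'remote-cert-tls' not in c:
        findings.append('client does not check that the peer cert is a server cert')
    return findings
```

Run `check_pair` on the real files before distributing a client profile; an empty list means the paired options agree.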

Let's start deploying now. For a typical fresh installation, we need to install both lzo (the real-time data compression library) and OpenVPN. For the Windows client side, we need its Windows version, available here: http://www.openvpn.se/

After installing the software, it's time to generate the key files. I've simply listed the commands here:

$ cd openvpn-2.0.9/easy-rsa

$ vi vars
$ . vars
$ ./clean-all

$ ./build-ca
$ ./build-key-server server
$ ./build-dh  # Diffie-Hellman parameters
$ openvpn --genkey --secret ta.key
$ ./build-key joseph  #Client key, keys/joseph.*
$ ./build-key client0  #Client0's key files, they're stored in keys/client0.*

After creating the client keys, we may need to modify the client side configuration file to make sure it uses the correct key files. In the example above, we're using joseph.*. Once the key files are generated, there are two additional modifications, both critical: on the OpenVPN server, we need to turn on ip_forward so the server forwards the clients' VPN traffic, and we need a NAT rule so that forwarded traffic leaves through eth0 with the server's public address.

$ echo 1 > /proc/sys/net/ipv4/ip_forward
$ iptables -t nat -A POSTROUTING -s 10.10.10.0/255.255.255.0 -o eth0 -j SNAT --to-source 94.94.94.94

Now that all the configuration is finished, let's start the OpenVPN server:

/usr/local/openvpn/sbin/openvpn --daemon --config /usr/local/openvpn/etc/server.conf
