Setup OpenVPN in one minute

This article will guide you on creating a client-2-server OpenVPN instance. Our goal is to redirect all client traffic to VPN server. That means VPN server would serve as a gateway for local traffic. It’s useful to bypass some STUPID National firewalls,or to test IP-restricted applications.

The most important part for this installation is openvpn’s two config files, one is the server side configuration, and the other is for client side.

This is a server side configuration file:

$ cat /usr/local/openvpn/etc/server.conf
# Which local IP address should OpenVPN listen on? (optional)
;local a.b.c.d

port 1194
proto udp
;dev tap
dev tun

;dev-node MyTap

ca /usr/local/openvpn/etc/keys/ca.crt
cert /usr/local/openvpn/etc/keys/server.crt
key /usr/local/openvpn/etc/keys/server.key
dh /usr/local/openvpn/etc/keys/dh1024.pem

ifconfig-pool-persist ipp.txt


;push "route"
;push "route"

;client-config-dir ccd
# First uncomment out these lines:
;client-config-dir ccd
# Then add this line to ccd/Thelonious:
#   ifconfig-push

;learn-address ./script
;push "redirect-gateway def1"

push "dhcp-option DNS"
;push "dhcp-option WINS"

tls-auth /usr/local/openvpn/etc/keys/ta.key 0
keepalive 10 120

# Select a cryptographic cipher.
# This config item must be copied to the client config file as well.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

# Enable compression on the VPN link.
# If you enable it here, you must also enable it in the client config file.

# The maximum number of concurrently connected clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN daemon's privileges after initialization.
# You can uncomment this out on non-Windows systems.
user nobody
group nobody


status /usr/local/openvpn/logs/openvpn-status.log
log /usr/local/openvpn/logs/openvpn.log
;log-append  openvpn.log

verb 4
;mute 20

Here’s an example of the client side configuration file, it’s used by windows client:

$ cat  netherlands.ovpn
;dev tap
dev tun
proto udp

remote 1194

;resolv-retry infinite
;user nobody
;group nobody


;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]


ca ca.crt
cert joseph.crt
key joseph.key
tls-auth ta.key 1

ns-cert-type server
;cipher x
verb 3
;mute 20
redirect-gateway def1

Let’s start the deploying now. For a typic fresh installation, we need to install both lzo ( Real-time data compression library ) and OpenVPN, for the windows client side, we need its windows version, it’s available here:

After created the applications, it’s time to generate key files, I simply listed the commands here:

$ openvpn-2.0.9/easy-rsa

$ vi vars
$ . vars
$ ./clean-all

$ ./build-ca
$ ./build-key-server server
$ ./build-dh  #Diffie Hellman parameters
$ openvpn --genkey --secret ta.key
$ ./build-key joseph  #Client key, keys/joseph.*
$ ./build-key client0  #Client0's key files, they're stored in keys/client0.*

After finished creating client keys, we may need to modify the client
side configuration file, to make sure it uses correct key file. In the
above example, we’re using joseph.*. When these key files generated, there’re two additional modifications, they both are critical:
On OpenVPN server, we need to turn on ip_forward, in order to redirect VPN traffic on localhost.

$ echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s -o eth0 -j SNAT --to-source

Now,all the configuratio is finished, let’s start the OpenVPN server now:

/usr/local/openvpn/sbin/openvpn --daemon --config /usr/local/openvpn/etc/server.conf

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.