How to Configure OpenVPN
Date: Sep 8, 2006
OpenVPN is a tried and true VPN solution. It's totally secure and infinitely configurable. You can install and run this software without relying on a third party, but the fact that it’s open source and free is what really makes it stand out. OpenVPN can be a little daunting to configure the first time you jump into it, but once you get your configuration worked out, it’s a pleasure to use. After you have the software running on your network, it’s possible to seamlessly perform a great number of tasks. One of the most popular and practical uses for OpenVPN is its ability to enable secure surfing and home network access—whether you're out traveling or you're on an open wifi access point. It can also be used to connect separate remote networks together into one large network that is fully routable. As you can see, there’s really no limit to what you can do with OpenVPN.
For the purposes of this article, I'm going to demonstrate how to set up OpenVPN on a typical home network. The following configuration will give your client PCs secure internet access anywhere—as well as full access to your home network. The information contained in this tutorial will be aimed at Windows users who have a router that has capabilities similar to the Linksys WRT54G.
OpenVPN Installation
First, download the install file from http://openvpn.se/download.html (the file is called openvpn-2.0.5-gui-1.0.3-install.exe). This is the GUI version of OpenVPN. It’s basically good ole OpenVPN with a minimal graphic interface that is accessible from the system tray.
Install this file on the computer that's going to be your OpenVPN server first. The computer you choose to use should be turned on and running OpenVPN whenever you wish to have your virtual network accessible.
If you have any previous versions of OpenVPN installed, you should shut down any running instance of it before running the install file.
Next, run the install program. During the installation you can choose whether the GUI program is started automatically at system startup. (The default is yes.) I recommend leaving all of the options on the default, and, as a result, all of the following instructions assume that you have installed the program in the default directory. Remember, at the end of the install you will need to reboot the machine.
Creating Certificates
After you reboot, you are going to need to configure the OpenVPN files on your server using the command prompt and a text editor, such as Notepad.
Go to Start → Run, type cmd, and press Enter to open the command prompt.
Then, enter the following command in order to move to the correct directory:
cd C:\Program Files\OpenVPN\easy-rsa
Then, type this command to run the batch file that will copy the configuration files into place:
init-config
Now open the file vars.bat in a text editor. It should be located at C:\Program Files\OpenVPN\easy-rsa\. Next, you should change the values of the following variables at the bottom of the file. These variables are KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL. Don’t leave any of these parameters blank.
Back at the command prompt, enter the following commands in order:
vars
clean-all
build-ca
When you run build-ca, you will be prompted for several entries. You can simply hit Enter to accept the default values taken from the vars.bat file you customized. The only parameter that must be explicitly entered is the Common Name. Enter the name of your VPN for this entry. (An example would be MyVPN.)
Next, enter the following command to generate a certificate and private key for the server:
build-key-server server
Make sure you enter server for the Common Name. The rest of the settings can be left on the defaults. You can leave the challenge password and the optional company name blank if you like. Type y for yes at the last two queries, which are "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]," respectively.
Now enter the following commands one at a time, changing the name for each:
build-key client1
build-key client2
build-key client3
build-key client4
and so on . . .
You will now be prompted to enter data just like when you built the server key. Make sure that if you typed the command build-key client1, you enter client1 for the Common Name. These entries must match up.
Run the above commands for as many clients as you would like to have on your VPN. I suggest that you create more than you think you will need now because it will save you the hassle of having to do it at a later time. Always use a unique common name for each client.
If you would like to password-protect your client keys, substitute build-key-pass for build-key.
The final step in this process is to generate Diffie-Hellman parameters for the OpenVPN server.
Enter this command to begin the process:
build-dh
This might take a long time.
Example Network
The following config files and settings are configured for the following network scenario.
Your home router’s IP address is 192.168.1.1 and its subnet mask is 255.255.255.0
The OpenVPN server that you have attached to that router has its network interface manually set to the IP address of 192.168.1.150 with the subnet mask 255.255.255.0 and a default gateway of 192.168.1.1
The router is configured to port forward port 1194 to the server’s IP address of 192.168.1.150
If any aspect of your network is different than what I've described previously, you'll need to take that into consideration when following the rest of this guide.
Creating the config Files
Now it’s time to create configuration files for the server and your clients. There should be sample config files in the config directory, but I recommend using the following ones if you have a network similar to the one defined in this tutorial.
Create a config file for each client. The config file can be exactly the same for each client except for the two lines that contain the file path of the .key and .crt files:
Server config file: server.ovpn (right-click, save, and open in txt editor)
You will only need to change the IP addresses of the DNS servers in the server.ovpn file, as long as everything else on your network is the same as described in the Example Network section above.
Clients config file:
client1.ovpn (right-click, save, and open in txt editor)
client2.ovpn
client3.ovpn
client4.ovpn
You'll need to edit the client config files in order to enter the address of your DynDNS.org account (or other similar service), unless you have a static IP address from your ISP.
These configuration files are going to be placed in the config directory (C:\Program Files\OpenVPN\config) of each corresponding computer. Each PC is only going to need one config file.
The example config files I’ve provided will route all traffic from the client computers through the server’s internet connection. This will enable secure web browsing from anywhere, as well as access to any network resource on the home network. Examine the sample config files that come installed with the OpenVPN software to see other options and more detailed comments.
Configuring the router
You are going to need to make some changes to the settings for the router that is running on the home network and that is attached to your OpenVPN server. The particular router I used for testing is a Linksys WRT54G version 1.1 running Sveasoft’s Alchemy firmware. You will need a router that is capable of updating itself to DynDNS.org or some other service if you have a dynamic IP address.
You'll also need to make sure that the port you configured OpenVPN to listen on is forwarded on the router to the IP address of your server. On the WRT54G, port-forwarding is configured in the "Applications & Gaming" section. Enter 1194 for the port, UDP for the protocol, and 192.168.1.150 for the IP address. Make sure the entry is enabled and then save the setting.
Next, you need to add an entry to the router’s Routing Table. This will enable the router to properly route requests from the clients to the TAP interface of the server.
On the WRT54G, you would go to the "Setup" page and then the "Advanced Routing" section.
Enter the following info to make the entry:
Route Name: openVPN
Destination LAN IP: 192.168.10.0
Subnet Mask: 255.255.255.252
Default Gateway: 192.168.1.150
Interface: LAN & Wireless
Once the info has been typed in make sure you save the setting.
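As an added consistency check that is not part of the original article, the following Python script validates the addresses from the Example Network section together with the router's port-forward and routing-table entries above, catching the kind of single-entry mistake the Troubleshooting section warns about. The plan dictionary is constructed from the article's values; its field names and the checks are this script's own.

```python
import ipaddress

# Constructed from the article's example network; field names are this script's own.
EXAMPLE_PLAN = {
    "lan_network": "192.168.1.0/255.255.255.0",      # router LAN
    "router_ip": "192.168.1.1",
    "server_ip": "192.168.1.150",                    # OpenVPN server, static address
    "server_gateway": "192.168.1.1",
    "server_port": 1194, "server_proto": "UDP",      # what OpenVPN listens on
    "forward_port": 1194, "forward_proto": "UDP",    # router port-forward entry
    "forward_target": "192.168.1.150",
    "vpn_network": "192.168.10.0/255.255.255.252",   # routing-table destination
    "route_gateway": "192.168.1.150",                # routing-table gateway
}


def check_plan(plan):
    """Return a list of problems found in the plan; an empty list means consistent."""
    problems = []
    try:
        lan = ipaddress.ip_network(plan["lan_network"], strict=True)
        vpn = ipaddress.ip_network(plan["vpn_network"], strict=True)
        router = ipaddress.ip_address(plan["router_ip"])
        server = ipaddress.ip_address(plan["server_ip"])
        gateway = ipaddress.ip_address(plan["server_gateway"])
        route_gw = ipaddress.ip_address(plan["route_gateway"])
        target = ipaddress.ip_address(plan["forward_target"])
    except ValueError as exc:
        # A typo in any entry (e.g. host bits set in a network address) stops everything.
        return ["unparseable address or mask: %s" % exc]

    if router not in lan:
        problems.append("router address is outside the LAN subnet")
    if server not in lan:
        problems.append("server address is outside the LAN subnet")
    if gateway != router:
        problems.append("server default gateway is not the router")
    if vpn.overlaps(lan):
        problems.append("VPN network overlaps the LAN, so the static route is ambiguous")
    if not vpn.is_private:
        problems.append("VPN network is not a private range")
    if route_gw != server:
        problems.append("static route for the VPN network must use the server as gateway")
    if target != server:
        problems.append("port forward does not target the OpenVPN server")
    if (plan["forward_port"], plan["forward_proto"].upper()) != (
            plan["server_port"], plan["server_proto"].upper()):
        problems.append("port forward does not match the port/protocol OpenVPN listens on")
    return problems


if __name__ == "__main__":
    for name, plan in [("article example", EXAMPLE_PLAN),
                       ("VPN subnet typed as the LAN subnet",
                        dict(EXAMPLE_PLAN, vpn_network="192.168.1.0/255.255.255.0"))]:
        print(name, "->", check_plan(plan) or "OK")
```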
Configuring the server
Depending on which version of Windows you have, you may need to make some changes on the server.
WINDOWS XP
Disable the Windows firewall for your network connections.
The built-in Windows firewall (as well as some third-party ones) causes problems if it's running on the server, but I had no problem with it on the client PCs.
Edit registry key value:
Routing registry key.reg (right-click, save, and run)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
IPEnableRouter = dword:00000001
This registry key will enable the routing set in the config file to work correctly.
WINDOWS 2000 SERVER
For routing to work properly on W2K server I had to enable and configure some settings in Routing and Remote Access.
To do this, go to Control Panel → Administrative Tools → Routing and Remote Access.
Right-click on the computer name and then select Configure and enable Routing and remote access.
Click Next.
Now select Internet Connection Server.
Now select "Set up a router with the Network Address Translation (NAT) routing protocol." When prompted, highlight the real network interface connected to the router and choose to use the selected Internet connection.
Now highlight the TAP-Win32 Adapter V8 when prompted. Select the routing interface for the network that should have access to the internet.
Click Finish.
This should take care of the routing on your server.
Client configuration
Now you're going to install OpenVPN on each of the client computers using the same install file you used previously. You can leave all of the install settings on their defaults for the clients. Once you've rebooted, go ahead and copy the correct .ovpn configuration file into the config directory (C:\Program Files\OpenVPN\config) of each client. Then copy the three necessary certificate files into the C:\Program Files\OpenVPN\easy-rsa\keys folder (make sure to create it if it's not there). The three files you need are ca.crt (each client and the server share a copy of this one file), clientX.key, and clientX.crt, where clientX stands for the filename/Common Name of each client's certificate.
Connecting
If everything went smoothly up to now, you should be able to start up OpenVPN and connect.
On the Server
Go to OpenVPN GUI in the system tray and then click connect. It should now successfully connect and display that it has an IP address.
On the Clients
Once the server has been connected, you should be able to connect the clients. They should be able to connect to the VPN even when on the same local network, but testing from a separate network, like a neighbor’s wifi (that you have "permission" to use, of course), is preferable.
Using OpenVPN GUI
When OpenVPN GUI is started, your config folder (C:\Program Files\OpenVPN\config) will be scanned for any .ovpn files, and an icon will be displayed in the system tray.
When you want to connect to a network, right-click the OpenVPN GUI and click connect. If you have more than one config file you will be able to choose between them. If you use a passphrase-protected key you will be prompted for the password.
OpenVPN GUI can start a connection automatically when it runs. To enable autoconnect simply add this string to the command that starts the OpenVPN app:
--connect client1.ovpn
In Windows, you'll need to append it to the following registry key:
OpenVPN Startup.reg (right-click, save, and run)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
openvpn-gui = C:\\Program Files\\OpenVPN\\bin\\openvpn-gui.exe
Change client1 as needed for the name of each client config file.
Troubleshooting
If for some reason you can't connect or have limited connectivity across the VPN, there may be any number of reasons this is happening. In fact, there is no way to cover all the different scenarios here. First off, you'll want to double-check everything covered previously and make sure your syntax is correct. One little error in an entry can make it all simply not work. You can also examine the log file to look over any errors. If you have any problems, try to simplify the network as much as possible by taking out any unnecessary variables. Another thing to consider: The previous settings and config files are for a fairly common home network. This means that if your network is much different from this, the example settings will not work for you. If you are able to connect successfully, but are not able to surf the web or access other computers on your network, then something is wrong with the routing. You can also search the forums at http://openvpn.se/bb/index.php for any particular problems you might encounter.