Deploy your own OpenVPN

The instruction describes the installation and configuration of the server and client parts of OpenVPN. The solution is designed to connect remote clients to the enterprise network. After connecting, the client retains its own gateway by default and the Internet connection is not blocked. The solution showed simplicity in configuring the client part, it has been tested (and is currently used) on Windows-XP, Windows-7, Andriod 3.x, Archlinux, Ububnu. There is information about the successful connection and iPad.


Installing OpenVPN Server (FreeBSD).


Install the package from the ports. Options can be left by default. Most importantly, do not disable 'easy-rsa', as it will be required to configure and generate certificates:

# cd /usr/ports/security/openvpn
# make configure-recursiv install clean

Or:

# make configure-recursiv install clean -С /usr/ports/security/openvpn

Create directories for configs:

 # mkdir /usr/local/etc/openvpn/
 # mkdir /usr/local/etc/openvpn/ccd

Copy the easy-rsa directory to the OpenVPN config directory:

 # cp -r /usr/local/share/easy-rsa /usr/local/etc/openvpn/

Go to the copied directory:

 # cd /usr/local/etc/openvpn/easy-rsa/

Go to the sh shell:

 # sh

We execute the command to generate our own certificate:

 # . ./vars
 # ./clean-all
 # ./build-ca

Fill in the data for the certificate in accordance with the questions.

 # ./build-key-server vpn0.example.com

'Common name' should match the DNS name of your VPN server, for example: 'vpn0.example.com'. We answer the last questions with 'Y'.

 # ./build-dh

Now we make the certificate for the client with the name 'client'. Here also the last questions are answered with 'Y'

 # ./build-key client

Exiting the sh shell:

 # exit

Create a key for tls-authentication:

 # /usr/local/sbin/openvpn --genkey --secret /usr/local/etc/openvpn/easy-rsa/keys/ta.key

Create the server.conf file (below under the spoiler). Do not forget to specify the address of the internal DNS server, which the names of your local hosts know.

/usr/local/etc/openvpn/server.conf
 # cat /usr/local/etc/openvpn/server.conf
 local vpn0.example.com
 port 1194
 proto udp
 dev tun
 ca /usr/local/etc/openvpn/easy-rsa/keys/ca.crt
 cert /usr/local/etc/openvpn/easy-rsa/keys/vpn0.example.com.crt
 key /usr/local/etc/openvpn/easy-rsa/keys/vpn0.example.com.key
 dh /usr/local/etc/openvpn/easy-rsa/keys/dh1024.pem
 tls-server
 tls-auth /usr/local/etc/openvpn/easy-rsa/keys/ta.key 0
 server 172.17.0.0 255.255.255.0
 ifconfig-pool-persist ipp.txt
 client-config-dir ccd
 push "route 10.10.210.72 255.255.255.248"
 push "route 172.27.102.0 255.255.255.0"
 push "route 172.27.103.0 255.255.255.0"
 push "route 172.27.105.0 255.255.255.0"
 push "dhcp-option DNS 192.168.100.1"
 keepalive 10 120
 comp-lzo
 user nobody
 group nobody
 persist-key
 persist-tun
 status openvpn-status.log
 verb 3


For each client, it will be necessary to create a user config file on the server, where the IP address and gateway assigned to the client are indicated. For example, for a client named 'client':

 # cat /usr/local/etc/openvpn/ccd/client
 ifconfig-push 172.17.0.2 172.17.0.1

To start the OpenVPN daemon when loading the operating system, add the following lines to '/etc/rc.conf':

 openvpn_enable="YES"
 openvpn_if="tun"
 openvpn_configfile="/usr/local/etc/openvpn/server.conf"
 openvpn_dir="/usr/local/etc/openvpn"


Service Launch:

 # /usr/local/etc/rc.d/openvpn start
 Starting openvpn.
 add net 172.17.0.0: gateway 172.17.0.2

If the task is to provide users via OpenVPN Internet, then NAT will be required. You can enable its support through downloadable modules. To do this, add the following lines to the '/boot/loader.conf' file:

ipfw_nat_load="YES"
libalias_load="YES"

Example NAT IPFW setup:

${ipfw} nat 1 config if re0 reset same_ports
${ipfw} add nat 1 ip from 172.17.0.0/24 to any via $INT_if
${ipfw} add nat 1 ip from any to $EXT_ip
${ipfw} add allow all from any to any

Everything, the OpenVPN server is installed, configured and running. Now you can deal with customers.

Creating an OpenVPN Client Certificate


The description is given for a server on the FreeBSD operating system with the OpenVPN service installed and configured, as described above.

The certificate is generated from the system console of the server with superuser rights from the easy-rsa directory:

cd / usr / local / etc / openvpn / easy-rsa /
 $ cd /usr/local/etc/openvpn/easy-rsa/
 $ sudo /bin/sh
 # . ./vars
 NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/local/etc/openvpn/easy-rsa/keys
 # ./build-key ЛОГИН_ПОЛЬЗОВАТЕЛЯ
 Generating a 1024 bit RSA private key
 ......++++++
 ....++++++
 writing new private key to 'ЛОГИН_ПОЛЬЗОВАТЕЛЯ.key'
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter source) [US]:RU
 State or Province Name (full name) [CA]:ZC
 Locality Name (eg, city) [SanFrancisco]:Zabubensk
 Organization Name (eg, company) [Fort-Funston]:JSC Zabuba
 Organizational Unit Name (eg, section) [changeme]:ITD
 Common Name (eg, your name or your server's hostname) [ЛОГИН_ПОЛЬЗОВАТЕЛЯ]:
 !----------------------------------------------------------------------!
 ! ВНИМАНИЕ ! использовать только латинские буквы. Кирилица не работает !
 !----------------------------------------------------------------------!
 Name [changeme]:ИМЯ ФАМИЛИЯ
 Email Address [mail@host.domain]:ЛОГИН_ПОЛЬЗОВАТЕЛЯ@zabubensk.example.com
 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:
 An optional company name []:
 Using configuration from /usr/local/etc/openvpn/easy-rsa/openssl-0.9.8.cnf
 Check that the request matches the signature
 Signature ok
 The Subject's Distinguished Name is as follows
 countryName           :PRINTABLE:'RU'
 stateOrProvinceName   :PRINTABLE:'ZC'
 localityName          :PRINTABLE:'Zabubensk'
 organizationName      :PRINTABLE:'JSC Zabuba'
 organizationalUnitName:PRINTABLE:'ITD'
 commonName            :PRINTABLE:'ЛОГИН_ПОЛЬЗОВАТЕЛЯ'
 name                  :PRINTABLE:'ИМЯ ФАМИЛИЯ'
 emailAddress          :IA5STRING:'ЛОГИН_ПОЛЬЗОВАТЕЛЯ@zabubensk.example.com'
 Certificate is to be certified until Nov 12 06:24:49 2023 GMT (3650 days)
 Sign the certificate? [y/n]:y
 1 out of 1 certificate requests certified, commit? [y/n]y
 Write out database with 1 new entries
 Data Base Updated
 #
 # exit


As a result, client certificate files for connection will be generated. Next, you need to create the file `/ usr / local / etc / openvpn / ccd / USER LOGIN` with one line of the form:

 $ sudo ee /usr/local/etc/openvpn/ccd/ЛОГИН_ПОЛЬЗОВАТЕЛЯ
 ifconfig-push 172.17.0.118 172.17.0.117

Each pair of addresses in ifconfig-push corresponds to the virtual IP addresses of the endpoints (client and server) - each client is assigned its own subnet at the time of connection. You can add additional routes here, if clients connect to different subnets (branches, technical specialists)

 $ sudo ee /usr/local/etc/openvpn/ccd/ЛОГИН_ПОЛЬЗОВАТЕЛЯ
ifconfig-push 172.17.0.118 172.17.0.117
push "route 10.12.1.0 255.255.255.0"
push "route 10.12.2.0 255.255.255.0"
push "route 192.168.10.0 255.255.255.0"

To maintain compatibility with Windows clients and the TAP-Win32 driver, these addresses must be taken from consecutive subnets with the / 30 mask. For example, for the range `172.17.0.1-172.17.0.254`, the last octet of the IP address of each client-server pair should be assigned from the set:

  [  1,  2] [  5,  6] [  9, 10] [ 13, 14] [ 17, 18]
  [ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]
  [ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]
  [ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]
  [ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]
  [101,102] [105,106] [109,110] [113,114] [117,118]
  [121,122] [125,126] [129,130] [133,134] [137,138]
  [141,142] [145,146] [149,150] [153,154] [157,158]
  [161,162] [165,166] [169,170] [173,174] [177,178]
  [181,182] [185,186] [189,190] [193,194] [197,198]
  [201,202] [205,206] [209,210] [213,214] [217,218]
  [221,222] [225,226] [229,230] [233,234] [237,238]
  [241,242] [245,246] [249,250] [253,254]

For convenience, I created a text file "/usr/local/etc/openvpn/not_use_ip.txt" which lists the free pairs of addresses that are deleted as they are distributed to clients. Please note that in the configuration file, the first is the IP address assigned to the client (senior), the second is the server address (one less).

After adding the client, it is advisable to restart the OpenVPN service:

 $ sudo /usr/local/etc/rc.d/openvpn restart
 Stopping openvpn.
 Waiting for PIDS: 62293.
 Starting openvpn.
 add net 172.17.0.0: gateway 172.17.0.2

The client needs to transfer five files (ca.crt, vpn0.crt, vpn0.key, ta.key, vpn0.example.com.ovpn):

  • /usr/local/share/doc/openvpn/easy-rsa/keys/ca.crt
  • /usr/local/share/doc/openvpn/easy-rsa/keys/USER_LOGIN.crt → vpn0.crt
  • /usr/local/share/doc/openvpn/easy-rsa/keys/USER_LOGIN.key → vpn0.key
  • /usr/local/etc/openvpn/easy-rsa/keys/ta.key
  • /usr/local/etc/openvpn/vpn0.example.com.ovpn

The listed files are copied to a separate (temporary) folder with the name “config”, files of the form “USER LOGIN. *” In it are renamed to “vpn0. *”, The folder is packed into the archive and sent to the user by e-mail with a link to the instructions for setting up OpenVPN client connection (see below).

Instructions for setting up a client connection OpenVPN

(For users without technical training)

To install and configure OpenVPN connections, you must first determine the bit depth of your operating system. For 32-bit systems, the OpenVPN client installation file ends with "-i686.exe." If you have 64-bit MS-Windows, then you need a file whose name contains "-x86_64.exe". In addition, for a VPN connection to the network, you will need client certificates and a configuration file, which can be obtained from your system administrator.

For MS-Windows, download and install the appropriate OpenVPN client program (for Android and iOS there are packages in your own market / store repositories). Go to the OpenVPN program directory (C: Program Files \ OpenVPN) and copy the folder to itconfigwith all content received from the system administrator. This folder contains your client certificates and settings for connecting to the VPN server.



The names of the files in the config folder may differ slightly from you. Run the OpenVPN client on behalf of the Administrator or change the properties of the shortcut on the Desktop (check the box “run as administrator”).





Connection to the enterprise’s local network via the Internet is carried out through the context menu or by double-clicking on the OpenVPN icon in the system area of ​​the taskbar. You can only connect while outside the enterprise network. OpenVPN server does not accept connections from within the network.



After the connection procedure is successfully completed, the OpenVPN icon in the taskbar will turn green and a pop-up will appear with the IP address assigned to the VPN client. The address is “attached” to the certificate, therefore it will not work with the same certificate at the same time from two or more workplaces due to a conflict of addresses.

After connecting you will be able to access all services (RDP, FTP , HTTP ...) both by IP address and by domain name in the LAN segment allowed by the system administrator, except for the possibility of connecting network drives blocked for security reasons.

Documentation and distribution:


Also popular now: