Configuring OpenVPN connections on server and client

Last updated: December 12, 2020

OpenVPN is a free software for setting up a Virtual Private Network (VPN) over encrypted TLS/SSL connections. The encryption is done by OpenSSL. The transport protocol can be either UDP or TCP, and OpenVPN currently offers the pre-shared key method or certificates as authentication methods. OpenVPN is licensed under the GNU GPL (General Public License).


Table of contents

OpenVPN offers a great possibility to establish an encrypted VPN connection. The program is both server and client application. The software is OpenSource and available for Linux, OpenBSD, Microsoft Windows and MAC OS X.

Since Linux in most cases is used as server OS and Windows on the client side machines, this article discovers the configuration of a VPN server under Linux, as well as the setup of the client accesses within Windows systems. However, the configuration should not differ at all for other systems.

Advantages of OpenVPN

Communication via OpenVPN offers numerous advantages:

  • Stability
  • Scalability (thousands of clients)
  • Easy installation
  • Supports a wide range of operating systems (e.g.: Linux, Solaris, div. BSD, OS X and Windows, as well as iOS and Android)
  • Dynamic IP addresses and NAT
  • OpenSSL security model
  • SSL/TLS and X509 PKI (Public Key Infrastructure) for session authentication
  • IPsec ESP protocol for secure tunnel transport over UDP

Basics of the OpenVPN tunnel

The basis of the OpenVPN tunnel is the openvpn program, which runs on a UDP port (standard 5000) on the server as well as on the client side and creates a virtual network interface with the help of the Tun/Tap driver, which represents one end of the tunnel in each case.

Authentication

In contrast to PPP, which works similarly, all network traffic can be encrypted based onOpenSSL. Two methods can be used to authenticate the server and client:

Shared-secret authentication

Shared-secret authentication (also known as static-key authentication) is based on a symmetric encryption method in which the communication partners must first exchange the shared key via a secure channel. All tunnel network traffic is then encrypted with this key and can be decrypted by anyone who also possesses the key. Therefore, if the key is compromised, it must be exchanged on all systems involved.

First, a key is generated.

Assuming that the server has the real IP address 192.168.0.1 and the client the IP address 192.168.0.2, a first test connection can be established. The computers should now be able to communicate with each other. Alternatively, you could create a configuration file on the server or client and then use openvpn –config config.ovpn to establish the connection.

Generating the static key

Windows command line (administrator):

openvpn --genkey --secret ta.key
In our example we do it like this:
openvpn --genkey --secret C:\Programs\OpenVPN\easy-rsa\keys\ta.key

Linux root shell:

openvpn --genkey --secret ta.key
In our example:
openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key

Generating the master certificate and key

On Linux, open a root shell in the directory /etc/openvpn/easy-rsa/. Under Windows open the command prompt and change to the directory C:\Programs\OpenVPN\easy-rsa\ and start the batch file with the command:

init-config

Now the vars file (Windows: vars.bat) must be edited and certain information (country, city, eMail etc.) must be entered. All fields must be filled in.

Now the PKI (public key infrastruction using certificates and private keys) is initialized.

Windows command line (administrator):

vars
clean-all
build-ca

Linux root shell:

./vars
./clean-all
./build-ca

Caution: clean-all deletes all files in the keys directory, i.e. if VPN client certificates are subsequently created, only the vars must be loaded.

The script now returns the information from the vars file (Windows: vars.bat). Missing information must be entered here (e.g. the “Common Name”). Here e.g. “My-OpenVPN-CA” can be entered. Furthermore, a password can be assigned, which is then required for the later creation of client certificates (point 2.4).

In the directory C:\ProgrammeOpen\VPN\easy-rsa\keys\ (or under Linux: /etc/openvpn/easy-rsa/keys/) should now be the files ca.key and ca.crt, otherwise something went wrong.

Generating the certificate and key for the VPN server

Windows command line (administrator):
build-key-server server

Linux root shell:
./build-key-server server

As with the creation of the master key, the defaults from the vars file are suggested and additionally a common name called “server” must be entered. In addition, a password must be entered and the two questions for signing the certificate must be answered with Yes (y).

In the directory C:\Programme\OpenVPN\easy-rsa\keys\ (or under Linux: /etc/openvpn/easy-rsa/keys/) should now be the files server.key and server.crt, otherwise something went wrong.

Generating certificate and key for the VPN clients

Windows command line (administrator):

build-key notebook1
build-key notebook2
build-key notebook3

Linux root shell:

./build-key notebook1
./build-key notebook2
./build-key notebook3

The steps are the same as for generating the server key. However, a unique common name must be assigned for each client (e.g. “client1”, “client2”, “client3”). If a password was assigned when creating the master CA certificate under point 2.2, this must also be specified here!

In the directory C:\Programme\OpenVPN\easy-rsa\keys\ (or under Linux: /etc/openvpn/easy-rsa/keys/) should now be the files notebookx.key and notebookx.crt for each client, otherwise something went wrong.

Generating unique Diffie-Hellman parameters for later key exchange

Windows command line (administrator):
build-dh

Linux root shell:
./build-dh

The process can take quite a while, so it is a good idea to pause here.

In the directory C:\Programme\OpenVPN\easy-rsa\keys\ (or under Linux: /etc/openvpn/easy-rsa/keys/) should be the file dh1024.pem afterwards, otherwise something went wrong.

Certificate-based authentication

Certificate-based authentication is based on an asymmetric encryption method that creates a secure channel.

Since asymmetric encryption is considerably slower than symmetric encryption, a temporary symmetric random key is generated by a communication partner and sent to its counterpart via the secure channel.

In the event of compromise, only the corresponding certificate needs to be revoked. However, more configuration work is required to set up the public key infrastructure.

For small networks, the peer-to-peer mode (with shared-secret authentication) ofOpenVPN can be used. With this implementation, the administration effort increases with the size of the VPN network – i.e., with the number of VPN clients.

In addition, an explicit daemon process with a separate UDP port must run on the server side for each client, which also makes the firewall configuration more complex.

Therefore, the server-client mode of OpenVPN (from version 2) with the help of certificate-based authentication is described in the following.

For signing the server and client certificates, one should set up one’s own CA. TheOpenSSL package, which must be installed (Linux), already provides the necessary tools for this. To create the necessary certificates, see the script “Create your own OpenSSL certificates”.

Important: execute the commands to create the certificates in the OpenVPN folder /etc/openvpn(on SuSE Linux).

Create your own certificate authority, a server certificate and at least one client certificate according to the documentation. Execute also the command to create the PKCS12 file, but do NOT assign a password for the server (client yes!), because otherwise the OpenVPN daemon will ask for it at every start. If everything is ready, the server can be configured.

Note: of course there is also the Perl script CA.pl.

Configuration

Configure server

In the OpenVPN directory (/etc/openvpn on SuSE Linux) you can now create a configuration file (e.g. openvpn.conf).

Configure client

As mentioned at the beginning, we set up the client computer under Windows here. Download OpenVPN for Windows (http://openvpn.se/). It is assumed that OpenVPN has been installed into the directory C:\Programme\OpenVPN.

Change to the folder C:\Programme\OpenVPN\config and create a new OVPN file here, e.g. openvpn_client.ovpn

Communication

A VPN with OpenVPN can connect clients to a server (road warrior) or also enable a site-to-site connection between two or more locations. The router must either have a fixed IP address, or be reachable using a dynamic DNS record. By default, an OpenVPN is configured using the stateless UDP protocol with the default port 1194. However, it can also be enabled using the TCP protocol if UDP is blocked on the network. In this case, HTTPS port 443 is a good choice since it is open on most networks.
Network modes

OpenVPN currently offers two different network modes:

  • Bridging (TAP-Device)
  • Routing (TUN-Device)

Routing mode (TUN-Device) is recommended as a more efficient and modern method.

Bridging (TAP device)

In the bridging mode a complete tunneling of Ethernet frames (Layer2) is performed. Here, the use of alternative protocols such as IPX or even the sending of Wake-On-LAN packets is possible. The client is transparently dialed into the dial-up network and receives an IP address of the subnet there. Thus broadcasts are also forwarded, e.g. to enable the name resolution of the SMB protocol.

Advantages of Bridging

  • Behaves like a real network adapter
  • Any network protocols
  • Client transparent in the target network
  • Broadcasts and Wake-On-LAN

Disadvantages of Bridging

  • Inefficient
  • High broadcast overhead on VPN tunnel
  • Poor scalability

Routing (TUN device)

The routing mode establishes an encrypted tunnel in which only IP packets (Layer3) are routed. Each remote station is assigned a virtual IP address of a fictitious subnet. Access to the network behind it is not possible by default, but can be enabled by means of IP forwarding and entries in the routing table of the firewall.

Advantages of Routing

  • Less traffic overhead
  • Lower bandwidth load, because no Ethernet layer
  • Good scalability

Disadvantages of Routing

  • IP packets only
  • No broadcasts

Managing large scale VPNs easily with OpenVPN and PERL

Enterprise-Ready – OpenVPN has proven itself in use in large companies and organizations. The fact that this free VPN tool combines such a wide range of functions with a simple configuration and high security at the same time seems like squaring the circle.

Limits exceeded

If an admin faces entries like this in the logfile of OpenVPN, he’s exceeded in limit for the named user (here “user1.example.de”):

Oct 18 16:43:53 ovpn-server[28631]: user1.example.de/IP.add.res.se:33359 Maximum length of --push buffer (1024) has been exceeded.

How to prevent foreign X.509 certificates?

A malicious client could present the certificate “username1.example.de”, but use the data of “user2” for authentication. So the OpenVPN server has to check during authentication if the CN of the certificate matches the username of the authentication data, and this is done by the parameter “auth-user-pass-verify” in “/etc/openvpn/server.conf”:

auth-user-pass-verify /usr/local/scripts/ucn.pl via-env

To this PERL script OpenVPN passes username and CN of the certificate via environment variables. A transfer via file is also possible. The corresponding script in Listing 1 is rather unspectacular: with “split()” the username remains in the “common_name_array” as the first element, which must be identical to the one passed in the environment variable “username”.


#!/usr/bin/perl -t
# OpenVPN --auth-user-pass-verify script.
# Only authenticate if username equals Ucommon_name.
# In OpenVPN config file: auth-user-pass-verify ./ucn.pl via-env
$username = $ENV{'username'};
$common_name = $ENV{'common_name'};
@common_name_array = split(/./, $common_Uname);
exit !(length($username) > 0 && Ulength($common_name) > 0 && $username eq U$common_name_array[0]);

Individual firewall rules for each user

Because each user receives his own static IP via his certificate, specific firewall rules can be applied for each client when establishing a connection. OpenVPN already provides the means for this as well. In the “server.conf” this is done via the “learn-address” option:

learn-address /usr/local/scripts/ovpnfwconf

OpenVPN calls this script with up to three parameters:

  • “operation”: “add”, “delete” or “update”.
  • “add” is used for the assignment of an IP, for example when the user dials in and gets an initial address. For example, an individual script immediately sets the firewall rules.
  • If the user disconnects, “delete” takes effect.
  • “OpenVPN discards the client address, a script deletes the firewall rules.
  • With a reconnect of the OpenVPN passes “update”, it works similar to “delete” with following an “add”.
  • “address”: The IP address in the VPN, that is the address which OpenVPN has statically assigned by means of “client-config-dir ccd”.
  • “Common Name”: The CN of the X.509 certificate.

The script “/usr/local/scripts/ovpnfwconf” used at the example is only a wrapper that calls the actual script with root privileges, because IPtables needs them:


#!/bin/sh
/usr/local/bin/bin-id-wrapper /usr/local/scripts/ovpncfg.pl $1 $2 $3 2>&1 | logger -t ovpnfwconf -p daemon.info

The actual work is done by “/usr/local/scripts/ovpncfg.pl”, it generates the IPtables rules.

What problems can occur?

As always: a lot. One of the errors we faced was that the Linux PC was set to “local time” and the certificates only became valid after one hour (GMT+1). Also, make sure that your firewall does not hinder the connection setup, open port 5000 if necessary. If no IP is assigned to your TAP device, you may have to start the “DHCP client” service in Windows.

Conclusion of OpenVPN

  • Tunnel any subnet or virtual Ethernet adapter over a single TCP or UDP port.
  • Configure a scalable, load-balacing VPN server farm for thousands of client connections.
  • OpenVPN can make use of all encryption, authentication and certification features of the OpenSSL library.
  • Authentication is performed using a conventional static key (pre-shared key) or certificate-based public-key encryption.
  • OpenVPN offers bridging (tap) and routing (tun) as operating modes.
  • Network tunnels over dynamic endpoints (DHCP or dial-in), over connection and stateful firewalls or NAT networks.
  • Control via GUI for Windows and OS X clients.