This page explains briefly how to configure a VPN with OpenVPN, on both the server side and the client side.
Install the openvpn package on both client and server.
- In the server's /etc/openvpn directory, run the following command to generate a static key:
    openvpn --genkey --secret static.key
- Copy this static key to the client's /etc/openvpn directory using a secure channel such as scp or sftp.
- On the server, create a new /etc/openvpn/tun0.conf file and add the following:
    dev tun0
    ifconfig 10.9.8.1 10.9.8.2
    secret /etc/openvpn/static.key
  where 10.9.8.x is your VPN subnetwork: 10.9.8.1 will be the IP of the server and 10.9.8.2 the IP of the client.
- On the client, create a new /etc/openvpn/tun0.conf file and add the following:
    remote your-server.org
    dev tun0
    ifconfig 10.9.8.2 10.9.8.1
    secret /etc/openvpn/static.key
- On the server's firewall, open up UDP 1194 (the default port).
- On both devices, add a new VPN zone to represent tun0 and create a default policy for it. This means adding entries to the following files in /etc/shorewall:
    zones
    interfaces
    policy
- Bear in mind that 90% of all connection problems encountered by new OpenVPN users are firewall-related.
- Start OpenVPN by hand on both sides with the following command:
    openvpn --config /etc/openvpn/tun0.conf --verb 6
  verb 6 gives very verbose output.
- You should probably configure your routes at this step.
- To verify that the VPN is running, you should be able to ping 10.9.8.2 from the server and 10.9.8.1 from the client.
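The following is an added example, not part of the original page: a small POSIX shell script that writes the server and client tun0.conf files exactly as described above and checks the copied static key before you start OpenVPN. The check matters because anyone who can read static.key can join the tunnel, so the file must be a real OpenVPN static key and must not be readable by other users. The output directory, the placeholder hostname your-server.org and the helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): write the server and client
# tun0.conf for a static-key point-to-point tunnel and sanity-check the key.
# Assumptions: the first argument (if given) is a scratch output directory,
# the VPN addresses are 10.9.8.1 (server) and 10.9.8.2 (client) as on the page,
# and the server's hostname is the placeholder your-server.org.

set -eu

# write_pair DIR SERVER_HOST -> writes DIR/server/tun0.conf and DIR/client/tun0.conf
write_pair() {
    dir=$1; host=$2
    mkdir -p "$dir/server" "$dir/client"
    cat > "$dir/server/tun0.conf" <<EOF
dev tun0
ifconfig 10.9.8.1 10.9.8.2
secret /etc/openvpn/static.key
EOF
    cat > "$dir/client/tun0.conf" <<EOF
remote $host
dev tun0
ifconfig 10.9.8.2 10.9.8.1
secret /etc/openvpn/static.key
EOF
}

# check_static_key FILE -> returns 0 if FILE looks like an OpenVPN static key
# and is not readable by other users, 1 otherwise (reason printed on stderr).
check_static_key() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    # openvpn --genkey writes a PEM-like file with this exact first line
    head -n1 "$f" | grep -q '^-----BEGIN OpenVPN Static key V1-----$' \
        || { echo "$f: not an OpenVPN static key" >&2; return 1; }
    # mode must be 0600 or stricter: whoever holds this file can join the tunnel
    perm=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$perm" in
        600|400) ;;
        *) echo "$f: mode $perm is too permissive, expected 600" >&2; return 1 ;;
    esac
}

# Usage: sh this.sh OUTDIR   (writes OUTDIR/server/tun0.conf and OUTDIR/client/tun0.conf)
if [ $# -gt 0 ]; then
    write_pair "$1" your-server.org
    echo "configs written under $1; copy static.key with scp and run check_static_key on it"
fi
```

Copy the generated files into /etc/openvpn on each machine, then run check_static_key /etc/openvpn/static.key on the client after the scp: a key that was copied with a default umask will typically show up as mode 644 and fail the check.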
==Application to a VPN passing through an HTTP proxy==
This part describes how to configure a VPN to pass through an HTTP proxy that only allows traffic on port 443 (and 80). It uses the http-proxy option of OpenVPN.
- First of all, check that port 443 isn't already used by another service on your server.
- Configure OpenVPN on the server side by adding port 443 and proto tcp-server to the configuration file.
- Configure OpenVPN on the client side by adding port 443, proto tcp-client and http-proxy 1.1.1.1 8080 to the configuration file, where 1.1.1.1 and 8080 are the IP and port of your proxy.
- Now launch OpenVPN on the server first, then on the client.
- At this point, configure the routes to use the VPN tunnel:
  - Remove the existing default route (via eth0): route del default eth0
  - Add a default route through your VPN: route add default gw 10.9.8.1 dev tun0
  - Keep a route to the proxy: route add 1.1.1.1 eth0
  - Update your /etc/resolv.conf according to your needs.
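The following is an added example, not part of the original page: POSIX shell helpers that produce the configuration lines for the TCP/443 proxy variant, a check that nothing else is listening on 443, and the route commands. The route helper deliberately pins a host route to the proxy before touching the default route, whereas the page lists that step last; doing it first avoids briefly sending the proxy connection (which carries the tunnel itself) into the tunnel. The proxy 1.1.1.1:8080 and VPN gateway 10.9.8.1 come from the page; the uplink interface eth0, the uplink gateway 192.0.2.1 and the function names are assumptions of this example. The helpers only print commands so you can review them before running them.

```shell
#!/bin/sh
# Added example (not from the original page): configuration deltas and route
# plan for running OpenVPN over TCP 443 through an HTTP proxy.
# Assumptions: proxy 1.1.1.1:8080 and VPN server 10.9.8.1 as on the page; the
# client's uplink interface and its gateway are passed in as arguments.

set -eu

# proxy_server_lines -> lines to append to the server's tun0.conf
proxy_server_lines() {
    printf '%s\n' 'port 443' 'proto tcp-server'
}

# proxy_client_lines PROXY_IP PROXY_PORT -> lines to append to the client's tun0.conf
proxy_client_lines() {
    printf '%s\n' 'port 443' 'proto tcp-client' "http-proxy $1 $2"
}

# port_443_free -> 0 if no local TCP listener is bound to port 443, 1 otherwise.
# Uses ss (iproute2) when present, otherwise netstat; column 4 is the local address.
port_443_free() {
    if command -v ss >/dev/null 2>&1; then
        ! ss -ltn 2>/dev/null | awk '{print $4}' | grep -q ':443$'
    else
        ! netstat -ltn 2>/dev/null | awk '{print $4}' | grep -q ':443$'
    fi
}

# route_plan PROXY_IP UPLINK_GW UPLINK_DEV VPN_GW -> route commands in a safe order:
#  1. pin a host route to the proxy via the current uplink gateway, so the TCP
#     session carrying the tunnel keeps leaving through the uplink;
#  2. only then replace the default route with one through tun0.
route_plan() {
    proxy=$1; upgw=$2; dev=$3; vpngw=$4
    printf '%s\n' \
        "route add -host $proxy gw $upgw dev $dev" \
        "route del default $dev" \
        "route add default gw $vpngw dev tun0"
}

# Usage: sh this.sh  (prints the client-side plan for the page's example values)
if [ $# -eq 0 ] && [ -t 1 ]; then
    echo '# append to client tun0.conf:'; proxy_client_lines 1.1.1.1 8080
    echo '# then, with the tunnel up, run:'; route_plan 1.1.1.1 192.0.2.1 eth0 10.9.8.1
fi
```

Run port_443_free on the server before adding port 443 to its configuration; on the client, pipe the output of route_plan to sh only after OpenVPN reports the tunnel as up, and remember that the host route for the proxy must use the uplink's real gateway unless the proxy is on the same LAN.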
==TODO==
Explain how to enable the management interface (http://openvpn.net/index.php/open-source/documentation/miscellaneous/79-management-interface.html).