How to create a VPN using OpenVPN and Linux

Written by
Date: 2012-01-07 09:33:00 00:00

Today I'll write about OpenVPN, and how to establish a VPN between two computers.

The scenario

There are two offices.

  • The headquarters
  • The branch office

In this scenario the administrator wants all traffic of the branch office to be routed via the headquarters Internet router. This can be desirable for example if you have your branch office in a country where you suspect the Internet provider or the government may be sniffing your traffic, or just because you want to have full control of the pages and sites the workers at the branch office can access.

In this scenario, we'll establish the VPN over the Internet, so both the headquarters and the branch office should have their own access to Internet.

*Server info - At headquarters - *

  • Linux distribution: Arch Linux
  • Public IP: 12.34.56.78

*Client info - At the branch office - *

  • Linux distribution: Arch Linux
  • Public IP: 23.45.67.89
  • Private IP range: 10.1.0.0 / 255.255.0.0
  • Private IP: 10.1.1.1

Server Configuration

First we will install all needed software.

pacman -S openvpn openssl

Now we need to create the server and client certificates, so the VPN can be encrypted.

cd /usr/share/openvpn/easy-rsa/

Then set the variables:

vim vars

Be sure to locate and set this values, here are the defaults, change accordingly.

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_EMAIL=mail@host.domain
export KEY_CN=changeme
export KEY_NAME=changeme
export KEY_OU=changeme
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234

Now run these commands

. ./vars

Then

./clean-all

then

./build-ca

follow the instructions, and once finished create the server key

./build-key-server server

Once again, follow the instructions and create the client key

./build-key client1

Finally run:

./build-dh

Now copy the the needed files to where the server is going to look for them:

cp ca.crt /etc/openvpn/

cp server.crt /etc/openvpn/

cp dh1024.pem /etc/openvpn/

cp server.key /etc/openvpn/

Finally, let's create the /etc/openvpn/server.conf file, here is an example:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
route 10.1.0.0 255.255.0.0
push "redirect-gateway def1"
keepalive 10 120
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
mute 20

This is a very simple example, you may want to check the example file and read the comments, it may be found at: /usr/share/openvpn/examples/server.conf

Configure the client

The client configuration, starts by copying the key and other files from the server. ca.crt, client1.crt and client1.key.

And finally create the configuration file, here is an example:

client

dev tun

proto udp

remote 23.45.67.89 1194
resolv-retry infinite

nobind

user nobody
group nobody

persist-key
persist-tun

ca ca.crt # Use full paths
cert home.crt # Use full paths
key home.key # Use full paths
comp-lzo
verb 3

mute 20

Start the VPN

First start the server side:

openvpn /etc/openvpn/server.conf

Then the client side:

openvpn /etc/openvpn/client.conf

If everything was OK, you should have the vpn up and working.