{"id":410,"date":"2013-02-20T17:54:38","date_gmt":"2013-02-20T22:54:38","guid":{"rendered":"https:\/\/infotechguy.net\/?p=410"},"modified":"2025-02-22T13:15:24","modified_gmt":"2025-02-22T18:15:24","slug":"client-vpn-with-openvpn-server","status":"publish","type":"post","link":"https:\/\/infotechguy.net\/?p=410","title":{"rendered":"Linux &#8212; OpenVPN Creating a Client VPN Setup"},"content":{"rendered":"<p>Before we begin I want to clearly identify the scope of this tutorial. There are different types of VPN; we will be creating a Client VPN, which implies a many-to-one relationship: multiple clients connecting via VPN to a single OpenVPN server. The OpenVPN server assigns an IP address to each successfully authenticated client. Using this IP address, clients may, depending on your network security, access devices on a private network, effectively appearing as if the client were directly attached to the private network. If you are looking for a site-to-site VPN tunnel via IPsec, that is out of the scope of this tutorial.<\/p>\n<h4>Our Simple Client VPN Topology<\/h4>\n<p><a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/openvpn_client_topology.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3530\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/openvpn_client_topology-300x286.png\" alt=\"\" width=\"600\" height=\"572\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/openvpn_client_topology-300x286.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/openvpn_client_topology.png 684w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/a><br \/>\n<!--more--><br \/>\n<em>We are assuming that the <strong>172.16.23.0\/24<\/strong> network has the appropriate ACLs for the resources you want VPN clients to access.<\/em><\/p>\n<ol>\n<li>\n<h4>Install the base packages needed<\/h4>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">apt-get 
install openvpn openssl<\/pre>\n<\/li>\n<li>\n<h4>Copy the example easy-rsa scripts<\/h4>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">mkdir -p \/etc\/openvpn\/easy-rsa\/ \r\ncp -r \/usr\/share\/doc\/openvpn\/examples\/easy-rsa\/2.0\/* \/etc\/openvpn\/easy-rsa\/<\/pre>\n<\/li>\n<li>\n<h4>For Ubuntu 12.04 64-bit, there is an issue with the scripts installed with openvpn.<\/h4>\n<p>To fix it, create a symbolic link to the openssl.cnf file that the CA scripts look for.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">cd \/etc\/openvpn\/easy-rsa \r\nln -s openssl-1.0.0.cnf openssl.cnf<\/pre>\n<\/li>\n<li>\n<h4>Change the vars settings to your particular setup.<\/h4>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">vi \/etc\/openvpn\/easy-rsa\/vars\r\nexport EASY_RSA=\"\/etc\/openvpn\/easy-rsa\"\r\nexport KEY_SIZE=2048\r\nexport KEY_COUNTRY=\"US\"\r\nexport KEY_PROVINCE=\"CT\"\r\nexport KEY_CITY=\"Hartford\"\r\nexport KEY_ORG=\"techjockey.net\"\r\nexport KEY_EMAIL=\"me@myhost.mydomain\"<\/pre>\n<\/li>\n<li>\n<h4>Create our Certificate Authority:<\/h4>\n<p><em>This step creates a root-level trusted authority that will sign the certificates used by both our OpenVPN server and our OpenVPN clients during their TLS handshake. If either side presents a certificate that this CA did not sign, the handshake fails with a certificate verification error, because the peer is not presenting a trusted, signed certificate. Note that .\/clean-all wipes the keys directory, so run it only this once, when the CA is first created. For more information on certificate authorities please see <a href=\"http:\/\/en.wikipedia.org\/wiki\/Root_certificate\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.<\/em><\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">cd \/etc\/openvpn\/easy-rsa\r\nsource vars\r\n.\/clean-all\r\n\r\n.\/build-ca OpenVPN-CA\r\nGenerating a 2048 bit RSA private key\r\n..................................................+++\r\n......+++\r\nwriting new private key to 'ca.key'\r\n-----\r\nYou are about to be asked to enter information that will be incorporated\r\ninto your certificate request.\r\nWhat you are about to enter is what is called a Distinguished Name or a DN.\r\nThere are quite a few fields but you can leave some blank\r\nFor some fields there will be a default value,\r\nIf you enter '.', the field will be left blank.\r\n-----\r\nCountry Name (2 letter code) [US]:\r\nState or Province Name (full name) [CT]:\r\nLocality Name (eg, city) [Hartford]:\r\nOrganization Name (eg, company) [thejimmahknows]:\r\nOrganizational Unit Name (eg, section) [changeme]:CertificateAuthority\r\nCommon Name (eg, your name or your server's hostname) [changeme]:OpenVPN-CA\r\nName [changeme]:CertAuth\r\nEmail Address [mail@host.domain]:<\/pre>\n<\/li>\n<li>\n<h4>Create Server Cert and Key, signed by CA:<\/h4>\n<p><em>Notice, in the next step, how the OpenVPN server&#8217;s certificate is signed with our Certificate Authority from the previous step. build-key-server also issues it under the [server] section of openssl.cnf, which marks it as a server certificate (nsCertType=server, extendedKeyUsage=serverAuth); that marking is what lets a client tell the real server apart from another client certificate issued by the same CA.<\/em><\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">cd \/etc\/openvpn\/easy-rsa\r\nsource vars\r\n.\/build-key-server OpenVPN-Server\r\nGenerating a 2048 bit RSA private key\r\n.....................................................................................+++\r\n............+++\r\nwriting new private key to 'OpenVPN-Server.key'\r\n-----\r\nYou are about to be asked to enter information that will be 
incorporated\r\ninto your certificate request.\r\nWhat you are about to enter is what is called a Distinguished Name or a DN.\r\nThere are quite a few fields but you can leave some blank\r\nFor some fields there will be a default value,\r\nIf you enter '.', the field will be left blank.\r\n-----\r\nCountry Name (2 letter code) [US]:\r\nState or Province Name (full name) [CT]:\r\nLocality Name (eg, city) [Hartford]:\r\nOrganization Name (eg, company) [thejimmahknows]:\r\nOrganizational Unit Name (eg, section) [changeme]:OpenVPN Server\r\nCommon Name (eg, your name or your server's hostname) [OpenVPN-Server]:\r\nName [changeme]:OpenVPN Service\r\nEmail Address [mail@host.domain]:\r\n\r\nPlease enter the following 'extra' attributes\r\nto be sent with your certificate request\r\nA challenge password []:\r\nAn optional company name []:\r\nUsing configuration from \/etc\/openvpn\/easy-rsa\/openssl.cnf\r\nCheck that the request matches the signature\r\nSignature ok\r\nThe Subject's Distinguished Name is as follows\r\ncountryName           :PRINTABLE:'US'\r\nstateOrProvinceName   :PRINTABLE:'CT'\r\nlocalityName          :PRINTABLE:'Hartford'\r\norganizationName      :PRINTABLE:'THEJIMMAHKNOWS'\r\norganizationalUnitName:PRINTABLE:'OpenVPN Server'\r\ncommonName            :PRINTABLE:'OpenVPN-Server'\r\nname                  :PRINTABLE:'OpenVPN Service'\r\nemailAddress          :IA5STRING:'mail@host.domain'\r\nCertificate is to be certified until Nov 13 19:22:27 2022 GMT (3650 days)\r\nSign the certificate? [y\/n]:y\r\n\r\n1 out of 1 certificate requests certified, commit? 
[y\/n]y\r\nWrite out database with 1 new entries\r\nData Base Updated<\/pre>\n<\/li>\n<li>\n<h4>Create <strong>Client<\/strong> Certificate\/Key Pair, signed by CA:<\/h4>\n<p><em>Issue one certificate per user or device, never a shared one: the Common Name entered here (thejimmahknows_vpnclient) is the identity the server sees, and by default OpenVPN refuses a second concurrent connection using the same Common Name.<\/em><\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">cd \/etc\/openvpn\/easy-rsa \r\nsource vars \r\n.\/build-key thejimmahknows_vpnclient\r\n\r\nGenerating a 2048 bit RSA private key\r\n.......................+++\r\n...................+++\r\nwriting new private key to 'thejimmahknows_vpnclient.key'\r\n-----\r\nYou are about to be asked to enter information that will be incorporated\r\ninto your certificate request.\r\nWhat you are about to enter is what is called a Distinguished Name or a DN.\r\nThere are quite a few fields but you can leave some blank\r\nFor some fields there will be a default value,\r\nIf you enter '.', the field will be left blank.\r\n-----\r\nCountry Name (2 letter code) [US]:\r\nState or Province Name (full name) [CT]:\r\nLocality Name (eg, city) [Hartford]:\r\nOrganization Name (eg, company) [THEJIMMAHKNOWS]:\r\nOrganizational Unit Name (eg, section) [changeme]:\r\nCommon Name (eg, your name or your server's hostname) [thejimmahknows_vpnclient]:\r\nName [changeme]:jim\r\nEmail Address [mail@host.domain]:\r\n\r\nPlease enter the following 'extra' attributes\r\nto be sent with your certificate request\r\nA challenge password []:\r\nAn optional company name []:\r\nUsing configuration from \/etc\/openvpn\/easy-rsa\/openssl.cnf\r\nCheck that the request matches the signature\r\nSignature ok\r\nThe Subject's Distinguished Name is as follows\r\ncountryName :PRINTABLE:'US'\r\nstateOrProvinceName :PRINTABLE:'CT'\r\nlocalityName :PRINTABLE:'Hartford'\r\norganizationName :PRINTABLE:'THEJIMMAHKNOWS'\r\norganizationalUnitName:PRINTABLE:'changeme'\r\ncommonName :T61STRING:'thejimmahknows_vpnclient'\r\nname :PRINTABLE:'jim'\r\nemailAddress :IA5STRING:'mail@host.domain'\r\nCertificate is to be certified until Nov 13 19:24:19 2022 GMT (3650 days)\r\nSign the 
certificate? [y\/n]:y\r\n1 out of 1 certificate requests certified, commit? [y\/n]y\r\nWrite out database with 1 new entries\r\nData Base Updated<\/pre>\n<\/li>\n<li>\n<h4>Create <a title=\"http:\/\/en.wikipedia.org\/wiki\/Diffie%E2%80%93Hellman_key_exchange\" href=\"http:\/\/en.wikipedia.org\/wiki\/Diffie%E2%80%93Hellman_key_exchange\" target=\"_blank\" rel=\"noopener noreferrer\">Diffie Hellman<\/a> parameters:<\/h4>\n<p><em>This writes dh2048.pem (the size follows KEY_SIZE) into the keys directory and can take several minutes.<\/em><\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">.\/build-dh<\/pre>\n<\/li>\n<li>\n<h4>Change to Keys Directory<\/h4>\n<p>So we have just created a Certificate Authority certificate and key pair, a server certificate and key pair signed by our CA, and a client certificate and key pair signed by our CA. The scripts you just ran place the certificates and keys in the \/etc\/openvpn\/easy-rsa\/keys directory. Navigate to this directory. You may notice that you need to be root in order to change to this directory&#8230;don&#8217;t worry, that is a good thing! Do an ls -l so we can see what&#8217;s in this directory&#8230;alongside dh2048.pem, the .csr files and the CA&#8217;s bookkeeping files (index.txt, serial) we should see the following:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">cd \/etc\/openvpn\/easy-rsa\/keys\r\nls -l\r\nca.key\r\nca.crt\r\nOpenVPN-Server.crt\r\nOpenVPN-Server.key\r\nthejimmahknows_vpnclient.crt\r\nthejimmahknows_vpnclient.key<\/pre>\n<p><em>NOTICE: We have two files per entity, a CRT and a KEY. It is very important that the KEY is <strong>only<\/strong> readable by root and only resides on the entity it belongs to. You should <strong>not<\/strong>, I repeat not, have an entity&#8217;s KEY in multiple locations! That goes double for ca.key: the running server only needs ca.crt to verify clients, so once the certificates are issued, move ca.key off the VPN server to an offline location, because whoever holds it can mint valid client or server certificates.<\/em><\/p>\n<\/li>\n<li>\n<h4>Copy Client files to Client device<\/h4>\n<p>Copy the client&#8217;s CRT and KEY to its device. You will also need to copy ca.crt to the client&#8217;s device, because the CA we created is private and self-signed rather than a public third-party CA. 
Once the CRT and KEY are on the client&#8217;s device, make sure the KEY is readable only by root (chmod 600), and remove the client&#8217;s key from the server; a client key has no business living there.<\/p>\n<\/li>\n<li>\n<h4>Identify Server side files<\/h4>\n<p>Make note of the location of the following on our OpenVPN server: <strong>ca.crt, dh2048.pem, OpenVPN-Server.crt, and OpenVPN-Server.key<\/strong>. We will need their full paths in the next step.<\/p>\n<\/li>\n<li>\n<h4>Copy a sample server configuration file:<\/h4>\n<p>Run this from \/etc\/openvpn, which is where the trailing dot copies the file to and where the service looks for server.conf.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">cp \/usr\/share\/doc\/openvpn\/examples\/sample-config-files\/server.conf.gz . \r\ngunzip server.conf.gz<\/pre>\n<\/li>\n<li>\n<h4>Edit the server.conf file and change\/add the following:<\/h4>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">vi server.conf\r\nport 1194\r\nproto udp\r\n#cert information\r\nca \/etc\/openvpn\/easy-rsa\/keys\/ca.crt\r\ncert \/etc\/openvpn\/easy-rsa\/keys\/OpenVPN-Server.crt\r\nkey \/etc\/openvpn\/easy-rsa\/keys\/OpenVPN-Server.key\r\ndh \/etc\/openvpn\/easy-rsa\/keys\/dh2048.pem\r\n\r\n#sets the IP range and subnet assigned to VPN clients after they successfully connect and negotiate. Substitute your own VPN range here.\r\nserver 172.16.23.0  255.255.255.0\r\n\r\n#maintain a record of clients and their virtual IP addresses, so each is assigned the same one every time.\r\nifconfig-pool-persist ipp.txt\r\n\r\n#push statements send routing and other settings to a client when it asks for a virtual IP. Push your DNS and route information relative to your infrastructure. 
Here is where you put the DNS servers clients should use to resolve resources on your networks.\r\npush \"dhcp-option DNS 208.67.220.220\"\r\npush \"dhcp-option DNS 208.67.222.220\"\r\n\r\n#do you want VPN clients to be able to talk to each other? Leave this out if clients should only reach the private network, not one another.\r\nclient-to-client\r\n\r\n#keepalives\r\nkeepalive 10 120\r\n\r\n#enable compression (must match on both sides). OpenVPN has since deprecated compression, because compressing plaintext inside the tunnel leaks information (VORACLE); on current releases leave this out on both sides.\r\ncomp-lzo\r\n\r\n#status file (separate from the log; shows each client's virtual IP association, etc.). Handy.\r\nstatus openvpn-status-log\r\n\r\n#log stuff\r\nlog  \/var\/log\/openvpn.log\r\nverb 3<\/pre>\n<\/li>\n<li>\n<h4>Restart the OpenVPN service on the server.<\/h4>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">service openvpn restart<\/pre>\n<\/li>\n<li>\n<h4>Client Configuration<\/h4>\n<p>On your client, assuming it runs Ubuntu, install the Network Manager OpenVPN plugin:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">apt-get install network-manager-openvpn<\/pre>\n<p>Afterwards an OpenVPN option should be available in Network Manager. Remember where your client&#8217;s certificate and key are stored, then go to Edit Connections and the VPN tab.<br \/>\n<a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/certs_on_client.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3532\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/certs_on_client-300x217.png\" alt=\"\" width=\"600\" height=\"434\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/certs_on_client-300x217.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/certs_on_client-768x554.png 768w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/certs_on_client.png 802w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/a><\/p>\n<p>Click Add, OpenVPN.<br \/>\n<a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/Network-Manager.png\"><img 
loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3533\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/Network-Manager-300x204.png\" alt=\"\" width=\"540\" height=\"367\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/Network-Manager-300x204.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/Network-Manager.png 483w\" sizes=\"auto, (max-width: 540px) 100vw, 540px\" \/><\/a><\/p>\n<p>Now fill in the necessary information: Connection name, Gateway (your OpenVPN server&#8217;s IP or DNS name), User Certificate (your client CRT), CA Certificate (ca.crt) and Private Key (the KEY file). See the picture for an example. Under Advanced, if your version of the plugin offers it, also turn on verification of the peer (server) certificate usage, which is OpenVPN&#8217;s remote-cert-tls server option; without it the client will accept any certificate our CA has signed, another client&#8217;s included, as the server.<br \/>\n<a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/Network-Manager-New.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3534\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/Network-Manager-New-300x286.png\" alt=\"\" width=\"601\" height=\"573\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/Network-Manager-New-300x286.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/Network-Manager-New.png 647w\" sizes=\"auto, (max-width: 601px) 100vw, 601px\" \/><\/a><\/p>\n<p>The new connection should now appear in your Network Manager list of connections.<br \/>\n<a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/Shown-In-Network-Manager.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3535\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/Shown-In-Network-Manager-300x63.png\" alt=\"\" width=\"576\" height=\"121\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/Shown-In-Network-Manager-300x63.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/Shown-In-Network-Manager.png 445w\" sizes=\"auto, (max-width: 576px) 100vw, 576px\" \/><\/a><\/p>\n<\/li>\n<li>Congratulations! 
You just set up a Client VPN server and got a client connecting over an encrypted TLS tunnel. Woot!<\/li>\n<\/ol>\n<p><strong>Sources:<\/strong><\/p>\n<ul>\n<li><a title=\"https:\/\/help.ubuntu.com\/community\/OpenVPN\" href=\"https:\/\/help.ubuntu.com\/community\/OpenVPN\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/help.ubuntu.com\/community\/OpenVPN<\/a><\/li>\n<li><a title=\"https:\/\/help.ubuntu.com\/community\/VPNClient\" href=\"https:\/\/help.ubuntu.com\/community\/VPNClient\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/help.ubuntu.com\/community\/VPNClient<\/a><\/li>\n<li><a title=\"http:\/\/ubuntuforums.org\/showthread.php?t=1134459&amp;page=4\" href=\"http:\/\/ubuntuforums.org\/showthread.php?t=1134459&amp;page=4\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/ubuntuforums.org\/showthread.php?t=1134459&amp;page=4<\/a><br \/>\nFor the Ubuntu Network Manager OpenVPN client not working with split tunneling.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Before we begin I want to clearly identify the scope of this tutorial. There are different types of VPN; we will be creating a Client VPN, which implies a many-to-one relationship. 
We will&#46;&#46;&#46;<\/p>\n","protected":false},"author":2,"featured_media":4240,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[98,112],"class_list":["post-410","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-openvpn","tag-security-2"],"_links":{"self":[{"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/posts\/410","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=410"}],"version-history":[{"count":2,"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/posts\/410\/revisions"}],"predecessor-version":[{"id":4275,"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/posts\/410\/revisions\/4275"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/media\/4240"}],"wp:attachment":[{"href":"https:\/\/infotechguy.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=410"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=410"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=410"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
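The server.conf from the "Edit the server.conf file" step and the Network Manager client settings are where a hardening review of this setup would concentrate: the tutorial's config keeps compression on, never pins a cipher or HMAC, has no tls-auth/tls-crypt key in front of the TLS handshake, runs the daemon as root, and the client side has nothing equivalent to remote-cert-tls server. What follows is an added example, not code from the original post or from the OpenVPN project: a small parser for OpenVPN configuration files and .ovpn profiles, a linter that raises exactly those findings against the tutorial's server.conf (embedded below as a constructed sample) and passes a corrected version, and a builder for a unified client profile that inlines the CA, certificate, key and tls-crypt key and carries the client-side fixes. The hostname vpn.example.net, the /etc/openvpn/ta.key path and the PEM blobs are placeholders.

```python
"""Lint OpenVPN configs for the weak spots a hardening review looks for, then
build a unified client profile with the fixes applied.  Added example for this
tutorial, not code from the original post or the OpenVPN project.  The
hostname, the ta.key path and the PEM blobs below are placeholders."""
import shlex


def parse_openvpn_config(text):
    """Return [(directive, [args])].  Handles '#'/';' comments, quoted args
    (push "dhcp-option DNS ...") and <tag>...</tag> inline blocks (one arg)."""
    out, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and not line.startswith("</"):
            tag, body = line[1:-1], []
            while i < len(lines) and lines[i].strip() != "</%s>" % tag:
                body.append(lines[i])
                i += 1
            i += 1                                  # skip the closing </tag>
            out.append((tag, ["\n".join(body)]))
            continue
        parts = shlex.split(line, comments=True)
        out.append((parts[0], parts[1:]))
    return out


def lint(text, role):
    """role is 'server' or 'client'; returns a list of findings ([] == clean)."""
    cfg = parse_openvpn_config(text)
    names, args, findings = {d for d, _ in cfg}, dict(cfg), []
    if names & {"comp-lzo", "compress"}:
        findings.append("compression enabled: drop comp-lzo/compress, compressing "
                        "plaintext inside the tunnel leaks data (VORACLE)")
    if not names & {"tls-auth", "tls-crypt"}:
        findings.append("no tls-auth/tls-crypt: add a pre-shared HMAC key so packets "
                        "from unauthenticated peers are dropped before the TLS handshake")
    if not {"cipher", "auth"} <= names:
        findings.append("cipher/auth not pinned: old releases default to BF-CBC/SHA1; "
                        "set cipher AES-256-GCM (or AES-256-CBC) and auth SHA256")
    if role == "server" and not {"user", "group"} <= names:
        findings.append("daemon keeps root after start-up: add 'user nobody' and "
                        "'group nogroup' (with persist-key/persist-tun)")
    if role == "server" and any("1024" in a for a in args.get("dh", [])):
        findings.append("1024-bit DH parameters: rebuild dh with KEY_SIZE=2048")
    if role == "client" and args.get("remote-cert-tls") != ["server"]:
        findings.append("missing 'remote-cert-tls server': any client certificate "
                        "signed by the same CA could impersonate the server")
    return findings


# The tutorial's server.conf directives, reproduced as the sample to lint.
TUTORIAL_SERVER_CONF = """\
port 1194
proto udp
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/OpenVPN-Server.crt
key /etc/openvpn/easy-rsa/keys/OpenVPN-Server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 172.16.23.0 255.255.255.0
push "dhcp-option DNS 208.67.220.220"
client-to-client
keepalive 10 120
comp-lzo
verb 3
"""

# Same config with the findings fixed.  /etc/openvpn/ta.key is an assumed path for
# a key made with 'openvpn --genkey --secret ta.key'; clients need a copy of it too.
HARDENED_SERVER_CONF = TUTORIAL_SERVER_CONF.replace("comp-lzo\n", "") + """\
tls-crypt /etc/openvpn/ta.key
cipher AES-256-GCM
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
"""


def build_client_profile(remote_host, ca_pem, cert_pem, key_pem, ta_key):
    """Unified .ovpn with the CA, cert, key and tls-crypt key inlined, so the
    profile is the only file that has to live on the client (keep it mode 0600)."""
    def inline(tag, pem):
        return "<%s>\n%s\n</%s>\n" % (tag, pem.strip(), tag)
    return ("client\ndev tun\nproto udp\nremote %s 1194\nnobind\n" % remote_host
            + "persist-key\npersist-tun\n"
            + "remote-cert-tls server\n"      # refuse a peer whose cert is not a server cert
            + "cipher AES-256-GCM\nauth SHA256\nverb 3\n"
            + inline("ca", ca_pem) + inline("cert", cert_pem)
            + inline("key", key_pem) + inline("tls-crypt", ta_key))


# Constructed placeholder PEM material, not real keys.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----"
FAKE_TA = "-----BEGIN OpenVPN Static key V1-----\n00...placeholder...\n-----END OpenVPN Static key V1-----"

if __name__ == "__main__":
    for label, conf in ("tutorial", TUTORIAL_SERVER_CONF), ("hardened", HARDENED_SERVER_CONF):
        print(label, "server.conf:", lint(conf, "server") or "clean")
    profile = build_client_profile("vpn.example.net", FAKE_CERT, FAKE_CERT, FAKE_KEY, FAKE_TA)
    print("client profile:", lint(profile, "client") or "clean")
```

Run against the tutorial's directives the linter reports four findings (compression, no HMAC key, unpinned cipher/auth, daemon running as root); the corrected server config and the generated client profile come back clean. The remote-cert-tls check is the one most worth carrying over to the Network Manager client: with a single CA signing both server and client certificates, it is the only thing stopping one client certificate from posing as the server to another client. Whatever tls-crypt key the server uses has to be distributed to every client alongside its certificate, and the resulting profile holds the private key, so it needs the same 0600 treatment the tutorial demands for the KEY file.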