this is my first blog post. I will try to explain in the easiest way how to simply configure an OpenVPN server and its clients. You can find many tutorials and how-tos, but most of them are not what are you looking for and you have to search on many places.
SERVER CONFIGURATION
So let's begin. I have OpenVPN (ovpn) for Win32, but system how does it work is same. We will start with server configuration. After successful installation of your ovpn package, you have to create your very first configuration file for server. Config is a file, which contains all configuration and settings required to proper running of the application. So create a new file with .ovpn as the extension. I assume that you have your own public IP address, or if you are behind of some kind of NAT, you have forwarded the right ports to your computer. So here is an example of server's config file:
local 192.168.1.1
port 9080
proto tcp
dev tap
server 10.1.0.0 255.255.255.224
client-to-client
keepalive 10 120
comp-lzo
max-clients 20
persist-key
ifconfig-pool-persist ipp.txt
ca ca.crt
cert majo.crt
key majo.key
dh dh1024.pem
I will explain these options line by line.
local is used for determining local IP address on which the server will listen. It should be used only if there are more than one network interfaces available.
port determines the listening port. I use port 9080. Actually it does not matter which port you will use, you just have to set the same port for clients.
proto sets the network protocol by which server will communicate with clients. You can choose between tcp and udp. If you are not familiar with these protocols, I just say, that UDP is less reliable and should be used only on local networks (LAN). For connections over the Internet, use TCP.
dev tap - opposite is dev tun. The difference between these options is, that if you want your clients to have access to server's network, you should use dev tun. TAP is used for bridging on server's side.
server says that you are the server. Then comes VPN network address and subnet mask. It should be selected carefully and watch for various network collisions - if you have your PC connected to a network 192.168.1.0, you can not use this network for your VPN too. If you are not familiar with subnetting, I just explain my example: subnet mask says where network begins and where it ends. I have network 10.1.0.0 and mask 255.255.255.224 says, that I can use IP addresses 10.1.0.0 - 10.1.0.32. This article should be helpful. Also your server will automatically get the first address from the range, in this case it is 10.1.0.1.client-to-client option enables your clients to connect one to another. If you do not add this option, your clients will be able to connect only to server, not to other client. So with this option you can actually act as a network switch.
keepalive causes ping-like messages to be sent so that each side knows when the other side has gone down. In this case, it says, that "ping" will be sent every 10 seconds and assume that remote side is down, if no ping is received in 120 seconds.
comp-lzo enables data compression over the link.
max-clients sets the maximum number of connected clients in same time.
persist-key this option will try to avoid accessing certain resources on restart, that may not be longer be accessible because of the privilege downgrade. I am not sure, if this should be used on Windows server, but I use it just for case.
ifconfig-pool-persist sets filename of log, where client's IP addresses will be stored. This allows to assign the same IP address for same client every time he connects again.
The last section contains certificate filename. You will now need to create these certificates:
- server root certificate (ca)
- certificate
- private key
- Diffie-Hellman key
When you are inside that folder, begin with command:
C:\Program Files\OpenVPN\easy-rsa> init-config
This command wipes all existing certificates, keys, settings,...it is a good start:)Next it is good to edit the vars.bat file (with notepad or some text editor) and fill those, I will put here and example:
set KEY_COUNTRY=GB
set KEY_PROVINCE=London
set KEY_CITY=London
set KEY_ORG=Org
set KEY_EMAIL=majo@dom.sk
set KEY_PROVINCE=London
set KEY_CITY=London
set KEY_ORG=Org
set KEY_EMAIL=majo@dom.sk
So you will not need to fill it everytime you will want to create some certificate. Now let's create the root certificate:
C:\Program Files\OpenVPN\easy-rsa> vars
C:\Program Files\OpenVPN\easy-rsa> clean-all
C:\Program Files\OpenVPN\easy-rsa> build-ca
You will be asked to enter some values, but you have already entered them into vars.bat file, so just press Enter. You just need to enter the "Common Name", set it to "Administrator" for example. Now you have created your first certificate. You can find the file ca.crt.C:\Program Files\OpenVPN\easy-rsa> clean-all
C:\Program Files\OpenVPN\easy-rsa> build-ca
Now we will create certificate for you as a server.
C:\Program Files\OpenVPN\easy-rsa> vars
C:\Program Files\OpenVPN\easy-rsa> build-key-server servername
As a servername variable you can enter the name of the server, like "Johns" or "Corporation". Again all required fields are already entered, you have to enter just Common Name. In this case, set it to servername. This will create you servername.crt.C:\Program Files\OpenVPN\easy-rsa> build-key-server servername
Last step required for the server is creating Diffie-Hellman key. Very easy procedure, but takes a little longer than creating certificates.
C:\Program Files\OpenVPN\easy-rsa> build-dh
That's all! Now copy ca.crt, servername.crt, servername.key and dh1024.pem to the same directory as you have your config file. After that, copy openvpn.exe and all required SSL libraries into the same folder. Now you can try to run your server with command "openvpn.exe configname.ovpn". If you have followed all steps, it should be working.
CLIENT CONFIGURATION
Configuring a client is much more easier as you got used to all terms and properties. You have to create a configuration file again, copy for each client. Here's an example:
client
proto tcp
dev tap
remote 65.198.212.56 9080
resolv-retry infinite
nobind
persist-key
comp-lzo
ca ca.crt
cert maros.crt
key maros.key
client line says, that this configuration file belongs to a client, not to server.proto tcp
dev tap
remote 65.198.212.56 9080
resolv-retry infinite
nobind
persist-key
comp-lzo
ca ca.crt
cert maros.crt
key maros.key
proto tap, dev tap - same as for server configuration
remote says server's IP address and listening port. IP address in this example is fictional and probably doesn't belong to anyone. Port number must be same as in server's config.
resolv-retry is for cases, when you enter hostname instead of IP address for server. This will keep trying reaching this hostname.
nobind command denies client's computer to bind to specific port number, as clients usually do not need it.
persist-key same as for server.
comp-lzo enables compression. When it is enabled for server, it must be enabled for client and reversal.
And names for certificates and keys. So again, you need to create certificates and keys for clients. Also the server handles it, but it is much easier. You must provide the ca.crt file to your client, so this file is same for server and for client. Then you have to create client's key and certificate.
C:\Program Files\OpenVPN\easy-rsa> vars
C:\Program Files\OpenVPN\easy-rsa> build-key client1
C:\Program Files\OpenVPN\easy-rsa> build-key client1
This will create client1.crt and client1.key. You can choose names whatever you want. Then you need to provide client's .crt, .key, ca.crt, client's .ovpn config and openvpn.exe to your client.
And that's all! Now client can run "openvpn.exe clientconfig.ovpn" and connect to server. You have just created your first simple VPN network. You can create other client configurations and certificates, creating larger network with more people connected.