1OPENVPN(EXAMPLES)                                            OPENVPN(EXAMPLES)
2
3
4

NAME

6       openvpn examples - Secure IP tunnel daemon
7

INTRODUCTION

9       This  man page gives a few simple examples to create OpenVPN setups and
10       configuration files.
11

EXAMPLES

13       Prior to running these examples, you should have OpenVPN  installed  on
14       two  machines  with  network connectivity between them. If you have not
15       yet installed OpenVPN, consult the INSTALL file included in the OpenVPN
16       distribution.
17
18   Firewall Setup:
19       If firewalls exist between the two machines, they should be set to for‐
20       ward the port OpenVPN is configured to use, in  both  directions.   The
21       default  for  OpenVPN is 1194/udp.  If you do not have control over the
22       firewalls between the two machines, you may still be able to use  Open‐
23       VPN  by  adding --ping 15 to each of the openvpn commands used below in
24       the examples (this will cause each peer to send out a UDP ping  to  its
25       remote  peer once every 15 seconds which will cause many stateful fire‐
26       walls to forward packets in both directions without an  explicit  fire‐
27       wall rule).
28
29       Please  see your operating system guides for how to configure the fire‐
30       wall on your systems.
31
32   VPN Address Setup:
33       For purposes of our example, our two machines will be called  bob.exam‐
34       ple.com  and  alice.example.com. If you are constructing a VPN over the
35       internet, then replace bob.example.com and alice.example.com  with  the
36       internet  hostname  or IP address that each machine will use to contact
37       the other over the internet.
38
39       Now we will choose the tunnel endpoints. Tunnel endpoints  are  private
40       IP addresses that only have meaning in the context of the VPN. Each ma‐
41       chine will use the tunnel endpoint of the other machine  to  access  it
42       over  the  VPN. In our example, the tunnel endpoint for bob.example.com
43       will be 10.4.0.1 and for alice.example.com, 10.4.0.2.
44
45       Once the VPN is established, you have essentially created a secure  al‐
46       ternate path between the two hosts which is addressed by using the tun‐
47       nel endpoints. You can control which network traffic passes between the
48       hosts  (a)  over  the  VPN or (b) independently of the VPN, by choosing
49       whether to use (a) the VPN endpoint address or (b) the public  internet
50       address, to access the remote host. For example if you are on bob.exam‐
51       ple.com and you wish to connect to alice.example.com  via  ssh  without
52       using  the  VPN (since ssh has its own built-in security) you would use
53       the command ssh alice.example.com. However in the  same  scenario,  you
54       could  also  use the command telnet 10.4.0.2 to create a telnet session
55       with alice.example.com over the VPN, that would use the VPN  to  secure
56       the session rather than ssh.
57
58       You can use any address you wish for the tunnel endpoints but make sure
59       that they are private addresses (such as those that begin  with  10  or
60       192.168)  and that they are not part of any existing subnet on the net‐
61       works of either peer, unless you are bridging. If you  use  an  address
62       that  is  part of your local subnet for either of the tunnel endpoints,
63       you will get a weird feedback loop.
64
65   Example 1: A simple tunnel without security
66       On bob:
67
68          openvpn --remote alice.example.com --dev tun1 \
69                   --ifconfig 10.4.0.1 10.4.0.2 --verb 9
70
71       On alice:
72
73          openvpn --remote bob.example.com --dev tun1 \
74                   --ifconfig 10.4.0.2 10.4.0.1 --verb 9
75
76       Now verify the tunnel is working by pinging across the tunnel.
77
78       On bob:
79
80          ping 10.4.0.2
81
82       On alice:
83
84          ping 10.4.0.1
85
86       The --verb 9 option will produce verbose output, similar  to  the  tcp‐
87       dump(8) program. Omit the --verb 9 option to have OpenVPN run quietly.
88
89   Example  2:  A tunnel with static-key security (i.e. using a pre-shared se‐
90       cret)
91       First build a static key on bob.
92
93          openvpn --genkey --secret key
94
95       This command will build a key file called key (in  ascii  format).  Now
96       copy key to alice.example.com over a secure medium such as by using the
97       scp(1) program.
98
99       On bob:
100
101          openvpn --remote alice.example.com --dev tun1  \
102                   --ifconfig 10.4.0.1 10.4.0.2 --verb 5 \
103                   --secret key
104
105       On alice:
106
107          openvpn --remote bob.example.com --dev tun1   \
108                  --ifconfig 10.4.0.2 10.4.0.1 --verb 5 \
109                  --secret key
110
111       Now verify the tunnel is working by pinging across the tunnel.
112
113       On bob:
114
115          ping 10.4.0.2
116
117       On alice:
118
119          ping 10.4.0.1
120
121   Example 3: A tunnel with full TLS-based security
122       For this test, we will designate bob as the TLS client and alice as the
123       TLS server.
124
125       Note:  The  client  or  server designation only has meaning for the TLS
126              subsystem.  It  has  no  bearing  on   OpenVPN's   peer-to-peer,
127              UDP-based communication model.*
128
129       First,  build  a  separate  certificate/key pair for both bob and alice
130       (see above where --cert is discussed for  more  info).  Then  construct
131       Diffie  Hellman  parameters (see above where --dh is discussed for more
132       info). You can also use the included test files client.crt, client.key,
133       server.crt, server.key and ca.crt. The .crt files are certificates/pub‐
134       lic-keys, the .key files are private keys, and ca.crt is  a  certifica‐
135       tion  authority  who  has  signed  both client.crt and server.crt.  For
136       Diffie Hellman parameters you can use the included file dh2048.pem.
137
138       WARNING:
139              All client, server, and certificate authority  certificates  and
140              keys  included  in the OpenVPN distribution are totally insecure
141              and should be used for testing only.
142
143       On bob:
144
145          openvpn --remote alice.example.com --dev tun1    \
146                  --ifconfig 10.4.0.1 10.4.0.2             \
147                  --tls-client --ca ca.crt                 \
148                  --cert client.crt --key client.key       \
149                  --reneg-sec 60 --verb 5
150
151       On alice:
152
153          openvpn --remote bob.example.com --dev tun1      \
154                  --ifconfig 10.4.0.2 10.4.0.1             \
155                  --tls-server --dh dh1024.pem --ca ca.crt \
156                  --cert server.crt --key server.key       \
157                  --reneg-sec 60 --verb 5
158
159       Now verify the tunnel is working by pinging across the tunnel.
160
161       On bob:
162
163          ping 10.4.0.2
164
165       On alice:
166
167          ping 10.4.0.1
168
169       Notice the --reneg-sec 60 option we used above. That tells  OpenVPN  to
170       renegotiate  the data channel keys every minute. Since we used --verb 5
171       above, you will see status information on each new key negotiation.
172
173       For production operations, a key renegotiation interval of  60  seconds
174       is  probably  too frequent. Omit the --reneg-sec 60 option to use Open‐
175       VPN's default key renegotiation interval of one hour.
176
177   Routing:
178       Assuming you can ping across the tunnel, the next step is  to  route  a
179       real subnet over the secure tunnel. Suppose that bob and alice have two
180       network interfaces each, one connected to the internet, and  the  other
181       to a private network. Our goal is to securely connect both private net‐
182       works. We will assume that bob's private subnet is 10.0.0.0/24 and  al‐
183       ice's is 10.0.1.0/24.
184
185       First,  ensure  that  IP forwarding is enabled on both peers. On Linux,
186       enable routing:
187
188          echo 1 > /proc/sys/net/ipv4/ip_forward
189
190       This setting is not persistent.  Please see your operating systems doc‐
191       umentation  how to properly configure IP forwarding, which is also per‐
192       sistent through system boots.
193
194       If your system is configured with a firewall.  Please see your  operat‐
195       ing systems guide on how to configure the firewall.  You typically want
196       to allow traffic coming from and going to the tun/tap  adapter  OpenVPN
197       is configured to use.
198
199       On bob:
200
201          route add -net 10.0.1.0 netmask 255.255.255.0 gw 10.4.0.2
202
203       On alice:
204
205          route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.4.0.1
206
207       Now any machine on the 10.0.0.0/24 subnet can access any machine on the
208       10.0.1.0/24 subnet over the secure tunnel (or vice versa).
209
210       In a production environment, you could put the route  command(s)  in  a
211       script and execute with the --up option.
212
213
214
215
216                                       5                     OPENVPN(EXAMPLES)
Impressum