1OPENVPN(EXAMPLES) OPENVPN(EXAMPLES)
2
6 openvpn examples - Secure IP tunnel daemon
7
9 This man page gives a few simple examples to create OpenVPN setups and
10 configuration files.
11
13 Prior to running these examples, you should have OpenVPN installed on
14 two machines with network connectivity between them. If you have not
15 yet installed OpenVPN, consult the INSTALL file included in the OpenVPN
16 distribution.
17 Firewall Setup:
19 If firewalls exist between the two machines, they should be set to for‐
20 ward the port OpenVPN is configured to use, in both directions. The
21 default for OpenVPN is 1194/udp. If you do not have control over the
22 firewalls between the two machines, you may still be able to use Open‐
23 VPN by adding --ping 15 to each of the openvpn commands used below in
24 the examples (this will cause each peer to send out a UDP ping to its
25 remote peer once every 15 seconds which will cause many stateful fire‐
26 walls to forward packets in both directions without an explicit fire‐
27 wall rule).
28 Please see your operating system guides for how to configure the fire‐
30 wall on your systems.
31 VPN Address Setup:
33 For purposes of our example, our two machines will be called bob.exam‐
34 ple.com and alice.example.com. If you are constructing a VPN over the
35 internet, then replace bob.example.com and alice.example.com with the
36 internet hostname or IP address that each machine will use to contact
37 the other over the internet.
38 Now we will choose the tunnel endpoints. Tunnel endpoints are private
40 IP addresses that only have meaning in the context of the VPN. Each ma‐
41 chine will use the tunnel endpoint of the other machine to access it
42 over the VPN. In our example, the tunnel endpoint for bob.example.com
43 will be 10.4.0.1 and for alice.example.com, 10.4.0.2.
44 Once the VPN is established, you have essentially created a secure al‐
46 ternate path between the two hosts which is addressed by using the tun‐
47 nel endpoints. You can control which network traffic passes between the
48 hosts (a) over the VPN or (b) independently of the VPN, by choosing
49 whether to use (a) the VPN endpoint address or (b) the public internet
50 address, to access the remote host. For example if you are on bob.exam‐
51 ple.com and you wish to connect to alice.example.com via ssh without
52 using the VPN (since ssh has its own built-in security) you would use
53 the command ssh alice.example.com. However in the same scenario, you
54 could also use the command telnet 10.4.0.2 to create a telnet session
55 with alice.example.com over the VPN, that would use the VPN to secure
56 the session rather than ssh.
57 You can use any address you wish for the tunnel endpoints but make sure
59 that they are private addresses (such as those that begin with 10 or
60 192.168) and that they are not part of any existing subnet on the net‐
61 works of either peer, unless you are bridging. If you use an address
62 that is part of your local subnet for either of the tunnel endpoints,
63 you will get a weird feedback loop.
64 Example 1: A simple tunnel without security
66 On bob:
67 openvpn --remote alice.example.com --dev tun1 \
69 --ifconfig 10.4.0.1 10.4.0.2 --verb 9
70 On alice:
72 openvpn --remote bob.example.com --dev tun1 \
74 --ifconfig 10.4.0.2 10.4.0.1 --verb 9
75 Now verify the tunnel is working by pinging across the tunnel.
77 On bob:
79 ping 10.4.0.2
81 On alice:
83 ping 10.4.0.1
85 The --verb 9 option will produce verbose output, similar to the tcp‐
87 dump(8) program. Omit the --verb 9 option to have OpenVPN run quietly.
88 Example 2: A tunnel with static-key security (i.e. using a pre-shared se‐
90 cret)
91 First build a static key on bob.
92 openvpn --genkey --secret key
94 This command will build a key file called key (in ascii format). Now
96 copy key to alice.example.com over a secure medium such as by using the
97 scp(1) program.
98 On bob:
100 openvpn --remote alice.example.com --dev tun1 \
102 --ifconfig 10.4.0.1 10.4.0.2 --verb 5 \
103 --secret key
104 On alice:
106 openvpn --remote bob.example.com --dev tun1 \
108 --ifconfig 10.4.0.2 10.4.0.1 --verb 5 \
109 --secret key
110 Now verify the tunnel is working by pinging across the tunnel.
112 On bob:
114 ping 10.4.0.2
116 On alice:
118 ping 10.4.0.1
120 Example 3: A tunnel with full TLS-based security
122 For this test, we will designate bob as the TLS client and alice as the
123 TLS server.
124 Note: The client or server designation only has meaning for the TLS
126 subsystem. It has no bearing on OpenVPN's peer-to-peer,
127 UDP-based communication model.*
128 First, build a separate certificate/key pair for both bob and alice
130 (see above where --cert is discussed for more info). Then construct
131 Diffie Hellman parameters (see above where --dh is discussed for more
132 info). You can also use the included test files client.crt, client.key,
133 server.crt, server.key and ca.crt. The .crt files are certificates/pub‐
134 lic-keys, the .key files are private keys, and ca.crt is a certifica‐
135 tion authority who has signed both client.crt and server.crt. For
136 Diffie Hellman parameters you can use the included file dh2048.pem.
137 WARNING:
139 All client, server, and certificate authority certificates and
140 keys included in the OpenVPN distribution are totally insecure
141 and should be used for testing only.
142 On bob:
144 openvpn --remote alice.example.com --dev tun1 \
146 --ifconfig 10.4.0.1 10.4.0.2 \
147 --tls-client --ca ca.crt \
148 --cert client.crt --key client.key \
149 --reneg-sec 60 --verb 5
150 On alice:
152 openvpn --remote bob.example.com --dev tun1 \
154 --ifconfig 10.4.0.2 10.4.0.1 \
155 --tls-server --dh dh1024.pem --ca ca.crt \
156 --cert server.crt --key server.key \
157 --reneg-sec 60 --verb 5
158 Now verify the tunnel is working by pinging across the tunnel.
160 On bob:
162 ping 10.4.0.2
164 On alice:
166 ping 10.4.0.1
168 Notice the --reneg-sec 60 option we used above. That tells OpenVPN to
170 renegotiate the data channel keys every minute. Since we used --verb 5
171 above, you will see status information on each new key negotiation.
172 For production operations, a key renegotiation interval of 60 seconds
174 is probably too frequent. Omit the --reneg-sec 60 option to use Open‐
175 VPN's default key renegotiation interval of one hour.
176 Routing:
178 Assuming you can ping across the tunnel, the next step is to route a
179 real subnet over the secure tunnel. Suppose that bob and alice have two
180 network interfaces each, one connected to the internet, and the other
181 to a private network. Our goal is to securely connect both private net‐
182 works. We will assume that bob's private subnet is 10.0.0.0/24 and al‐
183 ice's is 10.0.1.0/24.
184 First, ensure that IP forwarding is enabled on both peers. On Linux,
186 enable routing:
187 echo 1 > /proc/sys/net/ipv4/ip_forward
189 This setting is not persistent. Please see your operating systems doc‐
191 umentation how to properly configure IP forwarding, which is also per‐
192 sistent through system boots.
193 If your system is configured with a firewall. Please see your operat‐
195 ing systems guide on how to configure the firewall. You typically want
196 to allow traffic coming from and going to the tun/tap adapter OpenVPN
197 is configured to use.
198 On bob:
200 route add -net 10.0.1.0 netmask 255.255.255.0 gw 10.4.0.2
202 On alice:
204 route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.4.0.1
206 Now any machine on the 10.0.0.0/24 subnet can access any machine on the
208 10.0.1.0/24 subnet over the secure tunnel (or vice versa).
209 In a production environment, you could put the route command(s) in a
211 script and execute with the --up option.
212 5 OPENVPN(EXAMPLES)