OPENVPN EXAMPLES(5)           Configuration files          OPENVPN EXAMPLES(5)

NAME
       openvpn examples - Secure IP tunnel daemon

INTRODUCTION
       This man page gives a few simple examples to create OpenVPN setups and
       configuration files.

SMALL OPENVPN SETUP WITH PEER-FINGERPRINT
       This section consists of instructions on how to build a small OpenVPN
       setup with the peer-fingerprint option. This has the advantage of being
       easy to set up and should be suitable for most small lab and home setups
       without the need for a PKI: each side pins the SHA256 fingerprint of the
       other side's self-signed certificate, so there is no CA key to protect
       and no certificate chain to validate. For larger-scale setups, setting
       up a PKI (e.g. via easy-rsa) is still recommended.

       Both server and client configuration can be further modified to
       customise the setup.

   Server setup
       1. Install openvpn

          Compile from source-code (see INSTALL file) or install via a
          distribution (apt/yum/ports) or via installer (Windows). The
          peer-fingerprint option needs OpenVPN 2.6 or newer on both sides.

       2. Generate a self-signed certificate for the server:

             openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout server.key -out server.crt -nodes -sha256 -days 3650 -subj '/CN=server'

          The <(...) process substitution needs bash (or zsh). With a plain
          POSIX shell, write the curve parameters to a file first (openssl
          ecparam -name secp384r1 -out ec.params) and pass -newkey ec:ec.params
          instead. -nodes leaves server.key unencrypted, so restrict its
          permissions (chmod 600 server.key).

       3. Generate SHA256 fingerprint of the server certificate

          Use the OpenSSL command line utility to view the fingerprint of the
          certificate just created:

             openssl x509 -fingerprint -sha256 -in server.crt -noout

          This outputs something similar to:

             SHA256 Fingerprint=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff

          Depending on the OpenSSL version the hex digits may be printed in
          upper case; OpenVPN accepts either case in peer-fingerprint.

       4. Write a server configuration (server.conf):

             # The server certificate we created in step 2
             cert server.crt
             key server.key

             # No DH parameters are needed with an EC key (ECDHE only)
             dh none
             dev tun

             # Listen on IPv6+IPv4 simultaneously
             proto udp6

             # The ip address the server will distribute
             server 10.8.0.0 255.255.255.0
             server-ipv6 fd00:6f76:706e::/64

             # A tun-mtu of 1400 avoids problems of too big packets after VPN encapsulation
             tun-mtu 1400

             # The fingerprints of your clients. After adding/removing one here restart the
             # server. Only certificates listed here are accepted; no CA is consulted.
             <peer-fingerprint>
             </peer-fingerprint>

             # Notify clients when you restart the server to reconnect quickly
             explicit-exit-notify 1

             # Ping every 60s, restart if no data received for 5 minutes
             keepalive 60 300

       5. Add at least one client as described in the client section.

       6. Start the server.

                 • On systemd based distributions move server.crt, server.key
                   and server.conf to /etc/openvpn/server and start it via
                   systemctl

                       sudo mv server.conf server.key server.crt /etc/openvpn/server

                       sudo systemctl start openvpn-server@server
86
   Adding a client
       1. Install OpenVPN

       2. Generate a self-signed certificate for the client. In this example
          the client name is alice. Each client should have a unique name.
          Replace alice with a different name for each client.

             openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -nodes -sha256 -days 3650 -subj '/CN=alice'

          This generates a certificate and a key for the client. Since neither
          -keyout nor -out is given, both are written to standard output, which
          will look something like this:

             -----BEGIN PRIVATE KEY-----
             [base64 content]
             -----END PRIVATE KEY-----
             -----
             -----BEGIN CERTIFICATE-----
             [base 64 content]
             -----END CERTIFICATE-----

          Where possible run this command on the client itself, so that the
          private key never has to be transferred; only the certificate's
          fingerprint needs to reach the server.

       3. Create a new client configuration file. In this example we will name
          the file alice.ovpn:

             # The name of your server to connect to
             remote yourserver.example.net
             client
             # use a random source port instead of the fixed 1194
             nobind

             # Uncomment the following line if you want to route
             # all traffic via the VPN
             # redirect-gateway def1 ipv6

             # To set a DNS server
             # dhcp-option DNS 192.168.234.1

             <key>
             -----BEGIN PRIVATE KEY-----
             [Insert here the key created in step 2]
             -----END PRIVATE KEY-----
             </key>
             <cert>
             -----BEGIN CERTIFICATE-----
             [Insert here the certificate created in step 2]
             -----END CERTIFICATE-----
             </cert>

             # This is the fingerprint of the server that we trust. We generated this fingerprint
             # in step 3 of the server setup
             peer-fingerprint 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff

             # The tun-mtu of the client should match the server MTU
             tun-mtu 1400
             dev tun

       4. Generate the fingerprint of the client certificate. For that we will
          let OpenSSL read the client configuration file, as the x509 command
          will ignore anything that is not between the begin and end markers
          of the certificate:

             openssl x509 -fingerprint -sha256 -noout -in alice.ovpn

          This will again output something like

             SHA256 Fingerprint=ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00

       5. Edit the server.conf configuration file and add this new client
          fingerprint as an additional line between <peer-fingerprint> and
          </peer-fingerprint>.

          After adding two clients that part of the configuration would look
          like this:

             <peer-fingerprint>
             ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00
             99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:88:77:66:55:44:33
             </peer-fingerprint>

       6. (optional) If the client is an older client that does not support
          peer-fingerprint (e.g. OpenVPN 2.5 and older, OpenVPN Connect 3.3
          and older), the client config alice.ovpn can be modified to still
          work with these clients.

          Remove the line starting with peer-fingerprint. Then add a new <ca>
          section at the end of the configuration file with the contents of
          the server.crt created in step 2 of the server setup. Because
          server.crt is self-signed, the client then uses the server's own
          certificate as its only trust anchor; the server side is unchanged
          and still checks the client by fingerprint. The end of the alice.ovpn
          file should look like:

             [...]  # Beginning of the file skipped
             </cert>

             # The tun-mtu of the client should match the server MTU
             tun-mtu 1400
             dev tun

             <ca>
             [contents of the server.crt]
             </ca>

          Note that we put the <ca> section after the <cert> section to make
          the fingerprint generation from step 4 still work, since it will only
          use the first certificate it finds.

       7. Import the file into the OpenVPN client or simply run
          openvpn alice.ovpn to start the VPN.

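       The server and client steps above, carried out end to end by one POSIX
       shell script. This is an added example, not part of the OpenVPN man page
       or project; it assumes an openssl binary (1.1.1 or 3.x) on PATH, and the
       hostname vpn.example.net, the output directory argument and the function
       names are its own inventions. It avoids the bash-only <(...) by writing
       the curve parameters to a file, lower-cases the fingerprint, and takes
       the client fingerprint from the finished .ovpn exactly as step 4 does,
       so the profile's inline <cert> block is what ends up pinned in
       server.conf.

```shell
#!/bin/sh
# Added example (not OpenVPN project code): build the peer-fingerprint setup.
# Assumes "openssl" on PATH; names and the host vpn.example.net are made up.
set -eu

# Self-signed secp384r1 certificate: writes <name>.key and <name>.crt in $dir.
gen_selfsigned() {
    dir=$1; name=$2
    openssl ecparam -name secp384r1 -out "$dir/ec.params"
    openssl req -x509 -newkey "ec:$dir/ec.params" -nodes -sha256 -days 3650 \
        -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.crt"
    chmod 600 "$dir/$name.key"   # -nodes leaves the key unencrypted
}

# SHA256 fingerprint of the first CERTIFICATE block in a file, lower-case, in
# the aa:bb:... form peer-fingerprint expects. Works on a .crt and on an .ovpn
# with an inline <cert> block: the PEM reader skips everything that is not
# between the certificate's BEGIN/END markers.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2 | tr 'A-F' 'a-f'
}

# Client profile with inline key and cert, pinning the server's fingerprint.
write_client_profile() {
    dir=$1; name=$2; server_host=$3; server_fp=$4
    {
        printf 'client\nremote %s\nnobind\ndev tun\ntun-mtu 1400\n' "$server_host"
        printf '<key>\n'; cat "$dir/$name.key"; printf '</key>\n'
        printf '<cert>\n'; cat "$dir/$name.crt"; printf '</cert>\n'
        printf 'peer-fingerprint %s\n' "$server_fp"
    } > "$dir/$name.ovpn"
}

# Server config whose <peer-fingerprint> block lists every fingerprint given.
write_server_conf() {
    dir=$1; shift
    {
        printf 'cert server.crt\nkey server.key\ndh none\ndev tun\nproto udp6\n'
        printf 'server 10.8.0.0 255.255.255.0\nserver-ipv6 fd00:6f76:706e::/64\n'
        printf 'tun-mtu 1400\nexplicit-exit-notify 1\nkeepalive 60 300\n'
        printf '<peer-fingerprint>\n'
        for fp in "$@"; do printf '%s\n' "$fp"; done
        printf '</peer-fingerprint>\n'
    } > "$dir/server.conf"
}

# Build server + one client (alice) into $1 and print both fingerprints.
build_setup() {
    dir=$1
    gen_selfsigned "$dir" server
    gen_selfsigned "$dir" alice
    server_fp=$(cert_fingerprint "$dir/server.crt")
    write_client_profile "$dir" alice vpn.example.net "$server_fp"
    # Fingerprint taken from the profile, as in step 4 of "Adding a client".
    alice_fp=$(cert_fingerprint "$dir/alice.ovpn")
    write_server_conf "$dir" "$alice_fp"
    printf 'server %s\nalice  %s\n' "$server_fp" "$alice_fp"
}
```

       Usage: build_setup /tmp/vpn, then copy server.conf, server.crt and
       server.key to /etc/openvpn/server and hand alice.ovpn to the client.
       Adding a second client is one more gen_selfsigned, one more
       write_client_profile and an extra fingerprint argument to
       write_server_conf, followed by a server restart.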

EXAMPLES
       Prior to running these examples, you should have OpenVPN installed on
       two machines with network connectivity between them. If you have not
       yet installed OpenVPN, consult the INSTALL file included in the OpenVPN
       distribution.

   Firewall Setup:
       If firewalls exist between the two machines, they should be set to
       forward the port OpenVPN is configured to use, in both directions. The
       default for OpenVPN is 1194/udp. If you do not have control over the
       firewalls between the two machines, you may still be able to use
       OpenVPN by adding --ping 15 to each of the openvpn commands used below
       in the examples (this will cause each peer to send out a UDP ping to
       its remote peer once every 15 seconds, which will cause many stateful
       firewalls to forward packets in both directions without an explicit
       firewall rule).

       Please see your operating system guides for how to configure the
       firewall on your systems.

   VPN Address Setup:
       For purposes of our example, our two machines will be called
       bob.example.com and alice.example.com. If you are constructing a VPN
       over the internet, then replace bob.example.com and alice.example.com
       with the internet hostname or IP address that each machine will use to
       contact the other over the internet.

       Now we will choose the tunnel endpoints. Tunnel endpoints are private
       IP addresses that only have meaning in the context of the VPN. Each
       machine will use the tunnel endpoint of the other machine to access it
       over the VPN. In our example, the tunnel endpoint for bob.example.com
       will be 10.4.0.1 and for alice.example.com, 10.4.0.2.

       Once the VPN is established, you have essentially created a secure
       alternate path between the two hosts which is addressed by using the
       tunnel endpoints. You can control which network traffic passes between
       the hosts (a) over the VPN or (b) independently of the VPN, by choosing
       whether to use (a) the VPN endpoint address or (b) the public internet
       address, to access the remote host. For example if you are on
       bob.example.com and you wish to connect to alice.example.com via ssh
       without using the VPN (since ssh has its own built-in security) you
       would use the command ssh alice.example.com. However in the same
       scenario, you could also use the command telnet 10.4.0.2 to create a
       telnet session with alice.example.com over the VPN, which would rely on
       the VPN rather than ssh to secure the session.

       You can use any address you wish for the tunnel endpoints but make sure
       that they are private addresses (RFC 1918 ranges such as 10.0.0.0/8 or
       192.168.0.0/16) and that they are not part of any existing subnet on
       the networks of either peer, unless you are bridging. If you use an
       address that is part of your local subnet for either of the tunnel
       endpoints, you will get a routing loop.

   Example 1: A simple tunnel without security (not recommended)
       Without --secret, TLS or peer-fingerprint the tunnel is neither
       encrypted nor authenticated (OpenVPN logs a warning to that effect):
       anyone who can reach the UDP port can read and inject tunnel traffic.
       Use this only to check basic connectivity.

       On bob:

          openvpn --remote alice.example.com --dev tun1 \
                   --ifconfig 10.4.0.1 10.4.0.2 --verb 9

       On alice:

          openvpn --remote bob.example.com --dev tun1 \
                   --ifconfig 10.4.0.2 10.4.0.1 --verb 9

       Now verify the tunnel is working by pinging across the tunnel.

       On bob:

          ping 10.4.0.2

       On alice:

          ping 10.4.0.1

       The --verb 9 option will produce verbose output, similar to the
       tcpdump(8) program. Omit the --verb 9 option to have OpenVPN run
       quietly.

   Example 2: A tunnel with self-signed certificates and fingerprint
       First build a self-signed certificate on bob and display its
       fingerprint.

          openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout bob.pem -out bob.pem -nodes -sha256 -days 3650 -subj '/CN=bob'
          openssl x509 -noout -sha256 -fingerprint -in bob.pem

       and the same on alice:

          openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout alice.pem -out alice.pem -nodes -sha256 -days 3650 -subj '/CN=alice'
          openssl x509 -noout -sha256 -fingerprint -in alice.pem

       These commands will build a text file called bob.pem or alice.pem (in
       ascii format) that contains both the self-signed certificate and the
       key (when -keyout and -out name the same file, openssl appends the
       certificate after the key) and show the fingerprint of the
       certificate. Transfer the fingerprints over a secure medium such as by
       using the scp(1) or ssh(1) program; the .pem files themselves contain
       the private keys and stay on their own hosts.

       In the commands below $fingerprint_of_alices_cert and
       $fingerprint_of_bobs_cert stand for the colon-separated hex string
       printed after Fingerprint= on the other host.

       On bob:

          openvpn --ifconfig 10.4.0.1 10.4.0.2 --tls-server --dev tun --dh none \
                  --cert bob.pem --key bob.pem --cipher AES-256-GCM \
                  --peer-fingerprint "$fingerprint_of_alices_cert"

       On alice:

          openvpn --remote bob.example.com --tls-client --dev tun1   \
                  --ifconfig 10.4.0.2 10.4.0.1 --cipher AES-256-GCM  \
                  --cert alice.pem --key alice.pem                   \
                  --peer-fingerprint "$fingerprint_of_bobs_cert"

       Now verify the tunnel is working by pinging across the tunnel.

       On bob:

          ping 10.4.0.2

       On alice:

          ping 10.4.0.1

       Note: This example uses an elliptic curve key (secp384r1), which allows
       --dh to be set to none, as the TLS handshake then uses ECDHE and no
       classic Diffie Hellman parameters are needed.

   Example 3: A tunnel with full PKI and TLS-based security
       For this test, we will designate bob as the TLS client and alice as the
       TLS server.

       Note:  The client or server designation only has meaning for the TLS
              subsystem. It has no bearing on OpenVPN's peer-to-peer,
              UDP-based communication model.

       First, build a separate certificate/key pair for both bob and alice
       (see the --cert option in openvpn(8) for more info). Then construct
       Diffie Hellman parameters (see --dh in openvpn(8) for more info). You
       can also use the included test files client.crt, client.key,
       server.crt, server.key and ca.crt. The .crt files are
       certificates/public-keys, the .key files are private keys, and ca.crt
       is a certification authority that has signed both client.crt and
       server.crt. For Diffie Hellman parameters you can use the included
       file dh2048.pem.

       WARNING:
              All client, server, and certificate authority certificates and
              keys included in the OpenVPN distribution are totally insecure
              and should be used for testing only.

       On bob:

          openvpn --remote alice.example.com --dev tun1    \
                  --ifconfig 10.4.0.1 10.4.0.2             \
                  --tls-client --ca ca.crt                 \
                  --cert client.crt --key client.key       \
                  --reneg-sec 60 --verb 5

       On alice:

          openvpn --remote bob.example.com --dev tun1      \
                  --ifconfig 10.4.0.2 10.4.0.1             \
                  --tls-server --dh dh2048.pem --ca ca.crt \
                  --cert server.crt --key server.key       \
                  --reneg-sec 60 --verb 5

       Now verify the tunnel is working by pinging across the tunnel.

       On bob:

          ping 10.4.0.2

       On alice:

          ping 10.4.0.1

       Notice the --reneg-sec 60 option we used above. That tells OpenVPN to
       renegotiate the data channel keys every minute. Since we used --verb 5
       above, you will see status information on each new key negotiation.

       For production operations, a key renegotiation interval of 60 seconds
       is probably too frequent. Omit the --reneg-sec 60 option to use
       OpenVPN's default key renegotiation interval of one hour.

       With a real CA, any certificate it has issued, including every client
       certificate, passes the --ca check on both sides. To stop one client's
       certificate from being used to impersonate the server, add
       --remote-cert-tls server on the TLS client (and --remote-cert-tls
       client on the TLS server). That requires the certificates to carry the
       matching extendedKeyUsage (serverAuth or clientAuth), which easy-rsa
       sets for you.

   Routing:
       Assuming you can ping across the tunnel, the next step is to route a
       real subnet over the secure tunnel. Suppose that bob and alice have two
       network interfaces each, one connected to the internet, and the other
       to a private network. Our goal is to securely connect both private
       networks. We will assume that bob's private subnet is 10.0.0.0/24 and
       alice's is 10.0.1.0/24.

       First, ensure that IP forwarding is enabled on both peers. On Linux,
       enable routing:

          echo 1 > /proc/sys/net/ipv4/ip_forward

       This setting is not persistent. Please see your operating system's
       documentation on how to properly configure IP forwarding so that it
       survives a reboot (on Linux, net.ipv4.ip_forward = 1 in a file under
       /etc/sysctl.d/).

       If your system is configured with a firewall, please see your
       operating system's guide on how to configure the firewall. You
       typically want to allow traffic coming from and going to the tun/tap
       adapter OpenVPN is configured to use, and forwarding between that
       adapter and the private network interface.

       On bob:

          route add -net 10.0.1.0 netmask 255.255.255.0 gw 10.4.0.2

       On alice:

          route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.4.0.1

       (route is the legacy net-tools command; current Linux systems use the
       iproute2 ip route command for the same purpose.)

       Now any machine on the 10.0.0.0/24 subnet can access any machine on the
       10.0.1.0/24 subnet over the secure tunnel (or vice versa), provided the
       hosts on each private subnet route the other subnet via bob or alice.

       In a production environment, you could put the route command(s) in a
       script and execute it with the --up option, or let OpenVPN add the
       route itself with --route 10.0.1.0 255.255.255.0 on bob (and the
       mirror image on alice), which also removes it again on exit.

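       An --up script for this routing setup, as an added example that is not
       part of the OpenVPN man page or project. OpenVPN exports the tunnel
       device and the peer's endpoint address to the script as $dev and
       $ifconfig_remote, so one script serves both bob and alice; the remote
       subnet is passed as the script's own first argument (OpenVPN appends its
       standard arguments after it). It assumes Linux with iproute2 and sysctl
       and a script path of /etc/openvpn/site-up.sh; the name site-up.sh and
       the DRY_RUN switch are this example's own.

```shell
#!/bin/sh
# Added example (not OpenVPN project code): --up script that enables
# forwarding and routes the remote site through the tunnel peer.
#
# Invoke from openvpn on bob as
#   openvpn ... --script-security 2 --up "/etc/openvpn/site-up.sh 10.0.1.0/24"
# and on alice with 10.0.0.0/24. Assumes Linux with iproute2 and sysctl.
set -eu

# Run a command, or only print it when DRY_RUN=1 (lets the script be
# checked without root and without a tunnel).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Enable forwarding for this boot; make it persistent in /etc/sysctl.d/.
enable_forwarding() {
    run sysctl -q -w net.ipv4.ip_forward=1
}

# Route the remote site's subnet via the peer's tunnel endpoint.
# "replace" keeps re-running the script (e.g. on reconnect) idempotent.
add_site_route() {
    subnet=$1; gateway=$2; device=$3
    run ip route replace "$subnet" via "$gateway" dev "$device"
}

# Entry point: $1 is the remote subnet; $dev and $ifconfig_remote are the
# environment variables OpenVPN sets for --up scripts in --ifconfig mode.
site_up() {
    subnet=$1
    device=${dev:?"dev not set: run this from openvpn --up"}
    gateway=${ifconfig_remote:?"ifconfig_remote not set: use --ifconfig"}
    enable_forwarding
    add_site_route "$subnet" "$gateway" "$device"
}

# Only act when executed as the script itself, so it can also be sourced.
case "${0##*/}" in
    site-up.sh) site_up "${1:?usage: site-up.sh REMOTE_SUBNET}" ;;
esac
```

       DRY_RUN=1 dev=tun1 ifconfig_remote=10.4.0.2 sh site-up.sh 10.0.1.0/24
       prints the two commands bob would run; the unset-variable checks make
       the script fail loudly if it is started outside of openvpn.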