Setting up OpenVPN server

Please read through the entire tutorial BEFORE doing anything. If you do not read through this you might end up with some unanswered questions on how to do something, that is actually described further down. Thanks.

Test setup: XEN based VPS. 256 slice from Slicehost running Debian Lenny 64-bit

Let’s get started!

The first thin you want to do is install OpenVPN:

apt-get update && apt-get install -y openvpn

If everything above goes as it should, OpenVPN is now installed and we will continue to configuring it.

The following 4 commands will go to the configuration directory, copy easy-rsa (which we will use), copy a sample of the configuration file and unpack the sample.

cd /etc/openvpn
cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* .
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz .
gunzip server.conf.gz

Now that these files are in place it’s time to start creating keys and configuration. For this we will use the easy-rsa package supplied by OpenVPN. This package makes the creation and signing of keys much easier.

Next thing we are going to do is set the variables for easy-rsa to use. These must be set every time you want to use easy-rsa if you have been logged out!

. ./vars
source ./vars

Make sure that our directory for keys exists, has the correct settings and such. Note! If  you have any keys at this point, they will be removed!


Set up your Certificate Authority


We need a certificate and a key for the server itself, let’s build those. The second argument is the name of the server. If you choose to change this from server (there’s not really a reason to do so), then remember to change this as well in the config changes we make later on.

During the build-key-server process you will be asked for various information, you can choose to change this if you want, but for the setup to work it is not necessary. Just make sure that Common Name is server

./build-key-server server

We need to build the Diffie-Hellman parameters.


We are basically done with building the server now, but at this point no users will be able to log on and use the VPN. We use the build-key command (remember that vars MUST be set for this to work, if you want to create users at a later time). I will create a user called “fbh” for myself.

Again, I will be asked for some information and again I can choose whether to enter this or not.

./build-key fbh

Next thing we need to do is edit the server configuration file to know where these keys are located, use your favorite editor and open the server.conf file and find the part that holds paths to keys. Change it as following. (Note! If you change the servername from “server” above, this is where you need to change the keyname)

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key

# And a little further down

dh /etc/openvpn/keys/dh1024.pem

For now, leave all other parameters  at the default.

You are now done with a basic OpenVPN server. If the LAN you are connected to uses the range currently, you should edit the server.conf file and find the line that says “server” and change it to something else, otherwise you will encounter a conflict!

Tunnel internet access through the VPN as well

With the above setup you will be connected via VPN to the network of the VPN server, however you will not be browsing the internet through the VPN server. As you might think, this configuration is not done in the client. You will need some changes to the OpenVPN server for this to work, as the server pushes configuration to the client.

Again, edit /etc/openvpn/server.conf and add the following line to it:

push “redirect-gateway def1”

Now it will set the client’s default gateway to go through the OpenVPN server upon connect – however, it will not work yet and there are multiple things to this.

At first, you might currently be using your ISP’s DNS servers, and they will probably not allow you to do recursive lookups when not connected through their network. So you need to push a set of open DNS server as well, or set up your own on the server (this tutorial does not cover that). In this tutorial we will use Level 3 Communications DNS, as they have a set of free, public DNS servers that responds quickly. Add these lines to your configuration:

push “dhcp-option DNS”
push “dhcp-option DNS”
push “dhcp-option DNS”

We’re getting closer now, but it might STILL not work. Also, you must have NAT between eth0 and tun0 enabled in iptables. You will need to know the name of your public interface to do this. In most cases it’s eth0. To enable it run these commands:

/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o tun0 -m state –state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT

If you want these to be run whenever the server reboots, to make sure this works, add the 3 lines to /etc/rc.local before the “exit 0” line. This script is being run every time a multiuser level is started up on the server.

Almost there! The last thin you need is to enable forwarding, do this with:

echo 1 > /proc/sys/net/ipv4/ip_forward

And done! Restart OpenVPN and make sure that it starts up

/etc/init.d/openvpn restart

Your VPN server is now able to tunnel connections and you are able to connect to the internet through it.

When I have the time, I will be publishing a tutorial on setting up clients as well.