OPENVPN - The Easy Tutorial - Tutorial

Last Change : Dec 07 2010


INSTALL OPENVPN:

Follow the OpenVPN installation tutorial.

CLIENT/SERVER ARCHITECTURE:

Of the two OpenVPN boxes, one must be declared as the server and the other as the client. In some scenarios either box can play either role, but in others you must specifically choose which device is the client and which is the server. Let us see when.
Before the SSL VPN is established, the client first reaches the server on a specific port, whereas the server never needs to reach the client. Take the example where you are in a professional environment and want to establish a VPN with a device connected directly to the Internet, say a box at your home.
In this frequent case, the client can reach the server but not the reverse. This is because the client sits in a local network and reaches the Internet through a proxy or firewall which substitutes its own IP address, or another one (Hide NAT), for the source IP address.
Nevertheless, once the tunnel is created, bi-directional traffic inside it is of course possible.

[Figure: hide NAT]

CONFIGURATION FILE:

Create a file where you store your OpenVPN configuration.
In our example, we will call this file config.txt and save it in the /home/user/ or "C:\Program Files\OpenVPN\config\" directory depending on whether it is a Linux/Unix or Microsoft machine.

The configuration settings are presented in the next paragraphs.

CLIENT/SERVER DESIGNATION:

SERVER:
# SERVER IP ADDRESS
# The client WAN IP address is not
# needed
#

CLIENT:
# SERVER IP ADDRESS
remote 100.0.0.1
TUNNEL MODE:

You can choose between an IP (TUN driver) and an Ethernet (TAP driver) tunnel.
IP tunneling is also referred to as routed mode, and Ethernet tunneling as bridged mode.
Prefer the IP tunnel mode (the default) unless you need to pass Ethernet traffic such as NetBIOS inside the tunnel.

TUNNEL PORT:

The default source and destination tunnel port is UDP 1194. Keep the default unless firewall constraints force you to change it.
Prefer UDP. Using TCP can lead to degraded performance.

As most applications use TCP, opting for TCP tunneling creates a TCP-over-TCP tunnel. This is not recommended: when packets are retransmitted on the inner TCP connection, retransmissions also occur on the outer one, and the two layers interfere with each other, leading to poor performance such as high response times. Thus prefer UDP to carry your applications since, unlike TCP, it adds no error-checking overhead of its own.
Read this article to get details about the problems with TCP over TCP tunnels.

SERVER and CLIENT:
# TCP OR UDP TUNNEL
# TCP tunnel
proto tcp
# UDP tunnel is recommended
proto udp
# use TCP or UDP but not both
#
# TCP OR UDP PORT
port 1194

FIREWALL SETTINGS:

You must make sure that the OpenVPN client IP address can reach the OpenVPN server IP address on the chosen TCP/UDP port.
Here is an example of a security rule that can be implemented on the firewall illustrated in the picture below.

[Picture: firewall security rule example]

Because of the simplicity of OpenVPN configurations, problems establishing a connection are most often due to IP or port restrictions on the client and/or server side.

ETHERNET/IP TUNNEL:

You can choose to build either Ethernet (bridged) or IP (routed) VPNs using the TAP or TUN network driver respectively. TAP/TUN are available on all platforms and are already bundled with the Linux 2.4 kernel or higher.
Prefer TUN (the default) unless you need to pass Ethernet traffic such as NetBIOS inside the VPN.

To check whether or not the TUN/TAP drivers are properly loaded:

#lsmod | grep tun
tun 12672 1

Note that the "tun" module also provides the TAP driver.
If the command returns nothing, load the kernel module as follows:

#modprobe tun

SERVER and CLIENT:
# ETHERNET OR IP TUNNEL
# "dev tun" will create a routed IP tunnel
dev tun
# "dev tap" will create an Ethernet tunnel
dev tap
# use "dev tun" or "dev tap" but not both

OPENVPN SECURITY ARCHITECTURE:

Transparent tunnel:

OpenVPN just tunnels the data without authentication, confidentiality or integrity. In other words there are no security checks whatsoever, and the data can be read as it passes through the tunnel.

SERVER and CLIENT:
# Client AND Server configs
# No integrity (hash function
# algorithm)
auth none
# No encryption (cipher algorithm)
cipher none

Preshared keys:

A secret and permanent key is shared between the VPN gateways.

First create the preshared key with the preshared key creation tutorial.

SERVER and CLIENT:
# PRESHARED KEY
# (the OpenVPN directive for a static
# preshared key file is "secret")
# Linux system
secret /home/user/openvpn/key.txt
# Windows system
secret "C:\\Program Files\\OpenVPN\\config\\key.txt"
# use the Linux or the Windows line but not both

SSL/TLS:

- SSL/TLS server or client:

SERVER:
# SSL/TLS SERVER
tls-server

CLIENT:
# SSL/TLS CLIENT
tls-client
- Certificates and public keys:

Each device must have its private and public keys, the latter being included in a certificate.
The CA (Certification Authority) certificate must also be owned by each OpenVPN device.

See the PKI Tutorial to understand the Public Key Infrastructure and know how to create private keys and certificates.
SERVER:
# CERTIFICATES AND PRIVATE KEY
# Authority certificate (CA public key),
# never the CA private key
ca ca.crt
# Server certificate (server public key)
cert server.crt
# Server private key
key server.key

CLIENT:
# CERTIFICATES AND PRIVATE KEY
# Authority certificate (CA public key),
# never the CA private key
ca ca.crt
# Client certificate (client public key)
cert client.crt
# Client private key
key client.key
- Diffie-Hellman (DH) settings:

Once the OpenVPN peers are sure of each other's identity, DH can be used to create a shared secret key for the hash function and the cipher algorithm.
By combining its own DH private key with the other OpenVPN box's DH public key, each peer calculates a shared secret that only the two OpenVPN peers know.

See the SSL Tutorial to get information about how to create the DH settings.


SERVER:
# Diffie-Hellman settings
dh dh1024.pem

CLIENT:
# No DH setting on the client
#

This DH shared secret can be compared to the OpenVPN preshared key.
These keys will be used by the symmetric cipher and hash function algorithms shown in the next two paragraphs.

CIPHER ALGORITHM

SERVER and CLIENT:
# CIPHER ALGORITHM
cipher AES-256-CBC

- Confidentiality is ensured with symmetric ciphers such as 3DES or AES, which protect the data from being read.
The OpenVPN default cipher algorithm is Blowfish.
To check the available algorithms:

#openvpn --show-ciphers
DES-CBC 64 bit default key (fixed)
IDEA-CBC 128 bit default key (fixed)
RC2-CBC 128 bit default key (variable)
DES-EDE-CBC 128 bit default key (fixed)
DES-EDE3-CBC 192 bit default key (fixed)
DESX-CBC 192 bit default key (fixed)
BF-CBC 128 bit default key (variable)
RC2-40-CBC 40 bit default key (variable)
CAST5-CBC 128 bit default key (variable)
RC5-CBC 128 bit default key (variable)
RC2-64-CBC 64 bit default key (variable)
AES-128-CBC 128 bit default key (fixed)
AES-192-CBC 192 bit default key (fixed)
AES-256-CBC 256 bit default key (fixed)


CBC (Cipher Block Chaining) is a block cipher mode of operation used to encrypt data with a block cipher such as AES, DES or Blowfish. CBC chains each plaintext block with the previous ciphertext block instead of encrypting every block independently; other modes of operation are ECB, OFB and CFB. CBC mode is recommended.


HASH FUNCTION ALGORITHM

- Integrity uses hash function algorithms to protect the data from being altered.
HMAC is commonly used together with SHA1 or MD5.
The OpenVPN default hash function is HMAC-SHA1.
To check the available algorithms:

#openvpn --show-digests
MD2 128 bit digest size
MD5 128 bit digest size
RSA-MD2 128 bit digest size
RSA-MD5 128 bit digest size
SHA 160 bit digest size
RSA-SHA 160 bit digest size
SHA1 160 bit digest size
RSA-SHA1 160 bit digest size
DSA-SHA 160 bit digest size
DSA-SHA1-old 160 bit digest size
MDC2 128 bit digest size
RSA-MDC2 128 bit digest size
DSA-SHA1 160 bit digest size
RSA-SHA1-2 160 bit digest size
DSA 160 bit digest size
RIPEMD160 160 bit digest size
RSA-RIPEMD160 160 bit digest size
MD4 128 bit digest size
RSA-MD4 128 bit digest size


SERVER and CLIENT:
# HASH FUNCTION ALGORITHM
auth MD5

"openvpn --show-tls" displays the ciphers and message authentication codes (MAC) used during the SSL/TLS negotiation. They should not be confused with the cipher and MAC used to secure the OpenVPN tunnel itself.

IP ADDRESSES:

Choose the IP addresses you want to use inside the tunnel.

Static IP addresses:

In routed mode, two IP addresses (local and remote) inside a /30 (30-bit) subnet mask must be chosen.
In bridged mode, one IP address for the local OpenVPN box and a subnet mask that includes the server IP address are chosen.

SERVER:
# IP ADDRESSING
# IP mode example:
# Server IP: 10.8.0.1 ; Client IP: 10.8.0.2
ifconfig 10.8.0.1 10.8.0.2
# Bridge mode example
# Server IP: 10.8.0.1
ifconfig 10.8.0.1 255.255.255.0
# Use bridged or routed settings but not
# both
# Client and Server must use the same
# tunnel mode

CLIENT:
# IP ADDRESSING
# IP mode example:
# Server IP: 10.8.0.1 ; Client IP: 10.8.0.2
ifconfig 10.8.0.2 10.8.0.1
# Bridge mode example
# Client IP: 10.8.0.2
ifconfig 10.8.0.2 255.255.255.0
# Use bridged or routed settings but not
# both
# Client and Server must use the same
# tunnel mode
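As an added example (not from the tutorial), a POSIX shell check of the /30 rule for routed-mode endpoints: the two addresses given to "ifconfig LOCAL REMOTE" must lie in the same /30 block, differ, and avoid the block's network and broadcast addresses. The function names ip2int and ifconfig_pair_ok are this example's own.

```shell
#!/bin/sh
# Added example, not part of the tutorial or of OpenVPN. Checks that two
# routed-mode (dev tun) endpoints, as given to "ifconfig LOCAL REMOTE",
# form a valid /30 pair. Returns 0 when valid, 1 otherwise.

# Dotted-quad IPv4 -> 32-bit integer; returns 1 on a malformed address.
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ifconfig_pair_ok LOCAL REMOTE
ifconfig_pair_ok() {
    a=$(ip2int "$1") || { echo "bad address: $1"; return 1; }
    b=$(ip2int "$2") || { echo "bad address: $2"; return 1; }
    [ "$a" -ne "$b" ] || { echo "local and remote are identical"; return 1; }
    # A /30 holds 4 addresses, so both endpoints must share the upper 30 bits.
    [ $(( a >> 2 )) -eq $(( b >> 2 )) ] \
        || { echo "$1 and $2 are not in the same /30"; return 1; }
    # Offsets 0 and 3 within the block are its network and broadcast addresses.
    for x in "$a" "$b"; do
        case $(( x & 3 )) in
            0|3) echo "network/broadcast address of the /30 cannot be an endpoint"; return 1 ;;
        esac
    done
    echo "$1 <-> $2 is a valid /30 pair"
}

ifconfig_pair_ok 10.8.0.1 10.8.0.2        # the tutorial's example: valid
ifconfig_pair_ok 10.8.0.2 10.8.0.5 || true # different /30 blocks
ifconfig_pair_ok 10.8.0.3 10.8.0.2 || true # .3 is the block's broadcast address
```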
Dynamic IP addresses:

In this case, the server owns a static IP address and provides IP addresses to the clients as a DHCP server.

SERVER:
# DHCP SETTINGS
# DHCP range
# Server will take the first IP address
server 10.8.0.0 255.255.255.0

CLIENT:
# CLIENT ACCEPTS SERVER OPTIONS
# The client should accept options pushed
# by the server
pull

OPTIONAL SETTINGS:

OpenVPN offers a very large number of optional settings.
Refer to the OpenVPN man page for assistance.

LOG SETTINGS:

The log verbosity is configured from 0 (minimum) to 15 (maximum). For normal use, verbose levels between "2" and "4" already provide sufficient logs.

# Verbosity level.
# 0 -- quiet except for fatal errors.
# 1 -- mostly quiet, but displays non-fatal network errors.
# 3 -- medium output, good for normal operation.
# 9 -- verbose, good for troubleshooting

SERVER and CLIENT:
# LOG VERBOSITY
# log verbosity setting, 0=min 15=max
verb 3


OPENVPN USER:

For security reasons, it is always better to run software without root privileges.
You can reduce the OpenVPN daemon's privileges after initialization so that it runs as user "nobody".
Another useful security measure is to limit the files OpenVPN can access after initialization with "chroot".

Note that these two security settings are available on Linux/UNIX systems but not on Windows. Another reason to prefer open source tools like the Linux OS ...

SERVER and CLIENT:
# OPENVPN SECURITY - Linux only
# OpenVPN User
user nobody
# After initialization, OpenVPN can only
# access a directory
# The directory can be empty
# OpenVPN process limitation
chroot /etc/openvpn/
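As an added example (not part of the OpenManiak tutorial or of OpenVPN itself), a small POSIX shell linter that reads a config file such as config.txt before launch and flags the weak or contradictory settings discussed from the OPENVPN SECURITY ARCHITECTURE section through this one: "cipher none" or "auth none", several "proto" or "dev" lines, a "ca" line naming a .key file, and a missing "user" directive. The function names and finding labels are this example's own.

```shell
#!/bin/sh
# Added example, not part of the OpenManiak tutorial or of OpenVPN itself.
# Lints an OpenVPN config file for the weak or contradictory settings
# discussed above. Prints one line per finding and returns their count.

# Number of non-comment lines in file $1 whose first word is directive $2.
ovpn_count() {
    grep -v '^[[:space:]]*#' "$1" | awk -v d="$2" '$1 == d' | wc -l | tr -d ' '
}

# Argument of the first non-comment occurrence of directive $2 in file $1.
ovpn_value() {
    grep -v '^[[:space:]]*#' "$1" | awk -v d="$2" '$1 == d { print $2; exit }'
}

lint_openvpn_config() {
    cfg=$1; n=0
    # Transparent tunnel: traffic crosses the Internet readable and unauthenticated.
    [ "$(ovpn_value "$cfg" cipher)" = none ] &&
        { echo "WEAK: 'cipher none' disables confidentiality"; n=$((n + 1)); }
    [ "$(ovpn_value "$cfg" auth)" = none ] &&
        { echo "WEAK: 'auth none' disables integrity (no HMAC)"; n=$((n + 1)); }
    # Choices the tutorial says must not be combined in one config.
    [ "$(ovpn_count "$cfg" proto)" -gt 1 ] &&
        { echo "CONFLICT: several 'proto' lines (use TCP or UDP, not both)"; n=$((n + 1)); }
    [ "$(ovpn_count "$cfg" dev)" -gt 1 ] &&
        { echo "CONFLICT: several 'dev' lines (use tun or tap, not both)"; n=$((n + 1)); }
    # 'ca' must name the CA certificate; the CA private key never belongs on a VPN peer.
    case "$(ovpn_value "$cfg" ca)" in
        *.key|*.key\") echo "DANGER: 'ca' points at a .key file, not the CA certificate"; n=$((n + 1)) ;;
    esac
    # Privilege reduction after initialization (Linux/UNIX only).
    [ "$(ovpn_count "$cfg" user)" -eq 0 ] &&
        { echo "NOTE: no 'user' directive, the daemon keeps root privileges"; n=$((n + 1)); }
    return "$n"
}

# Demo on a constructed, deliberately bad config written to a temp file.
demo=$(mktemp)
printf 'proto tcp\nproto udp\ndev tun\ncipher none\nauth none\nca ca.key\n' > "$demo"
lint_openvpn_config "$demo" && echo "findings: 0" || echo "findings: $?"
rm -f "$demo"
```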
LAUNCH OPENVPN:

Use the following syntax to launch OpenVPN.

#openvpn path-to-config-file
Below are two examples with Linux and Windows. The config file is "config.txt":

#openvpn /home/teddybear/openvpn/config.txt
>openvpn "C:\Program Files\OpenVPN\config\config.txt"
LOG CHECK:

The log should end with the following line:

Initialization Sequence Completed

This indicates that the OpenVPN tunnel has been created successfully.

CONNECTIVITY TESTS:

Ping is a common utility to check IP connectivity.
Each VPN gateway should be able to ping the tunnel IP address of the other.
For example, in our scenario, we ping the client tunnel IP address from the server:

ping 10.8.0.2
OPENVPN PROCESS CHECK:

Coming soon ...


Here are some OpenVPN default values:

SETTING:           VALUE:
Src & dest port:   UDP 1194
Tunnel mode:       IP tunnel (tun mode)
Symmetric cipher:  Blowfish - CBC (128 bits)
Hash function:     HMAC - SHA1 (160 bits)
Compression:       NO
Tunnel MTU:        1500 bytes
Verbose mode:      0