VPN - Setting up OpenVPN Server - Part 2

Here's the second part of my previous post.

In this tutorial, we're going to finish up the OpenVPN setup. What's left to do is creating the client configuration file (.ovpn), which contains all the information the OpenVPN client needs to establish a VPN connection. We're also going to look at the actual client software setup on Windows, Linux, Android, iOS and OSX.

The final part of the tutorial is probably going to be released sometime later this month. It's going to cover more advanced OpenVPN features such as password-protected client certificates, adding SSL from a Top-Level CA, and how to configure a site-to-site VPN connection between two networks.

Welcome, to OpenVPN Server Setup Part II



Table of Contents
I. Creating OVPN configuration file
II. Client setup on Windows
III. Client setup on Linux
IV. Client setup on Android
V. Client setup on iOS
VI. Client setup on OSX
VII. End Note

I. Creating OVPN configuration file

1. Editing the template .ovpn file

Before proceeding, please make sure you followed the OpenVPN server setup from my previous post. The commands from this point on will only work on a very similar or identical machine.

That said, let's begin. First, create a directory for storing client files on your server:

> mkdir -p ~/client-configs/files

We should also lock down the directory, since the files stored there will contain client private keys:

> sudo chmod 700 ~/client-configs/files

Next, copy the template configuration file. We are going to use it as a base for further edits:

> cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf

Ok, now the real fun begins. As we discussed earlier, we need a public IP address for the VPN to work. If you're unsure what it is, you probably don't have one and you'll need to contact your ISP to obtain it. Open the template config file we copied for editing:

> sudo nano ~/client-configs/base.conf

 Next, find the remote line and replace server_IP_address with your public IP. Remember to leave the port number (1194) as it is.

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote server_IP_address 1194

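Continuing on, uncomment the user nobody and group nogroup lines (remove the leading ;). After the connection is set up, the client drops root privileges and runs as this unprivileged user.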

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup

Find the lines ca ca.crt, cert client.crt and key client.key and comment them all out (add #), as we're going to include their contents inside the .ovpn file later in this tutorial.

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
#ca ca.crt
#cert client.crt
#key client.key

Next, find the cipher line and mirror the changes we made to the server.conf file in the previous post. Remember to include the key-direction 1 line.

cipher AES-128-CBC
auth SHA256
key-direction 1 

Finally, exit the editor and save the changes by pressing CTRL+X


2. Configuration Script

We are going to use a script which I wrote some time ago for merging the template ovpn, ca.crt, client.crt and client.key files. First, create a new file by running:

> nano ~/client-configs/make_config.sh

Inside, paste the following code. Save and exit by pressing CTRL+X

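#!/bin/bash
# Usage: ./make_config.sh <client-name>
# Merges base.conf with the CA certificate, the client certificate and key,
# and the tls-auth key into a single <client-name>.ovpn file.
KDIR=~/openvpn-ca/keys
ODIR=~/client-configs/files
BASE=~/client-configs/base.conf

# Stop if no client name was given.
[ -n "${1}" ] || { echo "Usage: ${0} <client-name>" >&2; exit 1; }

cat "${BASE}" \
    <(echo -e '<ca>') \
    "${KDIR}/ca.crt" \
    <(echo -e '</ca>\n<cert>') \
    "${KDIR}/${1}.crt" \
    <(echo -e '</cert>\n<key>') \
    "${KDIR}/${1}.key" \
    <(echo -e '</key>\n<tls-auth>') \
    "${KDIR}/ta.key" \
    <(echo -e '</tls-auth>') \
    > "${ODIR}/${1}.ovpn"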

To finish up, make the script executable.

> sudo chmod 700 ~/client-configs/make_config.sh


3. The OVPN file

If you followed the guide from the very beginning, you should have all the files necessary for the next step in the ~/client-configs directory.

First, make sure you're in the correct directory by running:

> cd ~/client-configs

Next, run the script we created earlier and point it to the client1 files from the previous post.

> ./make_config.sh client1

If nothing goes wrong, you should end up with a client1.ovpn file in the ~/client-configs/files directory.

Use your favourite file browser (either local or remote such as FileZilla) to move the client1.ovpn file off your server and save it for future use by the VPN clients. The file contains the client's private key, so transfer it over an encrypted channel such as SFTP. The OpenVPN server setup is complete!
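Before handing the file to a client, it is worth checking that the merge actually produced what steps 1 to 3 describe. The following is an added example, not part of the original post: a hypothetical `check_ovpn` function that verifies the base.conf edits and the inline blocks written by make_config.sh. `sample_ovpn` builds a constructed test file with placeholder bodies instead of real key material, and 203.0.113.10 is a documentation address.

```bash
#!/bin/bash
# check_ovpn FILE: prints each problem found, returns 0 only for a clean file.
check_ovpn() {
    local f="$1" rc=0 d tag n
    [ -r "$f" ] || { echo "cannot read $f"; return 2; }
    # The placeholder from the template must have been replaced.
    if grep -Eq '^[[:space:]]*remote[[:space:]]+server_IP_address([[:space:]]|$)' "$f"; then
        echo "remote still set to server_IP_address"; rc=1
    fi
    # Settings added to base.conf in step 1.
    for d in 'cipher AES-128-CBC' 'auth SHA256' 'key-direction 1'; do
        grep -Eq "^[[:space:]]*$d[[:space:]]*\$" "$f" || { echo "missing: $d"; rc=1; }
    done
    # ca/cert/key must not point at external files; the material is inline.
    if grep -Eq '^[[:space:]]*(ca|cert|key)[[:space:]]+[^[:space:]]' "$f"; then
        echo "uncommented ca/cert/key file directive"; rc=1
    fi
    # Every inline block must hold exactly one PEM/static-key body. A wrong
    # client name makes cat skip the missing file and leave the block empty.
    for tag in ca cert key tls-auth; do
        n=$(awk -v t="$tag" '$0 == ("<" t ">") {on=1; next} $0 == ("</" t ">") {on=0}
                             on && /^-----BEGIN /{c++} END {print c+0}' "$f")
        [ "$n" -eq 1 ] || { echo "<$tag> block missing or empty"; rc=1; }
    done
    # The file embeds the client's private key: no group/other access.
    [ "$(ls -l "$f" | cut -c5-10)" = "------" ] || { echo "group/other can access $f"; rc=1; }
    return $rc
}

# Constructed sample with placeholder bodies (not real key material).
# $1 = text placed inside <cert>; empty reproduces a typo in the client name.
sample_ovpn() {
    printf 'remote 203.0.113.10 1194\ncipher AES-128-CBC\nauth SHA256\nkey-direction 1\n'
    printf '<ca>\n-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n</ca>\n'
    printf '<cert>\n%s\n</cert>\n' "$1"
    printf '<key>\n-----BEGIN PRIVATE KEY-----\nMIIE\n-----END PRIVATE KEY-----\n</key>\n'
    printf '<tls-auth>\n-----BEGIN OpenVPN Static key V1-----\n0a1b\n'
    printf -- '-----END OpenVPN Static key V1-----\n</tls-auth>\n'
}

# Demo: a merged file whose <cert> block came out empty.
demo=$(mktemp); sample_ovpn '' > "$demo"; chmod 600 "$demo"
check_ovpn "$demo" || echo "-> do not ship this file"
rm -f "$demo"
```

On the server, run it as `check_ovpn ~/client-configs/files/client1.ovpn` after make_config.sh. With the common default umask of 022 the generated file is readable by group and others inside the 700 directory, so expect the last check to fire until you `chmod 600` the file.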

NOTE: The following part is intended for complete newbies. Please do not be offended by the details described below... You won't imagine what sometimes you have to explain to the users... 

II. Client setup on Windows

First, download the client setup file from the following link:

OpenVPN Windows Client

After the download finishes, double click the installer file (openvpn-install-2.4.4-I601.exe).

Nothing to do on the first screen, press Next.

Read carefully (lol nope) the license agreement and after selecting the checkbox, click Next.

Select the install location and click Next.

Another useless screen... press Install.

Agree to add a virtual network adapter to your system. It is going to be used during every connection with our VPN (it's really similar to a Linux tunnel interface).

Press Finish to close the installation.

After getting the client onto our system, we can transfer the client1.ovpn file from the previous point to a secure location such as C:\VPN\Certs

Launch the VPN by double clicking the ovpn file. After a while, you should see a green lock icon on the taskbar - installation complete. You're connected to the VPN.

III. Client Setup on Linux

Connect to your Linux machine and open the terminal emulator by pressing Win+T or opening it up through GUI. You can obviously skip this part if you're working on a terminal-only Linux.

Download the OpenVPN client. Some Linux distributions might have it already included by default. You might need the root permissions for running the commands below.

> apt-get update
> apt-get install openvpn    # Debian-based distros
> yum install openvpn        # Red Hat/Fedora-based
> pacman -S openvpn          # Arch-based

Transfer the client1.ovpn file from point I to a secure location such as ~/openvpn

Start the OpenVPN connection by running (again, root access might be required):

> openvpn --config ~/openvpn/client1.ovpn

If you want OpenVPN to run in the background, add the --daemon switch at the end of the command.

> openvpn --config ~/openvpn/client1.ovpn --daemon

You can check whether OpenVPN established the connection successfully by listing all active interfaces in your system (commands: ifconfig, ip addr etc.). If an interface such as tun0/tunnel0/etc. is there, it means your VPN connection is up.

If you want OpenVPN to start automatically with the OS, you can paste the above command into a boot script such as /etc/rc.local

IV. Client Setup on Android

Before starting, download the client1.ovpn file from point I onto your phone. Place it in an easy-to-find place such as ~/Download

First, open up Google Play app and search for "OpenVPN Connect". Press INSTALL to download it.


Accept the file access request to start the installation.



Open up the newly installed app. Select the option menu in the upper right corner of your screen and select Import.


In the next window, browse for your client1.ovpn file. As we didn't set up a password on it, you should already be back in the main menu. Press the Connect button.


You are probably going to see the following warning. Click Continue on it. The only way to get rid of it is securing the VPN with SSL from Top-Level CA.


If you see the following - congratulations - you are connected to the VPN.

V. Client Setup on iOS (iPhone/iPad)

Before starting, download the client1.ovpn file from point I onto your iPhone. Place it in an easy-to-find place such as the Downloads folder.

First, open up your App Store and search for OpenVPN Connect app. Click the Install button to download & install it.


Second, open up the client1.ovpn file using the built-in file browser. You should see the following warning:


At this point, the OpenVPN connection should be established automatically. You can double check it by opening up the OpenVPN Connect app. If you see the green tick, you're connected!

VI. Client Setup on OSX (Macbook, Mac etc.)

As easy as it gets, I won't be going into details as I don't have a Macbook handy.

Download and install Tunnelblick

Transfer the client1.ovpn file from point I to your machine and place it somewhere safe, e.g. the Documents folder.

Double click the client1.ovpn file - it should automatically open up the Tunnelblick app and connect to the VPN. Done.

VII. End Notes

Well, that was an easy post to write.

I hope you found the tutorial easy enough to follow. If you had any issues along the way (especially in the Part I), you can try giving my script from GitHub a go: OpenVPN Install Script - It's basically skipping everything up to point II of this post. After running it you should have a basic OpenVPN server ready in less than 5min, however...

...for choosing the easy path ;)

The final part of the OpenVPN setup series should be finished soon.
I hope your OS won't crash today,
P.W.

