Assume we have two Linux virtual machines, A and B, where A and B act as server and client for each other.

TLS Mode

Assume A acts as the server and B acts as the client.

TLS Server

  • Install OpenVPN on A:

    sudo apt-get install openvpn
    
  • The /usr/share/doc/openvpn/examples/sample-keys/ folder contains sample keys. On the server, copy ca.crt, server.key, server.crt, and dh2048.pem to /etc/openvpn/tls-server (create the directory first):

    sudo mkdir -p /etc/openvpn/tls-server
    sudo cp /usr/share/doc/openvpn/examples/sample-keys/{ca.crt,server.key,server.crt,dh2048.pem} /etc/openvpn/tls-server
    
  • Write the server configuration file, server.conf:

    port 1194
    proto udp
    dev tun0
    ca ca.crt
    cert server.crt
    key server.key
    dh dh2048.pem
    server 10.8.0.0 255.255.255.0
    keepalive 10 120
    user nobody
    group nogroup
    persist-key
    persist-tun
    verb 3
    
  • If using a TCP connection, modify the configuration to:

    port 1194
    proto tcp-server
    dev tun0
    ca ca.crt
    cert server.crt
    key server.key
    dh dh2048.pem
    server 10.8.0.0 255.255.255.0
    keepalive 10 120
    user nobody
    group nogroup
    persist-key
    persist-tun
    verb 3
    
  • Start the OpenVPN Server:

    cd /etc/openvpn/tls-server
    sudo openvpn --config server.conf
    
  • At this point, if you check the interface addresses, you should see a tun0 interface with the address 10.8.0.1.

TLS Client

  • Install OpenVPN on B:

    sudo apt-get install openvpn
    
  • From the /usr/share/doc/openvpn/examples/sample-keys/ directory on A, copy ca.crt, client.key, and client.crt to B (create the target directory first):

    # In B
    sudo mkdir -p /etc/openvpn/tls-client
    sudo scp [A_username]@[A_addr]:/usr/share/doc/openvpn/examples/sample-keys/{ca.crt,client.crt,client.key} /etc/openvpn/tls-client
    
  • Write client.conf:

    client
    dev tun0
    remote [A_addr] 1194 udp
    ca ca.crt
    cert client.crt
    key client.key
    user nobody
    group nogroup
    persist-key
    persist-tun
    verb 3
    
  • If using a TCP connection:

    client
    dev tun0
    remote [A_addr] 1194 tcp-client
    ca ca.crt
    cert client.crt
    key client.key
    user nobody
    group nogroup
    persist-key
    persist-tun
    verb 3
    
  • Run the OpenVPN Client:

    cd /etc/openvpn/tls-client
    sudo openvpn --config client.conf
    
  • At this point, run:

    ping 10.8.0.1
    

    If the ping succeeds, the OpenVPN tunnel has been established correctly.

PSK Mode

PSK mode doesn’t require complex key configuration and is simpler, but the security level is lower. Here, A acts as the Server and B acts as the Client.

PSK Server

  • Generate psk.key on A and copy it to B:

    # In A
    sudo mkdir -p /etc/openvpn/psk-server
    cd /etc/openvpn/psk-server
    sudo openvpn --genkey --secret psk.key
    
    # In B
    sudo mkdir -p /etc/openvpn/psk-client
    cd /etc/openvpn/psk-client
    sudo scp [A_username]@[A_addr]:/etc/openvpn/psk-server/psk.key .
    
  • Write server.conf:

    dev-type tun
    dev tun0
    ifconfig 10.8.0.6 10.8.0.1
    keepalive 10 120
    persist-tun
    secret psk.key
    verb 0
    # proto tcp-server
    

    If using a TCP connection, uncomment the last line.

  • Start OpenVPN:

    cd /etc/openvpn/psk-server
    sudo openvpn --config server.conf
    

PSK Client

  • Write client.conf:

    dev-type tun
    dev tun0
    remote [A_addr] 1194 udp
    ifconfig 10.8.0.1 10.8.0.6
    keepalive 10 120
    persist-tun
    secret psk.key
    verb 0
    
  • If using a TCP connection:

    dev-type tun
    dev tun0
    remote 10.10.200.120 1194 tcp-client
    ifconfig 10.8.0.1 10.8.0.6
    keepalive 10 120
    persist-tun
    secret psk.key
    verb 0
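A configuration check for the server and client files written in the TLS and PSK sections above, added here as an example that is not part of the original page: it reports TLS versus static-key (PSK) mode and the transport, flags a missing user directive and verb 0, and warns when a referenced key file is byte-identical to one of the package's sample keys in /usr/share/doc/openvpn/examples/sample-keys, which ship with every OpenVPN install and are therefore public (fine for this lab, never for a real deployment). The function name lint_ovpn_conf and the default sample-key directory are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: lint OpenVPN configs like the
# ones above. Usage: lint_ovpn_conf CONFIG [SAMPLE_KEY_DIR]
lint_ovpn_conf() {
    conf=$1
    sample_dir=${2:-/usr/share/doc/openvpn/examples/sample-keys}  # assumed default
    dir=$(dirname -- "$conf")
    # Drop comments and blank lines so "# proto tcp-server" is not counted.
    body=$(sed -e 's/[#;].*//' -e '/^[[:space:]]*$/d' "$conf")
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*secret[[:space:]]'; then
        echo "mode=psk"
        echo "WARN: static pre-shared key (secret): one key for both peers, no forward secrecy"
    else
        echo "mode=tls"
    fi
    # Transport: explicit "proto", else the 4th field of "remote", else udp.
    printf '%s\n' "$body" | awk '$1=="proto"{p=$2} $1=="remote"&&NF>=4{p=$4}
        END{if (p=="") p="udp"; print "proto=" p}'
    printf '%s\n' "$body" | grep -Eq '^[[:space:]]*user[[:space:]]' ||
        echo "WARN: no 'user' directive: the daemon keeps root after startup"
    printf '%s\n' "$body" | grep -Eq '^[[:space:]]*verb[[:space:]]+0([[:space:]]|$)' &&
        echo "WARN: verb 0 silences logging"
    # Compare every referenced key file with the package's public sample keys.
    printf '%s\n' "$body" | awk '$1 ~ /^(ca|cert|key|dh|secret)$/ {print $2}' |
    while read -r f; do
        case $f in /*) path=$f ;; *) path=$dir/$f ;; esac
        sample=$sample_dir/$(basename -- "$f")
        if [ -f "$path" ] && [ -f "$sample" ] && cmp -s "$path" "$sample"; then
            echo "WARN: $f is byte-identical to the shipped sample key (public)"
        fi
    done
}

# Constructed demo: a PSK client config like the one in the PSK section.
demo_dir=$(mktemp -d)
cat > "$demo_dir/client.conf" <<'EOF'
dev-type tun
dev tun0
remote [A_addr] 1194 tcp-client
ifconfig 10.8.0.1 10.8.0.6
secret psk.key
verb 0
EOF
lint_ovpn_conf "$demo_dir/client.conf"
rm -r "$demo_dir"
```

Run it against /etc/openvpn/tls-server/server.conf on A after the copy step: with the sample keys in place it reports every one of ca.crt, server.crt, server.key and dh2048.pem as a shipped sample key.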