How to configure OpenVPN

 29 / January / 2006 by Riley

OpenVPN is a tried and true VPN solution. It is totally secure and infinitely configurable. You can install and run this software without relying on a third party. The fact that it’s open source and free really makes it stand out though. OpenVPN can be a little daunting to configure the first time you jump into it, but once you get your configuration worked out, it’s a pleasure to use. Once you have the software running on your network, it’s possible to seamlessly perform a great number of tasks. One of the most popular and practical uses for OpenVPN is to enable secure surfing and home network access when out travelling or on an open wifi access point. It can also be used to connect separate remote networks together into one large network that is fully routable. There’s really no limit to what you can do with OpenVPN.

For the purposes of this article I am going to demonstrate how to set up OpenVPN on a typical home network. The below configuration will give your client PCs a secure internet access anywhere, as well as full access to your home network. The info contained in this tutorial will be aimed at Windows users with a router that has capabilities similiar to the Linksys WRT54G.

OpenVPN Installation:

First, download the install file from http://openvpn.se/download.html (openvpn-2.0.5-gui-1.0.3-install.exe). This is the GUI version of OpenVPN. It’s basically good ole OpenVPN with a minimal graphic interface that is accessible from the system tray.

Install it on the computer that is going to be your OpenVPN server first. This computer is going to need to be turned on and running OpenVPN at all times that you wish to have your virtual network accessible.

If you have any previous versions of OpenVPN installed, then shut down any running instance of it before running the install file.

Run the install program. During the installation you can choose if the GUI program will be started automatically at system startup. The default is yes. I recommend leaving all of the options on the default. All the instructions below assume that you have installed the program in the default directory. At the end of the install you will need to reboot the machine.

Creating certificates:

After rebooting you are going to need to configure the OpenVPN files on your server using the command prompt and a text editor like Notepad.

Go to Start – Run – and type cmd to open the command prompt.

Then enter the command below to move to the correct directory:

cd C:\Program Files\OpenVPN\easy-rsa

Then type this command to run the batch file that will copy the configuration files into place:

init-config

Now open the file vars.bat in a text editor. It should be located here: C:\Program Files\OpenVPN\easy-rsa\ You should change the values of the following variables at the bottom of the file KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL. Don’t leave any of these parameters blank.

Back at the command prompt you are going to enter the following commands in order:

vars
clean-all
build-ca

When you run build-ca you will be prompted for several entries. You can simply hit Enter to accept the default values taken from the vars.bat file you customized. The only parameter that must be explicitly entered is the Common Name. Enter the name of your VPN for this entry. An example would be MyVPN.

Next enter the following command to generate a certificate and private key for the server:

build-key-server server

Make sure you enter server for the Common Name. The rest of the settings can be left on the defaults. You can leave the challenge password and optional company name blank if you like. Type y for yes at the last two queries, “Sign the certificate? [y/n]” and “1 out of 1 certificate requests certified, commit? [y/n]”.

Now enter the following command one at a time changing the name for each:

build-key client1
build-key client2
build-key client3
build-key client4

and so on…

You will be prompted to enter data just like when you built the server key. Make sure if you typed the command build-key client1 that you enter client1 for the Common Name. These entries much match up.

Run the above commands for as many clients as you would like to have on your VPN. I suggest you create more than you think you will need now because it will save you the hassle of having to do it at a later time. Always use a unique common name for each client.

If you would like to password-protect your client keys, substitute build-key-pass for build-key

The final step in this process is to generate Diffie Hellman parameters for the OpenVPN server.

Enter this command to begin the process:

build-dh

This might take a long time.

Note: You only need to do the certificate process listed above on the server.

Example network:

The below config files and settings are configured for the following network scenerio:

Your home router’s IP address is 192.168.1.1 and its subnet mask is 255.255.255.0

Your OpenVPN server attached to that router has its network interface manually set to the IP address of 192.168.1.150 with the subnet mask 255.255.255.0 and a default gateway of 192.168.1.1

The router is configured to port forward port 1194 to the server’s IP address of 192.168.1.150

Note: 1194 is the default port for OpenVPN. It’s probably a good idea to change every instance of the port number 1194 to another port number for better security. Just make sure the router and all the config files are set to the same number.

If any aspect of your network is different, you will need to take that into consideration when following the rest of this guide.

Creating the config files:

Now it’s time to create configuration files for the server and your clients. There should be sample config files in the config directory, but I recommend using the ones below if you have a network similiar to the one defined in this tutorial.

Create a config file for each client. The config file can be exactly the same for each client except for the two lines that contain the file path of the .key and .crt files.

Server config file:
server.ovpn (right-click, save, and open in txt editor)

You will only need to change the IP addresses of the DNS servers in the server.ovpn file, if everything else on your network is the same as described below.

Clients config file:
client1.ovpn (right-click, save, and open in txt editor)
client2.ovpn
client3.ovpn
client4.ovpn

You need to edit the client config files to enter the address of your DynDNS.org account (or other similiar service), unless you have a staic IP address from your ISP.

These configuration files are going to be placed in the config directory (C:\Program Files\OpenVPN\config) of each corresponding computer. Each PC is only going to need one config file.

The example config files I’ve provided will route all traffic from the client computers through the server’s internet connection. This will enable secure web browsing from anywhere, as well as access to any network resource on the home network. Examine the sample config files that come installed with the OpenVPN software to see other options and more detailed comments.

Configuring the router:

You are going to need to make some changes to the settings of the router that is running on the home network that your OpenVPN server is attached to. The particular router I used for testing is a Linksys WRT54G version 1.1 running Sveasoft’s Alchemy firmware. You will need a router that is capable of updating itself to DynDNS.org or some other service if you have a dynamic IP address.

You need to make sure the port you configured OpenVPN to listen on is forwarded on the router to the IP address of your server. On the WRT54G, port forwarding is configured in the “Applications & Gaming” section. Enter 1194 for the port, UDP for the protocol, and 192.168.1.150 for the IP address. Make sure the entry is enabled and then save the setting.

Next, you need to add an entry to the router’s Routing Table. This will enable the router to properly route requests from the clients to the TAP interface of the server.

On the WRT54G you would go to the “Setup” page and then the “Advanced Routing” section.

Enter the follwing info to make the entry:

Enter Route Name: openVPN
Destination LAN IP: 192.168.10.0
Subnet Mask: 255.255.255.252
Default Gateway: 192.168.1.150
Interface: LAN & Wireless

Once the info has been typed in make sure you save the setting.

This entry for the Routing Table assumes you have all the same settings mentioned above for your network. The names of the variables may vary on other routers.

Configuring the server:

Depending on which verison of Windows you have, you will need to make some changes on the server.

WINDOWS XP:
Disable the Windows firewall for you network connections.

The buit-in Windows firewall (as well as some third party ones) causes problems if it is running on the server, but I had no problem with it on the client PCs.

Edit registry key value:
Routing registry key.reg (right-click, save, and run)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
IPEnableRouter = dword:00000001

This registry key will enable the routing set in the config file to work correctly.

WINDOWS 2000 SERVER:
For routing to work properly on W2K server I had to enable and configure some settings in Routing and Remote Access.

Go to Control Panel – Admin tools – Routing and remote access

Right-click computer name – Select: Configure and enable Routing and remote access

Click Next

Select: Internet Connection Server

Select: Set up a router with the Network Address Translation (NAT) routing protocol

Highlight the real network interface connected to the router when prompted: Use the selected Internet connection

Highlight the TAP-Win32 Adapter V8 when prompted: Select the routing interface for the network that should have access to the internet

Click Finish

This should take care of the routing on your server.

Client configuration:

You are going to install OpenVPN on each of the client computers using the same install file you used above. You can leave all the install settings on their defaults for the clients. Once you rebooted, go ahead and copy the correct .ovpn configuration file into the config directory (C:\Program Files\OpenVPN\config) of each client. Then copy the three necessary certificate files into the C:\Program Files\OpenVPN\easy-rsa\keys folder (create it if not there). The three needed files are ca.crt (each client and the server share a copy of this one file), clientX.key, and clientX.crt. Replace “clientX” with the file name/Common Name of each client cert.

Connecting:

If everything went smoothly up to now, you should be able to start up OpenVPN and connect.

On the server:
Go to OpenVPN GUI in the system tray and click connect. It should successfully connect and display that it has an IP address.

On the clients:
Once the server has been connected, you should be able to connect the clients. They should be able to connect to the VPN even when on the same local network, but testing from a separate network, like a neighbor’s wifi (that you have “permission” to use, of course), is preferable.

Using OpenVPN GUI:

When OpenVPN GUI is started your config folder (C:\Program Files\OpenVPN\config) will be scanned for any .ovpn files, and an icon will be displayed in the system tray.

When you want to connect to a network, right-click the OpenVPN GUI and click connect. If you have more than one config file you will be able to choose between them. If you use a passphrase protected key you will be prompted for the password.

OpenVPN GUI can start a connection automatically when it runs. To enable autoconnect simply add this string to the command that starts the OpenVPN app:

In Windows, you need to append it to the following registry key:
OpenVPN Startup.reg (right-click, save, and run)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
openvpn-gui = C:\\Program Files\\OpenVPN\\bin\\openvpn-gui.exe

Change client1 as needed for the name of each client config file.

Troubleshooting:

If for some reason you cannot connect or have limited connectivity across the VPN, then there is any number of reasons is is not working. There is no way to cover all the different scenarios here. Double-check everything covered above and make sure the syntax is correct. One little error in an entry can make it all simply not work. You can also examine the log file to look over any errors. If you have any problems, try to simplify the network as much as possible to take out any unnecessary variables. The above settings and config files are for a fairly common home network. So, if your network is much different from this, the example settings will not work for you. If you are able to connect successfully, but are not able to surf the web or access other computers on your network, then something is wrong with the routing. You can search the forums at http://openvpn.se/bb/index.php for any particular problems you might encounter.

The above configuration has worked well for me in a variety of situations. If you have any suggestions, feel free to comment below.

         filed under: misc, networking, windows

55 Comments

  1.  
    1
     

    […] It’s A Tech World » How to configure OpenVPN OpenVPN is a tried and true VPN solution. You can install and run this software without needing any help or connections from a third party. It is totally secure and infinitely configurable. The fact that it’s open source and free really makes it stand out though. […]

  2.  
    2
    compuhut_1 06/17/06 @ 6:23am
     

    I just wanted to thank you for this guide and the config files, they worked great. I’ve been trying to get OpenVPN configured properly for awhile now but couldnt figure out the routing part. I had never even seen the registry setting in any guide on OpenVPN before nor did anyone ever bother to mention to the routing table in your router as you did.

    Thanks again just wanted to let you know this guide helped someone.

  3.  
    3
    gdubya 09/16/06 @ 7:56am
     

    Is the third octet in the destination LAN IP in the routing config a typo? I cannot figure why it is 10 instead of 1, but one user posting a comment said everything worked OK but didn’t mention correcting the typo. If it is not a typo, why would it be 10, given the LAN config given in the article? Thanks in advance!
    gdubya

    Enter the follwing info to
    make the entry:

    Enter Route Name: openVPN
    Destination LAN IP: 192.168.10.0
    Subnet Mask: 255.255.255.252
    Default Gateway: 192.168.1.150
    Interface: LAN & Wireless

  4.  
    4
    Riley 09/16/06 @ 9:08am
     

    It’s not a typo. For this config to work you are going to have two different sets of IPs with routing between them. The 10 and 1 are competely arbitrary, but they do need to be two different numbers. This router table setting corresponds to the IP settings in the config files.

  5.  
    5
    gdubya 09/16/06 @ 6:41pm
     

    OK…

    Thanks for the response. My home network where I plan to have Open VPN server running already has a WRT54g set to a non default IP range. (192.168.25.xxx) That’s because the work network a family member was connecting to by VPN was 192.168.1.xxx and I reset it to get his VPN running. Now the routing config make sense to me. (Light dawns on Marblehead!) Thanks again.

  6.  
    6
    Gustavor38 09/30/06 @ 5:22pm
     

    Perhaps (Sure) my question is stupid but…. I suppose that in the settings of the tcp in the server tap adapter i must remove the dhcp and configure a static ip in the 192.168.10.x. range.
    If i am ok wich is the default gateway? 192.168.1.1?
    Sorry for my poor english and thanks for your help.

  7.  
    7
    Riley 10/01/06 @ 8:47pm
     

    OpenVPN takes care of all the network settings for the virtual tap adapter via the config files. You do not need to change any settings unless listed in this article.

  8.  
    8
    charles 01/08/07 @ 12:06am
     

    THANK YOU! This tutorial rocks and is dead on. I have used it several times to set up VPNs behind linksys routers.

    Alas, I am faced with a slightly different (and simpler) task of setting up a VPN on a windows server that is not behind a WRT54G router but instead directly connected to the internet. I don’t know where to start but would assume the changes from this tutorial to be minor.

    How do I do this same tutorial sans linksys router? Please help!

  9.  
    9
    Riley 01/09/07 @ 7:24pm
     

    You don’t have to have a Linksys router. Most any router will work and can be configured with basically the same steps.

    I can’t imagine why you would ever directly connect a Windows server to an internet connection without some type of router. Spend a few bucks on a router, it’s worth it.

    I recommend:
    http://www.dd-wrt.com/wiki/index.php/Supported_Devices

  10.  
    10
    NWTSCL 02/26/07 @ 12:00am
     

    I noticed that the subnet mask is 255.255.255.128 in the server config file, where you also said to ‘make sure the Routing Table entry matches this..’

    Yet, the info you said to enter into the Routing Table does NOT match this. Rather, you said to enter a subnet mask of 255.255.255.252.

    Why the difference?

  11.  
    11
    Riley 02/26/07 @ 11:14am
     

    I won’t go into all the details of why it works, but it does. Yes, the numbers are different, but they match up to make this config work.

    Follow the above directions and it will work. OpenVPN has many options, so I wrote this article to give people a simple way to use the software without having to know too much advanced networking. There are other resources for that cover these topics.

  12.  
    12
    attig 03/13/07 @ 7:19am
     

    Riley,

    Thanks for this guide, it worked beautifully from the first time. I’ve followed all the steps except that I used port 443 (TCP), so I can connect when the client is behind a restrictive firewall. Now, whenever I connect via the client to the VPN, my internet connection is gone. Do you know what should I do to have the client connect to the VPN, and at the same time not lose its genera internet connectivity?

    Thanks,

  13.  
    13
    Riley 03/13/07 @ 10:08am
     

    If you follow the above guide, the clients should have full internet connectivity, but it will be routed through the server’s internet connection. It is possible to make modifications to the config files and routing settings to achieve a different arrangement. There are too many variables for me to be able to give you step by step instructions though.

  14.  
    14
    zsolt 03/28/07 @ 7:55pm
     

    I followed your protocol VERBATIM, the way you described it, on the very same router, checked every parameter 3 times and I am still getting the ominous error message when I try to fire up the server:

    Options error: –server directive network/netmask combination is invalid

    Any suggestion? Tx.

  15.  
    15
    Riley 03/28/07 @ 8:01pm
     

    Make sure you pay close attention to the details in the config files. Every single setting in the process must be correct for it to work. I’ve done the above set up countless times and heard positive feedback from others. There must be something different in your network configuration or an incorrect setting. If you email me all of the details, I’ll try to take a look.

  16.  
    16
    bigtoque 06/14/07 @ 12:30am
     

    I followed your guide and was able to get OpenVPN working without much trouble. Thank you very much!

    I noticed quite quickly though that once I connect to the server I lose the ability to use the internet.

    Is there any way to keep access to the net while I am connected to the server?

  17.  
    17
    zapf 06/14/07 @ 12:35am
     

    Hi Riley,
    Thanks for your guide above, without which I would have never got OVPN working. Which brings me to the problem I have got, I have created 10 client keys initially. And now would like to add more, however upon running “build-key client11” it gave error of “could not find c:\*.old” do you think you can help?

    Thanks
    Felix

  18.  
    18
    Riley 06/14/07 @ 9:07am
     

    You should have full internet access when connected if you configured it correctly. I would check to make sure that you entered the DNS servers. See if you can ping anything outside your network and double-check everything else. You might need to customize some of the settings for your particular needs.

  19.  
    19
    Riley 06/14/07 @ 9:11am
     

    There is a utility to generate keys after the install, but I’ve found it much easier to generate all of the keys during the initial installation (just go ahead and make way more than you think you need). You can always scrap all your current keys and start over.

  20.  
    20
    sumit kalsait 06/18/07 @ 9:12am
     

    i made my first tunnel with Static Key — Use a pre-shared static key.
    and tunnel created successfully. when i tried to ping using Ip of virtual tunnel 10.3.0.1 to other station whose vpn tunnel ip (virtual ) is 10.3.0.2 it works fine
    reply from 10.3.0.2 : 32 bytes time=1ms ttl=128

    also when i tried to ping byHost ID 192.168.0.1 to other host ID 192.168.0.2 it again ping that terminal means
    reply from 192.168.0.2: 32 bytes time=1ms ttl=128

    As per OpenVPN when tunnel get created all traffic should run betwwen this tunnel.
    what i guess by this
    only Pinging is possible through virtual Ip adresses of tunnel

    not through host ID like 192.168.0.1 to 192.168.0.2 between two terminal if virtual tunnel is present

    my question is both ping possible ?
    or only virtual tunnel ip adress ping is possible?

    Host ID 192.168.0.1———>openVPN Tap win 32——–>IPID 10.3.0.1—————>virtual tunnel————->IP adress 10.3.0.1——————–>openVPN Tap win 32——Host IP ID 192.168.0.2

    subnet 255.255.255.0 subnet 255.255.255.0 subnet 255.255.255.0 subnet 255.255.255.0

    thanks

    Sumit Kalsait

  21.  
    21
    sumit kalsait 06/18/07 @ 9:15am
     

    Host ID 192.168.0.1——Host ID 192.168.0.2

    Ip of virtual tunnel 10.3.0.1——-Ip of virtual tunnel 10.3.0.2

    after tunnel get connected

    my question is both ping possible ?
    host id Ping possible?
    or only virtual tunnel ip adress ping is possible?

    in my case both are working.

    thanx

  22.  
    22
    Riley 06/19/07 @ 9:44am
     

    Yes, once set up, each computer will have two IP addresses (one for the real interface and one for the virtual TAP interface). You want to use the virtual IP to access computers across the VPN (ex. 10.3.0.1). You can configure the routing to work in any number of ways. You can adjust the settings in the config files or in the routing table of the router.

  23.  
    23
    OwenWatson 07/23/07 @ 11:14pm
     

    1. Might be worth a note about not using the cert wizard at the start of that section.
    2. Windows XP firewall can’t(=shouldn’t) be turned off on the server: any hints on how to configure it to allow this traffic (apart from the nominated UDP port).
    3. My PC (the server) is on the DMZ and allocated a static IP without any NAT at the firewall. I take it that in server.ovpn that local=my static ip, and server=any unallocated IP on the network.

  24.  
    24
    Riley 07/24/07 @ 8:14am
     

    You are welcome to customize any options in this guide. It’s just meant to be a starting point with general settings that should work for most people.

    I think running a software firewall on a server kind of defeats the purpose, but there’s many ways to use OpenVPN.

    You can choose whatever IPs you want. It just works better if the IPs are available and routable.

  25.  
    25
    TheCableGuy007 07/30/07 @ 8:06pm
     

    Hi there, I tried using this quick guide and everything works great, but I have a problem!
    As I can’t install the openvpn soft on a windows nt 4 server, I installed it on an xp computer in the network and every thing works great but I can’t ping nor connect to anything in the network except the pc that the openvpn server is installed on!
    Any hints?
    thanks, David

  26.  
    26
    Riley 07/30/07 @ 8:25pm
     

    David – I don’t even want to know why you’re using NT4.

    If you can connect to your OpenVPN server from outside the network, but not to any of the other PCs on the network it sounds like a routing issue. There’s way too many variables to say what the precise cause of the problem might be. Troubleshooting is fun.

  27.  
    27
    mike.beats 08/12/07 @ 2:36pm
     

    I’ve got a simple client server network running on Vmware Server Console.The server’s running Windows Server 2003 and the 3 clients are running Windows XP.I’ve got OpenVPN running on each one correctly.What I’m trying to achieve is virtualised path solation on my network,so I’ve firewalled off all my LAN connections but left port 1194 open for OpenVPN on each machine.I wish to know how to reroute ALL network traffic on each machine to go through OpenVPN port 1194 as my LAN connections are firewalled off

  28.  
    28
    true_bolla 08/26/07 @ 4:23am
     

    i hope someone can help me,i have setup openvpn with my laptop with no prblems,my flat mate use linx and he have the vpn running on the linux server,but i have connected to it with windows,but from his server,so we have only the openvpn running on the Router and the home next work running on another Router ,but both are connected to the linux server,after i got my wireless working through the openvpn,i cant find my desktop on the loacal network,is there some changes i could make to make my laptop connect to the local network? thanks in advance…..

  29.  
    29
    Madwin 08/29/07 @ 8:08am
     

    hey there guys, i hope some can solve this problem i have, i’ve been trying to set up an OpenVPN network between 2 PC’s, both using Windows 2000, and both on their own work just fine, its just that when I connect the server and I connect 1 client to the server, the server crashes for no apparent reason, if you want i can send you the config files i’ve been using for the server and for the client and tell me what you think, i’d really appreciate if anyone can help me with this problem

  30.  
    30
    rohanmeyer 09/05/07 @ 7:51am
     

    I followed this howto for setting up a OpenVPN server on SuSE Enterprise Linux 10 with the clients connecting through the ISP -> MyFirewall -> MyServer(OpenVPN). My clients are WinXP. Now I can ping the outside and inside IP’s as well as access a Samba shared folder while I’m connected to the VPN from a client, but I need to go right through the inside IP of MyServer to my LAN. Now I’m probably missing something stupid, but I just can’t get it running. Pleas help if you can. My LAN is on the 10.0.0.0 255.255.255.0 range and I want the VPN to be on the 10.10.0.0 subnet.

  31.  
    31
    shawn524 09/27/07 @ 3:15pm
     

    Has anybody had any luck getting this to work where the server is behind a dlink WBR-2310? There does not seem to be any way to add a route as described in the guide.

  32.  
    32
    rookiebot 10/02/07 @ 10:54pm
     

    How to share óne vpn client connection to multiple pcs?

    I’m connected to an openVPN Server using the openvpn client (dev tun).
    The client pc(xp sp2) has 2 nics. one to connect to lan/adsl & the
    other to connect to a voice gateway (spa3102)via crossover. How can I
    configure the spa3102 connected over nic2 to go through only the open
    vpn connection to connect to its sip server? or in other words how can
    i share the open vpn client connection?

  33.  
    33
    peter 11/24/07 @ 11:01pm
     

    Hi There.
    I connected OpenVPN to server, but client can not connect to internet. Pls help me, i don’t know why. Thanks

  34.  
    34
    Riley 11/25/07 @ 10:44am
     

    Peter

    You don’t give us much info, but the first thing to check is the DNS settings. Make sure the client is at least resolving the domain names.

  35.  
    35
    alex 12/05/07 @ 5:29am
     

    There is no way I can make a static route in Setup>Advanced Routing>Static Routing, Linksys router is WRV200, and it will NOT accept subnet mask in form 255.255.255.252! It will only accept 255.255.255.0 or 255.255.255.255. How can I get arround this?

  36.  
    36
    juice381 12/18/07 @ 8:16am
     

    This was an excellent tutorial and worked flawlessly for me. I just want ot add because I have found that no one gives a definative answer to the question ragarding new client keys after iniatial install. What needs to be done as rather simple. On the server machine cmd and cd into your easy-rsa folder. By default it should be in C:\Program Files\OpenVPN\easy-rsa
    you have to first run vars.bat this will put you into config mode finally run build-key.bat and use the instructions in this tutorial. If you have working clients already then just copy the config file from one them and alter the information with in it. Example:cert “C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\client1.crt” if this was the name of your first client and you now made client 22 then change anything with client 1 to client22 then save as a what ever you want .opvn. Hope that helps

  37.  
    37
    pedram 01/07/08 @ 12:36pm
     

    Hi Riley. Thanks for the detailed instructions. I followed them and was able to connect from my laptop to my home PC. My home network has a network address of 192.168.1.0 and the home PC has one address in this range as well as one virtual address of 192.168.10.1.
    Now, in order to be able to connect to the rest of the computers on the home network, I can think of two solutions:
    1. To have a second NIC on the home PC and set up the home network with a separate router that connects to the second NIC of the home PC.
    2. Have opnVpn installed on all home PCs and set up a VPN tunnel every time I bring them up.

    My question is whether both of my solutions are valid? And if there is any other solution?
    Thanks
    Pedram

  38.  
    38
    bbarrett2868 01/09/08 @ 10:34am
     

    I am having a problem with my OpenVPN configuration, and it looks like the official forum is full of spam. My server side configuration is running on XP Pro SP2. I have the IP forwarding enabled, and have turned off the Windows Firewall. I am able to connect successfully from client to server and I am able to navigate the internet. I am unable to access the local area network though. I get a timeout response when I try to ping internal ip addresses. The DNS servers are both local network resources though, and it must be accessing them if I can navigate the internet. I have also tried pinging my servers using the domain name, and it correctly translates the associated IP address, but I still get a timeout response. Any ideas would be wonderful.

  39.  
    39
    Riley 01/09/08 @ 11:04am
     

    @pedram – I don’t really understand your problem. The above config should give you full access to any PC on the OpenVPN server’s local network, as well as any client that is connected to that server.

    @bbarrett2868 – it sounds like a routing issue. Check the routing table. The above config works, but there might be changes that need to be made for various router models.

  40.  
    40
    pedram 01/09/08 @ 3:50pm
     

    I guess the routing entry that I entered on my router is not working right because when I manually put the route on any of the PCs on my home network the the ping comes back.

  41.  
    41
    stmcgarrett 01/17/08 @ 11:48pm
     

    Greetings. When I run build-ca I am receiving the following error:

    error on line 37 of c:\program files\openvpn\easy-rsa\openssl.cnf
    3184:error:0E065068:configuration file routines:STR_COPY:variable has no value:.
    \crypto\conf\conf_def.c:629:line 37

    Any ideas as to resolving this? FYI – trying to install on Win XP SP2 machine. Thanks for your time and assistance.

  42.  
    42
    stmcgarrett 01/21/08 @ 6:04pm
     

    The build at openvpn.se/ was apparently the problem for me as I downloaded the one from Sourceforge and had no issues.

  43.  
    43
    jetter 01/31/08 @ 5:16pm
     

    Thanks for the great guide, it worked the first try.
    Is there any way besides putting a packet sniffer on the wire
    to verify that the data is encrypted? Or is it safe to say that once
    there is a tunnel setup, then its going to be encrypted? Im pretty
    new to vpn’s and I just want to make sure I have it set up correctly.

  44.  
    44
    vpnboy 02/25/08 @ 1:25pm
     

    This is the most useful guide for setting up OpenVPN I have found on the web. Thanks. I am not particularly technical but I managed to get OpenVPN up and working (maybe that just shows how good your guide is!).

    I am using Win XP Pro Sp2 for both my server side (desktop pc) and my client side (laptop pc). I travel somewhat with my laptop, and I am a little concerned that on my travels anybody who manages to access my laptop without my knowledge will be able to just right-click on the OpenVPN icon in the system tray and then connect to my server and network. It seems I should have a password to protect the OpenVPN connection. However after hours of scouring the official OpenVPN sites I am really no nearer understanding how to achieve this. My biggest fear is breaking my vpn now that I have it working so well!

    Your guide mentions using build-key-pass instead of just build-key to password protect the client keys, but I’m not sure how the password protected keys would then work. Is that what I would need to do to stop unauthorised access to my OpenVPN client? Also, I notice that the OpenVPN icon right-click menu has a “Change password” option – maybe this is what I need to do? Any advice much appreciated.

  45.  
    45
    timinator 03/03/08 @ 10:44am
     

    Hi, I was considering setting up an OpenVPN server behind my DMZ with 2 nics. One public, one private and route between them to my lan. Is this possible?

    Thanks
    Tim

  46.  
    46
    minardi 04/04/08 @ 8:20am
     

    Hi.

    I have the exact same setup as in this guide, and everything is working except when i connect the client to the server, i loose all internet on the client, yet i still have connection to the server.

    I have put in the DNS information on the server config, and it sends the DNS info to the client, yet it still isnt getting any internet connection.

  47.  
    47
    openfish 04/12/08 @ 12:27pm
     

    Thank you Riley for the well defined VPN set up using OpenVpn.
    Though my actual job is to create a site-to-site VPN using OpenVPN, first I tried between two computers within the same LAN, one as the server and the other as a client.
    The network address of my LAN is 192.168.1.0. And the pcs’ address is 192.168.1.x1 and 192.168.1.x2. And I used virtual address( with its netmask) 10.8.0.0 255.255.255.0.
    I successfully established the VPN between the two computers, that is, when I tried to
    ping using the IP of virtual tunnel 10.8.0.1 to other machine whose vpn tunnel ip (virtual ) is 10.8.0.2 it works fine and it works also from other direction.

    Again, when i tried to ping byHost ID 192.168.1.12 to other host ID 192.168.1.133 it also pings normally

    As per OpenVPN when tunnel get created all traffic should run between the tunnel.
    what i guess by this
    only Pinging is possible through virtual Ip adresses of the tunnel

    not through the actual host ID like 192.168.1.12 to 192.168.1.133 between the two machines if virtual tunnel is already established.

    My first question is, is it possible to ping using normal host id, in addition to using virtual address, while tunnel is already created?

    My second question, even other machines can ping to the tunneled machines( to the OpenVPN server and client); and the server and the client can ping normally to the other PCs in the LAN using the their host IP addresses.
    What I guessed was, only the machines in the tunnel can only ping one another, nothing else, , though they are physically connected in the LAN.
    Is it possible, with explanations?
    I am looking forward to reading your replies.

    Thank you, forum members, in advance.

  48.  
    48
    shukalo83 05/13/08 @ 12:57pm
     

    Thank You really on such a great tutorial. I think it’s unique in its simplicity and effectiveness. Everything work flawless for me but when I try to connect from Windows XP client that has no admin privileges the virtual tap interface doesn’t get the default gateway by DHCP. When I am admin from the same machine, everything works perfectly. I don’t know what could be the problem. I installed openvpn gui as an administrator on the client side. So once more, to be specific, I received client address by dhcp 192.168.10.3 but i don’t have def gateway of 192.168.10.1 an that only when I am not logged in as an administrator. I realize that this tutorial is a bit old but there are maybe someone outhere who is willing to give me a hand. Thanks in advance

  49.  
    49
    compsafe 05/22/08 @ 8:56pm
     

    Hi, i am trying to configure openvpn and having some queries. For the Intial set up; i configured my desktop as server and laptop as a client, which works fine.Now,I want to take it to the next step. I want the client to connect to my desktop and should be able to access the main webserver throgh my PC. Thatis my PC should be able to act as an interface to allow the laptop to connect the main webserver. Please help. What changes should i make in the congig.files.

  50.  
    50
    bebopblues 05/28/08 @ 4:30am
     

    Riley, first off, many thanks for the tutorial and providing the sample config files. I followed your instructions carefully and established connections between server and clients. The only problem I have is what peter stated a few posts above, my internet dies when openvpn is connected. If I disconnect openvpn, then internet works again. I’ve tried on several local machines, and all seems to be the same problem. Now this only happens on local machines on the local network with the server. I tested a machine outside the network, and it does not lose internet connection, it works perfectly.

    Regarding the DNS settings, I used the WAN DNS settings from my cable modem, I’m assuming thats the correct one and not the local gateway (192.168.1.1). I’ve been trying to figure out why the local machines lose internet connection, but I’m still scratching my head and clueless. If you have advice to solve this issue, please reply. Much appreciated.

  51.  
    51
    abc 07/16/08 @ 2:52pm
     

    How to share óne vpn client connection to multiple pcs?

    I’m connected to an openVPN Server using the openvpn client (dev tun).
    The client pc(xp sp2) has 2 nics. one to connect to lan/adsl & the
    other to connect to a voice gateway (spa3102)via crossover. How can I
    configure the spa3102 connected over nic2 to go through only the open
    vpn connection to connect to its sip server? or in other words how can
    i share the open vpn client connection?

  52.  
    52
    glenn0 07/17/08 @ 1:39am
     

    Hey guys,

    I used this guide to setup my VPN (thanks Riley!) but made a few security enhancements along the way. I decided to write up a version of Riley’s guide with my additions. I hope that’s ok Riley.

    I’ve added TLS-Auth, password protected 2048-bit keys, AES encryption and explanations in a lot of sections.

    It seems you can’t post links in comments here, but if you Google “openvpn lockup”, my blog (called lockup) will be the first result.

    Hope it helps.

  53.  
    53
    Wasser 08/03/08 @ 6:42pm
     

    Hi!
    I have the following problem:
    I configured everything [almost] like you said, but when I go to the Routing table on my dir-655 (I went to Advanced/Routing, think it’s the same) and fill everything, it says that the ip of the gateway is not on the same subnet of the interface. The interface is fixed on WAN and the router does not allow me to change it. The only IP I could fill for the gateway was my external IP, but it’s not working…
    Help?

  54.  
    54
    mich2212001 12/29/08 @ 1:28pm
     

    this is a great help … i have been trying to make sense of Openvpn for a long time now. thanks for the help. however, i have a cisco 1721 router in charge of DHCP. & i do have a local Domain with dns server configured as well. my question is how do i go about configuring the server to work with that …. please help

  55.  
    55
    jojoba 03/08/09 @ 12:57am
     

    Wonderful article! Only qualms, you could explain the “TAP” acronym – it’s not as common as “DNS” and “DHCP.” Other qualm: a bit more explanation on the DynDNS part. Like, “DynDNS” is a service you can subscribe to that will keep track of your dynamic IP from your ISP and associate it with a DNS name; so that, if/when your DSL or Cable Modem ip address changes, DynDNS will track that change, and will update your corresponding public DNS name with the new address that your ISP has assigned to your external interface.”

    Anyway, I think that’s my guess on what the DynDNS does, from some things I’ve read in the past, and I’ve been meaning to try it, and now, thanks to your superb tutorial, I have a good reason. :) Also note: You could mention that, “Oh, btw, even if you don’t have a static IP addre, you [can] find your current external IP address of your home network by surfing to “http://www.whatismyip.com” – and you can enter that in the config files.” WARNING: That address is subject to change but, until it changes, your VPN connections will work.

    OR… if you DON’T want to deal with DynDNS and you DON’T want pay the extra $5 /month for a static IP (or you have cable and they don’t offer static IP), you can just setup a scheduled daily job on your server to grab your current external IP and “blat” it (email it) to one of your public email accounts, say, once per day – that way, you always will be able to hop on your email and see your current public IP is – in case you have to modify your client VPN configs. Okay, it’s funky, but it works.

    Bottom line: RILEY – YOU ROCK! Now, let’s find equivalent steps for D-Link & DSL routers. I have a Netopia DSL router I would like to set this up on, and some D-Link routers also.

    many thanks!