OpenVPN is a tried and true VPN solution. It is totally secure and infinitely configurable. You can install and run this software without relying on a third party. The fact that it’s open source and free really makes it stand out though. OpenVPN can be a little daunting to configure the first time you jump into it, but once you get your configuration worked out, it’s a pleasure to use. Once you have the software running on your network, it’s possible to seamlessly perform a great number of tasks. One of the most popular and practical uses for OpenVPN is to enable secure surfing and home network access when out travelling or on an open wifi access point. It can also be used to connect separate remote networks together into one large network that is fully routable. There’s really no limit to what you can do with OpenVPN.
For the purposes of this article I am going to demonstrate how to set up OpenVPN on a typical home network. The below configuration will give your client PCs a secure internet access anywhere, as well as full access to your home network. The info contained in this tutorial will be aimed at Windows users with a router that has capabilities similiar to the Linksys WRT54G.
First, download the install file from http://openvpn.se/download.html (openvpn-2.0.5-gui-1.0.3-install.exe). This is the GUI version of OpenVPN. It’s basically good ole OpenVPN with a minimal graphic interface that is accessible from the system tray.
Install it on the computer that is going to be your OpenVPN server first. This computer is going to need to be turned on and running OpenVPN at all times that you wish to have your virtual network accessible.
If you have any previous versions of OpenVPN installed, then shut down any running instance of it before running the install file.
Run the install program. During the installation you can choose if the GUI program will be started automatically at system startup. The default is yes. I recommend leaving all of the options on the default. All the instructions below assume that you have installed the program in the default directory. At the end of the install you will need to reboot the machine.
After rebooting you are going to need to configure the OpenVPN files on your server using the command prompt and a text editor like Notepad.
Go to Start - Run - and type cmd to open the command prompt.
Then enter the command below to move to the correct directory:
cd C:\Program Files\OpenVPN\easy-rsa
Then type this command to run the batch file that will copy the configuration files into place:
Now open the file vars.bat in a text editor. It should be located here: C:\Program Files\OpenVPN\easy-rsa\ You should change the values of the following variables at the bottom of the file KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL. Don’t leave any of these parameters blank.
Back at the command prompt you are going to enter the following commands in order:
When you run build-ca you will be prompted for several entries. You can simply hit Enter to accept the default values taken from the vars.bat file you customized. The only parameter that must be explicitly entered is the Common Name. Enter the name of your VPN for this entry. An example would be MyVPN.
Next enter the following command to generate a certificate and private key for the server:
Make sure you enter server for the Common Name. The rest of the settings can be left on the defaults. You can leave the challenge password and optional company name blank if you like. Type y for yes at the last two queries, “Sign the certificate? [y/n]” and “1 out of 1 certificate requests certified, commit? [y/n]”.
Now enter the following command one at a time changing the name for each:
and so on…
You will be prompted to enter data just like when you built the server key. Make sure if you typed the command build-key client1 that you enter client1 for the Common Name. These entries much match up.
Run the above commands for as many clients as you would like to have on your VPN. I suggest you create more than you think you will need now because it will save you the hassle of having to do it at a later time. Always use a unique common name for each client.
If you would like to password-protect your client keys, substitute build-key-pass for build-key
The final step in this process is to generate Diffie Hellman parameters for the OpenVPN server.
Enter this command to begin the process:
This might take a long time.
Note: You only need to do the certificate process listed above on the server.
The below config files and settings are configured for the following network scenerio:
Your home router’s IP address is 192.168.1.1 and its subnet mask is 255.255.255.0
Your OpenVPN server attached to that router has its network interface manually set to the IP address of 192.168.1.150 with the subnet mask 255.255.255.0 and a default gateway of 192.168.1.1
The router is configured to port forward port 1194 to the server’s IP address of 192.168.1.150
Note: 1194 is the default port for OpenVPN. It’s probably a good idea to change every instance of the port number 1194 to another port number for better security. Just make sure the router and all the config files are set to the same number.
If any aspect of your network is different, you will need to take that into consideration when following the rest of this guide.
Creating the config files:
Now it’s time to create configuration files for the server and your clients. There should be sample config files in the config directory, but I recommend using the ones below if you have a network similiar to the one defined in this tutorial.
Create a config file for each client. The config file can be exactly the same for each client except for the two lines that contain the file path of the .key and .crt files.
Server config file:
server.ovpn (right-click, save, and open in txt editor)
You will only need to change the IP addresses of the DNS servers in the server.ovpn file, if everything else on your network is the same as described below.
You need to edit the client config files to enter the address of your DynDNS.org account (or other similiar service), unless you have a staic IP address from your ISP.
These configuration files are going to be placed in the config directory (C:\Program Files\OpenVPN\config) of each corresponding computer. Each PC is only going to need one config file.
The example config files I’ve provided will route all traffic from the client computers through the server’s internet connection. This will enable secure web browsing from anywhere, as well as access to any network resource on the home network. Examine the sample config files that come installed with the OpenVPN software to see other options and more detailed comments.
Configuring the router:
You are going to need to make some changes to the settings of the router that is running on the home network that your OpenVPN server is attached to. The particular router I used for testing is a Linksys WRT54G version 1.1 running Sveasoft’s Alchemy firmware. You will need a router that is capable of updating itself to DynDNS.org or some other service if you have a dynamic IP address.
You need to make sure the port you configured OpenVPN to listen on is forwarded on the router to the IP address of your server. On the WRT54G, port forwarding is configured in the “Applications & Gaming” section. Enter 1194 for the port, UDP for the protocol, and 192.168.1.150 for the IP address. Make sure the entry is enabled and then save the setting.
Next, you need to add an entry to the router’s Routing Table. This will enable the router to properly route requests from the clients to the TAP interface of the server.
On the WRT54G you would go to the “Setup” page and then the “Advanced Routing” section.
Enter the follwing info to make the entry:
Enter Route Name: openVPN
Destination LAN IP: 192.168.10.0
Subnet Mask: 255.255.255.252
Default Gateway: 192.168.1.150
Interface: LAN & Wireless
Once the info has been typed in make sure you save the setting.
This entry for the Routing Table assumes you have all the same settings mentioned above for your network. The names of the variables may vary on other routers.
Configuring the server:
Depending on which verison of Windows you have, you will need to make some changes on the server.
Disable the Windows firewall for you network connections.
The buit-in Windows firewall (as well as some third party ones) causes problems if it is running on the server, but I had no problem with it on the client PCs.
Edit registry key value:
Routing registry key.reg (right-click, save, and run)
IPEnableRouter = dword:00000001
This registry key will enable the routing set in the config file to work correctly.
WINDOWS 2000 SERVER:
For routing to work properly on W2K server I had to enable and configure some settings in Routing and Remote Access.
Go to Control Panel - Admin tools - Routing and remote access
Right-click computer name - Select: Configure and enable Routing and remote access
Select: Internet Connection Server
Select: Set up a router with the Network Address Translation (NAT) routing protocol
Highlight the real network interface connected to the router when prompted: Use the selected Internet connection
Highlight the TAP-Win32 Adapter V8 when prompted: Select the routing interface for the network that should have access to the internet
This should take care of the routing on your server.
You are going to install OpenVPN on each of the client computers using the same install file you used above. You can leave all the install settings on their defaults for the clients. Once you rebooted, go ahead and copy the correct .ovpn configuration file into the config directory (C:\Program Files\OpenVPN\config) of each client. Then copy the three necessary certificate files into the C:\Program Files\OpenVPN\easy-rsa\keys folder (create it if not there). The three needed files are ca.crt (each client and the server share a copy of this one file), clientX.key, and clientX.crt. Replace “clientX” with the file name/Common Name of each client cert.
If everything went smoothly up to now, you should be able to start up OpenVPN and connect.
On the server:
Go to OpenVPN GUI in the system tray and click connect. It should successfully connect and display that it has an IP address.
On the clients:
Once the server has been connected, you should be able to connect the clients. They should be able to connect to the VPN even when on the same local network, but testing from a separate network, like a neighbor’s wifi (that you have “permission” to use, of course), is preferable.
Using OpenVPN GUI:
When OpenVPN GUI is started your config folder (C:\Program Files\OpenVPN\config) will be scanned for any .ovpn files, and an icon will be displayed in the system tray.
When you want to connect to a network, right-click the OpenVPN GUI and click connect. If you have more than one config file you will be able to choose between them. If you use a passphrase protected key you will be prompted for the password.
OpenVPN GUI can start a connection automatically when it runs. To enable autoconnect simply add this string to the command that starts the OpenVPN app:
In Windows, you need to append it to the following registry key:
OpenVPN Startup.reg (right-click, save, and run)
openvpn-gui = C:\\Program Files\\OpenVPN\\bin\\openvpn-gui.exe
Change client1 as needed for the name of each client config file.
If for some reason you cannot connect or have limited connectivity across the VPN, then there is any number of reasons is is not working. There is no way to cover all the different scenarios here. Double-check everything covered above and make sure the syntax is correct. One little error in an entry can make it all simply not work. You can also examine the log file to look over any errors. If you have any problems, try to simplify the network as much as possible to take out any unnecessary variables. The above settings and config files are for a fairly common home network. So, if your network is much different from this, the example settings will not work for you. If you are able to connect successfully, but are not able to surf the web or access other computers on your network, then something is wrong with the routing. You can search the forums at http://openvpn.se/bb/index.php for any particular problems you might encounter.
The above configuration has worked well for me in a variety of situations. If you have any suggestions, feel free to comment below.