OpenVPN is a tried and true VPN solution. It is totally secure and infinitely configurable. You can install and run this software without relying on a third party. The fact that it’s open source and free really makes it stand out though. OpenVPN can be a little daunting to configure the first time you jump into it, but once you get your configuration worked out, it’s a pleasure to use. Once you have the software running on your network, it’s possible to seamlessly perform a great number of tasks. One of the most popular and practical uses for OpenVPN is to enable secure surfing and home network access when out travelling or on an open wifi access point. It can also be used to connect separate remote networks together into one large network that is fully routable. There’s really no limit to what you can do with OpenVPN.
For the purposes of this article I am going to demonstrate how to set up OpenVPN on a typical home network. The below configuration will give your client PCs a secure internet access anywhere, as well as full access to your home network. The info contained in this tutorial will be aimed at Windows users with a router that has capabilities similiar to the Linksys WRT54G.
OpenVPN Installation:
First, download the install file from http://openvpn.se/download.html (openvpn-2.0.5-gui-1.0.3-install.exe). This is the GUI version of OpenVPN. It’s basically good ole OpenVPN with a minimal graphic interface that is accessible from the system tray.
Install it on the computer that is going to be your OpenVPN server first. This computer is going to need to be turned on and running OpenVPN at all times that you wish to have your virtual network accessible.
If you have any previous versions of OpenVPN installed, then shut down any running instance of it before running the install file.
Run the install program. During the installation you can choose if the GUI program will be started automatically at system startup. The default is yes. I recommend leaving all of the options on the default. All the instructions below assume that you have installed the program in the default directory. At the end of the install you will need to reboot the machine.
Creating certificates:
After rebooting you are going to need to configure the OpenVPN files on your server using the command prompt and a text editor like Notepad.
Go to Start – Run – and type cmd to open the command prompt.
Then enter the command below to move to the correct directory:
cd C:\Program Files\OpenVPN\easy-rsa
Then type this command to run the batch file that will copy the configuration files into place:
init-config
Now open the file vars.bat in a text editor. It should be located here: C:\Program Files\OpenVPN\easy-rsa\ You should change the values of the following variables at the bottom of the file KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL. Don’t leave any of these parameters blank.
Back at the command prompt you are going to enter the following commands in order:
vars
clean-all
build-ca
When you run build-ca you will be prompted for several entries. You can simply hit Enter to accept the default values taken from the vars.bat file you customized. The only parameter that must be explicitly entered is the Common Name. Enter the name of your VPN for this entry. An example would be MyVPN.
Next enter the following command to generate a certificate and private key for the server:
build-key-server server
Make sure you enter server for the Common Name. The rest of the settings can be left on the defaults. You can leave the challenge password and optional company name blank if you like. Type y for yes at the last two queries, “Sign the certificate? [y/n]” and “1 out of 1 certificate requests certified, commit? [y/n]”.
Now enter the following command one at a time changing the name for each:
build-key client1
build-key client2
build-key client3
build-key client4
and so on…
You will be prompted to enter data just like when you built the server key. Make sure if you typed the command build-key client1 that you enter client1 for the Common Name. These entries much match up.
Run the above commands for as many clients as you would like to have on your VPN. I suggest you create more than you think you will need now because it will save you the hassle of having to do it at a later time. Always use a unique common name for each client.
If you would like to password-protect your client keys, substitute build-key-pass for build-key
The final step in this process is to generate Diffie Hellman parameters for the OpenVPN server.
Enter this command to begin the process:
build-dh
This might take a long time.
Note: You only need to do the certificate process listed above on the server.
Example network:
The below config files and settings are configured for the following network scenerio:
Your home router’s IP address is 192.168.1.1 and its subnet mask is 255.255.255.0
Your OpenVPN server attached to that router has its network interface manually set to the IP address of 192.168.1.150 with the subnet mask 255.255.255.0 and a default gateway of 192.168.1.1
The router is configured to port forward port 1194 to the server’s IP address of 192.168.1.150
Note: 1194 is the default port for OpenVPN. It’s probably a good idea to change every instance of the port number 1194 to another port number for better security. Just make sure the router and all the config files are set to the same number.
If any aspect of your network is different, you will need to take that into consideration when following the rest of this guide.