OpenVPN 2.1.0 Testing on Ubuntu 10.04 LTS

  1. Installation
  2. Bridge Configuration
  3. Server/Client Certificates
  4. Server Configuration
  5. Client Configuration
  6. Adding Username / Password Auth
  7. NAT/Routed Configuration
  8. Links
  9. Woes

Server Installation

apt-get install openvpn openssl bridge-utils

Bridge Configuration

Edit /etc/network/interfaces to create the bridge, updating the example below with values for your network:

    auto lo
    iface lo inet loopback

    auto br0
    iface br0 inet static
        address
        network
        netmask
        broadcast
        gateway
        bridge_ports eth0
        bridge_fd 9
        bridge_hello 2
        bridge_maxage 12
        bridge_stp off
Note: For my initial testing on a virtual machine, I used dhcp instead of static and eliminated the 5 definition lines immediately below

Restart networking to enable the bridge interface:

    sudo /etc/init.d/networking restart

The new bridge interface should now be up and running. The brctl command provides useful information about the state of the bridge, controls which interfaces are part of the bridge, etc.

Create Certificates

    sudo mkdir /etc/openvpn/easy-rsa/
    sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
    sudo chown -R $USER /etc/openvpn/easy-rsa/

Edit /etc/openvpn/easy-rsa/vars and adjust the following:

    export KEY_COUNTRY="US"
    export KEY_PROVINCE="CA"
    export KEY_CITY="Example City"
    export KEY_ORG="Example Company"
    export KEY_EMAIL=""

Create server certificates

    cd /etc/openvpn/easy-rsa/
    source vars
    ./clean-all
    ./build-dh
    ./pkitool --initca
    ./pkitool --server server
    cd keys
    openvpn --genkey --secret ta.key
    sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/

Two things to know before running this. ./clean-all deletes and recreates the keys/ directory (with mode 0700), so run it once at the start and never again after certificates have been issued. The file name dh1024.pem comes from KEY_SIZE=1024, the default in the easy-rsa 2.0 vars file, which also sets the RSA key size for every certificate pkitool generates; set export KEY_SIZE=2048 in vars before ./build-dh and the pkitool calls, and then copy dh2048.pem instead.

Create client certificates

cd /etc/openvpn/easy-rsa/
source vars
./pkitool client_hostname

The following files will need to be copied (scp) to the client: the client's own certificate and key, ca.crt and ta.key. ca.key stays on the signing machine.

For example:

    scp root@openvpn_server:/etc/openvpn/easy-rsa/keys/\{client_hostname*,ca.crt,ta.key\} /Users/admin/Library/openvpn/

The backslashes stop the local shell from expanding the braces so that the remote shell does. After copying, make the .key files mode 600 on the client.

Key Files

Here is a brief explanation of the newly generated key files:
    Filename              Needed By                       Purpose                     Secret
    ca.crt                server + all clients            Root CA certificate         NO
    ca.key                key signing machine only        Root CA key                 YES
    dh{n}.pem             server only                     Diffie Hellman parameters   NO
    server.crt            server only                     Server Certificate          NO
    server.key            server only                     Server Key                  YES
    client_hostname.crt   client only (unique for each)   Client Certificate          NO
    client_hostname.key   client only (unique for each)   Client Key                  YES
    ta.key                server + all clients            tls-auth HMAC key           YES

Files ending in .key need to be kept secret and those ending in .crt may be shared. ta.key is the one secret file that is deliberately copied to every client; anyone holding it can get past the tls-auth HMAC check, so it deserves the same handling as a private key.
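The checks below are an added example and not part of this page or of easy-rsa. They verify the output of the "Create server certificates" and "Create client certificates" steps against the table above before anything is copied into /etc/openvpn: every certificate chains to ca.crt, server.crt carries the nsCertType=server extension that pkitool --server adds (the basis of the client-side MITM check discussed later), each .key belongs to its .crt, and no .key is readable by anyone but its owner. The file names are the ones used above; openssl on the PATH and GNU find (for -perm /mode) are assumed.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check a directory of
# easy-rsa output before copying it into /etc/openvpn. Assumes the file
# names used above (ca.crt, ca.key, server.crt/.key, <client>.crt/.key,
# ta.key), openssl on the PATH and GNU find.

# Print one FAIL line per problem; return the number of problems (0 = clean).
check_pki_dir() {
    dir=$1
    fails=0

    # 1. Every certificate except the CA itself must chain to ca.crt.
    for crt in "$dir"/*.crt; do
        [ -f "$crt" ] || continue
        [ "$crt" = "$dir/ca.crt" ] && continue
        if ! openssl verify -CAfile "$dir/ca.crt" "$crt" 2>/dev/null | grep -q ': OK$'; then
            echo "FAIL: $crt does not chain to ca.crt"
            fails=$((fails + 1))
        fi
    done

    # 2. server.crt must carry nsCertType=server (pkitool --server sets it).
    #    A client enforcing 'ns-cert-type server' rejects anything else; a
    #    client that does not enforce it accepts any CA-signed certificate,
    #    including another client's, as the server.
    if ! openssl x509 -in "$dir/server.crt" -noout -text 2>/dev/null | grep -q 'SSL Server'; then
        echo "FAIL: server.crt lacks nsCertType=server"
        fails=$((fails + 1))
    fi

    # 3. Each <name>.key must belong to <name>.crt (same RSA modulus).
    #    ta.key has no certificate and is skipped here.
    for key in "$dir"/*.key; do
        [ -f "$key" ] || continue
        base=${key%.key}
        [ -f "$base.crt" ] || continue
        kmod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
        cmod=$(openssl x509 -in "$base.crt" -noout -modulus 2>/dev/null)
        if [ -z "$kmod" ] || [ "$kmod" != "$cmod" ]; then
            echo "FAIL: $key does not match $base.crt"
            fails=$((fails + 1))
        fi
    done

    # 4. Secret material (every *.key, ta.key included) must not be readable
    #    by group or other. '-perm /077' is GNU find syntax.
    for f in $(find "$dir" -type f -name '*.key' -perm /077); do
        echo "FAIL: $f is readable by group or other"
        fails=$((fails + 1))
    done

    return "$fails"
}

# Same checks for the server's live directory, plus: the CA private key has
# no business on the VPN server (table above: key signing machine only).
check_server_dir() {
    n=0
    check_pki_dir "$1" || n=$?
    if [ -e "$1/ca.key" ]; then
        echo "FAIL: $1/ca.key is present; keep it on the signing machine only"
        n=$((n + 1))
    fi
    return "$n"
}

# Usage: sh check_pki.sh /etc/openvpn
if [ $# -gt 0 ]; then
    check_server_dir "$1"
fi
```

Run check_pki_dir against /etc/openvpn/easy-rsa/keys on the signing machine (where ca.key is expected) and check_server_dir against /etc/openvpn on the server (where it is not). The modulus comparison is what catches the most common copy mistake, a key and certificate from two different client builds ending up under one name.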

Server Configuration

    sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
    sudo gzip -d /etc/openvpn/server.conf.gz

Edit /etc/openvpn/server.conf:

    local
    dev tap0
    up "/etc/openvpn/ br0"
    down "/etc/openvpn/ br0"
    ;server
    server-bridge
    push "route"
    push "dhcp-option DNS"
    push "dhcp-option DOMAIN"
    tls-auth ta.key 0 # This file is secret
    user nobody
    group nogroup

The sample file's "server" line is commented out because it configures routed (tun) mode; server-bridge takes its place. tls-auth with key direction 0 here requires direction 1 on every client, and makes the daemon drop control-channel packets that lack a valid HMAC before any TLS processing happens. Dropping privileges to nobody/nogroup depends on the persist-key and persist-tun lines already present in the sample file; without them the daemon cannot re-read the keys or reopen tap0 on a SIGUSR1 restart.

The bridged setup itself needs no IP forwarding, since the bridge switches Ethernet frames at layer 2. For the NAT/routed setup at the end of this page you do need it: enable it in /etc/sysctl.conf by uncommenting the net.ipv4.ip_forward=1 line.

Next, create the /etc/openvpn/ and /etc/openvpn/ helper scripts named in the up and down directives above. OpenVPN runs an up or down script with the arguments from server.conf first, followed by its own: tun/tap device name, tun MTU, link MTU, local IP, remote IP and init|restart. With up "... br0" in server.conf, $1 is therefore the bridge name, $2 the tap device and $3 the MTU, which is what the scripts below rely on:

/etc/openvpn/ (the up script):

    #!/bin/sh
    BR=$1
    DEV=$2
    MTU=$3
    /sbin/ifconfig $DEV mtu $MTU promisc up
    /usr/sbin/brctl addif $BR $DEV

/etc/openvpn/ (the down script):

    #!/bin/sh
    BR=$1
    DEV=$2
    /usr/sbin/brctl delif $BR $DEV
    /sbin/ifconfig $DEV down

Then make them executable:

    chmod 755 /etc/openvpn/ /etc/openvpn/

Restart OpenVPN:

    /etc/init.d/openvpn restart

Check /var/log/syslog for ovpn-server messages. Two things to look for there: OpenVPN 2.1 does not run user-supplied scripts at its default script-security level, so if the log says "External program may not be called unless '--script-security 2' or higher is enabled", add script-security 2 to server.conf. And because the daemon has already switched to nobody/nogroup when the down script runs, its brctl and ifconfig calls fail with permission denied; a non-persistent tap device disappears (and leaves the bridge) when the daemon exits anyway, and OpenVPN's down-root plugin exists for the case where the down script really has to run as root.

Client Installation and Configuration


Install the openvpn client:

    apt-get install openvpn

Copy the client certificates you created above to /etc/openvpn/ and create a client configuration file using the example in /usr/share/doc/openvpn/examples/sample-config-files/client.conf:

    cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/

Edit /etc/openvpn/client.conf:

    dev tap
    remote 1194
    cert client_hostname.crt
    key client_hostname.key
    tls-auth ta.key 1

Also uncomment the sample file's ";ns-cert-type server" line. The server certificate was built with pkitool --server, which sets the nsCertType=server extension; without this check the client accepts any certificate signed by the CA, including another client's, as the server, and logs the warning "No server certificate verification method has been enabled" (see the "Man-in-the-Middle" link under Woes). Keep the copied .key files mode 600.

Restart the openvpn client:

    /etc/init.d/openvpn restart

You should now be able to connect to the remote LAN through the VPN.


Download and install Tunnelblick. It will guide you through most of these steps and give you an opportunity to edit config.ovpn (similar to client.conf) as described above.
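The following lint is an added example, not part of this page, of OpenVPN or of Tunnelblick. It reads a client.conf or config.ovpn of the kind edited above and reports the settings that decide whether a man-in-the-middle holding any certificate signed by your CA can pose as the server: a "ca" line, one of the server-identity directives (ns-cert-type as used in this page, or remote-cert-tls, tls-remote and tls-verify, which OpenVPN 2.1 also accepts), and a tls-auth key direction of 1 to pair with the server's 0. The sample configs it builds are constructed; the 192.0.2.1 address in them is a placeholder, not a value from the page.

```shell
#!/bin/sh
# Added example (not from the original page): lint an OpenVPN 2.1 client
# config for the settings that let a CA-signed client certificate be
# mistaken for the server. Directive names are OpenVPN 2.1's own; the
# sample configs written by demo() are constructed for illustration.

# Return the value of an uncommented directive (empty if absent).
conf_get() {
    # $1 = file, $2 = directive name
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}

# True if the directive appears uncommented (lines starting with # or ; do not count).
conf_has() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# Print one FAIL/WARN line per finding; return the number of FAILs.
lint_client_conf() {
    conf=$1
    fails=0

    if ! conf_has "$conf" ca; then
        echo "FAIL: no 'ca' directive, so the server certificate cannot be validated"
        fails=$((fails + 1))
    fi

    # Without one of these the client accepts any certificate our CA signed
    # (for example another client's) as the server. OpenVPN logs this as
    # "No server certificate verification method has been enabled".
    if ! conf_has "$conf" ns-cert-type && ! conf_has "$conf" remote-cert-tls \
       && ! conf_has "$conf" tls-remote && ! conf_has "$conf" tls-verify; then
        echo "FAIL: server identity is not checked; add 'ns-cert-type server'"
        fails=$((fails + 1))
    fi

    ta=$(conf_get "$conf" tls-auth)
    case "$ta" in
        "")    echo "WARN: no tls-auth; control channel packets are not HMAC-checked" ;;
        *" 1") ;;   # key direction 1 pairs with the server's 'tls-auth ta.key 0'
        *)     echo "FAIL: tls-auth key direction must be 1 on the client when the server uses 0"
               fails=$((fails + 1)) ;;
    esac

    return "$fails"
}

# Constructed sample: this page's client.conf edits with the sample file's
# ';ns-cert-type server' still commented out (weak), then enabled (fixed).
# Prints the findings for both and returns the weak config's FAIL count.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' client 'dev tap' 'remote 192.0.2.1 1194' 'ca ca.crt' \
        'cert client_hostname.crt' 'key client_hostname.key' \
        'tls-auth ta.key 1' ';ns-cert-type server' > "$dir/weak.conf"
    sed 's/^;ns-cert-type/ns-cert-type/' "$dir/weak.conf" > "$dir/fixed.conf"
    weak=0
    echo "== weak.conf";  lint_client_conf "$dir/weak.conf"  || weak=$?
    echo "== fixed.conf"; lint_client_conf "$dir/fixed.conf" || true
    rm -rf "$dir"
    return "$weak"
}

# Usage: sh lint_client.sh /etc/openvpn/client.conf   (no argument: run demo)
if [ $# -gt 0 ]; then
    lint_client_conf "$1"
else
    demo
fi
```

The same lint applies to Tunnelblick's config.ovpn, which uses the same directives; the Woes entry below shows the warning this check prevents.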


Checking VPN Connection

Edit /etc/openvpn/server.conf and restart openvpn:

    status status.log 5
    status-version 2

This writes the current status of the OpenVPN server to the named file (status.log here, relative to /etc/openvpn) every 5 seconds (the default is one minute). Lines starting with CLIENT_LIST describe the connected users, one per line with common name, real address, virtual address, bytes received, bytes sent and connection time; with status-version 2 the fields are comma separated, which makes them easy to parse from a script for mrtg/cacti graphs.
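The script below is an added example, not from this page, of the parsing the paragraph above suggests. It reads a status-version 2 file and produces per-client lines, a client count and rx/tx totals of the kind an mrtg target consumes. The field order is the one OpenVPN 2.1 writes for CLIENT_LIST records; the status file embedded in the block is constructed, not captured from a real server, and its "Virtual Address" values are MAC addresses because that is what a tap bridge with LAN-side DHCP reports.

```shell
#!/bin/sh
# Added example (not from the original page): summarise the CLIENT_LIST
# records of an OpenVPN 2.1 "status-version 2" file for graphing.
# Assumed field order, as written by OpenVPN 2.1:
#   CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,
#   Bytes Sent,Connected Since,Connected Since (time_t)
# In a tap bridge where clients get addresses from the LAN's DHCP server,
# "Virtual Address" is the client's MAC address rather than an IP.

# One line per connected client: cn real_addr virt_addr rx tx uptime_seconds
# $1 = status file, $2 = current epoch time (used for the uptime column)
vpn_clients() {
    awk -F, -v now="$2" '
        $1 == "CLIENT_LIST" { printf "%s %s %s %d %d %d\n", $2, $3, $4, $5, $6, now - $8 }
    ' "$1"
}

# Number of connected clients
vpn_client_count() {
    awk -F, '$1 == "CLIENT_LIST" { n++ } END { print n + 0 }' "$1"
}

# Totals across all clients as "rx tx", the two counters an mrtg target wants
vpn_total_bytes() {
    awk -F, '$1 == "CLIENT_LIST" { rx += $5; tx += $6 } END { printf "%d %d\n", rx, tx }' "$1"
}

# Constructed sample status file (not captured from a real server), written
# to the path given as $1, with two clients on a tap bridge.
write_sample_status() {
    cat > "$1" <<'EOF'
TITLE,OpenVPN 2.1.0
TIME,Wed Apr 13 10:05:00 2011,1302689100
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t)
CLIENT_LIST,client_hostname,203.0.113.5:54321,00:ff:12:34:56:78,123456,654321,Wed Apr 13 10:00:00 2011,1302688800
CLIENT_LIST,laptop,198.51.100.7:1194,00:ff:ab:cd:ef:01,1000,2000,Wed Apr 13 09:30:00 2011,1302687000
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,00:ff:12:34:56:78,client_hostname,203.0.113.5:54321,Wed Apr 13 10:04:50 2011,1302689090
ROUTING_TABLE,00:ff:ab:cd:ef:01,laptop,198.51.100.7:1194,Wed Apr 13 10:04:58 2011,1302689098
GLOBAL_STATS,Max bcast/mcast queue length,1
END
EOF
}

# Usage: sh vpn_status.sh /etc/openvpn/status.log
if [ $# -gt 0 ]; then
    vpn_clients "$1" "$(date +%s)"
    echo "clients: $(vpn_client_count "$1")  bytes rx/tx: $(vpn_total_bytes "$1")"
fi
```

Keying on the first field rather than on line position means the parser is unaffected by the HEADER, ROUTING_TABLE and GLOBAL_STATS records around the client list, and the time_t column (field 8) gives uptime without parsing the human-readable date.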

If the telnet interface is installed...


OSX Links


Date: 4/13/2011
Problem: OpenVPN 2.1.0 will not start on Ubuntu 10.04.1 LTS.

    # /etc/init.d/openvpn start
     * Starting virtual private network daemon(s)...
     * Autostarting VPN 'server'!

Resolution: /var/log/syslog showed the following:

    ovpn-server[pid]: TCP/UDP: Socket bind failed on local address [AF_INET]ipaddress:port: Cannot assign requested address

"Cannot assign requested address" on bind means the address named by the "local" directive was not yet configured on any interface: openvpn is started before the bridge has received its address (the linked report describes the same race with dhclient). The easy fix is to comment out or remove the "local" line from /etc/openvpn/server.conf and restart openvpn. Without "local", OpenVPN listens on every address of the host, so if the server has other interfaces, restrict the OpenVPN port with iptables to the ones it should serve.
Links: [karmic] openvpn service starts before dhclient - OpenVPN Bridge Troubleshooting
Date: 4/13/2011
Problem: Tunnelblick on OSX 10.6.7 not connecting to Ubuntu openvpn server. Tunnelblick "Details..." shows the following:

  WARNING: No server certificate verification method has been enabled.
  Cannot load private key file host-127-69.key: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib
  Error: private key password verification failed

Resolution: Corrected a typo in the cert and key definitions in /Users/admin/Library/openvpn/config.ovpn. The "Cannot load private key file" line is the typo: the path given for key does not exist. The WARNING on the first line does not come from the typo: it means config.ovpn has neither ns-cert-type server nor tls-remote set, so the client accepts any certificate signed by the CA, including another client's, as the server. That is the man-in-the-middle condition in the linked article; add ns-cert-type server to config.ovpn.
Links: Possible "Man-in-the-Middle" attack if clients do not verify the certificate of the server they are connecting to

OpenVPN with NAT Setup Notes (In Progress)


            OpenVPN Server       OpenVPN Client
    eth0    192.168.75.130       whatever
    tap0    10.10.10.1           10.10.10.10-20

  1. Update the following in /etc/openvpn/server.conf:

         server-bridge
         push "route"

  2. Configure the TAP interface:

         ip addr add dev tap0
         ip link set tap0 up
         ifconfig tap0
         route add -net netmask gw dev tap0
         netcfg tap0 up

  3. Set up the NAT:

         iptables -v -t nat -A PREROUTING -d -j NETMAP --to
         iptables -v -t nat -A PREROUTING -i tap0 -d -j NETMAP --to
         iptables -v -t nat -A POSTROUTING -o tap0 -s -j NETMAP --to
         iptables -v -t nat -A POSTROUTING -o eth0 -s -j NETMAP --to
         echo 1 > /proc/sys/net/ipv4/ip_forward

  4. Set up Proxy ARP:

         ip addr add dev tap0
         echo 1 > /proc/sys/net/ipv4/conf/tap0/proxy_arp
         echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp