Step 3: Set up the Server Configuration and Start OpenVPN

Back to the overview
Back to step 2
Forward to step 4

To set up an OpenVPN server, you must:

  • Put together an appropriate configuration file.
  • Set the sysctl value net.ipv4.ip_forward = 1 to enable routing.
  • Set up appropriate ownership for all configuration and authentication files to run the OpenVPN server daemon under a non-root account.
  • Set OpenVPN to start with the configuration file from the previous step.
  • Configure your organization firewall.

Configuration file

The server config file goes in /etc/openvpn/server/.

If you want to start from scratch

OpenVPN includes several sample configuration files to use as a starting point. Here is a directory listing.

[root@ovpn2020 pki]# cd /usr/share/doc/openvpn/sample/sample-config-files/
[root@ovpn2020 sample-config-files]# ls -al
total 84
drwxr-xr-x. 2 root root  4096 Mar 29 01:48 .
drwxr-xr-x. 5 root root    77 Mar 29 01:48 ..
-rw-r--r--. 1 root root  3585 Oct 30 07:37 client.conf
-rw-r--r--. 1 root root  3562 Oct 30 07:37 firewall.sh
-rw-r--r--. 1 root root    62 Oct 30 07:37 home.up
-rw-r--r--. 1 root root   672 Oct 30 07:37 loopback-client
-rw-r--r--. 1 root root   675 Oct 30 07:37 loopback-server
-rw-r--r--. 1 root root    62 Oct 30 07:37 office.up
-rw-r--r--. 1 root root    63 Oct 30 07:37 openvpn-shutdown.sh
-rw-r--r--. 1 root root   776 Oct 30 07:37 openvpn-startup.sh
-rw-r--r--. 1 root root   131 Oct 30 07:37 README
-rw-r--r--. 1 root root   820 Nov  1 07:09 roadwarrior-client.conf
-rw-r--r--. 1 root root  1498 Nov  1 07:09 roadwarrior-server.conf
-rw-r--r--. 1 root root 10784 Oct 30 07:37 server.conf
-rw-r--r--. 1 root root  1778 Oct 30 07:37 static-home.conf
-rw-r--r--. 1 root root  1724 Oct 30 07:37 static-office.conf
-rw-r--r--. 1 root root  1937 Oct 30 07:37 tls-home.conf
-rw-r--r--. 1 root root  1948 Oct 30 07:37 tls-office.conf
-rw-r--r--. 1 root root   199 Oct 30 07:37 xinetd-client-config
-rw-r--r--. 1 root root   989 Oct 30 07:37 xinetd-server-config
[root@ovpn2020 sample-config-files]#

If you want to build a config file by hand, start with either server.conf or roadwarrior-server.conf above as appropriate and place your config file in /etc/openvpn/server. Both are extensively commented. Read the comments and decide what makes most sense for your situation.

Semi-automated to save time and aggravation

Save time and aggravation by using the server and client configuration file templates I built and tested, along with my pre-built sysctl file to turn on network routing. My configuration also includes a customization to log connects and disconnects. It keeps logs on the OpenVPN server in /etc/openvpn/server/logs.

If you use my pre-built templates, you’ll need to edit them to use your IP Addresses and names.

To use my pre-built config templates, scripts, and sysctl file to turn on IP forwarding, log in as root on your OpenVPN server and paste these commands:

curl https://www.dgregscott.com/ovpn/OVPNdownloads.sh > OVPNdownloads.sh
chmod 755 OVPNdownloads.sh

This will save a copy of a script named OVPNdownloads.sh on your system. It’s always dangerous to execute a script downloaded from a website, so look this over before running it. It:

  • Creates the appropriate directories on your OpenVPN server.
  • Downloads server and client config file templates from my website.
  • Downloads my custom scripts and places them in the correct directory with the correct permissions.
  • Downloads 99-ipforward.conf and places it into /etc/sysctl.d to turn on IP forwarding at next boot.
  • Sets up ownership for everything in /etc/openvpn.

When you’re comfortable with what it does, execute it like this:

./OVPNdownloads.sh

Here is how it should look and what it sets up on your OpenVPN server.

[root@DESKTOP-2MS4LSA ~]# curl https://www.dgregscott.com/ovpn/OVPNdownloads.sh > OVPNdownloads.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1514  100  1514    0     0  72095      0 --:--:-- --:--:-- --:--:-- 72095
[root@DESKTOP-2MS4LSA ~]# chmod 755 OVPNdownloads.sh
[root@DESKTOP-2MS4LSA ~]#
[root@DESKTOP-2MS4LSA ~]# ./OVPNdownloads.sh
Setting up directories for custom scripts.
Copying server and Windows client config template files.
Edit these to put in correct IP Addresses and certificate and key file names.
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2588  100  2588    0     0   126k      0 --:--:-- --:--:-- --:--:--  126k
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1764  100  1764    0     0  88200      0 --:--:-- --:--:-- --:--:-- 88200
Setting up ip_forward sysctl
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    84  100    84    0     0   4200      0 --:--:-- --:--:-- --:--:--  4200
Copying custom scripts.
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   917  100   917    0     0  43666      0 --:--:-- --:--:-- --:--:-- 43666
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   990  100   990    0     0  49500      0 --:--:-- --:--:-- --:--:-- 49500
Making custom scripts executable.
Setting ownership for everything in /etc/openvpn to openvpn.openvpn.
[root@DESKTOP-2MS4LSA ~]#

Here are the files it copies and the ip_forward sysctl. Notice the file ownership.

[root@DESKTOP-2MS4LSA ~]# ls -al -R /etc/openvpn
/etc/openvpn:
total 12
drwxr-xr-x.   4 openvpn openvpn   34 Apr  6 20:35 .
drwxr-xr-x. 139 root    root    8192 Apr  6 20:35 ..
drwxr-xr-x.   2 openvpn openvpn   33 Apr  6 20:35 client
drwxr-xr-x.   4 openvpn openvpn   56 Apr  6 20:35 server

/etc/openvpn/client:
total 4
drwxr-xr-x. 2 openvpn openvpn   33 Apr  6 20:35 .
drwxr-xr-x. 4 openvpn openvpn   34 Apr  6 20:35 ..
-rw-r--r--. 1 openvpn openvpn 1764 Apr  6 20:35 OVPNclient2020.ovpn

/etc/openvpn/server:
total 4
drwxr-xr-x. 4 openvpn openvpn   56 Apr  6 20:35 .
drwxr-xr-x. 4 openvpn openvpn   34 Apr  6 20:35 ..
drwxr-xr-x. 2 openvpn openvpn   59 Apr  6 20:35 ccd
drwxr-xr-x. 2 openvpn openvpn    6 Apr  6 20:35 logs
-rw-r--r--. 1 openvpn openvpn 2588 Apr  6 20:35 OVPNserver2020.conf

/etc/openvpn/server/ccd:
total 8
drwxr-xr-x. 2 openvpn openvpn  59 Apr  6 20:35 .
drwxr-xr-x. 4 openvpn openvpn  56 Apr  6 20:35 ..
-rwxr-xr-x. 1 openvpn openvpn 917 Apr  6 20:35 client-connect.sh
-rwxr-xr-x. 1 openvpn openvpn 990 Apr  6 20:35 client-disconnect.sh

/etc/openvpn/server/logs:
total 0
drwxr-xr-x. 2 openvpn openvpn  6 Apr  6 20:35 .
drwxr-xr-x. 4 openvpn openvpn 56 Apr  6 20:35 ..
[root@DESKTOP-2MS4LSA ~]#
[root@DESKTOP-2MS4LSA ~]# cat /etc/sysctl.d/99-ipforward.conf
# Turn on IP forwarding. OpenVPN servers need to do routing
net.ipv4.ip_forward = 1
[root@DESKTOP-2MS4LSA ~]#

Edit OVPNserver2020.conf and OVPNclient2020.ovpn to include your IP Addresses. Also edit OVPNserver2020.conf to include your server certificate names from earlier. You will need to rename and edit a copy of OVPNclient2020.ovpn from your Windows client to include your Windows certificate filenames in a later step. See the blocks that start with “***?” for where to edit.
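The connect and disconnect logging that the custom scripts in ccd provide can also be done with one hook script. The following is an added example, not the author's client-connect.sh or client-disconnect.sh; it assumes the server config wires it in with script-security 2 plus client-connect and client-disconnect lines, and that the logs directory is owned by openvpn as set up above.

```shell
#!/bin/bash
# Added example, not the page's client-connect.sh/client-disconnect.sh.
# One hook that serves both events. Assumed wiring in the server config:
#   script-security 2
#   client-connect    /etc/openvpn/server/ccd/log-client-event.sh
#   client-disconnect /etc/openvpn/server/ccd/log-client-event.sh
# OpenVPN exports script_type, common_name, trusted_ip,
# ifconfig_pool_remote_ip and, on disconnect, bytes_received,
# bytes_sent and time_duration into the hook's environment.

LOG_DIR="${OVPN_LOG_DIR:-/etc/openvpn/server/logs}"  # owned by openvpn:openvpn
LOG_FILE="$LOG_DIR/connections.log"

# Render one log line. Arguments: event type, common name, client public
# IP, tunnel IP, bytes received, bytes sent, session seconds.
format_event() {
  local ts
  ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  case "$1" in
    client-connect)
      printf '%s CONNECT cn=%s from=%s tun=%s\n' "$ts" "$2" "$3" "$4" ;;
    client-disconnect)
      printf '%s DISCONNECT cn=%s from=%s tun=%s rx=%s tx=%s dur=%ss\n' \
        "$ts" "$2" "$3" "$4" "${5:-0}" "${6:-0}" "${7:-0}" ;;
    *)
      printf '%s UNKNOWN type=%s cn=%s\n' "$ts" "$1" "$2" ;;
  esac
}

# Append the line. The directory is never created here: a typo in
# LOG_DIR should fail loudly rather than scatter logs elsewhere.
log_event() {
  [ -d "$LOG_DIR" ] || { echo "log dir $LOG_DIR missing" >&2; return 1; }
  format_event "$@" >> "$LOG_FILE"
}

# script_type is only set when OpenVPN invoked us, so this is a no-op when
# the file is sourced or run by hand. A non-zero exit from client-connect
# would reject the client, so a logging failure is deliberately ignored.
if [ -n "${script_type:-}" ]; then
  log_event "$script_type" "${common_name:-unknown}" "${trusted_ip:-?}" \
    "${ifconfig_pool_remote_ip:-?}" "${bytes_received:-0}" \
    "${bytes_sent:-0}" "${time_duration:-0}" || true
fi
```

Because the daemon drops to the openvpn user, the hook runs as that user too, which is why the logs directory ownership from the listing above matters.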

Set the sysctl net.ipv4.ip_forward = 1

If you used the automation from my website, this should already be in place. If not, create a file, /etc/sysctl.d/99-ipforward.conf, that looks like this. It takes effect at the next boot, or immediately if you run sysctl -p /etc/sysctl.d/99-ipforward.conf.

# Turn on IP forwarding. OpenVPN servers need to do routing
net.ipv4.ip_forward = 1

File ownership

If you used the automation from my website, this should already be in place. If not, then ensure the system has a user, openvpn, which is a member of a group named openvpn, and set the ownership for everything in /etc/openvpn.

useradd openvpn # This will probably return "User 'openvpn' already exists."
chown -R openvpn:openvpn /etc/openvpn   # the older openvpn.openvpn separator also works, but colon is the supported form

Startup

Fire it up and set it to start automatically when the system boots, like this:

systemctl start openvpn-server@OVPNserver2020.service
systemctl enable openvpn-server@OVPNserver2020.service
# Where OVPNserver2020.conf is the name of your server configuration file.
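Before starting the service it is worth checking the pieces this step depends on. The script below is an added example, not part of the page or its OVPNdownloads.sh; it assumes the page's names (daemon user and group openvpn, a key file path in the config relative to the config directory) and takes the config path as its first argument.

```shell
#!/bin/bash
# Added example, not part of the page or its OVPNdownloads.sh: a read-only
# check of what this step set up, using the page's names (daemon user and
# group openvpn). Pass the config path as the first argument to run it
# against a live server; with no argument it only defines the functions.

# Does $1 set directive $2 (optionally with first value $3)? Leading
# whitespace is ignored and comment lines never match, as in OpenVPN.
has_directive() {
  local file=$1 key=$2 val=${3:-}
  if [ -n "$val" ]; then
    grep -Eq "^[[:space:]]*${key}[[:space:]]+${val}([[:space:]]|\$)" "$file"
  else
    grep -Eq "^[[:space:]]*${key}([[:space:]]|\$)" "$file"
  fi
}

# Privilege drop plus persist-key/persist-tun: without the latter two the
# daemon cannot re-read its key or reopen the tun device after losing root.
lint_config() {
  local f=$1 rc=0 d
  for d in "user openvpn" "group openvpn" "persist-key" "persist-tun"; do
    # $d is left unquoted so "user openvpn" splits into key and value
    has_directive "$f" $d || { echo "MISSING in $f: $d" >&2; rc=1; }
  done
  return $rc
}

# The server's private key must be readable only by its owner (GNU stat).
key_mode_ok() {
  local mode
  mode=$(stat -c %a "$1") || return 1
  [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

# True when every file under $1 is owned by user $2 and group $3
# (find accepts numeric ids as well as names).
tree_owned_by() {
  local stray
  stray=$(find "$1" \( ! -user "$2" -o ! -group "$3" \) -print -quit 2>/dev/null) || return 1
  [ -z "$stray" ]
}

if [ $# -gt 0 ]; then
  conf=$1; dir=$(dirname "$conf"); status=0
  lint_config "$conf" || status=1
  key=$(sed -nE 's/^[[:space:]]*key[[:space:]]+([^[:space:]]+).*/\1/p' "$conf" | head -n1)
  case $key in /*) ;; ?*) key="$dir/$key" ;; esac   # assumed: relative to the config dir
  [ -z "$key" ] || key_mode_ok "$key" || { echo "key $key is too open" >&2; status=1; }
  tree_owned_by "$dir" openvpn openvpn || { echo "$dir not all owned by openvpn:openvpn" >&2; status=1; }
  exit $status
fi
```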

Firewall settings

You will need at least one public static IP Address from your internet service provider. Put your OpenVPN server behind the company firewall and give it a private IP Address in your network. Use the firewall to advertise a public IP Address on UDP port 1194 to the world and NAT that public IP Address to your internal OpenVPN server.

Here are suggested settings for a Linux-based iptables firewall. Use them as a guide for your network perimeter settings.

# Set up variables
INET_IFACE="enp2s0"                # internet-facing interface on the firewall
IPTABLES="/sbin/iptables"          # path to the iptables binary
PUBLIC_OVPN_IP="1.2.3.4"           # public address advertised for the OpenVPN server
PUBLIC_OVPN_IP_SLASH="1.2.3.4/27"
PRIVATE_OVPN_IP="10.10.10.97"      # OpenVPN server's address on the internal LAN
TUNNEL_OVPN_RANGE="10.8.0.0/24"    # address pool handed out to VPN clients

# Set up a public IP Address and let the world know we're here.
ip addr add $PUBLIC_OVPN_IP_SLASH dev $INET_IFACE
arping -A $PUBLIC_OVPN_IP -c 1 -I $INET_IFACE   # gratuitous ARP on the same interface

# Do not source NAT (SNAT) outbound tunneled packets.
$IPTABLES -t nat -A POSTROUTING -d $TUNNEL_OVPN_RANGE -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s $TUNNEL_OVPN_RANGE -j ACCEPT

# Forward inbound OpenVPN packets after they've been NATed (UDP 1194)
$IPTABLES -A FORWARD -p udp --dport 1194 -d $PRIVATE_OVPN_IP -j ACCEPT

# DNAT (destination NAT) inbound OpenVPN packets to the OpenVPN server
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -d $PUBLIC_OVPN_IP \
    -p udp --dport 1194 -j DNAT --to $PRIVATE_OVPN_IP

echo "Adding OpenVPN route"
# Send traffic for the VPN client pool to the OpenVPN server, which routes it into the tunnel.
ip route add $TUNNEL_OVPN_RANGE via $PRIVATE_OVPN_IP