To set up an OpenVPN server, you must:
- Put together an appropriate configuration file.
- Set the sysctl value, net.ipv4.ip_forward = 1 to enable routing.
- Set up appropriate ownership for all configuration and authentication files to run the OpenVPN server daemon under a non-root account.
- Set OpenVPN to start with the configuration file from the previous step.
- Configure your organization firewall.
Configuration file
The server config file goes in /etc/openvpn/server/.
If you want to start from scratch
OpenVPN includes several sample configuration files to use as a starting point. Here is a directory listing.
[root@ovpn2020 pki]# cd /usr/share/doc/openvpn/sample/sample-config-files/
[root@ovpn2020 sample-config-files]# ls -al
total 84
drwxr-xr-x. 2 root root 4096 Mar 29 01:48 .
drwxr-xr-x. 5 root root 77 Mar 29 01:48 ..
-rw-r--r--. 1 root root 3585 Oct 30 07:37 client.conf
-rw-r--r--. 1 root root 3562 Oct 30 07:37 firewall.sh
-rw-r--r--. 1 root root 62 Oct 30 07:37 home.up
-rw-r--r--. 1 root root 672 Oct 30 07:37 loopback-client
-rw-r--r--. 1 root root 675 Oct 30 07:37 loopback-server
-rw-r--r--. 1 root root 62 Oct 30 07:37 office.up
-rw-r--r--. 1 root root 63 Oct 30 07:37 openvpn-shutdown.sh
-rw-r--r--. 1 root root 776 Oct 30 07:37 openvpn-startup.sh
-rw-r--r--. 1 root root 131 Oct 30 07:37 README
-rw-r--r--. 1 root root 820 Nov 1 07:09 roadwarrior-client.conf
-rw-r--r--. 1 root root 1498 Nov 1 07:09 roadwarrior-server.conf
-rw-r--r--. 1 root root 10784 Oct 30 07:37 server.conf
-rw-r--r--. 1 root root 1778 Oct 30 07:37 static-home.conf
-rw-r--r--. 1 root root 1724 Oct 30 07:37 static-office.conf
-rw-r--r--. 1 root root 1937 Oct 30 07:37 tls-home.conf
-rw-r--r--. 1 root root 1948 Oct 30 07:37 tls-office.conf
-rw-r--r--. 1 root root 199 Oct 30 07:37 xinetd-client-config
-rw-r--r--. 1 root root 989 Oct 30 07:37 xinetd-server-config
[root@ovpn2020 sample-config-files]#
If you want to build a config file by hand, start with either server.conf or roadwarrior-server.conf above as appropriate and place your config file in /etc/openvpn/server. Both are extensively commented. Read the comments and decide what makes most sense for your situation.
Semi-automated to save time and aggravation
Save time and aggravation by using the server and client configuration file templates I built and tested, along with my pre-built sysctl file to turn on network routing. My configuration also includes a customization to log connects and disconnects. It keeps logs on the OpenVPN server in /etc/openvpn/server/logs.
If you use my pre-built templates, you’ll need to edit them to use your IP Addresses and names.
To use my pre-built config templates, scripts, and sysctl to turn on IP forwarding, log in as root on your OpenVPN server and paste these commands:
curl https://www.dgregscott.com/ovpn/OVPNdownloads.sh > OVPNdownloads.sh
chmod 755 OVPNdownloads.sh
This will save a copy of a script named OVPNdownloads.sh on your system. It’s always dangerous to execute a script downloaded from a website, so look this over before running it. It:
- Creates the appropriate directories on your OpenVPN server.
- Downloads server and client config file templates from my website.
- Downloads my custom scripts and places them into the correct directory with correct permissions.
- Downloads 99-ipforward.conf and places it into /etc/sysctl.d to turn on IP forwarding at next boot.
- Sets up ownership for everything in /etc/openvpn.
When you’re comfortable with what it does, execute it like this:
./OVPNdownloads.sh
Here is how it should look and what it sets up on your OpenVPN server.
[root@DESKTOP-2MS4LSA ~]# curl https://www.dgregscott.com/ovpn/OVPNdownloads.sh > OVPNdownloads.sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1514 100 1514 0 0 72095 0 --:--:-- --:--:-- --:--:-- 72095
[root@DESKTOP-2MS4LSA ~]# chmod 755 OVPNdownloads.sh
[root@DESKTOP-2MS4LSA ~]#
[root@DESKTOP-2MS4LSA ~]# ./OVPNdownloads.sh
Setting up directories for custom scripts.
Copying server and Windows client config template files.
Edit these to put in correct IP Addresses and certificate and key file names.
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2588 100 2588 0 0 126k 0 --:--:-- --:--:-- --:--:-- 126k
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1764 100 1764 0 0 88200 0 --:--:-- --:--:-- --:--:-- 88200
Setting up ip_forward sysctl
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 84 100 84 0 0 4200 0 --:--:-- --:--:-- --:--:-- 4200
Copying custom scripts.
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 917 100 917 0 0 43666 0 --:--:-- --:--:-- --:--:-- 43666
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 990 100 990 0 0 49500 0 --:--:-- --:--:-- --:--:-- 49500
Making custom scripts executable.
Setting ownership for everything in /etc/openvpn to openvpn.openvpn.
[root@DESKTOP-2MS4LSA ~]#
Here are the files it copies and the ip_forward sysctl. Notice the file ownership.
[root@DESKTOP-2MS4LSA ~]# ls -al -R /etc/openvpn
/etc/openvpn:
total 12
drwxr-xr-x. 4 openvpn openvpn 34 Apr 6 20:35 .
drwxr-xr-x. 139 root root 8192 Apr 6 20:35 ..
drwxr-xr-x. 2 openvpn openvpn 33 Apr 6 20:35 client
drwxr-xr-x. 4 openvpn openvpn 56 Apr 6 20:35 server
/etc/openvpn/client:
total 4
drwxr-xr-x. 2 openvpn openvpn 33 Apr 6 20:35 .
drwxr-xr-x. 4 openvpn openvpn 34 Apr 6 20:35 ..
-rw-r--r--. 1 openvpn openvpn 1764 Apr 6 20:35 OVPNclient2020.ovpn
/etc/openvpn/server:
total 4
drwxr-xr-x. 4 openvpn openvpn 56 Apr 6 20:35 .
drwxr-xr-x. 4 openvpn openvpn 34 Apr 6 20:35 ..
drwxr-xr-x. 2 openvpn openvpn 59 Apr 6 20:35 ccd
drwxr-xr-x. 2 openvpn openvpn 6 Apr 6 20:35 logs
-rw-r--r--. 1 openvpn openvpn 2588 Apr 6 20:35 OVPNserver2020.conf
/etc/openvpn/server/ccd:
total 8
drwxr-xr-x. 2 openvpn openvpn 59 Apr 6 20:35 .
drwxr-xr-x. 4 openvpn openvpn 56 Apr 6 20:35 ..
-rwxr-xr-x. 1 openvpn openvpn 917 Apr 6 20:35 client-connect.sh
-rwxr-xr-x. 1 openvpn openvpn 990 Apr 6 20:35 client-disconnect.sh
/etc/openvpn/server/logs:
total 0
drwxr-xr-x. 2 openvpn openvpn 6 Apr 6 20:35 .
drwxr-xr-x. 4 openvpn openvpn 56 Apr 6 20:35 ..
[root@DESKTOP-2MS4LSA ~]#
[root@DESKTOP-2MS4LSA ~]# cat /etc/sysctl.d/99-ipforward.conf
# Turn on IP forwarding. OpenVPN servers need to do routing
net.ipv4.ip_forward = 1
[root@DESKTOP-2MS4LSA ~]#
Edit OVPNserver2020.conf and OVPNclient2020.ovpn to include your IP Addresses. Also edit OVPNserver2020.conf to include your server certificate names from earlier. In a later step you will rename and edit a copy of OVPNclient2020.ovpn for your Windows client and fill in your Windows certificate filenames. See the blocks that start with “***?” for where to edit.
Set the sysctl net.ipv4.ip_forward = 1
If you used the automation from my website, this should already be in place.
If not, create a file, /etc/sysctl.d/99-ipforward.conf, that looks like this. Files in /etc/sysctl.d are applied at boot, so run sysctl --system once after creating it to turn forwarding on now, and confirm with sysctl net.ipv4.ip_forward before you start the daemon.
# Turn on IP forwarding. OpenVPN servers need to do routing
net.ipv4.ip_forward = 1
File ownership
If you used the automation from my website, this should already be in place. If not, make sure the system has a user named openvpn whose primary group is openvpn, then set the ownership for everything in /etc/openvpn. The openvpn package normally creates that account already; if you do have to create it, make it a system account with no login shell, since nothing should ever log in as the daemon user.
useradd -r -s /sbin/nologin openvpn # This will probably return "useradd: user 'openvpn' already exists"
chown -R openvpn:openvpn /etc/openvpn
Startup
Fire it up and set it to start automatically when the system boots, like this:
systemctl start openvpn-server@OVPNserver2020.service
systemctl enable openvpn-server@OVPNserver2020.service
# The instance name after the @ is your server configuration file's name in /etc/openvpn/server
# without its .conf extension, so OVPNserver2020.conf runs as openvpn-server@OVPNserver2020.service.
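The three steps above (sysctl, ownership, startup) are easy to get subtly wrong: the sysctl file only takes effect at boot, chown says nothing about file modes, and the systemd instance name is the config name without .conf. The audit script below is an added example written for this page; it is not one of the scripts from dgregscott.com and not part of OpenVPN. It assumes the layout the page uses (/etc/openvpn, daemon account openvpn:openvpn, unit openvpn-server@<config>.service); the function names and the file name ovpn-audit.sh are my own. Every check takes its path as an argument so it can be run against a scratch directory as well as the live host.

```shell
#!/bin/sh
# ovpn-audit.sh: added post-install checks for the OpenVPN server set up on this page.
# Example code written for this walkthrough, not a script from dgregscott.com or from
# the OpenVPN project. Assumed layout: configs under /etc/openvpn, daemon account
# openvpn:openvpn, systemd template openvpn-server@<config>.service.

# Exit 0 when IPv4 forwarding is on. $1 is the proc file to read; it defaults to the
# live kernel value, so the check reflects what is in effect, not just what
# /etc/sysctl.d/99-ipforward.conf says will happen at the next boot.
ovpn_check_forwarding() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ "$(cat "$f" 2>/dev/null)" = "1" ]
}

# Count filesystem entries under $1 that are not owned by user $2 and group $3.
# Numeric IDs are accepted, which matters on a host without the named account.
ovpn_bad_owner_count() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) | wc -l
}

# List *.key files under $1 that anything other than their owner can read or write.
# Private keys should be mode 0600; the tutorial's chown fixes ownership only and
# leaves a key that was copied in as 0644 readable by every local account.
ovpn_loose_key_files() {
    find "$1" -type f -name '*.key' -perm /077
}

# Map a server config path to the systemd instance that runs it, e.g.
# /etc/openvpn/server/OVPNserver2020.conf -> openvpn-server@OVPNserver2020.service
ovpn_unit_for_conf() {
    printf 'openvpn-server@%s.service\n' "$(basename "$1" .conf)"
}

# Run every check against the live host. $1 is the OpenVPN base directory, $2 the
# server config file name. Returns non-zero if any check failed.
ovpn_audit() {
    base="${1:-/etc/openvpn}"
    conf="${2:-OVPNserver2020.conf}"
    rc=0
    if ovpn_check_forwarding; then
        echo "ok   net.ipv4.ip_forward = 1"
    else
        echo "FAIL ip_forward is off (run: sysctl --system)"; rc=1
    fi
    n=$(ovpn_bad_owner_count "$base" openvpn openvpn)
    if [ "$n" -eq 0 ]; then
        echo "ok   everything under $base is owned by openvpn:openvpn"
    else
        echo "FAIL $n entries under $base are not owned by openvpn:openvpn"; rc=1
    fi
    loose=$(ovpn_loose_key_files "$base")
    if [ -z "$loose" ]; then
        echo "ok   no group- or world-readable *.key files under $base"
    else
        echo "FAIL key files readable by others:"; echo "$loose"; rc=1
    fi
    unit=$(ovpn_unit_for_conf "$conf")
    if systemctl is-active --quiet "$unit"; then
        echo "ok   $unit is active"
    else
        echo "FAIL $unit is not active (see: journalctl -u $unit -e)"; rc=1
    fi
    return $rc
}

# Only run the audit when invoked as: sh ovpn-audit.sh audit [/etc/openvpn] [server.conf]
case "${1:-}" in
    audit) ovpn_audit "${2:-}" "${3:-}" ;;
esac
```

Run it as root with sh ovpn-audit.sh audit /etc/openvpn OVPNserver2020.conf after the systemctl commands; each FAIL line points at which of the three steps to revisit. The key-permission check is the one the tutorial's chown does not cover: ownership by openvpn:openvpn still leaves a 0644 key readable by every local account.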
Firewall settings
You will need at least one public static IP Address from your internet service provider. Put your OpenVPN server behind the company firewall and give it a private IP Address in your network. Use the firewall to advertise a public IP Address on UDP port 1194 to the world and NAT that public IP Address to your internal OpenVPN server.
Here are suggested settings for a Linux-based iptables firewall. Use them as a guide for your network perimeter settings. They are a fragment of a larger firewall script and assume that script already source-NATs ordinary outbound LAN traffic, which is why the tunnel range is exempted from NAT below.
# Set up variables
IPTABLES="$(command -v iptables)"
INET_IFACE="enp2s0"
PUBLIC_OVPN_IP="1.2.3.4" # Public address the world connects to
PUBLIC_OVPN_IP_SLASH="1.2.3.4/27"
PRIVATE_OVPN_IP="10.10.10.97" # OpenVPN server's LAN address behind the firewall
TUNNEL_OVPN_RANGE="10.8.0.0/24" # Tunnel subnet the OpenVPN server hands out
# Set up a public IP Address and let the world know we're here.
ip addr add $PUBLIC_OVPN_IP_SLASH dev $INET_IFACE
arping -A $PUBLIC_OVPN_IP -c 1 -I $INET_IFACE # announce on the same interface the address was added to
# Do not source NAT (SNAT) tunneled packets in either direction. These ACCEPT rules
# must come before any MASQUERADE/SNAT rule for ordinary LAN traffic.
$IPTABLES -t nat -A POSTROUTING -d $TUNNEL_OVPN_RANGE -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s $TUNNEL_OVPN_RANGE -j ACCEPT
# Forward inbound OpenVPN packets after they've been DNATed (UDP 1194). Only the VPN
# port is opened here; traffic between $TUNNEL_OVPN_RANGE and the LAN still has to
# be permitted by your existing FORWARD rules.
$IPTABLES -A FORWARD -p udp --dport 1194 -d $PRIVATE_OVPN_IP -j ACCEPT
# DNAT (destination NAT) inbound OpenVPN packets to the OpenVPN server
$IPTABLES -t nat -A PREROUTING -i ${INET_IFACE} -d $PUBLIC_OVPN_IP \
-p udp --dport 1194 -j DNAT --to $PRIVATE_OVPN_IP
# Route the tunnel subnet through the OpenVPN server so replies from the LAN and
# from the firewall itself find their way back into the tunnel.
echo "Adding OpenVPN route"
ip route add $TUNNEL_OVPN_RANGE via $PRIVATE_OVPN_IP