OpenVPN 2 Cookbook

Simple configuration

This recipe demonstrates how to set up a connection in client/server mode using certificates.

Getting ready

Install OpenVPN 2.0 or higher on two computers. Make sure the computers are connected over a network. Set up the client and server certificates using the previous recipe. For this recipe, both computers were running Linux and OpenVPN 2.1.1.

How to do it...

  1. Create the server configuration file:
    proto udp
    port 1194
    dev tun
    server 192.168.200.0 255.255.255.0
    
    ca   /etc/openvpn/cookbook/ca.crt
    cert /etc/openvpn/cookbook/server.crt
    key  /etc/openvpn/cookbook/server.key
    dh   /etc/openvpn/cookbook/dh1024.pem

    Then save it as example2-2-server.conf.

  2. Copy the CA certificate, the server certificate and private key, and the Diffie-Hellman parameters from the /etc/openvpn/cookbook/keys directory, renaming them to match the configuration file:
    [server]$ cd /etc/openvpn/cookbook
    [server]$ cp keys/ca.crt ca.crt
    [server]$ cp keys/openvpnserver.crt server.crt
    [server]$ cp keys/openvpnserver.key server.key
    [server]$ cp keys/dh1024.pem dh1024.pem
    
    
  3. Note that there is no need to run the above commands as user 'root', provided that write access to the above directories has been given.
  4. Start the server:
    [root@server]# openvpn --config example2-2-server.conf
    
  5. Next, create the client configuration file:
    client
    proto udp
    remote openvpnserver.example.com
    port 1194
    dev tun
    nobind
    
    ca /etc/openvpn/cookbook/ca.crt
    cert /etc/openvpn/cookbook/client1.crt
    key /etc/openvpn/cookbook/client1.key

    Then save it as example2-2-client.conf.

  6. Transfer ca.crt and the client certificate and private key (openvpnclient1.crt and openvpnclient1.key) to the client machine over a secure channel, for example with the scp command, and store them under the names the client configuration expects (client1.crt and client1.key in /etc/openvpn/cookbook). The private key must never travel over an unprotected channel.
  7. And start the client:
    [root@client]# openvpn --config example2-2-client.conf
     […]
     [openvpnserver] Peer Connection Initiated with openvpnserver:1194
     TUN/TAP device tun0 opened
     /sbin/ip link set dev tun0 up mtu 1500
     /sbin/ip addr add dev tun0 local 192.168.200.6 peer 192.168.200.5
     Initialization Sequence Completed

After the connection is established, we can verify that it is working by pinging the server (notice the IP address!):

[client]$ ping -c 2 192.168.200.1
PING 192.168.200.1 (192.168.200.1) 56(84) bytes of data.
64 bytes from 192.168.200.1: icmp_seq=1 ttl=64 time=30.6 ms
64 bytes from 192.168.200.1: icmp_seq=2 ttl=64 time=30.7 ms
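
The two configuration files above do the minimum needed for a certificate-based tunnel. As an added example (not code from the OpenVPN 2 Cookbook), the shell script below takes the client configuration from this recipe as constructed input, reports which hardening directives it lacks, and writes a copy with them appended: `remote-cert-tls server` makes the client refuse a peer whose certificate was not issued as a server certificate, so a client certificate (for example a stolen one) cannot be used to impersonate the server; `user` and `group` drop root once the tunnel is up, and `persist-key`/`persist-tun` are needed so that a restart still works after privileges are dropped. The file names under $TMPDIR and the group name nogroup (Debian; RedHat-type systems use nobody) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the OpenVPN 2 Cookbook: audit a client
# configuration such as example2-2-client.conf for hardening directives the
# recipe leaves out, and write a copy that has them. The file names under
# $TMPDIR and the group name 'nogroup' (Debian; RedHat-type systems use
# 'nobody') are this example's assumptions.

# Directives worth insisting on in a certificate-based client config:
#   remote-cert-tls server  only accept a peer whose certificate was issued as
#                           a server certificate, so a (stolen) client
#                           certificate cannot impersonate the server
#   user / group            drop root once the tunnel is up
#   persist-key/persist-tun keep key material and the tun device across
#                           restarts, which is needed after dropping root
REQUIRED="remote-cert-tls user group persist-key persist-tun"

# audit_conf FILE: print every missing directive; return 1 if any is missing.
audit_conf() {
    missing=0
    for d in $REQUIRED; do
        if ! grep -Eq "^[[:space:]]*$d"'([[:space:]]|$)' "$1"; then
            echo "$1: missing '$d'"
            missing=1
        fi
    done
    return $missing
}

# harden_conf IN OUT: copy IN to OUT and append whatever is still missing.
harden_conf() {
    cp "$1" "$2"
    printf '%s\n' 'remote-cert-tls server' 'user nobody' 'group nogroup' \
                  'persist-key' 'persist-tun' |
    while IFS= read -r line; do
        d=${line%% *}
        grep -Eq "^[[:space:]]*$d"'([[:space:]]|$)' "$1" || echo "$line" >> "$2"
    done
}

# Constructed input: the client configuration from this recipe, verbatim.
TMP=${TMPDIR:-/tmp}
ORIG_CONF="$TMP/example2-2-client.conf"
HARD_CONF="$TMP/example2-2-client-hardened.conf"
cat > "$ORIG_CONF" <<'EOF'
client
proto udp
remote openvpnserver.example.com
port 1194
dev tun
nobind

ca /etc/openvpn/cookbook/ca.crt
cert /etc/openvpn/cookbook/client1.crt
key /etc/openvpn/cookbook/client1.key
EOF

audit_conf "$ORIG_CONF" || echo "-> $ORIG_CONF needs hardening"
harden_conf "$ORIG_CONF" "$HARD_CONF"
audit_conf "$HARD_CONF" && echo "-> $HARD_CONF passes the audit"
```

`remote-cert-tls server` only works when the server certificate carries the server extended key usage (easy-rsa issues such certificates with build-key-server or pkitool --server); with a plain client-type certificate on the server side the client will refuse to connect, which is exactly the check you want. The hardened file is started with openvpn --config just as in step 7.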

How it works...

When the server starts, it configures the first available TUN interface with IP address 192.168.200.1 and with a fake remote address of 192.168.200.2. After that, the server listens on the UDP port 1194 for incoming connections.

The client connects to the server on this port. After the initial TLS handshake, using both the client and server certificates, the client is assigned the IP address 192.168.200.6 (or rather the mini-network 192.168.200.4 - 192.168.200.7). The client configures its first available TUN interface using this information, after which the VPN is established.

There's more...

'net30' addresses

After the connection is established, you can query the tun0 interface like this:

[client]$ /sbin/ifconfig tun0 | grep inet

Look for the following:

inet addr:192.168.200.6  P-t-P:192.168.200.5

The first address is the VPN client address from a '/30' subnet and the second is the fake remote endpoint address; 192.168.200.5 is only a placeholder and can never be reached. Each '/30' subnet has to start at a multiple of four, and the VPN client IP address is the starting address plus two:

  • 192.168.200.[0-3], VPN IP is 192.168.200.1. This block is normally used by the OpenVPN server itself.
  • 192.168.200.[4-7], client IP is 192.168.200.6. This block is normally used by the first client to connect.
  • 192.168.200.[8-11], [12-15], [16-19], and so on, are used for the subsequent clients.

With OpenVPN 2.1, it is also possible to assign "linear" addresses to the clients, which allows more clients in the same range of IP addresses. This is explained in the next recipe.
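
As an added example (not code from the OpenVPN 2 Cookbook), the shell script below works out the net30 address pairs for the server network used in this recipe. It goes beyond the list above in that it handles any client index and any network size, and it reports how many clients a net30 pool can hold at all: a /24 contains 64 blocks of four addresses, one of which is the server's own, so 63 clients. The network 192.168.200.0 is the recipe's; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the OpenVPN 2 Cookbook: work out the 'net30'
# address pairs for a --server network. The network 192.168.200.0 is the
# recipe's; the function names are this example's own.

# ip2int A.B.C.D -> 32-bit integer; int2ip reverses it.
ip2int() {
    set -- $(echo "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# net30_server NETWORK: block 0 belongs to the server. Its tun address is the
# network address + 1 and the fake remote endpoint is + 2.
net30_server() {
    base=$(ip2int "$1")
    echo "$(int2ip $(( base + 1 ))) $(int2ip $(( base + 2 )))"
}

# net30_client NETWORK N: the Nth client (N >= 1) gets the /30 block starting
# at N*4. Its own address is the block start + 2; its point-to-point peer (a
# placeholder that is never reachable) is the block start + 1.
net30_client() {
    base=$(ip2int "$1")
    start=$(( base + $2 * 4 ))
    echo "$(int2ip $(( start + 2 ))) $(int2ip $(( start + 1 )))"
}

# net30_capacity PREFIXLEN: clients that fit in a /PREFIXLEN network once the
# server's own block is taken out (a /24 holds 64 blocks, so 63 clients).
net30_capacity() {
    echo $(( (1 << (32 - $1)) / 4 - 1 ))
}

echo "server:   $(net30_server 192.168.200.0)"
i=1
while [ $i -le 3 ]; do
    echo "client $i: $(net30_client 192.168.200.0 $i)"
    i=$(( i + 1 ))
done
echo "clients in a /24: $(net30_capacity 24)"
```

The first client therefore prints 192.168.200.6 192.168.200.5, matching the ifconfig output above, and the last usable block in a /24 starts at .252 (client .254, peer .253). Three quarters of the address space is spent on block boundaries and placeholder peers, which is the limitation the linear addressing mode of the next recipe removes.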