OpenVPN is open-source SSL/TLS VPN software. It lets you connect different (private) networks securely over the internet. It's the perfect alternative to all the crappy SSL VPN appliances that the salesmen desperately try to sell. See my OpenVPN FAQ for additional questions and answers.
(This is not the official OpenVPN FAQ. It’s just my personal answers to my personal questions.)
IPs and routing
How do I assign my users fixed IP addresses?
Use "client-config-dir" and push the IP address to a certain client with this line in the client-specific configuration file:
ifconfig-push 10.100.8.1 10.100.8.2
This assigns John_Doe the IP address 10.100.8.1. With the default "topology net30" the second address is the server-side endpoint of John_Doe's point-to-point link, so pick the two usable addresses of one /30 (.1/.2, .5/.6, .9/.10 and so on); with "topology subnet" the second argument is the netmask instead of an address. You won't see the server-side endpoint with ifconfig on the server.
If the static addresses lie outside the network given to the "server" directive (which is already routed into the tunnel), the server also needs to route them through the tunnel. So your server.conf needs a route entry covering all the static IPs that you will assign:
route 10.100.8.0 255.255.255.0
Which iptables rules are needed to allow OpenVPN connections?
First you need to allow UDP 1194 incoming on your main interface, and the replies going back out. The server's replies leave with source port 1194 towards the client's random port, so the OUTPUT rule matches on --sport, not --dport (an OUTPUT rule with --dport 1194 would only match connections your server itself opens to other OpenVPN servers):
iptables -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --sport 1194 -j ACCEPT
Next you need to allow certain traffic going through the tunnel. If you don't want any restrictions then use the following. The FORWARD rules only matter if the server also forwards packets between the tunnel and other networks (net.ipv4.ip_forward=1); you need one for each direction, into the tunnel (-o tun0) and out of it (-i tun0):
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -o tun0 -j ACCEPT
How do I make a network on the remote side of the tunnel accessible?
You need both a route and an iroute directive on your server:
iroute 192.168.152.128 255.255.255.128
route 192.168.152.128 255.255.255.128
Note: the iroute statement belongs in the client's file in the "client-config-dir" directory, because it tells OpenVPN which client the network sits behind. The route statement must be in your global server configuration file; it adds the kernel route into the tunnel interface.
Also don't forget that the other machines on the server's LAN need a route for that network pointing at the OpenVPN server host, and the host has to forward packets. The route and iroute statements only tell OpenVPN and its host that this network is reached through a VPN tunnel.
How do I let remote Windows clients browse my network?
Network browsing requires WINS to function across a router even in a full AD network. You will need to configure a WINS server and point your remote users to it.
You will also need to prevent them from assuming responsibility for maintaining the browse list. This is done with a couple of registry changes:
Make sure that IsDomainMaster and MaintainServerList are both set to FALSE.
Of course, any firewalling you are doing in the tunnel will need to allow the underlying NetBIOS traffic.
John A. Sullivan III
How do I revoke a certificate?
If you want to permanently revoke access for a certain user you need to revoke the certificate that you issued. Revoking means that you list that certificate in a certificate revocation list (CRL). Once your OpenVPN server has a crl-verify option set that points to your CRL, the certificates of new incoming connections are checked against that CRL. If a certificate is listed there, access is denied. See the revoke-full and make-crl scripts of Easy-RSA 2 (in Easy-RSA 3 the commands are "easyrsa revoke" and "easyrsa gen-crl"). Don't forget to copy the new CRL to the OpenVPN server, and make sure the file is readable by the user OpenVPN runs as after dropping privileges (e.g. nobody), otherwise every connection fails. You do not need to restart the server since the CRL is consulted every time a user connects. Two caveats: a CRL has an expiry date, and OpenVPN rejects all connections once it has expired, so regenerate it before that even if you revoked nothing; and revocation only affects new connections, so kill the user's current session as well (see below).
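To see what revoke-full and make-crl actually do and how the crl-verify check behaves, here is an added example of my own (not Easy-RSA's scripts and not part of the original FAQ). It builds a throwaway CA with plain openssl, issues a client certificate, performs the same check OpenVPN does with crl-verify using openssl verify, revokes the certificate and checks again. The CA layout, the config file and the common name John_Doe are assumptions for this demo only.

```shell
#!/bin/sh
# Added example: minimal openssl CA to demonstrate certificate revocation and
# CRL checking. Directory layout and config are assumptions for this demo.
set -e

# Create a minimal "openssl ca" setup in directory $1 (the demo's stand-in
# for Easy-RSA's keys/ directory) and a self-signed CA certificate.
init_demo_ca() {
    dir="$1"
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    echo 01 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $dir
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions  = v3_ca
[ req_dn ]
commonName       = Common Name
[ v3_ca ]
basicConstraints = CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-ca" \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# Issue a client certificate for common name $2 (what build-key does).
issue_cert() {
    dir="$1"; cn="$2"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" -config "$dir/ca.cnf" \
        -keyout "$dir/$cn.key" -out "$dir/$cn.csr" 2>/dev/null
    openssl ca -batch -config "$dir/ca.cnf" -in "$dir/$cn.csr" -out "$dir/$cn.crt" 2>/dev/null
}

# Regenerate crl.pem (what make-crl does). This is the file crl-verify points to.
gen_crl() {
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}

# Revoke the certificate of common name $2 and rebuild the CRL (revoke-full).
revoke_cert() {
    openssl ca -config "$1/ca.cnf" -revoke "$1/$2.crt" 2>/dev/null
    gen_crl "$1"
}

# The check OpenVPN performs with crl-verify, done with openssl verify:
# exit 0 only if the cert chains to the CA and is not listed in the CRL.
cert_accepted() {
    openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/crl.pem" "$1/$2.crt" >/dev/null 2>&1
}

# Full walk-through in a fresh directory $1; returns 0 only if the certificate
# is accepted before revocation and rejected afterwards.
demo_revocation() {
    dir="$1"
    init_demo_ca "$dir"
    issue_cert "$dir" John_Doe
    gen_crl "$dir"
    if ! cert_accepted "$dir" John_Doe; then echo "unexpected: fresh cert rejected"; return 1; fi
    echo "before revocation: John_Doe accepted"
    revoke_cert "$dir" John_Doe
    if cert_accepted "$dir" John_Doe; then echo "unexpected: revoked cert still accepted"; return 1; fi
    echo "after revocation: John_Doe rejected; copy $dir/crl.pem to the server's crl-verify path"
}

demo_revocation "$(mktemp -d)"
```

The last line of output is the step people forget: the CRL only does anything once the copy the server reads from is updated, and since the CRL carries a nextUpdate date (30 days here), the job that regenerates it has to run even in months where nobody is revoked.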
Why is it bad to use static keys?
- everybody who has the key can pose as the OpenVPN server and fool users (man-in-the-middle attack), and every client has to have the key in plain text
- you cannot revoke access for one user: the only remedy is to generate a new static key and distribute it to everyone else
- there is no forward secrecy: whoever obtains the key can decrypt all captured sessions, past and future, since the same key is used forever
Which files do I need to keep secret?
The private keys (suffix '.key') need to be kept secret, and the CA's private key (ca.key) most of all, since whoever holds it can issue certificates your server will accept; keep it off the VPN server if you can. A tls-auth or tls-crypt key (usually ta.key) is a shared secret as well and must be treated like a private key. The certificates (suffix '.crt') and the CA certificate can be exchanged freely and even sent through unsecured channels like email.
Who is currently connected to my OpenVPN server?
Either use the TELNET management interface and issue a status command, or let the server write a status file.
For the latter add these lines to your server configuration file:
status status.log 5
status-version 2
This writes the current status of the OpenVPN server to status.log every 5 seconds (the path is relative to the directory OpenVPN runs in, so use an absolute path such as /etc/openvpn/status.log to be safe). With status-version 2 every connected user appears as a line starting with CLIENT_LIST, which makes the file easy to parse.
If you'd like to collect statistics on how many users are online at a given time (MRTG creates nice graphs) you can use this one-liner. It relies on the status-version 2 format, where the header line starts with HEADER and is therefore not counted:
grep ^CLIENT_LIST /etc/openvpn/status.log | wc -l
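To get more than a head count out of that file, here is an added example of my own (not part of the original FAQ) that parses a status-version 2 log: it lists every connected client with its real address and byte counters and looks up a client by common name. The status file it reads is constructed sample input in the status-version 2 layout; the common names, addresses and counters in it are made up.

```shell
#!/bin/sh
# Added example: parse an OpenVPN status-version 2 file. The sample file below
# is constructed input; its field order follows the HEADER,CLIENT_LIST line.
set -e

# Write a constructed status-version 2 file with two connected clients to $1.
make_sample_status() {
    cat > "$1" <<'EOF'
TITLE,OpenVPN 2.4.7 x86_64-pc-linux-gnu
TIME,Mon Jan  1 00:00:00 2024,1704067200
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,John_Doe,203.0.113.10:51234,10.100.8.1,,12345,67890,Mon Jan  1 00:00:00 2024,1704067200,UNDEF,0,0
CLIENT_LIST,Jane_Roe,198.51.100.7:40000,10.100.8.5,,100,200,Mon Jan  1 00:00:00 2024,1704067200,UNDEF,1,1
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.100.8.1,John_Doe,203.0.113.10:51234,Mon Jan  1 00:00:00 2024,1704067200
ROUTING_TABLE,10.100.8.5,Jane_Roe,198.51.100.7:40000,Mon Jan  1 00:00:00 2024,1704067200
GLOBAL_STATS,Max bcast/mcast queue length,0
END
EOF
}

# Number of connected clients (the FAQ's one-liner; grep -c prints 0 on no match).
count_clients() {
    grep -c '^CLIENT_LIST,' "$1" || true
}

# One line per client: common name, real address, bytes received and sent
# (fields 2, 3, 6 and 7 of a CLIENT_LIST record in status-version 2).
list_clients() {
    awk -F, '$1 == "CLIENT_LIST" { printf "%s %s rx=%s tx=%s\n", $2, $3, $6, $7 }' "$1"
}

# Real (internet) address of the client with common name $2, empty if absent.
client_real_address() {
    awk -F, -v cn="$2" '$1 == "CLIENT_LIST" && $2 == cn { print $3; exit }' "$1"
}

STATUS=$(mktemp)
make_sample_status "$STATUS"
echo "$(count_clients "$STATUS") client(s) connected:"
list_clients "$STATUS"
rm -f "$STATUS"
```

Splitting on commas is fine as long as no common name contains one; if yours might, switch to status-version 3, which separates fields with tabs.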
How can I disconnect a client from the OpenVPN server?
Use the TELNET management interface and issue a kill command with the common name of the client, e.g. "kill John_Doe". The client will be able to reconnect though, unless you revoke its certificate (or, for a temporary lock-out that is not about a compromised key, put the line "disable" into that client's file in the client-config-dir). Killing a client is also useful if you have changed its configuration file in the client-config-dir and want it to pick up the new settings on reconnect.
Do I have to restart OpenVPN after every configuration change?
Changes to the global configuration file (e.g. /etc/openvpn/server.conf) require a restart of the OpenVPN service (or a SIGHUP, which makes OpenVPN re-read its configuration, but that also restarts all tunnels). Consider using the "client-config-dir" option to set client-specific parameters. Such configuration files are read when a client connects and do not require a restart.
From time to time you will need to restart the server, e.g. if you need to add a route entry. Consider adding these lines to your server configuration though:
keepalive 1 5
persist-tun
persist-key
persist-local-ip
persist-remote-ip
push "persist-key"
push "persist-tun"
keepalive on the server is pushed to the clients automatically. It makes each side send a "ping" every second; if a client hears nothing from the server for 5 seconds it restarts its connection (the server waits twice as long, 10 seconds, for a silent client). Without keepalive a dead connection is only noticed much later, which will surely annoy your users; if they are disconnected for less than 10 seconds they are less likely to complain. The persist-* settings make OpenVPN keep the tunnel device open and the keys in memory across such a restart (persist-key is also what lets it restart after dropping root privileges with user/group), so existing connections through the tunnel survive. Otherwise permanent connections like shell sessions would be disconnected.
How do I use the ‘client-config-dir’ parameter?
The client config directory is a location where you put custom client-specific configuration files. Example in your global configuration (e.g. /etc/openvpn/server.conf):
client-config-dir /etc/openvpn/clients
Then put files named after the common names of your users there. The common name must match the filename exactly. Note that OpenVPN replaces characters outside letters, digits, "-", "_", "." and "@" in the common name by "_" before looking up the file, so a certificate with the common name "John Doe" is looked up as John_Doe. Let's pretend you have a user with the common name "John_Doe" on his certificate. Create a file /etc/openvpn/clients/John_Doe and make it contain configuration directives that should only apply to John Doe. The directives allowed there are ifconfig-push, iroute, push, push-reset, disable and config. For example:
iroute 192.168.152.0 255.255.255.240
ifconfig-push 10.100.8.1 10.100.8.2
This assigns John Doe the IP 10.100.8.1 on his side of the VPN tunnel. The server also learns that the network 192.168.152.0/28 is on John's side of the tunnel and routes packets there. (Note that you also need a "route 192.168.152.0 255.255.255.240" line in your global configuration so that the OpenVPN server's kernel routes the network into the tunnel interface; iroute only tells OpenVPN which client the network belongs to. The "route" directive does not work within a client-config-dir file.)
The charming advantage of client-config-dir configurations is that you don’t need to restart your OpenVPN server to make changes to these files work. Every time a client connects the client-config-dir will be searched for an appropriate file and if one is found the configuration will be applied.
There is also a special DEFAULT file that contains settings in case there is no configuration file for a certain client.
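This procedure, together with the fixed-IP question above, as an added example of my own (not from the original FAQ): a small shell helper that derives the client-config-dir file name from a certificate common name, checks that an ifconfig-push pair is usable with the default topology net30 (both addresses inside one /30 and neither the network nor the broadcast address of it), and writes the client file. The CCD directory, the sample common name and the addresses are assumptions for the demo; the name mapping implements OpenVPN's rule, as I understand it, that characters outside letters, digits, "-", "_", "." and "@" become "_" before the file lookup, and the /30 check is only right for topology net30 (with topology subnet the second ifconfig-push argument is a netmask).

```shell
#!/bin/sh
# Added example: write client-config-dir entries with a net30 sanity check.
# Directory, names and addresses below are demo assumptions.
set -e

# File name OpenVPN looks up in the CCD for a given certificate common name
# (characters outside letters, digits, - _ . @ are replaced by _).
ccd_name() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9_.@-' '_'
}

# Dotted quad -> integer, so that the /30 block is simply the integer divided by 4.
ip_to_int() {
    echo "$1" | awk -F. '{ print (($1*256+$2)*256+$3)*256+$4 }'
}

# True if CLIENT ($1) and SERVER ($2) are the two usable host addresses of one
# /30, as topology net30 requires: same block, offsets 1 and 2 only, not equal.
net30_pair_ok() {
    a=$(ip_to_int "$1"); b=$(ip_to_int "$2")
    [ $((a / 4)) -eq $((b / 4)) ] && [ "$a" -ne "$b" ] \
        && [ $((a % 4)) -ne 0 ] && [ $((a % 4)) -ne 3 ] \
        && [ $((b % 4)) -ne 0 ] && [ $((b % 4)) -ne 3 ]
}

# Write the CCD file for common name $2 under directory $1 with the
# ifconfig-push pair $3 $4 and an optional iroute network $5 / mask $6.
# Prints the path of the file written; fails on an invalid net30 pair.
write_ccd() {
    dir="$1"; cn="$2"; client_ip="$3"; server_ip="$4"; net="$5"; mask="$6"
    net30_pair_ok "$client_ip" "$server_ip" || {
        echo "ifconfig-push $client_ip $server_ip is not a valid net30 pair" >&2
        return 1
    }
    f="$dir/$(ccd_name "$cn")"
    {
        echo "ifconfig-push $client_ip $server_ip"
        if [ -n "$net" ]; then
            echo "iroute $net $mask"   # remember the matching global "route" line
        fi
    } > "$f"
    echo "$f"
}

# Demo: a throwaway CCD directory instead of /etc/openvpn/clients.
CCD=$(mktemp -d)
f=$(write_ccd "$CCD" "John Doe" 10.100.8.1 10.100.8.2 192.168.152.0 255.255.255.240)
echo "wrote $f:"
cat "$f"
```

Because the file is only read when the client connects, writing it has no effect on a session that is already up; kill the client through the management interface if you want the new settings to apply right away.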
How can I access the TELNET management console?
You need to start OpenVPN with the --management option. For example --management 127.0.0.1 12345 as a startup parameter (or the same line without the dashes in server.conf) gives you the TELNET console on port 12345 on localhost. Accessing the console is then as easy as telnet localhost 12345. This is what you get:
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
This is a security risk though: everybody who can reach that port gets full control of the server (killing sessions, reading the status) without any further authentication. Bound to 127.0.0.1 that is every local user; bound to a public address it is the whole internet, so never do that. Protect the console with a password file given as the third argument, e.g. --management 127.0.0.1 12345 /etc/openvpn/mgmt.pw (the file holds the password on its first line and should be readable by root only), or use a unix domain socket instead of a TCP port, --management /var/run/openvpn-mgmt.sock unix, whose access is controlled by the socket's file permissions.
Does OpenVPN work with Juniper/Nortel/Checkpoint VPNs?
No. OpenVPN only works with other OpenVPN clients/servers. It is not IPsec software and cannot talk to IPsec gateways; it uses SSL/TLS to set up its own VPN tunnels instead.