How to create an OpenVPN tunnel

Dylan Perdigão
3 min read · Apr 15, 2022


It is possible to interconnect two networks using a VPN tunnel. In this tutorial, we will use the OpenVPN tool. For this scenario, we assume a client-server configuration. The client has the IPv4 address 192.168.172.50 and the server 192.168.172.70 on the network that connects them. The OpenVPN tunnel itself uses the local IPv4 network 10.7.0.0, and the server has an internal network with the IPv4 address range 10.8.0.0.

Create a Certification Authority

First of all, you need a Certification Authority (CA). You can see here how to create your own CA.

Set up an OCSP responder

Secondly, you need an Online Certificate Status Protocol (OCSP) service. You can see here how to create your OCSP server.

Install OpenVPN

You can install OpenVPN on your client and server with the following command.

sudo apt-get install openvpn

Create a certificate for each gateway

Like the CA and OCSP servers, we need to create certificates for each gateway of the OpenVPN tunnel.

We begin creating a directory for OpenVPN in the CA directory.

cd /etc/pki/CA/
mkdir openvpn

Then we need Diffie-Hellman parameters for the server and a shared key for TLS authentication (the tls-auth key that signs every control-channel packet).

openssl dhparam -out openvpn/dh2048.pem 2048
sudo openvpn --genkey secret private/ta.key

After that we create the RSA keys for each gateway (the -des3 option encrypts the key with a passphrase, which you will be asked for when the OpenVPN service starts).

openssl genrsa -des3 -out private/tun0-client.key
openssl genrsa -des3 -out private/tun0-server.key

Then the Certificate Signing Requests (CSR).

openssl req -new -key private/tun0-client.key -out openvpn/tun0-client.csr -subj /C=PT/ST=Coimbra/L=Coimbra/O=MyOrg/OU=MyOrgDep/CN=TUN0-Client -passin pass:example-password
openssl req -new -key private/tun0-server.key -out openvpn/tun0-server.csr -subj /C=PT/ST=Coimbra/L=Coimbra/O=MyOrg/OU=MyOrgDep/CN=TUN0-Server -passin pass:example-password

Finally, we sign the certificates with the CA.

openssl ca -in openvpn/tun0-client.csr -cert certs/ca.crt -keyfile private/ca.key -out certs/tun0-client.crt -passin pass:example-password
openssl ca -in openvpn/tun0-server.csr -cert certs/ca.crt -keyfile private/ca.key -out certs/tun0-server.crt -passin pass:example-password

Set up the OCSP_check script

Go to the PKI directory and download the script from OpenVPN’s GitHub.

cd /etc/pki/
wget https://raw.githubusercontent.com/OpenVPN/openvpn/master/contrib/OCSP_check/OCSP_check.sh

Give OpenVPN permission to execute the script. Execute permission is all it needs; do not make the script world-writable, because OpenVPN runs it during every TLS handshake and anyone who can edit it could make the OCSP check always succeed.

sudo chmod 755 OCSP_check.sh

Edit the script with your configuration.

nano OCSP_check.sh

Change the following lines so that they use the IPv4 address and port of the OCSP responder you configured earlier, and the correct paths to the CA certificate.

...
ocsp_url="http://127.0.0.1:81/"
issuer="/etc/pki/CA/certs/ca.crt"
nonce="-nonce"
verify="/etc/pki/CA/certs/ca.crt"
...

Configure the Server

Create the OpenVPN server configuration.

cd /etc/openvpn/
nano server.conf

Put the following configuration. Remember that you need to use the right paths for the certificates and keys. The server listens for connections on port 1195. Note that we can push routes to internal networks to the client, for example the server’s internal network (10.8.0.0) or a second OpenVPN tunnel connecting to a second server.

local 192.168.172.70
port 1195
proto udp
dev tun
ca /etc/pki/CA/certs/ca.crt
cert /etc/pki/CA/certs/tun0-server.crt
key /etc/pki/CA/private/tun0-server.key
dh /etc/pki/CA/openvpn/dh2048.pem
server 10.7.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "route 10.8.0.0 255.255.255.0"
keepalive 10 120
tls-auth /etc/pki/CA/private/ta.key 0
cipher AES-256-CBC
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
script-security 2
tls-verify /etc/pki/OCSP_check.sh
verb 3
explicit-exit-notify 1

Configure the Client

Create the OpenVPN client configuration. (On the client device!)

cd /etc/openvpn/
nano client.conf

Put the following configuration. Remember that you need to copy the client certificate and key issued by the CA on the server to the client device. Also, use the right paths for the certificates and keys (we will use the same directories as on the server). The client does not bind to a fixed local port (nobind) and connects to the server’s port 1195.

client
dev tun
proto udp
remote 192.168.172.70 1195
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/pki/CA/certs/ca.crt
cert /etc/pki/CA/certs/tun0-client.crt
key /etc/pki/CA/private/tun0-client.key
tls-auth /etc/pki/CA/private/ta.key 1
cipher AES-256-CBC
verb 3
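The two configurations have to agree on the port, the cipher and the tls-auth key direction, and the tls-verify hook only runs when script-security allows it. The following checker is an added example, not part of the original post: it parses a server/client pair constructed from the values used in this tutorial and reports any such mismatch.

```python
# Added example, not from the original post: checks an OpenVPN server.conf /
# client.conf pair for mismatches. Sample configs are constructed from this tutorial.
SERVER_CONF = """
local 192.168.172.70
port 1195
proto udp
push "route 10.8.0.0 255.255.255.0"
tls-auth /etc/pki/CA/private/ta.key 0
cipher AES-256-CBC
script-security 2
tls-verify /etc/pki/OCSP_check.sh
"""
CLIENT_CONF = """
proto udp
remote 192.168.172.70 1195
tls-auth /etc/pki/CA/private/ta.key 1
cipher AES-256-CBC
"""

def parse(text):
    """Map option -> argument list; skips blanks and '#'/';' comments (last push wins)."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            parts = line.replace('"', "").split()
            opts[parts[0]] = parts[1:]
    return opts

def check_pair(server_text, client_text):
    """Return the mismatches between the two sides (empty list = consistent)."""
    s, c = parse(server_text), parse(client_text)
    problems = []
    remote = c.get("remote", [])
    host = remote[0] if remote else None
    port = remote[1] if len(remote) > 1 else "1194"  # OpenVPN's default port
    sport = s.get("port", ["1194"])[0]
    if "local" in s and s["local"][0] != host:
        problems.append(f"client remote host {host} != server local {s['local'][0]}")
    if sport != port:
        problems.append(f"client targets port {port}, server listens on port {sport}")
    if s.get("cipher") != c.get("cipher"):
        problems.append("cipher differs between server and client")
    # tls-auth needs the same shared key, direction 0 on the server and 1 on the client
    ta_s, ta_c = s.get("tls-auth", []), c.get("tls-auth", [])
    if ta_s[:1] != ta_c[:1] or ta_s[1:] != ["0"] or ta_c[1:] != ["1"]:
        problems.append("tls-auth must use the same key with direction 0 (server) / 1 (client)")
    if "tls-verify" in s and int(s.get("script-security", ["1"])[0]) < 2:
        problems.append("tls-verify script requires script-security 2 or higher")
    return problems
```

Feed it the real files (for example `check_pair(open("server.conf").read(), open("client.conf").read())`) before starting the services; a typo such as 1995 instead of 1195 in the client's remote line is reported immediately instead of showing up as a silent handshake timeout.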

Start the services on both sides

Because the gateway private keys are encrypted with a passphrase, starting the services below makes systemd ask for it on both machines. Run the following command and enter the key password when prompted.

sudo systemd-tty-ask-password-agent --query

On the server-side:

sudo systemctl start openvpn
sudo systemctl enable openvpn
sudo systemctl daemon-reload
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server

On the client-side:

sudo systemctl start openvpn
sudo systemctl enable openvpn
sudo systemctl daemon-reload
sudo systemctl start openvpn@client
sudo systemctl enable openvpn@client

You can now ping the server from the client using the IPv4 address 10.8.0.1 on its internal network, which is reachable through the pushed route.
