
Setting up OpenVPN on a Linux server with a Windows client

This tutorial will teach you how to install and configure OpenVPN on a Debian server, and how to connect to it from a Windows client.

1. Server
Preparation & installation:
Make sure your package repositories and installed programs are up to date, then install OpenVPN with the following command:

# apt-get install openvpn

The OpenVPN package provides a set of encryption-related tools called easy-rsa. These scripts are located by
default in the /usr/share/doc/openvpn/examples/easy-rsa/ directory. However, in order to function properly, these
scripts should be located in the /etc/openvpn directory. Copy these files with the following command:

# cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn

Most of the relevant configuration for the OpenVPN public key infrastructure is contained in /etc/openvpn/easy-rsa/2.0/, and much of our configuration will be located in this directory.

Generating keys & certificates:


Before you can generate the public key infrastructure for OpenVPN, you must configure a few variables that the easy-rsa scripts will use to generate the keys and certificates. These variables are set near the end of the /etc/openvpn/easy-rsa/2.0/vars
file. Edit the file /etc/openvpn/easy-rsa/2.0/vars:

# nano /etc/openvpn/easy-rsa/2.0/vars

Alter the examples to reflect your configuration. This information will be included in the certificates you create, and it is
important that the information be accurate, particularly the KEY_ORG and KEY_EMAIL values.

export KEY_COUNTRY="XX"            # put a value that suits your settings
export KEY_PROVINCE="XX"           # put a value that suits your settings
export KEY_CITY="XXXXXX"           # put a value that suits your settings
export KEY_ORG="XXXXXXXXX"         # put a value that suits your settings

export KEY_EMAIL="XXXX@XXXXX.XXX"  # put an email here. It can be a fake one if you like.

Save and exit.


Then, issue the following three commands in sequence to initialize the certificate authority and the public key
infrastructure:

# cd /etc/openvpn/easy-rsa/2.0/
# source vars
# ./clean-all
# ./build-ca

With the certificate authority configured, you can generate the private key for the server. To accomplish this, issue the
following command, changing server to the name of your OpenVPN server:

# ./build-key-server server

This script will also prompt you for additional information. By default, the Common Name for this key will be server.
You can change these values in cases where it makes sense to use alternate values. The challenge password and
company names are optional and can be left blank. When you've completed the question section, you can confirm the
signing of the certificate and the committing of the certified request to the CA database by answering yes to both questions.
With the server key generated, we can create certificates for all of the VPN clients. Issue the following command,
replacing client1 with the name of your first OpenVPN client:

# ./build-key client1

If you need to add users to your OpenVPN at any time, repeat this step to create additional keys.

# ./build-key client2

Replace the client1 parameter with a relevant identifier for each client. You will want to generate a unique key for
every user of the VPN. Each key should have its own unique identifier. All other information can remain the same.

Generate Diffie Hellman Parameters


The Diffie Hellman Parameters govern the method of key exchange and authentication used by the OpenVPN
server. Issue the following command to generate these parameters:

# ./build-dh

This may take some time, don't worry.


The /etc/openvpn/easy-rsa/2.0/keys/ directory contains all of the keys that you have generated using the easy-rsa
tools. In order to authenticate to the VPN, you'll need to copy a number of certificate and key files to the remote client
machines. For each client, you will need the following files:

ca.crt

client1.crt (or the name you chose for your client)

client1.key (or the name you chose for your client)

Copy those 3 files to the client computer, into C:\Program Files\OpenVPN\config, together with the .ovpn client
config file.
The keys and certificates for the server need to be relocated to the /etc/openvpn directory so the OpenVPN server
process can access them. From the keys/ directory, copy those files to the directory where the server config file is located (/etc/openvpn):

# cp ca.crt ca.key server.crt server.key dh1024.pem /etc/openvpn/

These files must not leave your server. Maintaining integrity and control over these files is of the utmost importance to
the integrity of your server. If you ever need to move or back up these keys, ensure that they're encrypted and
secured. If these files are compromised, they will need to be re-created along with all client keys.
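Before starting the service it is worth auditing the credential directory once. The following is an added example, not part of this tutorial: a POSIX sh function that checks that every file server.conf references is present and that private keys (*.key) carry no group or other permission bits. It also points out ca.key, which the tutorial copies next to the server key but which server.conf never references (the CA key is only needed by easy-rsa when signing new client certificates). The function name check_openvpn_secrets is my own, and the demo at the bottom runs against a constructed temporary directory rather than /etc/openvpn.

```shell
#!/bin/sh
# Added example (not part of the tutorial): audit an OpenVPN credential directory.
# - every file server.conf references must exist (ca.crt, server.crt, server.key, dh1024.pem)
# - every private key (*.key) must have no group/other permission bits (0600 or 0400)
# - ca.key is reported if present: server.conf never references it, the CA key is
#   only needed by easy-rsa when signing new client certificates
# Returns 0 when no problem was found, 1 otherwise.
check_openvpn_secrets() {            # usage: check_openvpn_secrets DIR
    dir="$1"
    problems=0
    for f in ca.crt server.crt server.key dh1024.pem; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING: $dir/$f (referenced by server.conf)"
            problems=$((problems + 1))
        fi
    done
    for k in "$dir"/*.key; do
        [ -e "$k" ] || continue      # no *.key at all: the loop variable is the literal glob
        # characters 5-10 of the ls -l mode string are the group and other rwx fields
        bits=$(ls -l "$k" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "WEAK PERMISSIONS: $k (group/other bits: $bits), fix with chmod 600"
            problems=$((problems + 1))
        fi
    done
    if [ -f "$dir/ca.key" ]; then
        echo "NOTE: $dir/ca.key is present; the server does not use it, keep it where you sign client certificates"
    fi
    [ "$problems" -eq 0 ]
}

# Demo on a constructed temporary directory, so it runs without touching /etc/openvpn
demo=$(mktemp -d)
touch "$demo/ca.crt" "$demo/server.crt" "$demo/dh1024.pem"
echo "constructed, not a real key" > "$demo/server.key"
chmod 644 "$demo/server.key"         # deliberately too open
check_openvpn_secrets "$demo" || echo "audit failed, as expected for a 0644 key"
chmod 600 "$demo/server.key"
check_openvpn_secrets "$demo" && echo "audit passed"
rm -rf "$demo"
```

On a real server run check_openvpn_secrets /etc/openvpn as root after the cp step; the mode check is deliberately strict, since the server process reads the key once at startup and nothing else on the machine needs it.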

Server configuration:
Create a file named server.conf in /etc/openvpn/:

# nano /etc/openvpn/server.conf

and paste the following lines:

# Don't forget to modify the settings to match your needs
# Connection port: this is the port that OpenVPN will listen on (for client connections)
port 1194
# Connection protocol: choose TCP or UDP (TCP is recommended if you intend to use obfsproxy or stunnel)
proto tcp
# Device name: OpenVPN network interface
dev tun
# Credential file locations: we already put them in /etc/openvpn
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem

# OpenVPN internal IPs and range: you can change them as desired
server 10.9.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Now we use the push directive, which makes the client execute the quoted option.
# First, we make the client add a route to the server's IP
push "route <server's IP> 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
# Cipher: OpenVPN's encryption method. There are 3 kinds of ciphers, but here we will choose AES
cipher AES-128-CBC
# Compression: adds some compression to your data packets, but this is optional
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
verb 3
Save and exit


Now everything should be set correctly, and we're good to launch the service by issuing the command:

# service openvpn restart

Setting up firewall and port forwarding:


Linux's firewall is very powerful, and can lock you out of the machine if you mess with it. So I recommend
creating a file with all the rules you want to apply, so you have the chance to make sure you haven't done anything
wrong.

WARNING:
iptables (the Linux firewall command) is a dangerous tool. Please think twice, and read twice, before you execute.
Let's create a file, and put all the rules in it:

# nano /etc/openvpn/iptables.sh

and paste the following lines:

#!/bin/sh
#
# First, we flush all current rules from iptables, for a clean start
iptables -F
iptables -t nat -F
iptables -t mangle -F
# Now, we set the default policy of the 3 main chains: input/output/forward
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Allow the ssh port (by default it's 22, but you have to change it to your actual ssh port)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow the OpenVPN connection port
# NOTE: Remember to change the protocol from TCP to UDP according to server.conf
iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
# Allow localhost connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow OpenVPN internal network forwarding, and reject everything else
iptables -A FORWARD -s 10.9.8.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.9.8.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -j REJECT
# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# List rules
iptables -L -v

Save and exit.


Make this file executable by root only:

# chmod 700 /etc/openvpn/iptables.sh

Again: please think twice, and read twice, before you execute this file.
Execute the iptables.sh file to apply the rules and enable forwarding:

# /etc/openvpn/iptables.sh

You should see a list of the chains and the policies you chose to apply. With that, our work on the server is done.
For more information (if needed) please check the OpenVPN example page.

2. Client
Download and install the OpenVPN client for Windows.
As we mentioned earlier, four files should be located in C:\Program Files\OpenVPN\config, which are:

client.ovpn (the client configuration file)

ca.crt

client.crt

client.key

Now we have to edit client.ovpn to match the settings in server.conf.


Create a file client.ovpn and paste the following lines:

client
dev tun
proto tcp
remote <your server's IP> 1194
pull
route <your server's IP> 255.255.255.255 net_gateway
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 3
ca ca.crt
cert client1.crt
key client1.key
cipher AES-128-CBC
comp-lzo
verb 3

REMEMBER:

Most directives in server.conf and client.ovpn must be identical (like compression, cipher, protocol).

The connection port should be the same on client and server (here we used TCP port 1194).

Don't forget to rename the file from client.txt to client.ovpn.

Make sure that the 4 files (client.ovpn, ca.crt, client1.crt, client1.key) are together in the C:\Program
Files\OpenVPN\config directory.

The client file may already exist; in that case you have to edit its contents instead of creating a new one.

If you don't want to redirect all your traffic through OpenVPN, remove the 6th line (route <ip> <subnet>
net_gateway) from the client config file, and restart OpenVPN.

Right-click the OpenVPN icon, and run it as administrator.

The OpenVPN icon will appear in the taskbar.


Right-click the OpenVPN icon in the taskbar; you will find a sub-menu with the same name you chose for the
client .ovpn file (assuming it's client.ovpn). Choose Connect.
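The "must be identical" rule above is easy to get wrong when a setting is later changed on only one side, so here is an added example (my own, not from the tutorial) that checks the two files against each other: a POSIX sh function, check_config_match, that compares proto, cipher and the presence of comp-lzo, and checks that the port in the client's remote line equals the server's port directive. It goes slightly beyond the tutorial in treating proto tcp-server/tcp-client as the same transport as tcp, which OpenVPN allows. The sample configs are constructed in a temporary directory and mirror the values shown in this tutorial; 203.0.113.10 is a placeholder server address.

```shell
#!/bin/sh
# Added example, not part of the tutorial: check that server.conf and client.ovpn
# agree on the directives that must be identical (proto, cipher, comp-lzo) and
# that the client's "remote" port equals the server's "port".
# Returns 0 when everything matches, 1 when at least one mismatch was printed.

# Value (field FIELD, default 2) of the first line whose directive name is NAME;
# prints nothing if the directive is absent. Comment lines never match NAME.
directive() {                       # usage: directive FILE NAME [FIELD]
    awk -v name="$2" -v field="${3:-2}" \
        '$1 == name { print $field; exit }' "$1"
}

check_config_match() {              # usage: check_config_match server.conf client.ovpn
    srv="$1"; cli="$2"; mismatches=0

    # proto: "tcp-server" on the server and "tcp-client" on the client are the same transport as "tcp"
    s=$(directive "$srv" proto | sed 's/-server$//; s/-client$//')
    c=$(directive "$cli" proto | sed 's/-server$//; s/-client$//')
    [ "$s" = "$c" ] || { echo "MISMATCH proto: server='$s' client='$c'"; mismatches=$((mismatches + 1)); }

    s=$(directive "$srv" cipher); c=$(directive "$cli" cipher)
    [ "$s" = "$c" ] || { echo "MISMATCH cipher: server='$s' client='$c'"; mismatches=$((mismatches + 1)); }

    # comp-lzo takes no argument, so compare its presence (line count) on both sides
    s=$(grep -c '^comp-lzo' "$srv" || true); c=$(grep -c '^comp-lzo' "$cli" || true)
    [ "$s" = "$c" ] || { echo "MISMATCH comp-lzo: server has $s line(s), client has $c"; mismatches=$((mismatches + 1)); }

    # port: server "port N" vs client "remote HOST N"; OpenVPN defaults both to 1194 when omitted
    s=$(directive "$srv" port); c=$(directive "$cli" remote 3)
    [ "${s:-1194}" = "${c:-1194}" ] || { echo "MISMATCH port: server='$s' client remote='$c'"; mismatches=$((mismatches + 1)); }

    [ "$mismatches" -eq 0 ]
}

# Constructed sample configs mirroring the tutorial's values (203.0.113.10 is a
# placeholder server address); the second client deliberately uses UDP.
tmp=$(mktemp -d)
cat > "$tmp/server.conf" <<'EOF'
port 1194
proto tcp
dev tun
cipher AES-128-CBC
comp-lzo
EOF
cat > "$tmp/client.ovpn" <<'EOF'
client
dev tun
proto tcp
remote 203.0.113.10 1194
cipher AES-128-CBC
comp-lzo
EOF
sed 's/^proto tcp$/proto udp/' "$tmp/client.ovpn" > "$tmp/client-udp.ovpn"
check_config_match "$tmp/server.conf" "$tmp/client.ovpn" && echo "client.ovpn matches server.conf"
check_config_match "$tmp/server.conf" "$tmp/client-udp.ovpn" || echo "client-udp.ovpn does not match server.conf"
rm -rf "$tmp"
```

Run it on the server against /etc/openvpn/server.conf and a copy of the client.ovpn you are about to hand out; a mismatch in proto or port shows up as a connection that never completes, and a cipher or comp-lzo mismatch as a tunnel that comes up but passes no traffic, so catching them in the files is much quicker than reading client logs.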

Special cases:
Service Block:
In case your ISP blocks OpenVPN connections, you can use obfsproxy to proxy your connection, or you can wrap it in stunnel.

Proxify Service:
In case you chose to proxify your OpenVPN connection, or to wrap it with stunnel, remember that the remote directive
in the client should connect to 127.0.0.1 and the designated port.

Port Block:
In case the connection port is blocked by your ISP, you can simply choose another port (we suggest high port numbers
like 63520). But make sure you change it in both client and server.

Using username/password authentication:


By default, using auth-user-pass-verify or a username/password-checking plugin on the server will enable dual
authentication, requiring that both client-certificate and username/password authentication succeed in order for the
client to be authenticated.
While it is discouraged from a security perspective, it is also possible to disable the use of client certificates, and force
username/password authentication only.
On the server, add the following directive:

client-cert-not-required

Note that client-cert-not-required will not obviate the need for a server certificate, so a client connecting to a server
which uses client-cert-not-required may remove the cert and key directives from the client configuration file, but not
the ca directive, because it is necessary for the client to verify the server certificate.
So on the client, comment out (by adding ;) the certificate/key directives:

;cert client1.crt
;key client1.key

And add (or replace them) with the following:

auth-user-pass

While connecting, you will be prompted to enter a username/password (but anything will work, since we didn't assign
any users/passwords on the server). You can also put any username/password in a file (let's name it key.txt for example),
each on its own line; then the directive on the client will be:

auth-user-pass key.txt

Then OpenVPN will read the username/password from key.txt, but remember to put the key.txt file in the same
directory, C:\Program Files\OpenVPN\config\, or you have to give the full path to the key.txt file.
