OpenVPN

OpenVPN

This topic is destined to users with some basic knowledge about VPN, who know how to create and setup a VPN client/server.

Creating the PKI

PKI management

VPN Server Setup/Configuration

Here an example of creating and configuring an OpenVPN server

OpenVPN server configuration

VPN Client Setup/Configuration

Modify the configuration file

The configuration of the VPN requires:

A client configuration file, named client-openvpn.conf. This is the main configuration file.
Make sure that non-interactive authentication is enabled (the connection is established by a daemon, the password cannot be entered manually)
A “Certification Authority Certificate” file, authenticating the remote server, ca.crt
A “User key and certificate archive” file, authenticating the Wanesy SPN gateway (the client), client.p12

All those files have to be uploaded via the web UI.

Here is an example of a client configuration file:

client-openvpn.conf.conf

#################################################
#                                               #
# Client-side OpenVPN 2.X config file for       #
# connecting to multi-client server.            #
#                                               #
# Comments are preceded with '#' or ';'         #
#                                               #
#################################################
 
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
 
tls-client
#remote-cert-tls server
 
 
# Protocol
proto udp
 
#Tunnel
dev tun
 
#Server
remote 192.168.1.14
 
#Certification Authority Certificate - Server Authentication
ca ca.crt
 
#User Key and Certificate - Client Authentication
pkcs12 client.p12
 
cipher AES-256-CBC
 
#auth SHA256
 
tls-version-min "1.0"
tls-version-max "1.0"
 
mssfix 1200
comp-lzo

Note: if you set a passphrase to access your private key, just add the following line in your configuration file :

askpass pass.txt

Fill the pass.txt file with your password and protect it from reading to others that are not root:

# chmod 600 pass.txt

The two other files (.crt and .p12) have to be generated using the PKI.

Enable OpenVPN over the kerlink gateway Web interface

Select the “Enable” button from the Administration > OpenVPN menu option and drag and drop the following files :

ca.crt
client.p12
client-openvpn.conf

Automatically the openvpn process will be launch at boot time and be monitored by the monit tool.

Connection

Once the files are uploaded and the VPN feature is activated in the administration page, the VPN tunnel will automatically be created.

Table of Contents