Implement a free VPN with OpenVPN

June 8, 2005

Takeaway:
If you want to implement a VPN in your organization but don't have the budget necessary for a
dedicated VPN device or to deploy ISA Server 2004, you're in luck. Here's how you can set up a
VPN for mobile users quickly and inexpensively using OpenVPN.

VPN solutions are more abundant than they were a few years ago. In fact, there are tons of
choices on the market, but some of them can be very expensive. If you need to provide remote
access to the office, or even provide access to a remote office, and don't have a huge budget for
a dedicated VPN device or ISA Server 2004, consider the open source OpenVPN project to fulfill
your VPN needs. In this article, I'll provide an overview of both OpenVPN and the OpenVPN GUI
for Windows.

What is OpenVPN?
OpenVPN is an open source, cross platform, SSL-based VPN solution capable of
accommodating a number of situations; including both remote access and site-to-site secure
communication (a remote office, for example). Available for a number of platforms, including
Windows, Linux, BSD, Mac OS X and Solaris, OpenVPN is fairly simple to get up and running.

OpenVPN sports a multitude features that make it an ideal choice in the "free VPN" space,
including the ability to build VPN tunnels over NAT devices, to read certificates and private keys
from smart cards on Windows clients, as well as being able to run on fairly low-end hardware,
perfect for when costs need to be kept as low as possible.

OpenVPN, however, does not support the PPTP, IPSec or L2TP protocols, instead favoring SSL-
based technology for all of its functionality. Everything you want to know about what OpenVPN
includes can be found on the front page of the OpenVPN site.

Obtaining OpenVPN
There are currently two versions of OpenVPN available: 1.6 and 2.0. 2.0 is the upcoming release
that is not yet considered "final" whereas 1.6 is the most recent stable release. I'm installing
OpenVPN onto a Windows Server 2003 system running a prerelease of SP1, and I'm using
version 2.0 for this article.

To get an OpenVPN installer for Windows or tarball for Linux, head to OpenVPN's handy
download page.

If you're installing OpenVPN onto a Windows system, you can instead opt to use a different
download package that includes OpenVPN 2.0 and a really nice graphical user interface. This is
one of the great things about open source. A package is available from this site's download page
that packages OpenVPN with the GUI. Packages are also available for download for those that
are already running OpenVPN and just want a graphical front-end to manage the system. The
GUI is only for Windows systems, though.
For this article, I'm using the download package that includes both OpenVPN and the GUI. Note
that this installer is used for both the server and the client.

Installation
The installation of OpenVPN is surprisingly easy, particularly since everything you need is built
right into the installer, including the TAP-Win32 virtual Ethernet driver and OpenSSL. The first
screen of the installer asks you to read the obligatory license agreement, while the second
screen, shown below in Figure A, shows you exactly what the installer will be putting on your
system.

Figure A

The OpenVPN list of components

By default, OpenVPN installs to C:\Program Files\OpenVPN, but you can choose your own
installation directory on the next screen of the installer, if you like. That's the whole initial
installation. Two screens to work with: (1) pick what you want to install and (2) choose a directory
into which to put everything.

During the installation, you'll probably get a driver installation message indicating that the TAP-
Win32 driver is not certified by Microsoft. This driver is used by a number of Open Source
programs (including coLinux), and is, in my experience, stable.

Here's a look at the Start menu after the installation completes.

Figure B
The OpenVPN menu options

Now, open up your Network Control Panel. You'll see an additional entry for the TAP driver, which
OpenVPN uses for communication across the tunnels it creates. One best practice with regard to
the TAP driver is to rename it to something other than "Local Area Connection". In particular,
spaces in the TAP adapter name have been known to create problems, so I renamed mine to
"VPN-TAP".

Figure C

The TAP diver on my system

Now that OpenVPN is installed, it's time to move on to the configuration tasks.

Creating certificates for use with OpenVPN

OpenVPN requires the use of certificates to help establish the authenticity of clients connecting to
an OpenVPN system and vice-versa. After all, you probably wouldn't want a situation in which a
client was connecting to an untrusted server. To help prevent this, OpenVPN supports
bidirectional authentication.

To use OpenVPN, you need to establish a public key infrastructure that will be used by the
system. You need a master certificate authority certificate and key, which will sign each server
and client certificate. Table A will walk you through the steps necessary to configure certificates
for OpenVPN.

Table A
Generate the master certificate and key by following these steps:
Command Purpose
Go to a command prompt
C: Change to the C:
drive, unless
you're already
there. If you
installed
OpenVPN to a
different drive, go
to that drive
instead.
Cd \program files\OpenVPN\easy-rsa Change to the
easy-rsa
directory, which is
where certificate
functions are
carried out.
init-config Copies the
sample vars.bat
and openssl.cnf
files to version
that you can
safely modify
while still
maintaining the
samples.
edit vars.bat Modify the
contents of the
Contents: vars.bat file to
correctly reflect
your location. If
@echo off
necessary,
change the
set HOME=%ProgramFiles%\OpenVPN\easy-rsa HOME option to
reflect the correct
set KEY_CONFIG=openssl.cnf location of the
easy-rsa folder
set KEY_DIR=keys on your Windows
system.
set KEY_SIZE=1024
The option
KEY_CONFIG,
by default, points
to openssl.cnf file
set KEY_COUNTRY=US
included with
easy-rsa.
set KEY_PROVINCE=NY
The KEY_DIR
set KEY_CITY= Elmira option is the
directory in which
set KEY_ORG=TechRepublic keys will be
stored.
set KEY_EMAIL=mail@example.com
The KEY_SIZE
Follow these commands to configure certificates for OpenVPN.

Copy keys to appropriate locations

The best way to with OpenVPN is to copy the key files to the local OpenVPN config directory on
both the server and the clients. For the server, copy the following files to C:\Program
Files\OpenVPN\config:

• ca.crt : the certificate authority. This file will also be copied to each client later on.
• server.key : the server's key. Your server key will probably have a name that matches that
of your server.
• server.crt : the server's certificate file. Your server certificate will probably have a name
that matches that of your server.
• dh1024.pem : The Diffie-Hellman parameters for the VPN.
• tls.key : the TLS authentication key.

Configuring the server

OpenVPN works on the concept of text-based configuration files: one for the server and one on
each client for that client. OpenVPN comes with some sample configuration files found in the
C:\Program Files\OpenVPN\sample-config directory. Under Windows, these sample files carry a
.ovpn extension.

The OpenVPN sample server configuration file is a good starting point. To use this sample, you
need to copy it from C:\Program Files\OpenVPN\sample-config to C:\Program
Files\OpenVPN\config. When the OpenVPN service starts up, it will look in this directory for
configuration files and start a separate OpenVPN process for each one. For this example, I just
have the sample server.ovpn file in the config directory.

Before you start configuration, you should make note of a couple of things. First, you can
configure OpenVPN to bridge your Ethernet network across the VPN (TAP mode), or you can
configure the VPN using a virtual point-to-point IP link (TUN mode). I'm going to use TAP mode
for this article.

Note: TAP mode is required if you want to pass different protocols over the VPN. TAP mode
provides a layer 2 tunnel between the client and the server that can pass TCP/IP, IPX, NetBEUI
and more. TAP also provides a mechanism by which network broadcasts can traverse the VPN,
which is required for some applications. TUN mode is more efficient and easier to administer, but
doesn't pass anything except TCP/IP. These days, that's not a problem for many applications.

Some versions of Windows don't support TAP devices. If you're using older versions of Windows,
plan to use TUN mode.

Table B goes over the sample configuration file included with OpenVPN and outlines what each
parameter is and what it does.

Table B
Configuration file parameters
;local a.b.c.d Optional parameter – on which
local IP address should OpenVPN
listen for connections?
port 1194 On which local port should
OpenVPN listen for connections.
Port 1994 is OpenVPN's official
port number. If you plan to run
multiple OpenVPN instances,
each needs its own port.
;proto tcp Do you want to use TCP or UDP
for connections? The default is
proto udp UDP. If you want to use TCP,
uncomment TCP and comment
UDP with a semicolon.
;dev tap Do you want to use a TAP
connection or a TUN connection?
dev tun The default is TUN.
dev-node MyTap (Windows only) Provide the name
of the TAP device on your system.
ca ca.crt Provide the name of each of your
certificate and key files as well as
cert server.crt the file name that holds your
Diffie-Hellman parameters.
key server.key

dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4
255.255.255.0 10.8.0.50
10.8.0.100
;push "route 192.168.10.0
255.255.255.0"
;push "route 192.168.20.0
255.255.255.0"
The "server" directive configures
OpenVPN in server mode. The IP
network and subnet mask
provided is the VPN subnet on
which OpenVPN will operate. The
server will take the first address in
the pool. In this example, that
would be 10.8.0.1. This line
should be commented out for
TAP-based servers.
Provides a way for OpenVPN to
track assigned client VPN
addresses so that they can be
reused for future connections.
This directive enables TAP
bridging, assigns the bridge an IP
address, and assigns a range of
IP addresses that will be assigned
to clients connecting through this
interface.
Pushes routes to VPN-connected
clients so that they can connect to
other private networks behind the
OpenVPN server.
Based on the information in the previous table, this is the configuration file I could use on my
sample VPN server:

port 1194

proto udp

dev tap

dev-node TAP-VPN

ca ca.crt

cert server.crt

key server.key

dh dh1024.pem

ifconfig-pool-persist ipp.txt

server-bridge 192.168.152.100 255.255.255.0 192.168.152.150

192.168.152.200

keepalive 10 120

comp-lzo

status openvpn-status.log

verb 3

Start the server

With the server configuration file now built, you can start the server process on your OpenVPN
server. Since I'm using the GUI, I'll right-click the GUI icon and choose Connect. A status window
pops up, which is shown in Figure D.

Figure D
This screen will tell you everything you need to know about how your VPN operates

Note: If you want to start OpenVPN with a specific configuration file, go to the config directory,
right-click a configuration file and choose "Start OpenVPN with this configuration file" from the
shortcut menu. You can also start OpenVPN directly from the command line. Refer to the
OpenVPN docs for more details on this.

Client configuration
With your OpenVPN server up and running, you can start connecting clients. This is the easy
part, believe it or not. The client side uses the same installer as the server side of things. So, to
get started, install the OpenVPN software and GUI on to your client computer using the
instructions found earlier in this article.

Build key and certificate for the client

On the server side, you'll need to run the 'build-key client-name' command for each client that you
want to allow to connect to the OpenVPN server. Once you do this, copy the client-name.key,
client-name.crt, and ca.crt files from the server to your client's C:\Program Files\OpenVPN\config
directory.

Configure the client

Like the server, each client has a configuration file that you use to provide the client with its
configuration information. Also like the server, you'll find a sample client file in the C:\Program
Files\OpenVPN\sample-config directory. I used this file as a starting point for my installation.

Table C lists some of the unique client parameters:

Table C
 client
remote my-server-1 1194
resolv-retry infinite
Indicates to OpenVPN that this is
a client rather than a server.
Connect to the server named 'my-
server-1' using port 1194. You can
also specify the IP address of the
server instead of the hostname, if
you like.
Will continue to try indefinitely to
resolve the host name of the
OpenVPN server.

Here is a configuration file that I might use on a client to connect to the OpenVPN server I set up:

client

dev tap

dev-node client-TAP

proto udp

remote 192.168.152.100 1194 (if I was using NAT on the server side, I
would instead use the external IP address of the NAT rule here)

resolv-retry infinite

nobind

ca ca.crt

cert vpnclient.crt

key vpnclient.key

comp-lzo

verb 3

Make sure that you also modify the ca, cert, and key values in the client configuration file to point
to the file containing these critical pieces of information.

Once you get the client configured, start it with the GUI controls, or from the command line. From
the GUI in the system tray, right-click the OpenVPN icon and choose Connect.

Keep in mind
Before you start the client, make sure that any firewall that you might traverse into the remote
network is forwarding port 1194 to your OpenVPN server and, if you're using NAT, that you've
provided an appropriate NAT rule for said server, thus providing it with an externally accessible IP
address.
Remember, each client needs its own certificate/key pair, each generated on the OpenVPN
server. Make sure also that you copy the master ca.crt file from the server to any client that you
want to allow to connect to the OpenVPN server. If you fail to do this, you won't be able to
connect.

Also consider the use of a TLS shared key to help keep your communication secure.