Sample OpenVPN configuration files to help with OpenVPN setup
Below is a sample OpenVPN server configuration file. It runs a server on the internal address range 10.8.0.0/24 (netmask 255.255.255.0), using UDP on port 1194. If you set it up on port 443 instead, it can be hidden amongst other SSL traffic. That is a good tip for getting past a proxy in certain educational institutions, for example.
```
server 10.8.0.0 255.255.255.0
verb 3
duplicate-cn
key server-key.pem
ca ca.pem
cert server-cert.pem
dh dh.pem
keepalive 10 120
persist-key
persist-tun
comp-lzo
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
user nobody
group nogroup
proto udp
port 1194
dev tun1194
status openvpn-status-1194.log
```
This is the client configuration file. It defines the remote address of the OpenVPN server and carries the client's private key, certificate and CA certificate inline (the <key>, <cert> and <ca> blocks), which is what grants access to the remote server and the resources behind it; anyone holding this file can connect as that client, so it needs the same protection as the key itself. This client connects over TCP on port 443, so the server it talks to must be listening with proto tcp on port 443: the client's remote line has to agree with the server's proto and port directives.
```
client
nobind
dev tun
redirect-gateway def1 bypass-dhcp
remote 54.66.223.254 443 tcp
comp-lzo yes
<key>
-----BEGIN RSA PRIVATE KEY-----
[private key material omitted]
-----END RSA PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
[client certificate omitted]
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
[CA certificate omitted]
-----END CERTIFICATE-----
</ca>
```
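A quick way to catch the kind of mismatch between the two files above (server on udp/1194, client profile pointing at tcp/443) before rolling a profile out: the following is an added example, not code from the original post or from OpenVPN. It parses both configs, including inline <key>/<cert>/<ca> blocks, and reports remote/proto/port disagreements and missing key material. The sample configs inside it are constructed from the directives shown above, with a placeholder PEM body and the hypothetical host vpn.example.com.

```python
"""Check that an OpenVPN client profile matches the server it will talk to.
Added example, not code from the original post or from OpenVPN; the sample configs
below are constructed from the directives shown above, with a placeholder PEM body."""
import re
import shlex

INLINE_RE = re.compile(r"<(\w+)>\n(.*?)\n</\1>", re.S)  # inline <key>/<cert>/<ca> blocks

def parse_ovpn(text):
    """Split a config into directives {name: [args, ...]} and inline PEM blocks."""
    inline = {m.group(1): m.group(2) for m in INLINE_RE.finditer(text)}
    directives = {}
    for line in INLINE_RE.sub("", text).splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            name, *args = shlex.split(line)  # keeps push "..." as one argument
            directives.setdefault(name, []).append(args)
    return directives, inline

def check_pair(server_cfg, client_cfg):
    """Return findings: remote proto/port mismatches and missing key material."""
    sd, _ = parse_ovpn(server_cfg)
    cd, cinline = parse_ovpn(client_cfg)
    findings = []
    proto = sd.get("proto", [["udp"]])[0][0].split("-")[0]  # OpenVPN defaults: udp, 1194
    port = sd.get("port", [["1194"]])[0][0]
    for args in cd.get("remote", []):  # remote <host> [port] [proto]
        rport = args[1] if len(args) > 1 else "1194"
        rproto = (args[2] if len(args) > 2 else cd.get("proto", [["udp"]])[0][0]).split("-")[0]
        if (rproto, rport) != (proto, port):
            findings.append(f"remote {args[0]}: client uses {rproto}/{rport}, server listens on {proto}/{port}")
    for tag in ("ca", "cert", "key"):  # client needs each, inline or as a file
        if tag not in cinline and tag not in cd:
            findings.append(f"client is missing {tag}")
    for tag in ("ca", "cert", "key", "dh"):
        if tag not in sd:
            findings.append(f"server is missing {tag}")
    return findings

# Constructed sample inputs (server on udp/1194, client profile pointing at tcp/443).
SERVER_CFG = ("server 10.8.0.0 255.255.255.0\nca ca.pem\ncert server-cert.pem\n"
              "key server-key.pem\ndh dh.pem\npush \"dhcp-option DNS 8.8.8.8\"\n"
              "proto udp\nport 1194\n")
CLIENT_CFG = ("client\nnobind\ndev tun\nremote vpn.example.com 443 tcp\n"
              "ca ca.pem\ncert client-cert.pem\n<key>\n-----BEGIN RSA PRIVATE KEY-----\n"
              "PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n</key>\n")

if __name__ == "__main__":
    for finding in check_pair(SERVER_CFG, CLIENT_CFG):
        print("WARN:", finding)
```

Point check_pair at the real server.conf and .ovpn contents to run it against your own pair; tcp-server/tcp-client variants are compared on their base protocol.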
An OpenVPN server used as the sole way to reach internal resources is very secure: once the client has connected to the server and holds a local IP address such as 10.8.0.1, it can use SSH over the tunnel to access the machine and make changes without worry.
This very useful script can automatically generate a perfect OpenVPN config, but this is cheating, or is it?
https://www.rosehosting.com/blog/openvpn-setup-script-for-debian-and-ubuntu/
Set or change a passphrase for an OpenVPN server key.
https://securitronlinux.com/bejiitaswrath/set-or-change-a-passphrase-for-an-openvpn-server-key/
Iptables config for mapping an OpenVPN IP address to a physical machine address.
https://securitronlinux.com/debian-testing/iptables-config-for-mapping-an-openvpn-ip-address-to-a-physical-machine-address/
How to create keys with easy-rsa without a password prompt.
https://securitronlinux.com/bejiitaswrath/how-to-create-keys-with-easy-rsa-without-a-password-prompt/
This is how to generate new keys for your OpenVPN configuration if they have expired. Expired keys are annoying, but easily fixed with admin access to the OpenVPN server. Be careful when creating keys and make sure the expiry dates are set correctly; this is very important.