
OpenVPN Configuration and Use


OpenVPN Introduction

The OpenVPN package is a reasonably simple tool for building VPN (Virtual Private Network) connections between computers. This article describes installation and configuration of the server side, points to OpenVPN clients for Microsoft Windows and Mac OS X, and covers creation of keys for clients. It is specific to the tools in Celestial's csadmin package as installed on our systems and on the Atramax servers we have developed.

The OpenVPN package is installed under the OpenPKG portable packaging system.


Initial Configuration

The configuration files for OpenVPN on our systems are under the directory /csoft/etc/openvpn. After the initial setup, you will cd (change directory) to this directory whenever you need to create new keys for users, revoke keys, and so on.

The initial configuration of OpenVPN on our systems is done with our csadmin tool, which keeps its files for many subsystems under the directory /csoft/etc/csadmin. This directory is readable only by the root user.

Run csadmin and select the OpenVPN module from the main menu. This displays several configuration options; there should be nothing to change here. Press F4 or PageDown to save the configuration and create the initial openvpn.conf and vars files in the OpenVPN configuration directory, /csoft/etc/openvpn.


Create Server Keys

Change directory to /csoft/etc/openvpn.

Run the initialization script by typing the command ./mkinitial.sh. This creates all necessary keys, certificates, and Certificate Authority (CA) files for the server. You will be prompted for information relating to the keys; there is probably no reason to do anything other than press <Enter> at each prompt. Note that the CA private key created here is what signs every client certificate you issue later, so anyone who can read it can mint VPN credentials: keep it readable only by root.


Edit the openvpn.conf configuration

This file controls the overall operation of the server. There probably shouldn't be anything to change at this time.


Start the OpenVPN Server

Start the server with the OpenPKG run control script:


/csoft/etc/rc openvpn stop start

The OpenVPN package's log and run control files are under the directory /csoft/var/openpkg/.


Firewall Modifications

The firewall may need to be modified to allow incoming UDP traffic on the OpenVPN port (1194 by default) and to permit traffic from the OpenVPN tunnel device, normally "tun*".

If you are running the Celestial/Atramax csboot package to handle the firewall and routing functions, you will need to open the UDP port and probably change the ppp* references to tun* (the ppp* entries are defined by default for the insecure Microsoft PPTP VPN). These rules are in the file /csoft/etc/csboot/IPTables.sh. After editing this file, execute the following command to restart the csboot firewall.


/csoft/etc/rc csboot stop start

NOTE: If you are not running the csboot package, you must turn on IP forwarding on the system yourself, or traffic from the tunnel will never be routed to the rest of the network.
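The rules described above, written out as an added example (this is not the contents of csboot's IPTables.sh; on a csboot system you edit that file instead). The port and the tun+ wildcard are the page's defaults; the LAN interface name eth0, the FORWARD rules with their connection-state match, and the OPENVPN_DRY_RUN switch are assumptions made for the illustration:

```shell
#!/bin/sh
# Added example, not csboot's IPTables.sh: the firewall changes the text
# calls for, as a reviewable function. OPENVPN_DRY_RUN=1 prints the
# commands instead of running them, so the rule set can be checked
# without root.

OPENVPN_PORT="${OPENVPN_PORT:-1194}"
VPN_IF="${VPN_IF:-tun+}"     # iptables wildcard matching tun0, tun1, ...
LAN_IF="${LAN_IF:-eth0}"     # assumed name of the internal interface

run() {
    if [ "${OPENVPN_DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

openvpn_firewall_rules() {
    # 1. accept the tunnel's own UDP traffic on the public side
    run iptables -A INPUT -p udp --dport "$OPENVPN_PORT" -j ACCEPT
    # 2. accept traffic arriving from the tunnel device; this is the
    #    ppp* -> tun* change when adapting the csboot rules
    run iptables -A INPUT -i "$VPN_IF" -j ACCEPT
    # 3. route between the tunnel and the LAN: anything from the VPN
    #    side, but only replies to established flows from the LAN side
    run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$VPN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 4. FORWARD rules do nothing unless the kernel routes packets
    run sysctl -w net.ipv4.ip_forward=1
}

# Review first, then apply as root:
#   OPENVPN_DRY_RUN=1 openvpn_firewall_rules
#   openvpn_firewall_rules
```

The rules use -A (append), so on a firewall whose chains end in a DROP rule they must be placed before that rule (with -I, or by editing them into the script ahead of the final DROP) or they will never match.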


Client/User Programs and Keys

The OpenVPN client software and a set of signed keys are required for a user's system to connect to the OpenVPN server. Recent versions of the client software, and links to the sites with the originals, are available in Celestial's OpenVPN Downloads Directory.

The user needs to install the software appropriate to their operating system.


Create Client Keys

Each client (user) machine requires a set of files containing the keys needed to connect to the OpenVPN server. To create a set of files, cd to the /csoft/etc/openvpn directory and execute the following command, replacing FileID and user@example.com with appropriate values for the user (the leading "./" is essential):


	./mkzipclient.py FileID user@example.com

The FileID is the base name given to all of the generated files (e.g. FileID.zip, FileID.key, etc.), and is generally what the user sees after installing the keys on their system. I normally use something combining a system abbreviation and user name, such as CsoftBill or CSBillLaptop, so that it is easy to identify.

The e-mail address is embedded in the client's certificate, and the FileID.zip file is e-mailed to that address.

NOTE: It is not a good idea to e-mail sensitive files to accounts on untrusted systems; the zip contains the user's private key (FileID.key), and anyone who obtains it can connect to the VPN as that user. If there is any doubt, it may be a Good Idea(tm) to e-mail it to an internal support address instead and get the file to the user by other means.

The FileID.zip file and the other FileID.* files are left in the keys subdirectory.
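Before a bundle leaves the server it is worth confirming that the certificate really was signed by this server's CA, that FileID.key is the private key for that certificate, and that the key file is not readable by other users. The following is an added example and is not part of mkzipclient.py or mkinitial.sh; it assumes the keys subdirectory holds FileID.key and FileID.crt and that the server CA certificate is available there as ca.crt (adjust the paths if your layout differs). The make_demo_bundle function builds a throwaway CA and client certificate purely so the check can be tried offline:

```shell
#!/bin/sh
# Added example, not code from the csadmin package. Sanity checks for a
# client key bundle before it is handed out. Assumed layout: DIR/ca.crt
# (server CA), DIR/FileID.crt and DIR/FileID.key.

# Returns 0 if FileID.crt is signed by ca.crt, FileID.key is its private
# key, and the key file is readable only by its owner; otherwise prints
# the reason on stderr and returns 1.
check_client_bundle() {
    dir="$1"; id="$2"
    ca="$dir/ca.crt"; crt="$dir/$id.crt"; key="$dir/$id.key"

    for f in "$ca" "$crt" "$key"; do
        [ -f "$f" ] || { echo "missing file: $f" >&2; return 1; }
    done

    # group and other permission bits from ls -l ("------" for mode 0600)
    perm=$(ls -l "$key" | cut -c5-10)
    if [ "$perm" != "------" ]; then
        echo "$key is readable by group or others ($perm)" >&2; return 1
    fi

    # 1. the client certificate must chain to our CA and nothing else
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "$crt is not signed by $ca" >&2; return 1
    fi

    # 2. the private key must belong to that certificate: compare the
    #    public key inside the cert with the one derived from the key
    certpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$certpub" ] || [ "$certpub" != "$keypub" ]; then
        echo "$key does not match $crt" >&2; return 1
    fi

    # 3. show who the certificate names and when it expires, so the
    #    operator can confirm it is the intended user before sending it
    openssl x509 -in "$crt" -noout -subject -enddate
}

# Constructed demo data, only for trying the check offline: a throwaway
# CA and one client certificate signed by it, in the layout above. On a
# real server these files come from mkinitial.sh and mkzipclient.py.
make_demo_bundle() {
    dir="$1"; id="$2"; email="$3"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$id.key" \
        -subj "/CN=$id/emailAddress=$email" -out "$dir/$id.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$dir/$id.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/$id.crt" 2>/dev/null &&
    chmod 600 "$dir/ca.key" "$dir/$id.key"
}

# On the server, after ./mkzipclient.py CsoftBill user@example.com:
#   check_client_bundle /csoft/etc/openvpn/keys CsoftBill
```

The public-key comparison is the check that catches a bundle assembled from the wrong pair of files, which openssl verify alone will not notice; the permission check catches a key that was world-readable before it was zipped.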


Install Client Keys

The user needs to extract the keys into the directory on their system where the OpenVPN client software will look for them. On Mac OS X, this is the $HOME/Library/openvpn directory.

On Mac OS X systems, save the file from the e-mail to your system. Double-clicking the FileID.zip file should automatically extract its contents into a subdirectory named FileID. You can then drag and drop these files into the $HOME/Library/openvpn directory.

