How to Configure OpenVPN (lockup Version)

You can download a PDF version of this guide here.

This guide is based on Riley’s “How to Configure OpenVPN” [http://www.itsatechworld.com/2006/01/29/how-to-configure-openvpn/], which is extremely useful for anyone interested in the product. I used Riley’s guide myself, but in several parts I hit roadblocks or felt the security could be enhanced. As such, I have written this updated guide with several changes. I have done so without Riley’s permission or knowledge, but with the same motivation: to assist people with this great product. I hope you don’t mind, Riley.

Other than formatting changes, I’ve added/amended building password protected key files, 2048-bit keys, tls-auth, AES for symmetric encryption, as well as expanding explanations and the troubleshooting section. The core structure of Riley’s setup remains the same though.

This guide is for using a Windows XP OpenVPN server. If you want to install it on any other operating system (including any other Windows version), this guide may help, but I’d suggest running XP in a virtual machine. The client computers may run any operating system.

All commands in this tutorial are denoted by the use of inverted commas.
eg. ‘command argument’ is typed as command argument.

Table of Contents

1. What is OpenVPN
2. Choice of Server Operating System
3. Sample Network Configuration
4. OpenVPN Installation and Setup

a. Download
b. Install
c. Create a Certificate Authority
d. Create a Server Certificate
e. Create the Client Certificates
f. Generate the Diffie-Hellman Parameters
g. Generate an HMAC signature
h. Edit the Config Files
i. Configure your Router
j. Configure your Server
k. Configure your Client
l. Connect

5. Troubleshooting

a. Lost Clients
b. Double-Check
c. Port Forwarding
d. Network Shares
e. DynDNS
f. Missing Files
g. Windows Update/Auto-Connect
h. Help

1. What is OpenVPN

OpenVPN is a free, open source Virtual Private Network package which uses SSL/TLS to create an encrypted tunnel from a computer on a remote network (eg. an office, airport or cafe) to a host network (eg. a home or office). This encrypted connection then allows the computer to be a part of that network and have access to any of the files or services available. For a more detailed explanation, please see my post here [https://lockup.wordpress.com/2008/06/10/openvpn-really-good-vpn/].

2. Choice of Server Operating System

Initially my inclination was to install OpenVPN on a Linux system. This was due to it being, generally speaking, less exploited than Windows. There are also a few security features only available on Linux installations [https://lockup.wordpress.com/2008/06/10/openvpn-really-good-vpn/].

However, there were a few reasons I decided against it. The most significant was the complexity of an OpenVPN installation on Linux, which involves a lot more command line work and manually running scripts to install network drivers. Bruce Schneier put it well when he said “complexity is the worst enemy of security” and, particularly because I have limited Linux experience, I decided to go with what was familiar, ie. Windows. There was too great a chance that I would make a mistake on Linux.

As I didn’t have a spare XP box that I could always leave on, I created a Windows XP virtual machine using VMware Workstation running on Windows Server. I fully patched it and allocated it 512MB of RAM.

The server operating system does not affect compatibility with the client machines. Windows, OS X and Linux clients will all be able to connect to an XP server.

3. Sample Network Configuration

This guide assumes that you have a network configuration similar to the following

Router IP: 192.168.1.1
Subnet Mask: 255.255.255.0

OpenVPN Server Static IP: 192.168.1.150
Subnet Mask: 255.255.255.0
Default Gateway of 192.168.1.1

If any aspect of your network is different, it’s not an issue, but you will need to take that into consideration when following the rest of this guide.

4. OpenVPN Installation and Setup

a. Download

Download the install file from http://openvpn.net/index.php/open-source/downloads.html. The “Windows Installer” includes the base OpenVPN application and a simple GUI.

b. Install

Install it on the computer that is going to be your OpenVPN server. This computer is going to need to be turned on and running at all times that you wish to have your virtual network accessible. For most people that means 24/7.

If you have any previous versions of OpenVPN installed, shut down any running instance of it before running the install file.

During the installation you can choose if the GUI program will be started automatically at system startup. The default is yes. It is best to leave all of the options on the default. All the instructions below assume that you have installed the program in the default directory. At the end of the install you should reboot the machine.

c. Create a Certificate Authority

After rebooting you are going to need to configure the OpenVPN files on your server using the command prompt and a text editor like Notepad.

Go to Start > Run and type ‘cmd’ to open the command prompt.

Then enter the command below to move to the correct directory:

‘cd C:\Program Files\OpenVPN\easy-rsa’

Then type this command to run the batch file that will copy the configuration files into place:

‘init-config’

Now open up Windows Explorer and navigate to C:\Program Files\OpenVPN\easy-rsa. Open the file “vars.bat” in a text editor. Something other than Notepad will make it easier to edit, but whatever you have will do.

You should change the value of KEY_SIZE to 2048. This sets the length of the RSA keys generated for the CA, the server and every client; 1024-bit RSA is no longer considered adequate, and 2048 bits is the current recommendation. The performance effect of this change is a one or two second delay more than a 1024-bit pair, and only when you connect to the VPN server. You’ll hardly notice it and it will not affect transfer speed once you have connected, because the RSA key is only used during the handshake; the data itself is protected by the symmetric cipher (AES, set later in the config files).

You should also change the values of the following variables at the bottom of the file: KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL. They make up the Distinguished Name that goes into every certificate you sign, but it doesn’t really matter what you put for these values. Just don’t leave any of them blank, as the signing scripts expect them to be set.

Back at the command prompt you are going to enter the following commands in order:

‘vars’
‘clean-all’
‘build-ca’

When you run ‘build-ca’ you will be prompted for several entries. You can simply hit Enter for the first five. These will be taken from the vars.bat file you customised. Ignore “Organisational Unit Name”.

The only parameter that must be explicitly entered is the “Common Name”. Enter a name for your VPN for this entry. An example would be “MyVPN”.

Again, you can just hit enter for “Email Address”, provided that you added a value for it in “vars.bat”.

d. Create a Server Certificate

Next enter the following command to generate a certificate/key for the server:

‘build-key-server server’

Again, most entries can be left on default so just hit enter, but make sure you enter “server” for the Common Name. This script signs the certificate with the “server” extension (nsCertType=server), which is what lets clients later verify that they are talking to the real server rather than to another client holding a certificate from the same CA. When it prompts for a “Challenge Password” and “Optional Company Name”, don’t enter anything, just hit enter (the password you need to set is in the next step). Type ‘y’ for yes at the last two prompts, “Sign the certificate? [y/n]” and “1 out of 1 certificate requests certified, commit? [y/n]”.

e. Create the Client Certificates:

In Windows Explorer, navigate to C:\Program Files\OpenVPN\easy-rsa and make a copy of the file “build-key.bat” into that same folder. Rename it to “build-key-pass.bat”, then open it in a text editor. Find the text “-nodes” and remove it along with the preceding space. “-nodes” (“no DES”) tells OpenSSL to write the private key unencrypted; without it, OpenSSL asks for a pass phrase and encrypts the key file with it. You have just created the batch file which will create password protected certificates/keys.

Now run the following command one at a time to generate as many client certificates/keys as you need. These can be called whatever you like but they must all be different. If you are going to have a lot of clients, something like “client1-Tom” makes things easier to manage.

‘build-key-pass client1’
‘build-key-pass client2’
‘build-key-pass client3’
‘build-key-pass client4’

and so on…

The first thing you will be prompted for is a “PEM pass phrase”. This pass phrase encrypts the client’s private key on disk, so it will have to be entered every time that client initiates a connection. Each client can have a different pass phrase or they can all be the same, and each user can change theirs later on. You will then be prompted to enter data just like when you built the server key, and you can just hit enter for most of them, but make sure the Common Name you enter matches the name you typed in the command, eg. client1, client2, etc. These entries must match up. Again, you can just hit enter when asked for a “Challenge Password” and “Optional Company Name”. Then type ‘y’ and ‘y’ at the next two prompts.

Run the above commands for as many clients as you would like to have on your VPN, making sure you change the client name each time.

f. Generate the Diffie-Hellman Parameters

The next step in this process is to generate Diffie-Hellman parameters for the OpenVPN server.

Enter this command to begin the process:

‘build-dh’

Unfortunately, this can take over an hour, but you don’t need to be there while it is generating. It will need to complete before you move onto the next step though.

g. Generate an HMAC Signature

This is the final step requiring command line, so hang in there.

Enter the following (each option starts with two hyphens; some web renderings merge them into one):

‘openvpn --genkey --secret ta.key’

This creates a static key file (a shared secret rather than a signature in the strict sense) that OpenVPN uses to put an HMAC on every TLS control-channel packet. The server config will load it with direction 0 and the clients with direction 1, and any packet that arrives without a valid HMAC is dropped before it ever reaches the TLS code. That shuts out port-scanning probes, flooding of the handshake and attempts to exploit a bug in the SSL/TLS implementation by anyone who doesn’t hold the key. Because it is a shared secret, it has to be copied to every client over a trusted channel (see section 4k) and looked after as carefully as the client keys. You can read about this feature, called “tls-auth”, here [http://openvpn.net/index.php/documentation/howto.html#security].

You are now done with the command line.
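What tls-auth buys you is easier to see in code. The following is an added example of mine, not OpenVPN’s code and not part of the original guide: it writes a key in the same “Static key V1” file layout that ‘openvpn --genkey --secret ta.key’ produces, then models the receiving side’s gate. The simplifications are assumptions rather than OpenVPN’s real behaviour: the whole 256-byte key is used as the HMAC-SHA1 key in both directions (OpenVPN derives separate per-direction keys from the file, which is why the server is configured with direction 0 and the clients with 1), and the packet header is reduced to HMAC plus packet-id.

```python
import hashlib
import hmac
import secrets
import struct

# Added example modelling OpenVPN's tls-auth gate; not OpenVPN's own code.
# Assumptions (simplified from the real protocol): the whole 256-byte static
# key is the HMAC-SHA1 key for both directions, and a control packet is laid
# out as  HMAC(20 bytes) || packet_id(4 bytes, big-endian) || payload.

KEY_BYTES = 256  # "openvpn --genkey --secret ta.key" writes a 2048-bit key
HEADER = "-----BEGIN OpenVPN Static key V1-----"
FOOTER = "-----END OpenVPN Static key V1-----"


def generate_static_key(rand=secrets.token_bytes):
    """Text of a ta.key file in OpenVPN's 'Static key V1' layout:
    256 random bytes as 16 lines of 32 hex characters between the markers."""
    raw = rand(KEY_BYTES)
    lines = [raw[i:i + 16].hex() for i in range(0, KEY_BYTES, 16)]
    preamble = ["#", "# 2048 bit OpenVPN static key", "#", HEADER]
    return "\n".join(preamble + lines + [FOOTER]) + "\n"


def parse_static_key(text):
    """Return the 256 key bytes from a ta.key file; reject anything malformed."""
    if HEADER not in text or FOOTER not in text:
        raise ValueError("not an OpenVPN static key file")
    body = text.split(HEADER, 1)[1].split(FOOTER, 1)[0]
    raw = bytes.fromhex("".join(body.split()))
    if len(raw) != KEY_BYTES:
        raise ValueError("ta.key must hold exactly %d bytes" % KEY_BYTES)
    return raw


def seal(key, packet_id, payload):
    """Sender side: prefix a control packet with its packet-id and HMAC."""
    body = struct.pack(">I", packet_id) + payload
    return hmac.new(key, body, hashlib.sha1).digest() + body


class TlsAuthGate:
    """Receiver side: drop anything whose HMAC is wrong or whose packet-id was
    already seen, before the bytes ever reach the TLS implementation."""

    def __init__(self, key):
        self.key = key
        self.seen = set()
        self.dropped = 0

    def accept(self, datagram):
        if len(datagram) < 24:               # too short to carry HMAC + id
            self.dropped += 1
            return None
        tag, body = datagram[:20], datagram[20:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()
        if not hmac.compare_digest(tag, expected):
            self.dropped += 1                # unauthenticated: scanner, flood, fuzzing
            return None
        packet_id = struct.unpack(">I", body[:4])[0]
        if packet_id in self.seen:
            self.dropped += 1                # replayed control packet
            return None
        self.seen.add(packet_id)
        return body[4:]                      # only now would TLS see the payload


def demo():
    """Constructed exchange: one genuine ClientHello, then four kinds of junk."""
    key = parse_static_key(generate_static_key())
    gate = TlsAuthGate(key)
    hello = seal(key, 1, b"TLS ClientHello")
    results = {
        "genuine": gate.accept(hello),
        "replay": gate.accept(hello),
        "tampered": gate.accept(hello[:-1] + bytes([hello[-1] ^ 1])),
        "no_hmac": gate.accept(hello[20:]),
        "wrong_key": gate.accept(seal(bytes(KEY_BYTES), 2, b"TLS ClientHello")),
    }
    return results, gate.dropped
```

Only the client that holds the same ta.key gets its handshake through; the replayed, tampered, HMAC-less and wrong-key packets are counted and thrown away without the TLS stack parsing a byte of them. That is the property that makes it acceptable to put the listener on a port like 443 if a hotspot forces you to (section 4i).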

h. Edit the Config Files

Now it’s time to create configuration files for the server and your clients. There should be sample config files in the config directory, but I recommend using the ones below if you have a network similar to the one defined earlier.

Where changes or checks are needed, it is marked in the file with “####”. If you would like more information on any of the settings, have a look at the files in the “sample-config” directory. They have detailed comments.

The following files have “.doc” filename (just so I could upload them to WordPress). Change the filename to “.ovpn”.

Server Config File:
server.ovpn (save, change “.doc” to “.ovpn” and open in a text editor)

https://lockup.wordpress.com/wp-content/uploads/2008/06/server.doc

You will only need to change the IP addresses of the DNS servers in the “server.ovpn” file, if everything else on your network is the same as described in section 3.

Client Config File:
client1.ovpn (save, change “.doc” to “.ovpn” and open in a text editor)

https://lockup.wordpress.com/wp-content/uploads/2008/06/client1.doc

You will need a config file for each client. The config file can be exactly the same for each client except for the two lines that contain the file path of the .key and .crt files and the filename. Once you’ve edited the first one, you can copy it and make the changes for each additional client.

You also need to edit the client config files to change the address of your DynDNS.org account (you’ll need one if you have a dynamic IP, it’s free), unless you have a static IP address from your ISP. This is how the client locates your server network.

These configuration files are going to be placed in the config directory (C:\Program Files\OpenVPN\config) of each corresponding computer. Each client is only going to need one config file.

The config files provided route all traffic from the client computers through the server’s internet connection. This protects your browsing from whoever runs the Wi-Fi network you are on (traffic leaves your laptop encrypted and only emerges onto the internet from your home connection) as well as giving access to any resource on the home network. Bear in mind it encrypts nothing beyond your home connection: web sites see your home IP address, and plain http is still plain http from there on.
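Since the author’s server.ovpn and client1.ovpn are only available as the linked downloads, here is an added example of mine (not the author’s files) reconstructing what they contain from the description above, together with a small checker for the settings this section, 4g and 4i care about: a non-default port, UDP, tls-auth with direction 0 on the server and 1 on every client, an AES cipher, and the client verifying that the server’s certificate is the one built with build-key-server (“ns-cert-type server”, or “remote-cert-tls server” on newer versions). The DNS address, the DynDNS hostname and the file names are placeholders (the real files use absolute paths under easy-rsa\keys), and WEAK_SERVER is a constructed “before” in the shape of a stock sample config.

```python
# Added example (not the author's server.ovpn/client1.ovpn, which are linked
# .doc files not reproduced on this page). The configs below are reconstructed
# from the guide's description; file names, DNS and hostname are placeholders.

SERVER_CONF = """
port 12345
proto udp
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
cipher AES-256-CBC
server 192.168.10.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.1"
"""

CLIENT_CONF = """
client
proto udp
remote myvpn.dyndns.org 12345
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
ns-cert-type server
cipher AES-256-CBC
"""

# The same server the way a stock sample config leaves it (constructed).
WEAK_SERVER = """
port 1194
proto tcp
server 192.168.10.0 255.255.255.0
"""


def parse_ovpn(text):
    """Return [(directive, [args])], skipping blanks and '#'/';' comment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        directive, _, rest = line.partition(" ")
        rest = rest.strip().strip('"')  # push "..." style argument
        entries.append((directive, rest.split()))
    return entries


def first(entries, name):
    """Arguments of the first occurrence of a directive, or None if absent."""
    return next((args for d, args in entries if d == name), None)


def audit(text, role):
    """role is 'server' or 'client'; returns a list of findings (empty is good)."""
    e = parse_ovpn(text)
    findings = []
    cipher = first(e, "cipher")
    if cipher is None:
        findings.append("cipher not set: OpenVPN falls back to BF-CBC")
    elif not cipher[0].upper().startswith("AES"):
        findings.append("cipher %s is not AES" % cipher[0])
    proto = first(e, "proto")
    if proto and proto[0].startswith("tcp"):
        findings.append("proto tcp: TCP inside TCP performs poorly, prefer udp")
    ta = first(e, "tls-auth")
    want_dir = "0" if role == "server" else "1"
    if ta is None:
        findings.append("no tls-auth: control channel accepts unauthenticated packets")
    elif ta[1:] != [want_dir]:
        findings.append("tls-auth direction on the %s should be %s" % (role, want_dir))
    # the server's own "port" must match the port in the client's "remote"
    port = first(e, "port") if role == "server" else (first(e, "remote") or [])[1:]
    if not port or port[0] == "1194":
        findings.append("%s uses default port 1194" % role)
    if role == "client" and first(e, "ns-cert-type") is None \
            and first(e, "remote-cert-tls") is None:
        findings.append("server certificate type not checked: a stolen client "
                        "certificate could impersonate the server")
    return findings


def audit_pair(server_text, client_text):
    """Settings that must agree between server.ovpn and every client .ovpn."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    findings = []
    port, remote = first(s, "port"), first(c, "remote")
    if port and remote and len(remote) > 1 and port[0] != remote[1]:
        findings.append("client remote port %s != server port %s" % (remote[1], port[0]))
    for name in ("proto", "cipher"):
        a, b = first(s, name), first(c, name)
        if a and b and a[0] != b[0]:
            findings.append("%s differs: server %s, client %s" % (name, a[0], b[0]))
    return findings
```

Run audit() over each file you hand out and audit_pair() over the server file against each client file; the hardened pair above comes back clean, while the stock-style server trips every check that this guide’s changes are meant to fix.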

i. Configure your Router

You are going to need to make some changes to the settings of the router that is running on the server’s network.

DynDNS: First off, if you have a dynamic IP address and are using DynDNS.org, I would not recommend using the update client built into your router, as most send your username and password in plain text. Download the DynDNS Windows client [http://cdn.dyndns.com/dyndns-setup-win.zip] and run it on your server. It uses a secure connection.

Port Forwarding: You need to make sure the port you configured OpenVPN to listen on (eg. port 12345) is forwarded on the router to the IP address of your server. This can be any port you like, but there are some things to consider. Picking a random port above 10000 keeps you out of the way of automated attacks that only try well-known ports, but it is obscurity rather than security: a full port scan will still find it, and the real protection is the certificate authentication plus tls-auth. On the other hand, some corporate and public Wi-Fi networks only allow communication to common ports (such as 80 [http] & 443 [https]); these are more likely to be probed on your router, but with tls-auth enabled you can afford to use them if necessary. Don’t use port 1194, as that is the default; any automated attack on OpenVPN would go to this port first.

Once you have chosen a port, you need to forward it in your router settings. This will be slightly different for each router, but some menus you might look for are “Applications & Gaming”, “Virtual Server” or “Port Forwarding”. If in doubt, search your manual. The settings you should enter are:

Port: 12345 (or whichever port you decided on)
Protocol: UDP
IP Address/Host: 192.168.1.150
Host Port: 12345 (or whichever port you decided on)

Make sure the entry is enabled and then save the settings, apply or whatever you have to do on your router to commit changes.

Routing Table: You need to make an entry in your router’s Routing Table so that replies from machines on your LAN to the VPN addresses are sent to the server (and its TAP interface) rather than out to the internet. Again this can be different for each router. Look for menus like “Setup”, “Advanced Settings”, “Routing Table” or “Advanced Routing”. The settings you should enter are:

Route Name: OpenVPN
Destination LAN IP: 192.168.10.0
Subnet Mask: 255.255.255.252
Default Gateway: 192.168.1.150
Interface: LAN & Wireless

Once the info has been typed in make sure you save the setting.

This entry for the Routing Table assumes you have all the same settings mentioned above for your network. You may have noticed that the subnet mask here (255.255.255.252) doesn’t match the one in the server config file (255.255.255.0). A /30 mask only covers 192.168.10.0 to 192.168.10.3, so this works as long as the addresses OpenVPN hands out stay within that range; with more clients connected at once, addresses above 192.168.10.3 fall outside the route and replies from your LAN machines won’t find their way back. If that happens, or to be safe from the start, use the full VPN subnet mask from the server config (255.255.255.0) in the router’s route instead.

If your router has “Firewall” settings which restrict the ports and protocols that each machine on the network uses, you’ll need to make an entry for this. On my router, I enabled inbound and outbound for all ports and protocols for 192.168.1.150. This “Firewall” operates behind the NAT layer so it does not pose a great security risk, ie. this doesn’t open any ports on the router, it just tells the router that it is OK to send all packets to and from the OpenVPN server after they pass through NAT. Check your manual if you are unsure of any settings on your router.

j. Configure your Server

Make sure your server has a static IP on the real (not tun/tap) network adapter. This guide assumes 192.168.1.150, but make changes according to what you set.

Then, disable the Windows firewall or any other firewall you may be running. The built-in Windows firewall (as well as some third party ones) causes problems if it is running on the server. Most will work fine on client PCs. If you would rather not switch it off entirely, try adding an exception for openvpn.exe (or the UDP port you chose) and the TAP adapter first. Either way, the router’s port forward remains the only thing exposing the server to the internet, so keep it to that single port.

Next, open the registry (Run > Regedit) and go to the key:

“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters”

Set the DWORD value “IPEnableRouter” to 1 (create it if it isn’t there):

“IPEnableRouter = dword:00000001”

This turns on IP forwarding in Windows, so that packets arriving from the VPN clients on the TAP adapter can be forwarded to the LAN and the internet as the routes in the config file expect. It takes effect after a reboot.

k. Configure your Client

The client machines can have pretty much any operating system, but this guide is for Windows systems. You can find other GUI clients here [http://openvpn.net/gui.html].

Install OpenVPN on each of the client computers using the same install file you used for the server. You can leave all the install settings on their defaults for the clients, but you might consider hiding the TAP Adapter so you don’t have it crowding your system tray.

Do a reboot once install completes. After that, copy (use a USB key, don’t email) the correct .ovpn configuration file into the config directory (C:\Program Files\OpenVPN\config) of each client. Then copy the three necessary certificate files into the C:\Program Files\OpenVPN\easy-rsa\keys folder (create it if not there). Copy only these three; “ca.key” (the CA’s private key, which signs every certificate) and the other clients’ keys must stay on the server. The three needed files are:

ca.crt (each client and the server share a copy of this one file)
clientX.key
clientX.crt

Then copy the file “ta.key” from C:\Program Files\OpenVPN\easy-rsa on the server to C:\Program Files\OpenVPN\config on each client.

When you have done all this, you should delete all the files from your USB key. Bear in mind that an ordinary delete only removes the directory entry, so if the key may leave your hands, overwrite the files or wipe the key. You can leave them on the server though.

l. Connect

If everything went smoothly up to now, you should be able to start up OpenVPN and connect.

On the server:

Go to OpenVPN GUI in the system tray, right click and click connect. It should successfully connect and display that it has an IP address.

On the clients:

Once the server has been connected, you should be able to connect the clients by double clicking the OpenVPN tray icon and entering the password. They should be able to connect to the VPN even when on the same local network, but testing from a separate network, like a neighbour’s Wi-Fi (that you have “permission” to use, of course), is preferable.

Using OpenVPN GUI:

When OpenVPN GUI is started, your config folder (C:\Program Files\OpenVPN\config) will be scanned for any .ovpn files, and an icon will be displayed in the system tray. If you have more than one config file you will be able to choose between them.

5. Troubleshooting

There are too many possible issues to cover in this document, but I’ll cover a few common ones. I’ll also list some websites to go for help.

a. Lost Clients

If you lose control of your client machine or key files (eg. stolen laptop, giving your machine away, lost USB key), you need to make sure that you invalidate the keys. For example, if the “client1” keys are lost, you should enter the following on the server:

‘vars’
‘revoke-full client1’

If you like, you can generate another “client1” certificate/key (which will generate a different key), but it’s better to use a different client name to avoid confusion. Even though your client keys are password protected, the pass phrase only slows down whoever has the file (it can be attacked offline at leisure), so revoke keys as soon as possible. Revoking only helps if the server actually checks the revocation list: ‘revoke-full’ writes keys\crl.pem, and the server config needs a “crl-verify” line pointing at it (see the revocation section of the OpenVPN HOWTO linked in 5h). And if “ta.key” was on the lost USB key as well, generate a new one (section 4g) and redistribute it to every client, because revocation does nothing for that shared secret.

b. Double-Check

If anything isn’t working, double check all the steps in this guide as a small error can prevent it from working.

c. Port Forwarding

I had an issue where I would get an error saying something like “TLS negotiation is taking more than 60 secs, check connectivity”. This was because my router had old firmware and wasn’t port-forwarding; upgrading it fixed the issue. This can also be caused by port restrictions on Wi-Fi access points or routers. Try changing the inbound port on your server router to something like 80 or 443 (see section 4i). It may also be the case that these ports are restricted to TCP packets, so you may need to change the config files to use TCP rather than UDP. That said, I strongly advise against using TCP unless you have to, as tunnelling TCP inside TCP performs badly (a lost packet is retransmitted by both layers).

d. Network Shares

On my clients, the paths of my mapped drives use host names rather than IP addresses and Windows wasn’t able to resolve them from the VPN subnet (192.168.10.0). This is because Windows resolves share names with NetBIOS broadcasts, which don’t cross a routed subnet like the VPN. You can rectify this by re-mapping the network drives using their IP address rather than hostnames. You can also access them by entering the IP address straight into Windows Explorer. If you would rather keep names, a WINS server on the home network or entries in the client’s hosts file are the alternatives.

e. DynDNS

If you are having problems connecting, check that your DynDNS client is updating your IP address correctly. The best way to do this is to log onto the website (dyndns.org) and click “My Hosts”. Check that this IP matches what your router has been assigned and the IP you see resolved on the client OpenVPN connection initiation screen. If it doesn’t match, open up the DynDNS client and have a look at the log.

f. Missing Files

If your connection initiation screen says that it can’t find a file, check that you have put it where it has been specified in the config file (usually easy-rsa\keys). Also check that “ta.key” is in the “config” folder. I found that it would not work anywhere else, even if I specified a path in the config file.

g. Windows Update/Auto-Connect

While I recommend turning/leaving automatic updates on, you may find that if the server reboots or doesn’t like a patch, it will prevent you connecting. It’s best not to have it automatically reboot, but if you really want to, you’ll need to do the following so that the OpenVPN connection starts with Windows.

In the registry (Run > Regedit) go to:

“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run”

Change the data for “openvpn-gui” to “C:\Program Files\OpenVPN\bin\openvpn-gui.exe --connect server.ovpn” (two hyphens before “connect”). This will also work if you want the connection to auto-start on any client machines. As always though, you’ll have to change the “server.ovpn” part to match the client name.

h. Help
http://openvpn.net/index.php/documentation/howto.html
http://openvpn.net/index.php/documentation/miscellaneous/mailing-lists.html
http://www.google.com/ (Search any error messages you get)

That’s the end of my version of Riley’s “How to configure OpenVPN”. This covers all the issues I ran into while using Riley’s guide and includes a number of security enhancements. If you have any issues or suggestions, feel free to comment below. I hope this has helped.

17 Responses to “How to Configure OpenVPN (lockup Version)”

  1. Z Says:

    Do you have any idea how to achieve this config?

    Goal is node A machine that is on public ip address and that is internal should ping the machine that is on the internet that is noded

    So i have Nodea –Nodeb–Internet –Nodec —Internet—Noded

    NodeC will be the openvpn server and nodeb will be the client. I think i have to bridge nodeb but not sure after that

    Any idea ?

  2. glenn0 Says:

    Hi Z,

    What do you need from this setup? Does Node A need access to the service on Node D’s network? Do you just need access to files on Node D?

    For example, would making Node D a server and Node A a client solve your problem?

  3. Z Says:

    NodeA is connected to nodeB (openvpn-client)—————-NodeC(openvpnserver) that is on the internet and on public ip address.
    NodeD is a machine that is on the internet somewhere.

    I have an application that is running on nodeA and that requires a public ip address. On nodeD i have an application where i have to give nodeA public ip address, so nodeA will communicate with nodeD.

    SO i think i have to do bridging on nodeB and NodeC ?

  4. aMIGA_dUDE Says:

    There is a typo in this document at

    g. Genertate an HMAC Signature
    ‘openvpn –genkey –secret ta.key’

    This should be

    ‘openvpn –-genkey –-secret ta.key’

    The double ‘–‘ is needed in openvpn cli on windows

    Otherwise you will get this error message

    Options error: I’m trying to parse “-genkey” as an –option parameter but I don’t see a leading ‘–‘
    Use –help for more information.

  5. glenn0 Says:

    Z,

    I don’t have any experience bridging with OpenVPN, but provided that Node D was a client to Node C, I would think that it would work, as node A, B and C would be on the one subnet. Perhaps you’d need to bridge D and C too though.

    I may not fully understand your setup/limitations, but it seems to me that making Node D a server and Node A a client would be a simpler solution. Using my setup files, D would be 192.168.10.1 and A would be 192.168.10.2.

  6. glenn0 Says:

    aMIGA_dUDE,

    Thanks for picking up on that. Seems it’s an annoying wordpress rendering issue where multiple dashes get merged into one. I’ve changed it to this:

    Enter (without spaces between the dashes):

    ‘openvpn – -genkey – -secret ta.key’

    thanks again.

  7. Badcam Says:

    I have this set up, I believe, in exactly the same way as your post, except that my Server PC has a static IP of 192.168.1.2 (not 192.168.1.150). I have no problems connecting, but as soon as I do, I lose my internet connection. I notice from the comments in Riley’s blog, that many people are experiencing the same problem, but Riley hasn’t posted a response to those comments. Would you have any suggestions as to where we’re going wrong? Thanks.

  8. glenn0 Says:

    hey badcam. nothing comes to mind straight away, i’ll be able to look into it next week tho.

    in the meantime, there are a couple of things that would help. what are the IP allocations for your server and client. ie, do they get given 192.168.10.1 and 2 by OpenVPN? is section 4j definitely done? and what, if any firewall are you using on the server machine?

    thanks.

  9. Badcam Says:

    glenn0. Thanks for your reply.

    Yes, openVPN allocates those IP addresses. I believe I’ve carried out 4j correctly. I’ve doublechecked with regedit. The only difference with your instructions is the Desktop I’m using for the VPN server has a physical Static IP set of 192.168.1.2 (not 150). I’m just redoing everything again, so perhaps this time all will work well. Could it possibly be because I’m not testing this outside of my LAN? What I’m doing is using the LAN Static IP address of the server 192.168.1.2 and not the DynDNS or or the Routers WAN IP address in the config files. Would that be the reason do you think? I can’t test it externally as at the moment as all my neighbours have good Wifi security and the nearest WIFI hotspot charges a fortune to connect.

    Also, I have mentioned this in a comment in another of your fine posts. But, would you know how I can route the traffic, once I have everything working correctly, via my Proxy Server? It’s an old PIII 800mhz laptop with Ubuntu installed running openSSH. The IP of the linux laptop is 192.168.1.6. I was using putty to connect, and then FoxyProxy in Firefox, but now that I have set up VPN, can I connect using that instead? What do you suggest?

  10. Badcam Says:

    I’ve been through this again and I still can’t connect to the internet. I note that although I have no trouble connecting from my Laptop 192.168.1.3 to the Server 192.168.1.2, if I ping the server from the laptop it times out. Pings in fact don’t respond. The windows firewall is off. I also note that the laptop log has the following errors:

    “Warning: address 192.168.1.1 is not a network address in relation to netmask 255.255.255.0
    Sun Nov 02 20:14:12 2008 ROUTE: route addition failed using CreateIpForwardEntry: The parameter is incorrect. [if_index=2]
    Sun Nov 02 20:14:12 2008 Initialization Sequence Completed”

    The IP addresses automatically assigned to the TAP adaptors are 192.168.10.1 and 192.168.1.3 and the DHCP server is 192.168.1.0 subnet 255.255.255.128

    What do you think?

  11. Ecurb Says:

    Got OpenVPN working. Got stuck for the longest time and ended up trying a different PC on the LAN as the server and it worked (same config file only IP different). Never got UDP working so am using TCP.

    Seemed promising until the need to replace hostnames with IP addresses. I presume this is netbios not working over the VPN (I don’t see other PCs in the network places for example)?

    Does anyone have a solution to get hostname resolution to work so there is no need to hard code IP addresses?

  12. Jon Says:

    Whenever I attempt to submit the information to my routing table for my WRT150N, I am told “Invalid static route!”, and it will not allow me to fix. Any solutions or ideas?

  13. Yusdaniel Rodriguez Says:

    Hi Glenn0…

    I follow this Guide Step by Step, and I have everything working, I have the tunnels created in between the Server and the Client, now My server is a CentOS and when I connect the client to the server, I’m trying to pass all Network Traffic through the Tunnel, but the thing that happens is that I lose the internet completely on the client, of course I’m able to communicate with the server through the tunnel and even transfer files in between them, but not internet traffic, I know that It has to be something with the route or the Routing on CentOS but I don’t know how to make it work, I have the same config that you put here, SAME, so please can you help me to FIX this problem please, I will appreciate that… thanks a lot and please I need help…

    • glenn0 Says:

      Hi Yusdaniel. I unfortunately don’t have any experience with OpenVPN on linux. Are you using Windows for your client? If so maybe have a play with your network settings, like TCP/IP (DNS, IP address). Also, do you have a firewall on CentOS? Could it be blocking access from OpenVPN out to the net?

  14. Florian Says:

    Thx, this article was very helpful for me.
    I must add One Line more in Server config :

    push “route 192.168.3.0 255.255.255.0”

    To reach my Subnet from The Client.
    And i had to Bridge the Client Network adapters.

    But now it works perfect!

    Thx again

  15. 'OpenVPN on DD-WRT: A Secure Connection To Home Networks - » Says:

    […] »lockup.wordpress.com/configure-openvpn/ »openvpn.net/index.php/open-sourc···ecurity »www.howtogeek.com/64433/how-to-i···-router/ […]
