OpenVPN is an SSL VPN solution that implements a secure network at OSI layer 2 or layer 3 using the industry-standard SSL/TLS protocol, and covers a wide range of configurations. OpenVPN supports clients running Windows, Linux, FreeBSD, OpenBSD, macOS, iOS and Android.
It supports flexible client authentication methods based on certificates, smart cards and/or username and password credentials, and allows access control policies for users or groups to be enforced with firewall rules applied to the VPN's virtual interface.
The general principles, together with the steps required to create a VPN connection using OpenVPN, are set out below; links to sample guides for configuring and implementing it on Windows Server 2019 and Ubuntu 20.04 are provided at the end.
Configuring a VPN often involves connecting private subnets located at different sites. IANA (the Internet Assigned Numbers Authority) has reserved the following three blocks of IP address space for private internets (codified in RFC 1918):
- 10.0.0.0 – 10.255.255.255 (prefix 10/8)
- 172.16.0.0 – 172.31.255.255 (prefix 172.16/12)
- 192.168.0.0 – 192.168.255.255 (prefix 192.168/16)
It is important to choose addresses that minimise, as far as possible, the probability of conflicting IP addresses or subnets. Certain aspects of the server's network configuration must be adjusted so that traffic is routed through the VPN correctly:
- IP forwarding: the capability of an operating system to accept incoming network packets on one interface, recognise that they are not addressed to the system itself but to another network, and forward them accordingly;
- firewall configuration, performed on the virtual machine that acts as the remote access VPN server, which must allow:
- the SSH port;
- the ports used by the VPN solution (for example, UDP/1194, the default for OpenVPN);
It is also important to ensure that the servers in the virtual data center network that clients will reach through the VPN route their return traffic to the VPN server. One solution is to implement one-to-many NAT for connected clients on the VPN server.
The first step in creating an OpenVPN configuration is to set up a PKI (public key infrastructure). A PKI is made up of:
- a separate certificate (also known as a public key) and private key for the server and for each client;
- a certificate and key for the master certificate authority (CA), used to sign each server and client certificate.
OpenVPN supports bidirectional authentication based on certificates, meaning that the client must authenticate the server certificate and the server must authenticate the client certificate. OpenVPN suggests managing the PKI using easy-rsa, a CLI (command-line interface) for creating and managing a CA and its PKI. The steps required to configure your own certificate authority and to generate certificates and keys can be found in the OpenVPN documentation.
By default the OpenVPN server accepts client connections on port 1194 over UDP. If the client sits in a restrictive network environment and a different port has to be used, the port and protocol options can be changed. Port 1194 is the official port number assigned to OpenVPN by IANA, but any port number between 1 and 65535 will work, as long as it is not already in use on the server. Port 443 is the most popular alternative, as it is normally permitted by firewall rules.
Configuration details are stored in the server.conf file, which contains information such as the IP address and port on which the server listens, the list of ciphers the service accepts, the server certificate, and so on.
As a starting point for your configuration, we recommend using sample OpenVPN configuration files, which can be found in:
- the sample-config-files directory of the OpenVPN source distribution
- the sample-config-files directory located in /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn if installed from an RPM or DEB package
- Start Menu > All Programs > OpenVPN > OpenVPN Sample Configuration Files on Windows
If you use the OpenVPN sample configuration files, the VPN will be created using a TUN (routed mode) virtual network interface that listens for client connections on UDP port 1194 and assigns virtual addresses to connecting clients from the subnet 10.8.0.0/24. This behaviour can be changed by editing the parameters of the files found in the directories described above.
Before using the sample configuration files, the ca, cert, key and dh (Diffie-Hellman) parameters must be changed so that they point to the files generated in the PKI section. The server configuration file is then ready for use.
The next steps relate to configuring the client: generating its certificate and key pair, and creating the client configuration file.
The final step is the client configuration file, which mirrors the directives set in the server configuration file:
- As with the server configuration file, first change the ca, cert, key and dh parameters so that they point to the files already generated. Note that each client should have its own certificate/key pair; the ca file is the only one shared by the OpenVPN server and all clients.
- Edit the remote directive to point to the host name or IP address and port number of the OpenVPN server: use the public IP address that is NATed to the VPN server.
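As an added example (not OpenVPN's own code) covering both the server and the client configuration steps above, the following Python checker parses OpenVPN's line-oriented config syntax, verifies that the ca/cert/key/dh directives point at files the PKI step produced, that the required directives and a valid port are present, and that the client's remote directive matches the server's port and protocol. The file names, host name and PEM fragment in the sample pair are constructed; `exists` is injectable so the checks run without a real PKI on disk.

```python
import os

FILE_DIRECTIVES = {"ca", "cert", "key", "dh"}   # must point at easy-rsa output
SERVER_REQUIRED = {"port", "proto", "dev", "ca", "cert", "key", "dh", "server"}
CLIENT_REQUIRED = {"client", "remote", "dev", "ca", "cert", "key"}

# Constructed sample pair: the server keeps the sample-config-files defaults,
# the client carries its CA inline and was edited to connect on port 443.
SAMPLE_SERVER = ("port 1194\nproto udp\ndev tun\nca ca.crt\ncert server.crt\n"
                 "key server.key\ndh dh2048.pem\nserver 10.8.0.0 255.255.255.0\n")
SAMPLE_CLIENT = ("client\ndev tun\nremote vpn.example.org 443 udp\n<ca>\n"
                 "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
                 "</ca>\ncert client1.crt\nkey client1.key\n")

def parse_config(text):
    """{directive: [args]}; '#'/';' start comments, <tag>..</tag> = inline PEM, [] args."""
    directives, inline = {}, None
    for line in map(str.strip, text.splitlines()):
        if inline:                                    # still inside a PEM body
            inline = None if line == f"</{inline}>" else inline
        elif line and line[0] not in "#;":
            if line[0] == "<" and line[-1] == ">":    # opening tag such as <ca>
                inline = line[1:-1]
            name, *args = line.strip("<>").split()
            directives[name] = args
    return directives

def lint(text, role, exists=os.path.isfile):
    """Problems in one 'server'/'client' config; `exists` is injectable for tests."""
    cfg = parse_config(text)
    required = SERVER_REQUIRED if role == "server" else CLIENT_REQUIRED
    problems = [f"missing directive: {d}" for d in sorted(required - set(cfg))]
    for d in sorted(FILE_DIRECTIVES & set(cfg)):
        if cfg[d] and not exists(cfg[d][0]):         # inline <ca> has no path
            problems.append(f"{d} points to a missing file: {cfg[d][0]}")
    port = (cfg.get("port") or ["1194"])[0]
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append(f"port out of range: {port}")
    return problems

def check_pair(server_text, client_text):
    """Mismatches between the client's `remote host [port] [proto]` and the
    server's port/proto (udp6 or tcp-client still count as udp/tcp)."""
    srv, cli = parse_config(server_text), parse_config(client_text)
    remote = cli.get("remote", [])
    cli_port = remote[1] if len(remote) > 1 else "1194"
    cli_proto = remote[2] if len(remote) > 2 else (cli.get("proto") or ["udp"])[0]
    pairs = (("port", cli_port, (srv.get("port") or ["1194"])[0]),
             ("proto", cli_proto[:3], (srv.get("proto") or ["udp"])[0][:3]))
    return [f"client {k} {c} != server {k} {s}" for k, c, s in pairs if c != s]
```

Running `check_pair(SAMPLE_SERVER, SAMPLE_CLIENT)` reports the port mismatch (443 against 1194) that the remote-directive step above is meant to catch.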
Examples of how to make a VPN connection with OpenVPN: