OpenVPN, or Open Virtual Private Network, is a tool for creating networking tunnels between and among groups of computers that are not on the same local network. This is useful if you want to remotely access services on a local network without making them publicly accessible. By integrating with OpenSSL, OpenVPN can encrypt all VPN traffic to provide a secure connection between machines.
Before installing OpenVPN, we assume that you have followed our Getting Started Guide. If you're new to Linux server administration you may be interested in our Using Linux document series, including the Beginner's Guide and Administration Basics Guide. If you're concerned about securing on your Linode, you might be interested in our Security Basics article as well.
For many private networking tasks, we suggest that you consider the functions of the OpenSSH package which can provide easier VPN and VPN-like services. OpenSSH is also installed and configured by default on all Linodes. For example, see Using SSHFS on Linux and MacOS X or our guide on Setting up an SSH Tunnel for more information. Nevertheless, if your deployment requires a more traditional VPN solution like OpenVPN, this document covers the installation and configuration of the OpenVPN software.
Once configured, the OpenVPN server encrypts traffic between your local computer and your Linode's local network. While all other traffic is handled in the conventional manner, the VPN allows traffic on non-public interfaces to be securely passed through your Linode. This means you can connect to the local area network in your Linode's data center. Using OpenVPN in this manner is supported by the default configuration.
With the additional configuration we will set up at the end of this guide, all traffic coming from your local computer can be tunneled through the VPN server. This can be used to circumvent local traffic restrictions, or to mask the traffic coming from your computer.
Please note that only one public IP address is required to use OpenVPN.
Follow these instructions to install OpenVPN:
Update your package repositories with the following command:
Update your installed programs:
Install the OpenVPN software with the following command:
apt-get install openvpn
The OpenVPN package provides a set of encryption-related tools called easy-rsa. These scripts are located by default in the /usr/share/doc/openvpn/examples/easy-rsa/ directory. In order for OpenVPN to function properly, these scripts should be located in the /etc/openvpn/ directory. Copy these files with the following command:
cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
Most of the relevant configuration for the OpenVPN public key infrastructure is contained in /etc/openvpn/easy-rsa/2.0/. We will create several files in this directory used to define the OpenVPN server and client security.
In this section, you will initialize the certificate authority and the public key infrastructure:
Move into the /etc/openvpn/easy-rsa/2.0/ directory:
Create a symbolic link from openssl-1.0.0.cnf to openssl.cnf:
ln -s openssl-1.0.0.cnf openssl.cnf
Execute the vars script:
This will return "NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys"
Execute the clean-all script.
Execute the build-ca script. At each prompt, fill out the information to be used in your certificate.
After doing this, your PKI should be configured properly.
With the certificate authority generated, you can generate the private key for the server and certificates for all the VPN clients.
Create the key with the following command:
. /etc/openvpn/easy-rsa/2.0/build-key-server server
You will be prompted for additional information. Change the default values as necessary. By default, the Common Name for this key will be server. The challenge password and company names are optional and can be left blank.
When you've completed the question section, answer yes to both prompts: one to sign the certificate, and one to commit the certificate request.
With the private keys generated, create certificates for all of your VPN clients. Issue the following command:
. /etc/openvpn/easy-rsa/2.0/build-key client1
Repeat the previous step for each client, replacing client1 with an appropriate identifier.
You should generate a unique key for every user of the VPN. Each key should have its own unique identifier, but all other information can remain the same. If you need to add users to your OpenVPN at any time, repeat step 4 to create additional keys.
The Diffie Hellman Parameters govern the method of key exchange used by the OpenVPN server. By creating a .pem file, you create the parameters by which the OpenVPN server will initiate secured connections with the clients.
Issue the following command to generate the .pem file:
This should produce the following output:
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
This will be followed by a quantity of seemingly random output. Once it brings you back to a command prompt, the task has succeeded. In the keys subdirectory it has created a file called dh1024.pem, which will be used to generate secure connections to the VPN server's clients.
Move all of the secure keys to their proper locations by following these instructions:
The /etc/openvpn/easy-rsa/2.0/keys/ directory contains all of the keys and certificates for the server and its clients generated using the easy-rsa tools. Copy the following certificate and key files to the remote client machines, using scp or another means of transferring:
Transfer these keys with the utmost attention to security. Anyone who has the key or is able to intercept an unencrypted copy of the key will be able to gain full access to your virtual private network. Typically we recommend that you encrypt the keys for transfer, either by using a protocol like SSH, or by encrypting them with the PGP tool.
On your server, change to the /etc/openvpn/easy-rsa/2.0/keys directory:
Copy the keys to the /etc/openvpn directory of the server so the OpenVPN server process can access them:
cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn
Keeping control of these files is of the utmost importance to the integrity of your server. If you ever need to move or back up these keys, ensure that they're encrypted and secured. If these files become compromised, they must be recreated along with all client keys.
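The following helper script is an added example, not part of the original guide: it audits the easy-rsa keys directory for private keys readable by anyone other than their owner, locks them down, and builds a per-client bundle (ca.crt plus the client's .crt and .key, never ca.key) in an owner-only directory ready for scp. The directory paths in the usage comments are the guide's; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): audit and package keys
# produced by easy-rsa before anything is copied off the server.

# Print each *.key file whose group/other permission bits are not all
# cleared ("-rw-------" has "------" in columns 5-10 of ls -l output).
# Returns 0 when every key is owner-only, 1 otherwise.
audit_key_perms() {
    dir="$1"
    bad=0
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue
        rest=$(ls -ld "$f" | cut -c5-10)
        if [ "$rest" != "------" ]; then
            echo "WARNING: $f is readable by group/others ($(ls -ld "$f" | cut -c1-10))"
            bad=1
        fi
    done
    return $bad
}

# Restrict every private key in the directory to its owner (chmod 600).
# The CA key (ca.key) in particular must never leave the server.
lock_keys() {
    chmod 600 "$1"/*.key
}

# Build the bundle for one client in a fresh owner-only directory.
# Usage: bundle_client /etc/openvpn/easy-rsa/2.0/keys client1 /root/bundles
# Prints the bundle path; returns 1 if any expected file is missing.
bundle_client() {
    keys="$1"; client="$2"; out="$3/$client"
    # umask in a subshell so the restrictive mask does not leak out
    ( umask 077 && mkdir -p "$out" &&
      cp "$keys/ca.crt" "$keys/$client.crt" "$keys/$client.key" "$out"/ ) || return 1
    chmod 600 "$out"/*
    echo "$out"
}
```

Run audit_key_perms against /etc/openvpn/easy-rsa/2.0/keys before every transfer; a warning there means the key should be treated as exposed on that host.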
If you need to remove a user's access to the VPN server, follow these instructions:
Run the vars script. Note that for this script to function properly your working (current) directory must be /etc/openvpn/easy-rsa/2.0/
Run the revoke-full script, substituting client1 with the name of the certificate you want to revoke:
. /etc/openvpn/easy-rsa/2.0/revoke-full client1
This will revoke the ability of all users using the client1 certificate to access the VPN. Make sure you don't accidentally revoke access for someone who still needs it, and who uses that certificate.
In this section, you'll create two important configuration files. One is for the server and defines the scope and settings for the VPN. The other is for your local computer, and defines the settings you will pass on to your VPN client. For each client connecting to the VPN you will need to generate a separate configuration file.
Configure your server file. There's an example file in /usr/share/doc/openvpn/examples/sample-config-files which you'll use as a starting point. First, move to the /usr/share/doc/openvpn/examples/sample-config-files directory:
Unarchive the file:
gunzip -d server.conf.gz
Copy it to the /etc/openvpn/ directory:
cp server.conf /etc/openvpn/
Copy the client.conf file to your home directory:
cp client.conf ~/
Move to your home directory:
Open your ~/client.conf file for editing, and update the remote line to reflect the OpenVPN server's name:
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote example.com 1194
In the same file, client.conf, edit the cert and key lines to reflect the name of your key. In this example we use client1 for the file name.
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client1.crt
key client1.key
Copy the ~/client.conf file to your client system.
Repeat the entire key generation and distribution process for every user and every key that will connect to your network.
To start the OpenVPN server, run the following command:
service openvpn start
This will scan the /etc/openvpn directory on the server for files with a .conf extension. For every file that it finds, it will create and run a VPN daemon (server).
The process for connecting to the VPN varies depending on the specific operating system and distribution running on the client machine. You will need to install the right OpenVPN package for your client operating system.
Most network management tools provide some facility for managing connections to a VPN. Configure connections to your OpenVPN through the same interface where you might configure wireless or ethernet connections. If you choose to install and manage OpenVPN manually, you will need to place the client1.conf file and the requisite certificate files in the local machine's /etc/openvpn directory, or equivalent location.
If you use OS X on a Mac, we have found that the Tunnelblick tool provides an easy method for managing OpenVPN connections. If you use Windows, the OpenVPN GUI tool may be an effective tool for managing your connections too. Linux desktop users can install the OpenVPN package and use the network management tools that come with the desktop environment.
Here we will go through installing Tunnelblick on OS X:
Download the latest version of Tunnelblick. After opening the dmg file, you can drag it into Applications or open it immediately and it will copy itself.
After starting, you will see this splash screen:
At the next screen, click OpenVPN Configuration(s):
Tunnelblick will open a Finder window into which you can copy the client.conf and client1 ca, crt, and key files you created on the Linode and copied to this client machine. Follow the rest of the instructions shown in Tunnelblick to create and install your Tunnelblick configuration file.
If you are using Tunnelblick, click on the tray icon to initiate the connection:
A notification will show you the status as it connects:
Once you're connected to your VPN, you can SSH to another Linode over the private network. If you want to access files directly from your Linode, you will need to install a compatible network file sharing protocol, like Samba, NFS, or Appletalk.
By deploying the following configuration, you will be able to forward all traffic from client machines through your Linode, and encrypt it with transport layer security (TLS/SSL) between the client machine and the Linode.
Uncomment the following parameter in the /etc/openvpn/server.conf file by removing the semicolon, to enable full tunneling:
push "redirect-gateway def1 bypass-dhcp"
Edit the /etc/sysctl.conf file to uncomment or add the following line to ensure that your system can forward IPv4 traffic:
Issue the following command to set this variable for the current session:
echo 1 > /proc/sys/net/ipv4/ip_forward
Issue the following set of commands, one line at a time, to configure iptables to properly forward traffic through the VPN:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT
Add the same iptables rules to your system's /etc/rc.local file, so they will be recreated following your next reboot cycle:
#!/bin/sh -e
#
# [...]
#
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT
exit 0
This will enable all client traffic except for DNS queries to be forwarded through the VPN.
To forward DNS traffic through the VPN, you will need to install the dnsmasq package and modify the /etc/openvpn/server.conf file. Install and configure the dnsmasq package with the following command:
apt-get install dnsmasq && dpkg-reconfigure resolvconf
If you are using Debian 7, replace this command with apt-get install dnsmasq resolvconf and skip steps 7 through 9.
You will be presented with a series of options in an ncurses menu. First, choose yes to prepare /etc/resolv.conf for dynamic updates.
At the next option select No. This means that you will need to update /etc/network/interfaces but won't need to remove the workaround afterwards.
The third menu simply warns you that a reboot will be required to prevent a known bug.
Modify its configuration so that dnsmasq is not listening on a public interface. Open /etc/dnsmasq.conf for editing, and make sure the following lines are uncommented and have the appropriate values:
File excerpt: /etc/dnsmasq.conf
listen-address=127.0.0.1,10.8.0.1
bind-interfaces
This will configure dnsmasq to listen on localhost and the gateway IP address of your OpenVPN's tun device.
Now that dnsmasq is configured, you will need to add two new lines to /etc/network/interfaces. First, go to the Linode's Remote Access page, shown below. You'll need the IP addresses listed under DNS Resolvers for the dns-nameservers line:
Open the interfaces file and insert the addresses listed under DNS Resolvers:
File excerpt: /etc/network/interfaces
# The primary network interface
auto eth0
iface eth0 inet dhcp
dns-search members.linode.com
dns-nameservers 188.8.131.52 184.108.40.206 220.127.116.11
If you're not utilizing IPv6, you can omit the addresses starting with 2600:
When your system boots, dnsmasq will try to start before the OpenVPN tun device has been enabled. This will cause dnsmasq to fail at boot. To rectify this, modify your /etc/rc.local file to add a line that will restart dnsmasq after all the init scripts have finished. You should place the restart command after your iptables rules:
File excerpt: /etc/rc.local
/etc/init.d/dnsmasq restart
exit 0
Add the following line to the /etc/openvpn/server.conf file:
File excerpt: /etc/openvpn/server.conf
push "dhcp-option DNS 10.8.0.1"
Restart the Linode:
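Before rebooting, a read-only check that every piece of the full-tunnel procedure above is in place saves a round trip. This script is an added example, not part of the original guide; it takes the file paths as arguments so it can be pointed at /etc/openvpn/server.conf, /etc/dnsmasq.conf and /proc/sys/net/ipv4/ip_forward on the Linode or at test copies, and it assumes the guide's 10.8.0.1 tun gateway. It also checks for OpenVPN's crl-verify directive, which the revocation section above does not mention: without it the server never consults the CRL that revoke-full writes, so revoked clients can still connect.

```shell
#!/bin/sh
# Added example (not from the original guide): verify the full-tunnel
# configuration without changing anything. Assumes the VPN gateway is
# 10.8.0.1 as in the guide's examples.

# True if an uncommented line in file $1 starts with directive $2
# (lines beginning with ';' or '#' are the commented-out samples).
has_directive() {
    grep -Eq "^[[:space:]]*$2" "$1" 2>/dev/null
}

# Print one line per problem; return the number of problems found
# (0 means every checked setting is present and active).
check_full_tunnel() {
    server_conf="$1"; dnsmasq_conf="$2"; ip_forward_file="$3"
    problems=0
    # 1. Clients must be told to route all traffic through the tunnel.
    has_directive "$server_conf" 'push "redirect-gateway def1' ||
        { echo "server.conf: redirect-gateway push missing or commented out"; problems=$((problems+1)); }
    # 2. Clients must be handed the VPN-side resolver, otherwise DNS
    #    queries leave through the client's local network.
    has_directive "$server_conf" 'push "dhcp-option DNS 10.8.0.1"' ||
        { echo "server.conf: dhcp-option DNS push is missing"; problems=$((problems+1)); }
    # 3. Revocations only take effect if the server consults the CRL
    #    (crl-verify is not covered by the guide; see lead-in).
    has_directive "$server_conf" 'crl-verify' ||
        { echo "server.conf: crl-verify missing; revoked clients still connect"; problems=$((problems+1)); }
    # 4. The kernel must actually forward packets between interfaces.
    [ "$(cat "$ip_forward_file" 2>/dev/null)" = "1" ] ||
        { echo "ip_forward is not 1: forwarding is disabled"; problems=$((problems+1)); }
    # 5. dnsmasq must listen on localhost and the tun gateway only;
    #    without bind-interfaces it would also answer on the public IP.
    has_directive "$dnsmasq_conf" 'listen-address=127.0.0.1,10.8.0.1' ||
        { echo "dnsmasq.conf: listen-address is not 127.0.0.1,10.8.0.1"; problems=$((problems+1)); }
    has_directive "$dnsmasq_conf" 'bind-interfaces' ||
        { echo "dnsmasq.conf: bind-interfaces is missing"; problems=$((problems+1)); }
    return $problems
}
```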
To test your connection, connect to the VPN from your local machine, then access one of the many websites that will display your public IP address. If the IP address displayed doesn't match the IP address of your Linode, your traffic is not being routed through your Linode or encrypted by the VPN. If the IP matches, network traffic from your local machine is being routed through your Linode and encrypted over the VPN, and you have successfully completed your OpenVPN setup!
You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.
This guide is licensed under a Creative Commons Attribution-NoDerivs 3.0 United States License.
Last edited by Alex Fornuto on Monday, February 17th, 2014 (r4261).