Configuring the Server Side OpenVPN Machine

The server side OpenVPN machine is the heart of the VPN. In routed mode, all clients will connect to the OpenVPN server and all communication between clients (if the "client-to-client" option is enabled) is routed by the OpenVPN server, so it's best to have a dedicated, always-up machine to run it on.

Clients need the server side IP address hardcoded in their config files, so it's usually best and easiest to set up a domain name to point to your server side network. (There are many free services out there for free domain names. You'll also need a dynamic DNS service, such as TZO or DynDNS, if the IP address of your server's WAN connection changes frequently.)

First, we need to create a configuration directory for OpenVPN. Elevate yourself to root and create the directory /etc/openvpn with subdirectories /etc/openvpn/certs and /etc/openvpn/keys.

~ # mkdir /etc/openvpn
~ # mkdir /etc/openvpn/certs /etc/openvpn/keys

Next, copy the server's certificate (server.crt) and the CA's certificate (ca.crt) we created earlier with OpenVPN's easy-rsa into /etc/openvpn/certs. Likewise, copy the server's key (server.key) into /etc/openvpn/keys. The server's key should be kept secret, lock down the permissions on the key with:

~ # chmod -R 600 /etc/openvpn/keys/

Next, we need to create the Diffie-Hellman parameters for symmetric key agreement and exchange. After creation, copy the DH parameters (dh2048.pem) to /etc/openvpn.

~ $ openssl dhparam -out dh2048.pem 2048

One of the great features of OpenVPN is the ability to "push" specific configurations to individual clients. This allows you to set up a very powerful and flexable VPN network with multiple types of clients all connecting back to one central server.

This is accomplished by setting up a client configuration directory on the OpenVPN server that contains short configuration files for each client that connects to the server. When a client connects, the server looks for the configuration file with the same common name as the client's certificate and executes any configuration parameters in that file.

Create the directory /etc/openvpn/client-configs and in it, create a file with the same common name as the client network (remote_office in this example).

~ # mkdir /etc/openvpn/client-configs
~ # touch /etc/openvpn/client-configs/remote_office

Open up remote_office with your favorite text editor and enter the following configuration:

iroute 192.168.1.0 255.255.255.0
push "route 10.1.1.0 255.255.255.0 vpn_gateway"

The iroute directive sets an internal route on the OpenVPN server, so it knows to route all traffic bound for the network 192.168.1.0/24 through the remote_office client. Pushing the route 10.1.1.0/24 allows the client advertises the server's network to the client.

Note: Another handy option to push to clients is the redirect-gateway option. This redirects all the client's traffic though the VPN which can be a great way to surf the Internet safely from an insecure wireless hot spot.

Finally, we need to edit the OpenVPN config file. OpenVPN ships with a collection of good example config files (found in ~/openvpn-2.0.9/sample-config-files) that are very well documented starting points. The man page is also very well written and contains loads of useful information.

For this example, the OpenVPN server's config file (server.conf) looks like this.

Note: If you plan of have multiple clients connecting to the OpenVPN server, you can allow them to "see" each other using the "client-to-client" option. Otherwise, clients will only be able to see the server.

Configuring the Server Side Router

In order to route traffic from the server-side network through OpenVPN to the client, the machines on the server's network need to know how to reach the client. So we need to add a route to the server-side router to route all traffic bound for the client subnet (192.168.1.0/24) to the OpenVPN machine (10.1.1.2).

On the DGL-4300, this is found under Advanced > Routing (Figure 3).

Figure 3: Adding a Route to the Server-side Router

Now we can start up the OpenVPN server:

 ~ # openvpn --config /etc/openvpn/server.conf

Tags: IPsec, OpenVPN, VPN,

Related Articles: