

Configuring the Server Side OpenVPN Machine

The server side OpenVPN machine is the heart of the VPN. In routed mode, all clients will connect to the OpenVPN server and all communication between clients (if the "client-to-client" option is enabled) is routed by the OpenVPN server, so it's best to have a dedicated, always-up machine to run it on.

Clients need the server side IP address hardcoded in their config files, so it's usually best and easiest to set up a domain name that points to your server side network. (There are many services offering free domain names. You'll also need a dynamic DNS service, such as TZO or DynDNS, if the IP address of your server's WAN connection changes frequently.)

First, we need to create a configuration directory for OpenVPN. Elevate yourself to root and create the directory /etc/openvpn with subdirectories /etc/openvpn/certs and /etc/openvpn/keys.

~ # mkdir /etc/openvpn
~ # mkdir /etc/openvpn/certs /etc/openvpn/keys

Next, copy the server's certificate (server.crt) and the CA's certificate (ca.crt) we created earlier with OpenVPN's easy-rsa into /etc/openvpn/certs. Likewise, copy the server's key (server.key) into /etc/openvpn/keys. The server's key must be kept secret, so lock down the permissions on the key with:

~ # chmod -R 600 /etc/openvpn/keys/

Next, we need to create the Diffie-Hellman parameters that OpenVPN uses to agree on the symmetric session keys. After creation, copy the DH parameters (dh2048.pem) to /etc/openvpn.

~ $ openssl dhparam -out dh2048.pem 2048

One of the great features of OpenVPN is the ability to "push" specific configurations to individual clients. This allows you to set up a very powerful and flexible VPN network with multiple types of clients all connecting back to one central server.

This is accomplished by setting up a client configuration directory on the OpenVPN server that contains short configuration files for each client that connects to the server. When a client connects, the server looks for the configuration file with the same common name as the client's certificate and executes any configuration parameters in that file.

Create the directory /etc/openvpn/client-configs and in it, create a file with the same common name as the client network (remote_office in this example).

~ # mkdir /etc/openvpn/client-configs
~ # touch /etc/openvpn/client-configs/remote_office

Open up remote_office with your favorite text editor and enter the following configuration:

push "route vpn_gateway"

The iroute directive sets an internal route on the OpenVPN server, so it knows to route all traffic bound for the network through the remote_office client. Pushing the route advertises the server's network to the client.
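As an added example (not the article's own code), here is a small Python audit of a client-config directory: it parses iroute and push lines from each per-common-name file the way the server reads them, and flags a subnet that two client files both claim, since the server can only route a given network through one client. The CCD contents and subnets are constructed for the demonstration.

```python
import ipaddress
import os
import shlex
import tempfile

# Constructed sample client-config-dir contents (not from the article): one file
# per client, named after the common name in that client's certificate.
SAMPLE_CCD = {
    "remote_office": 'iroute 192.168.10.0 255.255.255.0\n'
                     'push "route 192.168.1.0 255.255.255.0 vpn_gateway"\n',
    "branch_two": '# claims the same LAN as remote_office: a misconfiguration\n'
                  'iroute 192.168.10.0 255.255.255.0\n',
    "laptop": 'push "redirect-gateway def1"\n',
}

def parse_ccd(text):
    """Return (iroute networks, pushed option strings) from one CCD file."""
    iroutes, pushes = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = shlex.split(line)
        if parts[0] == "iroute" and len(parts) >= 2:
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"  # host route default
            iroutes.append(ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False))
        elif parts[0] == "push" and len(parts) == 2:
            pushes.append(parts[1])
    return iroutes, pushes

def audit_ccd_dir(path):
    """Flag any subnet that more than one client file claims via iroute."""
    findings, claimed = [], []  # claimed: (client name, network) pairs seen so far
    for name in sorted(os.listdir(path)):
        with open(os.path.join(path, name)) as fh:
            iroutes, _pushes = parse_ccd(fh.read())
        for net in iroutes:
            for other, other_net in claimed:
                if net.overlaps(other_net):
                    findings.append(f"{name}: iroute {net} overlaps {other} ({other_net})")
            claimed.append((name, net))
    return findings

def demo_audit():
    # Write the constructed samples into a temporary directory and audit it.
    with tempfile.TemporaryDirectory() as ccd_dir:
        for name, body in SAMPLE_CCD.items():
            with open(os.path.join(ccd_dir, name), "w") as fh:
                fh.write(body)
        return audit_ccd_dir(ccd_dir)
```

Run the same audit against /etc/openvpn/client-configs on the server before restarting OpenVPN after adding a client.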

Note: Another handy option to push to clients is the redirect-gateway option. This redirects all the client's traffic through the VPN, which can be a great way to surf the Internet safely from an insecure wireless hot spot.

Finally, we need to edit the OpenVPN config file. OpenVPN ships with a collection of good example config files (found in ~/openvpn-2.0.9/sample-config-files) that are very well documented starting points. The man page is also very well written and contains loads of useful information.

For this example, the OpenVPN server's config file (server.conf) looks like this.

Note: If you plan to have multiple clients connecting to the OpenVPN server, you can allow them to "see" each other using the "client-to-client" option. Otherwise, clients will only be able to see the server.

Configuring the Server Side Router

In order to route traffic from the server-side network through OpenVPN to the client, the machines on the server's network need to know how to reach the client. So we need to add a route to the server-side router to route all traffic bound for the client subnet ( to the OpenVPN machine (

On the DGL-4300, this is found under Advanced > Routing (Figure 3).

Figure 3: Adding a Route to the Server-side Router

Now we can start up the OpenVPN server:

~ # openvpn --config /etc/openvpn/server.conf
