OpenVPN server and client configuration guide

This guide is largely based on the one provided by OpenVPN with a few tweaks to the configuration to increase security.

The hardware used for this guide consisted of a Raspberry Pi 2 Model B as the server and an iPhone 6 as the client.

The server was running Raspbian Jessie as the OS with OpenSSL 1.0.1t and OpenVPN 2.3.4.

The client has the app OpenVPN Connect 1.1.1 installed.

Server side

Log in to the server via SSH.

Install OpenVPN and Easy-RSA by running:

The Easy-RSA files are in /usr/share/easy-rsa; copy them to the OpenVPN directory with:

I suggest using this version of easy-rsa. I tried using the latest version from GitHub, but had trouble getting the configuration to work.

Instantiate the Certificate Authority

Run the following commands to instantiate the local Certificate Authority used to issue certificates to the server and clients. The default key size is 2048 bits, which is suitable for home users, but it can be increased by modifying the line export KEY_SIZE in the file ‘vars’. Use 4096 to put the paranoid at ease.

Follow the instructions on screen; the most important field to fill in is the Common Name.

This creates a new directory called keys where the CA certificate and private key are stored. It will also be the location of the server and client certificates, keys, and certificate signing requests.

Generate the server key and certificate

Run the following command in the shell:

Again, the most important field is the Common Name. You can use “server” or, better yet, the FQDN of the server (if you have one), such as “openvpn.mydomain.com”.

Next, generate the Diffie-Hellman parameters.

This will take some time on the Raspberry Pi, and even longer if you increased the key size from the default. So, take the opportunity and fill up on some coffee.

When this is done, copy the files dh2048.pem (dh4096.pem if you raised KEY_SIZE), ca.crt, server.crt, and server.key from the keys directory to the OpenVPN root directory.

We also want to generate a pre-shared key (ta.key) to increase the security further. This key is included in both the server and client configurations and creates a second line of defence in front of the TLS handshake.

Generate client keys and certificates

The Easy-RSA script is also used to generate client keys and certificates. Run the following commands for each client you want to create credentials for. The keys and certificates are stored in the keys subdirectory.

The <client-name> is a unique name for the client. Take care also to provide a unique Common Name when prompted.

Copy <client-name>.key and <client-name>.crt from the keys subdirectory to the client device, together with ca.crt and ta.key. The contents of these four files will be included in the client configuration file.

Configure server.conf

Use your favourite editor to create the file /etc/openvpn/server.conf and include the following:

Save the server configuration and restart OpenVPN with:

Enable IP Traffic forwarding

Great, we’re almost there. The OpenVPN server is now configured. Raspbian does not forward IP traffic by default, which means traffic to and from the VPN tunnel won’t go anywhere.

Uncomment the line “net.ipv4.ip_forward=1” in /etc/sysctl.conf to allow relaying of packets and save the change. Run the following command to apply the change to the running kernel.

Firewall rules

The firewall rules on the Raspberry Pi server need to be updated to allow the VPN service and to route and NAT the tunnel traffic. The following shell script includes basic firewall (iptables) rules to get things working and can be tweaked for your purpose. Here is another sample script.

Save the file as, e.g., firewall.sh and make it executable.

The iptables rules are not persistent and need to be applied after every restart. An easy fix is to include a line in /etc/rc.local that calls the script on boot.

Client side

OpenVPN Connect client profiles are installed on Apple devices through iTunes. These configurations are stored in a file with the extension .ovpn. In this tutorial the CA certificate, client certificate, client key and ta.key are all embedded inline in the .ovpn file. An example client configuration file, iphone.ovpn, is shown below.
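The all-in-one profile described above, as an added shell helper that is not part of the original guide: it assembles the .ovpn from the four Easy-RSA files and refuses to emit one if any of them is missing, so a forgotten ta.key cannot silently drop the tls-auth layer on the client. The UDP port 1194, the host name vpn.example.com and the file layout are assumptions.

```shell
#!/bin/sh
# Added helper (not from the guide): build an all-in-one OpenVPN Connect
# profile from the Easy-RSA output. Assumptions: UDP port 1194 and the
# Easy-RSA file names (ca.crt, <client>.crt, <client>.key) plus ta.key,
# all in one directory.
# usage: build_ovpn <client-name> <server-host> <keys-dir> > <client-name>.ovpn
build_ovpn() {
    client="$1"; host="$2"; dir="$3"
    # Every credential must exist and be non-empty before a profile is written.
    for f in ca.crt "$client.crt" "$client.key" ta.key; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
    done
    # key-direction 1: the server side of ta.key uses direction 0.
    cat <<EOF
client
dev tun
proto udp
remote $host 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
key-direction 1
verb 3
<ca>
$(cat "$dir/ca.crt")
</ca>
<cert>
$(cat "$dir/$client.crt")
</cert>
<key>
$(cat "$dir/$client.key")
</key>
<tls-auth>
$(cat "$dir/ta.key")
</tls-auth>
EOF
}
# Constructed placeholder files (not real keys) for a stand-alone dry run;
# point build_ovpn at the real keys directory for a usable profile.
make_sample_keys() {
    mkdir -p "$1"
    for f in ca.crt iphone.crt iphone.key ta.key; do
        printf '%s\n' "-----BEGIN SAMPLE $f-----" CONSTRUCTED "-----END SAMPLE $f-----" > "$1/$f"
    done
}
# Run directly with three arguments to write a profile to stdout.
if [ "$#" -eq 3 ]; then build_ovpn "$@"; fi
```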