OpenVPN is an open-source virtual private network (VPN) solution that builds an encrypted, authenticated tunnel between a client and a server, or between two networks. It lets you reach remote networks securely and protects traffic from eavesdropping on the path in between. In this article, we’ll take a step-by-step approach to configuring OpenVPN on your system.
Install and Set up OpenVPN
Install OpenVPN: The first step in configuring OpenVPN is to install it on your system. On Windows systems, you can download the OpenVPN client from the official website and follow the installation instructions. On Linux and macOS systems, you can use your system’s package manager to install OpenVPN. For example, on a Debian-based system, you can use the following command to install OpenVPN:
sudo apt-get install openvpn
Obtain a Configuration File: OpenVPN requires a configuration file to connect to a VPN server. You can obtain the configuration file from your VPN provider or create your own. The configuration file contains information such as the VPN server’s address, the encryption methods used, and other settings.
Start OpenVPN: Once you have obtained a configuration file, you can use it to start OpenVPN. On Windows, you can start OpenVPN by clicking the OpenVPN GUI icon in the system tray. On Linux and macOS, you can start OpenVPN using the following command:
sudo openvpn --config /path/to/config.ovpn
In this command, replace /path/to/config.ovpn with the path to your configuration file. File names inside the configuration such as ca.crt are resolved relative to the current working directory (or the directory given with --cd), so run the command from the directory that holds the certificates or use absolute paths. OpenVPN needs root (sudo) to create the tun interface and add routes.
Here’s a sample OpenVPN configuration file (config.ovpn) that you can use as a starting point for your own configuration:
client
dev tun
proto udp
remote VPN_SERVER_ADDRESS 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
tls-client
tls-auth ta.key 1
comp-lzo
verb 3
This sample configuration uses UDP, connects to the VPN server at VPN_SERVER_ADDRESS on port 1194, and authenticates with a client certificate and private key. The traffic is protected by the data-channel cipher negotiated over TLS; comp-lzo is compression, not encryption. The options in detail:
The resolv-retry option is set to infinite so the client keeps retrying when the server’s hostname cannot be resolved, for example while the network is still coming up.
The nobind option stops the client from binding a fixed local address and port; an ephemeral source port is used instead.
The persist-key and persist-tun options keep the key material in memory and the tun device open across restarts (SIGUSR1 or ping-restart), so a reconnect neither re-reads the key files nor tears down the interface. This is what allows OpenVPN to drop privileges with user/group after start-up and still reconnect.
The ca option gives the path to the certificate authority (CA) certificate used to verify the server, while cert and key give the paths to the client certificate and its private key. Keep the private key readable only by root (chmod 600).
The tls-client option makes this side the TLS client; client already implies it, so it is redundant here.
The tls-auth option adds an HMAC signature to every control-channel packet using the shared secret in ta.key; packets without a valid HMAC are discarded before any TLS processing, which blunts denial-of-service attacks and hides the service from port scans. The trailing 1 is the key direction and must be 0 on the server. Newer deployments prefer tls-crypt, which also encrypts the control channel.
The comp-lzo option enables LZO compression. It is deprecated (OpenVPN 2.5 and later warn about it), and compressing traffic before encryption exposes it to the VORACLE compression-oracle attack, so drop it unless the server insists on it.
The verb option sets the log verbosity; 3 is the usual level for normal operation and is detailed enough for most debugging.
Note what the sample does not contain: remote-cert-tls server. Without it, any certificate issued by the same CA, including another client’s, is accepted as the server’s, so a malicious client could impersonate the server. Add it to every client configuration and, where possible, pin the server’s name with verify-x509-name.
Note that this is only a sample and you’ll need to modify it to match your setup. In particular, replace VPN_SERVER_ADDRESS with the address or hostname of your VPN server, and make sure the paths to ca.crt, client.crt, client.key and ta.key are correct (relative paths are resolved from the working directory). Read the OpenVPN manual page for every option you use, and have the resulting configuration reviewed by whoever is responsible for your network’s security before relying on it.
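As an added example (not code from the original article), the script below audits a client configuration for the weak directives discussed above and runs that audit against the article’s sample and against a hardened rewrite of it. The hostname vpn.example.com, the certificate and key file names and the severity labels are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original article: audit an OpenVPN client
# config for the weak directives discussed above, run against the article's
# sample config and against a hardened version of it. The server name
# vpn.example.com and the certificate/key file names are assumptions.

# Print one finding per line ("LEVEL: message"); return 1 if any were found.
audit_ovpn_config() {
    cfg="$1"
    rc=0
    # Compression of encrypted traffic is an oracle (VORACLE); comp-lzo is
    # also deprecated since OpenVPN 2.5.
    if grep -Eq '^[[:space:]]*(comp-lzo|compress)' "$cfg"; then
        echo "HIGH: compression enabled (comp-lzo/compress); remove it"
        rc=1
    fi
    # Without this, any certificate issued by the same CA (e.g. another
    # client's) is accepted as the server: trivial man-in-the-middle.
    if ! grep -Eq '^[[:space:]]*remote-cert-tls[[:space:]]+server' "$cfg"; then
        echo "HIGH: missing 'remote-cert-tls server'; another client's cert could pose as the server"
        rc=1
    fi
    if grep -Eq '^[[:space:]]*ns-cert-type' "$cfg"; then
        echo "MED: ns-cert-type is deprecated; use remote-cert-tls server"
        rc=1
    fi
    # 64-bit block ciphers are broken by SWEET32; BF-CBC was the old default.
    if grep -Eq '^[[:space:]]*cipher[[:space:]]+(BF-CBC|DES|CAST5)' "$cfg"; then
        echo "HIGH: 64-bit block cipher; use AES-GCM via data-ciphers"
        rc=1
    fi
    if ! grep -Eq '^[[:space:]]*tls-version-min[[:space:]]+1\.[23]' "$cfg"; then
        echo "MED: no 'tls-version-min 1.2' (or higher)"
        rc=1
    fi
    # tls-auth only authenticates the control channel; tls-crypt also
    # encrypts it, hiding certificates and handshake metadata.
    if grep -Eq '^[[:space:]]*tls-auth' "$cfg"; then
        echo "LOW: tls-auth in use; prefer tls-crypt (needs a matching server change)"
        rc=1
    fi
    return $rc
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Copy of the article's sample config (constructed input for the audit).
cat > "$workdir/weak.ovpn" <<'EOF'
client
dev tun
proto udp
remote VPN_SERVER_ADDRESS 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
tls-client
tls-auth ta.key 1
comp-lzo
verb 3
EOF

# Hardened version of the same config (OpenVPN 2.5 or later).
cat > "$workdir/hardened.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
# only accept a server certificate with the TLS server EKU, and pin its CN
remote-cert-tls server
verify-x509-name vpn.example.com name
# encrypt and authenticate the control channel with the shared ta.key
tls-crypt ta.key
tls-version-min 1.2
# AEAD ciphers only; no compression
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
verb 3
EOF

audit_weak_sample()     { audit_ovpn_config "$workdir/weak.ovpn"; }
audit_hardened_sample() { audit_ovpn_config "$workdir/hardened.ovpn"; }

echo "== article sample =="
audit_weak_sample || echo "(audit failed, as expected)"
echo "== hardened sample =="
audit_hardened_sample && echo "no findings"
```

To audit your own file, call audit_ovpn_config /path/to/config.ovpn. The hardened profile requires the server side to match: tls-crypt instead of tls-auth on the server, no compression, and the same data-ciphers list.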
Connect to the VPN Server: Once OpenVPN is started, it attempts to connect to the server specified in the configuration file. A successful connection ends with the log line “Initialization Sequence Completed”, after which you can reach the remote network. The steps below show how to check that the connection really works.
Here are some steps to test your OpenVPN connection:
Verify that OpenVPN is running: Ensure that the OpenVPN process is running on both the server and the client. When it is managed by systemd on Linux, check it with systemctl status openvpn@NAME (or openvpn-client@NAME and openvpn-server@NAME on recent Debian and Ubuntu releases), where NAME is the configuration file name without the .conf extension; a plain systemctl status openvpn only shows the umbrella unit. On Windows, query the service with sc query OpenVPNService (or OpenVPNServiceInteractive for the interactive service used by the GUI), or look for openvpn.exe in the process list.
Check the log files: OpenVPN logs on both the server and the client, and these logs are the first place to look when a connection fails. On Linux the output goes to syslog or the journal (journalctl -u openvpn@NAME) unless a log or log-append directive sends it to a file, traditionally under /var/log/openvpn. Look for VERIFY OK and “Initialization Sequence Completed” on success, and for TLS Error, AUTH_FAILED or certificate verification messages on failure. On Windows, the log files are located in the
Verify that the client can reach the server through the tunnel: Ping the server’s tunnel address from the client, that is the address of the server’s tun interface (10.8.0.1 with the default server 10.8.0.0 255.255.255.0 setting; the client log reports it as route_vpn_gateway). Pinging the server’s public IP only proves that the underlying internet path works, not that the tunnel does. If ICMP is filtered, a TCP connection to a service on the remote network is an equivalent test.
Check the routing table: If the server pushes redirect-gateway (a full tunnel), the client’s traffic should leave through the tun interface. On Linux run ip route show (route -n on older systems) and expect the 0.0.0.0/1 and 128.0.0.0/1 routes via the tunnel gateway, or ip route get DESTINATION to see which interface a particular destination uses; on Windows run route print. In a split-tunnel setup only the routes for the remote networks point at tun and the default route stays on the physical interface, which is expected.
Browse the internet: Access a website from the client to confirm that normal traffic works with the tunnel up. traceroute or mtr to a remote host shows the first hop: with the tunnel in use it is the server’s tunnel address rather than your local gateway.
Verify Your Public IP: Compare the public address you appear from with the tunnel up and down, for example with curl https://api.ipify.org . In a full-tunnel setup it should change to the VPN server’s public address. If it does not, traffic is still leaving through your normal connection: check the routing table, and check for DNS leaks by confirming that the resolver in use is the one pushed by the server (dhcp-option DNS) rather than your local one.
These are some basic steps to test your OpenVPN connection. If you encounter any issues, refer to the log files or consult the OpenVPN documentation for further assistance. It’s important to thoroughly test your VPN connection to ensure that it’s working properly and that your online activities are protected.
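Two of the checks above, the routing-table check and the log check, are easy to get wrong by hand: a route table that still shows “default via eth0” can be fine when the two /1 routes override it, and a log that contains a failure may still end in a successful connection. The script below, an added example that is not part of the original article, encodes both checks as functions and runs them against constructed sample text so it works offline. The interface names eth0 and tun0, the tunnel gateway 10.8.0.1 and the log lines are sample data, not output from any real system.

```shell
#!/bin/sh
# Added example, not part of the original article: checks for the test steps
# above, run against constructed text so they work offline. Interface names
# eth0/tun0, the gateway 10.8.0.1 and the log lines are sample data standing
# in for `ip route show` output and an OpenVPN client log.

# Print the interface that actually carries the default route in `ip route`
# output read from stdin. redirect-gateway def1 does not replace the default
# route; it adds 0.0.0.0/1 and 128.0.0.0/1, which win because they are more
# specific, so a check that only looks at "default" would be fooled.
default_route_iface() {
    awk '
        function iface(line,   n, f, i) {
            n = split(line, f, " ")
            for (i = 1; i < n; i++) if (f[i] == "dev") return f[i + 1]
            return ""
        }
        $1 == "default"     { def = $0 }
        $1 == "0.0.0.0/1"   { lo = $0 }
        $1 == "128.0.0.0/1" { hi = $0 }
        END {
            if (lo != "" && hi != "") {
                if (iface(lo) == iface(hi)) print iface(lo); else print "split"
            } else if (def != "") {
                print iface(def)
            } else {
                print "none"
            }
        }'
}

# Classify an OpenVPN client log read from stdin by its last relevant event:
# "up", "tls-failed", "auth-failed" or "unknown".
classify_openvpn_log() {
    awk '
        /Initialization Sequence Completed/ { state = "up" }
        /TLS Error: TLS handshake failed/   { state = "tls-failed" }
        /AUTH_FAILED/                       { state = "auth-failed" }
        END { print (state == "" ? "unknown" : state) }'
}

# Constructed `ip route show` output on a client after redirect-gateway def1.
# Note the host route to the VPN server (203.0.113.5) via the physical
# gateway, which OpenVPN adds so the tunnel transport itself is not tunnelled.
ROUTES_WITH_VPN='default via 192.0.2.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
203.0.113.5 via 192.0.2.1 dev eth0'

# The same client before the tunnel is up.
ROUTES_NO_VPN='default via 192.0.2.1 dev eth0 proto dhcp metric 100
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10'

# Constructed client log excerpts.
LOG_OK='2024-01-01 10:00:02 VERIFY OK: depth=0, CN=vpn.example.com
2024-01-01 10:00:03 Initialization Sequence Completed'
LOG_TLS_FAIL='2024-01-01 10:00:02 OpenSSL: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
2024-01-01 10:00:02 TLS Error: TLS handshake failed
2024-01-01 10:00:02 SIGUSR1[soft,tls-error] received, process restarting'

route_iface_with_vpn() { printf '%s\n' "$ROUTES_WITH_VPN" | default_route_iface; }
route_iface_no_vpn()   { printf '%s\n' "$ROUTES_NO_VPN"   | default_route_iface; }
log_status_ok()        { printf '%s\n' "$LOG_OK"          | classify_openvpn_log; }
log_status_tls_fail()  { printf '%s\n' "$LOG_TLS_FAIL"    | classify_openvpn_log; }

# On a real client:  ip route show | default_route_iface
#                    journalctl -u openvpn@client --no-pager | classify_openvpn_log
echo "default route with tunnel up:   $(route_iface_with_vpn)"   # tun0
echo "default route with tunnel down: $(route_iface_no_vpn)"     # eth0
echo "log status (good run):          $(log_status_ok)"          # up
echo "log status (handshake failure): $(log_status_tls_fail)"    # tls-failed
```

The “split” result is the interesting edge case: one /1 route via the tunnel and the other via the physical interface means half the address space bypasses the VPN, which happens when a route-up script or another VPN client removed one of the pair.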
These are the basic steps to configure OpenVPN and use it to securely access remote networks. With OpenVPN, you can protect your online activities from being monitored and securely access resources on remote networks.
Note: This is just a basic example and may not reflect best practices for using OpenVPN in a real-world environment. It’s important to thoroughly research and understand the options available when using OpenVPN and to consult with a security professional before implementing it in a production environment.
OpenVPN Best Practices
Here are some best practices to follow when configuring OpenVPN:
Use Strong Encryption: OpenVPN supports a range of ciphers, including AES in GCM and CBC modes and the legacy 64-bit block cipher Blowfish (BF-CBC), which was the historical default and is broken by the SWEET32 attack. Use an AEAD cipher such as AES-256-GCM or AES-128-GCM: on OpenVPN 2.5 and later set data-ciphers AES-256-GCM:AES-128-GCM on both server and clients so that nothing weaker can be negotiated, set tls-version-min 1.2, and issue certificates with RSA keys of at least 2048 bits or ECDSA keys.
Authenticate Users: OpenVPN supports certificate authentication (each client has its own certificate and key issued by your CA), username/password authentication via auth-user-pass on the client and a plugin or auth-user-pass-verify script on the server (PAM, LDAP, RADIUS), and both combined as two-factor authentication; one-time-password tokens are added through such plugins. Give every user an individual certificate, do not share one certificate among devices (avoid duplicate-cn on the server), and revoke lost or retired certificates with a CRL (crl-verify).
Use a Firewall: A firewall limits what can reach your VPN server. On the server allow only the OpenVPN port (1194/udp by default) and administrative access from trusted addresses, and control which tunnel traffic may be forwarded to the networks behind it; on clients, restrict inbound traffic on the tun interface.
Use a VPN Kill Switch: A kill switch blocks all traffic outside the tunnel, so that a dropped VPN connection fails closed instead of silently leaking traffic over the normal interface. OpenVPN itself has no such option; implement it with host firewall rules that allow only the tunnel’s own transport to the server and the tun interface, or use a client that offers it.
Regularly Update Software: Keep OpenVPN and the OpenSSL it links against patched on both server and clients, and revisit your configurations when defaults change (for example, BF-CBC stopped being the default cipher in OpenVPN 2.5).
Use a Dedicated VPN Server: Run the VPN on its own host or VM that serves nothing else, so that a compromise of an unrelated application cannot expose the server key or the networks behind the tunnel. Keep the CA’s private key off the VPN server entirely, ideally on an offline machine, and use it only to sign and revoke certificates.
Configure Logging: Log to a file (log-append) or to the system journal at verb 3, and use status for a live list of connected clients. Review the logs for repeated TLS handshake failures, AUTH_FAILED lines, certificate verification errors and connections from unexpected addresses; these are the early signs of brute forcing or stolen credentials. Very high verb levels are for debugging only and are too noisy for production.
These are some of the best practices to follow when configuring OpenVPN. By following these best practices, you can help ensure that your VPN connection is secure and protect your online activities from being monitored.
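The firewall and kill-switch points above are usually implemented in nftables on Linux, and OpenVPN provides nothing for them itself. The script below is an added example, not from the original article: it generates a client-side kill switch that only lets the VPN handshake, loopback, DHCP and the tunnel interface send traffic, and a server rule set that exposes only the VPN port (plus SSH from an admin network) and forwards tunnel traffic outwards. The server address 203.0.113.5, port 1194/udp, the interface names eth0 and tun0 and the admin network 198.51.100.0/24 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: nftables rule sets for the
# firewall and kill-switch practices above. OpenVPN has no built-in kill
# switch; it lives in the host firewall. Server 203.0.113.5, 1194/udp,
# eth0 (WAN), tun0 and the admin network 198.51.100.0/24 are assumptions.

# Client kill switch: only loopback, the handshake to the VPN server itself,
# DHCP on the WAN and the tunnel interface may send; everything else is
# logged and dropped, so a dead tunnel cannot leak traffic over the WAN.
killswitch_ruleset() {
    server="$1" port="$2" wan="$3" tun="$4"
    cat <<EOF
table inet vpn_killswitch {
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
        oifname "$wan" ip daddr $server udp dport $port accept
        oifname "$wan" udp dport 67 accept
        oifname "$tun" accept
        log prefix "vpn-killswitch-drop " drop
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
    }
}
EOF
}

# Server: expose only OpenVPN and SSH (from the admin network) on the WAN,
# answer pings from inside the tunnel, and forward tunnel traffic out to the
# WAN. A nat table with masquerade is needed as well if clients should reach
# the internet through the server; it is not part of this example.
server_ruleset() {
    port="$1" wan="$2" tun="$3" admin_net="$4"
    cat <<EOF
table inet vpn_server {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        iifname "$wan" udp dport $port accept
        iifname "$wan" ip saddr $admin_net tcp dport 22 accept
        iifname "$tun" icmp type echo-request accept
        counter drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "$tun" oifname "$wan" accept
    }
}
EOF
}

# Write both rule sets and, when possible, syntax-check them with nft -c
# (check mode does not load anything but needs root). Load with nft -f FILE
# and persist by including the file from /etc/nftables.conf.
main() {
    out=$(mktemp -d)
    killswitch_ruleset 203.0.113.5 1194 eth0 tun0 > "$out/client-killswitch.nft"
    server_ruleset 1194 eth0 tun0 198.51.100.0/24 > "$out/server-firewall.nft"
    if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        nft -c -f "$out/client-killswitch.nft" && nft -c -f "$out/server-firewall.nft" \
            && echo "both rule sets pass nft -c"
    else
        echo "rule sets written to $out (nft not available or not root, so not checked)"
    fi
}
main
```

Two caveats for the kill switch: DNS is not allowed on the WAN, so the remote directive should use an IP address (or you add a rule for one trusted resolver) and name resolution after connect must go through the tunnel via the server’s pushed dhcp-option DNS; and because the output chain drops everything else by policy, load it only after you have confirmed the tunnel transport rule matches your server’s real address, port and protocol.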
OpenSSL: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
In Debian, when attempting to establish a VPN connection using openvpn, I encounter the following error message from openssl.
WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
... several more lines
OpenSSL: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, process restarting
Solution to fix OpenSSL: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:
With the introduction of openssl version 1.1.1 in Debian, the default settings are configured for enhanced security. This adjustment is made in the /etc/ssl/openssl.cnf configuration file. Towards the end of the file, you’ll find:
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
Debian now mandates a minimum TLS version of 1.2, replacing TLS 1.0. If the counterpart does not support TLS 1.2 or a higher version, connection errors may arise.
I recommend upgrading the openvpn server to a newer version that supports TLS 1.2.
Alternatively (though less secure), you can modify MinProtocol to TLSv1 or TLSv1.1.
How to make OpenVPN work with Docker?
When I try to run docker-compose up, I get the following error:
ERROR: could not find an available, non-overlapping IPv4 address pool among the defaults to assign to the network
Solution to make openvpn work with docker
Create the /etc/openvpn/fix-routes.sh script with the following contents:
#!/bin/sh
# route-up hook: OpenVPN exports the tunnel gateway as $route_vpn_gateway
echo "Adding default route to $route_vpn_gateway with /0 mask..."
ip route add default via $route_vpn_gateway
echo "Removing /1 routes..."
ip route del 0.0.0.0/1 via $route_vpn_gateway
ip route del 128.0.0.0/1 via $route_vpn_gateway
Make the file executable and owned by root (it runs as root on every connect, so it must not be writable by other users):
chmod 755 /etc/openvpn/fix-routes.sh
chown root:root /etc/openvpn/fix-routes.sh
In your configuration, add the following two lines:
script-security 2
route-up /etc/openvpn/fix-routes.sh
How does this solution make OpenVPN and Docker compatible?
When the server pushes redirect-gateway def1, OpenVPN does not replace the existing default route; it adds two routes, 0.0.0.0/1 and 128.0.0.0/1, which together cover the entire IPv4 address space and take precedence over the default route because they are more specific. When Docker creates a network it looks for a private range that does not overlap any existing route; with those two routes present every candidate range appears to be in use, so it fails with the error above.
To resolve this you must replace the pair with a single default route (still directing all traffic through OpenVPN) and delete the two /1 routes. The fix-routes.sh script does exactly that.
The script runs as a route-up hook, i.e. after OpenVPN has added its own routes. Script execution is disabled by default: script-security 2 permits OpenVPN to run built-in executables and user-defined scripts such as this one (level 3 would additionally pass passwords to scripts via environment variables, which is not needed here). Because the script runs as root on every (re)connect, keep it owned by root and not writable by other users, as the chmod and chown steps above ensure.
How to use the command line to connect OpenVPN on Windows?
I require the command line functionality, as I intend to integrate OpenVPN into a script designed to download content from the internet.
"C:\Program Files\OpenVPN\bin\openvpn-gui.exe" --command connect yourconfigfile.ovpn
"C:\Program Files\OpenVPN\bin\openvpn-gui.exe" --command disconnect yourconfigfile.ovpn
The argument is the name of a profile in the GUI’s config directory (C:\Program Files\OpenVPN\config or the per-user %USERPROFILE%\OpenVPN\config), not a full path. If you would rather not depend on the GUI at all, run openvpn.exe --config with a full path from an administrator prompt; the process then stays in the foreground until it is terminated.