{"id":3359,"date":"2015-12-09T22:51:06","date_gmt":"2015-12-09T21:51:06","guid":{"rendered":"http:\/\/michlstechblog.info\/blog\/?p=3359"},"modified":"2015-12-11T13:50:43","modified_gmt":"2015-12-11T12:50:43","slug":"openvpn-a-default-config-template-for-server-and-client","status":"publish","type":"post","link":"https:\/\/michlstechblog.info\/blog\/openvpn-a-default-config-template-for-server-and-client\/","title":{"rendered":"OpenVPN: A default config template for server and client"},"content":{"rendered":"<p>Hi,<\/p>\n<p>these are just two templates, one for an OpenVPN server and one for a client, based on <a href=\"http:\/\/michlstechblog.info\/blog\/openvpn-built-a-certification-authority-from-scratch-with-openssl\/\" title=\"OpenVPN: Built a certification authority from scratch with openssl\" target=\"_blank\">the post<\/a>.<\/p>\n<p>The server side, based on Debian Linux 8. 
Copy the key, certificate &#038; CRL to the right place and create the Diffie-Hellman parameter file (dh.pem) for the key exchange.<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n# Root directory of the CA\r\nexport CA_ROOT_DIRECTORY=${HOME}\/openvpn\/CA\r\n# The common directory\r\nexport CA_COMMON_DIR=${CA_ROOT_DIRECTORY}\/common\r\n# Directory for the server certificate\r\nexport CA_SERVER_DIR=${CA_ROOT_DIRECTORY}\/Server\r\n# The CRL\r\nexport CA_CRL=${CA_COMMON_DIR}\/crl.pem\r\n# The environment variable where openssl looks for its config\r\nexport OPENSSL_CONF=${CA_COMMON_DIR}\/openssl.cfg\r\n# Move default config\r\nmv \/etc\/openvpn\/server  \/etc\/openvpn\/server.old 2&gt; \/dev\/null\r\n# Copy key &amp; certificate\r\nmkdir \/etc\/openvpn\/vpnsrv\r\ncp $CA_SERVER_DIR\/server.p12 \/etc\/openvpn\/vpnsrv\r\ncp $CA_CRL \/etc\/openvpn\/vpnsrv\r\n# Create the Diffie-Hellman parameter file for the key exchange\r\nexport OPENSSL_BIN=`which openssl`\r\n$OPENSSL_BIN gendh -out &quot;\/etc\/openvpn\/vpnsrv\/dh.pem&quot; 2048\r\n# Create a log folder\r\nmkdir -p  \/var\/log\/openvpn\r\n<\/pre>\n<p>Create a <strong>.conf<\/strong> file in <strong>\/etc\/openvpn<\/strong>. 
For example \/etc\/openvpn\/vpnsrv.conf.<br \/>\n<code><br \/>\n# daemon openvpn<br \/>\n# http:\/\/openvpn.net\/index.php\/open-source\/faq\/77-server\/273-qifconfig-poolq-option-use-a-30-subnet-4-private-ip-addresses-per-client-when-used-in-tun-mode.html<br \/>\n# Topology subnet needs no \/30 subnet per client, requires OpenVPN 2.1<br \/>\n# http:\/\/none.of-the-above.com\/archives\/276-openvpn-routing.html<br \/>\nport 1194<br \/>\nproto udp<br \/>\n# dev tun<br \/>\ndev tap0<br \/>\npkcs12 \"\/etc\/openvpn\/vpnsrv\/server.p12\"<br \/>\ndh \"\/etc\/openvpn\/vpnsrv\/dh.pem\"<br \/>\ncrl-verify      \/etc\/openvpn\/vpnsrv\/crl.pem<br \/>\nmode server<br \/>\ntls-server<br \/>\nifconfig 10.100.1.1 255.255.255.128<br \/>\nifconfig-pool 10.100.1.10 10.100.1.126 255.255.255.128<br \/>\n# server-bridge 10.100.1.1 255.255.255.128 10.100.1.10 10.100.1.126<br \/>\ntopology subnet<br \/>\n# client-to-client<br \/>\n# client-config-dir \/etc\/openvpn\/staticclients<br \/>\nifconfig-pool-persist \"\/var\/run\/openvpn\/ips.txt\"<br \/>\nstatus \/var\/log\/openvpn\/openvpn-status.log<br \/>\nlog \/var\/log\/openvpn\/openvpn.log<br \/>\nkeepalive 10 30<br \/>\n# link-mtu 1400<br \/>\npersist-key<br \/>\npersist-tun<br \/>\nverb 3<br \/>\n# http:\/\/openvpn.net\/index.php\/open-source\/documentation\/manuals\/65-openvpn-20x-manpage.html, see --dhcp-option type [parm]<br \/>\npush \"dhcp-option DOMAIN yourdomain.local\"<br \/>\npush \"dhcp-option DNS 10.100.1.1\"<br \/>\npush \"route 10.100.2.0 255.255.255.0 10.113.71.1\"<br \/>\npush \"explicit-exit-notify 3\"<br \/>\n<\/code><\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\napt-get install openvpn\r\nsystemctl enable openvpn.service\r\nsystemctl start openvpn.service\r\n<\/pre>\n<p>And the (Windows) client. Generate the key and certificate, then copy those and the Diffie-Hellman file to the clients. 
Go to the OpenVPN config directory &#8220;C:\\Program Files\\OpenVPN\\config&#8221; and create a <strong>.ovpn<\/strong> file there. For example &#8220;C:\\Program Files\\OpenVPN\\config\\yourvpn.ovpn&#8221;.<br \/>\n<code><br \/>\nclient<br \/>\n# VPN server DNS name<br \/>\nremote openvpn.yourdomain.org 1194<br \/>\n# Fallback in case the name cannot be resolved<br \/>\nremote 192.168.100.1 1194<br \/>\nproto udp<br \/>\ndev tap<br \/>\ndh \"C:\\\\Program Files\\\\OpenVPN\\\\config\\\\dh.pem\"<br \/>\npkcs12 \"C:\\\\Program Files\\\\OpenVPN\\\\config\\\\client.p12\"<br \/>\nns-cert-type server<br \/>\nkeepalive 10 30<br \/>\n# link-mtu 1400<br \/>\npersist-key<br \/>\npersist-tun<br \/>\nverb 3<br \/>\nmanagement 127.0.0.1 45698<br \/>\nscript-security 2<br \/>\n# Scripts must reside in the same directory where the .ovpn file is stored<br \/>\n# up \"config\\\\tin_up.bat\"<br \/>\n# up tin_up.bat<br \/>\n# ipchange ipchg.cmd<br \/>\n# down \"config\\\\tin_down.bat\"<br \/>\n# down tin_down.bat<br \/>\n<\/code><\/p>\n<p>Read this <a href=\"http:\/\/michlstechblog.info\/blog\/openvpn-running-openvpn-and-a-webserver-at-same-tcp-port\/\" title=\"OpenVPN: Running OpenVPN and a Webserver at same TCP Port\" target=\"_blank\">post<\/a> if you want to set up OpenVPN and a web server so that they are reachable at the same TCP port.<\/p>\n<p>Michael<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi, these are just two templates, one for an OpenVPN server and one for a client, based on the post. The server side, based on Debian Linux 8. Copy the key, certificate &#038; CRL to the right place and create the Diffie-Hellman parameter file for the key exchange. 
# Root Directory of the CA export CA_ROOT_DIRECTORY=${HOME}\/openvpn\/CA # The common directory &hellip; <a href=\"https:\/\/michlstechblog.info\/blog\/openvpn-a-default-config-template-for-server-and-client\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">OpenVPN: A default config template for server and client<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,466],"tags":[369,224,857,776,20],"class_list":["post-3359","post","type-post","status-publish","format-standard","hentry","category-openvpn","category-security","tag-config","tag-linux-2","tag-openvpn","tag-template","tag-windows-2"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/3359","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/comments?post=3359"}],"version-history":[{"count":30,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/3359\/revisions"}],"predecessor-version":[{"id":3399,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/3359\/revisions\/3399"}],"wp:attachment":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/media?parent=3359"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/categories?post=3359"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/tags?post=3359"}],"curies":[{"name":"wp","href":"https
:\/\/api.w.org\/{rel}","templated":true}]}}