How to setup OpenVPN server and client (Amazon EC2)

Setup and configuration

Install OpenVPN

    sudo apt-get install openvpn

Server setup

I don’t want to work inside /etc/openvpn directly, so let’s create a working folder first:

    mkdir vpnserver
    cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* vpnserver/
    cd vpnserver

Create certificates for server

My VPN server is called vhost, but of course you can use whatever name you want.

During the creation of the certificates you will be prompted with a number of questions; use the defaults if you don’t know what they mean:

    source vars
    ./clean-all

    cp openssl-1.0.0.cnf openssl.cnf

    ./build-ca

    mkdir vhost

    ./build-dh
    mv keys/dh1024.pem vhost/

    ./build-key-server vhost
    cp keys/vhost.* vhost/
    cp keys/ca.crt  vhost/

Copy the server certificates to /etc/openvpn:

    cp vhost/* /etc/openvpn

Configure server

Create a vhost configuration file, vhost.conf, under /etc/openvpn with the following content:

    proto udp
    dev tun

    ca ca.crt
    cert vhost.crt
    key vhost.key
    dh dh1024.pem
    server 10.8.0.0 255.255.255.0

    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3

For explanations of the configuration file, please refer to the default example:

    sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /home/username/
    sudo gzip -d /home/username/server.conf.gz

or page http://openvpn.net/index.php/open-source/documentation/howto.htm

Restart OpenVPN

    /etc/init.d/openvpn restart

Client Setup

Go to the vpnserver folder on the server:

    cd vpnserver

Create certificates for client

    mkdir alice

    ./build-key alice

    # If you would like to password-protect your client keys, substitute the build-key-pass script.
    # ./build-key-pass alice

    cp keys/alice.* alice/
    cp keys/ca.crt  alice/

Download client certificates

Download the client certificates from the server to the client and copy them into /etc/openvpn:

    scp username@vpnserver:/path/to/alice/* /etc/openvpn

Client configuration

    client
    dev tun
    proto udp

    remote your.vpnserver.com 1194

    resolv-retry infinite
    nobind
    persist-key
    persist-tun

    ca ca.crt
    cert alice.crt
    key alice.key

    comp-lzo
    verb 3

Start OpenVPN client

    sudo openvpn /etc/openvpn/alice.conf

Normally you should get "Initialization Sequence Completed":

    Sun Feb  6 20:46:38 2005 OpenVPN 2.0_rc12 i686-suse-linux [SSL] [LZO] [EPOLL] built on Feb  5 2005
    Sun Feb  6 20:46:38 2005 Diffie-Hellman initialized with 1024 bit key
    Sun Feb  6 20:46:38 2005 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Sun Feb  6 20:46:38 2005 TUN/TAP device tun1 opened
    Sun Feb  6 20:46:38 2005 /sbin/ifconfig tun1 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
    Sun Feb  6 20:46:38 2005 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
    Sun Feb  6 20:46:38 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:23 ET:0 EL:0 AF:3/1 ]
    Sun Feb  6 20:46:38 2005 UDPv4 link local (bound): [undef]:1194
    Sun Feb  6 20:46:38 2005 UDPv4 link remote: [undef]
    Sun Feb  6 20:46:38 2005 MULTI: multi_init called, r=256 v=256
    Sun Feb  6 20:46:38 2005 IFCONFIG POOL: base=10.8.0.4 size=62
    Sun Feb  6 20:46:38 2005 IFCONFIG POOL LIST
    Sun Feb  6 20:46:38 2005 Initialization Sequence Completed

and you should be able to reach the server on its tunnel address, the first host of the subnet given by the server directive (10.8.0.0/24 in the configuration above):

    ping 10.8.0.1

Q&A, troubleshooting and Amazon EC2

Different ways of starting openvpn

    /etc/init.d/openvpn

By default, this script starts one OpenVPN instance for every /etc/openvpn/*.conf. You can change this default behaviour by editing /etc/default/openvpn.

    openvpn /path/to/vpn.conf

Starts a specific VPN config in the foreground; Ctrl-C to terminate.

TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

Check if the port 1194 of the server is reachable.

For Amazon EC2, create a rule that opens port 1194 for UDP.

Can’t access Internet on client

It’s mostly because the server is behind a NAT’d network, like Amazon EC2, so more configuration is needed on the server:

    sudo modprobe iptable_nat

    # enable IP forwarding (this and the rule below are not persistent across reboots)
    echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

    # Masquerade traffic coming from the tunnel subnet only;
    # 10.8.0.0/24 matches the "server 10.8.0.0 255.255.255.0" directive in vhost.conf
    sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
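The masquerade range above has to agree with the subnet in the server's own `server` directive, which is easy to get wrong by hand. The following added example (not part of the original post) reads that directive from a constructed copy of vhost.conf, converts the dotted netmask to a prefix length and prints the matching forwarding and NAT commands instead of running them; the helper names are my own.

```shell
# Constructed sample: the relevant lines of the page's vhost.conf.
SAMPLE_CONF='proto udp
dev tun
server 10.8.0.0 255.255.255.0
verb 3'

# Convert a dotted netmask (e.g. 255.255.255.0) to a prefix length (24).
# Rejects non-contiguous masks such as 255.0.255.0.
netmask_to_cidr() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    bits=0; done_mask=0
    for octet in "$@"; do
        # once a partial octet has been seen, only zeros may follow
        if [ "$done_mask" -eq 1 ] && [ "$octet" != 0 ]; then return 1; fi
        case $octet in
            255) bits=$((bits + 8)) ;;
            254) bits=$((bits + 7)); done_mask=1 ;;
            252) bits=$((bits + 6)); done_mask=1 ;;
            248) bits=$((bits + 5)); done_mask=1 ;;
            240) bits=$((bits + 4)); done_mask=1 ;;
            224) bits=$((bits + 3)); done_mask=1 ;;
            192) bits=$((bits + 2)); done_mask=1 ;;
            128) bits=$((bits + 1)); done_mask=1 ;;
            0)   done_mask=1 ;;
            *)   return 1 ;;
        esac
    done
    echo "$bits"
}

# Read "server <net> <mask>" from config text and print net/prefix, e.g. 10.8.0.0/24.
tunnel_subnet() {
    line=$(printf '%s\n' "$1" | grep '^server ' | head -n 1)
    [ -n "$line" ] || return 1
    set -- $line
    [ $# -eq 3 ] || return 1
    prefix=$(netmask_to_cidr "$3") || return 1
    echo "$2/$prefix"
}

# Print (do not execute) the two commands from the page with the subnet filled in.
print_nat_rules() {
    subnet=$(tunnel_subnet "$1") || return 1
    echo "echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward"
    echo "sudo iptables -t nat -A POSTROUTING -s $subnet -o eth0 -j MASQUERADE"
}
```

Run `print_nat_rules "$(cat /etc/openvpn/vhost.conf)"` on the server to see the rule for your real configuration before applying it.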
