How to set up an OpenVPN server and client (Amazon EC2)

Setup and configuration

Install OpenVPN

    sudo apt-get install openvpn

Server setup

I don’t want to work inside /etc/openvpn directly, so let’s create a working folder first:

    mkdir vpnserver
    cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* vpnserver/
    cd vpnserver

Create certificates for server

My VPN server is called vhost, but of course you can use whatever name you want.

During the creation of the certificates you will be prompted with a number of questions; use the defaults if you don't know what they mean:

    source vars

    cp openssl-1.0.0.cnf openssl.cnf

    # Start from an empty keys/ directory, then build the CA certificate (keys/ca.crt)
    # and the Diffie-Hellman parameters (keys/dh1024.pem); both are copied below
    ./clean-all
    ./build-ca
    ./build-dh

    mkdir vhost

    mv keys/dh1024.pem vhost/

    ./build-key-server vhost
    cp keys/vhost.* vhost/
    cp keys/ca.crt  vhost/

Copy the server certificates and key to /etc/openvpn (the directory is root-owned):

    sudo cp vhost/* /etc/openvpn

Configure server

Create a server configuration file vhost.conf under /etc/openvpn with the following content:

    port 1194
    proto udp
    dev tun

    ca ca.crt
    cert vhost.crt
    key vhost.key
    dh dh1024.pem

    # VPN subnet handed out to clients; 10.8.0.0/24 is the sample-config default
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    keepalive 10 120
    status openvpn-status.log
    verb 3

For explanations of the configuration directives, refer to the default example shipped with the package:

    sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /home/username/
    sudo gzip -d /home/username/server.conf.gz


Restart OpenVPN

    sudo /etc/init.d/openvpn restart

Client Setup

Go to the vpnserver folder on the server:

    cd vpnserver

Create certificates for client

    mkdir alice

    ./build-key alice

    # If you would like to password-protect your client keys, substitute the build-key-pass script.
    # ./build-key-pass alice

    cp keys/alice.* alice/
    cp keys/ca.crt  alice/

Download client certificates

Download the client certificates and key from the server to the client and copy them into /etc/openvpn:

    scp username@vpnserver:/path/to/alice/* .
    sudo cp alice.crt alice.key ca.crt /etc/openvpn

Client configuration

Create /etc/openvpn/alice.conf on the client with the following content:

    client
    dev tun
    proto udp

    # public address (or hostname) of the EC2 instance; <server-address> is a placeholder
    remote <server-address> 1194

    resolv-retry infinite

    ca ca.crt
    cert alice.crt
    key alice.key

    verb 3

Start OpenVPN client

    sudo openvpn /etc/openvpn/alice.conf

Normally you should see "Initialization Sequence Completed":

    Sun Feb  6 20:46:38 2005 OpenVPN 2.0_rc12 i686-suse-linux [SSL] [LZO] [EPOLL] built on Feb  5 2005
    Sun Feb  6 20:46:38 2005 Diffie-Hellman initialized with 1024 bit key
    Sun Feb  6 20:46:38 2005 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Sun Feb  6 20:46:38 2005 TUN/TAP device tun1 opened
    Sun Feb  6 20:46:38 2005 /sbin/ifconfig tun1 pointopoint mtu 1500
    Sun Feb  6 20:46:38 2005 /sbin/route add -net netmask gw
    Sun Feb  6 20:46:38 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:23 ET:0 EL:0 AF:3/1 ]
    Sun Feb  6 20:46:38 2005 UDPv4 link local (bound): [undef]:1194
    Sun Feb  6 20:46:38 2005 UDPv4 link remote: [undef]
    Sun Feb  6 20:46:38 2005 MULTI: multi_init called, r=256 v=256
    Sun Feb  6 20:46:38 2005 IFCONFIG POOL: base= size=62
    Sun Feb  6 20:46:38 2005 IFCONFIG POOL LIST
    Sun Feb  6 20:46:38 2005 Initialization Sequence Completed

and you should be able to reach the server over the tunnel.
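Once a client is up, the server's status file (the status openvpn-status.log directive in the server config above) records who is connected, from which real address, and which tunnel address each certificate holds. The following is an added Python example, not part of the original post: it parses that file in the OpenVPN 2.0 status format (version 1); the file contents are a constructed sample, with addresses taken from documentation ranges.

```python
"""Read an OpenVPN 2.0 status file (format version 1, written by the `status`
directive) and join CLIENT LIST and ROUTING TABLE into one record per client."""
from dataclasses import dataclass
from typing import Dict, Optional
# Constructed sample of /etc/openvpn/openvpn-status.log (not a real capture);
# real addresses use RFC 5737 documentation ranges.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Sun Feb  6 20:46:38 2005
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.7:51234,10240,204800,Sun Feb  6 20:40:12 2005
bob,198.51.100.21:40001,512,1024,Sun Feb  6 20:45:00 2005
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice,203.0.113.7:51234,Sun Feb  6 20:46:30 2005
10.8.0.10,bob,198.51.100.21:40001,Sun Feb  6 20:46:35 2005
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""
SECTIONS = ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS", "END")

@dataclass
class Client:
    common_name: str                       # CN of the client certificate
    real_address: str                      # public ip:port the client came from
    bytes_received: int
    bytes_sent: int
    connected_since: str
    virtual_address: Optional[str] = None  # tunnel address, from ROUTING TABLE

def parse_status(text: str) -> Dict[str, Client]:
    """Return connected clients keyed by certificate common name."""
    clients: Dict[str, Client] = {}
    section = None
    for line in text.splitlines():
        if line in SECTIONS:  # section header line: switch parsing mode
            section = line
            continue
        fields = line.split(",")
        # CLIENT LIST rows have 5 fields; "Updated,..." has 2; skip the column header
        if section == SECTIONS[0] and len(fields) == 5 and fields[0] != "Common Name":
            cn, real, rx, tx, since = fields
            clients[cn] = Client(cn, real, int(rx), int(tx), since)
        # ROUTING TABLE rows have 4 fields; attach the tunnel address to its client
        elif section == SECTIONS[1] and len(fields) == 4 and fields[0] != "Virtual Address":
            vaddr, cn, _real, _last_ref = fields
            if cn in clients:
                clients[cn].virtual_address = vaddr
    return clients
```

Run parse_status over the real file on the server to list each connected certificate and the address it came from; an unexpected real address for a known CN is the first sign that a client key has been copied elsewhere.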


Q&A, troubleshooting and Amazon EC2

Different ways of starting openvpn

By default, the init script (/etc/init.d/openvpn, used above) starts every OpenVPN configuration found in /etc/openvpn/*.conf. You can change this default behavior by editing /etc/default/openvpn.

    openvpn /path/to/vpn.conf

Starts one specific VPN config in the foreground; Ctrl-C terminates it.

TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

Check that UDP port 1194 on the server is reachable from the client.

For Amazon EC2, add a security group rule that opens port 1194 for UDP.

Can't access the Internet from the client

This is mostly because the server is on a NAT'd network, like Amazon EC2, so more configuration is needed on the server: IP forwarding must be enabled and the clients' traffic masqueraded behind the server's own address:

    sudo modprobe iptable_nat

    # enable IP forwarding
    echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

    # Masquerade the VPN clients' source addresses behind eth0;
    # 10.8.0.0/24 is the sample-config default subnet, use the one from your server config
    sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

    # Note: neither setting survives a reboot; persist them via /etc/sysctl.conf
    # and your distribution's iptables-save mechanism
