Jul 032008

OpenVPN is a full-featured open source SSL VPN solution that accommodates a wide range of configurations, including remote access, site-to-site VPNs, Wi-Fi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls. OpenVPN offers a cost-effective, lightweight alternative to other VPN technologies available in the market.

OpenVPN’s lightweight design sheds many of the complexities and the security model is based on SSL, the industry standard for secure communications via the internet. OpenVPN implements OSI layer 2 or 3 secure network extension using the SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or 2-factor authentication, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface. OpenVPN is not a web application proxy and does not operate through a web browser.

Let’s see how to install and configure OpenVPN in SUSE Linux and openSUSE

Install OpenVPN

Before installation begins, plan your vpn setup accordingly. This includes choosing routed [recommended] or bridged mode (routed mode seperates the subnets and hence broadcast doesnt traverse while bridged drops in the same LAN subnet and hence broadcasts are allowed over vpn ), IP Range for the private vpn etc.

opensuse:~ # yast2 –install openvpn

This installs the OpenVPN software in /usr/share/openvpn directory

Copy to /etc/ directory

Copy the directory /usr/share/openvpn to the /etc/ directoty to avoid an update overiding the configurations. Also, the default installation loads a startup script /etc/init.d/openvpn that looks for configurations in the /etc/openvpn directory and hence makes more sense.

opensuse:~ # cp -r /usr/share/openvpn /etc/

Generate Master Certificate Authority (CA) certificate and key

Change Directory to /etc/openvpn/easy-rsa/2.0/ directory and run the following commands to cleanup initialize, cleanup any existing keys and build the CA.

Opensuse:~ # cd /etc/opensuse/easy-rsa/2.0/

opensuse:/etc/opensuse/easy-rsa/2.0/ # . ./vars

opensuse:/etc/opensuse/easy-rsa/2.0/ # ./clean-all

opensuse:/etc/opensuse/easy-rsa/2.0/ # ./build-ca

Answer the questions prompted to create the master CA certificate and key

Generate Certificate & Key for Server

opensuse:/etc/opensuse/easy-rsa/2.0/ # ./build-key-server server

Answer the questions prompted to create the server certificate and key.

Generate Certificate & Key for Client

Here, I create a key for a client named vpnhost1.

Opensuse:/etc/opensuse/easy-rsa/2.0/ # ./build-key vpnhost1

Answer the questions prompted to create the Client certificate and key. Repeat procedure to as many client certificate and key as required.

Generate Diffie Hellman (DH) parameters

Generate the Diffie Hellman parameters for the OpenVPN server

opensuse:/etc/opensuse/easy-rsa/2.0/ # ./build-dh

Now, you can see all the Key files created in the directory



ca.crt – Root certificate for server & all clients

ca.key Root CA key for key signing machine only

dh<n>.pem – DH paramters for server (dh1024.pem here)

server.crt & server.key – Server Certificate and key (the name will be the common name entered aat the time of certificate generation)

client.crt & client.key – Client Certificate and key (the name will be the common name entered aat the time of certificate generation)

Create Server configuration file

The sample config files are installed in the /usr/share/docs/packages/openvpn/sample-config-files/ directory. Copy the server.conf file to /etc/openvpn/ directory.

Opensuse:/etc/openvpn/ # cp /usr/share/docs/packages/openvpn/server.conf .

Edit the file and modify the parameters,

Network Port to listen

The default port is 1194. If you want to change it. Change the parameter

port 1194


Choose if you want to use TCP or UDP protocol. Default is UDP. If you would like to change it then edit the following line accordingly

proto udp

Edit the lines

ca ca.crt

cert server.crt

key server.key

and change it as per your setup. According to our config, the files should be in /etc/openvpn/easy-rsa/2.0/keys/. On my server it is as

ca /etc//openvpn/easy-rsa/2.0/keys/opensuse.crt

cert /etc/openvpn/easy-rsa/2.0/keys/opensuse.crt

key /etc/openvpn/easy-rsa/2.0/keys/opensuse.key

Routed or Bridged

If the VPN setup is routed as in most cases (and here) then leave the following lines untouched

dev tun



If you choose to use Bridged environment then comment the above lines and uncomment the lines

dev tap



In both the cases, if you would want the IP Pool to be different to the default, feel free to change as per your network requirement.

If you need to push routes to client then uncomment lines

;push “route″

;push “route″

and add as many as required for the network

There are lot more one can customize. Feel free to go ahead and change as required.

If you want to remote manage the OpenVPN setup from telnet or a GUI like Webmin the add the line

management localhost 7505

to the bottom. This allows you to directly connect to the port and manage. Of using telnet

telnet localhost 7505

Type help for command options.

Now, we are all set to test run the server.

Start OpenVPN

opensuse:~ # openvpn /etc/openvpn/server.conf

If all was well, the service should and run listening on port 1194 (udp in our case). The errors should there be any are self explanatory to troubleshoot.

Setup Client

On the client install openvpn as above and we need to copy the client.conf file from the sample Config files as with server into the /etc/openvpn directive and edit the file as much the same as the server.conf except

We choose “client” to make it clear that we are a client.

Enter the remote IP of the OpenVPN Server. Multi server load balancing list can be added as well.

Copy the appropriate Certificate & Key files generated on the server onto this client. Ensure this is done securely. Modify the ca.crt,client.crt,client.key entries with appropriate paths and file names.

To start the client

vpnhost:~ # openvpn /etc/openvpn/client.conf

Try connecting (may be a ping of an IP address) and check if you are able to connect to the private network.

Hope you found this useful!!!