I wanted to use Steam's in-home streaming feature outside of my home. It turns out that you can do this via VPN. OpenVPN is relatively simple to set up in TUN mode, but TAP mode is more complicated due to bridging. It took gathering information from a few different sources (referenced at the end of this article) to produce an up-to-date tutorial for a TAP-based VPN configuration.

This is our basic network topology, or rather, the topology we hope to configure towards:

DHCP Range: 192.168.1.10 to 192.168.1.237

Install OpenVPN, bridge tools, and Easy-RSA

    apt-get install openvpn bridge-utils easy-rsa

Although you will see examples of bridge configurations with static addresses defined, this did not work for me. I would not be able to access the outside internet. I looked into the Ubuntu wiki on bridging (see references) and discovered a configuration for a simple, DHCP-based bridge. Everything after bridge_ports is from a different TAP tutorial – I don't know what they do!

The simplest way to check this is to reboot (shutdown -r now) and then test if the outside internet is still accessible (ping) and to look at the output of ifconfig.

Configure OpenVPN

Extract the example VPN server configuration into /etc/openvpn.

    gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/ > /etc/openvpn/nf
    vim /etc/openvpn/nf

Configure the following, yours may be different depending on your topology:

These scripts add and remove the OpenVPN interface to the server's br0 interface.

    ip link set "$DEV" up promisc on mtu "$MTU"
    if ! brctl show $BR | egrep -q "\W+$DEV$"; then

    chmod a+x /etc/openvpn/down.sh /etc/openvpn/up.sh

Copy over the easy-rsa variables file and make the keys directory

Open up /etc/openvpn/easy-rsa/vars and configure your defaults, e.g.

    export KEY_EMAIL= KEY_OU="MYOrganizationalUnit"

You must also set KEY_NAME="server"; the value is referenced by the OpenVPN config.

    openssl dhparam -out /etc/openvpn/dh2048.pem 2048

Now move to the easy-rsa dir, source the variables, clean the working directory and build everything:

Make sure that you responded positively to the prompts, otherwise the defaults are no and the key creation will not complete.

Next, move the key files over to the openvpn directory

    cp /etc/openvpn/easy-rsa/keys/ /etc/openvpn

If the server is not running, look in /var/log/syslog for errors.

Generate Certificates and Keys for Clients

So far we've installed and configured the OpenVPN server, created a Certificate Authority, and created the server's own certificate and key. In this step, we use the server's CA to generate certificates and keys for each client device which will be connecting to the VPN. These files will later be installed onto the client devices such as a laptop or smartphone.

To create separate authentication credentials for each device you intend to connect to the VPN, you should complete this step for each device, but change the name client1 below to something different such as client2 or iphone2. With separate credentials per device, they can later be deactivated at the server individually, if need be. The remaining examples in this tutorial will use client1 as our example client device's name.

As we did with the server's key, now we build one for our client1 example. You should still be working out of /etc/openvpn/easy-rsa.

Again you need to respond positively when presented with yes or no prompts. You should not enter a challenge password. You can repeat this section again for each client, replacing client1 with the appropriate client name throughout.

The example client configuration file should be copied to the Easy-RSA key directory too. We'll use it as a template which will be downloaded to client devices for editing. In the copy process, we are changing the name of the example file from nf to client.ovpn because the .ovpn file extension is what the clients will expect to use.