How to set up an OpenVPN server

The openvpn.spec files

Installation Notes
A better approach is to set up no-ip on your server and use their free dynamic DNS service, as it will keep working even if your home IP changes. When asked, provide a name for the connection (anything will do) and the Internet address (this can be a domain name or an IP address). You won't be able to connect from outside the campus, depending on how the campus network is set up. It only happened on a few of my computers, so it may or may not happen to you; if it does, see if you can access any website. Tun device support via the --dev tun option was first included in OpenVPN 1.

The standard INSTALL file included in the source distribution

Easy Windows Guide

Install OpenVPN on each client. This step can be skipped for now and done at any convenient time.

Certificates and Keys

Preparatory Steps

Navigate to the C: Only run init-config once, during installation. Run the following commands: These will have default values, which appear in brackets.

For your "Common Name," a good choice is to pick a name to identify your company's Certificate Authority.

Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:

The server certificate and key: For each client, choose a name to identify that computer, such as "mike-laptop" in this example.

Generate Diffie Hellman parameters. This is necessary to set up the encryption: build-dh

Configuration Files

Find the sample configuration files: You can also include the ca, cert and key content in the client file.
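Inlining the ca, cert and key content into the client file, as an added example that is not part of the original guide: the script below rewrites a file-based client config into a single-file .ovpn, stripping the human-readable dump that easy-rsa prepends to .crt files so only the PEM block is embedded. The config text, the remote name vpn.example.com and the certificate contents are constructed placeholders.

```python
"""Turn a file-based OpenVPN client config into a single inline .ovpn (added example)."""
import re

# Matches one PEM block; easy-rsa .crt files carry a text dump before the block.
PEM_RE = re.compile(r"-----BEGIN [A-Z ]+-----.*?-----END [A-Z ]+-----", re.S)
INLINE_DIRECTIVES = ("ca", "cert", "key")


def pem_block(text):
    """Return only the PEM block of a file; raise if there is none (e.g. an empty key file)."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(0).strip()


def inline_client_config(config_text, files):
    """Replace 'ca/cert/key <file>' lines with <ca>..</ca>, <cert>..</cert>, <key>..</key> blocks.

    `files` maps file name -> file contents, so the function runs without touching disk.
    """
    out = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in INLINE_DIRECTIVES:
            directive, name = parts
            if name not in files:
                raise FileNotFoundError(name)  # fail loudly rather than ship a half-built profile
            out.append(f"<{directive}>")
            out.append(pem_block(files[name]))
            out.append(f"</{directive}>")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample input: a minimal client config and fake PEM material (assumed names).
CLIENT_CONF = "client\ndev tun\nremote vpn.example.com 1194\nca ca.crt\ncert mike-laptop.crt\nkey mike-laptop.key\n"
FILES = {
    "ca.crt": "-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n",
    "mike-laptop.crt": "Certificate:\n    Data:\n        Version: 3\n"
                       "-----BEGIN CERTIFICATE-----\nMIICconstructed\n-----END CERTIFICATE-----\n",
    "mike-laptop.key": "-----BEGIN PRIVATE KEY-----\nMIIEconstructed\n-----END PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    print(inline_client_config(CLIENT_CONF, FILES))
```

The resulting file contains the private key, so treat it with the same care as the .key file it replaces.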

If you need help, see Static Internet IP below. Routes can be conveniently specified in the OpenVPN config file itself using the --route option. If the OpenVPN server in the main office is also the gateway for machines on the remote subnet, no special route is required on the main office side. Ethernet bridging is a powerful networking capability that allows remote systems such as "Road Warriors" to connect over a VPN to an ethernet LAN in such a way that their system appears to be directly connected to the LAN.

I have tested ethernet bridging with Windows clients connecting to a Linux server. This script will set up ethernet bridging between eth1, tap0, and tap1. Change the br0 ifconfig to match the ifconfig that would be used for eth1 under a normal, non-bridged configuration. Use as many tapX virtual adapters as you will have remote clients connecting. For additional clients, copy the configuration above, but use a different port number, tapX unit number, and secret key.

Now run OpenVPN on both sides with the appropriate configuration file, using the --config option. On the Linux side, you probably want to run as a daemon, so include --daemon and --cd [dir], where dir is the directory that contains the key file.

If everything worked correctly, the Linux server or any host on its subnet should be able to ping the Windows client, and the Windows client should be able to ping any address on the bridged LAN. If Windows machines or Samba servers exist on the LAN bridged by the Linux server (including Samba running on the Linux server itself), the Windows client should see them in its network neighborhood, and vice versa.

Furthermore, ethernet bridging allows for the transport of all protocols which are compatible with Ethernet, including IPv6 and IPX. Ethernet bridging is a great way to work when on the road, and I personally use it for securely connecting to home or office from WiFi Internet cafes.

This configuration requires Windows XP or higher on the bridge side. I am assuming a specific bridged network address, and the connecting client will use an address on that subnet. Note that if your ethernet adapter is a DHCP client, the act of bridging the connection may cause it to get a new IP address lease. Use this config on the remote, which in this case is a Linux box but could also be a Windows box:

Dave Lau contributed a config file for ISC's dhcp3 server that does just this.

I've been using openVPN since you ported it to Windows, and I must say it is fantastic.

One thing that I have found to be immensely useful is the ethernet bridging. I would rather bridge than route for my particular situation, because I want my remote vpn clients to be on the same subnet as the office-bound clients for myriad reasons.

I did not like having to manually configure IP addresses for each client, so I elected to use a dhcp server to serve my remote clients an IP address through the openVPN tunnel. The reason this is necessary for me is that I do not want to hand out a default gateway or DNS server to my openVPN clients, I only want local traffic going through the tunnel.

I'm sure there are many other possible instances in which the dhcp server would like to handle openVPN clients differently from standard clients, so I thought I would share my dhcp server config with you on the off chance that it might be useful to others.

This particular config is for ISC's dhcp3 server, but I'm sure it would work with just about anything. There is nothing particularly clever or tricky about this config file, I just did not happen to see any examples of it anywhere, so if this could save someone some time and effort, that would be great.

The stability of the TAP-Windows driver is obviously of great concern, since any crash by a driver will also crash the entire system, producing the infamous blue screen of death (BSOD).

Versions of the TAP-Windows driver prior to 1. Tun device support via the --dev tun option was first included in OpenVPN 1. Using --dev tun also requires that you use --ifconfig to tell OpenVPN the local and remote IP endpoints for the point-to-point tunnel. The --ifconfig option also calls the Windows "netsh" command, and some problems have been reported with this command on Win2K at lower service pack levels.

A "tap" device is a virtual ethernet adapter, while a "tun" device is a virtual point-to-point IP link. You cannot mix --dev tun and --dev tap on different ends of the connection.

Use one or the other consistently. There are some caveats to be aware of when using "tun" style devices on Windows. The other caveat concerns MTU. If you then need to lower the MTU because of fragmentation or router problems, use something like a lower --tun-mtu value.

The MTU (maximum transmission unit) is the maximum packet size in bytes that can be sent or received by a real or virtual network adapter. The common symptom of MTU problems is a VPN connection which appears to start up fine, but then locks up under real usage.

Typical usage would be:

OpenVPN can be on the chatty side when it comes to error messages, and sleep-resume activity often produces a flurry of non-fatal messages. Most of these messages can be safely ignored and are provided for informational and debugging purposes only.

To suppress repeating messages, the --mute option can be used. For example, --mute 10 will print no more than 10 consecutive messages in the same error class. To suppress all error messages except those that are fatal, use --verb 0. If OpenVPN running on Windows disconnects and reconnects to a remote peer, it is possible that the peer will reinitialize its TAP device and generate a new random MAC, causing Windows to temporarily lose access to the IP addresses exported by that remote peer.
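The --mute semantics described above, simulated over a captured log as an added example (not OpenVPN's own code): the filter keeps at most N consecutive lines of the same message class and starts counting again when the class changes, which is useful when reviewing a noisy client log after sleep-resume churn. The log lines are constructed, and "message class" is assumed here to be the text before the first colon (OpenVPN itself groups by an internal message category).

```python
"""Simulate OpenVPN's --mute N over log lines (added example, not OpenVPN's implementation)."""
import re

# Optional OpenVPN-style timestamp, then the message class up to the first colon (assumption).
CLASS_RE = re.compile(r"^(?:\w{3} \w{3} +\d+ [\d:]+ \d{4} )?([^:]+?)(?::|$)")


def message_class(line):
    """Return the part of the line used to group messages, e.g. 'TLS Error'."""
    m = CLASS_RE.match(line)
    return m.group(1).strip() if m else line.strip()


def mute(lines, n):
    """Keep at most n consecutive lines of one class; a change of class resets the counter."""
    kept, prev, run = [], None, 0
    for line in lines:
        cls = message_class(line)
        run = run + 1 if cls == prev else 1
        prev = cls
        if run <= n:
            kept.append(line)
    return kept


# Constructed sample log: a reconnect loop producing repeated TLS and socket errors.
LOG = [
    "Mon Jan  1 12:00:01 2024 TLS Error: TLS key negotiation failed to occur within 60 seconds",
    "Mon Jan  1 12:00:02 2024 TLS Error: TLS handshake failed",
    "Mon Jan  1 12:00:03 2024 TLS Error: TLS handshake failed",
    "Mon Jan  1 12:00:04 2024 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)",
    "Mon Jan  1 12:00:05 2024 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)",
    "Mon Jan  1 12:00:06 2024 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)",
    "Mon Jan  1 12:00:07 2024 TLS Error: TLS handshake failed",
]

if __name__ == "__main__":
    for line in mute(LOG, 2):  # behaves like --mute 2: 5 of the 7 lines survive
        print(line)
```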

Luckily, there is an easy solution to this problem. Create a batch file with one or more of the following commands: The "arp -d" command will cause Windows to "forget" the MAC address which it previously associated with the given IP address. The next time that IP address is used, Windows will actively query the remote peer with an "arp who-has" message to get the new MAC address. You can use the --up option in OpenVPN to automatically run a given batch file immediately after TAP device initialization; such a batch file can contain "arp" commands as described above.

Note that OpenVPN 1. The following features, which are normally available in the POSIX version of OpenVPN, are either missing or implemented differently in the Windows version as of 1.

All tests with OpenVPN 1. In general, OpenVPN is word size and endian independent, so most processors should be supported.

See the comments in openvpn.spec. Note that the current openvpn.spec requires several packages; therefore all of these packages will need to be present prior to the RPM build, unless you edit the openvpn.spec. If you install from RPM (see above) and use the openvpn.spec. To load the TAP driver, enter: OpenVPN installers include this driver, so installing it separately is not usually required.

The driver source code is available here: This is usually seen as tunnels where small packets and pings get through but large packets and "regular traffic" don't. To circumvent this, add "no-df" to the scrub directive so that the packet filter will let fragments with the "don't fragment" flag set through anyway.

You can also run from a command prompt window: When you install OpenVPN as a service, you are actually installing openvpnserv.exe. If the OpenVPN service wrapper openvpnserv.exe encounters errors, it will write them to the Windows Event Log. If the OpenVPN processes themselves encounter errors, they will write them to their respective log files in the log file directory.

OpenVPN tunnels are point-to-point in their simplest form, but can be made point-to-multipoint through the use of bridging or routing (see below). If you change any of these parameters, you should be able to upgrade OpenVPN to a new version without the installer overwriting your changes:

Routing

Bridging and routing are two methods of linking systems via a VPN.

Limitations