A Simple OpenVPN Version 2 Installation on Windows

by Scott Beatty

Note: This article was originally written for OpenVPN 2.0 rc6. It has now been updated for OpenVPN 2.0.5.

Introduction

My clients needed a secure way for their telecommuter employees to synchronize their contact manager software over the Internet with the contact manager application server in their office. After some research, I chose the open source, multi-platform OpenVPN as the solution. OpenVPN is an SSL VPN (Secure Sockets Layer Virtual Private Network). It establishes an encrypted tunnel over the Internet, thus creating a private network over the public Internet. The advantages of the OpenVPN solution include:

  • low cost
  • simplicity
  • well-tested security
  • scalability
  • flexibility
  • multi-platform
  • it operates in user-space, not kernel-space
  • it handles multiple arbitrary protocols at the same time

For a good discussion of OpenVPN see the SANS Institute document, “OpenVPN and the SSL VPN Revolution,” by Charlie Hosner. Also, see the presentation “The User-Space VPN and OpenVPN,” by James Yonan.

Scenario

Here is my clients’ scenario:

  • Office LAN:
      Router/Firewall/DHCP Server: Linksys BEFSR41 Ver. 3
      External IP address: static, public
      Internal IP address: static, private
  • Application Server on LAN:
      OS: Windows 2000 Server
      IP address: static, private
  • Remote Clients:
      OS: Windows XP Pro SP2
      IP address: dynamic, private

Expert Help

As I read about OpenVPN on its website, and in various articles available on the Internet, I knew that it was the right solution, but I found the installation and configuration information difficult to sort out. I needed someone to help me navigate through these waters so that I could get things working quickly for my clients. Fortunately, I saw that James Yonan, OpenVPN project founder and maintainer, does consulting. I contacted him by email, and found that he was available (via the phone and email). As a result, I eventually got things up and running. I could not have done it in a reasonable time without help from James. This article shares many of the things that I learned. Perhaps with this information you will be able to get OpenVPN running on your own. (Note: As OpenVPN continues to mature, I believe that it is gradually getting easier to configure, and to find documentation for specific issues, but starting out can still be daunting.)

Procedure

Here are the steps that you can follow for setting up a similar VPN:

1. The LAN firewall needs to be able to do port forwarding. Port 1194, UDP, is now the official OpenVPN port, assigned by IANA. Forward it to the static IP address of the application server.
Comments:
- For the Linksys router, this is set up under “Applications & Gaming > Port Range Forwarding.”
- The LAN firewall setup for OpenVPN is simple and affordable.
- UDP is the better transport for carrying TCP traffic in a VPN. TCP over UDP does not have the packet fragmentation problems that TCP over TCP has. Also, UDP is good at traversing NAT routers.
- It is possible to change the port number for OpenVPN. It would need to be changed in all of the OpenVPN config files that are in use on your VPN, as well as in the LAN firewall port forwarding.
- The OpenVPN 2.0 HOWTO has some information on running an OpenVPN server with a dynamic IP address.

2. Download the Windows installer of OpenVPN. Check the file signature.
Comments:
- There is a lot of good Windows installation information at http://openvpn.net/INSTALL-win32.html and http://openvpn.net/howto.html#install.
- You can check the OpenVPN version from the command line in the directory where openvpn.exe is installed by typing openvpn --version.
- If you want to update an existing OpenVPN 2.0 installation, uninstall the old version first. The uninstaller seems to know which files to leave alone for the next version, but you might want to make a backup before uninstalling, just in case. Then, run the new version OpenVPN installer.
- Another installation and admin option for Windows users is the OpenVPN GUI for Windows.

3. Run the installer on each VPN machine, including the application server on the LAN, which will become your VPN server. I recommend accepting the default installation. Continue the installation when it notifies you that no digital signature was found for the TAP-Win32 Adapter.
Comments:
- The default installation directory is C:\Program Files\OpenVPN.

4. To check the OpenSSL version, open a command prompt window to a directory containing openssl.exe, i.e., the OpenVPN bin directory. Then, type:
openssl
OpenSSL> version
You can compare this version to the latest version listed at The OpenSSL Project website. If you need Windows binaries for OpenSSL that are more recent than the ones packaged with OpenVPN, you can obtain them from: http://www.slproweb.com/products/Win32OpenSSL.html. Install this OpenSSL on any machine, and then copy the following files to the OpenVPN bin directory (first, make a backup in case you need to reinstall the old files): openssl.exe, libeay32.dll, and libssl32.dll.
Comments:
- The Win32OpenSSL package from the link above places the openssl.exe file in the bin subdirectory of the OpenSSL installation directory, and the libeay32.dll and libssl32.dll files in the system32 subdirectory of the Windows installation directory.
- It is safer, however, to just wait for the next release of OpenVPN. It will probably have the updated OpenSSL files, as well as any files that needed to be updated to work with the new OpenSSL version.
- I once updated the OpenSSL files only and the TAP Adapter quit working. I fixed it by uninstalling the old version of OpenVPN and installing its new version. This was also around the time of a Windows Update installation, so I’m not sure what caused the problem.

5. Open a command window to C:\Program Files\OpenVPN\easy-rsa. Run init-config.bat. In the same easy-rsa directory, edit the vars.bat.sample file. Change the KEY_SIZE variable to 2048. Also, assign all of the default values for the fields which will be placed in the certificates. For example (vars.bat is a batch file, so each assignment is a set statement):
set KEY_SIZE=2048
set KEY_COUNTRY=US
set KEY_PROVINCE=IL
set KEY_CITY=CHICAGO
set KEY_ORG=Company Name
set KEY_EMAIL=certs@company.com
Now, save the file as vars.bat in the same directory, and then run it.
Comments:
- Paths with spaces do not need to be bracketed with double quote marks.
- Key renegotiation occurs once per hour, so a large key size will not adversely affect your VPN performance.
- In the easy-rsa directory there is a file named README.txt. It summarizes the uses for each of the batch files in that directory. Note that the vars batch file precedes each of the other batch files (except init-config.bat), though if the variables aren’t changing then the vars.bat file only needs to be run once before the other batch files are run in succession.

6. Run the clean-all.bat file. This removes any previous KEY_DIR directory, so if you need to preserve the old one, move it first, or set a different value for KEY_DIR in the vars.bat file.
Comments:
- The HOME variable must have been set correctly in vars.bat, and the vars batch file must be run before running the clean-all.bat file. If you change the HOME or KEY_DIR variables in the vars.bat file, then you must rerun vars.bat before running clean-all.bat.

7. Run the build-ca.bat file. You can accept the default values that you entered earlier in the vars.bat file. For the Common Name, a suggestion is to use the company name, followed by “ - CA”. This batch file creates a certificate authority key, and a certificate for your network which is used to sign all subsequent certificates.
Comments:
- The .key file is the private key, and the .crt file is the signed certificate.
- After use, ca.key should be stored in a very secure, offline location.

8. Choose a name appropriate for the VPN server. Then, run build-key-server.bat <server name>. When asked for a Common Name enter <server name>. When asked for a challenge password leave it blank. When asked to sign the certificate reply “Y.” When asked to commit reply “Y.” This batch file creates a private key and a public certificate, signed by the previously created certificate authority’s certificate, for the OpenVPN server.
Comments:
- The Common Name will be incorporated also in the filenames created in this step.
- The Common Name in this step is different from the Common Name in the previous step.

9. Choose names appropriate for each VPN client. Then, run build-key <client name> for each VPN client. When asked for a Common Name enter <client name>. This batch file creates a private key and a public certificate, signed by the previously created certificate authority’s certificate, for each OpenVPN client.
Comments:
- This step is similar to step 8.
- Again, the Common Names in this step are different from the Common Names in the previous steps.

10. Then, run the build-dh.bat file. This batch file creates a large prime number; it might take several minutes to run.
Comments:
- In order to speed up the process, try randomly wiggling the mouse in order to create more entropy in the system.
- “dh” stands for Diffie-Hellman.

11. Open a command prompt window to the OpenVPN bin directory (it doesn’t matter on which machine). Enter the command:
openvpn --genkey --secret ta.key
This creates a small key file named ta.key. Place a copy of this file in the OpenVPN config directory of each machine in the VPN.
Comments:
- This file is used for TLS authentication, which provides another layer of security for the VPN.

12. Now it is time to copy the files created in the previous steps from the newly created keys directory to the OpenVPN config directories on their respective machines.

Machine          Files
OpenVPN server   ca.crt, <server Common Name>.key, <server Common Name>.crt, ta.key, dh2048.pem
OpenVPN client   ca.crt, <client Common Name>.key, <client Common Name>.crt, ta.key
Secure, offline  ca.key

Comments:
- If later you need to add a new client to the VPN, repeat steps 9, 11, and 12.

13. Edit the VPN server config file. Go to the sample-config directory and save a copy of server.conf to the filename <server Common Name>.ovpn in the OpenVPN config directory of the VPN server. Then, open this .ovpn config file in a text editor, and make the following changes:
a. Sample:
cert server.crt
key server.key
New:
cert <server Common Name>.crt
key <server Common Name>.key
b. Sample:
;tls-auth ta.key 0 # This file is secret
New:
tls-auth ta.key 0 # This file is secret
c. Sample:
;max-clients 100
New:
max-clients <maximum number of concurrent clients on your VPN>
d. Sample:
dh dh1024.pem
New:
dh dh2048.pem
Changing the other settings in the config file is up to you.
Comments:
- Using the configurations outlined in this article, the VPN server won’t allow connections from anyone unless they have both the correct TLS authentication key and the correct X.509 certificate and key.
- As stated before, in this example the VPN server is also the application server on the LAN.
- TAP vs. TUN interface: Use dev tap only if you want the client on the LAN subnet. This would require bridging, which Windows 2000 does not support, so the use of dev tap is not possible with Windows 2000. Windows XP does support bridging.
- Even though the OpenVPN network connection is called a “TAP” adapter, you can still configure OpenVPN to use dev tun instead of dev tap.
- See comments in the server config file for further information.
- This step assumes that you’ll run OpenVPN as a service. If you are not, leave the file extension of the config file as .conf.
- If you want clients to be able to communicate with (e.g. ping) each other, uncomment client-to-client.
- For information on how to configure the server to assign static IP addresses to clients see http://openvpn.net/howto.html#policy.
- My sample config files can be downloaded from the link in my comment below dated April 19th, 2006.
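Here, as an added example (not the author's downloadable sample files), is a complete server config for the scenario in this article with the edits from this step applied. The server Common Name vpnserver, the max-clients value of 10 and the crl-verify line are assumptions, not values from the article.

```conf
# vpnserver.ovpn - OpenVPN 2.0 server config for the office application server
# (added example; "vpnserver" is an assumed server Common Name)
port 1194                 # official IANA port, forwarded by the LAN firewall (step 1)
proto udp                 # UDP transport, as recommended in the step 1 comments
dev tun                   # routed mode; Windows 2000 cannot bridge, so not dev tap

ca ca.crt                 # CA certificate from step 7
cert vpnserver.crt        # <server Common Name>.crt from step 8
key vpnserver.key         # <server Common Name>.key from step 8 (keep private)
dh dh2048.pem             # 2048-bit Diffie-Hellman parameters from step 10
tls-auth ta.key 0         # shared key from step 11; the server uses direction 0

server 10.8.0.0 255.255.255.0   # VPN subnet; the server becomes 10.8.0.1 (step 17)
ifconfig-pool-persist ipp.txt   # remember client address assignments across restarts
keepalive 10 120                # ping every 10 s, restart the link after 120 s of silence
comp-lzo                        # optional compression; must match the client configs
max-clients 10                  # assumed maximum number of concurrent clients
;client-to-client               # uncomment only if clients must reach each other
;crl-verify crl.pem             # assumption: enable once a client certificate is revoked (step 19)

persist-key
persist-tun
status openvpn-status.log
verb 3                          # raise to 6 while testing (step 16), then lower it again
```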

14. Edit the client config files. Go to the sample-config directory and save a copy of client.conf to the filename <client Common Name>.ovpn in the OpenVPN config directory of each VPN client. Then, open this .ovpn config file in a text editor, and make the following changes:
a. Sample:
remote my-server-1 1194
New:
remote <static external IP address of LAN gateway/firewall> 1194
b. Sample:
cert client.crt
key client.key
New:
cert <client Common Name>.crt
key <client Common Name>.key
c. Sample:
;ns-cert-type server
New:
ns-cert-type server
d. Sample:
;tls-auth ta.key 1
New:
tls-auth ta.key 1
Changing the other settings in the config file is up to you.
Comments:
- If you are not sure of the static external IP address of your LAN’s gateway/firewall, surf to the following URL from your application server on the LAN: http://checkip.dyndns.org/.
- The only differences between each client config file are the names of the .crt and .key files.
- See comments in the client config file for further information.
- This step assumes that you’ll run OpenVPN as a service. If you are not, leave the file extension of the config file as .conf.
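As an added example (again, not the author's sample files), here is the matching client config with the edits from this step applied. The client Common Name laptop1 is assumed, and 203.0.113.10 is a constructed stand-in for the office gateway's static external IP address.

```conf
# laptop1.ovpn - OpenVPN 2.0 client config for one remote telecommuter machine
# (added example; "laptop1" is an assumed client Common Name and
#  203.0.113.10 is a constructed example of the office's static external IP)
client                    # pull addressing and options from the server
dev tun                   # must match the server
proto udp                 # must match the server
remote 203.0.113.10 1194  # <static external IP of LAN gateway/firewall> (step 14a)
resolv-retry infinite     # keep retrying if the office is unreachable for a while
nobind                    # no fixed local port; the client's address is dynamic

ca ca.crt                 # same CA certificate as on the server
cert laptop1.crt          # <client Common Name>.crt from step 9 (step 14b); these two
key laptop1.key           # <client Common Name>.key lines are all that differ per client
ns-cert-type server       # refuse a peer whose certificate was not built as a server (step 14c)
tls-auth ta.key 1         # same ta.key as the server; the client uses direction 1 (step 14d)

comp-lzo                  # must match the server config
persist-key
persist-tun
verb 3                    # raise to 6 while testing (step 16)
;mtu-test                 # uncomment temporarily to run the UDP packet-size test (step 18)
```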

15. VPN client firewall issues: My experience has been that OpenVPN will work with the Windows Firewall in Windows XP Pro SP2 turned on for all adapters, including the TAP adapter. Other software firewalls that may be running on the same machine may have to be configured to allow OpenVPN through.
Comments:
- For the TAP adapter, the use of the “Client for Microsoft Networks” and “File and Print Sharing for Microsoft Networks” bindings is optional, depending on your network needs. If you don’t need them, turn them off. The “QoS Packet Scheduler” might also be optional; I left it on.
- If, for some reason, you want to turn off the Windows Firewall in Windows XP Pro SP2 for the TAP adapter, here are some instructions: Right-click the TAP adapter (sometimes named “Local Area Connection 2”) and select “Properties”; click on the “Advanced” tab; click on the “Settings” button under “Windows Firewall.” In the firewall control panel applet, under the “General” tab, leave the firewall turned On; click on the “Advanced” tab; turn off the firewall for the TAP adapter (uncheck the box for that connection).
- Because remote VPN clients can potentially infect internal networks, as a minimum company policy should require them to operate behind a firewall, to maintain updated antivirus and antispyware software, and to keep their operating systems configured and updated against security vulnerabilities.
- For more information on the VPN server firewall see step 22 below.

16. The OpenVPN installer installs OpenVPN as a manual service. If you want OpenVPN to automatically start as a service when logging in then change the service “Startup type” to “Automatic.” Prior to running OpenVPN as a service, you can launch OpenVPN in a console by right-clicking the .ovpn config file and then selecting “Start OpenVPN on this config file.” Once started this way you can stop OpenVPN by pressing F4 in the OpenVPN console, followed by any other key, such as the spacebar. If you would rather restart OpenVPN from the console, perhaps to put into effect a config file change, then press F3 in the console.
Comments:
- You can change the verbosity of the messages to the console by increasing the verb value in the config file to 6. This will give you more feedback on what is occurring. If two machines are talking to each other you should see UDPREAD and UDPWRITE statements in the console. Be sure to set the verb value back to a lower value, such as 3, when you are done testing.
- If you don’t have “Start OpenVPN on this config file” in the right-click context menu, and if the OpenVPN icon isn’t used for the config file, then go to Windows Explorer | Tools | Folder Options | File Types, OVPN extension / OpenVPN Config File. If the Restore Defaults button is available, click it. This should fix the icon, the file extension association, and the context menu.

17. The TAP adapter should be set to receive the IP address, and DNS server address(es), automatically, i.e., DHCP is enabled. To test whether an OpenVPN client can connect to the OpenVPN server, start the OpenVPN server, and then open a command prompt window on the client, and type:
ping 10.8.0.1
If you get a reply with times, rather than timeouts, then the client can see the server.
Comments:
- Hopefully, your LAN doesn’t use IP addresses that begin with 10.8.0, else there may be a conflict with OpenVPN. The default OpenVPN network and netmask is 10.8.0.0 255.255.255.0. For dev tun, the default available IP addresses for clients are 10.8.0.4 to 10.8.0.251 (248 addresses). This can be changed in the server config file. For more information, go to the OpenVPN Man Page, and look up the directive --server network netmask under the “Server Mode” section.
- If you need a network address calculator here is a good one: IPv4 Network Calculator.

18. Another test that can be run is to test the UDP packet size. This can be done by temporarily adding the line:
mtu-test
to the bottom of a client config file. Then, start the client OpenVPN process in the console, and wait several minutes. Keep an eye on the client OpenVPN console; it will report a pair of comma-separated numbers with square brackets. If these numbers are above 1500 then there is no problem, and no changes are required. If they are less than 1500 then add the following line to the config files:
tun-mtu <value from mtu-test>
Comments:
- Usually the MTU test results are above 1500.

19. If an OpenVPN client machine is compromised, e.g., if a VPN client laptop is lost or stolen, then you can revoke that machine’s certificate, and block that machine from the VPN. The instructions are in the README.txt file in the easy-rsa directory.
Comments:
- CRL stands for Certificate Revocation List.

20. Once OpenVPN is running, and you can ping the server from the client, your client application should see the application server. All traffic on all ports between the two machines will pass through the OpenVPN tunnel on port 1194. Assuming that the client application normally connects to port 1234 on the application server, for connecting over the VPN it should be configured to connect to 10.8.0.1:1234.
Comments:
- Usually, applications listen on all interfaces, and therefore they don’t have to be told to listen on the TAP interface.

21. On Windows, if OpenVPN is not running as a service then it can also be configured to require a password or a smart card in order to start. For more information, see the OpenVPN Man Page.
Comments:
- Apparently, this works now even when OpenVPN is running as a Windows service. (I have not tested this.)

22. VPN server firewall issues: Assuming that the VPN is used only for access to specific applications, like the contact manager application server in the present example, the practical solution for protecting the LAN from a possible malware infection from an Internet-connected VPN client (in addition to your security policy for VPN clients) is to firewall the VPN server’s TAP adapter so that it only allows in the port(s) needed for the application server(s), from IP addresses that may be assigned to the VPN clients. If you have clients with differing access needs, then have the server pass out client VPN IP addresses from different ranges depending on the common name of the client, and set up the TAP adapter firewall rules to grant different access based on the IP range, and only allow access through the application’s port(s).
Comments:
- I recommend that you first get OpenVPN running without firewalling the server’s TAP adapter. Then you can experiment with the firewall configuration.
- For Windows 2000, it appears to me that its built-in TCP/IP Filtering cannot be applied only to specific adapters; it must be applied to all adapters. I have gotten good results so far from the Look ‘n’ Stop 2.05 personal firewall. I’m using it to firewall the TAP-Win32 adapter on Windows 2000 Server. Look ‘n’ Stop only works on one adapter per firewall instance. I’ve used it also on Windows Server 2003, but I’ve been advised by its developer that the packet filter has not been optimized for a large number of simultaneous connections (e.g., 1000), and TCP SPI only handles 256 simultaneous entries.
- If your application server is running on Windows XP Pro SP2, it appears to me that using the Windows Firewall you can filter the TAP adapter independently of the other adapters. You would need to activate Windows Firewall (see step 15 above), and then either create an exception for the application program, or open a port on the “Exceptions” tab. If possible, perhaps the easiest and most secure way would be to firewall the adapter and then unblock the application program if the Windows Firewall asks about it. That way, the port would only be opened when the application program needed it.
- To learn how to assign static IP addresses to clients read about the --client-config-dir and the --ifconfig-push directives on the man page. Client configuration files can be changed without restarting the server.
- These steps are additional layers of protection, but they are not completely bullet-proof ways to protect against threats launched from within the network. For example, if you have to open port 80 for a remote client to have access to a web-based intranet/extranet, then additional protection might be needed because some malware can piggyback on the HTTP protocol. That subject is beyond the scope of this article.
- The OpenVPN on Windows notes page has a section near the bottom titled “Notes — Firewall on the Windows client” which may counter some of my firewall comments in this article.

Acknowledgements

Thanks to James Yonan for his assistance with this article’s first version. Subsequent errors and omissions, if any, are my responsibility.

49 Responses to “A Simple OpenVPN Version 2 Installation on Windows”

  1. Stuart Finkel Says:

    Hi,

    Great article, really helpful. Have you tried to route or bridge with OpenVPN? I have tried everything and have not succeeded. The VPN works between the two machines very well. I did enable routing on the XP “server”.

    Is there any help forum for OpenVPN?

    Thanks for your time.
    Stuart

  2. Scott Beatty Says:

    Thanks for your comments. You might try your question in this forum:

    http://openvpn.se/bb/viewforum.php?f=4

  3. Gareth Evans Says:

    One thing not mentioned here is you need to copy the ca.crt key to \easy-rsa\keys\
    On the Client machine only!!

    The only other thing I needed to do to get this to work was this in the client.ovpn and server.ovpn files….
    ..\easy-rsa\keys\ca.crt (assuming you made the .crt key ca.crt !!) STEP 14b.

    Apart from a firewall issue, this setup worked like a charm…. took a while to generate the 2048 key, but better security !!!!!

    Oh and if you did put it down I missed it….. just that I skim the setup, Impatient you see !!!
    Scott, Thanks I am sure it would have taken a lot longer without this !!!!!

  4. Scott Beatty Says:

    Thanks, Gareth. I suggest where to put ca.crt in step 12, i.e., in the config directory. Your setup is a little different, but it’s working, so congratulations!

  5. Tom Reimann Says:

    Thank you, thank you, thank you! For taking the time to write such a helpful document. I had tried various installation methods posted on the Net but none seemed to convey the ‘real world’ information that your article did.

    I (and probably not alone) have some other questions regarding OpenVPN. It seems like a fine piece of software, but like most users, I have a little difficulty in what to do next. Could you direct me to some sites or be willing to answer a few questions? The FAQ document for OpenVPN has a question and an answer, but I’m not able to interpret the answer to solve my problem. Mainly, how can I link my network to the client after successfully pinging it?

    Thank you again and hope to hear from you.

    Forever grateful,
    Tom Reimann

  6. Scott Beatty Says:

    Thanks, Tom. I generally don’t have time to answer questions, but I can give you some tips: A very good resource (in addition to the FAQ that you looked at) is the “OpenVPN 2.0 HOWTO” at http://openvpn.net/howto.html. Once when I asked a question to James Yonan he referred me to the HOWTO. With regards to your question about linking your network perhaps this section in the HOWTO is of interest: http://openvpn.net/howto.html#redirect.

    The forum mentioned in comment 2 above is a good place to post questions.

    Depending on your situation, you could also consider hiring James Yonan for a phone consultation; that’s how I got started. His contact information is at http://openvpn.net/donate.html.

  7. daniel cialdella Says:

    Thank you a lot !!!!!

    It’s a “real” doc to configure OpenVPN. I’m installing it in my wifi LAN and your document is very useful.

    thank you again.

    dac

  8. Juan Carlos Says:

    Thank you for the great document.

    I have one question. You say that to add a new client you need to repeat steps 9, 11, and 12. For step 11 can’t the same ta.key file be used for all clients? If not then how do you store all the different ta.key files on the server side if they all have the same name?

    Thank you again!

  9. Scott Beatty Says:

    Thanks, Juan. Yes, the same ta.key file is used for all clients. The table in item 12 shows that the ta.key file is not customized to the client name.

    Thanks.

  10. Scott Beatty Says:

    Here’s some OpenVPN news that I found interesting: In the 14 July 2005 issue of Windows Secrets Newsletter, http://www.windowssecrets.com/comp/050714/, it states that WiTopia’s PersonalVPN service, http://www.witopia.net/aboutpersonal.html, uses OpenVPN.

  11. Moastuen.com Says:

    So after a long strain I finally managed to get VPN up and running at my office. After first trying a hardware solution from Symantec that didn’t work as well as hoped, I stumbled over OpenVPN - an open-source software implementation… I struggled quit…

  12. Markus Weber Says:

    Thanks a lot for this great how-to.

  13. Pavel Says:

    I need conf files for OpenVPN; please send them to my e-mail.

  14. Scott Beatty Says:

    Please see steps 13 and 14 above. Also, please note that the article has been updated for version 2.0.2.

  15. Remco Says:

    Ok
    I got it running now. I have a connection to my 2000 server at the office. :D
    But now I’m wondering: can I join the domain on the NT 4.0 server, which is another server at the office, or do I only have access to the 2000 server that I have connected with???
    Remco

  16. Scott Beatty Says:

    Remco,
    Congratulations! In answer to your question, I don’t know. If you can’t test it yourself I expect that you can get your question answered in the forum linked to in comment no. 2 above.

  17. Jared Says:

    hi scott!
    found this site in a search
    have you been able to get auth-user-pass-verify to work on a windows server?
    i have my keys/connections working but would like to add an additional level so that if someone picked up the laptop they couldn’t connect w/o a user and password

    thanks
    -Jared

  18. Scott Beatty Says:

    Hi Jared,

    I have not tried auth-user-pass-verify on a Windows server, or any kind of server, but I expect that it will work. According to James Yonan, it is a username/password authentication method that can be used in conjunction with certificate/key authentication.

    Here are a couple of related references:

    http://openvpn.net/howto.html#auth

    http://openvpn.se/bb/viewtopic.php?t=286&

  19. Scott Beatty Says:

    Here is a link to another good article on OpenVPN by Charlie Hosner, published September 28, 2005 on NewsForge:

    SSL VPNs and OpenVPN: A lot of lies and a shred of truth
    http://software.newsforge.com/software/05/09/22/164231.shtml

  20. krzee Says:

    Very nice walk-through. Thank you!

  21. Mike Robinson Says:

    Thanks for the article. I’ll use it when I get Openvpn working properly. At the moment I have 2.0.5 working on three machines on the same subnet (192.168.1.0), but I want to deploy it on a WAN.

    My Openvpn server is on a machine (192.168.1.6) behind a Linux firewall, but not on the firewall machine (192.168.1.2). I’ve read the howto and it says I have to forward port 1194 through the firewall to my server on 192.168.1.6.

    Any idea how to do this? I’m not an iptables expert.

  22. Scott Beatty Says:

    Hi Mike,

    I haven’t yet done port forwarding with iptables. I’ve been doing it using the browser interface that comes with the Linksys routers.

    Here are some of the options to finding an iptables solution:

    1. Perhaps you are using a Linux distribution with a GUI firewall administrator that makes it easy to set up port forwarding.

    2. Perhaps you can use Guidedog (with KDE) to configure iptables for you:

    http://www.simonzone.com/software/guidedog/manual/kapp-forwarding.html
    http://www.simonzone.com/software/guidedog/manual/whatisportforwarding.html

    3. Perhaps you can try the openvpn-users mailing list:

    http://sourceforge.net/mailarchive/forum.php?forum_id=8453

    4. You can try asking your question in a Linux firewall forum, e.g.,

    http://www.linuxquestions.org/questions/forumdisplay.php?s=&forumid=4

    5. You can try a Google search on the subject. Here are some links that I found:

    http://www.linuxhorizon.ro/openvpn-brief.html
    http://www.linuxjournal.com/article/7949
    http://entropy.brneurosci.org/linuxsetup71.html
    http://www.alyra.org/~msph/web/?action=default/OpenVPN/read
    http://www.yolinux.com/TUTORIALS/LinuxTutorialIptablesNetworkGateway.html

    6. You can check out a Linux firewall book, e.g.,

    http://www.samspublishing.com/bookstore/product.asp?isbn=0672327716&rl=1

    Good luck!

  23. Beornwulf Says:

    Hello, I have recently installed Openvpn (latest build) and I have been trying to get it working as a service loading on windows startup. What I am trying to accomplish is having it prompt for a password and connect to the vpn (Home Office) before the Ctrl+Alt+Del screen appears, or even during. This way clients can be members of a (Home office domain) and log directly in. The cached credentials do work, but it would be nice to be able to directly log in on bootup. I have tried the forums for openvpn but no one has responded to my posts, just wondering if this has been done.

    Any ideas?

  24. Scott Says:

    THANKS!

    I’ve tried two or three times over the last two months to set up OpenVPN in my spare time. Once I found your step by step walk through, it only took a couple of hours to get it working. Now on to customizing and playing with firewalling the interface. This is the best resource for setting up OpenVPN on windows that I’ve found.

  25. Scott Beatty Says:

    Thanks, Scott! BTW, I’ve recently learned of OpenVPN-Admin, http://sourceforge.net/projects/openvpnadmin. I haven’t tried it yet, but it might make OpenVPN installation easier on Windows and Linux (so far). It uses Mono, which runs .Net on a variety of platforms, http://www.mono-project.com/Supported_Platforms.

  26. Shady Brady Says:

    Thanks. I was able to get it working in less than an hour! One point I’d like to mention. You can configure the client to point to a domain address vs. a static IP address. For example:
    mydomain.dynamicipservice.org . This of course assumes that you have set up an account with one of the dynamic IP services. You also will need a router or 3rd party program that lets you configure the dynamic IP service. My experience with the Linksys routers is that the DDNS service doesn’t work as well as installing one of the little service programs that runs in the Windows system tray. My program of choice is DeeEnEs ( http://www.palacio-cristal.com ). It works perfectly.

    Prior to trying OpenVPN, I tried the built in VPN connection in XP and it was inconsistent and buggy. I just spent the last week trying to get a $350 Linksys RV0041 to work as a VPN server for our road warriors… I could never get it to work. Linksys fails to mention clearly that you need VPN client software to connect to this router…even though their documentation says clearly that it supports “Up to 50 separate tunnels to connect remote offices or remote users.” Linksys QuickVpn client won’t work with this router. I tried the Greenbow client (costs $60 if you want to buy it). I could access “some” of the machines on the network but it seems to break connections all the time. I gave up..

    I still haven’t worked out the kinks to setting up bridging using OpenVPN. I want to be able to access all the computers on the network but don’t want to use an XP machine to make this happen. The threat of a port flood attack on port 1194 makes me nervous. Maybe others could share their experience with stability, security etc. I’ve little to no Linux experience, so setting up a Linux box is somewhat overwhelming and confusing.

  27. guroo Says:

    Can someone tell me how to do the following? I have an OpenVPN server installed on a WinXP machine with 5 VPN users… The machine connects to the Internet through PPPoE ADSL. Now how can I set it up so that all the clients, when connected, can surf through this Internet connection?

  28. Scott Beatty Says:

    @ guroo: I haven’t tried what you are asking, but this reference may help:
    http://openvpn.net/howto.html#redirect

  29. sakis Says:

    Hello. I have a problem with my OpenVPN. I have 1 common client and 2 different servers (a W2K server and a 2003 server). Sometimes the servers must reboot (Microsoft critical updates), and I have the problem that I must go and restart the OpenVPN services, because if I don’t do that I can’t connect by OpenVPN and I can’t ping the servers.
    Please help me. I have an idea to schedule the restart of the OpenVPN services after every reboot, but I want to know a pro idea for this problem.
    Thanks in advance.

  30. Scott Beatty Says:

    @sakis: As mentioned in point 16 above, assuming that OpenVPN has been installed as a service, you can change the service startup type to Automatic.

    Here is a more detailed description:

    Control Panel > Administrative Tools > Services
    right click OpenVPN Service > Properties
    change “Startup type” to “Automatic”
    click Start, OK

  31. John McGivern Says:

    Hi!

    This is another great article for a great product, thanks! My one issue is that I want the OpenVPN client to see the whole network, not just the VPN server itself. I can ping the VPN server from the client but nothing else internally. So far I can’t find any documentation about how to do this. Do I need static routes on my VLAN for the OpenVPN subnet to talk to the other internal subnets?

    Thanks in advance.

    John

  32. Scott Beatty Says:

    Thanks, John. As mentioned at the end of the comments for step 13, uncomment client-to-client in the server config file. You can find a reference in the OpenVPN documentation here: http://openvpn.net/howto.html#config

    That will enable an OpenVPN client to see the other OpenVPN clients on the same OpenVPN subnet.

    For the rest of your question, I suggest that you ask it in the forum mentioned in comment 2.

  33. John McGivern Says:

    Hi Scott, thanks for the response. I will check out the client-to-client setting. I actually meant being able to see other servers etc on the corporate LAN as opposed to vpn clients being able to see each other. However, I did discover the answer to my question. Basically you do need to add specific routes on your router/gateway device so that your internal subnets know how to get back to the vpn client subnet. So, we have a cisco catalyst switch here that acts as a gateway that needed a static route for this purpose - basically the command was

    “ip route [openvpn subnet] [netmask of openvpn subnet] [openvpn internal interface ip]” - this allows internal ip addresses to find openvpn client users/IPs

    Also, ip forwarding needs to be turned on as well. If your firewall is the actual gateway for your network then you would need to add a static route on the firewall as well for this traffic. Whatever device is your default gateway for your internal users will need this static route.

    Thanks again Scott.

    John

  34. Michael Says:

    Awesome article! I’ve noticed that when I run the VPN server on Win XP and run VNC so that I can use my desktop remotely, everything works GREAT! But this is ONLY if I leave the username logged in. Obviously logging out will break the VPN connection, but even when I choose the “switch user” option (leaving VPN and VNC running) so that nobody can sit down at the server and watch, the connection from the client doesn’t work.

    Any idea why?

    Michael

  35. Scott Beatty Says:

    Thanks, Michael. I don’t have experience with this problem. I did a quick Google search on the subject, and it appears to me that this problem is not related to OpenVPN. It seems to be a VNC and Windows XP issue. For example,
    http://ask.slashdot.org/article.pl?sid=03/07/03/0048204
    http://www.realvnc.com/pipermail/vnc-list/2003-September/040864.html
    Perhaps this post has a solution:
    http://forum.ultravnc.net/viewtopic.php?p=1923
    that is, try reconnecting VNC.

    I won’t be spending any more time on this issue. By having your question listed on this page, maybe another reader may see it and know the answer. If you find a definitive solution, please feel free to post a summary here.

  36. UltraSam Says:

    Hello,

    I’ve not yet found any clear answer about my problem… sorry if some solution has already been posted on this page.

    I use OpenVPN + OpenVPN GUI under Windows XP.
    I can connect correctly by entering my password through -> Connect

    But I want to automatically run and connect OpenVPN client as a service at bootup.

    Question: where can I store my OpenVPN connection password to avoid this message when the service is starting:

    Wed Mar 15 17:20:41 2006 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Enter Private Key Password:
    Wed Mar 15 17:20:41 2006 ERROR: could not not read Private Key password from stdin
    Wed Mar 15 17:20:41 2006 Exiting

    I mean, I need a way to automatically provide the password to the OpenVPN service when it starts.

    Thank you for any help,

    UltraSam

  37. Scott Beatty Says:

    UltraSam,

    I have not previously been confronted with that issue, nor do I know the solution. I see that you have also asked your question in the OpenVPN Forum,

    http://openvpn.se/bb/viewtopic.php?t=556,

    which is what I was going to suggest. I hope that you find a satisfactory answer.

  38. UltraSam Says:

    Scott,

    Thanks for your reply.
    Going to try what is suggested.

    UltraSam
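    The log excerpt in the question above shows two separate problems, and both are fixed in the client config file rather than in the service. What follows is an added example client configuration fragment, not code from the original article or from the OpenVPN project. The filenames, the server name vpn.example.com and the password file name are assumptions; replace them with your own.

```conf
# Added example client.ovpn fragment (assumed filenames; not the article's own config).
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client1.crt
key client1.key

# Clears the "No server certificate verification method has been enabled"
# warning from the log: the client then only accepts a server certificate
# that carries the nsCertType=server extension (easy-rsa's build-key-server
# sets it; a plain build-key certificate does not). Without this check, any
# holder of a valid client certificate from the same CA could pose as the
# server to other clients.
ns-cert-type server

# Clears the "could not not read Private Key password from stdin" error:
# a service has no console to prompt on, so the passphrase for client1.key
# is read from this file (one line, clear text) instead. The path is relative
# to the config folder when OpenVPN runs as a Windows service.
askpass client1.pass
```

    Two caveats before relying on this. First, `ns-cert-type server` will refuse a server whose certificate was not built with the server extension, so check how the server certificate was generated before enabling it. Second, a passphrase stored next to the key protects nothing beyond what the file permissions provide; restrict both `client1.key` and `client1.pass` so that only SYSTEM and Administrators can read them, since that is the only barrier left between a local user and the VPN credentials.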

  39. Rich Says:

    Great Article, very easy to follow.

    I have been experimenting with OpenVPN on SBS 2003. I read about bridging connections; I select the 2 NICs, but there is no option to bridge them. The network on SBS is using IP address 192.168.0.1, subnet 255.255.255.0. OpenVPN is running on 10.8.0.1, subnet 255.255.255.252. I can ping the server from the client and vice versa. I am not sure how to get the client to be able to see the full network. I need to connect a client (using 3G) to the Exchange server, which is on the network 192.168.0.1, subnet 255.255.255.0. I am not sure whether to use bridging or routing.

    Thanks in Advance
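    For reaching hosts on the office LAN (the question in comments 31 and 39), a routed tun setup is enough; bridging is not required. The fragment below is an added example server configuration, not code from the original article or from the OpenVPN project. It assumes the office LAN is 192.168.0.0/24 with the OpenVPN host at 192.168.0.1 and a VPN address pool of 10.8.0.0/24; adjust these to your network.

```conf
# Added example server.ovpn fragment for routed (tun) mode; addresses are assumptions.
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem

# Hand out VPN addresses from 10.8.0.0/24 (the server takes 10.8.0.1).
server 10.8.0.0 255.255.255.0

# Tell every connecting client that the office LAN is reachable through
# the tunnel; without this the client only has a route to the server itself.
push "route 192.168.0.0 255.255.255.0"

# Only needed if VPN clients must talk to each other. It does nothing for
# reaching LAN hosts, so it stays disabled here.
;client-to-client

keepalive 10 120
persist-key
persist-tun
```

    The pushed route covers only the outbound direction. LAN hosts such as the Exchange server still need a way back to 10.8.0.0/24, which is the point John makes in comment 33: either the office router or default gateway gets a static route for 10.8.0.0/24 pointing at the OpenVPN host's LAN address, or the OpenVPN host is itself the gateway and must forward packets between its TAP adapter and the LAN. On Windows 2000/XP/2003 that forwarding is off by default; it is enabled by setting the registry value `IPEnableRouter` to 1 under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters` (or by enabling routing in Routing and Remote Access) and rebooting.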

  40. bill Says:

    hello,
    Congrats on this great walk-through. Even though it was my first attempt to set up OpenVPN, this article helped me a lot.
    I just have one problem. My server completes the server.ovpn procedure successfully; the client, in the final step, remains in a WRWRRRRRRWRRR … thing. Do you have any idea why?

    Thanks anyway

  41. Charlie Says:

    Hi Scott,

    Thanks for this walk through. Great job! It saved me a lot of time!

    OpenVPN is a great solution for the client I’m working with. But I was having trouble getting it to work. I followed your instructions and it worked the first time.

    Best wishes,
    Charlie

  42. Scott Beatty Says:

    Thanks Charlie!

  43. Scott Beatty Says:

    After a recent request for the config files, I have created a .zip file with a server and a client config file that illustrate the changes mentioned in steps 13, 14, 18, and 19 above, as well as in my comment dated February 20th, 2006. These two config files are modifications of the sample config files that come with OpenVPN (you can get them without installing OpenVPN by downloading the latest source files from http://openvpn.net/download.html#stable and looking in the sample-config-files folder). There are several sample config files provided with OpenVPN, so if your needs are different from the ones discussed in this article, perhaps one of the sample config files can help you.

    My sample config files can be downloaded from http://www.sbeattyconsulting.com/code/3/sample-configs.zip. To use them, you’ll have to change the IP address and probably the certificate and key filenames. Also, if you run OpenVPN as a Windows service, then change the config file extensions from .conf to .ovpn.

  44. Lee J Says:

    Thank you for writing this article it has been very helpful though I have one problem -

    Once I connect a client to the server I can ping the TAP address on the server, and even the server’s external address and any other machine on the server’s subnet, but I cannot access the Internet? The gateway assigned to the client is the server’s TAP card’s address.

    Many thanks if you find time to reply; I’m sure it’s something simple.

    Lee

  45. Scott Beatty Says:

    Thanks Lee. I haven’t done a setup just like that, but I’d look at a couple of things:

    - Does your client adapter have a DNS IP address?

    - http://openvpn.net/howto.html#redirect

  46. Anze Says:

    great article! it’s simple and it’s easy to understand how openvpn works.

  47. Graham Says:

    Your instructions enabled me to set up OpenVPN successfully for the first time.
    It also makes it easier to understand the processes going on although I had to enable ‘Push DNS’ to get the connections working. Maybe because each end point was behind a NAT router.
    Anyway my supervisor was most impressed and now he has access to company servers from home. No pay rise though :-(

    Many Thanks
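    Comments 44 and 45 (no Internet access once connected) and comment 47 (needing to push DNS) describe the full-tunnel case, where the client's default route is moved into the VPN. The lines below are an added example of the server-side additions for that case, not code from the original article or from the OpenVPN project; they go with a routed tun server such as the one in the howto's #redirect section. The DNS server address 192.168.0.1 is an assumption.

```conf
# Added example additions to a routed server.ovpn for a full tunnel; DNS address assumed.

# Send all of the client's traffic through the tunnel. The "def1" flag adds
# two half-size routes (0.0.0.0/1 and 128.0.0.0/1) instead of overwriting the
# client's default route, so the original route is intact again when the
# tunnel closes, even if OpenVPN is killed rather than shut down cleanly.
push "redirect-gateway def1"

# With its default route inside the tunnel, the client can no longer rely on
# its ISP's resolver, so give it one reachable through the VPN. Windows
# clients apply dhcp-option to the TAP adapter automatically.
push "dhcp-option DNS 192.168.0.1"
```

    The part OpenVPN does not do for you is the one that usually causes the symptom in comment 44: packets from 10.8.0.0/24 arriving on the server's TAP adapter must be forwarded to the server's Internet-facing interface and NAT'ed, otherwise replies never find their way back into the tunnel. On a Linux server the howto shows this with an iptables MASQUERADE rule; on a Windows server it needs IP forwarding plus NAT (Internet Connection Sharing or the Routing and Remote Access NAT component) on the OpenVPN host. If pings to Internet addresses work but names do not resolve, only the DNS push is missing.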

  48. Scott Beatty Says:

    Markus Feilner’s book on OpenVPN, which I recently reviewed in this blog, includes much useful information on installing OpenVPN on Windows, as well as on Linux, Mac, and other operating systems.

  49. Andrzej-Poland Says:

    Thank you, Scott (Dziękuję Ci Scott)

    This is a great article for the beginner who wants to configure OpenVPN.

    Andrzej