SoHo - OpenVPN


1. Requirements

In our setup the OpenVPN server runs on RHEL 4 or CentOS 5, with clients on Ubuntu and Windows.
Both server and clients should run NTP, and their clocks should be synchronized before OpenVPN is started. If the clocks are out of sync, connection attempts will complain:

TLS Error: Unroutable control packet received from xx.xx.xx.xx:xxxx


2.1. Setup

Obtain the OpenVPN RPM for RHEL4:

General info:

2.2. Create certificates

Set up a central certificate authority as explained here. This will create the CA certificate /etc/pki/ca/ca.crt.

Create VPN server certificate

mkdir /etc/pki/openvpn
cd /etc/pki/openvpn
/etc/pki/ca/auto-sign /etc/pki/openvpn vpn
Organizational Unit Name (eg, section) []:VPN
Common Name (eg, your name or your server's hostname) []

This creates /etc/pki/openvpn/vpn.crt and /etc/pki/openvpn/vpn.key

Create a client certificate

/etc/pki/ca/auto-sign . client-f11
Organizational Unit Name (eg, section) []:VPN
Common Name (eg, your name or your server's hostname) []:client-f11

In the same way create remaining client certificates: client-win, client-tk, client-uk, client-ut, client-pella.

Build the Diffie-Hellman parameters for the server side of the SSL/TLS connection:

openssl dhparam -out diffie-helman.pem 2048

Generate the tls-auth key (a shared HMAC key that lets the server drop packets from anyone who does not hold it before the TLS handshake starts):

openvpn --genkey --secret tls.key

2.3. Server configuration

Edit /etc/openvpn/server.conf:

local xx.xx.xx.xx
port 13578
proto udp
dev tun0
ca /etc/pki/ca/ca.crt
cert /etc/pki/openvpn/vpn.crt
key /etc/pki/openvpn/vpn.key
dh /etc/pki/openvpn/diffie-helman.pem
tls-auth /etc/pki/openvpn/tls.key 0
client-config-dir /etc/openvpn/ccd
ifconfig-pool-persist /etc/openvpn/ipp.txt
status /var/log/openvpn-status.log
cipher DES-EDE3-CBC
push "dhcp-option DNS"
push "dhcp-option WINS"
push "route"
push "route"
keepalive 10 120
max-clients 100
verb 4
mute 20
;user nobody
;group nobody
;log-append  openvpn.log

We use a non-standard port for OpenVPN to increase security; the firewall rules in soho/prerequisites should be adjusted accordingly.

For additional security we use triple-DES (DES-EDE3-CBC) and a tls-auth key.
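As an added example (not part of the original page), the following POSIX shell lint reads a server.conf and flags the points a reviewer would raise about the configuration above: the privilege drop (`user`/`group`) is commented out, `persist-key`/`persist-tun` are absent (both are needed once privileges are dropped, or a restart after a keepalive timeout cannot re-open the keys and the tun device), and DES-EDE3-CBC is a 64-bit block cipher where AES-256-CBC offers a 128-bit block. The `write_sample_conf` helper writes two constructed files: `weak` mirrors the page's settings (with the real address replaced by 192.0.2.1), `hardened` is the same file with the findings addressed.

```shell
#!/bin/sh
# Added example, not from the original page: a small lint for an OpenVPN
# server.conf. The sample files below are constructed; 192.0.2.1 stands in
# for the page's elided address.

# conf_has FILE DIRECTIVE -> 0 if an active (uncommented) line starts with DIRECTIVE
conf_has() {
  grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# lint_server_conf FILE -> prints one finding per line, returns the finding count
lint_server_conf() {
  f=$1; n=0
  # ';user nobody' / ';group nobody' are commented out, so the daemon keeps
  # running as root after initialisation.
  conf_has "$f" user  || { echo "user: no privilege drop (uncomment 'user nobody')"; n=$((n + 1)); }
  conf_has "$f" group || { echo "group: no privilege drop (uncomment 'group nobody')"; n=$((n + 1)); }
  # After dropping privileges the daemon cannot re-read keys or re-open the
  # tun device on a restart (e.g. keepalive timeout) without these two.
  conf_has "$f" persist-key || { echo "persist-key: missing (needed with user/group)"; n=$((n + 1)); }
  conf_has "$f" persist-tun || { echo "persist-tun: missing (needed with user/group)"; n=$((n + 1)); }
  # DES-EDE3-CBC is a 64-bit block cipher; AES has a 128-bit block.
  if grep -Eq '^[[:space:]]*cipher[[:space:]]+DES' "$f"; then
    echo "cipher: 64-bit block cipher (prefer AES-256-CBC)"; n=$((n + 1))
  fi
  # tls-auth key direction: 0 on the server pairs with 1 on the clients.
  grep -Eq '^[[:space:]]*tls-auth[[:space:]].*[[:space:]]0[[:space:]]*$' "$f" \
    || { echo "tls-auth: missing or wrong key direction (server side is 0)"; n=$((n + 1)); }
  return "$n"
}

# write_sample_conf weak|hardened FILE -- 'weak' mirrors the page's settings,
# 'hardened' is the same file with the findings above addressed.
write_sample_conf() {
  cat > "$2" <<'EOF'
local 192.0.2.1
port 13578
proto udp
dev tun0
ca /etc/pki/ca/ca.crt
cert /etc/pki/openvpn/vpn.crt
key /etc/pki/openvpn/vpn.key
dh /etc/pki/openvpn/diffie-helman.pem
tls-auth /etc/pki/openvpn/tls.key 0
keepalive 10 120
EOF
  if [ "$1" = hardened ]; then
    printf '%s\n' 'cipher AES-256-CBC' 'user nobody' 'group nobody' 'persist-key' 'persist-tun' >> "$2"
  else
    printf '%s\n' 'cipher DES-EDE3-CBC' ';user nobody' ';group nobody' >> "$2"
  fi
}

# Demo: lint both variants.
d=$(mktemp -d)
for variant in weak hardened; do
  write_sample_conf "$variant" "$d/$variant.conf"
  echo "== $variant =="
  lint_server_conf "$d/$variant.conf" && echo "no findings"
done
rm -rf "$d"
```

Run it against the real file with `lint_server_conf /etc/openvpn/server.conf`; the return value is the number of findings, so it can gate a deployment script.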


2.4. Static Clients

The clients win, tk and some others should have static IP addresses:

win   :
tk    :
ttk   :
el    :
pella :

Create the files:

  • /etc/openvpn/ccd/winsrv:
    push "redirect-gateway"
  • /etc/openvpn/ccd/tk:
    push "redirect-gateway"
  • /etc/openvpn/ccd/ttk:
    push "route"
    push "route"
    push "redirect-gateway"
  • /etc/openvpn/ccd/el:
    push "route"
    push "route"
  • /etc/openvpn/ccd/pella:
    push "route"
    push "route"

Clients of type uk and ut use static routing and may share one certificate. Create /etc/openvpn/ccd/uk and /etc/openvpn/ccd/ut with the following content:

push "redirect-gateway"
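The following POSIX shell script is an added example, not part of the original page: it generates the client-config-dir files above from a small table of static addresses, and checks each address pair before writing. In OpenVPN's default net30 topology every client owns a /30, so the usable pair inside it has last octets of the form [4n+1, 4n+2] ([1,2] [5,6] [9,10] ... [253,254]); the Windows TAP driver rejects any other pair, which is the ".0 last octet" problem the Windows section refers back to. The client names are the page's; the 10.8.0.x addresses, the 192.168.x.0 LAN routes and the output directory are constructed for the example (the page elides the real ones).

```shell
#!/bin/sh
# Added example, not from the original page: write client-config-dir (ccd)
# files with static addresses, refusing pairs that are not a valid net30 /30.
# All addresses below are constructed placeholders.

# valid_net30_pair CLIENT_LAST_OCTET SERVER_LAST_OCTET -> 0 when both octets
# sit in the same /30 and are its two usable addresses {4n+1, 4n+2}.
valid_net30_pair() {
  [ "$(($1 / 4))" -eq "$(($2 / 4))" ] || return 1
  case "$(($1 % 4))$(($2 % 4))" in
    12|21) return 0 ;;
    *)     return 1 ;;
  esac
}

# write_ccd DIR NAME CLIENT_IP SERVER_IP [extra lines...]
# Writes DIR/NAME with an ifconfig-push line followed by the extra lines.
write_ccd() {
  dir=$1; name=$2; cip=$3; sip=$4; shift 4
  valid_net30_pair "${cip##*.}" "${sip##*.}" \
    || { echo "refusing $name: $cip/$sip is not a valid net30 /30 pair" >&2; return 1; }
  {
    echo "ifconfig-push $cip $sip"
    for line in "$@"; do echo "$line"; done
  } > "$dir/$name"
}

# generate_example_ccd DIR -- the page's static clients with constructed addresses
generate_example_ccd() {
  mkdir -p "$1"
  write_ccd "$1" win 10.8.0.6  10.8.0.5  'push "redirect-gateway"'
  write_ccd "$1" tk  10.8.0.10 10.8.0.9  'push "redirect-gateway"'
  write_ccd "$1" el  10.8.0.14 10.8.0.13 \
    'push "route 192.168.10.0 255.255.255.0"' \
    'push "route 192.168.20.0 255.255.255.0"'
}

# Demo: generate into a temporary directory and show the result.
d=$(mktemp -d)
generate_example_ccd "$d"
for f in "$d"/*; do echo "== $f =="; cat "$f"; done
# This one is refused: .4 is the network address of its /30, not a usable host.
write_ccd "$d" bad 10.8.0.4 10.8.0.5 || true
rm -rf "$d"
```

Point `generate_example_ccd` at /etc/openvpn/ccd once the address table is filled in; the server reads the directory named by `client-config-dir`, so a refused file simply leaves that client on the dynamic pool.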

2.5. Forwarding

Edit /etc/sysctl.conf:

net.ipv4.ip_forward = 1
# for VPN forwarding
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.vmnet1.forwarding = 1
net.ipv4.conf.tun0.forwarding = 1

Apply the settings:

sysctl -p /etc/sysctl.conf

2.6. Firewall

The VPN network should behave like a semiconductor diode: packets from the outside world must be prohibited from entering the VPN kiosk. So we add the following iptables rule to the FORWARD chain (a rule that matches both an input and an output interface belongs in FORWARD, not INPUT):

-A FORWARD -i eth0 -o tun0 -j REJECT --reject-with icmp-host-prohibited
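Added example, not from the original page: a check that the eth0-to-tun0 REJECT rule is actually effective in a saved ruleset. It reads `iptables-save` output and confirms that the filter table's FORWARD chain rejects eth0-to-tun0 traffic before any ACCEPT rule that such traffic would match first (an earlier `-A FORWARD -o tun0 -j ACCEPT`, for example, makes the REJECT unreachable). The interface names are the page's; the three sample rulesets are constructed, and the parser understands only plain `-i X`/`-o Y` matches, not `!` negations.

```shell
#!/bin/sh
# Added example, not from the original page: verify the one-way rule in an
# iptables-save dump. Sample rulesets below are constructed.

# forward_rule_ok FILE -> 0 when the filter table's FORWARD chain rejects
# eth0->tun0 before any ACCEPT that eth0->tun0 traffic could match.
forward_rule_ok() {
  awk '
    # value of "-i"/"-o" in a rule line, or "" when the rule does not set it
    function opt(s, flag,   re) {
      re = " " flag " [^ ]+"
      if (!match(s, re)) return ""
      return substr(s, RSTART + length(flag) + 2, RLENGTH - length(flag) - 2)
    }
    /^\*/ { table = substr($0, 2) }                  # *filter, *nat, ...
    table == "filter" && /^-A FORWARD / {
      i = opt($0, "-i"); o = opt($0, "-o")
      if (i == "eth0" && o == "tun0" && $0 ~ /-j REJECT/) { ok = 1; exit }
      # an ACCEPT with no narrower interface match is hit first: REJECT is shadowed
      if ($0 ~ /-j ACCEPT/ && (i == "" || i == "eth0") && (o == "" || o == "tun0")) exit
    }
    END { exit ok ? 0 : 1 }
  ' "$1"
}

# write_sample_rules good|shadowed|missing FILE -- constructed iptables-save output
write_sample_rules() {
  {
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    [ "$1" = shadowed ] && echo '-A FORWARD -o tun0 -j ACCEPT'
    [ "$1" != missing ] && echo '-A FORWARD -i eth0 -o tun0 -j REJECT --reject-with icmp-host-prohibited'
    echo '-A FORWARD -i tun0 -o eth0 -j ACCEPT'
    echo 'COMMIT'
  } > "$2"
}

# Demo: run the check over the three sample rulesets.
d=$(mktemp -d)
for variant in good shadowed missing; do
  write_sample_rules "$variant" "$d/$variant"
  if forward_rule_ok "$d/$variant"; then
    echo "$variant: eth0->tun0 is rejected"
  else
    echo "$variant: REJECT rule missing or shadowed"
  fi
done
rm -rf "$d"
```

On the live server the same check is `iptables-save > /tmp/rules && forward_rule_ok /tmp/rules`; ordering matters because iptables stops at the first matching terminating target.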

2.7. Fix permissions and run server

chown -R root:root /etc/pki/openvpn /etc/openvpn
chmod 600 /etc/pki/openvpn/*.crt /etc/pki/openvpn/*.key /etc/openvpn/*.conf
chkconfig openvpn on
service openvpn restart

3. VPN Client on Ubuntu

Install OpenVPN

apt-get install openvpn

Copy keys from server to client

ssh [email protected]
cd /etc/pki/openvpn
scp ../ca/ca.crt tls.key XXX.crt XXX.key XXX:/etc/openvpn

Create /etc/openvpn/client.conf on the client. The same file is used on all clients except Windows:

dev tun0
remote xx.xx.xx.xx 13578
proto udp
resolv-retry infinite
ca ca.crt
cert client.crt
key client.key
cipher DES-EDE3-CBC
tls-auth tls.key 1
;ns-cert-type server
verb 3
mute 20

Set secure file permissions

ssh [email protected]
cd /etc/openvpn
mv XXX.crt client.crt
mv XXX.key client.key
chown -R root.root .
chmod 600 *.conf *.crt *.key

Run openvpn on client

chkconfig openvpn on
/etc/init.d/openvpn restart

4. Windows

First, install Windows. :)

4.1. Windows setup

Obtain the installer for version 2.1, or 2.1.rc7/win64, or 2.0.9/win32.

Install the software. If the installation aborts with the message "The software you are installing has not passed Windows Logo testing", right-click "My Computer" and go to "My Computer >> Properties >> Hardware >> Drivers >> Driver Signing". Change "Block" to "Warn - Prompt me each time to choose an action".
Copy the Windows-specific files from the VPN server (/etc/pki/ca/ca.crt, /etc/pki/openvpn/tls.key, /etc/pki/openvpn/client.conf, /etc/pki/openvpn/client-win.crt, /etc/pki/openvpn/client-win.key) to Windows, into C:\Program Files (x86)\OpenVPN\config, and edit client.ovpn.

OpenVPN for Windows does not like it when an IP address has a last octet of 0 (e.g. ). We have taken care of this already by configuring the ccd files properly on the server.

Go to "Start >> Administration >> Services". Right-click on the "OpenVPN Service", choose Properties and set it to "Start automatically".

Optionally go to "Control Panel >> Network Interfaces", rename the new "Connection 2 (TAP)" (or whatever it is called) connection to "VPN" and, in its properties, check "Show icon in notification area".

4.2. Routing problem

Windows Server 2003 i386 manifested the following problem for me: the VPN's TUN interface did not accept the VPN address and chose the local-site address instead. This was fixed by the following additional lines in the client config file:

ip-win32 dynamic
;route-method exe

However, OpenVPN on Windows sometimes temporarily lost the connection and set an incorrect interface mask when the connection was restored. Similar problems are reported in the IXBT OpenVPN FAQ:

A route is not added to the routing table, probably when the RRAS service is turned on (this happens most frequently on server OSes like Windows Server 2003, but I came across this on XP too) - error:

NOTE: FlushIpNetTable failed on interface [2] {427E6BDF-...}
      (status=1413) : Invalid index.

Probably there is a Windows bug, because the Windows API command must add the route to the table. And when you add show-net-up to the OpenVPN config file, OpenVPN at startup will query the whole Windows routing table and log it - our route will be in it. But issuing "route print" does not find the route...


Solution: "route-method exe" in the config file - this tells OpenVPN that the route should be added not via the API but via route.exe. Besides, you probably need a small delay before adding the route via route.exe (it happened that without a delay route.exe did not see the just-added interface and did not add the route). Do this using route-delay 10 (I don't care about a 10 second delay on a server; on a client you can lower the value after experimenting).

So I tried to adjust client.ovpn using the following options:

ip-win32 dynamic
route-method exe
route-delay 5
tap-sleep 5

This seems to have helped.

Also check the registry parameter:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter = 1

This problem manifested itself many times, e.g. it is discussed here1 (route method), here2 (route delay), here3 (IP enable router) and here4 (ifconfig, reply).

4.3. SSH

Install cygwin on Windows.

5. Troubleshooting

Obtaining VPN message log on server:

grep openvpn /var/log/messages

Obtaining VPN client status on the server (the file named by the status directive in server.conf):

cat /var/log/openvpn-status.log

See routing table on Windows

route print
netstat -rn

See VPN message log on Windows

cd "/cygdrive/c/Program Files (x86)/OpenVPN"
cat log/client.log

See VPN service status on Windows

sc query | grep -i vpn
sc query OpenVPNService

Restart the VPN service on Windows (either of the following works):

sc stop openvpnservice
sc start openvpnservice


net stop openvpnservice
net start openvpnservice

How to improve VPN performance

6.2. OpenVPN tuning

Because OpenVPN is implemented by the openvpn.exe user-space process, which is assigned Normal priority by default, connection speed drops dramatically when CPU-intensive programs are running (e.g. compiling a big project), since both compete for the CPU. Solve this by assigning High priority to OpenVPN after it has loaded.