How to configure TKL OpenVPN
by Stas Grishin

This document gives step-by-step instructions for configuring a routed OpenVPN server on a TurnKey Linux (TKL) appliance through the webmin OpenVPN+CA module.

Definitions (i.e. information to have before starting):
ovpn-lan-ip = the LAN IP of the OpenVPN machine (e.g. 192.168.1.125)
ovpn-int-ip = the internet IP of the OpenVPN machine (if intended for internet use)
ovpn-net = the internal network OpenVPN will use for client connections (e.g. 10.0.0.0). It must not overlap the server-side LAN or the LANs clients connect from, or routing will not work.
ovpn-mask = the subnet mask of ovpn-net (e.g. 255.255.255.0)
openvpn config = webmin: Servers > OpenVPN+CA (this is where most of the configuration is done)

It is best to assign a static IP to the OpenVPN machine. This can be done via the GUI provided by TurnKey Linux, via webmin, or via the command line.

*Creating the certificate authority
1. Log in to webmin and go to the openvpn config.
2. Choose a name for the certificate authority.
3. Select a different key size if desired.
4. Modify the rest of the fields to suit the organization.
5. Save. This will take a while depending on the key size.

*Creating keys
6. Go back to the openvpn config and click on the "Certificate Authority List" icon.
7. Find the newly created certificate authority in the list and click on "Keys list" on the right.
8. Create a server key by selecting "server" for the Key Server. Give this key an easily recognizable name, since this is the key the OpenVPN server will use on the server side. Most values should already be correct. I like to change the email for each key. Passwords are not required for keys; note that a key without a password is usable by anyone who obtains the file, so treat exported keys as secrets and revoke a key through the CA if it is lost.
9. Repeat steps 6-8 to create client keys, except leave the Key Server value set to "client". Client keys can also be added after the server is started.

*Creating the OpenVPN server
10. Go back to the openvpn config and click on the "VPN Lists" icon.
11. Make sure the proper certificate authority is selected and click "New VPN server".
12. Give the server a name. The port can be changed or left at the default (OpenVPN's default is UDP 1194).
13. Select "yes" for "enable TLS and assume server role during TLS handshake".
14. Under "Net IP assigns (option server)" enter the ovpn-net and ovpn-mask.
15. Select "yes" for "Persist/unpersist ifconfig-pool data to file..." (option ifconfig-pool-persist).
16. For "Encrypt packets with cipher algorithm" choose a CBC mode cipher; AES-256-CBC works. Various online sources report problems with the OFB and CFB modes, so avoid them. Your mileage may vary. Newer OpenVPN releases (2.4 and later) also support AES-256-GCM, which is preferable when both ends support it.
17. Add a route to the server-side network in "Additional Configuration" if desired. An example is given there.
18. Save.
19. On the next screen, find the VPN server and click "Start". Then continue reading; it is not ready yet.

*Setup users
If client keys have not been created in steps 6-9, create at least one key now.
20. Click on "Client List" in the same area where you started the OpenVPN server.
21. Click "New VPN Client".
22. Under "Name", select the key to use for the user.
23. For "remote (Remote IP)" enter the ovpn-int-ip, or the IP that clients will use to connect to the server. If the server sits behind a gateway router, the router must forward the OpenVPN port (UDP 1194 by default) from the internet to ovpn-lan-ip.
24. Save.
25. Repeat steps 20-24 for all users who will have access to the server.

*OpenVPN client configuration
The beauty of the OpenVPN webmin interface is that it auto-generates the client configuration files. Each export contains that user's private key, so deliver it over a secure channel.
26. On the "Client List" page from the previous step, click "Export" for the user to export that user's client-side configuration.
27. If using OpenVPN GUI on Windows, extract the files to the OpenVPN config directory (e.g. C:\Program Files\OpenVPN\config).

*Routing
SSH in to the OpenVPN machine and execute this to enable forwarding between the server-side LAN and the connected clients:

echo 1 > /proc/sys/net/ipv4/ip_forward

This setting is lost on reboot; to make it permanent, also set net.ipv4.ip_forward = 1 in /etc/sysctl.conf.

To allow LAN-side machines to reach connected clients, create a route on the gateway router so that traffic for ovpn-net is sent to the OpenVPN machine. This step varies by router.

In DD-WRT: Setup > Advanced Routing
Route Name: any
Destination LAN NET: ovpn-net
Subnet Mask: ovpn-mask
Gateway: ovpn-lan-ip

Make sure any services such as Samba will allow connections from the OpenVPN network (ovpn-net).
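The following script is an added example, not part of the original guide and not something the webmin module produces. It ties together the server settings of steps 12-17 and the Routing section: it derives the LAN network from ovpn-lan-ip, refuses an ovpn-net that overlaps it (the most common reason a "connected" client cannot reach anything), prints the OpenVPN option lines equivalent to the webmin choices, and shows how to make ip_forward permanent. The certificate file names, the sysctl.d path and all addresses are placeholders; on a real TKL box the webmin module writes its own config and file names.

```shell
#!/bin/sh
# Added example (not from the original guide): check the address plan from
# the Definitions section, emit the server options that steps 12-17 set in
# webmin, and persist ip_forward for the Routing section.
# All addresses and file names below are placeholders.

# dotted quad -> 32-bit integer
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# net_of IP MASK: network address, e.g. 192.168.1.125 255.255.255.0 -> 192.168.1.0
net_of() {
    int2ip $(( $(ip2int "$1") & $(ip2int "$2") ))
}

# nets_overlap NET1 MASK1 NET2 MASK2: exit 0 if the networks share any address.
# ANDing two contiguous masks yields the shorter prefix; the networks overlap
# exactly when their addresses agree under that prefix.
nets_overlap() {
    local m
    m=$(( $(ip2int "$2") & $(ip2int "$4") ))
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$3") & m )) ]
}

# gen_server_conf OVPN_NET OVPN_MASK LAN_NET LAN_MASK PORT
# Prints the option lines matching the guide's steps 12-17 (tls-server,
# server, ifconfig-pool-persist, cipher, and the pushed LAN route).
# Certificate/key names are placeholders for whatever webmin wrote.
gen_server_conf() {
    cat <<EOF
port $5
proto udp
dev tun
tls-server
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server $1 $2
ifconfig-pool-persist ipp.txt
cipher AES-256-CBC
push "route $3 $4"
keepalive 10 120
persist-key
persist-tun
EOF
}

# Enable forwarding now and across reboots (needs root; sysctl.d path assumed).
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/99-openvpn-forward.conf
}

# Usage: ./ovpn-plan.sh --generate OVPN_LAN_IP LAN_MASK OVPN_NET OVPN_MASK [PORT]
# e.g.   ./ovpn-plan.sh --generate 192.168.1.125 255.255.255.0 10.0.0.0 255.255.255.0
if [ "${1:-}" = "--generate" ]; then
    lan_net=$(net_of "$2" "$3")
    if nets_overlap "$lan_net" "$3" "$4" "$5"; then
        echo "ovpn-net $4/$5 overlaps the LAN $lan_net/$3; choose another ovpn-net" >&2
        exit 1
    fi
    gen_server_conf "$4" "$5" "$lan_net" "$3" "${6:-1194}"
fi
```

Run it with the --generate arguments shown in the usage comment and compare the printed lines with what webmin put in its server configuration; call enable_forwarding as root once the plan checks out. The overlap test is worth running against every remote LAN your clients will connect from, not only the server-side LAN, since a client whose home network is also 192.168.1.0/24 will never route to the pushed route.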