Stas Grishin's picture

Location: see attached file

Intended for: TKL Core

Description: Installs openvpn (+bridge-utils) and the webmin openvpn module to TKL Core, allowing easier configuration and management of openvpn servers and certificates.

Alon Swartz's picture

I just took a look at the patch, nicely done! I would like to test it but to do so it would be great if you could supply a use-case type tutorial (client configuration howto, server configuration, connect commands, etc.).

Regarding the webmin openvpn package, can you provide a link to the source you used. How did you build the package? I'd like to add it to the webmin package in the TurnKey package repo.

BTW, when using sed to change paths, I find it more readable to use a different delimiter and then you don't need to escape slashes:
sed -i "s/cmd=\/opt/cmd=\/usr\/share/" $OVPN_CONFIG
sed -i "s|cmd=/opt|cmd=/usr/share|" $OVPN_CONFIG
Stas Grishin's picture

Thanks for the advice about sed syntax Alon, it makes the conf file a bit more readable.

I am also attaching a step-by-step tutorial on how to setup a routed openvpn server.

Bonus: I am attaching a all-in-one installation script I used when creating the openvpn machine. I documented the exact commands I used. I later used this script to create the tklpatch, simplifying various parts to fit the tklpatch model.

I will create a new topic to post information about how I made the webmin package. The all-in-one script is a good example as well.


Oh, there appears to be a bug in the forum code which messes up the uploads when I try to re-upload a newer version of tkl-openvpn.tar.gz. For now just right-click, save as, rename.

James Lewis's picture


Thank you for this article and script.  It was exactly what I was looking for my simple OpenVPN solution.  One configuration setting I had to perform on the TKL system after enabling IP forwarding was to also enable NAT on the server.

sudo iptables -t nat -A POSTROUTING -s (ovpn-net + ovpn-net mask) -o eth0 -j MASQUERADE

Everything else worked perfectly.

Some other options I added to force all vpn clients to pass all traffic through the VPN was to add the option below the push "route"

push "redirect-gateway def1"

Again thank you very much for this detailed and awesome article / walkthrough.


Liraz Siri's picture

Your work on this patch will be the basis for an excellent addition to the appliance library in the next release batch. I'm very excited because this is the first new appliance developed using tklpatch by a community developer. Up until now the bottleneck has been the limited resources Alon and I can devote to TurnKey. We can only work on so many features and appliances at a given time.

But with the help of contributors from the community the sky is the limit! This is why I love open source. We'll be sure to give you credit for this when we make the announcement.

Stas Grishin's picture

I just logged in and noticed the karma bonus and this message. Thanks so much. I knew I was one of the first outside developers but didn't realize I was the first with a release. I am working on a few more random patches.

Thanks to the TKL team for making an excellent linux-based VM appliance platform.

Alon Swartz's picture

I have created a new section in the development wiki for TKLPatches, and have added this patch to the list. Feel free to update the patch page as you see fit.
Carlos's picture

Can I use this patch on the LAMP appliance?

Liraz Siri's picture

I can't think of any reason it wouldn't work but the only way to know for sure is to try it.

Hi Guys

Is a non-beta OpenVPN appliance available yet? Looking forward to it!!

It's so helpful that you thought of many things (like instructions) that us newbies really need.

Could the appliance include best-practice instructions for security lock-down of production servers? I'm concerned someone would hack the VPN server and gain access to the entire cloud.

Jeremy Davis's picture

But I imagine it will be one of the appliances in "Part 2" of the current v11.0RC release.

IMO unfortunately documentation is one area where TKL could do with some serious improvement. Stas has provided some documentation of this above in the tklopenvpn-howto.txt which should be helpful; beyond that you're out of luck other than having a google and crossing your fingers.

Sef's picture

Why is everybody talking about PC-to-PC (Level 2 Bridging)? I want level 3 bridging (TAP Tunneling) aka LAN/Ethernet bridging. Can anyone create instructions for this one? Thanks!

slbmeh's picture

In reply to DEV TUN/TAP, I believe you have that backwards.  You are correct that Tap exists at Layer 3, and Tun exists at Layer 2.  Layer 3 stacks on top of Layer 2, Layer 3 gives you the IP layer that TCP/IP is on top of, and Layer 2 is the ethernet bridging you say that you would like.

Either way should work just as well.  IMO, Layer 2 is unnecessary in almost all circumstances.  It introduces ARP through hops, which is not the design intended.  ARP just wastes bandwith on your local net before the router forwards the connection whereas a route defined over Layer 3 would have been a more direct approach.


In reply to the patch, looking forward to trying it out.  I'm just getting started with TKL, and my end goal is to have all of my appliances on Squeeze opposed to Lenny.  I'm going to take a look at the mechanics of this and post a patch if needed to apply to the current Debian Core RC.

user's picture


First I would like to thank you all for developing TKL. It is a wonderful tool.

Then I would like to ask if this appliance, TKL OpenVPN, is still in development or was it abandoned?

I would really like deploying such a tool and was about to use TKL core to install one.

Is there a "TKL from core to OpenVPN gateway" tutorial somewhere?

Also, regarding other appliances, it would be nice to have a one liner command to specify the security parameters (such as RSA key lenght) of certificates, secret keys, ...  and to renew/change them.

It seems at boot that some RSA-1024 keys are still generated whereas I would prefer 4096 by default (and the possibility to choose 8192).

I tried to do it for instance on TKL Mediawiki but failed. So it was either using my TKL Core with custom install of media wiki and custom self signed certificate with the key lenght of my choice or to use TKL Media wiki as is without managing to chance the security level.

Kind regards,

A big fan :)

Jeremy Davis's picture

But you could possibly still use the patch. It may require some updating but could be a starting point. Have a read about TKLPatch in the docs.

As for the RSA stuff I have no idea TBH, so I'm no help there...

Ric Moore's picture

...for your installed to metal OS, would this enable  VPn for me safely enough?? I'm using the most recent proxmox 2.2-31  Or, is there a better way to do this running Debian Sqeeze?

Thanks, Ric

gklonis's picture

Where can i configure openvpn ??? On the webmin GUI there is nothing about openvpn!!!!


Please help

Alon Swartz's picture

The appliance page is here. Don't forget to take a look at the usage documentation (link at the bottom of the appliance page).

Add new comment