| 277 | | It's best to use the OpenVPN sample configuration files as a starting point for your own configuration. These files can also be found in |
| 278 | | |
| 279 | | the sample-config-files directory of the OpenVPN source distribution |
| 280 | | the sample-config-files directory in /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn if you installed from an RPM or DEB package |
| 281 | | Start Menu -> All Programs -> OpenVPN -> OpenVPN Sample Configuration Files on Windows |
| 282 | | |
| 283 | | Note that on Linux, BSD, or unix-like OSes, the sample configuration files are named server.conf and client.conf. On Windows they are named server.ovpn and client.ovpn. |
| 284 | | Editing the server configuration file |
| 285 | | |
| 286 | | The sample server configuration file is an ideal starting point for an OpenVPN server configuration. It will create a VPN using a virtual TUN network interface (for routing), will listen for client connections on UDP port 1194 (OpenVPN's official port number), and distribute virtual addresses to connecting clients from the 10.8.0.0/24 subnet. |
| | 277 | It's best to use the OpenVPN [https://github.com/OpenVPN/openvpn/tree/master/sample/sample-config-files sample configuration files] as a starting point for your own configuration. These files can also be found in |
| | 278 | |
| | 279 | * the '''sample/sample-config-files''' directory of the OpenVPN source distribution |
| | 280 | * the '''sample-config-files''' directory in '''/usr/share/doc/packages/openvpn''' or '''/usr/share/doc/openvpn''' if you installed from an RPM or DEB package |
| | 281 | * '''Start Menu -> All Programs -> OpenVPN -> OpenVPN Sample Configuration Files''' on Windows |
| | 282 | |
| | 283 | Note that on Linux, BSD, or unix-like OSes, the sample configuration files are named '''server.conf''' and '''client.conf'''. On Windows they are named '''server.ovpn''' and '''client.ovpn'''. |
| | 284 | |
| | 285 | == Editing the server configuration file == |
| | 286 | |
| | 287 | The sample server configuration file is an ideal starting point for an OpenVPN server configuration. It will create a VPN using a virtual '''TUN''' network interface (for routing), will listen for client connections on '''UDP port 1194''' (OpenVPN's official port number), and distribute virtual addresses to connecting clients from the '''10.8.0.0/24''' subnet. |
| 292 | | If you are using Ethernet bridging, you must use server-bridge and dev tap instead of server and dev tun. |
| 293 | | If you want your OpenVPN server to listen on a TCP port instead of a UDP port, use proto tcp instead of proto udp (If you want OpenVPN to listen on both a UDP and TCP port, you must run two separate OpenVPN instances). |
| 294 | | If you want to use a virtual IP address range other than 10.8.0.0/24, you should modify the server directive. Remember that this virtual IP address range should be a private range which is currently unused on your network. |
| 295 | | Uncomment out the client-to-client directive if you would like connecting clients to be able to reach each other over the VPN. By default, clients will only be able to reach the server. |
| 296 | | If you are using Linux, BSD, or a Unix-like OS, you can improve security by uncommenting out the user nobody and group nobody directives. |
| | 293 | * If you are using Ethernet bridging, you must use '''server-bridge''' and '''dev tap''' instead of '''server''' and '''dev tun'''. |
| | 294 | * If you want your OpenVPN server to listen on a TCP port instead of a UDP port, use '''proto tcp''' instead of '''proto udp''' (If you want OpenVPN to listen on both a UDP and TCP port, you must run two separate OpenVPN instances). |
| | 295 | * If you want to use a virtual IP address range other than '''10.8.0.0/24''', you should modify the server directive. Remember that this virtual IP address range should be a private range which is currently unused on your network. |
| | 296 | * Uncomment out the '''client-to-client''' directive if you would like connecting clients to be able to reach each other over the VPN. By default, clients will only be able to reach the server. |
| | 297 | * If you are using Linux, BSD, or a Unix-like OS, you can improve security by uncommenting out the '''user nobody''' and '''group nobody''' directives. |
| 300 | | Use a different port number for each instance (the UDP and TCP protocols use different port spaces so you can run one daemon listening on UDP-1194 and another on TCP-1194). |
| 301 | | If you are using Windows, each OpenVPN configuration taneeds to have its own TAP-Windows adapter. You can add additional adapters by going to Start Menu -> All Programs -> TAP-Windows -> Add a new TAP-Windows virtual ethernet adapter. |
| 302 | | If you are running multiple OpenVPN instances out of the same directory, make sure to edit directives which create output files so that multiple instances do not overwrite each other's output files. These directives include log, log-append, status, and ifconfig-pool-persist. |
| 303 | | |
| 304 | | Editing the client configuration files |
| 305 | | |
| 306 | | The sample client configuration file (client.conf on Linux/BSD/Unix or client.ovpn on Windows) mirrors the default directives set in the sample server configuration file. |
| 307 | | |
| 308 | | Like the server configuration file, first edit the ca, cert, and key parameters to point to the files you generated in the PKI section above. Note that each client should have its own cert/key pair. Only the cafile is universal across the OpenVPN server and all clients. |
| 309 | | |
| 310 | | |
| 311 | | Next, edit the remotedirective to point to the hostname/IP address and port number of the OpenVPN server (if your OpenVPN server will be running on a single-NIC machine behind a firewall/NAT-gateway, use the public IP address of the gateway, and a port number which you have configured the gateway to forward to the OpenVPN server). |
| 312 | | |
| 313 | | |
| 314 | | Finally, ensure that the client configuration file is consistent with the directives used in the server configuration. The major thing to check for is that the dev (tun or tap) and proto (udp or tcp) directives are consistent. Also make sure that comp-lzo and fragment, if used, are present in both client and server config files. |
| 315 | | |
| 316 | | |
| 317 | | |
| 318 | | Starting up the VPN and testing for initial connectivity |
| 319 | | Starting the server |
| | 301 | * Use a different '''port''' number for each instance (the UDP and TCP protocols use different port spaces so you can run one daemon listening on UDP-1194 and another on TCP-1194). |
| | 302 | * If you are using Windows, each OpenVPN configuration taneeds to have its own TAP-Windows adapter. You can add additional adapters by going to '''Start Menu -> All Programs -> TAP-Windows -> Add a new TAP-Windows virtual ethernet adapter'''. |
| | 303 | * If you are running multiple OpenVPN instances out of the same directory, make sure to edit directives which create output files so that multiple instances do not overwrite each other's output files. These directives include '''log, log-append, status''', and '''ifconfig-pool-persist'''. |
| | 304 | |
| | 305 | == Editing the client configuration files == |
| | 306 | |
| | 307 | The sample client configuration file ('''client.conf''' on Linux/BSD/Unix or '''client.ovpn''' on Windows) mirrors the default directives set in the sample server configuration file. |
| | 308 | |
| | 309 | * Like the server configuration file, first edit the '''ca''', '''cert''', and '''key''' parameters to point to the files you generated in the PKI section above. Note that each client should have its own '''cert/key''' pair. Only the cafile is universal across the OpenVPN server and all clients. |
| | 310 | * Next, edit the '''remote''' directive to point to the hostname/IP address and port number of the OpenVPN server (if your OpenVPN server will be running on a single-NIC machine behind a firewall/NAT-gateway, use the public IP address of the gateway, and a port number which you have configured the gateway to forward to the OpenVPN server). |
| | 311 | * Finally, ensure that the client configuration file is consistent with the directives used in the server configuration. The major thing to check for is that the '''dev''' (tun or tap) and '''proto''' (udp or tcp) directives are consistent. Also make sure that '''comp-lzo''' and '''fragment''', if used, are present in both client and server config files. |
| | 312 | |
| | 313 | = Starting up the VPN and testing for initial connectivity = |
| | 314 | |
| | 315 | == Starting the server == |
