openvpn is a vpn solution that implements connections for the layer 2 or 3, using the SSL/TLS protocol stack. Configuring a vpn SSL/TLS is a good idea and enhance the security of our communications due to the data cipher using the pki infraestructure (pair public/private key) and the verification and authentication of the data. Some advantages of the use openvpn are:

  • Not necessary a static ip address for the server.
  • The virtual interfaces used by the vpn may be filtered by iptables.
  • Easy configuration.
  • No problems with NAT, the server and the client may be in a LAN with a router using NAT.
  • A single port used for the connectivity with the server, by default use 1194/udp.

Basically we can configure openvpn of two ways:

  • tun (layer 3): simulate a point to point connection using IP protocol.
  • tap (layer 2): simulate a virtual ethernet adapter. This method may encapsulate other protocols different than IP.

The method used in this post is tun, and the addressing configured here is:

– VPN client: LAN: –> NAT (public IP address)

– VPN server: (public ip address) –> LAN

– VPN network:

The objective is create a vpn from the client to the vpn server using his public ip address to connect for the LAN, for this we’ll encapsulate the packages using the virtual network created by the vpn


OpenVPN server

– Install openvpn:

# apt-get install openvpn

– Copying openvpn easy rsa scripts to the openvpn default config directory:

# cp -rp /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/easy-rsa

– Update the variables used by the scripts to create the certificates with our own information:

# vi /etc/openvpn/easy-rsa/vars

export KEY_CITY="Barcelona"
export KEY_ORG=""
export KEY_EMAIL="[email protected]"

– Create a new CA to sign the new certificates for the vpn:

# cd /etc/openvpn/easy-rsa/
# chmod +x vars
# source ./vars
# ./clean-all
# ./build-ca

– Generate a certificate and private key for the server:

# ./build-key-server opentodo-vpn

– Generate a certificate and private key for the vpn client:

# ./build-key vpn-client

– Generate diffie hellman parameters:

# ./build-dh

– Copying the keys generated for the openvpn server to the directory /etc/openvpn/:

# cp ca.key ca.crt dh1024.pem opentodo-vpn.crt opentodo-vpn.key /etc/openvpn/

– Configuring the vpn server config file:

# cd /usr/share/doc/openvpn/examples/sample-config-files/
# gunzip server.conf.gz
# cp server.conf /etc/openvpn/


# vi /etc/openvpn/server.conf

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194
# TCP or UDP server?
;proto tcp
proto udp
dev tun
ca ca.crt
cert opentodo-vpn.crt
key opentodo-vpn.key
dh dh1024.pem
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on Comment this line out if you are
# ethernet bridging. See the man page for more info.
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
push "route"
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log
# Set the appropriate level of log
# file verbosity.
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

Basically with this configuration we create the vpn with the virtual network and route to the local network for the clients, setting up the parameter push route. The ip address provided to the clients are saved in the file /etc/openvpn/ipp.txt.

– Enabling routing:

# vi /etc/sysctl.conf


# sysctl -p

– Starting openvpn daemon:

# /etc/init.d/openvpn start

OpenVPN client

– Install openvpn:

# apt-get install openvpn

– Copying the key and certificates for the client:

# scp [email protected]:/etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/
# scp [email protected]:/etc/openvpn/easy-rsa/keys/vpn-client.crt /etc/openvpn/
# scp [email protected]:/etc/openvpn/easy-rsa/keys/vpn-client.key /etc/openvpn/

– Edit the configuration for the client with the name of the certificates, key and the ip address of the server:

# cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/
# vi /etc/openvpn/client.conf

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote vpn-server 1194

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert vpn-client.crt
key vpn-client.key

– Starting openvpn daemon:

# /etc/init.d/openvpn start

– Checking if the LAN of the remote vpn is accessible by the client:



Configuring a SSL/TLS VPN with OpenVPN
Tagged on:         

5 thoughts on “Configuring a SSL/TLS VPN with OpenVPN

  • April 13, 2013 at 13:52

    Is there any way to force client and server to use SSL instead of TLS from the beginning (authentication) , because in iran they filter us and analyse the packets?

    • April 14, 2013 at 19:34

      Hey amir!! TLS is the successor of SSL see the wikipedia entry Do you try to configure a vpn server?

      • April 14, 2013 at 19:46

        hi ivan, yes i configured open vpn appliance on windows server 2008 r2 and vmware workstation , it work on iphone and ipad but did’t work on windows and said TLS handshake error and it is because of login authentication using TLS in windows (I think)
        , is there any way to solve this problem?

        • April 18, 2013 at 18:41

          It can be error from the configuration file of the client for the certificate entry, check it


Leave a Reply


Get every new post delivered to your Inbox

Join other followers: