OpenVPN client configuration file. Organizing channels between offices using OpenVPN with additional password protection

OpenVPN is deservedly popular among system administrators when they need to connect remote offices with VPN channels quickly and efficiently. Today we offer you an article from our reader in which he will tell you how to set up a secure channel between offices with additional password protection on the Windows platform.

And so we need to organize a VPN channel between two offices. Network Office 1 (let's call it S_OF1) and Network Office 2 (let's call it S_OF2).

I’ll say right away that in my case OpenVPN is installed on Windows 7 in both offices.

S_OF1 includes:
The machine where we install the OpenVPN server has 2 network interfaces.
It also has a proxy server installed that distributes the Internet to the local network, thereby serving as the main gateway for all machines on the local network (192.168.0.100).
192.168.0.100 faces the local network.
192.168.1.2 faces the outside world through the router. The router has a static IP, say 111.222.333.444. Port 1190 is forwarded on the router (in my case, port 1190 was forwarded to 192.168.1.2).
Network user: 192.168.0.50

S_OF2 includes:
The machine where we install the OpenVPN client has 2 network interfaces.
It also has a proxy server installed that distributes the Internet to the local network, thereby serving as the main gateway for all machines on the local network (172.17.10.10).
172.17.10.10 faces the local network.
192.168.1.2 faces the outside world through the router.
Network user: 172.17.10.50

Task: User S_OF1 (192.168.0.50) should see shared resources on User S_OF2 (172.17.10.50) and vice versa.

Let's start setting up

Download the OpenVPN build that matches your system (32-bit or 64-bit).

Start the installation; at the 3rd step, enable the items that are inactive by default.

The next step is the installation path. To make your future life easier, install it to the root of drive C.

During the installation, the virtual network adapter TAP-Win32 Adapter V9 and, accordingly, its driver are installed. OpenVPN will assign the IP address and mask of the OpenVPN virtual network to this interface. In our case, it is assigned the address 10.10.10.1 with a mask of 255.255.255.0 on the S_OF1 server and 10.10.10.2 with the same mask on the S_OF2 client.

Let's rename it "VPN"


In the directory "C:\OpenVPN" you should immediately create two additional folders: ssl (this is where we will store the authentication keys) and ccd (this will hold the server-side settings for the client).

In the easy-rsa folder, create a file vars.bat. This batch file sets the variables for the certificate generation session; fill in the organization and location fields with your own data.

set HOME=C:\OpenVPN\easy-rsa
set KEY_CONFIG=openssl-1.0.0.cnf
set KEY_DIR=C:\OpenVPN\ssl
rem 1024-bit keys are weak by current standards; if you raise KEY_SIZE, the name of the DH file (dh1024.pem below) changes with it
set KEY_SIZE=1024
set KEY_COUNTRY=RU
set KEY_PROVINCE=Stavropol
set KEY_CITY=Stavropol
set KEY_ORG=ServerVPN
set KEY_EMAIL=admin@localhost
set KEY_CN=test
set KEY_NAME=test
set KEY_OU=test
set PKCS11_MODULE_PATH=test
set PKCS11_PIN=1234

Launch the command line as administrator.


Go to C:\OpenVPN\easy-rsa by typing the following command in the command line:

cd C:\OpenVPN\easy-rsa

Let's launch vars.bat:

Now let's launch build-ca.bat. Since we have already filled in all the information about the server, we leave everything unchanged:

After this we will have two files in the ssl folder: ca.crt and ca.key.

Let's launch build-dh.bat:

As a result, the file dh1024.pem will appear in the ssl folder.

We create a server key by entering the command:

build-key-server.bat ServerVPN

Here "ServerVPN" is the name of our VPN server, as in my case.

Important! For the "Common Name" parameter, enter the name of our VPN server. We leave all other parameters as default and answer yes to all questions.

As a result, we will have the files ServerVPN.crt, ServerVPN.csr and ServerVPN.key in the ssl folder.

Let's start generating client keys.

We execute the command:

build-key.bat UserVPN_1

Here "UserVPN_1" is our client's name.

Important! For the "Common Name" parameter, enter the name of our VPN client (UserVPN_1). We leave all other parameters as default and answer yes to all questions.

As a result, we will have the files UserVPN_1.crt, UserVPN_1.csr and UserVPN_1.key in the ssl folder.

If you have several clients, repeat the key generation for each of them, not forgetting to give each client its own name:

build-key.bat UserVPN_2
build-key.bat UserVPN_3

Now generate the tls-auth key (ta.key) for packet authentication. To do this, go to the OpenVPN root folder

and run the command:

openvpn --genkey --secret ssl/ta.key

As a result, we get the file ta.key in the ssl folder.

Let's start creating the server config. Create the file OpenVPN.ovpn in the config folder:

#Port for OpenVPN operation
port 1190

#Indicate what protocol OpenVPN uses
proto udp

#Interface type
dev tun

#Interface name
dev-node "VPN"

#Diffie-Hellman parameters for the key exchange
dh C:\\OpenVPN\\ssl\\dh1024.pem

#Certificate Authority certificate
ca C:\\OpenVPN\\ssl\\ca.crt

#Server certificate
cert C:\\OpenVPN\\ssl\\ServerVPN.crt

#Server key
key C:\\OpenVPN\\ssl\\ServerVPN.key

#Protection against DoS attacks (after the path to the key, set 0 for the server and 1 for the client)
#ta.key was generated in the ssl folder above
tls-server
tls-auth C:\\OpenVPN\\ssl\\ta.key 0
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450

#Range of IP addresses for the VPN network
server 10.10.10.0 255.255.255.0

#Select a cryptographic cipher
cipher AES-256-CBC

#Logs

#A directory containing a file with the name of our client, in my case UserVPN_1 without an extension, and in it write the commands that will be executed on the client:
client-config-dir "C:\\OpenVPN\\ccd"

#Debug information level
verb 3

#Number of duplicate messages
mute 20

#Maximum number of simultaneously connected clients we want to allow
max-clients 2

#Lifetime of an inactive session
keepalive 10 120

#We allow clients to see each other
client-to-client

#Enable compression
comp-lzo
persist-key
persist-tun

#Routes are added via route.exe; without this, routes are not registered on every machine
route-method exe

#Delay before adding route
route-delay 5

#A command that tells clients that there is a local network behind the server with addresses 192.168.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"

#Registers a route on the server to see the network behind the client
route 172.17.10.0 255.255.255.0 10.10.10.2

#Gateway
route-gateway 10.10.10.1

#Each client is given 1 address, without virtual router ports
topology subnet

In the ccd folder, create a file without an extension and name it exactly like the client, UserVPN_1; open it with Notepad and write the following:

#Assign the client a permanent IP 10.10.10.2
ifconfig-push 10.10.10.2 255.255.255.0

#inform the server that the client’s network is 172.17.10.0
iroute 172.17.10.0 255.255.255.0

#if you uncomment the following line, the client will be disabled (in case you need to disconnect this client from the server, and the others will work)
#disable
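The server config and the ccd file have to agree with each other: `route` puts the client's network into the server's routing table, while `iroute` tells OpenVPN which client owns that network, and a subnet listed in only one of them will not pass traffic. The following consistency check is an added example, not part of the original article; the embedded configs are constructed from the lines shown above, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample input: the routing lines of the server config and of the
# ccd file "UserVPN_1" shown in the article.
SERVER_CONF = '''
server 10.10.10.0 255.255.255.0
topology subnet
push "route 192.168.0.0 255.255.255.0"
route 172.17.10.0 255.255.255.0 10.10.10.2
'''
CCD_FILES = {
    "UserVPN_1": '''
#Assign the client a permanent IP 10.10.10.2
ifconfig-push 10.10.10.2 255.255.255.0
iroute 172.17.10.0 255.255.255.0
#disable
''',
}


def directives(text):
    """Yield each active config line as a list of words (comment lines skipped)."""
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            yield line.replace('"', " ").split()


def network(addr, mask):
    """Build an IPv4 network from an address/netmask pair (mask assumed present)."""
    return ipaddress.ip_network(f"{addr}/{mask}")


def check_site_to_site(server_conf, ccd_files):
    """Return a list of findings; an empty list means the routing is consistent."""
    vpn_net, routes = None, {}
    for d in directives(server_conf):
        if d[0] == "server":
            vpn_net = network(d[1], d[2])
        elif d[0] == "route":
            gateway = ipaddress.ip_address(d[3]) if len(d) > 3 else None
            routes[network(d[1], d[2])] = gateway
    if vpn_net is None:
        return ["server config has no 'server' directive"]

    findings, owned = [], {}
    for client, text in ccd_files.items():
        for d in directives(text):
            if d[0] == "ifconfig-push":
                # The pinned client address must lie inside the VPN subnet.
                if ipaddress.ip_address(d[1]) not in vpn_net:
                    findings.append(f"{client}: ifconfig-push {d[1]} is outside {vpn_net}")
            elif d[0] == "iroute":
                net = network(d[1], d[2])
                owned[net] = client
                if net not in routes:
                    findings.append(f"{client}: iroute {net} has no 'route' in the server config")
    for net, gateway in routes.items():
        if net not in owned:
            findings.append(f"route {net} has no 'iroute' in any ccd file")
        if gateway is not None and gateway not in vpn_net:
            findings.append(f"route {net}: gateway {gateway} is outside {vpn_net}")
    return findings


if __name__ == "__main__":
    for finding in check_site_to_site(SERVER_CONF, CCD_FILES) or ["routing is consistent"]:
        print(finding)
```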

Create a client config.

#We tell the client to take routing information from the server (push options)
client

#Port for OpenVPN operation
port 1190

#Indicate what protocol OpenVPN uses
proto udp

#Interface type
dev tun

#Interface name
dev-node "VPN"

#Address of the server to which we connect (the static IP of the S_OF1 router)
remote 111.222.333.444 1190

#Protection: require the peer to present a server certificate
remote-cert-tls server

#Certificate Authority certificate
ca C:\\OpenVPN\\ssl\\ca.crt

#Client certificate
cert C:\\OpenVPN\\ssl\\UserVPN_1.crt

#Client key
key C:\\OpenVPN\\ssl\\UserVPN_1.key

#Protection against DoS attacks (1 for the client); ta.key is kept in the ssl folder with the other keys
tls-auth C:\\OpenVPN\\ssl\\ta.key 1
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping-restart 60
ping 10

#Enable compression
comp-lzo
persist-key
persist-tun

#Select a cryptographic cipher
cipher AES-256-CBC

#Logs
status C:\\OpenVPN\\log\\openvpn-status.log
log C:\\OpenVPN\\log\\openvpn.log

#Debug information level
verb 3

#Number of duplicate messages
mute 20

We install OpenVPN on the client and transfer ca.crt, UserVPN_1.crt, UserVPN_1.key and ta.key to it.

We configure the firewalls and antiviruses on the client and server so that packets pass freely. I won't describe this; it all depends on the antiviruses and firewalls installed.

After all this, we launch our server and client.

If everything is done correctly, our server will receive IP 10.10.10.1 and the client will connect to it and receive IP 10.10.10.2. Once connected, the server and the client can ping each other via the IPs of our VPN network, that is, 10.10.10.1 and 10.10.10.2.

For pings to reach the internal addresses of S_OF1 and S_OF2, you need to enable the Routing and Remote Access service.


Go to the properties of the service, set it to start automatically and start it.

After this, we will be able to ping the internal IP of the server and client (172.17.10.10 client and 192.168.0.100 server).

But this method has a small drawback: after enabling this service and connecting to our VPN channel, a red cross will appear on the network connection icon until the VPN is disconnected.

At the same time, all networks are operating normally. Personally, this cross irritates and sometimes confuses me.

There is a second way to make the internal IP networks of our server and client visible.

To do this, go to the registry and open the registry branch:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TcpIP\Parameters

Find the parameter IPEnableRouter (type REG_DWORD) and set its value to 1.

Don't forget to reboot the machine for the settings to take effect!

This needs to be done on both the server and the client.

Now we can ping our networks using internal IPs, and since both the server and the client are gateways for their networks, machines from network 1 can see machines from network 2 and vice versa. That is, User S_OF1 (192.168.0.50) can see the shared folders of User S_OF2 (172.17.10.50) and vice versa.

If the server and client are not gateways for their networks, then you will have to register routes manually.

Example for S_OF1:

route -p add 172.17.10.0 mask 255.255.255.0 192.168.0.100 (the machine where OpenVPN is installed)

Example for S_OF2:

route -p add 192.168.0.0 mask 255.255.255.0 172.17.10.10 (the machine where OpenVPN is installed)

In my case this was not needed.

To start the server and client automatically, we need to enable the OpenVPN Service.

Now when the machine boots, the server automatically starts, and when the client’s machine is turned on, it will also automatically connect to the server.

Additional protection

As you know, OpenVPN has the ability to authenticate using certificates, as described above, as well as using a login and password, but you can also combine them together. As far as I know, only Linux has the ability to set up login and password authentication using standard means, but this can also be solved in Windows. To do this, create a file auth.vbs in the config folder and write the following into it:

' VBscript auth.vbs for authentication in OpenVPN - auth-user-pass-verify auth.vbs via-file
' (c) 2007 vinni http://forum.ixbt.com/users.cgi?id=info:vinni
' Support: http://forum.ixbt.com/topic.cgi?id=14:49976
' The script compares the username in a case-insensitive manner.
' If you need otherwise, remove UCase(...) in 2 or 4 places

On Error Resume Next

' open the file whose name was transferred by OpenVPN to the script through the parameter
Set fso = CreateObject("scripting.filesystemobject")
Set CurrentUserPasswordFile = fso.OpenTextFile(WScript.Arguments(0),1) '1 = for reading
if Err.Number<>0 Then WScript.Quit(1)

' read 2 lines from this file - the name and password entered by the user "at the other end"
if CurrentUserPasswordFile.AtEndOfStream then WScript.Quit(1)
UserName=CurrentUserPasswordFile.ReadLine
if CurrentUserPasswordFile.AtEndOfStream then WScript.Quit(1)
Password=CurrentUserPasswordFile.ReadLine
CurrentUserPasswordFile.Close

' open the common_name environment variable (this is the CN of the certificate presented by the client)
' and compare it with the entered user name
' if this comparison is not needed, then delete the following 2 lines or comment them out
CurrentCommonName = CreateObject("WScript.Shell").ExpandEnvironmentStrings("%common_name%")
if UCase(CurrentCommonName)<>UCase(UserName) then WScript.Quit(1)

' open our file with the database of logins and passwords
' by default this is Users.pw in the current directory
Set UserPasswordFileBase = fso.OpenTextFile("Users.pw",1) '1 = for reading
if Err.Number<>0 Then WScript.Quit(1)

' read pairs of lines in a loop, skipping the empty ones BETWEEN THESE PAIRS,
' and compare them with what the user entered.
Do while not(UserPasswordFileBase.AtEndOfStream)
  NextUserName=UserPasswordFileBase.ReadLine
  if Err.Number<>0 Then WScript.Quit(1)
  if NextUserName<>"" then
    ' if the username needs to be compared case sensitive, then remove UCase(...) here
    if UCase(UserName)=UCase(NextUserName) then
      if Password=UserPasswordFileBase.ReadLine then
        ' if the name and password match the pair from the database, then we end the script with the result 0
        ' this is necessary for OpenVPN, this is a sign of successful authentication
        UserPasswordFileBase.Close
        WScript.Quit(0)
      end if
    else
      UserPasswordFileBase.ReadLine
    end if
  end if
Loop

' if the search was unsuccessful, then we end the script with the result 1
' this is necessary for OpenVPN, this is a sign of UNSUCCESSFUL authentication
UserPasswordFileBase.Close
WScript.Quit(1)

Also in the config folder, create a file Users.pw and write the login and password of our client there:

UserVPN_1
123456

If there are several clients then:

UserVPN_1
123456

UserVPN_2
365214

UserVPN_3
14578

Next, add the line auth-user-pass to the client config. Now when the client connects to the server, an authorization window will pop up where you need to enter the login and password that you assigned to him in Users.pw; they will need to be communicated to the client.

I have it configured so that the user name (login) matches the client name in the certificate, that is, UserVPN_1. But you can set a name different from the name in the certificate; for this you need to look at the settings in auth.vbs.

' open the common_name environment variable (this is the CN of the certificate presented by the client)
' and compare it with the entered username.
' if this comparison is not needed, then delete or comment out the next 2 lines

CurrentCommonName = CreateObject("WScript.Shell").ExpandEnvironmentStrings("%common_name%")
if UCase(CurrentCommonName)<>UCase(UserName) then WScript.Quit(1)
WScript.Echo "Debug: CurrentCommonName= " & CurrentCommonName
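auth.vbs compares the entered password with the clear-text value stored in Users.pw, so anyone who can read that file learns every client's password. The variant below keeps the same checks (the via-file input, the common_name comparison, exit code 0 or 1) but stores salted PBKDF2 hashes and compares them in constant time. It is an added example, not part of the original article or of vinni's script; the file name Users.hash, its name:salt:hash line format and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
import sys

ITERATIONS = 200_000       # PBKDF2 work factor (assumed value, tune to the host)
USERS_DB = "Users.hash"    # hypothetical file: one "name:salt_hex:hash_hex" per line


def make_entry(username, password, salt=None):
    """Build one database line for a user (run once when the account is created)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{username}:{salt.hex()}:{digest.hex()}"


def verify(username, password, common_name, db_lines):
    """Return True only if CN, user name and password all match a database entry."""
    # Same rule as auth.vbs: the login must equal the certificate CN (case-insensitive).
    if not username or username.upper() != common_name.upper():
        return False
    for line in db_lines:
        parts = line.strip().split(":")
        if len(parts) != 3 or parts[0].upper() != username.upper():
            continue
        salt, stored = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return hmac.compare_digest(candidate, stored)   # constant-time comparison
    return False


def main(argv, environ):
    """Entry point for auth-user-pass-verify ... via-file; returns the exit code."""
    try:
        with open(argv[1], encoding="utf-8") as f:      # temp file written by OpenVPN
            lines = f.read().splitlines()
        username, password = lines[0], lines[1]         # line 1 = login, line 2 = password
        with open(USERS_DB, encoding="utf-8") as f:
            db_lines = f.readlines()
        ok = verify(username, password, environ.get("common_name", ""), db_lines)
    except (IndexError, OSError, ValueError):
        return 1                                        # fail closed on any error
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv, os.environ))
```

Each line of Users.hash is produced once with make_entry(); the clear-text password never has to be kept on the server.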

To keep authentication by both certificate and login with password working without the user authorization window popping up (it delays the client's connection to the server if, for example, you have enabled automatic start of the OpenVPN Service, as I have, or you just don't want to enter your login and password every time), create a file pass.txt in the ssl folder on the client and write our username and password into it like this:

UserVPN_1
123456

and in the client config, replace the line auth-user-pass with auth-user-pass C:\\OpenVPN\\ssl\\pass.txt.

Now I turn on the machine where the OpenVPN server is installed, the service starts and the VPN server comes up automatically. The client starts the machine and also automatically connects to my server. Now you can go to shared folders or work via RDP, for example, in 1C installed in another organization.


This is primarily a maintenance release with bugfixes and improvements. One of the big things is enhanced TLS 1.3 support. A summary of the changes is available in Changes.rst, and a full list of changes is available .

We are moving to MSI installers in OpenVPN 2.5, but OpenVPN 2.4.x will remain NSIS-only.

will not work on Windows XP. The last OpenVPN version that supports Windows XP is 2.3.18, which is downloadable as and versions.

If you find a bug in this release, please file a bug report to our . In uncertain cases please contact our developers first, either using the or the developer IRC channel (#openvpn-devel at irc.freenode.net). For generic help take a look at our official , and user IRC channel (#openvpn at irc.freenode.net).

Source Tarball (gzip): openvpn-2.4.7.tar.gz (GnuPG Signature)
Source Tarball (xz): openvpn-2.4.7.tar.xz (GnuPG Signature)
Source Zip: openvpn-2.4.7.zip (GnuPG Signature)
Windows installer (NSIS): openvpn-install-2.4.7-I603.exe (GnuPG Signature)

NOTE: the GPG key used to sign the release files has been changed since OpenVPN 2.4.0. Instructions for verifying the signatures, as well as the new GPG public key are available.

We also provide static URLs pointing to latest releases to ease automation. For a list of files look .

This release is also available in our own software repositories for Debian and Ubuntu. Supported architectures are i386 and amd64. For details, look .

OpenVPN 2.4.6 - released on 2018.04.24

This is primarily a maintenance release with minor bugfixes and improvements, and one security relevant fix for the Windows Interactive Service. Windows installer includes updated OpenVPN GUI and OpenSSL. Installer I601 included tap-windows6 driver 9.22.1 which had one security fix and dropped Windows Vista support. However, in installer I602 we had to revert back to tap-windows 9.21.2 due to driver getting rejected on freshly installed Windows 10 rev 1607 and later when Secure Boot was enabled. The failure was due to the new, more strict driver signing requirements. The 9.22.1 version of the driver is in the process of getting approved and signed by Microsoft and will be bundled in an upcoming Windows installer.

Please note that LibreSSL is not a supported crypto backend. We accept patches and we do test on OpenBSD 6.0 which comes with LibreSSL, but if newer versions of LibreSSL break API compatibility we do not take responsibility to fix that.

Also note that Windows installers have been built with NSIS version that has been patched against several . Based on our testing, though, older Windows versions such as Windows 7 might not benefit from these fixes. We thus strongly encourage you to always move NSIS installers to a non-user-writeable location before running them. Our long-term plan is to migrate to using MSI installers instead.

Compared to OpenVPN 2.3 this is a major update with a large number of new features, improvements and fixes. Some of the major features are AEAD (GCM) cipher and Elliptic Curve DH key exchange support, improved IPv4/IPv6 dual stack support and more seamless connection migration when client's IP address changes (Peer-ID). Also, the new --tls-crypt feature can be used to increase users' connection privacy.

OpenVPN GUI bundled with the Windows installer has a large number of new features compared to the one bundled with OpenVPN 2.3. One of major features is the ability to run OpenVPN GUI without administrator privileges. For full details, see the . The new OpenVPN GUI features are documented.

Please note that OpenVPN 2.4 installers will not work on Windows XP.


This instruction demonstrates how to connect to the VPN Gate relay server using the OpenVPN client on Windows XP, 7, 8, 10, Server 2003, 2008, 2012.

1. Install the OpenVPN client application for your operating system. Run the installation file. The installation wizard will open. Follow the on-screen prompts to install the application.

2. Download and upload the OpenVPN connection configuration file (.ovpn file). This procedure is required only when setting up the connection for the first time.

You can download the configuration file (OpenVPN Config file) on the list page of open free relay servers http://www.vpngate.net/en/. Select the VPN server you want to connect to and click on the corresponding *.ovpn file to download it to your desktop or download folder.

After saving the file on your computer, it will appear as the OpenVPN icon. However, you will not be able to establish a connection by simply double-clicking on the file.

You need to move the *.ovpn file to the “config” folder of the main OpenVPN installation directory.

Open the C:\Program Files\OpenVPN\config folder and copy the *.ovpn file into it.

Right-click on the “OpenVPN GUI” icon on your desktop and select the “Run as administrator” option. Otherwise, you will not be able to establish a VPN connection.

The OpenVPN GUI icon will appear in the taskbar notification area (system tray). In some cases the icon may be hidden, click on the arrow icon to show all hidden icons.

Right-click on the OpenVPN GUI icon and click “Connect”.

The VPN connection will start. The connection status will be displayed on the screen. If you see a dialog box asking for a username and password, enter “vpn” in both fields. This window appears very rarely.

If the VPN connection is successfully established, a pop-up message will appear as in the screenshot.

4. Internet without restrictions

When the VPN connection is established, a virtual network adapter, TAP-Windows Adapter V9, is created in the Windows system. This adapter will receive an IP address that starts with “10.211”. The virtual adapter will receive the default gateway address.

You can check your network configuration by running ipconfig /all in the Windows Command Prompt.

Once the connection is established, all traffic will go through the VPN server. You can verify this using the tracert 8.8.8.8 command in the Windows command line.

As shown in the screenshot above, if the packets pass through "10.211.254.254", then your connection is relayed through one of the VPN Gate servers. You can also go to the main VPN Gate page to view the global IP address.

You will be able to see the location visible from the network, which will be different from your actual location.

Setting up OpenVPN for MacOS

This tutorial demonstrates how to connect to a VPN Gate relay server using the Tunnelblick app. Tunnelblick is a graphical version of the OpenVPN client for MacOS systems.

1. Install the Tunnelblick app

Download and install the latest version of the Tunnelblick application. Instructions will appear on the screen during installation.

Once the installation is complete, the following screen will appear. Select the “I have configuration files” option.

The screen will show instructions for adding the configuration to Tunnelblick.

Click OK to close the window.

2. Download and upload the OpenVPN connection configuration file (.ovpn file). This procedure is required only when setting up the connection for the first time.

A configuration file in *.ovpn format is needed to connect to the VPN Gate relay server via the OpenVPN protocol.

You can download the configuration file (OpenVPN Config file) on the list page of open free relay servers http://www.vpngate.net/en/. Select the VPN server you want to connect to and click on the corresponding *.ovpn file to download it to your Downloads folder.

To install a *.ovpn configuration file, drag it onto the Tunnelblick icon in the menu bar, or onto the list of configurations in the Configurations tab of the VPN Details window. If you need to install several configuration files at once, select them all and then drag them.

When adding, you will need to enter the username and password of your MacOS account.

Click on the Tunnelblick icon on the top MacOS toolbar and select the “Connect [configuration name]” option. The VPN connection will start.

The VPN connection status will appear as shown in the screenshot. Once the connection has been successfully established, the Tunnelblick main window will show the “Connected” status.

4. Internet without restrictions

Once the connection is established, all traffic will go through the VPN server. You can also go to the main VPN Gate page to view the global IP address. You will be able to see the location visible from the network, which will be different from your actual location.

When connected to a VPN, you will be able to visit blocked websites and play blocked games.


The Internet has firmly entered the life of the average person. Communication based on interests, meeting new people, gaining additional skills and knowledge, searching for the necessary information - all this is just the beginning of a long list of what you can do online.

Internet yesterday and today

Fifteen years ago, no one could have imagined how much we would become attached to the global web. A new disease has appeared, Internet addiction, which is treated by specialists who have themselves only recently emerged. A previously unknown, vast sales market opened up. The horizons for marketing and advertising have expanded. Knowledge and technology have become available like never before. What are people doing online today? Someone publishes interesting thoughts in blog format, someone runs a business, and someone is undergoing online training at a prestigious university. Everyone has their own interests, but there are general concepts and phenomena that almost every user has encountered sooner or later. These are viruses and spyware, security software and proxy servers, social networks, VPN. It is the latter that will be discussed in the article.

What is VPN

A VPN is a network within a network: an additional connection that is created on top of an existing one. Most often, this is a separate space within the Internet, an island of protected information in an ocean of free access. What distinguishes a VPN zone or tunnel? First of all, only authenticated users who have been previously added to the list of VPN service clients have access to it. In addition, all internal traffic is transmitted encrypted and is inaccessible from the outside. A VPN also provides anonymity and helps bypass proxy settings, if any. Of course, everyone would like security, which means this service is quite in demand. The law of the market, which states that due to growing demand, the number of offers also increases, is still in force, so the choice of service providers is very wide. But we will look at the general using the example of the particular. Setting up OpenVPN, a fairly popular tunneling solution, will serve as a model for working with the technology as a whole.

Advantages

First of all, it should be noted that OpenVPN, unlike its paid analogues, is distributed freely. At the same time, the program has full functionality. An anonymous and secure tunnel can be created even from an office with a corporate firewall.

An undoubted advantage of the OpenVPN client-server implementation is the most simplified application installation process. Successful installation does not require deep knowledge or special skills. You don't even have to get used to a new operating system because OpenVPN is available for Windows too. The second decisive advantage of the program is cost minimization. There is no need to buy a license or specialized equipment. There is no need for a powerful server: a regular personal computer is quite enough. If you have not yet decided on the choice of software for your VPN channel, it makes sense to try the free, stable and convenient software from James Yonan.

OpenVPN: client setup

Services of this kind are usually deployed on *nix systems: Gentoo, CentOS, Ubuntu, etc. However, in the case of OpenVPN (especially with the client part), it doesn’t matter to us whether Ubuntu or Windows 7 is installed on the computer where OpenVPN will be configured: at least the initial steps will not be much different. For convenience, we will choose a fairly common, familiar and convenient OS from the Windows family. The program distribution package can easily be found freely available. Download the latest version of the OpenVPN client to your computer, run the installer and agree one by one with everything it recommends. In the component selection window, you must tick the required ones. After installation is complete, it makes sense to additionally install the OpenVPN GUI user interface, which will greatly facilitate the process of setting up and further managing the client. To work correctly, OpenVPN must be launched in. To achieve this, you just need to check the box in the shortcut properties. This completes the VPN client deployment process. All that remains is to receive from the administrator a file with keys and certificates, as well as a configuration file for your connection.

The next step is setting up the OpenVPN server. Windows supports not only the client side, but also the server side of the application.

OpenVPN-server on Windows

The OpenVPN server part is installed in the same way as the client: download the distribution and one by one agree with what is proposed. But here you yourself will act as an administrator. Accordingly, you will have to make changes to the configuration file and generate keys and certificates yourself. But don’t be scared: setting up an OpenVPN server on Windows is not an impossible task, even for beginners. Operations are performed through the command line. You can find the exact command text in any OpenVPN installation guide. If everything is done correctly, the status of the new virtual adapter created in the system after installing the VPN server will change from “Cable not connected” to “Connected”. In the adapter properties you will see the configured internal network address.

OpenVPN off the computer

We have discussed with you the options for deploying the client and server parts of OpenVPN on the Windows operating system. Considering the cross-platform nature of the program, it can be installed on other operating systems (Debian, Linux Mint, etc.). What else besides a desktop computer can act as a VPN client or server? They can serve by activating the service of the server we are considering there, you will be able to connect directly to the drive with a VPN client. Most routers also support OpenVPN. With the rapid development of information technologies, all modern devices are produced to be as functional as possible. This is not just a printer, but a 3 in 1, combining both a scanner and a copy machine. This is not only a mobile phone, but also a camera, player, GPS navigator, QR code reader and much more. If built-in functionality is not enough, constantly updated content from application stores will help expand the capabilities of handheld devices. So it's not unusual to choose a new field to install OpenVPN. Windows is already a passed stage, now we will talk about the Mikrotik router.

Deploying OpenVPN on Mikrotik

Despite the fact that bold experiments are always welcome, the result sometimes does not live up to hopes and aspirations. It also happens that by combining different technologies, you can achieve the exact opposite of what was expected. In the case of Mikrotik, of course, there will be no serious disappointments, but there is still some reduction in functionality. For example, UDP transport is not available on the router. But, unlike a computer, on a Mikrotik router you just need to import ready-made certificate and key files, and then run the wizard, without a command line. The settings are not complicated: you need to register a range of addresses for VPN clients and enable the “OpenVPN server” function, which does not take much time and is in no way inferior in stability to a VPN server on a computer. The only thing you need to remember is the order of the allowing and denying rules, which is the same for all devices that perform the firewall function.

A little about VPN servers instead of a conclusion

There is a saying that no technology will gain widespread acceptance until the average user or system administrator is able to install it easily. It is advisable that this be done within one wizard, where you just need to click on the “Next” button. In reality, each product will have its fans, regardless of what steps you have to take before using it. Setting up OpenVPN on Windows requires the command line, but is not particularly difficult, while the built-in tools of the operating system or some individual solutions really are installed and configured in a few clicks of the mouse. But in 12 years, OpenVPN has not disappeared, but continued to develop, and still remains a popular product, high-quality and unpretentious.

The more states try to control the Internet and establish their own censorship there, the more popular various bypass services become. One of the free solutions for organizing virtual private networks is OpenVPN. You can use one of the servers already deployed on the network or deploy the software on your own system.

In one of the previous articles we looked at. In this article, we will dwell in more detail on setting up a connection to the server using various programs in Linux and Android, and also try to understand how this service works.

You already know that the program organizes a virtual network between computers, and that all data on this network is encrypted and inaccessible to users outside it. To achieve this, the program creates a virtual device, tun0, in the system. This is the same kind of interface as eth0 or wlan0, and it has its own IP address. All traffic that is sent to this interface is encrypted and transferred to the virtual network.

Therefore, to transmit traffic through OpenVPN, it will be enough to add several rules that will force traffic to go through the tun0 interface.

How to use OpenVPN on Linux

First, let's look at how to connect to OpenVPN from Ubuntu or any other Linux distribution via the terminal. Let's say you downloaded the .ovpn server configuration file and want to connect to this network. To do this you need to install the openvpn client and then start it with the configuration file:

sudo openvpn ~/Downloads/config.ovpn

After this, the terminal window must not be closed. If the OpenVPN server was configured correctly, it has already pushed the correct routes to the machine and your traffic goes through the virtual network. Let's see the routes:

There are two lines worth paying attention to here:

0.0.0.0/1 via 192.168.243.1 dev tun0
169.254.0.0/16 dev enp2s0 scope link metric 1000

The first directs all system traffic to the tun0 interface. The second is more interesting: it sends traffic for the 169.254.0.0 network to the real interface. If it were not there, all traffic would go to tun0, including traffic from the OpenVPN program itself that has already passed through this interface, and the result would be a loop. To terminate the connection in this setup, just press Ctrl+C in the terminal where you launched openvpn.
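To check which interface a given destination actually leaves through, and so whether anything bypasses tun0, you can apply longest-prefix matching to the `ip route` output. The script below is an added example, not part of the original article; the routing table is constructed from the two routes quoted above plus entries a server pushing `redirect-gateway def1` typically adds, and the server address 203.0.113.10 is an assumption.

```python
import ipaddress

# Constructed `ip route` output: the two routes quoted above plus entries that
# a server pushing `redirect-gateway def1` typically adds. All addresses are samples.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev enp2s0 proto dhcp metric 100
0.0.0.0/1 via 192.168.243.1 dev tun0
128.0.0.0/1 via 192.168.243.1 dev tun0
169.254.0.0/16 dev enp2s0 scope link metric 1000
192.168.1.0/24 dev enp2s0 proto kernel scope link src 192.168.1.5
192.168.243.0/24 dev tun0 proto kernel scope link src 192.168.243.2
203.0.113.10 via 192.168.1.1 dev enp2s0
"""
VPN_SERVER = "203.0.113.10"  # constructed address of the OpenVPN server


def parse_routes(text):
    """Return [(network, device)] for every route line that names a device."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields[:-1]:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # first field is a route type, not a prefix
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes


def egress_dev(routes, dst):
    """Device chosen for dst: the most specific matching prefix wins (metrics ignored)."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(matches)[1] if matches else None


def bypasses_tunnel(routes, destinations, vpn_dev="tun0"):
    """Destinations that would leave through anything other than the tunnel."""
    return [d for d in destinations if egress_dev(routes, d) != vpn_dev]


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    for dst in ("8.8.8.8", "198.51.100.7", VPN_SERVER, "169.254.10.1"):
        print(f"{dst:15} -> {egress_dev(table, dst)}")
```

On a live system, feed the function the real output of `ip route`; if the 128.0.0.0/1 entry is missing, every destination in the upper half of the IPv4 space falls back to the default route and leaves outside the tunnel.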

The second way to use OpenVPN on Linux is to install the openvpn plugin for NetworkManager and connect using it. To install this package on Ubuntu, run the following command:

sudo apt-get install network-manager-openvpn

Now open the Network Manager applet, expand "VPN connection" and select "Set up connection":

In the window that opens, click the "+" button:

Then select the "VPN" item.

Look at the routing table again:

In general, NetworkManager creates different rules, but they work the same way. Setting up the openvpn client on Ubuntu is complete.

Using OpenVPN on Android

You can use OpenVPN on any platform, including Android. An official application, OpenVPN Connect, has been released for these devices. With it, you can connect to the network, as in the previous option, using an ovpn file. You can install this application from Google Play:

Open the app, tap the menu button, then select "Import" -> "Import profile from SDCard":

Select the required file and press "Select":

Then all you have to do is click "Connect" to connect to the network:

Setting up the openvpn client only involves importing the configuration file, nothing else is needed. Next, your traffic will be routed through the VPN; here you can also view the routing table if a terminal emulator is installed:

True, here we will not see the same situation as in Linux; routing to VPN in Android is carried out a little differently.

How to use OpenVPN on Windows

This article would not be complete without explaining how to use the OpenVPN GUI on Windows, especially since it is not much more complicated than on Android. We need to install the OpenVPN client. You can download it from the official website:

After downloading, run the program as an administrator and go through all the steps of the wizard: