Installing and configuring an OpenVPN server on Windows. Installing OpenVPN on a Windows VPS

A true virtual private network (VPN) is an encrypted tunnel between two networks that connects two trusted endpoints. This is unlike the HTTPS web protocol, which treats every client as trusted: only clients that hold the access keys can connect to the VPN.

The concept of a VPN has become very loose these days, with the appearance of virtual private networks that trust everyone and the spread of HTTPS. Many VPN products are commercial solutions with a minimum of settings, intended to give employees remote access, but not everyone trusts such solutions. A virtual private network joins two networks into one, for example an office network and an employee's home network. A VPN server is needed so that the server and the client can authenticate each other.

Setting up server and client authentication takes some work, which is why commercial solutions with a minimum of settings lose out here. Installing an OpenVPN server is not actually that difficult, though. To build a test environment you need two nodes in different networks, for example several virtual machines or real servers. As you may have guessed, this article covers setting up OpenVPN on Ubuntu to create a full-fledged virtual private network.

OpenVPN must be installed on both machines. It is a popular program, so you can install it from the official repositories. We also need Easy-RSA to manage the keys. To install both on Ubuntu, use the following command:

sudo apt install openvpn easy-rsa

Both packages must be installed on both the server and the client; they will be needed for configuration. The first stage, installing OpenVPN, is complete.

Setting up a certificate authority

The first thing to do is create the public key infrastructure on the server. We consider the server to be the machine users connect to. Running your own certification authority has several benefits: it simplifies key distribution and management, and, for example, lets you revoke client certificates on the server. There is also no need to store all client certificates on the server; it is enough for the certification authority to check that a certificate was signed by the CA. Instead of this full key infrastructure you can use static keys if you only need to give access to a few users.

Note that all private keys must be kept in a safe place. In OpenVPN the public key is called a certificate and has the .crt extension, while the private key is simply called a key and has the .key extension.

First, create a folder to store the Easy-RSA certificates. OpenVPN is configured by hand, so the folder can be placed anywhere:

sudo mkdir /etc/openvpn/easy-rsa

Then copy the Easy-RSA scripts (installed under /usr/share/easy-rsa) into this folder and change into it:

cd /etc/openvpn/easy-rsa/

sudo -i
# source ./vars
# ./clean-all
# ./build-ca

With the first command we switch to a root shell; the second loads the environment variables from the file ./vars. The command ./clean-all creates the keys folder if it does not exist and clears its contents, and the last command initializes our certificate authority. All the CA files have now appeared in the keys folder:

Setting up client certificates

On the client machine, copy the Easy-RSA scripts into /etc/openvpn in the same way:

sudo cp -R /usr/share/easy-rsa /etc/openvpn/

Now the CA certificate, the ca.crt file, must be copied into the Easy-RSA keys folder on every client. For example, let's fetch this file for our client using scp:

sudo scp user@host:/etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/easy-rsa/keys

Only now can you create the client's private key and the certificate request that the CA will sign:

cd /etc/openvpn/easy-rsa/

sudo -i
# source ./vars
# ./build-req Sergiy

Note that ca.crt must be in the keys folder, otherwise nothing will work. The utility now creates the key with which you will connect to the OpenVPN server, but the request still has to be signed on the server. Send the resulting .csr file to the server with the same scp:

scp /etc/openvpn/easy-rsa/keys/Sergiy.csr user@host:~/

Then, on the server, run the certificate signing command in the /etc/openvpn/easy-rsa folder:

./sign-req ~/Sergiy

Confirm the signing; the program then reports that the certificate has been signed and added to the database. A .crt file appears next to the .csr request and must be copied back to the client machine:

sudo scp user@host:~/Sergiy.crt /etc/openvpn/easy-rsa/keys

Only now do the server and client have all the keys needed to connect and communicate. A few settings remain. Since the certificate-based setup uses TLS, you also need to create Diffie-Hellman parameters on the server; Easy-RSA's build-dh script generates them.

Setting up OpenVPN

Now let's set up the OpenVPN server. By default the OpenVPN configuration folder is empty; you create the files yourself depending on whether you are configuring a server or a client. Sample configuration files can be found in /usr/share/doc/openvpn/examples/sample-config-files/. First, create the server configuration file:

zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf

Here you need to configure several parameters:

port and proto: the port and protocol the program listens on;

port 1194
proto udp

All the created keys must be listed in the configuration file. Ours are stored in /etc/openvpn/easy-rsa/keys. ca is the CA certificate, cert and key are the server's own certificate and private key (created with Easy-RSA's build-key-server script; here they are named server.crt and server.key), and dh is the Diffie-Hellman parameter file. The CA's private key itself must never be used as the server key:

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem

Configure the address range of the virtual network; our server will be reachable at the first address in it, 10.8.0.1:

server 10.8.0.0 255.255.255.0

When you have finished, save the file; you can either paste the whole configuration below or edit the sample file. A ready, working server configuration:

port 1194
proto udp
# compression must be set identically on the client; it is deprecated in current releases
comp-lzo
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
# the server's own certificate and key from build-key-server, not the CA's
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

Now, on the client, create the client configuration file from the sample:

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/client.conf

You can create several client configuration files to connect to different servers. Open the configuration file and change the following parameters:

remote: the address of your OpenVPN server; the address and port must match what is configured on the server, for example:

remote 194.67.215.125 1194

ca: the CA certificate received from the certification authority; we placed it in /etc/openvpn/easy-rsa/keys/.

cert and key: the client's certificate and private key, used to connect to the server. As you remember, we saved them in the same folder, /etc/openvpn/easy-rsa/keys/.

ca /etc/openvpn/easy-rsa/keys/ca.crt

The rest of the settings can be left as they are. Here is the entire configuration file that you can copy:

client
dev tun
proto udp
remote 194.67.215.125 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/Sergiy.crt
key /etc/openvpn/easy-rsa/keys/Sergiy.key
# tls-auth needs a shared ta.key (openvpn --genkey --secret ta.key) and the
# matching "tls-auth ta.key 0" line on the server; enable it on both or neither
;tls-auth ta.key 1
comp-lzo
verb 3

Save the settings; the client is now ready to connect. Note that the two configuration files must match as closely as possible: an option missing from one of them can cause errors. This does not mean the files are identical, but the basic OpenVPN parameters (protocol, port, compression, TLS options) must be the same on both sides. All that remains is to start OpenVPN on this machine with this configuration file:

sudo openvpn /etc/openvpn/client.conf
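The "files must match" rule above is easy to check mechanically. The following is an added example, not code from the original article: it parses a server and a client config the way OpenVPN reads them and reports the mismatches that break the connection, plus the device typo, an obsolete cipher, and a server that presents the CA certificate as its own. The two embedded configs are constructed sample data modelled on the article's settings.

```python
"""Consistency check for an OpenVPN server/client config pair: parses both as OpenVPN
does (one directive per line, '#' or ';' starts a comment) and reports problems."""
# Constructed sample configs: they mirror the article's settings, including
# the 'dev tune' typo and a tls-auth line present on the client side only.
SERVER_CONF = """
port 1194
proto udp
comp-lzo
dev tune
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
cipher DES-CBC
"""
CLIENT_CONF = """
dev tun
proto udp
remote 194.67.215.125 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/Sergiy.crt
key /etc/openvpn/easy-rsa/keys/Sergiy.key
tls-auth ta.key 1
comp-lzo
"""
# Obsolete 64-bit-block or null data-channel ciphers that must not be used.
WEAK_CIPHERS = {"DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "BF-CBC", "none"}

def parse(text):
    # {directive: [args]}; as in OpenVPN, a repeated directive's last value wins
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            conf[name] = args
    return conf

def check_pair(server_text, client_text):
    s, c = parse(server_text), parse(client_text)
    problems = []
    for side, conf in (("server", s), ("client", c)):
        dev = conf.get("dev", ["tun"])[0]
        if dev.rstrip("0123456789") not in ("tun", "tap"):
            problems.append(f"{side}: unknown device type '{dev}' (expected tun or tap)")
        cipher = conf.get("cipher", [None])[0]
        if cipher in WEAK_CIPHERS:
            problems.append(f"{side}: weak cipher {cipher}")
    if s.get("cert") and s.get("cert") == s.get("ca"):
        problems.append("server: 'cert' is the CA certificate; use the server's own certificate")
    if s.get("proto") != c.get("proto"):
        problems.append(f"proto mismatch: server {s.get('proto', ['udp'])[0]} vs client {c.get('proto', ['udp'])[0]}")
    remote = c.get("remote", [])
    remote_port = remote[1] if len(remote) > 1 else "1194"  # OpenVPN's default port
    server_port = s.get("port", ["1194"])[0]
    if remote_port != server_port:
        problems.append(f"port mismatch: server {server_port}, client {remote_port}")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        problems.append("comp-lzo enabled on one side only")
    if ("tls-auth" in s) != ("tls-auth" in c):
        problems.append("tls-auth enabled on one side only")
    return problems  # empty list: the pair is consistent

if __name__ == "__main__":
    print("\n".join(check_pair(SERVER_CONF, CLIENT_CONF)) or "configs are consistent")
```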

Done, everything now works. If you run ifconfig you will see that a tun0 interface has been added:

You can also try pinging 10.8.0.1, the address we configured for our OpenVPN server; the replies should come back normally. If packets do not get through, or something else does not work, look at the output of both programs for errors or warnings, and make sure the server's firewall allows inbound UDP on port 1194 from outside. You can also start the server or client with the verbosity in the config raised to the maximum, verb 9; this very often helps to understand why something does not work. You cannot route traffic through the tunnel yet, though. To do that you need to enable forwarding and add several iptables rules. First, allow the server to forward packets:

sysctl -w net.ipv4.ip_forward=1

Then add rules like these. Allow everyone to connect to our server:

iptables -A INPUT -p udp --dport 1194 -j ACCEPT

Allow OpenVPN users access to the Internet (eth0 here is the server's external interface; substitute yours):

iptables -I FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -I FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Conclusions

In this article we looked at how to install and configure OpenVPN on Ubuntu and how to set it up for key-based authentication. Organizing virtual private networks can be very useful not only in organizations but also for exchanging data between two of your own computers or for improving network security.

OpenVPN is one of the VPN (virtual private network) options; it transmits data over a specially created encrypted channel. This way you can connect two computers or build a centralized network with a server and several clients. In this article we will learn how to create such a server and configure it.

As mentioned above, the technology we are discussing lets us transmit information over a secure channel. This could be file sharing or secure Internet access through a server acting as a shared gateway. Creating it requires no extra equipment or special knowledge: everything is done on the computer that will serve as the VPN server.

You will also need to configure the client side on the users' machines. The work comes down to creating keys and certificates, which are then handed to the clients. These files let a client obtain an IP address when connecting to the server and establish the encrypted channel mentioned above. Information sent through it can only be read by someone who has the key, which greatly improves security and keeps the data safe.

Installing OpenVPN on a server machine

The installation is a standard procedure with a few nuances, which we will discuss in more detail.


Setting up the server side

Be as careful as possible with the following steps: any mistake makes the server inoperable. Another requirement is that your account must have administrator rights.

  1. Go to the "easy-rsa" folder, which in our case is located at

    C:\OpenVPN\easy-rsa

    Find the file vars.bat.sample.

    Rename it to vars.bat (remove the word "sample" together with the preceding period).

    Open this file in Notepad++. The editor matters: Notepad++ lets you edit and save these batch files correctly, which avoids errors when they run.

  2. First of all, delete all the comments (highlighted in green); they will only get in the way. The result looks like this:

  3. Next, change the path to the "easy-rsa" folder to the one we chose during installation. In our case just replace the %ProgramFiles% variable with C:.

  4. Leave the next four parameters unchanged.

  5. The remaining lines can be filled in with any values you like; see the example in the screenshot.

  6. Save the file.

  7. You also need to edit the following files:
    • build-ca.bat
    • build-dh.bat
    • build-key.bat
    • build-key-pass.bat
    • build-key-pkcs12.bat
    • build-key-server.bat

    In each of them, replace the openssl command with the absolute path to the corresponding openssl.exe file. Don't forget to save the changes.

  8. Now open the "easy-rsa" folder, hold SHIFT and right-click on an empty area (not on a file). In the context menu select "Open command window here".

    A command prompt opens, already switched to the target directory.

  9. Enter the command below and press ENTER.

  10. Next, run another batch file.

  11. Repeat the first command.

  12. The next step is to create the necessary files. To do this we use the command

    During execution, the system asks you to confirm the data we entered into vars.bat. Just press ENTER several times until the prompt returns.

  13. Create the DH parameters by running build-dh.bat.

  14. Now prepare the certificate for the server side. There is one important point here: it must be given the name we wrote in vars.bat on the "KEY_NAME" line. In our example this is Lumpics. The command looks like this:

    build-key-server.bat Lumpics

    Here you again confirm the data with ENTER and also type the letter "y" (yes) twice where asked (see screenshot). The command prompt can then be closed.

  15. A new folder named "keys" has appeared in our "easy-rsa" folder.

  16. Its contents must be copied into an "ssl" folder, which you create in the program's root directory.

    The folder after pasting the copied files:

  17. Now go to the folder

    C:\OpenVPN\config

    Create a text document here (right-click – New – Text Document), rename it to server.ovpn and open it in Notepad++. Enter the following configuration:

    port 443
    proto udp
    dev tun
    dev-node "VPN Lumpics"
    dh C:\\OpenVPN\\ssl\\dh2048.pem
    ca C:\\OpenVPN\\ssl\\ca.crt
    cert C:\\OpenVPN\\ssl\\Lumpics.crt
    key C:\\OpenVPN\\ssl\\Lumpics.key
    server 172.16.10.0 255.255.255.0
    max-clients 32
    keepalive 10 120
    client-to-client
    comp-lzo
    persist-key
    persist-tun
    # DES-CBC (56-bit) is obsolete; use AES and set the same cipher on the client
    cipher AES-256-CBC
    status C:\\OpenVPN\\log\\status.log
    log C:\\OpenVPN\\log\\openvpn.log
    verb 4
    mute 20

    Note that the certificate and key names must match the files in the "ssl" folder.

  18. Next, open "Control Panel" and go to "Network and Sharing Center".

  19. Click the link "Change adapter settings".

  20. Here we need to find the connection that uses "TAP-Windows Adapter V9". You can check this by right-clicking the connection and opening its properties.

  21. Rename it to VPN Lumpics (without quotes). This name must match the "dev-node" parameter in server.ovpn.

  22. The final stage is starting the service. Press Win+R, enter the line below and press ENTER.

  23. Find the service named "OpenVpnService", right-click it and open its properties.

  24. Change the startup type to "Automatic", start the service and click "Apply".

  25. If everything was done correctly, the red cross next to the adapter disappears. This means the connection is ready for use.

Setting up the client side

Before you start setting up the client, you need to perform several actions on the server machine: generate a key and certificate for the client connection.


Work to be done on the client machine:


This completes the configuration of the OpenVPN server and client.

Conclusion

Organizing your own VPN network lets you protect transmitted information as much as possible and also makes browsing the Internet safer. The main thing is to be careful when setting up the server and client sides; if everything is done correctly, you will be able to enjoy all the benefits of a virtual private network.

The more states try to control the Internet and impose their own censorship on it, the more popular various circumvention services become. One of the free solutions for organizing virtual private networks is OpenVPN. You can use one of the servers already deployed on the network or deploy the software on your own system.

In one of the previous articles we looked at. In this article we will dwell in more detail on setting up a connection to the server using various programs on Linux and Android, and also try to understand how this service works.

You already know that the program organizes a virtual network between computers, and that all data on this network is encrypted and inaccessible to users outside it. To achieve this, the program creates a virtual device, tun0, in the system. It is an interface just like eth0 or wlan0 and has its own IP address. All traffic sent to this interface is encrypted and carried over the virtual network.

Therefore, to send traffic through OpenVPN it is enough to add a few routing rules that direct traffic to the tun0 interface.

How to use OpenVPN on Linux

First, let's look at how to connect to OpenVPN from Ubuntu or any other Linux distribution via the terminal. Suppose you downloaded the server's .ovpn configuration file and want to connect to that network. You need the openvpn client installed (the apt command from the first part of this article); then start it with the configuration file:

sudo openvpn ~/Downloads/config.ovpn

After this the terminal window must stay open. If the OpenVPN server is configured correctly, it has already pushed the right routes to the machine and your traffic goes through the virtual network. Let's look at the routes:

There are two lines worth paying attention to here:

0.0.0.0/1 via 192.168.243.1 dev tun0
169.254.0.0/16 dev enp2s0 scope link metric 1000

The first sends all of the system's traffic to the tun0 interface; the second is more interesting: it keeps traffic for the 169.254.0.0 network on the real interface. If it were not there, all traffic would go to tun0, including the traffic of the OpenVPN program itself, which has already passed through this interface, and the result would be a loop. For the same reason OpenVPN also adds a host route for the server's public address via the original gateway. To terminate the connection in this mode, just press Ctrl+C in the terminal where you started openvpn.
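The routing picture above can be verified rather than eyeballed. The following is an added example, not from the original article: it parses `ip route` output, finds the two /1 routes that OpenVPN's redirect-gateway def1 installs, confirms that an Internet address resolves to tun0 by longest-prefix match, and, going one step beyond the article, checks that the VPN server's own address still leaves through the physical interface (the host route that actually prevents the loop). The route listing is constructed sample data; the server address is the one from the client config earlier on this page.

```python
"""Check a Linux routing table after an OpenVPN connection (redirect-gateway def1)."""
import ipaddress

# Constructed `ip route` output. 194.67.215.125 is the server from the client
# config above; the last line is the host route OpenVPN adds for it.
ROUTES = """\
0.0.0.0/1 via 192.168.243.1 dev tun0
default via 192.168.1.1 dev enp2s0 proto dhcp metric 100
128.0.0.0/1 via 192.168.243.1 dev tun0
169.254.0.0/16 dev enp2s0 scope link metric 1000
192.168.1.0/24 dev enp2s0 proto kernel scope link src 192.168.1.23
192.168.243.0/24 dev tun0 proto kernel scope link src 192.168.243.6
194.67.215.125 via 192.168.1.1 dev enp2s0
"""

def parse_routes(text):
    """Turn each `ip route` line into (network, gateway, device)."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        dest = "0.0.0.0/0" if f[0] == "default" else f[0]  # a bare address means /32
        via = f[f.index("via") + 1] if "via" in f else None
        dev = f[f.index("dev") + 1] if "dev" in f else None
        routes.append((ipaddress.ip_network(dest, strict=False), via, dev))
    return routes

def lookup(routes, ip):
    """Longest-prefix match, as the kernel does (metrics are ignored here)."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)

def analyse(text, server_ip, tun="tun0"):
    """Report whether the table has the shape of a working, loop-free OpenVPN client."""
    routes = parse_routes(text)
    halves = {str(n) for n, _, d in routes if d == tun and n.prefixlen == 1}
    internet = lookup(routes, "203.0.113.1")  # any public address (TEST-NET-3)
    server = lookup(routes, server_ip)
    return {
        # the two /1 routes beat the original default route without replacing it
        "def1_split": halves == {"0.0.0.0/1", "128.0.0.0/1"},
        "internet_via_tun": internet is not None and internet[2] == tun,
        # the server's own address must keep using the physical interface,
        # otherwise the tunnel's packets would be sent into the tunnel (a loop)
        "server_bypasses_tun": server is not None and server[2] != tun,
    }

if __name__ == "__main__":
    for key, ok in analyse(ROUTES, "194.67.215.125").items():
        print(f"{key:20s} {'OK' if ok else 'PROBLEM'}")
```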

The second way to use OpenVPN on Linux is to install the OpenVPN plugin for NetworkManager and connect through it. To install this package on Ubuntu, run the following command:

sudo apt-get install network-manager-openvpn

Now open the NetworkManager applet, expand "VPN connection" and select "Set up connection":

In the window that opens, click the "+" button:

Then select "VPN".

Look at the routing table again:

In general, NetworkManager creates different rules, but they work the same way. Setting up the OpenVPN client on Ubuntu is complete.

Using OpenVPN on Android

You can use OpenVPN on any platform, including Android, for which the official OpenVPN Connect application was released. With it you can connect to the network using an .ovpn file, as in the previous option. You can install the application from Google Play:

Open the app, tap the menu button, then select "Import" -> "Import profile from SDCard":

Select the required file and press "Select":

Then all you have to do is tap "Connect" to connect to the network:

Setting up the OpenVPN client consists only of importing the configuration file; nothing else is needed. Your traffic is now routed through the VPN; here too you can view the routing table if a terminal emulator is installed:

However, we will not see the same picture as on Linux; routing into the VPN on Android is done somewhat differently.

How to use OpenVPN on Windows

This article would not be complete without explaining how to use the OpenVPN GUI on Windows, especially since it is not much more complicated than on Android. We need to install the OpenVPN client, which you can download from the official website:

After downloading, run the installer as an administrator and go through all the steps of the wizard:





When using the OpenVPN Windows client you are limited to connecting to only one server at a time. This is because the OpenVPN installer creates only one TAP adapter, and it serves only one VPN connection.

If you try to connect to another server while a connection is active, you get the error:

TCP/UDP: Socket bind failed on local address : Address already in use (WSAEADDRINUSE)

which boils down to the network interface already being in use. You have to terminate the existing connection and only then establish another one.

As it turns out, bypassing this limitation is very simple. After installing the OpenVPN client on Windows, the following folder is created:

C:\Program Files\TAP-Windows\bin

This folder contains the file addtap.bat. Running this script with administrator rights adds another TAP adapter to the system; just double-click it and that's it. Another adapter appears in Network Connections, named TAP-Windows Adapter V9 #2:

Now, in the folder

C:\Program Files\OpenVPN\config

create a separate folder for each connection and put its config and certificates there. When connecting, you can pick the server you want; there can be as many simultaneous connections as you added OpenVPN network adapters:

This is how the problem of several active OpenVPN connections on Windows is easily solved.
