- What Is Generate A Static Openvpn Key Password
- What Is Generate A Static Openvpn Key Windows 10
- What Is Generate A Static Openvpn Key Number
- What Is Generate A Static Openvpn Key Code
Using tls-auth requires that you generate a shared-secret key that is used in addition to the standard RSA certificate/key: openvpn -genkey -secret ta.key. This command will generate an OpenVPN static key and write it to the file ta.key. This key should be copied over a pre-existing secure channel to the server and all client machines. Once the OpenVPN peers are sure about each other's identity, DH can be used to create a shared secret key for the hash function and the cipher algorithm. By combining a DH private key with the other OpenVPN box DH public key, it is possible to calculate a shared secret that only the two OpenVPN peers know.
Translation(s): English - Français - Русский - Polski
Contents
- Configuration
- Test VPN
- Application to a VPN passing through a http proxy
OpenVPN is an SSL/TLS VPN solution. It is able to traverse NAT connections and firewalls. This page explains briefly how to configure a VPN with OpenVPN, from both server-side and client-side.
Install the openvpn package on both client and server.
To enable OpenVPN in the Gnome NetworkManager applet for the taskbar notification area, the additional package network-manager-openvpn-gnome has to be installed:
OpenVPN can authenticate users via user/pass, pre-shared key, certificates, etc.
Test VPN
Test a raw connection.
server test
From a server shell, run
if your client has a static IP#; otherwise, run
You should see console output resembling
While openvpn is running, check your network configuration with sudo ifconfig -a. Output should include
Note that, if you kill openvpn (e.g., with Control-c in its console), you will not see the above network interface.
client test
You may also test with ping.
Static-Key VPN
In the server's /etc/openvpn directory, run the following command to generate a static key:
Copy this static key to the clients /etc/openvpn directory using a secure channel like scp or sftp.
On the server, create a new /etc/openvpn/tun0.conf file and add the following:
Where 10.9.8.x is your VPN subnetwork, 10.9.8.1 will be IP of the server, 10.9.8.2 is IP of client.
On the client, copy /etc/openvpn/static.key from server and create a new /etc/openvpn/tun0.conf file and add the following:
On the server's firewall, open up UDP 1194 (default port).
If you are using ?shorewall, on both devices, add a new VPN zone to represent tun0 and create a default policy for it. This means adding something to the following files in /etc/shorewall:
- zone
- interfaces
- policy
Bear in mind that 90% of all connection problems encountered by new OpenVPN users are firewall-related.
Start OpenVPN by hand on both sides with the following command:
You should probably configure your route at this step.
To verify that the VPN is running, you should be able to ping 10.9.8.2 from the server and 10.9.8.1 from the client.
TLS-enabled VPN
In server, copy key generating script from openvpn example to /etc/openvpn and add executable permission:
In Jessie and above easy-rsa is a separate package. So you'll have to install that in addition to openvpn.
On Wheezy:
On Jessie and above:
Edit /etc/openvpn/easy-rsa/vars bottom according to your organization.
Execute the following command:
Create a symbolic link of the OpenSSL config file with the correct version, so it can be used by the commands of Easy-RSA. In Debian Stretch, it can be done by executing the following command:
Remember:
- only .key files should be kept confidential.
- .crt and .csr files can be sent over insecure channels such as plaintext email.
- do not need to copy a .key file between computers.
- each computer will have its own certificate/key pair.
Generate CERTIFICATE AUTHORITY (CA) CERTIFICATE/KEY:
It will generate ca.crt and ca.key in /etc/openvpn/easy-rsa/keys/ directory.
Generate BUILD AN INTERMEDIATE CERTIFICATE AUTHORITY CERTIFICATE/KEY (optional):
It will generate server.crt and server.key in /etc/openvpn/easy-rsa/keys/, and signed with your root certificate.
Generate BUILD DIFFIE-HELLMAN PARAMETERS (necessary for the server end of a SSL/TLS connection):
Generate key for each client: Use one of the two (build-key or build-key-pass). You'll be asked for 'Enter PEM pass phrase', this is the passphrase you'll need to login at the client.
Generate key with password (this protect the key and request the password every time that you connect to the server), for each client:
It will generate keys in /etc/openvpn/easy-rsa/keys/
Copy the ca.crt, clientname.crt, clientname.key from Server to Client/etc/openvpn/easy-rsa/keys/ directory.
Check OpenVPN RSA Key and code.mixpanel.com VPN for details.
Test the connectivity from command line.
Server:
Client:
If the connection is successful create file configuration.
In Server create /etc/openvpn/server.conf as follows:
Check code.mixpanel.com VPN and rackspace OpenVPN for details.
Create log directory:
Restart OpenVPN.
Note that the /etc/init.d/openvpn script will start an openvpn server for every .conf file in /etc/openvpn/, so if you still have the tun0.conf file from above, rename it to something else than *.conf. In the case of systemd only one openvpn server is started by default.
In Client create /etc/openvpn/client.conf as follows:
(note: you may use graphical vpn tool network-manager UI by providing the key and certificates)
Restart OpenVPN:
Debian Server with Android / iOS devices
OpenVPN can be configured to use with Android / iOS devices.
In Debian Server, create required certificates if you have a fresh installation of ?OpenVpn:
Modify below lines in /etc/openvpn/server.conf:
8.8.8.8 is Google DNS server. You may change to your preferred DNS server.
Test that the configuration works:
If it does, Ctrl-C out of this and restart OpenVPN server to use the new configuration:
Or on systems using systemd:
Create client profile file /etc/openvpn/client.ovpn and attach certificates to it:
Modify below lines in client profile file /etc/openvpn/client.ovpn:
where ?YourServerIp and ?YourServerPort should be changed to your server. Three lines (#ca, #cert, #key) are remarked as the required certificates were attached to the profile file instead of individual files.
e-mail or upload the client configuration file /etc/openvpn/client.ovpn to google drive in order to download to iPhone.
For iOS devices, install OpenVPN Connect client. Then transfer the client configuration file /etc/openvpn/client.ovpn to the device by e-mail or by Google Drive. Open the configuration file in Mail apps or Google Drive apps.
For Android devices, install OpenVPN Connect client. Then copy the client configuration file /etc/openvpn/client.ovpn to the storage of the device. Open the configuration file in OpenVPN apps.
You'll also want to run the server parts of the 'Forward traffic via VPN' steps below. Your phone OpenVPN client should take care of the client parts automatically.
In Server enable runtime IP forwarding:
Edit /etc/sysctl.conf uncomment the following line to make it permanent:
Execute the following command in server for testing:
You may also use the rc.firewall-iptables script from TLDP Masquerade as an alternative.
In client:
If you use graphical client generally you may not need to execute these command.
If everying is working fine, save the iptables rules:
To restore:
add this to startup script. Debian wiki iptables page for details.
By default, all configured VPNs are started during system boot. Edit /etc/default/openvpn to start specific VPNs or to disable this behavior. Systemd users may need to run systemctl daemon-reload once to enable new VPNs.
openvpn ifupdown hooks are also available for starting/stopping tunnels using /etc/network/interfaces, e.g.:
See /usr/share/doc/openvpn/README.Debian.gz for more information.
To automatically start a VPN located in /etc/openvpn/client/ or /etc/openvpn/server/, enable openvpn-client@<name>.service or openvpn-server@<name>.service. For instance, a client configuration located in /etc/openvpn/client/vpn0.conf would be automatically started by enabling openvpn-client@vpn0.service.
This part describe how to configure a VPN to pass through a http proxy, which allow only trafic on port 443 (and 80). This use the http_proxy of OpenVPN.
- First of all, check that the port 443 isn't already used by another service on your server.
Configure OpenVPN on server side by adding port 443 and proto tcp-server to the configuration file.
Configure OpenVPN on the client side by adding port 443, proto tcp-client and http-proxy 1.1.1.1 8080 to the configuration file.
Where 1.1.1.1 and 8080 are IP and port of your proxy.
- Now you should launch OpenVPN on the server and next on the client.
- At this time, you should configure routes to use the VPN tunnel:
Remove the default route through the proxy: route del default eth0
Add default route through your VPN: route add default gw 10.9.8.1 dev tun0
You should keep the route to the proxy with: route add 1.1.1.1 eth0
Update your /etc/resolv.conf according to your needs.
TODO
Explain how to enable the management interface (http://openvpn.net/index.php/open-source/documentation/miscellaneous/79-management-interface.html)
OpenVPN home-page
code.mixpanel.com VPN
rackspace OpenVPN
openvpn pki how to
RSA key Management OpenVPN
OpnVPN Howto
Ubuntu OpenVPN
TLDP Masquerade
Other VPN clients
Important
Netgate is offering COVID-19 aid for pfSense software users, learn more.
Using pfSense® software, connecting two sites using OpenVPN is very simple. Oneside is configured as a client, and the other as a server. OpenVPN in shared keymode is the recommend method for site to site connections, unless there are ahalf dozen or more sites. For PKI and advanced options/configurations seeConfiguring a Site-to-Site PKI (SSL) OpenVPN Instance.
The instructions below are for basic site to site connectivity. For other modessuch as SSL/TLS, or remote access, look in the OpenVPN sectionand the OpenVPN chapter of the pfSense Book.
Notes¶
Both IPsec and OpenVPN may be enabled/in use at the same time, however,not for the same subnets. Any IPsec tunnel that references the same pairof subnets configured for use in OpenVPN must be disabled. IPsec andOpenVPN do not conflict otherwise.
The way OpenVPN works is that one end of the tunnel needs to be the“server” and the other the “client”, it does not matter which, though ifthere is more than one remote site, the main “hub” site should be theserver. If one site has a dynamic IP address and the other has a staticIP address, then the static IP address end should be the server.
For more than 6 site to site connections, SSL/TLS (PKI)can be a better fit for ease of management. Both methods work and require a fairamount of configuration on the server for each site, but there is lower overheadwith SSL/TLS since it runs a single server process.
A firewall rule must be created on the Server to allow traffic throughto the interface and port where the server is running, otherwise thetraffic will be blocked and the VPN will fail to connect. To allow orfilter incoming traffic inside the VPN tunnel, add rules to theOpenVPN tab under Firewall > Rules.
Server Settings¶
Navigate to VPN > OpenVPN, on the Servers tab. Click to createa new OpenVPN server and use the following options:
Peer to Peer (Shared Key)
UDP - TCP is undesirable because every lost packet isretransmitted, and if TCP is used inside the tunnel it will beretransmitted anyway. This will slow down the VPN if there is a lot oflost traffic on the WAN connection. TCP is really only useful to bypassfirewalls, in which case the port should be set to 443 as almost noone blocks access to that port. The protocol must match on each side.
tun
Whichever interface server will use for incoming connections.Typically WAN, but may be an OPT WAN.
The port this OpenVPN server will listen on. 1194 is thedefault OpenVPN port. Each server requires a unique port. Make surenot to use a port in use by another service otherwise problems canoccur. If using port 443, ensure the WebGUI is not running on thatport first.
A name for this VPN. Shows up in various places wherethe VPN can be selected from a list, such as Status > Services, orDiagnostics > Packet Capture.
The keys can be made in the GUI. Check Automaticallygenerate a shared key, and when the settings are saved, a key will begenerated. Then copy/paste the key into the client.
This setting must match on both sides. Any of the cryptooptions are fine, it depends on the user preference. For most hardware,aes-256-cbc is a good choice, see Cryptographic Accelerator Support.
If the device has hardware crypto support, choose it from thislist. For ALIX and many others, use BSD cryptodev engine to use supportedonboard devices.
The suggested default in the GUI of 10.0.8.0/24 issufficient, but any random unused network inside of the RFC1918 space isrecommended. For site-to-site shared key, only a /30 is used, not a /24, evenif /24 is specified.
What Is Generate A Static Openvpn Key Password
Enter the remote (Client Side) LAN here. To access morethan one network, add them all here separated by a comma (e.g.10.10.10.0/24,192.168.10.0/24).
Set this if to compress data on the tunnel. If bulk data orencrypted protocols like https/ssh are used primarily, this may only addunnecessary overhead. Enabled with Adaptive Compression is agood compromise as it will periodically test the compression of data andenable/disable as needed when it can help.
Set the TOS IP header value of tunnel packets tomatch the encapsulated packet value. Useful for traffic shaping on theOpenVPN traffic itself, but it does expose some data about the contentsof the packet so it is a potential security risk.
Don’t forget to add a firewall rule on the WAN tabunder Firewall > Rules (or whichever interface the server is runningon) to allow traffic to reach the OpenVPN server’s IP and port where it islistening. Also don’t forget rules on the OpenVPN tab to allow trafficinside the tunnel.
Client Settings¶
What Is Generate A Static Openvpn Key Windows 10
Navigate to VPN > OpenVPN, on the Clients tab. Click to createa new OpenVPN client and use the following options:
Peer to Peer (Shared Key)
Match the setting from the server side.
tun
Interface to use for outbound traffic. Typically WAN, but may bean OPT WAN.
Leave this blank for a random port. The port this OpenVPN clientwill use for its side (source port). Each process requires a unique port.Make sure not to use a port in use by another service otherwise problems canoccur. Leaving this box blank is best.
IP (203.0.113.19) or FQDN (vpn.example.com).
The port used by the OpenVPN server.
A name for this VPN. Free guild wars access key generator.
What Is Generate A Static Openvpn Key Number
Copy/paste the key from the server.
Match the setting from the server side.
What Is Generate A Static Openvpn Key Code
Hardware specific. See the same setting in the server section.
Match the setting from the server side.
Enter the remote (Server Side) LAN here. To access morethan one network, add them all here separated by a comma (e.g.10.10.9.0/24,192.168.9.0/24).
Match the setting from the server side.
See the same setting in the server section.
Don’t forget to add rules to Firewall > Rules on theOpenVPN tab to allow traffic inside the tunnel.