OpenVPN server and client setup

Goal

To configure an OpenVPN server on a device using server-managed certificates, and to set up the OpenVPN configuration file for remote clients.

Setup

This article assumes you have a device that supports OpenVPN, a working knowledge of networking for the infrastructure you are trying to establish, and physical connection of network hardware. The configuration of OpenVPN servers and clients that use custom key files and certificates is not in the scope of this article. However, related information are available in these links:

Sample

The sample configuration below shows the connection arrangement and relevant network information between a device as the OpenVPN server, and the remote devices which are the OpenVPN clients. The network information are used in this article.

Sample Server Configuration

Open the configuration page and set the following configurations.

VPN > OpenVPN Section Configuration

  1. Specify a new server name in Add OpenVPN server: TestOVPN
  2. Specify the type of OpenVPN device in Device type: TUN/TAP (TUN is used in this walkthrough)
  3. Specify the firewall zone in Zone: internal
  4. Specify the address of the OpenVPN network in Address, which should be different from the LAN network: 192.168.30.1/24
  5. Enable Server managed certificates: Checked.

Authentication Section Configuration to add OpenVPN users

  1. In Authentication > Groups, specify a new OpenVPN group name and click Add Group: GroupOVPN
  2. In the newly created group (for example, GroupOVPN), enable OpenVPN access
  3. In the OpenVPN section, select the newly created OpenVPN server in the Tunnel dropdown: OpenVPN server: TestOVPN
  4. In Authentication > Users, specify a new OpenVPN user username and click Add User: UserOVPN
  5. Insert a password in the Password prompt: userpasswd
  6. In the Groups section, select the newly created (or as desired) OpenVPN group in the Group dropdown: GroupOVPN

Once all configurations are correct, click Save at the bottom of the configuration page to save the changes. Your TUN-style OpenVPN server is now set up and ready to accept client user connection using the appropriate credentials set up in the Authentication section.

Sample client configuration file

The minimum requirements for a remote client to connect to the OpenVPN server is the OpenVPN client configuration file and an OpenVPN client.  To obtain these:

The TestOVPN.ovpn file needs to be edited before use, and it can be edited in any text editing program.

When TestOVPN.ovpn file is opened, change the field <server address> with the public external IP address of your server. In this sample, <server address> is replaced with 172.16.10.1.

Custom routing (e.g. from the OpenVPN network to the internal corporate network) can also be achieved with route <destination network> <network submask> . In this sample, the destination (internal) network is 192.168.10.0/24, therefore a new line route 192.168.10.0 255.255.255.0 is added to the configuration.

# Note:
#
# Any lines with <...> in them need to be modified. For example
#
# remote <server address> 1234
# with a server address of 1.2.3.4, becomes
# remote 1.2.3.4 1234

#general
client
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC

# connection settings
dev tun
proto udp
# ==============================================================
# replaced 'remote <server address> 1194' with
remote 172.16.10.1 1194 # MODIFIED LINE
route 192.168.10.0 255.255.255.0 # ADDED LINE
# ==============================================================
<ca>
-----BEGIN CERTIFICATE-----
MIIFTjCCBDagAwIBAgIJALkwivgA/CCDMA0GCSqGSIb3DQEBCwUAMIHKMQswCQYD
VQQGEwJBVTEMMAoGA1UECBMDUUxEMREwDwYDVQQHEwhCcmlzYmFuZTEdMBsGA1UE
ChMUQWNjZWxlcmF0ZWQgQ29uY2VwdHMxHTAbBgNVBAsTFEFjY2VsZXJhdGVkIENv
bmNlcHRzMSAwHgYDVQQDExdBY2NlbGVyYXRlZCBDb25jZXB0cyBDQTEQMA4GA1UE
KRMHRWFzeVJTQTEoMCYGCSqGSIb3DQEJARYZamVmZi5zaGF3QGFjY2VsZXJhdGVk
LmNvbTAeFw0xNzA5MTQwMzM5MDdaFw0yNzA5MTIwMzM5MDdaMIHKMQswCQYDVQQG
EwJBVTEMMAoGA1UECBMDUUxEMREwDwYDVQQHEwhCcmlzYmFuZTEdMBsGA1UEChMU
QWNjZWxlcmF0ZWQgQ29uY2VwdHMxHTAbBgNVBAsTFEFjY2VsZXJhdGVkIENvbmNl
cHRzMSAwHgYDVQQDExdBY2NlbGVyYXRlZCBDb25jZXB0cyBDQTEQMA4GA1UEKRMH
RWFzeVJTQTEoMCYGCSqGSIb3DQEJARYZamVmZi5zaGF3QGFjY2VsZXJhdGVkLmNv
bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM7S5xFLwGCAxeJPlO2K
AWf8uOu1LuXSHSANdCgdnjsJh3l31wRQ9c6cc8JmfcbLN5B3wwvaV0LsLbPVk1jk
pw7ImVbsN2k8+dto5WzTu/RfGPbjP4yML3ZtL0lkQWw3kmZ2vhPUa3YFG1x13Yk9
yHB+FfjhJivK7f5Bw+e8clkh3t6d2nyqOlDo9nmeYnvgaSXJgkFqUgUT3s72rpz3
Hb8+m8KihZ/yU09E0e3w767TXqCjcVcKWDr2YR9d5B5nf9FbMbLWaJoCmAFHjluf
pHdKVlDiHnCKwd0PUGKiWiWH3JTmrXK4nbnba5cWFKyF+fO7Kw+2NcyGcQUVeZg5
+X8CAwEAAaOCATMwggEvMB0GA1UdDgQWBBQ3wwwxUUgvxKEJlposwCjGV4hU/TCB
/wYDVR0jBIH3MIH0gBQ3wwwxUUgvxKEJlposwCjGV4hU/aGB0KSBzTCByjELMAkG
A1UEBhMCQVUxDDAKBgNVBAgTA1FMRDERMA8GA1UEBxMIQnJpc2JhbmUxHTAbBgNV
BAoTFEFjY2VsZXJhdGVkIENvbmNlcHRzMR0wGwYDVQQLExRBY2NlbGVyYXRlZCBD
b25jZXB0czEgMB4GA1UEAxMXQWNjZWxlcmF0ZWQgQ29uY2VwdHMgQ0ExEDAOBgNV
BCkTB0Vhc3lSU0ExKDAmBgkqhkiG9w0BCQEWGWplZmYuc2hhd0BhY2NlbGVyYXRl
ZC5jb22CCQC5MIr4APwggzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IB
AQAKv7/5NNS2ow4YFNwV/0tMvNP6yekNzomiL+Yx0QwP7yK+MvvcPXsW0jgicqqW
gEVvIDP5xK/DJC2gx0BAB0ZxH9EahDHd1cuHE5JabwD8zZzMOrPflPcAYdi+B+Zn
voQvMhoH9aMBNW13oNfLHmGg7I/6tDR9NgWFSpiwlyK63HLOeSxaZ8Jioac6slSO
4qUmfef8RGcBL4tO76ebsbi7FH03bWBGf+SftAT/Xw4EJ/O/VxITS1veFn0HRUfM
6YCDou/44JTc0GD2trekCiCuvDk5QhxzUja5DXB+fsSNvGMNbuyALV7y52jSrrw5
PUj4tJcN6F1p9WKhaDXnRClb
-----END CERTIFICATE-----

</ca>

#authentication
auth-user-pass

The remaining configuration process of the remote client uses this configuration file. For details, visit: