OpenVPN

The OpenVPN package comes with a collection of example configuration files for different purposes. The sample server and client configuration files make an ideal starting point for a basic OpenVPN setup with the following features:

• Uses Public Key Infrastructure (PKI) for authentication.
• Creates a VPN using a virtual TUN network interface (OSI Layer-3 IP routing).
• Listens for client connections on UDP port 1194 (OpenVPN's official IANA port number).
• Distributes virtual addresses to connecting clients from the 10.8.0.0/24 subnet.

For more advanced configurations, please see the man page and the OpenVPN documentation.

Copy the example server configuration file to .

Edit the file making a minimum of the following changes:

/etc/openvpn/server/server.conf

ca ca.crt
cert servername.crt
key servername.key
dh dh.pem

tls-crypt ta.key # Replaces ''tls-auth ta.key 0''

user nobody
group nobody

If TLS with elliptic curves is used, specify and (or ). DH parameters file is not used when using elliptic curves. Starting from OpenVPN 2.4.8, it is required to specify the type of elliptic curves in server configuration. Otherwise the server would fail to recognize the curve type and possibly use an incompatible one, resulting in authentication errors.

If security is a priority, additional configuration is recommended including: limiting the server to use a strong cipher/auth method and (optionally) limiting the set of enabled TLS ciphers to the newer ciphers. Starting from OpenVPN 2.4, the server and the client will automatically negotiate AES-256-GCM in TLS mode.

Add the following to :

Bleeding edge security

Compatibility with most devices

Enabling compression is not recommended by upstream; doing so opens to the server the so-called VORACLE attack vector. See this article.

It is generally recommended to use OpenVPN over UDP, because TCP over TCP is a bad idea.

Some networks may disallow OpenVPN connections on the default port and/or protocol. One strategy to circumvent this is to mimic HTTPS traffic which is very likely unobstructed.

To do so, configure as such:

One can have multiple, concurrent instances of OpenVPN running on the same box. Each server needs to be defined in /etc/openvpn/server/ as a separate .conf file. At a minimum, the parallel servers need to be running on different ports. A simple setup directs traffic connecting in to a separate IP pool. More advanced setups are beyond the scope of this guide.

Consider this example, running 2 concurrent servers, one port 443/udp and another on port 80/tcp.

First modify created as so:

Now copy it and modify the copy to run on 80/tcp:

Be sure to setup the corresponding entries in the firewall, see the relevant sections in #Firewall configuration.

Copy the example client configuration file /usr/share/openvpn/examples/client.conf to .

Edit the following:

• The directive to reflect either the server's Fully Qualified Domain Name, hostname (as known to the client), or its IP address.
• Uncomment the and directives to drop privileges.
• The , , and parameters to reflect the path and names of the keys and certificates.
• Enable the TLS HMAC handshake protection ( or --tls-auth).

Using the options and group nobody in the configuration file makes OpenVPN drop its privileges after establishing the connection. The downside is that upon VPN disconnect the daemon is unable to delete its set network routes again. If one wants to limit transmitting traffic without the VPN connection, then lingering routes may be considered beneficial. It can also happen, however, that the OpenVPN server pushes updates to routes at runtime of the tunnel. A client with dropped privileges will be unable to perform the update and exit with an error.

As it could seem to require manual action to manage the routes, the options and group nobody might seem undesirable. Depending on setup, however, there are different ways to handle these situations:

• For errors of the unit, a simple way is to edit it and add a to the section. Though, this alone will not delete any obsoleted routes, so it may happen that the restarted tunnel is not routed properly.
• The package contains the , which can be used to let openvpn fork a process with root privileges with the only task to execute a custom script when receiving a down signal from the main process, which is handling the tunnel with dropped privileges (see also its README).

The OpenVPN HowTo's linked below go further by creating a dedicated non-privileged user/group, instead of the already existing . The advantage is that this avoids potential risks when sharing a user among daemons:

• The OpenVPN HowTo explains another way how to create an unprivileged user mode and wrapper script to have the routes restored automatically.
• It is possible to let OpenVPN start as a non-privileged user in the first place, without ever running as root, see this OpenVPN wiki (howto). The howto assumes the presence of System V init, rather than Systemd and does not cover the handling of / scripts - those should be handled the same way as the ip command, with additional attention to access rights.
• It is also possible to run OpenVPN from within unprivileged podman container, see this section of OpenVPN HowTo

Some software will only read VPN certificates that are stored in a password-encrypted .p12 file. These can be generated with the following command:

Run (as the root user) on the server, and (as the root user) on the client. Example output should be similar to the following:

# openvpn /etc/openvpn/client/client.conf

Wed Dec 28 14:41:50 2011 OpenVPN 2.2.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011
Wed Dec 28 14:41:50 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
...
Wed Dec 28 14:41:57 2011 GID set to nobody
Wed Dec 28 14:41:57 2011 UID set to nobody
Wed Dec 28 14:41:57 2011 Initialization Sequence Completed

Find the IP address assigned to the tunX interface on the server, and ping it from the client.

Find the IP address assigned to the tunX interface on the client, and ping it from the server.

If experiencing issues when using (remote) services over OpenVPN (e.g. web browsing, DNS, NFS), it may be needed to set a MTU value manually.

The following message may indicate the MTU value should be adjusted:

read UDPv4 [EMSGSIZE Path-MTU=1407]: Message too long (code=90)

In order to get the maximum segment size (MSS), the client needs to discover the smallest MTU along the path to the server. In order to do this ping the server and disable fragmentation, then specify the maximum packet size :

# ping -M do -s 1500 -c 1 example.com

Decrease the 1500 value by 10 each time, until the ping succeeds.

Update the client configuration to use the succeeded MTU value, e.g.:

OpenVPN may be instructed to test the MTU every time on client connect. Be patient, since the client may not inform about the test being run and the connection may appear as nonfunctional until finished. The following will add about 3 minutes to OpenVPN start time. It is advisable to configure the fragment size unless a client will be connecting over many different networks and the bottle neck is not on the server side:

Starting from OpenVPN 2.4, OpenVPN will use defined by the OS when just using proto udp or , which in most cases will be IPv4 only. To use both IPv4 and IPv6, use or . To enforce only IPv4-only, use or . On older OpenVPN versions, one server instance can only support either IPv4 or IPv6.

In order to provide IPv6 inside the tunnel, have an IPv6 prefix routed to the OpenVPN server. Either set up a static route on the gateway (if a static block is assigned), or use a DHCPv6 client to get a prefix with DHCPv6 Prefix delegation (see IPv6 Prefix delegation for details). Also consider using a unique local address from the address block fc00::/7. Both methods have advantages and disadvantages:

• Many ISPs only provide dynamically changing IPv6 prefixes. OpenVPN does not support prefix changes, so change the server.conf every time the prefix is changed (Maybe can be automated with a script).
• ULA addresses are not routed to the Internet, and setting up NAT is not as straightforward as with IPv4. This means one cannot route the entire traffic over the tunnel. Those wanting to connect two sites via IPv6, without the need to connect to the Internet over the tunnel, may want to use the ULA addresses for ease.

Alternatively, a NDP proxy should work. See this StackExchange post.

After having received a prefix (a /64 is recommended), append the following to the server.conf:

server-ipv6 2001:db8:0:123::/64

This is the IPv6 equivalent to the default 10.8.0.0/24 network of OpenVPN and needs to be taken from the DHCPv6 client. Or use for example fd00:1234::/64.

Those wanting to push a route to a home network (192.168.1.0/24 equivalent), need to also append:

push "route-ipv6 2001:db8:0:abc::/64"

OpenVPN does not yet include DHCPv6, so there is no method to e.g. push DNS server over IPv6. This needs to be done with IPv4. The OpenVPN Wiki provides some other configuration options.

To troubleshoot a VPN connection, start the client's daemon manually with as root. The server can be started the same way using its own configuration file (e.g., ).

To start the OpenVPN server automatically at system boot, enable openvpn-server@configuration.service on the applicable machine. For a client, enable instead. (Leave out of the string.)

For example, if the client configuration file is /etc/openvpn/client/client.conf, the service name is . Or, if the server configuration file is , the service name is .

One might not always need to run a VPN tunnel and/or only want to establish it for a specific NetworkManager connection. This can be done by adding a script to . In the following example "Provider" is the name of the NetworkManager connection:

See NetworkManager#Network services with NetworkManager dispatcher for more details.

NetworkManager supports OpenVPN management using networkmanager-openvpn.

In your desktop environment network settings (or ). Click the plus sign to add a new connection and choose OpenVPN and manually enter the settings. You also can optionally import #The client configuration profile by selecting Import a saved VPN configuration... and selecting the appropriate file.

For importing a configuration:

$ nmcli connection import type openvpn file file.ovpn

To do a manual configuration:

$ nmcli connection add type vpn vpn-type openvpn ...

See nm-settings-nmcli(5) § vpn setting for the detailed options.

NetworkManager supports syncing the VPN state with a interface connection state, i.e start the VPN together with the connection and bringing it down when the connection goes down.

To achieve this, open and select a network connection (not the VPN), then head to the General section, tick Automatically connect to VPN and select the appropriate configuration in the dropdown menu.

List connections

nmcli connection

NAME     UUID                                  TYPE      DEVICE
zrh-003  d46e4a92-778e-4792-b085-e1f638ecb8e3  vpn       enp1s0
enp1s0   1715b889-3c47-3e21-a86f-94ce207297a9  ethernet  enp1s0
tun0     7405f329-255d-4b50-b98d-c2e865a443a4  tun       tun0

Copy UUID of VPN Connection you want to connect automatically (d46e4a92-778e-4792-b085-e1f638ecb8e3)

nmcli c edit enp1s0
nmcli> set connection.secondaries d46e4a92-778e-4792-b085-e1f638ecb8e3
nmcli> save persistent
Connection 'enp1s0' (1715b889-3c47-3e21-a86f-94ce207297a9) successfully updated.

systemctl restart NetworkManager

If you get:

Warning: password for 'vpn.secrets.password' not given in 'passwd-file' and nmcli cannot ask without '--ask' option.
Error: Connection activation failed: No valid secrets

Even with

[vpn]
cert-pass-flags=0

You can add:

[vpn-secrets]
cert-pass=anything_you_want

If using the default port 1194, enable the service. Otherwise, create a new service with a different port.

# firewall-cmd --zone=public --add-service openvpn

Now add masquerade to the zone:

# firewall-cmd --zone=FedoraServer --add-masquerade

Make these changes permanent:

# firewall-cmd --runtime-to-permanent

In order to allow ufw forwarding (VPN) traffic append the following to /etc/default/ufw:

Change , and append the following code after the header and before the "*filter" line:

• Change the IP/subnet mask to match the set in the OpenVPN server configuration.
• Change the network interface to the connection used by OpenVPN server.

Make sure to open the chosen OpenVPN port (default 1194/udp):

# ufw allow 1194/udp

To apply the changes. reload/restart ufw:

# ufw reload

In order to allow VPN traffic through an iptables firewall, first create an iptables rule for NAT forwarding on the server. An example (assuming the interface to forward to is named ):

# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

If running multiple servers on different IP pools, add a corresponding line for each one, for example:

# iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE

If the server cannot be pinged through the VPN, one may need to add explicit rules to open up TUN/TAP interfaces to all traffic. If that is the case, do the following :

# iptables -A INPUT -i tun+ -j ACCEPT
# iptables -A FORWARD -i tun+ -j ACCEPT
# iptables -A INPUT -i tap+ -j ACCEPT
# iptables -A FORWARD -i tap+ -j ACCEPT

Additionally be sure to accept connections from the OpenVPN port (default 1194) and through the physical interface:

# iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
# iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i tap+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i eth0 -o tap+ -m state --state RELATED,ESTABLISHED -j ACCEPT

When satisfied, make the changes permanent as shown in iptables#Configuration and usage.

Those with multiple tun or tap interfaces, or more than one VPN configuration can "pin" the name of the interface by specifying it in the OpenVPN configuration file, e.g. instead of tun. This is advantageous if different firewall rules for different interfaces or OpenVPN configurations are wanted.

This prevents all traffic through the default interface (enp3s0 for example) and only allows traffic through tun0. If the OpenVPN connection drops, the system will lose its internet access thereby preventing connections through the default network interface.

One may want to set up a script to restart OpenVPN if it goes down.

 # Default policies
 ufw default deny incoming
 ufw default deny outgoing
 
 # Openvpn interface (adjust interface accordingly to your configuration)
 ufw allow in on tun0
 ufw allow out on tun0
 
 # Local Network (adjust ip accordingly to your configuration)
 ufw allow in on enp3s0 from 192.168.1.0/24
 ufw allow out on enp3s0 to 192.168.1.0/24
 
 # Openvpn (adjust port accordingly to your configuration)
 ufw allow in on enp3s0 from any port 1194
 ufw allow out on enp3s0 to any port 1194

Alternatively, the vpnfailsafe () script can be used by the client to prevent DNS leaks and ensure that all traffic to the internet goes over the VPN. If the VPN tunnel goes down, internet access will be cut off, except for connections to the VPN server(s). The script contains the functionality of update-resolv-conf, so the two do not need to be combined.

For a host to be able to forward IPv4 packets between the LAN and VPN, it must be able to forward the packets between its NIC and its tun/tap device. See Internet sharing#Enable packet forwarding for configuration details.

By default, all IP packets on a LAN addressed to a different subnet get sent to the default gateway. If the LAN/VPN gateway is also the default gateway, there is no problem and the packets get properly forwarded. If not, the gateway has no way of knowing where to send the packets. There are a couple of solutions to this problem.

• Add a static route to the default gateway routing the VPN subnet to the LAN/VPN gateway's IP address.
• Add a static route on each host on the LAN that needs to send IP packets back to the VPN.
• Use iptables' NAT feature on the LAN/VPN gateway to masquerade the incoming VPN IP packets.

The server is on a LAN using the 10.66.0.0/24 subnet. To inform the client about the available subnet, add a push directive to the server configuration file:

Prerequisites:

• Any subnets used on the client side, must be unique and not in use on the server or by any other client. In this example we will use 192.168.4.0/24 for the clients LAN.
• Each client's certificate has a unique Common Name, in this case bugs.
• The server may not use the duplicate-cn directive in its configuration file.
• The CCD folder must be accessible via user and group defined in the server configuration file (typically nobody:nobody)

Create a client configuration directory on the server. It will be searched for a file named the same as the client's common name, and the directives will be applied to the client when it connects.

# mkdir -p /etc/openvpn/ccd

Create a file in the client configuration directory called bugs, containing the directive. It tells the server what subnet should be routed to the client:

Add the client-config-dir and the directive to the server configuration file. It tells the server what subnet should be routed from the tun device to the server LAN:

/etc/openvpn/server/server.conf

client-config-dir ccd
route 192.168.4.0 255.255.255.0

If accessing a machine in the client LAN from a machine in the server LAN, remember that packet forwarding needs to be enabled on the client (Internet sharing#Enable packet forwarding).

Combine the two previous sections:

By default clients will not see each other. To allow IP packets to flow between clients and/or client LANs, add a client-to-client directive to the server configuration file:

/etc/openvpn/server/server.conf

client-to-client

In order for another client or client LAN to see a specific client LAN, add a push directive for each client subnet to the server configuration file (this will make the server announce the available subnet(s) to other clients):

These scripts are maintained by OpenVPN. They are and , and they are packaged in . The following is an excerpt of a resulting client configuration using the scripts in conjunction with the down-root plugin:

These scripts use the command if present. Systemd-resolvconf and Openresolv both implement this command. See their wiki pages for more information on getting a working implementation.

If no implementation of is present, preserves the existing at /etc/resolv.conf.ovpnsave and writes a new one. This new one will not have any of the original DNS servers.

When editing these scripts, copy them somewhere else and edit them there, so that the changes do not get overwritten by the next package upgrade. is a pretty good place.

# cp /usr/share/openvpn/contrib/pull-resolv-conf/* /etc/openvpn/client
# $EDITOR /etc/openvpn/client/client.{up,down}
# # etc ...

The openvpn-update-resolv-conf script is available as an alternative to packaged scripts. It needs to be saved for example at /etc/openvpn/update-resolv-conf and made executable.

Users preferring a package may use but will still need to do the following:

Once the script is installed add lines like the following into the OpenVPN client configuration file:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Now, when launching the OpenVPN connection, should be updated accordingly, and also should get returned to normal when the connection is closed.

The update-systemd-resolved script links OpenVPN with via DBus to update the DNS records.

Copy the script into /etc/openvpn/scripts and mark as executable (or install ) and append the following lines into the OpenVPN client configuration file:

In order to send all DNS traffic through the VPN tunnel and prevent DNS leaks, also add the following line (see ):

Make sure that the systemd-resolved service is configured and running. Also, since openvpn 2.5.0-3 scripts are running as openvpn user instead of root. Thus, add a PolicyKit rule to allow OpenVPN systemd units to call DBus with SetLinkDNS:

By default networkmanager-openvpn plugin appends DNS servers provided by OpenVPN to .

To verify that the correct DNS server(s) are configured, see if systemd-resolved is in use, for other resolvers see Domain name resolution.

The package provides a simple shell script that creates OpenVPN compatible tunnel profiles in the unified file format suitable for the OpenVPN Connect app for Android and iOS.

Simply invoke the script with 5 tokens:

1. Server Fully Qualified Domain Name of the OpenVPN server (or IP address).
2. Full path to the CA cert.
3. Full path to the client cert.
4. Full path to the client private key.
5. Full path to the server TLS shared secret key.
6. Optionally a port number.
7. Optionally a protocol (udp or tcp).

Example:

# ovpngen example.org /etc/openvpn/server/ca.crt /etc/easy-rsa/pki/signed/client1.crt /etc/easy-rsa/pki/private/client1.key /etc/openvpn/server/ta.key > foo.ovpn

If the server is configured to use tls-crypt, as is suggested in #The server configuration file, manually edit the resulting replacing <tls-auth> and with and .

The resulting can be edited if desired as the script does insert some commented lines. will not automatically route all traffic through the VPN, so consider following #Routing client traffic through the server to enable redirection.

The client expects this file to be located in . Note the change in file extension from 'ovpn' to 'conf' in this case.

The steps necessary for OpenVPN to #Run as unprivileged user, can be performed automatically using openvpn-unroot ().

It automates the actions required for the OpenVPN howto by adapting it to systemd, and also working around the bug for persistent tun devices mentioned in the note.

, available on the AUR, solves this problem by sending a SIGHUP to openvpn after waking up from suspend.

Alternatively, restart OpenVPN after suspend by creating the following systemd service:

Enable this service for it to take effect.

If the VPN-Connection drops some seconds after it stopped transmitting data and, even though it states it is connected, no data can be transmitted through the tunnel, try adding a keepalivedirective to the server's configuration:

In this case the server will send ping-like messages to all of its clients every 10 seconds, thus keeping the tunnel up. If the server does not receive a response within 120 seconds from a specific client, it will assume this client is down.

A small ping-interval can increase the stability of the tunnel, but will also cause slightly higher traffic. Depending on the connection, also try lower intervals than 10 seconds.

The default systemd service file for openvpn-client does not have the --writepid flag enabled, despite creating /run/openvpn-client. If this breaks a configuration (such as an i3bar VPN indicator), simply change openvpn-client@.service using a drop-in snippet:

[Service]
ExecStart=
ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf --writepid /run/openvpn-client/%i.pid

When using systemd-networkd to manage network connections and attempting to tunnel all outgoing traffic through the VPN, OpenVPN may fail to add routes. This is a result of systemd-networkd attempting to manage the tun interface before OpenVPN finishes configuring the routes. When this happens, the following message will appear in the OpenVPN log.

openvpn[458]: RTNETLINK answers: Network is unreachable
openvpn[458]: ERROR: Linux route add command failed: external program exited with error status: 2

From systemd-233, systemd-networkd can be configured to ignore the tun connections and allow OpenVPN to manage them. To do this, create the following file:

Restart to apply the changes. To verify that the changes took effect, start the previously problematic OpenVPN connection and run . The output should have a line similar to the following:

7 tun0             none               routable    unmanaged

This error shows up in the server log when a client that does not support tls-crypt, or a client that is misconfigured to use tls-auth while the server is configured to use tls-crypt, attempts to connect.

To support clients that do not support tls-crypt, replace tls-crypt ta.key with (the default) in . Also replace tls-crypt ta.key with (the default) in .

There is a known upstream bug in conjunction with importing existing OpenVPN configurations (.ovpn files) under KDE via the GUI ( not nm-connection-editor) that causes certain advanced options such as to be silently ignored. The created NetworkManager connection profile will therefore be incomplete and the connection ultimately fails.

Logs might reveal errors such as the following:

TLS Error: TLS handshake failed
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

A workaround is to resort to NetworkManager's command-line utility nmcli to import the connection profile as is shown in #CLI configuration.

There exists an issue with PKCS#12 encoded user certificates/private key files (usually denoted by a .pfx or .p12 file ending) with OpenSSL3, c.f. also . This leads to connections which worked perfectly before updating to OpenSSL3 not being able to connect with the following log messages produced (in this case via NetworkManager):

The reason is that older versions of OpenSSL used algorithms, which are now deprecated, to encrypt the PKCS#12 files.

To solve this issue the PKCS#12 file must be re-encrypted with a non-legacy algorithm.