Install and Configure OpenVPN using a TUN interface

With this procedure we will configure an OpenVPN server using a TUN interface instead of TAP.

We will use a scenario where:

192.168.1.0/24 -> your network

192.168.1.1 -> your gateway and DNS server

192.168.1.2 -> your OpenVPN server

Let’s start.

1 – Install prerequisites.

In Debian you will not find the “easy-rsa” package, but don’t worry, we will take care of that later.

2 – Enable the routing function on the server.

Uncomment the line containing:

net.ipv4.ip_forward=1

3 – Create the easy-rsa directory.

In Ubuntu run this command:

In Debian you have to create the directory and copy the files into it.

4 – Edit the variables.

Go into /etc/openvpn/easy-rsa/ and edit the vars file to your needs:

Change the key size from 1024 to 2048.

And comment out the line:

5 – Generate the server keys.

While inside /etc/openvpn/easy-rsa/ run the following commands:

Now enter the keys directory:

Generate the server keys:

And copy the necessary files to the openvpn directory:

6 – Configure the server configuration file.

First copy the example configuration file:

Extract it:

Edit it:

Add the following to the beginning of the file:

Change

port 1194

to

port 8294

I like to change the default port.

Change

;dev tap
dev tun

to

;dev tap
dev tun2

Change

dh dh1024.pem

to

dh dh2048.pem

Change

;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

to

push "route 192.168.1.0 255.255.255.0"

Change

;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

to

push "dhcp-option DNS 192.168.1.1"

This is your DNS server IP address.

You can also push your domain with:

push "dhcp-option DOMAIN example.com"

Change

;client-to-client

to

client-to-client

Change

;user nobody
;group nogroup

to

user nobody
group nogroup

Look for the line containing log-append and edit it to look like this:

log-append  /var/log/openvpn/openvpn.log

Save and exit
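Before restarting, the edited file can be checked against the changes listed in this step. The script below is an added example, not part of the original tutorial; the function names are made up for it, and the sample config is constructed. It also flags curly quotes, which OpenVPN does not treat as quoting and which often arrive when config lines are copied from a web page or word processor.

```shell
#!/bin/sh
# Added example (not from the original page): audit a server.conf against step 6.

# active KEY FILE: print uncommented lines whose directive is exactly KEY.
active() {
    grep -E "^[[:space:]]*$1([[:space:]]|\$)" "$2"
}

# audit_conf FILE: print one "FINDING: ..." line per deviation from step 6.
audit_conf() {
    conf=$1
    # OpenVPN only treats straight quotes as quoting; curly ones come from copy/paste.
    if grep -q -e '“' -e '”' "$conf"; then
        echo "FINDING: curly quotes in config, replace with straight quotes"
    fi
    active dh "$conf" | grep -q 'dh2048\.pem' ||
        echo "FINDING: dh does not point at dh2048.pem"
    active user "$conf" | grep -q 'nobody' ||
        echo "FINDING: 'user nobody' is not enabled"
    active group "$conf" | grep -q 'nogroup' ||
        echo "FINDING: 'group nogroup' is not enabled"
    active dev "$conf" | grep -q 'tun' ||
        echo "FINDING: dev is not a tun device"
    active push "$conf" | grep -q 'route 192\.168\.1\.0 255\.255\.255\.0' ||
        echo "FINDING: LAN route 192.168.1.0/24 is not pushed"
    active log-append "$conf" | grep -q '/var/log/openvpn/openvpn\.log' ||
        echo "FINDING: log-append does not use /var/log/openvpn/openvpn.log"
    return 0
}

# Constructed sample: stock settings left in place plus a push line with curly quotes.
sample_conf() {
    cat <<'EOF'
port 8294
dev tun2
dh dh1024.pem
push “route 192.168.1.0 255.255.255.0”
;user nobody
;group nogroup
log-append  /var/log/openvpn/openvpn.log
EOF
}

tmp=$(mktemp)
sample_conf > "$tmp"
audit_conf "$tmp"
rm -f "$tmp"
```

On a real server, point `audit_conf` at the server configuration file edited in this step; no output means every check passed.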

Create the openvpn log folder:

7 – Configure Firewall

On your OpenVPN server, type:

8 – Create the client keys.

Change to the easy-rsa folder:

Load the variables defined in the vars file:

Generate the key and certificate:

Set the PEM pass phrase (this is the password required when the OpenVPN client tries to connect).

Accept all the other options until you get to “A challenge password”.

When asked for “A challenge password” just press Enter

When asked for “An optional company name” just press Enter

When asked for “Sign the certificate? [y/n]:” say “yes”

When asked for “1 out of 1 certificate requests certified, commit? [y/n]” say “yes”

The files will be created in the /etc/openvpn/easy-rsa/keys folder.

9 – Restart the server.

Now restart the server and check your network interfaces:

Your output should look similar to this:

IMPORTANT!!

If you are installing OpenVPN as a virtual machine, read this.
