VPN client
Contents
Introduction
See VPN introduction
Client
Client files
The client requires:
- Authority of certification ca.cert
- Client private key client.key
- Client certificate client.crt
Then, you can setup client configuration.
Client configuration
Copy / paste the following configuration - just adjust your path according to your OS and file system:
#################################################
# OpenVPN 2.0 client config #
# --------------------------------------------- #
# version 1.0 - April 2011 - Guillaume Diaz
# version 1.2 - June 2013 - Guillaume Diaz
# conf update + chroot
#################################################
# OpenVPN configuration
##########################
# Client mode
client
# VPN mode
dev tun
########
# IPV4 #
########
proto udp
########
# IPV6 #
########
# Enable IPv6 support
tun-ipv6
# Protocol
proto udp6
##########
# Remote server
remote dev.daxiongmao.eu 8080
# Do not bind to a specific local port number
nobind
# Keep trying indefinitely to resolve the hostname of the OpenVPN server.
resolv-retry infinite
# Compression of data exchange
comp-lzo
# SECURITY
########################
# SSL/TLS root certificate (ca)
# The server and all clients will use the same ca file.
ca "C:\\Apps\\OpenVPN\\config\\ca.crt"
# Client certificate and private key
cert "C:\\Apps\\OpenVPN\\config\\xinxiongmao.crt"
key "C:\\Apps\\OpenVPN\\config\\xinxiongmao.key"
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup
# Try to preserve some state across restarts.
persist-key
persist-tun
# Encryption of data exchange
cipher AES-256-CBC
# Integrity check
auth SHA256
# Control server certificate
ns-cert-type server
##-- Logs --##
# Set log file verbosity.
verb 4
# Wireless networks often produce a lot of duplicate packets.
# Set this flag to silence duplicate packet warnings.
mute-replay-warnings
# Silence repeating messages
mute 10
# Allow DNS entries to be received and programs to be called before / after OpenVPN start|stop
script-security 2
### Ubuntu 16.04 bug
# See http://www.ubuntubuzz.com/2015/09/how-to-fix-openvpn-dns-leak-in-linux.html
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
Notes:
You have to edit the configuration file.
- Adjust paths on lines 30-38
- On Windows you must you the double slash \\
- On Linux don’t forget to uncomment the following lines for better security:
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup
- Linux: depending on your distribution you might need to adjust user / group default name.
Ubuntu VPN DNS
If DNS resolution doesn't work well you need to add the following line to your client configuration:
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
Source: http://blog.nicolargo.com/2015/02/resolution-du-probleme-de-dns-avec-openvpn-sous-ubuntu.html
Software
Linux
Installation
# VPN software
apt-get install openssl openssh-server openvpn
# VPN manager (UI)
apt-get install network-manager-openvpn network-manager-openvpn-gnome
Security
See Firewall VPN
You must enable global FORWARDING
vim /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=1
DNS
You can set some DNS entries.
- Network manager > Edit connections > VPN > Edit > IPv4 > Additional DNS servers
- Add:
8.8.8.8, 8.8.4.4
Windows
On windows, many clients are available. The best one, for me, is: « OpenVPN.net Community » https://openvpn.net/index.php/open-source/downloads.html
- Take the Installer (64-bit), Windows XP and later
Then, you have to copy your .OVPN configuration & certificates inside the ~/openvpn/config/
folder.
To use the VPN:
- Run the OpenVPN client as administrator ==> right click on the icon ==> run as administrator
- Right click on the icon close to the system clock ==> connect
!! Hint !! You can create a 1 click shortcut.
- Edit the default shortcut
- Set target =
C:\apps\OpenVPN\bin\openvpn-gui.exe --connect devDaxiongmao.ovpn
In target the --connect option allows you to start a specific profile automatically. :-)
- In Compatibility tab set the run as administrator option.
MacOSX
The best VPN client is “tunnelblick” http://code.google.com/p/tunnelblick
- Configuration files are in ~/librairies/openvpn
- That’s the libraries [“bibliothèque”] folder of the current user