VPN client

Revision as of 21:26, 1 November 2019 by WikiFreak (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)


This page describes how to configure OpenVPN client for IPv4 and IPv6.


Related articles:


Client

Client files

The client requires:

  • Authority of certification ca.cert (or content as text, section between ---begin certificate--- ---end certificate---- included)
  • Client private key client.key (or content as text)
  • Client certificate client.crt (or content as text)

Then, you can setup client configuration.


IMPORTANT NOTE for iOS:

  • You must have the CONTENT of each file and include it in the ".ovpn" file


Client configuration

Copy / paste the following configuration - just adjust your path according to your OS and file system:

##################################################
# OpenVPN 2.4 config file                        #
# ---------------------------------------------- #
# version 1.0 - April 2011 - Guillaume Diaz      #
# version 1.2 - June 2013 - Guillaume Diaz       #
#                           conf update + chroot #
# version 1.3 - April 2016 - Guillaume Diaz      #
#                           security increase    #
##################################################


# OpenVPN binding
##########################
# Tell TLS that we are building a CLIENT configuration
client

# Network interface to use
dev tun

# To support both IPv4 + IPv6
proto udp6

# VPN server @:port
remote myserver.mydomain 8080

# Do not bind to a specific port number
nobind

# keep trying indefinitely to resolve until connection is made
resolv-retry infinite

# Try to preserve state across restarts
persist-key
persist-tun



# SECURITY - certificates
########################
# SSL/TLS root certificate (ca)
# The server and all clients will use the same ca file.
ca "C:/Apps/OpenVPN/config/ca.crt"

# Client certificate and private key
<cert>
-----BEGIN CERTIFICATE-----
my_client_certificate
..
..
-----END CERTIFICATE-----
</cert>


<key>
-----BEGIN PRIVATE KEY-----
my_private_key
..
..
-----END PRIVATE KEY-----
</key>


# Security details (cryptography and communication settings)
##############################################################

# Encryption of data exchange
cipher AES-256-CBC

# Integrity check
auth SHA512

# Downgrade privileges after initialization (non-Windows only)
#user nobody
#group nogroup

# Compression of data exchange
# (i) Main setting will be push once connect

# Enable standard compression for the connection phase, it acts as failover too
comp-lzo

# Ensure VPN server certificate is of type "server": this reduce the man-in-the-middle attacks risks
remote-cert-tls server


# CLIENTS CONF
##########################
# Server security level
#script-security 2


# LOGS
##########################
# Log in a dedicated file instead of /var/log/messages
#log         "C:\Apps\OpenVPN\log\code.daxiongmao.eu.log"

# Log level
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 4

# Silence repeating messages.
# At most xx sequential same messages will be output to the log file.
mute 10


Ubuntu VPN DNS

If DNS resolution doesn't work well you need to add the following line to your client configuration:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf


Source: http://blog.nicolargo.com/2015/02/resolution-du-probleme-de-dns-avec-openvpn-sous-ubuntu.html


Software

Linux

Installation

# VPN software
apt-get install openssl openssh-server openvpn 
# VPN manager (UI)
apt-get install network-manager-openvpn network-manager-openvpn-gnome


Security

See Firewall VPN


You must enable global FORWARDING

vim /etc/sysctl.conf


# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1


# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=1


DNS

You can set some DNS entries.

  • Network manager > Edit connections > VPN > Edit > IPv4 > Additional DNS servers
  • Add: 8.8.8.8, 8.8.4.4
Ubuntu additional DNS entries



Windows

On windows, many clients are available. The best one, for me, is: « OpenVPN.net Community » https://openvpn.net/index.php/open-source/downloads.html

  • Take the Installer (64-bit), Windows XP and later

Then, you have to copy your .OVPN configuration & certificates inside the ~/openvpn/config/ folder.


To use the VPN:

  • Run the OpenVPN client as administrator ==> right click on the icon ==> run as administrator
  • Right click on the icon close to the system clock ==> connect


!! Hint !! You can create a 1 click shortcut.

  • Edit the default shortcut
  • Set target = C:\apps\OpenVPN\bin\openvpn-gui.exe --connect devDaxiongmao.ovpn
VPN windows shortcut howto 01

In target the --connect option allows you to start a specific profile automatically. :-)


  • In Compatibility tab set the run as administrator option.
VPN windows shortcut howto 02



MacOSX

The best VPN client is “tunnelblick” http://code.google.com/p/tunnelblick

  • Configuration files are in ~/librairies/openvpn
  • That’s the libraries [“bibliothèque”] folder of the current user