
Several open source solutions are available to build your own virtual private network. These solutions do their job in different ways: some use IPsec, others use plain TCP/IP. We chose the OpenVPN software to build our VPN. It does not require an IPsec-supporting network infrastructure, but it is safe nonetheless, as it supports all of the encryption, authentication, and certification features of the OpenSSL library (any cipher, key size, or HMAC digest). OpenVPN meets our functional needs: it is able to create VPN tunnels between datacenters as well as to support roadwarriors. It just does its job. OpenVPN is available for GNU/Linux, Apple Mac OS X and Microsoft Windows.

Further information is available at the OpenVPN homepage.


This documentation describes how to create a VPN between roadwarriors and your main office, which hosts the Hannibal servers. The configuration supports NAT traversal, and we assume a UDP port mapping (by default port 1194) exists from your firewall to the OpenVPN server.

In our example the Hannibal servers live in a subnet. The OpenVPN server will use a separate subnet for your VPN clients. If you want them to be able to reach other servers in the subnet, you'll have to create static routes on those servers or on your firewall.

Server side


Installation of the server part of the software is fairly simple. In addition to the package itself, OpenVPN uses the LZO package for compression.

apt-get install openvpn lzop openssl


Create a server-side configuration file /etc/openvpn/server.conf:

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/xenvpn.crt
key /etc/openvpn/easy-rsa/keys/xenvpn.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
keepalive 10 120
push "route"
push "dhcp-option DNS"
push "dhcp-option WINS"
status openvpn-status.log
verb 4
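A configuration like the one above references four files of key material and nothing in OpenVPN complains until start-up if one of them is missing or misnamed. The following lint script is an added example for this page (it is not part of the wiki, of Debian's package or of OpenVPN itself): it reads a server.conf, checks that every ca/cert/key/dh path exists, flags a Diffie-Hellman file named after a 1024-bit (or smaller) parameter set, since 2048 bits is the usual minimum today, and reports a missing user/group directive, without which the daemon keeps root privileges after initialisation. The two sample configurations it writes are constructed for the example; the assumption that relative paths resolve against the directory holding the config file is also the example's own.

```shell
#!/bin/sh
# Added example, not from the original wiki page: lint an OpenVPN server.conf.

# lint_openvpn_conf <conf-file>
# Prints one finding per line; the return status is the number of findings.
lint_openvpn_conf() {
    conf=$1
    confdir=$(dirname "$conf")
    findings=0
    saw_user=0
    saw_group=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}          # drop comments
        set -- $line              # split into directive and arguments
        [ $# -ge 1 ] || continue
        key=$1
        val=${2:-}
        case "$key" in
            user)  saw_user=1 ;;
            group) saw_group=1 ;;
            ca|cert|key|dh)
                # assumption for this example: relative paths are resolved
                # against the directory that holds the configuration file
                case "$val" in
                    /*) path=$val ;;
                    *)  path=$confdir/$val ;;
                esac
                if [ ! -r "$path" ]; then
                    echo "missing file for '$key': $path"
                    findings=$((findings + 1))
                fi
                case "$key:$val" in
                    dh:*dh512*|dh:*dh768*|dh:*dh1024*)
                        echo "weak DH parameters: $val (use 2048 bits or more)"
                        findings=$((findings + 1)) ;;
                esac ;;
        esac
    done < "$conf"
    if [ "$saw_user" -eq 0 ] || [ "$saw_group" -eq 0 ]; then
        echo "no user/group directive: daemon keeps root privileges after startup"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# write_sample_conf <dir> weak|hardened
# Writes a constructed server.conf plus empty placeholder key files into <dir>.
write_sample_conf() {
    dir=$1
    mkdir -p "$dir/keys"
    : > "$dir/keys/ca.crt"
    : > "$dir/keys/xenvpn.crt"
    : > "$dir/keys/xenvpn.key"
    if [ "$2" = hardened ]; then
        : > "$dir/keys/dh2048.pem"
        cat > "$dir/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/xenvpn.crt
key keys/xenvpn.key
dh keys/dh2048.pem
keepalive 10 120
user nobody
group nogroup
status openvpn-status.log
verb 4
EOF
    else
        # the weak variant references dh1024.pem but never generates it
        cat > "$dir/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/xenvpn.crt
key keys/xenvpn.key
dh keys/dh1024.pem
keepalive 10 120
status openvpn-status.log
verb 4
EOF
    fi
}
```

To try it, run `write_sample_conf /tmp/vpn-demo weak; lint_openvpn_conf /tmp/vpn-demo/server.conf; echo "findings: $?"`; the weak sample yields three findings, the hardened one none. Against a real /etc/openvpn/server.conf only the first function is needed.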

You need to enable IP forwarding on your OpenVPN server, so add this line to /etc/sysctl.conf:

net.ipv4.ip_forward = 1

Activate this option by running:

/etc/init.d/procps restart

Once you have created your certificates you can start the OpenVPN server. netstat should show a listener on UDP port 1194. Also check the file /var/log/daemon.log.

/etc/init.d/openvpn start


At this moment our VPN server only checks for a valid client certificate on VPN clients. You might also want to add username/password authentication. As the Debian OpenVPN package already includes a plugin for PAM/NSSwitch, let's enable this plugin. We usually configure PAM/NSSwitch to check our corporate LDAP infrastructure for authentication/authorization. Read this section for documentation on how to connect PAM/NSSwitch to LDAP.

Edit /etc/openvpn/server.conf and add a line for the plugin:

plugin /usr/lib/openvpn/ /etc/pam.d/openvpn

Create a configuration file /etc/pam.d/openvpn:

@include common-auth
@include common-account
@include common-session

After a restart of the OpenVPN service your clients will be required to provide valid credentials. Don't forget to make sure that the OpenVPN client software will prompt the user for credentials. Add a line to the client configuration file:


If you only want to grant VPN access to members of a specific group, you can use the module pam_succeed_if. Modify /etc/pam.d/openvpn to look like this:

@include common-auth
account     required    pam_succeed_if.so user ingroup vpnusers
@include common-account
@include common-session


Of course you can create the required certificates with your existing CA. However, the Debian OpenVPN package conveniently includes a tiny CA called Easy-RSA. We'll use Easy-RSA to create a CA, our server certificate and the client certificates.

Copy the software to the desired location:

cp -a /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn

Adjust the file /etc/openvpn/easy-rsa/vars to your situation. After that you have to source this file and create your CA. You also need to build a Diffie-Hellman parameter file for the OpenVPN server.

cd /etc/openvpn/easy-rsa
. vars

Now you can build a certificate for your OpenVPN server. In our example the hostname is 'xenvpn':

./build-key-server xenvpn

For authentication you'll need a key pair per OpenVPN client. Obviously a unique client_id is required for each one.

./build-key your_client_id

Client side

The OpenVPN client configuration requires three certificate files besides the main configuration file: a CA root certificate, a client certificate and a client key file. These have to be provided by the OpenVPN server administrator (for instance by using the Easy-RSA software as described earlier in this chapter).
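The server decides whether to accept a client purely on the basis of ca.crt, so before handing out the three files produced with Easy-RSA above, it is worth confirming that the client certificate really chains to that CA and that the key file belongs to that certificate. This added example (not taken from the wiki, from Easy-RSA or from OpenVPN) does both checks with plain openssl commands. It assumes only that the openssl binary is installed; the CAs and certificates it uses are throwaway test material generated on the fly, and nothing here touches the easy-rsa keys directory.

```shell
#!/bin/sh
# Added example, not from the original wiki page: verify that a client
# certificate chains to the CA the OpenVPN server trusts, and that the
# private key handed out with it actually matches that certificate.

# make_test_ca <dir> <name>
# Self-signed test CA: <dir>/<name>.crt and <dir>/<name>.key (constructed material).
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# issue_client_cert <dir> <ca-name> <client-id>
# Key plus CSR for the client, signed by the named test CA (constructed material).
issue_client_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1 &&
    openssl x509 -req -days 1 -in "$1/$3.csr" \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/$3.crt" >/dev/null 2>&1
}

# verify_client_cert <ca.crt> <client.crt>
# Returns 0 only if client.crt was issued by the CA in ca.crt; this is the same
# trust decision the server makes with its 'ca' directive.
verify_client_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches_cert <client.crt> <client.key>
# Compares the public key embedded in the certificate with the one derived
# from the private key, so a mixed-up key file is caught before distribution.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}
```

For a real deployment only the last two functions matter: `verify_client_cert /etc/openvpn/easy-rsa/keys/ca.crt keys/your_client_id.crt && key_matches_cert keys/your_client_id.crt keys/your_client_id.key` should succeed for every client bundle you hand out; a certificate issued by any other CA, even one with the same subject name, fails the first check.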


Generic cli (including Asus EeePC)

If CLI tools are sufficient for you, just install the openvpn package:

apt-get install openvpn

Use the sample openvpn.conf from /usr/share/doc to create /etc/openvpn/openvpn.conf. Fill in the correct paths and filenames of the three certificate files and add the line below so that you are prompted for your credentials on startup:


Ubuntu GUI

An easy-to-use graphical client (needs sudo permissions) is available as a plug-in. After:

sudo apt-get install network-manager-openvpn

the VPN can be configured and enabled through the regular network configuration; use the network icon in the taskbar.

Mac OS X

Download and install Tunnelblick, the OpenVPN GUI for OSX at and follow the installation instructions.

Afterwards move your client certificate, private key and the public CA certificate to the directory /Users/your_username/Library/openvpn.

In the same directory create an 'openvpn.conf' file with content like this:

dev tun
proto udp
remote fqdn_your_openvpn_server 1194
resolv-retry infinite
ca ca.crt
cert client.crt
key client.key
verb 3

MS-Win 2000/XP

Download and install the OpenVPN GUI for windows at and follow the installation instructions.

hannibal/openvpn.txt · Last modified: 2011/02/25 23:32 by Luc Nieland