OpenVPN notes

From Noah.org
Jump to: navigation, search


general client setup

Put all of the user's config files in ~/.openvpn. Note that each user will have their own client.key and client.crt files. The client.conf file will need to be slightly updated for each user.

  • client.conf
  • ca.crt
  • client.crt
  • client.key
  • openvpn-dns-config.sh

client.conf

Note that you will have to edit ~/.openvpn/client.conf to set the full path your the ca.crt, client.crt, and client.key files. OpenVPN does not expand '~' notation in paths to the user's home directory. Otherwise all users could have the exact same client.conf file. The only difference would be the paths to ca, cert, and key and path to the external script for 'up' and 'down' events. This seems like a stupid oversight that complicates the config process. Perhaps there is some other idiom to handle this problem. Find the following lines in client.conf and replace USERNAME with the username in question:

ca /home/USERNAME/.openvpn/ca.crt
cert /home/USERNAME/.openvpn/client.crt
key /home/USERNAME/.openvpn/client.key

You will also want to add up and down hooks in your ~/.openvpn/client.conf for this script, openvpn-dns-config.sh. You can drop this script in ~/.openvpn. This will allow OpenVPN to automatically update your /etc/resolv.conf with the DNS server on the remote side of the VPN. Note that this script was originally written for OSX, but it works fine without changes on Ubuntu Linux. These are the lines you will want to add to ~/.openvpn/client.conf to support automatic DNS config:

up "/home/USERNAME/.openvpn/openvpn-dns-config.sh up"
down "/home/USERNAME/.openvpn/openvpn-dns-config.sh down"

VPN startup and shutdown

Add these alias to your .bash_aliases file or wherever you keep them:

alias vpnup='sudo /usr/sbin/openvpn --script-security 2 --config ~/.openvpn/client.conf --writepid ~/.openvpn/openvpn.pid --daemon'
alias vpndown='sudo kill -INT `cat ~/.openvpn/openvpn.pid`'

Older versions of OpenVPN might not like the "--script-security" option. Remove that if your version does not support script-security.

Remove the password from an OpenVPN key

The user's client.key generated by `openvpn --genkey` is an OpenSSL RSA key. You can use `openssl` commands on the key. This will overwrite the existing user.key file:

openssl rsa -in client.key -out client.key

ERROR: "Cannot load certificate file" or "Cannot load private key file" or "Cannot load CA certificate file"

This error is most likely due to using '~' in paths in your client.conf config file. Openvpn does not expand ~ to user home directories. You would see an error like this when you try to start openvpn:

Wed Oct 29 12:56:05 2008 Cannot load certificate file ~/.openvpn/client.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Wed Oct 29 12:56:05 2008 Exiting

ERROR: "script failed: could not execute external program"

This error is most likely due to using '~' in paths in your client.conf config file. Openvpn does not expand ~ to user home directories. You would see an error like this when you try to start openvpn:

Wed Oct 29 12:32:09 2008 ~/.openvpn/openvpn-dns-config.sh up tun0 1500 1542 10.2.16.234 10.2.16.233 init
Wed Oct 29 12:32:09 2008 script failed: could not execute external program
Wed Oct 29 12:32:09 2008 Exiting