Amanokami Kai


Tutorial: Setting up OpenVPN


I'm sure there are many tutorials of these on the internet, but either I couldn't get them to work, or I had to disregard some portion of the instructions. Also I had absolutely no guidance for how to connect to the VPN from NetworkManager, so this tutorial will cover that as well.

What this tutorial will cover:

  • How to set up an OpenVPN server on a Debian-based machine at home (In reality I use a Raspberry Pi with Raspbian)
  • How to connect to the OpenVPN server from NetworkManager (Desktop) and OpenVPN Connect (Android/iOS)
  • How to port forward from your (commercial) wireless router at home to your server at home

What this tutorial will not cover:

  • Why OpenVPN?
  • Why VPN?
  • How to use all of OpenVPN's features

How to set up OpenVPN

Our VPN will use the standard port 1194 with UDP, will have LZO compression, AES-128-CBC cipherm, HMAC Authentication, TLS Authentication to prevent DoSes, and will be certificate-based.

Router setup

  1. Get the internal IP address of your server (either sudo ifconfig from the server or look at the client list from the router setup page)
  2. Get the internal IP address of your router (you used it to get to the setup page)
  3. Get your external IP address (
  4. Go to port forwarding and forward port 1194 with UDP to the internal IP address of your server (feel free to change the port and protocol, just remember to put it in the server and client config files later)

Server-side setup

  1. Install OpenVPN
              $ sudo apt-get install openvpn
  1. Create keys and load scripts (might as well be superuser so that you don't need sudo for every line)
              $ sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/easy-rsa
              $ cd /etc/openvpn/easy-rsa
              $ su
              # ./source vars
  1. Build CA certificate
              # ./build ca
  1. Build Server key pair. The Common Name must be equal to server_name. Challenge password must remain blank and the certificate must be signed.
              # ./build-key-server server_name
  1. Build Client key pair. The Common Name must be equal to client_name. A PEM pass phrase that the user will remember must be set. Challenge password must remain blank and the certificate must be signed. Repeat this step for multiple clients.
              # ./build-key-pass client_name
  1. If the client key pair generated in the last step is for an Android/iOS device, then the keys must be encrypted. Repeat this step if necessary for multiple clients.
              # openssl rsa -in keys/client_name.key -des3 -out keys/client_name.des3.key
  1. Build the Diffie-Hellman keys
              # ./build-dh
  1. Create the HMAC keys
              # openvpn --genkey --secret keys/ta.key
  1. Edit or create /etc/openvpn/server.conf
              local ## Internal IP address of your OpenVPN Server
              dev tun 
              proto udp ## Change this to tcp if you want
              port 1194 ## Change this port if you want
              ca /etc/openvpn/easy-rsa/keys/ca.crt 
              cert /etc/openvpn/easy-rsa/keys/server_name.crt ## Change server_name to your server name
              key /etc/openvpn/easy-rsa/keys/server_name.key ## Change server_name to your server name
              dh /etc/openvpn/easy-rsa/keys/dh1024.pem
              # server and remote endpoints 
              # Add route to Client routing table for the OpenVPN Server 
              push "route" 
              # Add route to Client routing table for the OpenVPN Subnet 
              push "route" 
              # your local subnet 
              push "route" ## The first IP address should be the internal IP address of your OpenVPN Server
              # Set primary domain name server address to the SOHO Router 
              # If your router does not do DNS, you can use Google DNS 
              push "dhcp-option DNS" ## This IP should be the internal IP address of your router
              # Override the Client default gateway by using and 
              # rather than This has the benefit of 
              # overriding but not wiping out the original default gateway. 
              push "redirect-gateway def1" 
              keepalive 10 120 
              tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 
              cipher AES-128-CBC 
              user nobody 
              group nogroup 
              status /var/log/openvpn-status.log 20 
              log /var/log/openvpn.log 
              verb 1

Follow the instructions that begin with ##. Basic IP knowledge is expected.

  1. Enable IP forwarding. Open /etc/sysctl.conf and uncomment
              net.ipv4.ip_forward = 1

then apply the change with

              # sysctl -p
  1. Not sure if this step is necessary, but it looks like it opens up port 1194 with UDP. Change udp and 1194 if necessary.
              # iptables -I INPUT -p udp -m udp --dport 1194 -j ACCEPT

To allow another client to use the proxy, just repeat step 5 and if necessary, 6.

Client-side (NetworkManager)

  1. Copy client_name.crt, client_name.key, ca.crt, and ta.key from the server at /etc/openvpn/easy-rsa/keys. The copy must be done by scp or by offline methods, otherwise your key will become only as strong as the email service you wanted to use to send the keys. It may be a good idea to delete the keys from the server once you put them in your client.
  2. sudo apt-get install openvpn (or whatever your distro requires)
  3. Open NetworkManager
  4. Fill in the fields:
    • Connection name: Whatever you want.
    • General: Leave as is
    • VPN:
      • Gateway: External IP address or hostname of your server
      • Type: Certificates (TLS)
      • User Certificate: client_name.crt
      • CA Certificate: ca.crt
      • Private Key: client_name.key
      • Private Key Password: Pass phrase entered during the server-side setup
      • Advanced
        • General
          • Check "Use LZO data compression"
          • If you changed the port, check "Use custom gateway port" and input the port number
          • If you decided to use TCP, check "Use a TCP connection"
        • Security
          • Cipher: AES-128-CBC
          • HMAC Authentication: Default
        • TLS Authentication
          • Check "Use additional TLS authentication"
          • Key file: ta.key
          • Key direction: 1
    • IPV4 and IPv6 Settings: Leave as is

Client-side (Android/iOS)

  1. On a computer, follow step 1 of Client-side with NetworkManager, except copy client_name.3des.key instead of client_name.key.
  2. Create a new file and call it client_name.ovpn (changing client_name as appropriate)
  3. Input (= copy and paste) the following into client_name.ovpn, replacing hostname with your hostname or external IP, and following the instructions for pasting the certificates and keys.
              dev tun
              proto udp
              remote hostname 1194
              resolv-retry infinite
              ns-cert-type server
              key-direction 1
              cipher AES-128-CBC
              verb 1
              mute 20
              -----BEGIN CERTIFICATE-----
              <paste contents of ca.crt here>
              -----END CERTIFICATE-----
              -----BEGIN CERTIFICATE-----
              <paste contents of client_name.crt here>
              -----END CERTIFICATE-----
              -----BEGIN RSA PRIVATE KEY-----
              <paste contents of client_name.3des.key here>
              -----END RSA PRIVATE KEY-----
              -----BEGIN OpenVPN Static key V1-----
              <paste contents of ta.key here>
              -----END OpenVPN Static key V1-----

Don't forget to save!

  1. Install the OpenVPN Connect app on your Android/iOS
  2. Copy the client_name.ovpn file to the device and open it with the OpenVPN Connect app and connect to the VPN!


Hopefully that helps make setting up OpenVPN easier. I had the worst time trying to figure out how to get NetworkManager to work with it. I think the firewall rules might pose a problem as well. Hopefully this is more straightforward than the other tutorials out there.


2016-03-10 Paul Elder


comments powered by Disqus