This recipe will demonstrate how to set up a connection in the client or server mode using certificates.
Install OpenVPN 2.3.9 or higher on two computers. Make sure the computers are connected over a network. Set up the client and server certificates using the previous recipe. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.9 and the client was running Fedora 22 Linux and OpenVPN 2.3.10.
Create the server configuration file:
proto udp
port 1194
dev tun
server 10.200.0.0 255.255.255.0
ca /etc/openvpn/cookbook/ca.crt
cert /etc/openvpn/cookbook/server.crt
key /etc/openvpn/cookbook/server.key
dh /etc/openvpn/cookbook/dh2048.pem
Then save it as example2-2-server.conf.
Copy the certificate and key files from the /etc/openvpn/cookbook/keys directory:
[server]$ cd /etc/openvpn/cookbook
[server]$ cp keys/ca.crt ca.crt
[server]$ cp keys/openvpnserver.crt server.crt
[server]$ cp keys/openvpnserver.key server.key
[server]$ cp keys/dh2048.pem dh2048.pem
Start the server:
[root@server]# openvpn --config example2-2-server.conf
Next, create the client configuration file:
client
proto udp
remote openvpnserver.example.com
port 1194
dev tun
nobind
ca /etc/openvpn/cookbook/ca.crt
cert /etc/openvpn/cookbook/client1.crt
key /etc/openvpn/cookbook/client1.key
Then save it as example2-2-client.conf.
Copy the files ca.crt, client1.crt, and client1.key to the client machine using a secure channel; for example, using the scp command. Then start the client:
[root@client]# openvpn --config example2-2-client.conf
[...]
[openvpnserver] Peer Connection Initiated with openvpnserver:1194
TUN/TAP device tun0 opened
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 local 10.200.0.6 peer 10.200.0.5
Initialization Sequence Completed
After the connection is established, we can verify that it is working by pinging the server (notice the IP address):
[client]$ ping -c 2 10.200.0.1
PING 10.200.0.1 (10.200.0.1) 56(84) bytes of data.
64 bytes from 10.200.0.1: icmp_seq=1 ttl=64 time=30.6 ms
64 bytes from 10.200.0.1: icmp_seq=2 ttl=64 time=30.7 ms
When the server starts, it configures the first available TUN interface with the IP address 10.200.0.1 and with a fake remote address of 10.200.0.2. After that, the server listens on the UDP port 1194 for incoming connections.
The client connects to the server on this port. After the initial TLS handshake, using both the client and server certificates, the client is assigned the IP address 10.200.0.6 (or rather the mini-network 10.200.0.4 - 10.200.0.7). The client configures its first available TUN interface using this information, after which the VPN is established.
After the connection is established, you can query the tun0 interface like this:
[client]$ /sbin/ifconfig tun0 | grep inet
Then, look for the following:
inet addr:10.200.0.6 P-t-P:10.200.0.5
The IP address 10.200.0.5 is a placeholder address and can never be reached. Starting with OpenVPN 2.1, it has also become possible to assign linear addresses to the clients, which allows you to have more clients in the same range of IP addresses. This will be explained in the next recipe.
The first address is the VPN client address from a /30 subnet, and the second address is the fake remote endpoint address. Each /30 subnet has to start at a multiple of four, and the VPN client IP address is at the starting address plus two:
10.200.0.[0-3], the VPN IP is 10.200.0.1. Normally, this block is for the OpenVPN server itself.
10.200.0.[4-7], the client IP is 10.200.0.6. Normally, this block is for the first client to connect.
10.200.0.[8-11], [12-15], [16-19], and so on are used for consecutive clients.
Because of the /30 subnet for each address, this topology mode is known as net30. It is still the default topology mode, but this will change in the near future.
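As an added example that is not part of this recipe, the following Python code applies the net30 rules just described: it computes the /30 block, VPN address and fake remote endpoint for any block index in the server subnet, and checks that an "inet addr ... P-t-P" line from ifconfig output is consistent with that layout. The function names and the server subnet 10.200.0.0/24 are assumptions taken from the configuration above.

```python
import ipaddress
import re

# Added example, not part of the recipe: apply the net30 rules described above.
# Block i of the server subnet starts at network + 4*i. Block 0 belongs to the
# server (VPN IP = start + 1, fake remote = start + 2); every other block belongs
# to one client (VPN IP = start + 2, fake remote endpoint = start + 1).

def net30_block(server_net, index):
    """Return (block, vpn_ip, peer_ip) for the index-th /30 block of server_net."""
    net = ipaddress.ip_network(server_net, strict=True)
    if index < 0:
        raise ValueError("block index must not be negative")
    start = net.network_address + 4 * index
    block = ipaddress.ip_network((int(start), 30))
    if not block.subnet_of(net):
        raise ValueError("block %d lies outside %s" % (index, net))
    if index == 0:
        return block, start + 1, start + 2   # the server's own block
    return block, start + 2, start + 1       # a client block

_INET_RE = re.compile(r"inet addr:(\S+)\s+P-t-P:(\S+)")

def check_net30_assignment(ifconfig_line, server_net):
    """Parse 'inet addr:A P-t-P:B' from ifconfig output and verify that A and B
    form a valid net30 client pair inside server_net. Returns the block index."""
    m = _INET_RE.search(ifconfig_line)
    if m is None:
        raise ValueError("no 'inet addr ... P-t-P' pair in the ifconfig line")
    local = ipaddress.ip_address(m.group(1))
    peer = ipaddress.ip_address(m.group(2))
    net = ipaddress.ip_network(server_net, strict=True)
    if local not in net or peer not in net:
        raise ValueError("addresses are not inside the VPN subnet %s" % net)
    offset = int(local) - int(net.network_address)
    if offset % 4 != 2:
        raise ValueError("client VPN address must be block start + 2")
    if int(peer) != int(local) - 1:
        raise ValueError("fake remote endpoint must be block start + 1")
    index = offset // 4
    if index == 0:
        raise ValueError("block 0 is reserved for the server")
    return index

if __name__ == "__main__":
    # Constructed sample input: the values used in the recipe above.
    for i in range(3):
        blk, vpn_ip, peer = net30_block("10.200.0.0/24", i)
        print("block %d: %-16s vpn %-12s peer %s" % (i, blk, vpn_ip, peer))
    print("client index:", check_net30_assignment(
        "inet addr:10.200.0.6 P-t-P:10.200.0.5", "10.200.0.0/24"))
```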