OpenVPN: Instalasi di Ubuntu 16.04
Sumber: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
Ingin mengakses Internet dengan aman dari smartphone atau laptop anda ketika terhubung ke jaringan tidak bisa dipercaya seperti WiFi dari hotel atau cafe? Virtual Private Network (VPN) memungkinkan Anda untuk melintasi jaringan yang tidak bisa dipercaya secara private dan aman seolah-olah Anda berada di jaringan private. Lalu lintas muncul dari server VPN dan melanjutkan perjalanannya ke tujuan.
Ketika dikombinasikan dengan sambungan HTTPS, pengaturan ini memungkinkan anda untuk mengamankan login dan transaksi wireless anda. Anda dapat menghindari pembatasan geografis dan penyensoran, dan melindungi lokasi anda dan lalu lintas HTTP yang tidak terenkripsi dari jaringan yang tidak dipercaya.
OpenVPN adalah solusi VPN Secure Socket Layer (SSL) open source dengan fitur lengkap yang mengakomodasi berbagai konfigurasi. Dalam tutorial ini, kami akan menyiapkan server OpenVPN pada Droplet dan kemudian mengonfigurasi aksesnya dari Windows, OS X, iOS dan Android. Tutorial ini berusaha agar proses instalasi dan langkah-langkah konfigurasi dijaga sesederhana mungkin.
Persyaratan
Untuk bisa menyelesaikan tutorial ini, anda membutuhkan
- Ubuntu 16.04 server
- bisa akses root (sudo) dari non-root user
Step 1: Install OpenVPN
Instalasi aplikasi yang dibutuhkan
sudo su apt update apt -y install openvpn easy-rsa
paket easy-rsa dibutuhkan untuk membantu kita dalam men-setup internal CA (certificate authority)
Step 2: Set Up CA Directory
OpenVPN adalah VPN TLS / SSL. Ini berarti bahwa ia menggunakan sertifikat untuk mengenkripsi lalu lintas antara server dan klien. Untuk mengeluarkan sertifikat tepercaya, kita perlu menyiapkan otoritas sertifikat / certificate authority (CA) sendiri yang sederhana.
Untuk itu, kita copy template directory easy-rsa ke home directory dengan perintah make-cadir
make-cadir ~/openvpn-ca
Pindah ke directory CA tersebut untuk memulai konfigurasi CA
cd ~/openvpn-ca
Step 3: Konfigurasi variabel CA
Untuk mengkonfigurasi nilai CA, kita perlu mengedit file
cd ~/openvpn-ca nano vars
Minimal yang perlu di edit adalah variabel yang berada di bagian agak bawah file tersebut, sebagai berikut,
. . . export KEY_COUNTRY="US" export KEY_PROVINCE="CA" export KEY_CITY="SanFrancisco" export KEY_ORG="Fort-Funston" export KEY_EMAIL="me@myhost.mydomain" export KEY_OU="MyOrganizationalUnit" . . .
Edit sesuai dengan nilai yang anda sukai, jangan di kosongkan, misalnya,
. . . export KEY_COUNTRY="ID" export KEY_PROVINCE="DKI" export KEY_CITY="Jakarta" export KEY_ORG="CobaSaja" export KEY_EMAIL="admin@cobasaja.com" export KEY_OU="Riset" . . .
Di bagian bawah parameter di atas, kita juga dapat mengedit nilai KEY_NAME, yang akan mengisi field subject. Untuk membuat sederhana, kita dapat saja menyebutnya "server".
export KEY_NAME="server"
Jika kita selesai, save dan tutup file.
Step 4: Build Certificate Authority
Sekarang, kita dapat menggunakan variabel yang telah kita tetapkan dan utilitas easy-rsa untuk membangun Certificate Authority (CA). Pastikan anda berada di directory CA, dan coba melihat isi file vars yang sudah kita edit,
cd ~/openvpn-ca source ./vars
Sampai keluar kata2
NOTE: If you run ./clean-all, I will be doing a rm -rf on /root/openvpn-ca/keys
Jalankan
cd ~/openvpn-ca ./clean-all
Setelah lingkungan bersih, kita dapat membuat root CA dengan menulis
cd ~/openvpn-ca ./build-ca
Pada dasarnya kita cukup meng-ENTER semua varibel, sebagai berikut,
Generating a 2048 bit RSA private key .............................+++ .....................................................................+++ writing new private key to 'ca.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [ID]: State or Province Name (full name) [DKI]: Locality Name (eg, city) [Jakarta]: Organization Name (eg, company) [CobaSaja]: Organizational Unit Name (eg, section) [Riset]: Common Name (eg, your name or your server's hostname) [CobaSaja CA]: Name [server]: Email Address [admin@cobasaja.com]:
CA sekarang sudah dibuat. Selanjutnya kita perlu membuat berbagai file lainnya yang dibutuhkan.
Step 5: Membuat Server Certificate, Key, dan Encryption File
Selanjutnya, kita perlu membuat certificate server dan pasangan key, maupun berbagai file yang digunakan saat proses enkripsi.
Jika anda menggunakan nama server lain, selain "server". Maka kita perlu memodifikasi /etc/openvpn/server.conf . Juga arah ke file .crt dan .key. Jika kita menggunakan nama "server, maka dapat menggunakan perintah berikut,
cd ~/openvpn-ca/ ./build-key-server server
Hasilnya kira-kira,
Generating a 2048 bit RSA private key ........................+++ ......+++ writing new private key to 'server.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [ID]: State or Province Name (full name) [DKI]: Locality Name (eg, city) [Jakarta]: Organization Name (eg, company) [CobaSaja]: Organizational Unit Name (eg, section) [Riset]: Common Name (eg, your name or your server's hostname) [server]: Name [server]: Email Address [admin@cobasaja.com]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:123456 An optional company name []:CobaSaja.com
Masukan password & company name yang anda suka / inginkan, output akan berlanjut sebagai berikut,
Using configuration from /root/openvpn-ca/openssl-1.0.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'ID' stateOrProvinceName :PRINTABLE:'DKI' localityName :PRINTABLE:'Jakarta' organizationName :PRINTABLE:'CobaSaja' organizationalUnitName:PRINTABLE:'Riset' commonName :PRINTABLE:'server' name :PRINTABLE:'server' emailAddress :IA5STRING:'admin@cobasaja.com' Certificate is to be certified until Jun 21 02:42:33 2028 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y
Tekan "y" untuk menanda tangani sertifikat, hasilnya adalah
Write out database with 1 new entries Data Base Updated
Selanjutnya, kita akan membuat beberapa file lainnya. Kita akan men-generate key Diffie-Hellman yang kuat untuk digunakan saat exchange key dengan menuliskan perintah,
./build-dh
Ini akan membutuhkan beberapa waktu untuk selesai. Selanjutnya, kita men-generate HMAC signature untuk menguatkan kemampuan server dalam TLS integrity verification, melalui perintah:
openvpn --genkey --secret keys/ta.key
Step 6: Generate Client Certificate & Key Pair
Selanjutnya, kita dapat men-generate sertifikat client dan pasangan kunci. Meskipun ini dapat dilakukan pada mesin klien dan kemudian ditandatangani oleh server / CA untuk tujuan keamanan, untuk panduan ini kita akan men-generate kunci yang ditandatangani langsung di server supaya lebih sederhana saja. Pada prakteknya, sebetulnya proses ini sebaiknya dilakukan di client.
Kita akan membuat satu (sebuah) kunci / sertifikat klien untuk panduan ini, tetapi jika anda memiliki lebih dari satu client, anda dapat mengulangi proses ini sebanyak yang anda mau. Berikan nilai unik pada skrip untuk setiap client.
Karena anda dapat kembali ke langkah ini di lain waktu, kami akan men-source ulang file vars. Kita akan menggunakan client1 sebagai nilai untuk sertifikat / pasangan kunci pertama kita untuk panduan ini.
Untuk menghasilkan kredensial tanpa password, untuk membantu dalam koneksi otomatis, gunakan perintah build-key seperti ini:
cd ~/openvpn-ca source vars ./build-key client1
Jika sebaliknya, anda ingin membuat kredensial yang dilindungi password, gunakan perintah build-key-pass:
cd ~/openvpn-ca source vars ./build-key-pass client1
Sekali lagi, default seharusnya sudah terisi, jadi anda cukup menekan ENTER untuk melanjutkan. Tinggalkan pasword kosong dan pastikan untuk memasukkan y untuk petunjuk yang menanyakan apakah akan menandatangani dan komit sertifikat.
Step 7: Konfigurasi OpenVPN Service
Selanjutnya, kita dapat mulai mengkonfigurasi layanan OpenVPN menggunakan kredensial dan file yang telah kita buat.
Copy File ke Direktori OpenVPN
Untuk memulai, kita perlu mengcopy file yang kita butuhkan ke direktori konfigurasi /etc/openvpn.
Kita bisa mulai dengan semua file yang baru kita buat. File tersebut ditempatkan di dalam direktori ~/openvpn-ca/keys saat dibuat. Kita perlu memindahkan sertifikat CA, sertifikat dan key server, tanda tangan digital HMAC, dan file Diffie-Hellman:
cd ~/openvpn-ca/keys sudo cp ca.crt server.crt server.key ta.key dh2048.pem /etc/openvpn
Selanjutnya, kita perlu mengcopy dan unzip file konfigurasi OpenVPN contoh ke dalam direktori konfigurasi sehingga kita dapat menggunakannya sebagai dasar untuk setup:
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf
Atur Konfigurasi OpenVPN
Setelah file kita di tempat yang benar, kiita dapat memodifikasi file konfigurasi server:
sudo nano /etc/openvpn/server.conf
Basic Configuration
Pertama, temukan bagian HMAC dengan mencari petunjuk tls-auth. Hapus ";" untuk menghapus tanda komentar pada baris tls-auth. Di bawah ini, tambahkan parameter key-direction dan set "0": /etc/openvpn/server.conf
tls-auth ta.key 0 # This file is secret key-direction 0
Selanjutnya, temukan bagian pada cipher cryptographic dengan mencari baris cipher yang dikomentari. Cipher AES-128-CBC menawarkan tingkat enkripsi yang baik dan didukung dengan baik. Hapus ";" untuk menghapus tanda komentar pada cipher AES-128-CBC line: /etc/openvpn/server.conf
cipher AES-128-CBC
Di bawah ini, tambahkan baris auth untuk memilih algoritma message digest HMAC. Untuk ini, SHA256 adalah pilihan yang baik: /etc/openvpn/server.conf
auth SHA256
Akhirnya, temukan pengaturan user dan grup dan hapus ";" pada awal untuk menghapus tanda komentar baris-baris itu: /etc/openvpn/server.conf
user nobody group nogroup
(Optional) Paksa perubahan DNS untuk Redirect semua Traffic melalui VPN
Pengaturan di atas akan membuat koneksi VPN antara dua mesin, tetapi tidak akan memaksa koneksi apa pun untuk menggunakan tunnel. Jika anda ingin menggunakan VPN untuk mengarahkan semua lalu lintas anda, anda mungkin ingin memaksa pengaturan DNS ke komputer klien.
Anda dapat melakukan ini, menghilangkan komentar beberapa arahan yang akan mengkonfigurasi mesin klien untuk mengalihkan semua lalu lintas web melalui VPN. Temukan bagian redirect-gateway dan hapus titik koma ";" dari awal kalimat redirect-gateway: /etc/openvpn/server.conf
push "redirect-gateway def1 bypass-dhcp"
Tepat di bawah ini, temukan bagian dhcp-option. Sekali lagi, hapus ";" dari depan kedua baris untuk menghilangkan komentar: /etc/openvpn/server.conf
push "dhcp-option DNS 208.67.222.222" push "dhcp-option DNS 208.67.220.220"
Ini harus membantu klien dalam konfigurasi ulang pengaturan DNS mereka untuk menggunakan tunnel VPN sebagai gateway default. Pastikan IP address DNS adalah IP address yang dilalukan oleh melalui VPN.
(Optional) Atur Port dan Protocol
Secara default, server OpenVPN menggunakan port 1194 dan protokol UDP untuk menerima koneksi klien. Jika Anda perlu menggunakan port yang berbeda karena lingkungan jaringan yang terbatas di mana klien Anda mungkin berada, Anda dapat mengubah opsi port. Jika anda tidak menghosting konten web server OpenVPN anda, port 443 adalah pilihan populer karena ini biasanya diizinkan melalui aturan firewall. /etc/openvpn/server.conf
# Optional! port 443
Seringkali protokol yang menggunakan port tersebut di batasi juga. Jika demikian, ubah proto dari UDP ke TCP: /etc/openvpn/server.conf
# Optional! proto tcp
Jika anda tidak perlu menggunakan port yang berbeda, sebaiknya biarkan kedua pengaturan ini sebagai default.
(Optional) Penggunaan Kredensial Non-Default
Jika anda memilih nama yang berbeda selama ./build-key-server command sebelumnya, ubah cert dan key lines yang anda lihat untuk menunjuk ke file .crt dan .key yang sesuai. Jika anda menggunakan server default, ini harus sudah diatur dengan benar: /etc/openvpn/server.conf
cert server.crt key server.key
Setelah selesai, simpan dan tutup file.
Step 8: Mengatur Konfigurasi Network Server
Next, we need to adjust some aspects of the server's networking so that OpenVPN can correctly route traffic.
Allow IP Forwarding
First, we need to allow the server to forward traffic. This is fairly essential to the functionality we want our VPN server to provide.
We can adjust this setting by modifying the /etc/sysctl.conf file:
sudo nano /etc/sysctl.conf
Inside, look for the line that sets net.ipv4.ip_forward. Remove the "#" character from the beginning of the line to uncomment that setting: /etc/sysctl.conf
net.ipv4.ip_forward=1
Save and close the file when you are finished.
To read the file and adjust the values for the current session, type:
sudo sysctl -p
Adjust the UFW Rules to Masquerade Client Connections
If you followed the Ubuntu 16.04 initial server setup guide in the prerequisites, you should have the UFW firewall in place. Regardless of whether you use the firewall to block unwanted traffic (which you almost always should do), we need the firewall in this guide to manipulate some of the traffic coming into the server. We need to modify the rules file to set up masquerading, an iptables concept that provides on-the-fly dynamic NAT to correctly route client connections.
Before we open the firewall configuration file to add masquerading, we need to find the public network interface of our machine. To do this, type:
ip route | grep default
Your public interface should follow the word "dev". For example, this result shows the interface named wlp11s0, which is highlighted below:
Output
default via 203.0.113.1 dev wlp11s0 proto static metric 600
When you have the interface associated with your default route, open the /etc/ufw/before.rules file to add the relevant configuration:
sudo nano /etc/ufw/before.rules
This file handles configuration that should be put into place before the conventional UFW rules are loaded. Towards the top of the file, add the highlighted lines below. This will set the default policy for the POSTROUTING chain in the nat table and masquerade any traffic coming from the VPN:
Note: Remember to replace wlp11s0 in the -A POSTROUTING line below with the interface you found in the above command. /etc/ufw/before.rules
# # rules.before # # Rules that should be run before the ufw command line added rules. Custom # rules should be added to one of these chains: # ufw-before-input # ufw-before-output # ufw-before-forward # # START OPENVPN RULES # NAT table rules *nat :POSTROUTING ACCEPT [0:0] # Allow traffic from OpenVPN client to wlp11s0 (change to the interface you discovered!) -A POSTROUTING -s 10.8.0.0/8 -o wlp11s0 -j MASQUERADE COMMIT # END OPENVPN RULES # Don't delete these required lines, otherwise there will be errors *filter . . .
Save and close the file when you are finished.
We need to tell UFW to allow forwarded packets by default as well. To do this, we will open the /etc/default/ufw file:
sudo nano /etc/default/ufw
Inside, find the DEFAULT_FORWARD_POLICY directive. We will change the value from DROP to ACCEPT: /etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"
Save and close the file when you are finished.
Open the OpenVPN Port and Enable the Changes
Next, we'll adjust the firewall itself to allow traffic to OpenVPN.
If you did not change the port and protocol in the /etc/openvpn/server.conf file, you will need to open up UDP traffic to port 1194. If you modified the port and/or protocol, substitute the values you selected here.
We'll also add the SSH port in case you forgot to add it when following the prerequisite tutorial:
sudo ufw allow 1194/udp sudo ufw allow OpenSSH
Now, we can disable and re-enable UFW to load the changes from all of the files we've modified:
sudo ufw disable sudo ufw enable
Our server is now configured to correctly handle OpenVPN traffic.
Step 9: Start and Enable the OpenVPN Service
We're finally ready to start the OpenVPN service on our server. We can do this using systemd.
We need to start the OpenVPN server by specifying our configuration file name as an instance variable after the systemd unit file name. Our configuration file for our server is called /etc/openvpn/server.conf, so we will add @server to end of our unit file when calling it:
sudo systemctl start openvpn@server
Double-check that the service has started successfully by typing:
sudo systemctl status openvpn@server
If everything went well, your output should look something that looks like this:
Output
● openvpn@server.service - OpenVPN connection to server
Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; vendor preset: enabled)
Active: active (running) since Tue 2016-05-03 15:30:05 EDT; 47s ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Process: 5852 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid (code=exited, sta
Main PID: 5856 (openvpn)
Tasks: 1 (limit: 512)
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
└─5856 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn /server.conf --writepid /run/openvpn/server.pid
May 03 15:30:05 openvpn2 ovpn-server[5856]: /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
May 03 15:30:05 openvpn2 ovpn-server[5856]: /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
May 03 15:30:05 openvpn2 ovpn-server[5856]: GID set to nogroup
May 03 15:30:05 openvpn2 ovpn-server[5856]: UID set to nobody
May 03 15:30:05 openvpn2 ovpn-server[5856]: UDPv4 link local (bound): [undef]
May 03 15:30:05 openvpn2 ovpn-server[5856]: UDPv4 link remote: [undef]
May 03 15:30:05 openvpn2 ovpn-server[5856]: MULTI: multi_init called, r=256 v=256
May 03 15:30:05 openvpn2 ovpn-server[5856]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
May 03 15:30:05 openvpn2 ovpn-server[5856]: IFCONFIG POOL LIST
May 03 15:30:05 openvpn2 ovpn-server[5856]: Initialization Sequence Completed
You can also check that the OpenVPN tun0 interface is available by typing:
ip addr show tun0
You should see a configured interface:
Output
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
valid_lft forever preferred_lft forever
If everything went well, enable the service so that it starts automatically at boot:
sudo systemctl enable openvpn@server
Step 10: Create Client Configuration Infrastructure
Next, we need to set up a system that will allow us to create client configuration files easily. Creating the Client Config Directory Structure
Create a directory structure within your home directory to store the files:
mkdir -p ~/client-configs/files
Since our client configuration files will have the client keys embedded, we should lock down permissions on our inner directory:
chmod 700 ~/client-configs/files
Creating a Base Configuration
Next, let's copy an example client configuration into our directory to use as our base configuration:
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
Open this new file in your text editor:
nano ~/client-configs/base.conf
Inside, we need to make a few adjustments.
First, locate the remote directive. This points the client to our OpenVPN server address. This should be the public IP address of your OpenVPN server. If you changed the port that the OpenVPN server is listening on, change 1194 to the port you selected: ~/client-configs/base.conf
. . . # The hostname/IP and port of the server. # You can have multiple remote entries # to load balance between the servers. remote server_IP_address 1194 . . .
Be sure that the protocol matches the value you are using in the server configuration: ~/client-configs/base.conf
proto udp
Next, uncomment the user and group directives by removing the ";": ~/client-configs/base.conf
# Downgrade privileges after initialization (non-Windows only) user nobody group nogroup
Find the directives that set the ca, cert, and key. Comment out these directives since we will be adding the certs and keys within the file itself: ~/client-configs/base.conf
# SSL/TLS parms. # See the server config file for more # description. It's best to use # a separate .crt/.key file pair # for each client. A single ca # file can be used for all clients. #ca ca.crt #cert client.crt #key client.key
Mirror the cipher and auth settings that we set in the /etc/openvpn/server.conf file: ~/client-configs/base.conf
cipher AES-128-CBC auth SHA256
Next, add the key-direction directive somewhere in the file. This must be set to "1" to work with the server: ~/client-configs/base.conf
key-direction 1
Finally, add a few commented out lines. We want to include these with every config, but should only enable them for Linux clients that ship with a /etc/openvpn/update-resolv-conf file. This script uses the resolvconf utility to update DNS information for Linux clients. ~/client-configs/base.conf
# script-security 2 # up /etc/openvpn/update-resolv-conf # down /etc/openvpn/update-resolv-conf
If your client is running Linux and has an /etc/openvpn/update-resolv-conf file, you should uncomment these lines from the generated OpenVPN client configuration file.
Save the file when you are finished.
Creating a Configuration Generation Script
Next, we will create a simple script to compile our base configuration with the relevant certificate, key, and encryption files. This will place the generated configuration in the ~/client-configs/files directory.
Create and open a file called make_config.sh within the ~/client-configs directory:
nano ~/client-configs/make_config.sh
Inside, paste the following script: ~/client-configs/make_config.sh
#!/bin/bash
# First argument: Client identifier
KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf
cat ${BASE_CONFIG} \
<(echo -e '<ca>') \
${KEY_DIR}/ca.crt \
<(echo -e '</ca>\n<cert>') \
${KEY_DIR}/${1}.crt \
<(echo -e '</cert>\n<key>') \
${KEY_DIR}/${1}.key \
<(echo -e '</key>\n<tls-auth>') \
${KEY_DIR}/ta.key \
<(echo -e '</tls-auth>') \
> ${OUTPUT_DIR}/${1}.ovpn
Save and close the file when you are finished.
Mark the file as executable by typing:
chmod 700 ~/client-configs/make_config.sh
Step 11: Generate Client Configurations
Now, we can easily generate client configuration files.
If you followed along with the guide, you created a client certificate and key called client1.crt and client1.key respectively by running the ./build-key client1 command in step 6. We can generate a config for these credentials by moving into our ~/client-configs directory and using the script we made:
cd ~/client-configs ./make_config.sh client1
If everything went well, we should have a client1.ovpn file in our ~/client-configs/files directory:
ls ~/client-configs/files
Output client1.ovpn
Transferring Configuration to Client Devices
We need to transfer the client configuration file to the relevant device. For instance, this could be your local computer or a mobile device.
While the exact applications used to accomplish this transfer will depend on your choice and device's operating system, you want the application to use SFTP (SSH file transfer protocol) or SCP (Secure Copy) on the backend. This will transport your client's VPN authentication files over an encrypted connection.
Here is an example SFTP command using our client1.ovpn example. This command can be run from your local computer (OS X or Linux). It places the .ovpn file in your home directory:
sftp sammy@openvpn_server_ip:client-configs/files/client1.ovpn ~/
Here are several tools and tutorials for securely transferring files from the server to a local computer:
WinSCP How To Use SFTP to Securely Transfer Files with a Remote Server How To Use Filezilla to Transfer and Manage Files Securely on your VPS
Step 12: Install the Client Configuration
Now, we'll discuss how to install a client VPN profile on Windows, OS X, iOS, and Android. None of these client instructions are dependent on one another, so feel free to skip to whichever is applicable to you.
The OpenVPN connection will be called whatever you named the .ovpn file. In our example, this means that the connection will be called client1.ovpn for the first client file we generated. Windows
Installing
The OpenVPN client application for Windows can be found on OpenVPN's Downloads page. Choose the appropriate installer version for your version of Windows.
Note OpenVPN needs administrative privileges to install.
After installing OpenVPN, copy the .ovpn file to:
C:\Program Files\OpenVPN\config
When you launch OpenVPN, it will automatically see the profile and makes it available.
OpenVPN must be run as an administrator each time it's used, even by administrative accounts. To do this without having to right-click and select Run as administrator every time you use the VPN, you can preset this, but this must be done from an administrative account. This also means that standard users will need to enter the administrator's password to use OpenVPN. On the other hand, standard users can't properly connect to the server unless the OpenVPN application on the client has admin rights, so the elevated privileges are necessary.
To set the OpenVPN application to always run as an administrator, right-click on its shortcut icon and go to Properties. At the bottom of the Compatibility tab, click the button to Change settings for all users. In the new window, check Run this program as an administrator.
Connecting
Each time you launch the OpenVPN GUI, Windows will ask if you want to allow the program to make changes to your computer. Click Yes. Launching the OpenVPN client application only puts the applet in the system tray so that the VPN can be connected and disconnected as needed; it does not actually make the VPN connection.
Once OpenVPN is started, initiate a connection by going into the system tray applet and right-clicking on the OpenVPN applet icon. This opens the context menu. Select client1 at the top of the menu (that's our client1.ovpn profile) and choose Connect.
A status window will open showing the log output while the connection is established, and a message will show once the client is connected.
Disconnect from the VPN the same way: Go into the system tray applet, right-click the OpenVPN applet icon, select the client profile and click Disconnect. OS X
Installing
Tunnelblick is a free, open source OpenVPN client for Mac OS X. You can download the latest disk image from the Tunnelblick Downloads page. Double-click the downloaded .dmg file and follow the prompts to install.
Towards the end of the installation process, Tunnelblick will ask if you have any configuration files. It can be easier to answer No and let Tunnelblick finish. Open a Finder window and double-click client1.ovpn. Tunnelblick will install the client profile. Administrative privileges are required.
Connecting
Launch Tunnelblick by double-clicking Tunnelblick in the Applications folder. Once Tunnelblick has been launched, there will be a Tunnelblick icon in the menu bar at the top right of the screen for controlling connections. Click on the icon, and then the Connect menu item to initiate the VPN connection. Select the client1 connection.
Linux
Installing
If you are using Linux, there are a variety of tools that you can use depending on your distribution. Your desktop environment or window manager might also include connection utilities.
The most universal way of connecting, however, is to just use the OpenVPN software.
On Ubuntu or Debian, you can install it just as you did on the server by typing:
sudo apt-get update sudo apt-get install openvpn
On CentOS you can enable the EPEL repositories and then install it by typing:
sudo yum install epel-release sudo yum install openvpn
Configuring
Check to see if your distribution includes a /etc/openvpn/update-resolv-conf script:
ls /etc/openvpn
Output update-resolve-conf
Next, edit the OpenVPN client configuration file you transfered:
nano client1.ovpn
Uncomment the three lines we placed in to adjust the DNS settings if you were able to find an update-resolv-conf file: client1.ovpn
script-security 2 up /etc/openvpn/update-resolv-conf down /etc/openvpn/update-resolv-conf
If you are using CentOS, change the group from nogroup to nobody to match the distribution's available groups: client1.ovpn
group nobody
Save and close the file.
Now, you can connect to the VPN by just pointing the openvpn command to the client configuration file:
sudo openvpn --config client1.ovpn
This should connect you to your server.