Setting up OpenVPN

6.4 Setting up OpenVPN

Alright, this section is probably the most difficult one. This section assumes you installed OpenVPN using all the default settings. I am also assuming the following real NIC settings from a previous section:

The IP Address is 192.168.0.3
The Default Gateway is 192.168.0.1.
The Subnet Mask is 255.255.255.0.
The DNS server is 192.168.0.2

I am also assuming that your router (also known as a residential gateway or firewall) is configured so that the DHCP IP assignment ranges only up to 192.168.0.64. You can usually check or edit the setting by logging in to the router.

6.4.1 Create authentication files

Using the command line interface of Windows (“Start”, “Run...” and cmd), execute the following commands:

cd C:\Program Files\OpenVPN\easy-rsa
This changes the current directory to the folder that will contain the necessary authentication files.
vars
clean-all
This cleans up the folder so we are ready to begin. Do not perform this step again unless you want to start from scratch!
vars
build-ca
This step builds a certificate authority (CA) certificate and key. Most of the information it prompts you are not important. However, you have to enter the “Common Name” properly. I choose “ciss342-ca”, but you can choose some other name.
vars
build-dh
This builds the Diffie Hellman parameters. This step may take a bit of time on a slower system. The file generated here is used by OpenVPN server and client to exchange keys in via an insecure connection.
vars
build-key-server ciss342-server
This step creates the key for the OpenVPN server. Again, you’ll be prompted a few questions. The “Common Name” is the only one that is important. I choose “ciss342-server’. You also need to answer y for the last two questions regarding whether to sign the certificate and whether to commit.
vars
build-key ciss342-client1
build-key ciss342-client2
This step creates the keys for the clients called client1 client2. Again, you have to specify a meaningful “Common Name”, and answer y for the last two questions. Be sure to choose a different “common name” for each client.
openvpn --genkey --secret keys/ta.key
This steps generates the TLS key that will be used later.

After all these steps, you’ll find a few files in the subfolder keys under the current folder. Use the command dir keys to list the files.

6.4.2 Create and change the server configuration file

Using Windows Explorer, navigate to C:\Program Files\OpenVPN\config. Then, use a text editor (such as Notepad) to create a file named server.ovpn with the following content. Text to the right of the semi-colon (;) of a line is comments and needs not be entered.

port 1194 ; this is the default port of OpenVPN
proto udp ; use UDP instead of TCP
mode server ; server side configuration
dev tap   ; use TAP (ethernet bridge)
dev-node tap-bridge ; specify TUN/TAP interface for bridging to ethernet
ca ../easy-rsa/keys/ca.crt ; certificate authority certificate
cert ../easy-rsa/keys/ciss342-server.crt ; server certificate
key ../easy-rsa/keys/ciss342-server.key  ; server private key
dh ../easy-rsa/keys/dh1024.pem ; Diffie hellman parameter
push "redirect-gateway"
client-to-client ; permits client to client communication
tls-server
tls-auth ../easy-rsa/keys/ta.key 0 ; mode server requires TLS
cipher BF-CBC ; cryptographic cipher
comp-lzo      ; compression
persist-key
persist-tun
verb 3

6.4.3 Disable Windows Firewall

You need to disable Windows Firewall on some of the interfaces for this to work. In the Control Panel (classic view), double click “Windows Firewall”. If you don’t see this option, it means Windows Firewall is not installed. However, you may still have to configure other third party software firewalls that you have installed.

In “Windows Firewall”, select the “Advanced” tab. Unselect the checkbox next to “tap-bridge”, then click “OK”.

6.4.4 Start the OpenVPN server

In Windows Explorer, navigate to C:\Program Files\OpenVPN\config. Then right-click server, and select “Start OpenVPN on this config file’.

A command line interface should start up. If all works, you should see the last line indicating “Initialization Sequence Completed”.

Note that all other steps only need to be performed once, but this step is necessary every time you restart the computer.

6.4.5 Make a bridge

At this point, the TUN/TAP interface is not connected to any real network. To make the connection to a real network, we need to create bridge the TUN/TAP interface (tap-bridge) to an actual NIC.

In the Control Panel (classic view), double-click “Network Connections”. This should display all the available connections:

Select both tap-bridge and the actual NIC. You have to control-click to select two interfaces. Then, right click one of the interfaces and select “Bridge Connections”.

It will take a while to create the bridge, and you may see some warnings.

After the bridge is created, you need to manually edit some of its settings. Right click the bridge connection, click “Properties...”, then double the TCP/IP item.

Change the IP address to the address that you choose for the network bridge. In our example, 192.168.0.100 is the number. Set the Submet mask to 255.255.255.0. The Default Gateway should be set to 192.168.0.1, and the Preferred DNS server should be set to 192.168.0.2.

Obviously, these IP addresses are example, only. The actual IP addresses depend on your network.

6.4.6 Confirm the configuration

If you don’t see any broken network connections on your task bar, it means the set up should be working. You can use your web browser to confirm this by going to an external web site.

You can also open a command line interface (cmd) and use the following commands:

ipconfig /all
This command should list only the bridge as the only interface.
ping google.com
If all works, this command should be able to ping an Internet web site. If the command displays the IP address of the domain name, but fails to ping, the problem is likely to be with relaying ICMP packets. If the command does not display an IP address, it is possible that the DNS setting is incorrect.

6.4.7 Subsequent restart

If you restart the system, some steps need to be repeated unless you automate the process.

First, you need to start OpenVPN manually. However, this does not automatically connect the VPN interface tap-bridge. Windows will report the interface remains “unplugged”. This is because it is a part of the network bridge, and it was unplugged when the network bridge was created (during start up).

To fix this, you can disable the network bridge interface, and re-enable it. As you re-enable the network bridge, Windows checks and reinitialize the bridged interfaces, which include tap-bridge.

You can automate the restarting of OpenVPN. Create a file called startOpenVPN.bat in C:\Documents and Settings\yourname\Start Menu\Programs\Startup. Change yourname to your actual user name. The file should have the following lines:

cd "C:\Program Files\OpenVPN\config"
..\bin\openvpn server.ovpn

This way, this script only runs when you log in.

[prev] [prev-tail] [front] [up]