OpenVPN Client

The OpenVPN Client can be used to create a VPN tunnel between the client system and any VPN server that uses the OpenVPN protocol. This will allow you to route traffic through the VPN tunnel to the VPN server from the client system.

To build the OpenVPN Client, we must first ensure that the prerequisite modules are available. These are lzo, openssl and pam. If your package manager has them available, you can install them like this on an RPM-based system like RedHat or CentOS:

     su
     yum install lzo
     yum install lzo-devel
     yum install openssl
     yum install openssl-devel
     yum install pam-devel

For a Debian-based system such as Ubuntu, you can try:

     su
     apt-get install liblzo2-dev libssl-dev libpam0g-dev

If your system is like some earlier RedHat/CentOS systems, the openssl, openssl-devel and pam-devel packages will already be installed and the lzo/lzo-devel packages will not be available.

But, even if your OS does have a version of LZO available, the version that is available is usually obsolete by quite a bit (e.g. for CentOS 6.3, in 2013 May, lzo-2.03 is supplied, whereas lzo-2.06 has been available since 2011 Aug 12). Given that the whole point of LZO is speed, and since the later versions of LZO have optimizations that improve speed, the latest LZO will run cooler, cleaner, quieter, longer. In other words, the performance of your VPN connection will be better and use less resources. So, for us, we always begin by building LZO.

If you surf over to http://www.oberhumer.com/opensource/lzo/download, you can select and download the latest source version of LZO from the list. Once you have the source, change to the directory where it was downloaded and unpack it:

     tar -xvzf lzo-2.06.tar.gz

Change to the package directory, and configure and build the source:

     cd lzo-2.06
     ./configure
     make
     make check
     make test     # run a full test

Once the tests run, install the LZO library:

     su
     make install

Now that you have all of the prerequisites installed, you can build and install the OpenVPN package. Begin by downloading the latest OpenVPN source from http://openvpn.net/index.php/open-source/downloads.html. After you obtain the source, change to the directory where it was downloaded and unpack it:

     tar xfz openvpn-2.3.1.tar.gz

Then cd to the top-level directory and type:

     ./configure --enable-password-save
     make

OpenVPN can be installed like this:

     su
     make install

Now that you've installed the OpenVPN package and before you proceed any further, you should check that the iproute package is installed on your system because this package and the commands therein are very useful when running VPN tunnels. You can simply look for /bin/ip or /sbin/ip to verify that the iproute package is installed. If it isn't, install it like this:

     su
     yum install iproute

Or, if you are using a Debian-based system such as Ubuntu, install it like this:

     sudo apt-get install iproute

Before you switch OpenVPN into production mode and start paying for a VPN provider (if that is your intention), you may want to test your OpenVPN installation against an OpenVPN server that is readily available and doesn't require you to sign up and pay for the service. You can surf over to http://www.bestfreevpn.com/ where you may be able to find a free OpenVPN server that will allow you to test your connection. Another tip is to search with your favorite search engine for 'free vpn "openvpn"' and see what it finds.

Whichever service you choose, be sure you pick a server that supports OpenVPN. You'll need to download a set of credentials that can be used to set up a free client connection, and possibly a username and password. If need be, unzip the downloaded file or extract the files (one way or another) to get something that looks like these files:

     openvpn.conf
     ca.crt
     client.crt
     client.key

And possibly, if the VPN provider uses a TLS authorization key, a file that looks like this:

     ta.key

Alternately, some of the free VPN providers supply a simple configuration file that includes everything (certificates and keys) all in the config file itself. If you choose one of these VPN providers, all you need is the config file, for example:

     simplevpn.conf

We used to use Hostizzle for testing because they offered a 30-day free trial account. This is no longer the case but they still offer a cheap account (currently $3/month). You could choose this route instead of a free VPN provider to test your connection against a real, production VPN service. In this discussion, we'll use Hostizzle and VPNBook (a provider that we found through our search engine) as examples of how to set up two different VPN connections.

It makes a nice, clean installation if you put all of the OpenVPN configuration files in a common directory such as /etc/openvpn, but such a directory is not created by the OpenVPN install. So, before proceeding, create it:

     su
     mkdir /etc/openvpn
     chown root:root /etc/openvpn
     chmod u=rwx,go=rx /etc/openvpn

VPNBook supplies everything you need as single config files (with the certificates and keys embedded within them), one for each connection type that they offer, in their zip file, whereas Hostizzle supplies separate config and certificate/key files in their zipped archive. Either pick the single VPNBook config file for the connection type you wish to test (we start out simple using TCP, port 80, so our favorite ISP won't get their greasy little fingers on anything and we have a good chance of it working) or unzip the Hostizzle files to the /etc/openvpn directory, naming or renaming them along the way to identify their origin and keep them separate:

     su
     (extract VPNBook Euro 1, TCP, 80 as) /etc/openvpn/VPNBook-Euro1-TCP80.conf
     chown root:root /etc/openvpn/VPNBook-Euro1-TCP80.conf
     chmod u=rw,go= /etc/openvpn/VPNBook-Euro1-TCP80.conf

or

     su
     cp ca.crt /etc/openvpn/Hostizzle_ca.crt
     cp client.crt /etc/openvpn/Hostizzle_client.crt
     cp client.key /etc/openvpn/Hostizzle_client.key
     cp ta.key /etc/openvpn/Hostizzle_ta.key
     cp 3dbf5515f8a7a248e3559ae8534cfe44.ovpn /etc/openvpn/Hostizzle.conf
     chmod u=rw,go= /etc/openvpn/Hostizzle*

Since you renamed the Hostizzle files, you need to alter the reference to them in the conf file. Use your favorite editor to change Hostizzle.conf to read:

          .
          .
          .
     tls-auth /etc/openvpn/Hostizzle_ta.key 1
          .
          .
          .
     ca /etc/openvpn/Hostizzle_ca.crt
     cert /etc/openvpn/Hostizzle_client.crt
     key /etc/openvpn/Hostizzle_client.key
          .
          .
          .
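The staging steps above (creating /etc/openvpn, copying the provider's files under a per-provider prefix, locking down their permissions and pointing the config at the renamed files) collected into one script, as an added example that is not code from this page or from the OpenVPN project. The function names, the optional DEST_DIR argument and the permission audit are assumptions; the script expects the bundle to use the file names ca.crt, client.crt, client.key and ta.key shown above, and uses GNU stat with BSD stat as a fallback.

```shell
#!/bin/sh
# Stage a provider's OpenVPN credential bundle into /etc/openvpn under a
# per-provider prefix and rewrite the config so its ca/cert/key/tls-auth
# directives point at the renamed absolute paths.
# Added example: function names and the DEST_DIR argument are assumptions,
# not part of the original page or the OpenVPN project.
set -eu

# stage_vpn_bundle SRC_DIR CONF_FILE PREFIX [DEST_DIR]
#   Copies ca.crt, client.crt, client.key and, if present, ta.key from SRC_DIR
#   to DEST_DIR as PREFIX_ca.crt and so on, writes DEST_DIR/PREFIX.conf with
#   the file directives rewritten, and restricts every staged file to 0600.
#   Prints the path of the new config file.
stage_vpn_bundle() {
    src=$1; conf=$2; prefix=$3; dest=${4:-/etc/openvpn}
    out="$dest/$prefix.conf"

    mkdir -p "$dest"
    chmod u=rwx,go=rx "$dest"
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$dest"
    fi

    for f in ca.crt client.crt client.key ta.key; do
        [ -f "$src/$f" ] || continue
        cp "$src/$f" "$dest/${prefix}_$f"
        chmod u=rw,go= "$dest/${prefix}_$f"
    done

    # Rewrite only the directives that name a file. Requiring whitespace after
    # the directive leaves "key-direction" and commented-out lines untouched,
    # and the tls-auth line keeps its trailing key-direction argument
    # (1 on the client side).
    sed -E \
        -e "s#^[[:space:]]*ca[[:space:]]+[^[:space:]]+#ca $dest/${prefix}_ca.crt#" \
        -e "s#^[[:space:]]*cert[[:space:]]+[^[:space:]]+#cert $dest/${prefix}_client.crt#" \
        -e "s#^[[:space:]]*key[[:space:]]+[^[:space:]]+#key $dest/${prefix}_client.key#" \
        -e "s#^[[:space:]]*tls-auth[[:space:]]+[^[:space:]]+#tls-auth $dest/${prefix}_ta.key#" \
        "$conf" > "$out"
    chmod u=rw,go= "$out"
    echo "$out"
}

# check_vpn_perms DIR
#   Lists every regular file under DIR whose mode lets group or others read or
#   write it; returns 1 if any is found, so a readable private key is caught
#   before the tunnel is ever started.
check_vpn_perms() {
    dir=$1; bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # GNU stat first, BSD stat as the fallback
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        case $mode in
            600|400) ;;
            *) echo "insecure mode $mode: $f"; bad=1 ;;
        esac
    done
    return $bad
}

# Usage: sh stage_bundle.sh SRC_DIR CONF_FILE PREFIX [DEST_DIR]
if [ $# -ge 3 ]; then
    new_conf=$(stage_vpn_bundle "$@")
    check_vpn_perms "$(dirname "$new_conf")"
    echo "staged: $new_conf"
fi
```

Run it as root with the unpacked provider directory, the provider's .ovpn file and a prefix such as Hostizzle; the audit at the end fails loudly if anything in the destination directory is readable by other users, which is the condition you want to catch before the key is ever used.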

Save the edited config file. You can then run the OpenVPN client against the VPNBook or Hostizzle server to test that all is well:

     su
     /usr/local/sbin/openvpn /etc/openvpn/VPNBook-Euro1-TCP80.conf

or

     su
     /usr/local/sbin/openvpn /etc/openvpn/Hostizzle.conf

You'll see a series of messages detailing the steps that OpenVPN takes to establish the connection to the server. If all goes well, you can see that the connection is properly set up by opening a separate terminal window and entering:

     /sbin/ifconfig

You should see something like:

     tun0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-...
           inet addr:10.60.0.1  P-t-P:10.60.0.1  Mask:255.255.0.0
           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:100 
           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

When the VPN tunnel comes up, OpenVPN automatically adds a route to the tunnel and makes it the default gateway. You can see this with:

     /sbin/route

Your results should look something like this:

     Kernel IP routing table
     Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
          .
          .
          .
     10.60.0.0       *               255.255.0.0     U     0      0        0 tun0
     default         10.60.0.1       128.0.0.0       UG    0      0        0 tun0
     128.0.0.0       10.60.0.1       128.0.0.0       UG    0      0        0 tun0

If all is well, you should be able to ping the gateway:

     ping -c 2 10.60.0.1

A real test is to do a traceroute to a node that is omnipresent, for example:

     traceroute google.com

If the traceroute returns nodes that aren't normally in your route to the big eye in the sky, OpenVPN is working. You can verify this fact by looking up the IP addresses in the traceroute results at either of these Web sites:

     http://ip2location.com/demo
     http://www.geobytes.com/IpLocator.htm?GetLocation

To shut down the tunnel, simply enter <Ctrl-C> on the terminal that is connected to the openvpn command and it should shut down cleanly, removing the routes through the tunnel device and the tunnel device itself. You can check this by replaying the /sbin/route and /sbin/ifconfig commands and observing that the tun device and routing is gone.
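The two checks described above (that the tunnel owns the default route once it is up, and that no tunnel routes are left behind after Ctrl-C) as a script, added here as an example and not taken from the page or from OpenVPN itself. It reads the routing table in the format of `ip route show` from the iproute package mentioned earlier, rather than the net-tools `route` layout shown above; the function names and the sample routing tables are constructed for illustration.

```shell
#!/bin/sh
# Verify that the VPN tunnel really carries default traffic, and that it was
# cleaned up after shutdown, by inspecting `ip route show` output.
# Added example: function names and the sample tables below are constructed
# and are not from the original page.
set -eu

# tunnel_has_default ROUTES IFACE
#   ROUTES is the text of `ip route show`. Returns 0 when both half-default
#   routes (0.0.0.0/1 and 128.0.0.0/1) leave via IFACE. Two /1 routes are more
#   specific than the original default route, so the tunnel wins without the
#   original default having to be deleted.
tunnel_has_default() {
    routes=$1; iface=$2
    printf '%s\n' "$routes" | awk -v dev="$iface" '
        $1 == "0.0.0.0/1"   && $0 ~ ("dev " dev "( |$)") { lo = 1 }
        $1 == "128.0.0.0/1" && $0 ~ ("dev " dev "( |$)") { hi = 1 }
        END { if (lo && hi) exit 0; exit 1 }'
}

# tunnel_is_down ROUTES IFACE
#   Returns 0 when no route references IFACE at all (what you should see after
#   Ctrl-C), 1 if a stale tunnel route remains.
tunnel_is_down() {
    routes=$1; iface=$2
    ! printf '%s\n' "$routes" | grep -Eq "dev $iface( |$)"
}

# check_live [IFACE]
#   Runs both checks against the live routing table (needs the iproute package).
#   The middle case is the one to watch for: the device exists but does not own
#   the default route, so traffic may be leaving outside the VPN.
check_live() {
    iface=${1:-tun0}
    routes=$(ip route show)
    if tunnel_has_default "$routes" "$iface"; then
        echo "default traffic goes through $iface"
    elif tunnel_is_down "$routes" "$iface"; then
        echo "no routes via $iface: tunnel is down"
    else
        echo "WARNING: $iface has routes but does not own the default route"
        return 1
    fi
}

# Constructed sample tables (iproute format) for offline use.
ROUTES_UP='default via 192.168.1.1 dev eth0
0.0.0.0/1 via 10.60.0.1 dev tun0
10.60.0.0/16 dev tun0 proto kernel scope link src 10.60.0.1
128.0.0.0/1 via 10.60.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20'
ROUTES_DOWN='default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20'
# Failure case: the device is up but only one of the two half routes exists.
ROUTES_HALF='default via 192.168.1.1 dev eth0
0.0.0.0/1 via 10.60.0.1 dev tun0
10.60.0.0/16 dev tun0 proto kernel scope link src 10.60.0.1'

# Usage: sh vpncheck.sh [IFACE]   (no argument: check the live table for tun0)
if [ $# -gt 0 ]; then
    check_live "$@"
fi
```

With the tunnel running, `sh vpncheck.sh tun0` in a second terminal gives the same answer as reading the route table by eye; after Ctrl-C it should report that the tunnel is down.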

For each VPN connection that you wish to use, you will need to duplicate the steps above, copying the certificates and key that are supplied to you by the VPN service or that you get from your system administrator (or that you created when you set up the VPN server, if you are the system administrator). For example:

     su
     cp ca.crt /etc/openvpn/MyVPN_ca.crt
     cp client.crt /etc/openvpn/MyVPN_client.crt
     cp client.key /etc/openvpn/MyVPN_client.key
     chmod u=rw,go= /etc/openvpn/MyVPN*

Then, you'll have to create a config file for the VPN connection (if one isn't supplied by the VPN service). If a config file is supplied by the VPN service, you should use your favorite editor to change MyVPN.conf, renaming the certificate/key files to reflect the names used when they were copied to /etc/openvpn. Otherwise, if you need to start from scratch, copy the client sample configuration file from the OpenVPN install directory:

     su
     cp .../openvpn-2.3.1/sample-config-files/client.conf /etc/openvpn/MyVPN.conf
     chmod u=rw,go= /etc/openvpn/MyVPN.conf

Once you've copied the sample configuration file, use your favorite editor to make any changes necessary, as noted in the file's comments, but especially the changes to the certificate file names:

          .
          .
          .
     ca /etc/openvpn/MyVPN_ca.crt
     cert /etc/openvpn/MyVPN_client.crt
     key /etc/openvpn/MyVPN_client.key
          .
          .
          .

Save the edited config file. As above, you can then run the OpenVPN client against the new VPN server like this:

     su
     /usr/local/sbin/openvpn --config /etc/openvpn/MyVPN.conf

If you're happy with simply starting and stopping the tunnel whenever you need it, you can do it from the command line using the command shown above. To stop the client, either press <Ctrl-C> or kill the PID, if you started the tunnel using "&".

Note that OpenVPN adds routes through the tunnel for all traffic when it comes up. Maybe this will work for you, but in all probability you'll want to set up routing yourself. If this is the case, you can start the tunnel like this:

     su
     /usr/local/sbin/openvpn --route-noexec --config /etc/openvpn/MyVPN.conf

Then consult the section "Routing Traffic Through a VPN Connection" for notes on how to selectively route only the traffic that you want through your VPN connection, instead of all the traffic.

Also, starting and stopping your OpenVPN tunnel using commands from the command line is fairly rudimentary. The "Starting/Stopping an OpenVPN Tunnel and Routing Traffic Through It" section shows the scripts that will allow you to bring up the tunnel and shut it down, as well as altering the routing table to route traffic through the tunnel and modifying the firewall rules to ensure that bringing up the tunnel doesn't open up the system to any security breaches.