OpenVPN – Config and procedures

Server: aglianico (

Client Configuration

The client needs a config file (described below) and 4 key/certificate files:
– ca.crt (server Certificate Authority, shared by all clients)
– ta.key (HMAC firewall key, shared by all clients)
– userName.crt (per-user, private, see the “New User” section)
– userName.key (per-user, private, see the “New User” section)
This is the client config (the userName.ovpn file). Change the paths and the userName certificate/key file names to match your own.
To start the VPN, use the command: sudo openvpn userName.ovpn

client   # TLS client mode, and accept the routes pushed by the server (required for cert/key to be accepted)
dev tun
proto udp
remote 1194
resolv-retry infinite
cipher AES-256-CBC
verb 3
ca /path/ca.crt
cert /path/userName.crt
key /path/userName.key
tls-auth /path/ta.key 1

New User

To create and register a new user (pippo), connect to frontend ( as root and:
– cd /etc/openvpn/easy-rsa
– source ./vars
– ./build-key pippo
– leave all options at their defaults EXCEPT:
– Name [server]: pippo
– Email Address []
– A challenge password []: leave it empty, do not set a challenge password
– Sign the certificate? [y/n]: y
– 1 out of 1 certificate requests certified, commit? [y/n]: y

At this point, in the /etc/openvpn/easy-rsa/keys directory, you will have:
– pippo.crt
– pippo.csr
– pippo.key
And a new entry in the file index.txt marked as “V”.

Make sure that the user obtains those 3 files (plus ca.crt and ta.key) OVER A SAFE CHANNEL (better by hand), then remove them from the server.

Revoke User

To revoke access for a user (pippo), connect to frontend ( as root and:
– cd /etc/openvpn/easy-rsa
– check the certificate’s real user name (its Common Name) in the file /etc/openvpn/easy-rsa/keys/index.txt
– source ./vars
– ./revoke-full pippo
– at this point the entry in keys/index.txt should be marked as “R” and the revoked certificate list should be updated in keys/crl.pem (check with: openssl crl -in keys/crl.pem -text)
Apply the revocation (overwrite the current crl.pem):
– cp keys/crl.pem /etc/openvpn/
– systemctl restart openvpn@server.service (kills the current connections and forces every client to re-authenticate)
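The following script is an added check, not part of the original procedure: it confirms that the revocation above really took effect and that the "real certificate user's name" step was done against the CN, not the file name. It assumes the easy-rsa 2.x index.txt layout (tab-separated: status, expiry, revocation date, serial, file name, subject DN), an openssl binary and GNU date; the index.txt content is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes easy-rsa 2.x index.txt
# layout, an openssl binary and GNU date (for "date -d").

# Print "<status> <serial>" for every index.txt entry whose subject CN is $2.
# Matching on the CN inside the subject DN, not on the key file name, is the
# point of the "check the real certificate user's name" step.
index_entries() {
    awk -v cn="$2" 'BEGIN { FS = "\t" }
    {
        n = split($6, parts, "/")
        for (i = 1; i <= n; i++)
            if (parts[i] == "CN=" cn) print $1, $4
    }' "$1"
}

# Status of the most recently issued certificate for a CN: V, R or "none".
index_status() {
    s=$(index_entries "$1" "$2" | tail -n 1 | cut -d' ' -f1)
    echo "${s:-none}"
}

# Return 0 if every revoked serial for the CN is listed in the CRL and the CRL
# is still valid. OpenVPN 2.4+ refuses *every* client once the CRL given to
# crl-verify has passed its nextUpdate (easy-rsa 2 defaults it to 30 days),
# so regenerate and re-copy crl.pem before that happens.
crl_covers() {  # $1 = index.txt, $2 = CN, $3 = crl.pem
    text=$(openssl crl -in "$3" -noout -text) || return 1
    index_entries "$1" "$2" | awk '$1 == "R" { print $2 }' | while read -r serial; do
        printf '%s\n' "$text" | grep -q "Serial Number: $serial\$" || exit 1
    done || return 1
    next=$(openssl crl -in "$3" -noout -nextupdate | sed 's/^nextUpdate=//')
    [ "$(date -d "$next" +%s)" -gt "$(date +%s)" ]
}

# Constructed sample index.txt: pippo was issued serial 02 and then revoked,
# mario (serial 03) is still valid. Prints the path of the temporary file.
sample_index() {
    f=$(mktemp)
    printf 'R\t280101000000Z\t190601120000Z\t02\tunknown\t/C=IT/O=example/CN=pippo/name=pippo/emailAddress=pippo@example.invalid\n' > "$f"
    printf 'V\t280101000000Z\t\t03\tunknown\t/C=IT/O=example/CN=mario/name=mario/emailAddress=mario@example.invalid\n' >> "$f"
    echo "$f"
}
```

On the real server run, for example, `index_status keys/index.txt pippo` and `crl_covers keys/index.txt pippo /etc/openvpn/crl.pem` after the `cp` step, so that the copied CRL is the one checked.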

Server Configuration

Required rpms: openvpn, easy-rsa, iptables-services.

Network setup

# systemctl disable firewalld
# systemctl stop firewalld
# yum install iptables-services
# systemctl enable iptables
# systemctl start iptables
# iptables --flush
# iptables -t nat -A POSTROUTING -s -d -j MASQUERADE
# iptables-save > /etc/sysconfig/iptables
add “net.ipv4.ip_forward = 1” to /etc/sysctl.conf
# systemctl restart network.service

add NAT and FIREWALL rules (UDP 1194 from WAN to to network firewall (


If you want to enable direct access from the VPN to one of the AWS machines you can add a rule like the following:
# iptables -A FORWARD -i tun0 -s -d -j ACCEPT

where is the IP of the AWS machine, in this case prod-db

If you want to allow a whole set of IPs, you can use ipset.
For example, to allow all the AWS machines, create a file aws_machines.txt with one host name per line (only the first column of each line is used):
master-of-puppet
preprod-db
preprod-db-slave
preprod-app-1
preprod-app-2
preprod-web
preprod-common
prod-db
prod-db-slave
prod-app-1
prod-app-2
prod-web
prod-common
profiling-db
profiling-app
training-dbapp
training-web
training-common
uat-db
uat-web
uat-common
uat-app-2
uat-app-1
integration-common
integration-web
integration-dbapp
nexus
uat-rserver
r_playground
preprod-rserver
prod-rserver

then invoke:

create the IP set:
# ipset -N AWS_MACHINES iphash

add all the AWS machines to the IP set:
# awk '{print $1}' aws_machines.txt | xargs -I {} ipset -A AWS_MACHINES {}

create an iptables rule that gives access to the whole set:
# iptables -A FORWARD -i tun0 -s -m set --match-set AWS_MACHINES dst -j ACCEPT

Service setup

# systemctl -f enable openvpn@server.service
# systemctl start openvpn@server.service

Server config file (/etc/openvpn/server.conf)

# Which local IP address should OpenVPN listen on? (optional)
port 1194
proto udp
dev tun

# SSL/TLS root certificate (ca), certificate (cert), and private key (key). Each client and the server must have their own cert and
# key file. The server and all clients will use the same ca file.
# See the “easy-rsa” directory for a series of scripts for generating RSA certificates and private keys. Remember to use
# a unique Common Name for the server and each of the client certificates.
# Any X509 key management system can be used. OpenVPN can also use a PKCS #12 formatted key file (see “pkcs12” directive in man page).
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
# Diffie hellman parameters. Generate your own with: openssl dhparam -out dh2048.pem 2048
dh /etc/openvpn/dh2048.pem
crl-verify /etc/openvpn/crl.pem


# Push routes to the client to allow it to reach other private subnets behind the server. Remember that these private subnets will also need
# to know to route the OpenVPN client address pool ( back to the OpenVPN server.
push "route"

# If enabled, this directive will configure all clients to redirect their default network gateway through the VPN, causing all IP traffic such as web browsing and
# and DNS lookups to go through the VPN (The OpenVPN server machine may need to NAT or bridge the TUN/TAP interface to the internet in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS"
;push "dhcp-option DNS"

# The keepalive directive causes ping-like messages to be sent back and forth over the link so that each side knows when the other side has gone down.
# Ping every 10 seconds, assume that remote peer is down if no ping received during a 120 second time period.
keepalive 10 120

# For extra security beyond that provided by SSL/TLS, create an "HMAC firewall" to help block DoS attacks and UDP port flooding.
# Generate with: openvpn --genkey --secret ta.key
# The server and each client must have a copy of this key. The second parameter should be '0' on the server and '1' on the clients.
tls-auth /etc/openvpn/ta.key 0 # This file is secret

# Select a cryptographic cipher. Note that 2.4 client/server will automatically negotiate AES-256-GCM in TLS mode.
cipher AES-256-CBC

# Max concurrent clients we want to allow.
max-clients 50
user nobody
group nobody

# Output a short status file showing current connections, truncated and rewritten every minute.
status /etc/openvpn/openvpn-status.log
verb 4
log /etc/openvpn/openvpn.log