OpenVPN
OpenVPN (Open Virtual Private Network) is software that enables the creation of secure point-to-point or site-to-site connections.
Installation
Kernel
Device Drivers --->
[*] Network device support --->
[*] Network core driver support
<*> Universal TUN/TAP device driver support
USE flags
USE flags for net-vpn/openvpn Robust and highly flexible tunneling application compatible with many OSes
dco
|
Enable support for kernel data channel offload |
down-root
|
Enable the down-root plugin |
examples
|
Install examples, usually source code |
inotify
|
Enable inotify filesystem monitoring support |
iproute2
|
Enabled iproute2 support instead of net-tools |
lz4
|
Enable support for lz4 compression (as implemented in app-arch/lz4) |
lzo
|
Enable support for lzo compression |
mbedtls
|
Use mbed TLS as the backend crypto library |
openssl
|
Use OpenSSL as the backend crypto library |
pam
|
Add support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip |
pkcs11
|
Enable PKCS#11 smartcard support |
plugins
|
Enable the OpenVPN plugin system |
selinux
|
!!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur |
systemd
|
Enable use of systemd-specific libraries and features like socket activation or session tracking |
test
|
Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently) |
Emerge
Install the OpenVPN package:
root #
emerge -v net-vpn/openvpn
Also consider installing net-dns/openresolv.
Configuration
For a simple, single-client configuration that does not require PKI, see OpenVPN's official guide.
Server side
If this is the first time setting up an openvpn server, we will need to create a PKI (Public Key Infrastructure) from scratch.
In this example place all generated keys into /etc/openvpn/example/
The example will just setup a single server. For multiple OpenVPN instances see the 'Gentoo specifics' section.
Write a server-side openvpn configuration.
/etc/openvpn/openvpn.conf
Setup a example UDP OpenVPN servertls-server
# server binding port
port 12112
# openvpn protocol, could be tcp / udp / tcp6 / udp6
proto udp
# tun/tap device
dev tun0
# keys configuration, use generated keys
ca example/ca.crt
cert example/example.crt
key example/example.key
dh example/dh2048.pem
# optional tls-auth key to secure identifying
# tls-auth example/ta.key 0
# OpenVPN 'virtual' network infomation, network and mask
server 10.100.0.0 255.255.255.0
# persistent device and key settings
persist-key
persist-tun
ifconfig-pool-persist ipp.txt
# pushing route tables
push "route 192.168.1.0 255.255.255.0"
# push "dhcp-option DNS 192.168.1.1"
# connection
keepalive 10 120
comp-lzo
user nobody
group nobody
# logging
status openvpn-status.log
log /etc/openvpn/openvpn.log
verb 4
Start openvpn server, run
root #
/etc/init.d/openvpn start
Client side
Copy the necessary key files to client, via a secure way (such as SSH), including
- ca.crt
- client1.crt (in this example)
- client1.key (in this example)
- ta.key (if using tls-auth)
Write a client-side openvpn configuration file:
/etc/openvpn/openvpn.conf
client-side udp openvpn configuration# specify client-side
client
# tun/tap device
dev tun0
# protocol, according to server
proto udp
# server address
remote address.to.server 12112
# connection
comp-lzo
resolv-retry 30
nobind
# persistent device and keys
persist-key
persist-tun
# keys settings
ca example/ca.crt
cert example/client1.crt
key example/client1.key
# optional tls-auth
# tls-auth exmaple/ta.key 1
# pull dns settings from the server
script-security 2
# These scripts are defaults within the service script. To specify custom scripts,
# use /etc/openvpn/${SVCNAME}- {up,down}.sh as suggested by the service script.
# If you use systemd, SVCNAME will not get set automatically.
# Add `setenv SVCNAME my_svc_name` to set it, where my_svc_name is determined by
# /etc/openvpn/client/my_svc_name.conf
up /etc/openvpn/up.sh
down /etc/openvpn/down.sh
# logging
log /etc/openvpn/openvpn.log
verb 4
/etc/openvpn/openvpn.conf
To VPN only to specific addresses (IP only)route-nopull
route 3.211.206.102 255.255.255.0
route 108.139.243.1-255 255.255.255.0
To automatically provide username and password, or just username with the password still prompted, add the following option, where auth is the file name containing 1 line with a username, or 2 lines with a username and password.
/etc/openvpn/openvpn.conf
client-side openvpn configuration for automating username/passwordauth-user-pass /etc/openvpn/auth
To start client, run
OpenRC
root #
/etc/init.d/openvpn start
systemd
root #
systemctl start openvpn
If all goes well, this will yield a working OpenVPN server and client connection.
Monitoring
To see logs in real time, start like this:
root #
openvpn /etc/openvpn/openvpn.conf
Syslog
Assuming that syslog is enabled, OpenVPN's output is available, along with other services, on syslog.
Additionally, it is possible to send a signal to have it displaying status:
root #
killall -USR2 openvpn ; tail -f /var/log/syslog
This command does nothing but requesting statistic info. Nevertheless, be careful when using killall command!
Gentoo specifics
The init script allows multiple tunnels. Decide on a name for the tunnel - eg EXAMPLE.
Using OpenRC
root #
ln -s /etc/init.d/openvpn /etc/init.d/openvpn.EXAMPLE
Now create config as /etc/openvpn/EXAMPLE.conf:
root #
/etc/init.d/openvpn.EXAMPLE start
Using systemd
Due to dependencies server and client operations are separated into two units.
Create the server config as /etc/openvpn/server/EXAMPLE.conf:
root #
systemctl start openvpn-server@EXAMPLE
Create the client config as /etc/openvpn/client/EXAMPLE.conf:
root #
systemctl start openvpn-client@EXAMPLE
More tunnels can be created by replacing EXAMPLE with more names. Each one has its own configuration and can be stopped and started individually. The default is simply to use openvpn.conf and not symlink the service. Both methods may of course be used.
Troubleshooting
/etc/resolv.conf doesn't get updated
Ensure that the option up and down on the configuration file points to the right path for the script.
Also, dhcpcd is known to overwrite pre-existing file when service is ran (e.g. either automatically called by other script, or manually called thru net-misc/netifrc).
In most cases, the conflict between different network programs can be resolved by installing net-dns/openresolv. The configuration would work out-of-box. Most networking scripts (including Gentoo's OpenVPN up & down script; along with dhcpcd) would regard its presence.
If disabling dhcpcd's resolv.conf update is necessary (most likely not), add the line below to /etc/dhcpcd.conf:
/etc/dhcpcd.conf
nohook resolv.conf
See also
- WireGuard — a modern, simple, and secure VPN that utilizes state-of-the-art cryptography.
- VPN services
- Resolv.conf — used to configure hostname resolution.