From Gentoo Wiki
Jump to: navigation, search

OpenVPN (Open Virtual Private Network) is software that enables the creation of secure point-to-point or site-to-site connections.



KERNEL Enable CONFIG_TUN in the kernel
Device Drivers  --->
    [*] Network device support  --->
        [*] Network core driver support
        <*>   Universal TUN/TAP device driver support

USE flags

USE flags for net-vpn/openvpn Robust and highly flexible tunneling application compatible with many OSes

down-root Enable the down-root plugin local
examples Install examples, usually source code global
inotify Enable inotify filesystem monitoring support global
iproute2 Enabled iproute2 support instead of net-tools local
libressl Use dev-libs/libressl as SSL provider (might need ssl USE flag), packages should not depend on this USE flag global
lz4 Enable LZ4 support local
lzo Enable support for lzo compression global
mbedtls Use mbed TLS instead of OpenSSL local
pam Add support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip global
pkcs11 Enable PKCS#11 smartcard support local
plugins Enable the OpenVPN plugin system local
selinux !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur global
ssl Add support for Secure Socket Layer connections global
static !!do not set this during bootstrap!! Causes binaries to be statically linked instead of dynamically global
systemd Enable use of systemd-specific libraries and features like socket activation or session tracking global
test Workaround to pull in packages needed to run with FEATURES=test. Portage-2.1.2 handles this internally, so don't set it in make.conf/package.use anymore global


Install the OpenVPN package:

root #emerge -v net-vpn/openvpn


Server side

If this is the first time setting up an openvpn server, we will need to create a PKI (Public Key Infrastructure) from scratch.

In this example place all generated keys into /etc/openvpn/example/
The example will just setup a single server. For multiple OpenVPN instances see the 'Gentoo specifics' section.

Write a server-side openvpn configuration.

FILE /etc/openvpn/openvpn.confSetup a example UDP OpenVPN server
# server binding port
port 12112

# openvpn protocol, could be tcp / udp / tcp6 / udp6
proto udp

# tun/tap device
dev tun0

# keys configuration, use generated keys
ca example/ca.crt
cert example/example.crt
key example/example.key
dh example/dh2048.pem

# optional tls-auth key to secure identifying
# tls-auth example/ta.key 0

# OpenVPN 'virtual' network infomation, network and mask

# persistent device and key settings
ifconfig-pool-persist ipp.txt

# pushing route tables
push "route"
# push "dhcp-option DNS"

# connection
keepalive 10 120

user nobody
group nobody

# logging
status openvpn-status.log
log /etc/openvpn/openvpn.log
verb 4

Start openvpn server, run

root #/etc/init.d/openvpn start

Client side

Copy the necessary key files to client, via a secure way (such as SSH), including

  • ca.crt
  • client1.csr (in this example)
  • client1.crt (in this example)
  • client1.key (in this example)
  • ta.key (if using tls-auth)

Write a client-side openvpn configuration file:

FILE /etc/openvpn/openvpn.confclient-side udp openvpn configuration
# specify client-side

# tun/tap device
dev tun0

# protocol, according to server
proto udp

# server address
remote 12112

# connection
resolv-retry 30

# persistent device and keys

# keys settings
ca example/ca.crt
cert example/client1.crt
key example/client1.key

# optional tls-auth
# tls-auth exmaple/ta.key 1

# pull dns settings from the server
script-security 2

# These scripts are defaults within the service script. To specify custom scripts,
# use /etc/openvpn/${SVCNAME}-{up,down}.sh as suggested by the service script.
# If you use systemd, SVCNAME will not get set automatically.
# Add `setenv SVCNAME my_svc_name` to set it, where my_svc_name is determined by
# /etc/openvpn/client/my_svc_name.conf
# up /etc/openvpn/
# down /etc/openvpn/

# logging
log /etc/openvpn/openvpn.log
verb 4

To automatically provide username and password, or just username with the password still prompted, add the following option, where auth is the file name containing 1 line with a username, or 2 lines with a username and password.

FILE /etc/openvpn/openvpn.confclient-side openvpn configuration for automating username/password
auth-user-pass /etc/openvpn/auth

To start client, run


root #/etc/init.d/openvpn start


root #systemctl start openvpn

If all goes well, this would give you a working OpenVPN server and client connection.

Gentoo specifics

The init script allows multiple tunnels. Decide on a name for the tunnel - eg EXAMPLE

Using OpenRC

root #ln -s /etc/init.d/openvpn /etc/init.d/openvpn.EXAMPLE

Now create your config as /etc/openvpn/EXAMPLE.conf

root #/etc/init.d/openvpn.EXAMPLE start

Using systemd

Due to dependencies server and client operations are separated into two units.

Create your server config as /etc/openvpn/server/EXAMPLE.conf

root #systemctl start openvpn-server@EXAMPLE

Create your client config as /etc/openvpn/client/EXAMPLE.conf

root #systemctl start openvpn-client@EXAMPLE

You can then create more tunnels by replacing EXAMPLE with more names. Each one has its own configuration and can be stopped and started individually. The default is simply to use openvpn.conf and not symlink the service. You can of course use both methods.


See also

External resources