Tuesday, May 3, 2011

Static IP for OpenVPN Clients

To give a VPN client a fixed address, uncomment this line in the server config:
client-config-dir /etc/openvpn/ccd
then create the directory...
# mkdir /etc/openvpn/ccd
then create a file in /etc/openvpn/ccd whose name is exactly the Common Name (CN) of that client's certificate (e.g. Juan, if the certificate was made with ./pkitool Juan)
# vim /etc/openvpn/ccd/Juan
Below is a sample content:
ifconfig-push 192.168.1.20 255.255.255.0
In tap (bridged) mode the two arguments are the address and the netmask. Choose an address on the bridged LAN that lies outside the pool given on the server-bridge line and outside the LAN's DHCP range, otherwise it can collide with a dynamically assigned one.
Save it and restart your OpenVPN server...
# /etc/init.d/openvpn restart
You can create as many of these files as you like; each one is applied only when its name matches the client certificate's CN exactly, because the server looks the file up by CN when the client connects. That lookup happens after the server has dropped privileges to nobody, so the directory and the files in it must stay world-readable.
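Because both the file name and the address have to be right for this to work, here is a small POSIX shell helper, added to this post rather than taken from it, that writes the ccd entry and refuses an address that is outside the bridged subnet or inside the server-bridge pool. The directory, CN, netmask and pool bounds are all arguments; the sample values in the comments are assumptions that match this page's examples.

```shell
#!/bin/sh
# write_ccd: create one client-config-dir entry and reject addresses that
# collide with the dynamic pool. Added example, not from the original post.
# Assumed usage, matching this page:
#   ./ccd_static.sh /etc/openvpn/ccd Juan 192.168.1.20 255.255.255.0 192.168.1.100 192.168.1.120

# dotted quad -> integer, POSIX sh arithmetic only (dash and bash use 64-bit ints)
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# write_ccd CCD_DIR CN IP NETMASK POOL_START POOL_END
write_ccd() {
    dir=$1 cn=$2 ip=$3 mask=$4
    # the file name must equal the certificate CN; a slash or leading dot cannot be
    # a CN you want and could point the write outside the ccd directory
    case $cn in
        ''|*/*|.*) echo "write_ccd: refusing CN '$cn'" >&2; return 1 ;;
    esac
    i=$(ip2int "$ip")   || return 1
    m=$(ip2int "$mask") || return 1
    s=$(ip2int "$5")    || return 1
    e=$(ip2int "$6")    || return 1
    # same subnet as the pool (and therefore as the bridge)
    if [ $(( $i & $m )) -ne $(( $s & $m )) ]; then
        echo "write_ccd: $ip is not in the bridged subnet" >&2; return 2
    fi
    # never inside the range the server hands out dynamically
    if [ "$i" -ge "$s" ] && [ "$i" -le "$e" ]; then
        echo "write_ccd: $ip lies inside the dynamic pool $5-$6" >&2; return 3
    fi
    mkdir -p "$dir" || return 1
    printf 'ifconfig-push %s %s\n' "$ip" "$mask" > "$dir/$cn"
    # the server reads this after dropping to nobody, so keep it world-readable
    chmod 644 "$dir/$cn"
}

if [ $# -eq 6 ]; then
    write_ccd "$@"
fi
```

The subnet and pool checks use the same netmask you pass on the server-bridge line, so a refused address is one the server would either not accept or could also hand to somebody else.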

Monday, May 2, 2011

OpenVPN Client how to

Generating Client Certificate and Key

Generating certificates and keys for a client is very similar to the process used for the server. It is assumed that you have already set up the /etc/openvpn/easy-rsa/ directory and updated /etc/openvpn/easy-rsa/vars as described in the OpenVPN Server post, and that your Certificate Authority, server certificate and keys already exist.

cd /etc/openvpn/easy-rsa/
source ./vars
./pkitool client

Note: you can give the certificate any name you like, for example your own name: ./pkitool Juan. The name becomes the certificate's Common Name (CN), which is also what the server matches against files in client-config-dir.

Then copy the following files to the client PC (client.key is the private key: keep it readable only by the user running OpenVPN, and give every client its own certificate and key rather than sharing one)...
  • client.ovpn (config file; the extension is .conf on Linux)
  • ca.crt
  • client.crt
  • client.key
  • ta.key
client config file contents:
client

dev tap
proto tcp
remote server1 1194
#remote server2 1194
#remote server3 8080
nobind
persist-key
# compression leaks information about encrypted data (VORACLE); keep it only if you need it, and then on both sides
comp-lzo

ca ca.crt
cert client.crt
key client.key
# the 1 is the key direction; the server side uses 0
tls-auth ta.key 1
# checks the server certificate's nsCertType extension so a stolen client cert cannot impersonate the server;
# on OpenVPN 2.1 or newer use "remote-cert-tls server" instead (ns-cert-type was removed in 2.5)
ns-cert-type server
# Blowfish has a 64-bit block (SWEET32); prefer cipher AES-256-CBC here and in server.conf
cipher BF-CBC
verb 3
ping 10
ping-restart 120
# uncomment below if Vista or higher is the client
#route-method exe
#route-delay 2

#uncomment this if you do not want the client to accept the routes the server pushes
#route-nopull

=== End of file

Extra Windows settings:
Only if the Windows client should forward traffic between its own LAN and the VPN, edit the registry value below to enable IP routing (Vista and higher):
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: IPEnableRouter
Type: REG_DWORD
Data: 0x00000001 (1) 

To start OpenVPN on Windows, just load the OpenVPN GUI.
Note: make sure the config file extension is .ovpn and all the certificates are inside the config directory.

To start OpenVPN on Linux, just type the following...
# /etc/init.d/openvpn restart
Note: make sure the extension is .conf and all the certificates are inside the OpenVPN directory (/etc/openvpn); the init script starts every .conf file it finds there.
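Shipping five separate files per client is error-prone; OpenVPN 2.1 and newer accept the CA certificate, client certificate, key and ta.key inline in the profile itself. The POSIX shell helper below is an added example, not part of the original post: it assumes the files sit in one directory under the names used above (ca.crt, NAME.crt, NAME.key, ta.key), strips the human-readable text dump that easy-rsa puts in front of each PEM block, and writes a single NAME.ovpn. It deliberately departs from the config above in two places: "remote-cert-tls server" replaces the deprecated "ns-cert-type server" (the server certificate created by pkitool --server carries the extendedKeyUsage=serverAuth this needs), and AES-256-CBC replaces BF-CBC, which means server.conf must be changed to the same cipher.

```shell
#!/bin/sh
# make_ovpn: build one self-contained client profile with the CA cert, client
# cert, client key and tls-auth key inlined. Added example, not from the post.
# Assumed usage: ./make_ovpn.sh /path/to/keys Juan vpn.example.org 1194 Juan.ovpn
#   (vpn.example.org is a placeholder for the "remote" host in the config above)

# pem_block TAG FILE: emit <TAG>...</TAG> holding only the BEGIN..END lines of FILE
pem_block() {
    printf '<%s>\n' "$1"
    sed -n '/^-----BEGIN /,/^-----END /p' "$2"
    printf '</%s>\n' "$1"
}

# make_ovpn DIR NAME REMOTE PORT OUTFILE
make_ovpn() {
    dir=$1 name=$2 remote=$3 port=$4 out=$5
    for f in ca.crt "$name.crt" "$name.key" ta.key; do
        if [ ! -r "$dir/$f" ]; then
            echo "make_ovpn: cannot read $dir/$f" >&2
            return 1
        fi
    done
    # subshell so the umask (the output embeds the private key) does not leak out
    (
        umask 077
        {
            printf '%s\n' \
                "client" "dev tap" "proto tcp" "remote $remote $port" "nobind" \
                "persist-key" \
                "# verifies the server cert's extendedKeyUsage; successor of ns-cert-type server" \
                "remote-cert-tls server" \
                "# with tls-auth inlined, the direction argument of 'tls-auth ta.key 1' moves here" \
                "key-direction 1" \
                "cipher AES-256-CBC" \
                "verb 3"
            pem_block ca       "$dir/ca.crt"
            pem_block cert     "$dir/$name.crt"
            pem_block key      "$dir/$name.key"
            pem_block tls-auth "$dir/ta.key"
        } > "$out"
    )
}

if [ $# -eq 5 ]; then
    make_ovpn "$@"
fi
```

The resulting file is created with mode 0600 because it now contains the client's private key; on Windows, drop it into the OpenVPN config directory as the only file the GUI needs, and on Linux rename it to .conf.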

Sunday, May 1, 2011

OpenVPN Server on Ubuntu

source: https://help.ubuntu.com/community/OpenVPN

To install OpenVPN on your Ubuntu machine, type this on the console
# aptitude install openvpn bridge-utils

To set the Bridge:
- Edit /etc/network/interfaces

When a Linux server is behind a NAT firewall, the /etc/network/interfaces file commonly looks like 

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo eth0
iface lo inet loopback
# The primary network interface
## This device provides internet access.
iface eth0 inet static
  address 192.168.1.10
  netmask 255.255.255.0
  gateway 192.168.1.1
- Edit this and add a bridge interface so that it looks similar to:
## This is the network bridge declaration
## Start these interfaces on boot
auto lo br0
iface lo inet loopback
iface br0 inet static
  address 192.168.1.10
  netmask 255.255.255.0
  gateway 192.168.1.1
  bridge_ports eth0
iface eth0 inet manual
  up ip link set $IFACE up promisc on
  down ip link set $IFACE down promisc off
- Restart networking: 
# sudo /etc/init.d/networking restart

After installation of OpenVPN let's create the Certificates to be used...
Step 1: 
Copy files to the /etc/openvpn/easy-rsa/ directory 
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/ 

Step 2: 
Edit /etc/openvpn/easy-rsa/vars 
sudo vi /etc/openvpn/easy-rsa/vars
Change these lines at the bottom so that they reflect your new CA. 
export KEY_COUNTRY="PH"
export KEY_PROVINCE="BC"
export KEY_CITY="Makati"
export KEY_ORG="verzion"
export KEY_EMAIL="me@myhost.mydomain"

Step 3: 
Set up the CA and create the first server certificate. Run the commands exactly as shown.
cd /etc/openvpn/easy-rsa/
sudo chown -R root:admin .
sudo chmod g+w .
source ./vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../

The Certificate Authority is now set up and the files the server needs are in /etc/openvpn/. Two things to check before moving on: ca.key stays in easy-rsa/keys (it signs every client certificate, so it must never be copied to /etc/openvpn and is best kept off the VPN host altogether), and server.key and ta.key in /etc/openvpn should be readable by root only (mode 0600). build-dh takes its size from KEY_SIZE in vars, which defaults to 1024 bits; set it to 2048 before running ./build-dh, in which case the file is named dh2048.pem and the dh line in server.conf must match.
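The copy step above is where the CA key tends to end up next to the running server by accident. The POSIX shell helper below is an added example, not from the post or the Ubuntu wiki it cites: given the easy-rsa keys directory and the destination (/etc/openvpn on this page) it copies exactly the five files server.conf references, sets private material to 0600 and the public files to 0644, warns when the DH file is the 1024-bit one, and refuses to proceed if a ca.key is already sitting in the destination. The dh file name is an argument because it follows KEY_SIZE.

```shell
#!/bin/sh
# stage_server_keys: copy only what the server needs out of easy-rsa/keys,
# with the right permissions and without the CA private key.
# Added example, not from the original post.
# Assumed usage: sudo ./stage_server_keys.sh /etc/openvpn/easy-rsa/keys /etc/openvpn dh1024.pem

# stage_server_keys KEYS_DIR DEST [DH_FILE]
stage_server_keys() {
    keys=$1 dest=$2 dh=${3:-dh1024.pem}
    # everything server.conf references, and nothing else
    for f in ca.crt server.crt server.key "$dh" ta.key; do
        if [ ! -f "$keys/$f" ]; then
            echo "stage_server_keys: $keys/$f is missing" >&2
            return 1
        fi
    done
    # the CA private key signs client certificates; it does not belong next to the running server
    if [ -f "$dest/ca.key" ]; then
        echo "stage_server_keys: $dest/ca.key exists; move it off this host before continuing" >&2
        return 2
    fi
    case $dh in
        dh1024*) echo "stage_server_keys: warning, $dh is a 1024-bit group; rebuild with KEY_SIZE=2048" >&2 ;;
    esac
    mkdir -p "$dest" || return 1
    # public material: world-readable is fine
    for f in ca.crt server.crt "$dh"; do
        cp "$keys/$f" "$dest/$f" || return 1
        chmod 644 "$dest/$f"
    done
    # private material: root only. OpenVPN reads these before it drops to nobody
    for f in server.key ta.key; do
        cp "$keys/$f" "$dest/$f" || return 1
        chmod 600 "$dest/$f"
    done
    return 0
}

if [ $# -ge 2 ]; then
    stage_server_keys "$@"
fi
```

Run it as root, since /etc/openvpn is root-owned; a non-zero exit means nothing usable was left half-copied that the server would then start with.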


Configuring the Server

By default every *.conf file in the /etc/openvpn/ directory is started on boot, so all we have to do is create a new file named server.conf in that directory.

First, we're going to create a couple of new scripts to be used by the openvpn server. 

sudo vi /etc/openvpn/up.sh

This script should contain the following 
#!/bin/sh
# OpenVPN runs this as "up.sh br0 tap0 <mtu> ..." once tap0 exists:
# bring the tap up in promiscuous mode and attach it to the bridge
BR=$1
DEV=$2
MTU=$3
/sbin/ip link set "$DEV" up promisc on mtu "$MTU"
/usr/sbin/brctl addif "$BR" "$DEV"

Now, we'll create a "down" script. 

sudo vi /etc/openvpn/down.sh

It should contain the following. 
#!/bin/sh
# detach the tap from the bridge and bring it down
BR=$1
DEV=$2
/usr/sbin/brctl delif "$BR" "$DEV"
/sbin/ip link set "$DEV" down

Now, make both scripts executable. Note that because the server config below drops privileges with user nobody / group nogroup, down.sh runs without the rights to call brctl and will fail; that is harmless here, since tap0 is not a persistent device and the kernel detaches it from the bridge when OpenVPN closes it on exit.

sudo chmod +x /etc/openvpn/up.sh /etc/openvpn/down.sh

And now on to the server configuration itself...
# vim /etc/openvpn/server.conf

here is the content:
mode server
tls-server

# the local ip addr of the server: must be an address this host really has,
# i.e. the br0 address from /etc/network/interfaces
local 192.168.1.10
# the port can be changed
port 1194

# tcp passes most firewalls, but udp avoids TCP-over-TCP retransmission stalls and is the better default
proto tcp
#proto udp
mssfix 1400

#bridging directive
dev tap0
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"

# the certificates
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0
# Blowfish has a 64-bit block (SWEET32); prefer cipher AES-256-CBC here and in every client config
cipher BF-CBC
comp-lzo

# default gateway and netmask pushed to clients, then the address pool.
# The gateway is the LAN router (or the bridge's own address); the pool must lie inside
# that subnet, outside the LAN's DHCP range and away from any static ccd addresses
server-bridge 192.168.1.1 255.255.255.0 192.168.1.100 192.168.1.120
# lets VPN clients talk to each other; leave it out if they only need the LAN
client-to-client
# uncomment below if you wish to have static IP on your clients
#client-config-dir /etc/openvpn/ccd
ifconfig-pool-persist ipp.txt

push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway"

# ping every 10 s, restart after 120 s of silence; keepalive replaces separate ping / ping-restart lines
keepalive 10 120
# may be changed if more or fewer users are to connect; the single tap0 serves all of them
max-clients 9
user nobody
group nogroup
persist-key
persist-tun
status /etc/openvpn/openvpn-status.log
verb 3

=== End of file

then to start the OpenVPN server type...
# /etc/init.d/openvpn restart

After setting up the VPN server let's go to the Client VPN