OpenVPN Client Setup on Linux

This post is a follow up for OpenVPN: Server Setup on Linux. Today we’ll install and configure an OpenVPN client on another Debian Linux machine and will connect to the OpenVPN server that was created earlier.

Install OpenVPN Client

On Debian, OpenVPN client is the same executable as the server. Therefore we have to install the OpenVPN package on the client machine:

# apt-get update && apt-get install openvpn

OpenVPN Client Configuration

Create a directory to store logs:

# mkdir /var/log/openvpn

Copy the default client.conf sample configuration file to /etc/openvpn directory:

# cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn

We have already copied the client keys for Sandy and the certificate of the CA which was created during the OpenVPN server configuration, and placed them under /etc/openvpn:

# ls -1 /etc/openvpn/
ca.crt
client.conf
sandy.crt
sandy.key

What’s left to do is to modify the configuration file to point to the OpenVPN server. Open and adapt the client’s config file so it would look like below:

# cat /etc/openvpn/client.conf
#specify that we are a client
client

#using the same settings as we have on the server
dev tun
proto udp

#the hostname/IP and port of the server
remote openvpn.example.com 11194

#keep trying indefinitely to resolve the host name of the OpenVPN server
resolv-retry infinite

#most clients don't need to bind to a specific local port number
nobind

#downgrade privileges after initialisation (non-Windows only)
user nobody
group nogroup

#try to preserve some state across restarts
persist-key
persist-tun

#full paths to keys and certificates
ca /etc/openvpn/ca.crt
cert /etc/openvpn/sandy.crt
key /etc/openvpn/sandy.key

ns-cert-type server

#cryptographic cipher, must be the same on the server config file as well
cipher AES-256-CBC

#the same compression setting as we have on the server
comp-lzo

#log files
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log

#log verbosity
verb 3

Start OpenVPN Client

When finished modifying the configuration file, we can start the OpenVPN client service:

# service openvpn start
[ ok ] Starting virtual private network daemon: client.

Troubleshooting

Check to make sure that OpenVPN tun interface if up:

# ifconfig tun
tun0  Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
      inet addr:10.26.0.6 P-t-P:10.26.0.5 Mask:255.255.255.255
      UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
      RX packets:5948 errors:0 dropped:0 overruns:0 frame:0
      TX packets:5948 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:100 
      RX bytes:499632 (487.9 KiB) TX bytes:499632 (487.9 KiB)

Check if we can ping the OpenVPN server (ping is allowed on the server):

# ping -c 3 10.26.0.1
PING 10.26.0.1 (10.26.0.1) 56(84) bytes of data.
64 bytes from 10.26.0.1: icmp_req=1 ttl=64 time=0.165 ms
64 bytes from 10.26.0.1: icmp_req=2 ttl=64 time=0.103 ms
64 bytes from 10.26.0.1: icmp_req=3 ttl=64 time=0.116 ms
--- 10.26.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.103/0.128/0.165/0.026 ms

Routing table:

# netstat -nr
Kernel IP routing table
Destination  Gateway    Genmask          Flags MSS Window irtt  Iface
0.0.0.0      10.1.XY.1  0.0.0.0          UG      0 0      0     eth0
10.1.XY.0    0.0.0.0    255.255.255.0    U       0 0      0     eth0
10.26.0.1    10.26.0.5  255.255.255.255  UGH     0 0      0     tun0
10.26.0.5    0.0.0.0    255.255.255.255  UH      0 0      0     tun0

Leave a Reply

Your email address will not be published. Required fields are marked *