OpenVPN Client Setup on Linux

This post is a follow up for OpenVPN: Server Setup on Linux. Today we’ll install and configure an OpenVPN client on another Debian Linux machine and will connect to the OpenVPN server that was created earlier.

Install OpenVPN Client

On Debian, OpenVPN client is the same executable as the server. Therefore we have to install the OpenVPN package on the client machine:

# apt-get update && apt-get install openvpn

OpenVPN Client Configuration

Create a directory to store logs:

# mkdir /var/log/openvpn

Copy the default client.conf sample configuration file to /etc/openvpn directory:

# cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn

We have already copied the client keys for Sandy and the certificate of the CA which was created during the OpenVPN server configuration, and placed them under /etc/openvpn:

# ls -1 /etc/openvpn/

What’s left to do is to modify the configuration file to point to the OpenVPN server. Open and adapt the client’s config file so it would look like below:

# cat /etc/openvpn/client.conf
#specify that we are a client

#using the same settings as we have on the server
dev tun
proto udp

#the hostname/IP and port of the server
remote 11194

#keep trying indefinitely to resolve the host name of the OpenVPN server
resolv-retry infinite

#most clients don't need to bind to a specific local port number

#downgrade privileges after initialisation (non-Windows only)
user nobody
group nogroup

#try to preserve some state across restarts

#full paths to keys and certificates
ca /etc/openvpn/ca.crt
cert /etc/openvpn/sandy.crt
key /etc/openvpn/sandy.key

ns-cert-type server

#cryptographic cipher, must be the same on the server config file as well
cipher AES-256-CBC

#the same compression setting as we have on the server

#log files
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log

#log verbosity
verb 3

Start OpenVPN Client

When finished modifying the configuration file, we can start the OpenVPN client service:

# service openvpn start
[ ok ] Starting virtual private network daemon: client.


Check to make sure that OpenVPN tun interface if up:

# ifconfig tun
tun0  Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
      inet addr: P-t-P: Mask:
      RX packets:5948 errors:0 dropped:0 overruns:0 frame:0
      TX packets:5948 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:100 
      RX bytes:499632 (487.9 KiB) TX bytes:499632 (487.9 KiB)

Check if we can ping the OpenVPN server (ping is allowed on the server):

# ping -c 3
PING ( 56(84) bytes of data.
64 bytes from icmp_req=1 ttl=64 time=0.165 ms
64 bytes from icmp_req=2 ttl=64 time=0.103 ms
64 bytes from icmp_req=3 ttl=64 time=0.116 ms
--- ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.103/0.128/0.165/0.026 ms

Routing table:

# netstat -nr
Kernel IP routing table
Destination  Gateway    Genmask          Flags MSS Window irtt  Iface      10.1.XY.1          UG      0 0      0     eth0
10.1.XY.0    U       0 0      0     eth0  UGH     0 0      0     tun0  UH      0 0      0     tun0

Leave a Reply

Your email address will not be published. Required fields are marked *