Outils personnels
Vous êtes ici : Accueil GNU / Linux Debian Installer et configurer OpenVPN sur Debian 4.0 Etch
Actions sur le document
  • Send this page to somebody
  • Print this page
  • Add Bookmarklet

Install and setup OpenVPN on Debian 4.0 Etch

Par Pierre-Yves Landuré - Dernière modification 27/01/2014 19:29

OpenVPN is a software allowing to create virtual private network without using such technologies as PPtP (Microsoft) or IPSec. It is available on many operating systems (Microsoft Windows, GNU / Linux, MacOS X, ...). It a simple way to manage a virtual private network between various operating systems and computers.


This howto is deprecated. Use the new version on the Biapy Help Desk:

Install and setup OpenVPN sur Debian

Software installation

OpenVPN installation is done by this command line :

apt-get install openvpn openssl liblzo1

Once OpenVPN installed on our system, we create a folder to regroup scripts used by this howto :

mkdir --parents /etc/openvpn/scripts/

We also need to create character devices used by the server and load necessary modules :

modprobe tun

mkdir /dev/net
mknod /dev/net/tun c 10 200

Note : if your are unable to modprobe the tun module, you may need to install module-init-tools :

/usr/bin/apt-get install module-init-tools

Source : Thanks to Murmel for his comment.

Encryption keys creation

OpenVPN use OpenSSL to encrypt connections. Clients authentication is based on private / public keys signature. This keys are the core of a OpenVPN network. You need to be carefull when creating them.

EasyRSA scripts setup

OpenVPN is installed with some scripts that easy encryption keys creation. We now copy this scripts in the VPN server configuration folder so that we can edit them :

cp -r /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn

Two of the files of this configuration needs to be edited. We start by downloading modified versions needed by this howto :

wget  http://howto.landure.fr/gnu-linux/debian-4-0-etch/installer-et-configurer-openvpn-sur-debian-4-0-etch/vars \
     --output-document /etc/openvpn/easy-rsa/vars
wget http://howto.landure.fr/gnu-linux/debian-4-0-etch/installer-et-configurer-openvpn-sur-debian-4-0-etch/openssl.cnf \
     --output-document /etc/openvpn/easy-rsa/openssl.cnf

VPN server parameters

You can now edit the VPN configuration files to fit your needs  :

vim /etc/openvpn/easy-rsa/vars

Here is a short description of the values you need to change  :

  • OPENVPN_SERVER : DNS alias of the host of the OpenVPN server software.
  • OPENVPN_CLIENTS : Space separated list of VPN clients names.
  • OPENVPN_IPRANGE : The first 3 digits of IP address in your VPN.

Warning : The IP address ranges of your VPN and of your local networks MUST be different. You will find more information on available IP address ranges by reading Numbering private subnets.

You should also enter your geographical informations :

  • KEY_COUNTRY : Your country code.
  • KEY_PROVINCE : Your province.
  • KEY_CITY : Your city.
  • KEY_ORG : The key name (you don't have to change it).
  • KEY_EMAIL : The email address associated to the key.

Note : By default, the length of created keys is 1024 bits. If you are quite paranoïd, you can raise this value at cost of your VPN performances.


Certification authority creation

A certification authority is a private / public keys pair used to sign other public keys. To create your certification authority, use the following command lines :

source /etc/openvpn/easy-rsa/vars

If you have correctly set up easy-rsa, you can use the default values.

Note :  Some free certification authority exists and can be used to sign HTTPS servers certificates. This is not necessary for a OpenVPN server, but if you want to do this, I think it is possible. To find more about this, visit CAcert.

Server certificate creation

We will now create our server certificate. This is done by running these commands :

source /etc/openvpn/easy-rsa/vars
/etc/openvpn/easy-rsa/build-key-server server

Here again, use default values.

Note : You can protect your server certificate with a password. If you choose to do this, the password will be asked each time you need to create or revoke clients certificates. DO NOT LOOSE IT. It's a security asset, but it is not mandatory. Take your descision according to your paranoïa level.

The script ask you to confirm the certificate signature. Answer Yes at both asks.

Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y

Note : The certificate signature is done with our certification authority.

Diffie Hellman parameters

Diffie Hellman parameters must be computed so that your configuration work. This is done by running these command lines :

source /etc/openvpn/easy-rsa/vars

TLS key

We now create a key that will protect our VPN from some attacks. It allow us to setup a HSA firewall :

openvpn --genkey --secret /etc/openvpn/keys/ta.key

Server configuration

To create our VPN server configuration, we use a example file :

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gunzip /etc/openvpn/server.conf.gz

We modify this file to feet our needs :

source /etc/openvpn/easy-rsa/vars
sed -i  \
    -e "s/^ca ca\.crt/ca \/etc\/openvpn\/keys\/ca\.crt/" \
    -e "s/^cert server\.crt/cert \/etc\/openvpn\/keys\/server\.crt/" \
    -e "s/^key server\.key/key \/etc\/openvpn\/keys\/server\.key/" \
    -e "s/^dh[\t ]*dh1024.pem/dh \/etc\/openvpn\/keys\/dh$KEY_SIZE.pem/" \
    -e "s/^server[\t ].*$/server $OPENVPN_IPRANGE\.0 255\.255\.255\.0/" \
    -e 's/^;\(tls-auth \)\(ta.key.*\)$/\1\/etc\/openvpn\/keys\/\2/' \
    -e 's/^;\(.*# Triple-DES\)$/\1/' \
    -e 's/^\(status \).*/\1\/var\/log\/openvpn-status.log/' \

Reduced permissions

We want our VPN server to run with minimals permissions. First, make you keys folder readable :

chmod go+rx /etc/openvpn/keys

And setup OpenVPN to run with nouser and nogroup permissions :

sed -i \
    -e 's/^;\(user[ \t]*.*\)/\1/' \
    -e 's/^;\(group[ \t]*.*\)/\1/' \

Client to Client communication in the VPN network

If you want your VPN clients to be able to dialog with each others, and not only with the server, run this command line :

sed -i -e 's/^;client-to-client/client-to-client/' \

Clients revocation management :

In order to detect revoked clients, we enable the revoked certificates management :

echo "
# Revoked certificate list
crl-verify /etc/openvpn/keys/crl.pem" >> /etc/openvpn/server.conf

And we create a empty crl.pem file :

chmod +x /etc/openvpn/easy-rsa/make-crl
/etc/openvpn/easy-rsa/make-crl /etc/openvpn/keys/crl.pem

Last step

The last step is to restart the VPN server :

/etc/init.d/openvpn restart

VPN clients management

A client certificate can be created or revoked. The revocation allow to eject an unwanted client from our virtual private network. It's a process i've ignored for some time, since i did not need it. But now, i can see that it is very usefull.

First, we download two scripts that easy client revocation and addition.

wget  http://howto.landure.fr/gnu-linux/debian-4-0-etch/installer-et-configurer-openvpn-sur-debian-4-0-etch/add-client.sh \
     --output-document /etc/openvpn/scripts/add-client.sh
chmod +x /etc/openvpn/scripts/add-client.sh
wget  http://howto.landure.fr/gnu-linux/debian-4-0-etch/installer-et-configurer-openvpn-sur-debian-4-0-etch/revoke-client.sh \
     --output-document /etc/openvpn/scripts/revoke-client.sh
chmod +x /etc/openvpn/scripts/revoke-client.sh

Clients certificates creation

We now create our clients certificates. Run the following comand lines :

source /etc/openvpn/easy-rsa/vars
  /etc/openvpn/easy-rsa/build-key $OPENVPN_CLIENT;

When the script ask you something, just use default values, but be sure to reply "y" at these two questions :

Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y

Client addition

If you want to add a new client, you can do this using this command line :

/etc/openvpn/scripts/add-client.sh client_name

After adding a client, i suggest you to replay the following steps (described bellow in this page) :

  • Clients configuration files creation
  • Clients fixed IP addresses attribution

  • Bind configuration files creation or update

Client revocation

If you want to exclude one of your client from your virtual private network, you can revoke it by using this command line :

/etc/openvpn/scripts/revoke-client.sh client_name

Clients configuration files creation

We will now create tar.gz files containing keys and configurations files needed by our VPN clients. In order to do this, we download a script designed to easy this task :

wget  http://howto.landure.fr/gnu-linux/debian-4-0-etch/installer-et-configurer-openvpn-sur-debian-4-0-etch/create-clients-configuration.sh \
     --output-document /etc/openvpn/scripts/create-clients-configuration.sh
chmod +x /etc/openvpn/scripts/create-clients-configuration.sh

We create configuration files for each VPN clients :


You have now many tar.gz files that you can copy on clients computers and extract we this command line :

tar --directory /etc -xzf votre-fichier-client.tar.gz

Now, you need to install OpenVPN on clients computers and start or restart it :

apt-get install openvpn liblzo1
/etc/init.d/openvpn restart

If all went well, you should see a message telling you that everything is OK. The following command line allow you to get more informations about your VPN link :

ifconfig tun0

Going deeper

The first part of this article helped you to create a simple Virtual Private Network where clients can't communicate between each others and with the server. It's fine but in most case, it is not sufficient. We will see here how we can enhance our VPN. The first step is to run this command lines :

mkdir /etc/openvpn/clients-configs
echo "
# Advanced configurations
client-config-dir /etc/openvpn/clients-configs" \
     >> /etc/openvpn/server.conf

Allowing VPN clients to access VPN server local network

If you want to access your VPN server local network from your VPN clients, you should first make sure that your clients local networks does not use the same IP address range that your server local network. If all is checked, you can signal to your clients which route to use to access your server local network :

ifconfig eth0 | grep inet | \
    sed -e 's/.*:\([0-9\.]*\)[0-9]\{1,3\} .*:\([0-9\.]*\) .*:\([0-9\.]*\).*/push "route \10 \3"/g' \
    >> /etc/openvpn/server.conf

Once this done, we will play with the iptables configuration to make a NAT router from our VPN server. Yep, i've said NAT. I've see a lot of complicated howtos to setup a complete routing between VPN clients and the server local network, but i think it is totally overkill for most needs.

Netfilter (IpTables) configuration

First, if needed, we create the iptables ip-up.d script. This script will be run each time the network is started:

if [ ! -e /etc/network/if-up.d/iptables ]; then
  echo '#!/bin/sh
# IpTables rules.' | /usr/bin/tee /etc/network/if-up.d/iptables
/bin/chmod +x /etc/network/if-up.d/iptables

We allow NAT rules to work on the system:

sed -i -e 's/[# ]*\(net\.ipv4\.conf\.default\.forwarding=\).*/\11/g' /etc/sysctl.conf
echo 1 > /proc/sys/net/ipv4/ip_forward

We load the NAT configuration for our VPN:

iptables -t nat -A POSTROUTING -s $OPENVPN_IPRANGE.0/24 -o eth0 -j MASQUERADE

And we add it to the if-up.d script so that it will be loaded at each system start:

echo "iptables -t nat -A POSTROUTING -s $OPENVPN_IPRANGE.0/24 -o eth0 -j MASQUERADE" \
    | /usr/bin/tee -a /etc/network/if-up.d/iptables

Your iptables configuration will be now reloaded each time your server restart.

Clients fixed IP addresses attribution

It is possible to fix VPN clients IP addresses. You can then connect to them easily by using this IP adresses.

For more informations, visit Configuring client specific rules and access policies.

In order to do this, we download a script designed to ease this task :

wget  http://howto.landure.fr/gnu-linux/debian-4-0-etch/installer-et-configurer-openvpn-sur-debian-4-0-etch/setup-clients-ips.sh \
     --output-document /etc/openvpn/scripts/setup-clients-ips.sh
chmod +x /etc/openvpn/scripts/setup-clients-ips.sh

And we run it :


Setting up a name server for our VPN

If you have choosen to fix your VPN clients IP addresses, it is interesting to have a DNS server to provide computer/IP associations for our VPN network. In my configuration, i use Bind :

apt-get install bind9

If you think it is using a homing missile to kill a flee, you are probably right, but i was willing to try Bind (and nothing is better than learning by usage).

We now add the fixed IP addresses from our VPN to the Bind configuration.

Bind configuration initialization

This step is done once and for all. We configure Bind in order that it know were to find our VPN specific configuration. First, we get needed data, and we run a light computation :

source /etc/openvpn/easy-rsa/vars
REVERSE_IPRANGE=`echo $OPENVPN_IPRANGE | sed -e 's/\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)/\3\.\2\.\1/'`

We then tell Bind to use the file we will create to manage our VPN clients names.

echo "
# OpenVPN configuration
zone \"$REVERSE_IPRANGE.in-addr.arpa\" in {
        type master;
        file \"/etc/bind/db.$OPENVPN_IPRANGE\";

        type master;
        file \"/etc/bind/db.$OPENVPN_LOCALDOMAIN\";
};" >> /etc/bind/named.conf.local

You now need to setup your VPN server so that it tell the VPN clients witch DNS server to use :

echo "
# VPN provided DNS server configuration.
push \"dhcp-option DOMAIN $OPENVPN_LOCALDOMAIN\"
push \"dhcp-option DNS $OPENVPN_IPRANGE.1\"" \
     >> /etc/openvpn/server.conf

Restart your VPN server :

/etc/init.d/openvpn restart

This configuration will work by itself for your Microsoft VPN clients. For linux clients, you need to do something more (see below).

Bind configuration files creation or update

We now download a script allowing us to update the bind configuration when we add or revoke a VPN client :

wget  http://howto.landure.fr/gnu-linux/debian-4-0-etch/installer-et-configurer-openvpn-sur-debian-4-0-etch/update-bind-config.sh \
     --output-document /etc/openvpn/scripts/update-bind-config.sh
chmod +x /etc/openvpn/scripts/update-bind-config.sh

From now on, each time you add a new client to your VPN, once you've setted up its fixed IP address, you can update the Bind daemon configuration by running :


Once this done, you should reload Bind configuration :

/etc/init.d/bind9 reload

Configuring Linux clients to use DNS informations provided by VPN server

Warning : The following is to be done on every linux client for your VPN (and not on the server).

We first download the script client.up that fetch DNS informations from our VPN link, and insert it in the resolv.conf file :

wget http://howto.landure.fr/gnu-linux/debian-4-0-etch/installer-et-configurer-openvpn-sur-debian-4-0-etch/client.up \
chmod +x /etc/openvpn/client.up

We type our VPN network name :


Then, we configure the client so that it run the client.up script when connecting to the VPN network :

echo "
# VPN provided DNS configuration.
up /etc/openvpn/client.up
route-up /etc/openvpn/client.up
plugin /usr/lib/openvpn/openvpn-down-root.so \"script_type=down /etc/openvpn/client.up\"" \
    >> /etc/openvpn/$OPENVPN_LOCALDOMAIN.conf

You just need to restart your VPN client to activate this configuration :

/etc/init.d/openvpn restart


I would like to thank the people that help me while writing this guide :

The OpenVPN home page, that provide a very complete HOWTO. If you want to dive deeper in the VPN universe, it is the place to go.
Charles Duffy
The person who created the client.up script. Without his work, this howto would have never been complete. Thank you Charles.
Felix Knecht
Thank you Felix for telling me that using /etc/network/options was deprecated :D.



great article

Posté par Robert le 26/02/2008 00:58
Fantastic article. I've setup OpenVPN before but your configuration is very thorough.


Posté par Basti le 21/03/2008 15:17
Hi, i tried to setup a vpn with this Guide, but when i finally try to connect with a client, i'm getting an error because of Invalid Certificate.

VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=DXX/ST=XX/L=XXX/O=XXXX-vpn.vpn_Server/CN=ca.XXXX/emailAddress=your@email.org
TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed


Posté par lwolf le 21/03/2008 21:21
In the step "Server certificate creation", have you replied yes to :

Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y

Just typing enter is not enough.


Posté par Thomas le 08/05/2008 17:23
Top guide. Excellent.

Thank you.


Posté par Benedikt le 15/05/2008 14:50
This is the best step-by-step howto for setting up openvpn with an secure and easy configuration!!

Thank you very much!


Posté par Allan le 28/05/2008 15:52
Superb , easy to follow. worked first time

Great Tutorial

Posté par :brandon le 02/06/2008 02:01
Just want to say what a great tutorial this was. very well thought out and executed. the only thing i had to comment on was the fact the the current iptables (as of 6/1/08) does not work with the line `gunzip --to-stdout /usr/share/doc/iptables/examples/oldinitdscript.gz > /etc/init.d/iptables` i ended up getting it to working perfectly using an old stable (backports) version of the iptables package. specifically `iptables_1.2.11-10_i386.deb` from a german mirror. the file can be found for download at `http://packages.debian.org/sarge/i386/iptables/download` for anyone who ran into the same problem.

Thanks a bunch, you saved my life here.


make-crl error

Posté par betauser le 03/06/2008 14:23
root@host:/etc/openvpn/keys# /etc/openvpn/easy-rsa/make-crl /etc/openvpn/keys/crl.pemyou must define KEY_DIR
root@host:/etc/openvpn/keys# ls crl*
ls: crl*: No such file or directory

is this normal?

no, it is not

Posté par Pierre-Yves Landuré le 03/06/2008 14:33
Try issuing this command:

source /etc/openvpn/easy-rsa/vars

Before retrying the crl creation. This guide must be followed from start to end without session interruption. Then, you can use client creation and revocation scripts whenever you want. But the configuration must be done in one session.

host/network `.0' not found

Posté par Rick le 18/07/2008 20:33
The how-to is awesome, just one issue that I can not get past in one of the last steps:

when I enter, "iptables -t nat -A POSTROUTING -s $OPENVPN_IPRANGE.0/24 -o eth1 -j MASQUERADE", in the cli I get the following error message:

iptables v1.3.6: host/network `.0' not found

My connection to the net is in eth1 instead of eth0.

You missed one thing

Posté par lwolf le 18/07/2008 22:19
You must load settings before running this command:


source /etc/openvpn/easy-rsa/vars

and then

iptables -t nat -A POSTROUTING -s $OPENVPN_IPRANGE.0/24 -o eth1 -j MASQUERADE

Good luck


Posté par none le 09/08/2008 22:12
Just want to let you know, that this tutorial and the script are great. Thanks a lot and hope u can keep this site online as long as possible!

Struggling with DNS

Posté par Ralf Coenen le 29/08/2008 12:50
My DNS-Server was already configured to serve my local network on, so that combining the given "update-bind-config.sh" with the my local configs does not work properly.

So I had to add the following to /etc/bind/named.conf.local:
# OpenVPN configuration

zone "142.8.10.in-addr.arpa" {
type master;
file "/etc/bind/10.8.142.rev";
zone "vpndomain.vpn" {
type master;
file "/etc/bind/vpndomain.vpn.hosts";

The file /etc/bind/vpndomain.vpn.hosts is like this:
$ttl 38400
vpndomain.vpn. IN SOA server.localdomain.lan. root.localdomain.lan. (
38400 )
vpndomain.vpn. IN NS server.ceno.lan.
user1.vpndomain.vpn. IN A
user2.vpndomain.vpn. IN A
server.vpndomain.vpn. IN A
and the file /etc/bind/10.8.142.rev is like this:

$ttl 38400
142.8.10.in-addr.arpa. IN SOA server.localdomain.lan root.localdomain.lan. (
38400 )
142.8.10.in-addr.arpa. IN NS server.localdomain.lan. IN PTR user1.vpndomain.vpn. IN PTR user2.vpndomain.vpn. IN PTR server.vpndomain.vpn.

Don't forget to restart or reload bind9


Posté par Stefan Kammann le 06/09/2008 15:02
Thank you very much for this good document

Nice tutorial

Posté par Rahul le 01/11/2008 14:15
Excellent guide. I can easily see how many hours of work it has saved for me. Also the comments were useful. Keep up the great work.

Client configuration for using OpenVPN provided DNS

Posté par Rahul le 01/11/2008 23:54
I am using Debian Lenny as my client. I tried the last section "Configuring Linux clients to use DNS informations provided by VPN server" in this guide to set up my client to update the DNS automaitcally when it receives the value from the OpenVPN server. But I observed that there was some problem in the sanityCheck function in client.up script and my openvpn connection kept crashing. So I commented out this function call in client.up script (as it didn't seem to do anything really useful). Alternatively the line "up /etc/openvpn/client.up" in /etc/openvpn/vpndomain.vpn.conf can be commented out instead of modifying client.up script. Now my resolv.conf was getting updated whenever I started my vpn client (/etc/init.d/openvpn restart). But I observed that whenever my local lan dhcp client fetched its information from my local DHCP server, /etc/resolv.conf was being overwritten.

Luckily I observed that the openvpn which comes with Debian Lenny has an /etc/openvpn/update-resolv-conf script which serves the same purpose. Just add these two lines to the end of /etc/openvpen/vpndomain.vpn.conf in your client machine and you shall observe that /etc/resolv.conf is updated automatically whenever you establish a vpn connection and it does not even get overwritten:

up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

(Be sure to install the resolvconf package using apt-get as the script update-resolv-conf makes use of the executable /sbin/resolvconf).

Thank you !

Posté par lwolf le 02/11/2008 01:19
Whoa, thank you for this useful tip ! I'll take a look at the openvpn in lenny as soon as possible !

Lone Wolf

passing option "--script-security 2" to openvpn

Posté par Rahul le 12/01/2009 10:19
Also I forgot to mention that you will have to pass the option "--script-security 2" to openvpn so that it can call the external script update-resolv-conf. In Debian Lenny, this can be set by modifying the OPTARGS variable in /etc/default/openvpn as below:

# Optional arguments to openvpn's command line
OPTARGS="--script-security 2"

No more /etc/network/options

Posté par Felix Knecht le 28/11/2008 01:37
Just a little correction to the part "Netfilter (IpTables) configuration":

There is no /etc/network/options anymore. (see /usr/share/doc/netbase/README.Debian)
Instead you need to edit /etc/sysctl.conf and change/uncomment the following line:


Thank you !

Posté par Pierre-Yves Landuré le 28/11/2008 11:29
I've corrected this guide, and added you to the Thanks section :).


Posté par bob le 05/12/2008 05:41
you are a god among men. i've tried dozens of tutorials and NEVER gotten this thing working. you kick ass. thanks a million

make-crl error

Posté par avaton le 29/12/2008 02:24
Thank you very much for the excellent work.
I am facing an issue so far.
When I issue the:
source /etc/openvpn/easy-rsa/vars
/etc/openvpn/easy-rsa/make-crl /etc/openvpn/keys/crl.pem
I receive the following error:
3848:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 133
Thanks in advance for your reply.
Best regards.

have you set every variable in vars file ?

Posté par lwolf le 29/12/2008 06:46

your error says :"variable has no value".

You should check that every value in /etc/openvpn/easy-rsa/vars is set.

Good luck

problem persists

Posté par avaton le 30/12/2008 18:41
Dear lwolf,
I checked the /etc/openvpn/easy-rsa/vars file and all values were set according to the guide, except that instead of your suggested:

export KEY_CONFIG="/etc/openvpn/easy-rsa/openssl.cnf"

I used

export KEY_CONFIG=$D/easy-rsa/openssl.cnf

When I changes the vars file to reflect your suggested value I received an additional information in the error:

# source /etc/openvpn/easy-rsa/vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/keys
# /etc/openvpn/easy-rsa/make-crl /etc/openvpn/keys/crl.pem
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
error on line 133 of config file '/etc/openvpn/easy-rsa/openssl.cnf'
3407:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 133

My 133rd line in /etc/openvpn/easy-rsa/openssl.cnf is this:

commonName_default = $ENV::KEY_COMMONNAME

Any ideas?
Thanks again for the help.
Best regards.

openssl.cnf fixed

Posté par tavaron le 13/02/2009 11:38
Hi avaton,
I had the same problem as you before. So I tried to fix the openssl.cnf.
The problem is the variable. I insert my wished default values directly and it worked.
I don't know how to insert the values correctly via a variable but this will work and maybe lone wolf will fix this in his downloadable version oh the openssl.cnf

best regards

openssl.cnf problem and woes averted

Posté par soulblighter le 17/03/2010 20:57
I found this article amazingly helpful and so have been the comments so I thought I should do what I can and return the favor =}

I came to the step and problem as avaton:
localhost:/etc/openvpn/easy-rsa# chmod +x /etc/openvpn/easy-rsa/make-crl
localhost:/etc/openvpn/easy-rsa# /etc/openvpn/easy-rsa/make-crl /etc/openvpn/keys/crl.pem
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
error on line 145 of config file '/etc/openvpn/easy-rsa/openssl.cnf'
2473:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 145

So I looked at my version of openssl.cnf at line 145 and saw this bit of code:
# JY -- added for batch mode
organizationalUnitName_default = $ENV::KEY_OU
commonName_default = $ENV::KEY_CN

I looked at the openssl.conf lwolf provided and compared the two openssl.cnf's ( I used the default openssl.cnf provided by /usr/share/doc/openvpn/examples/easy-rsa/2.0/ ) and made the following changes to my openssl.cnf:

# JY -- added for batch mode
#organizationalUnitName_default = $ENV::KEY_OU
organizationalUnitName_default = $ENV::KEY_ORG
#commonName_default = $ENV::KEY_CN
commonName_default = $ENV::KEY_COMMONNAME

After this, I tried to run the command again:
localhost:/etc/openvpn/easy-rsa# /etc/openvpn/easy-rsa/make-crl /etc/openvpn/keys/crl.pem
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf

It went through without complaint and checked my keys directory and the crl.pem was there. Hope this is able to help someone!

Many thanks

Posté par Ralf le 06/01/2009 15:50
that was the best tutorial I've found during a very long search about openvpn and specially setting up the certificates

Once again:

Many, Many thanks


Posté par mohsen le 24/02/2009 20:50
i have problem!

/etc/init.d/openvpn restart

Stopping virtual private network daemon:.
Starting virtual private network daemon: server(FAILED).

So... do it manually by command:

/usr/sbin/openvpn --config /etc/openvpn/server.conf

Tue Feb 24 19:50:08 2009 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 20 2007
Tue Feb 24 19:50:08 2009 Diffie-Hellman initialized with 2048 bit key
Tue Feb 24 19:50:08 2009 Control Channel Authentication: using '/etc/openvpn/keys/ta.key' as a OpenVPN static key file
Tue Feb 24 19:50:08 2009 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb 24 19:50:08 2009 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb 24 19:50:08 2009 TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Tue Feb 24 19:50:08 2009 TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use
Tue Feb 24 19:50:08 2009 Exiting

is that run??

maybe more in syslog ?

Posté par Pierre-Yves Landuré le 24/02/2009 22:47

by the look of your error message :

Tue Feb 24 19:50:08 2009 TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use

This mean that there is something using port 1194. This is propably a openvpn server still running. I only can advise you to take a look at the end of /var/log/syslog to diagnose the source of the problem.


Posté par mohsen le 25/02/2009 02:52
before install and read your tutorial ... i installed openvpn and openssl
after your learning do it again... is it problem? how fix it?

well probably not

Posté par lwolf le 25/02/2009 07:25
It should not be a problem if you used debian packages to install openvpn. You can try to purge your actual configuration and start from the beginning.

To purge, you can try :

apt-get --purge remove openvpn
rm -r /etc/openvpn

and then restart my tutorial


Posté par mohsen le 27/02/2009 01:47
thank for your help... it's start OK

so.. my client have windows:
you just say for linux client... what's files need for windows client?
all is okay before this line which is for linux client:
tar --directory /etc -xzf votre-fichier-client.tar.gz

windows clienfs

Posté par Lone Wolf le 27/02/2009 07:58
The files needed are the sames for linux and windows client. But for a windows client, you'll need to rename the conf file to give it the .ovpn extension, and edit it to change the path to keys for something that fit windows c:\.

I'm going to update this guide soon so that it create windows configuration files. (by soon i mean somewhere between next week and next year :( (i've not a great amount of free time currently))

hope this help

windows clients

Posté par Maciej le 26/04/2009 22:25
Hi, great how-to, thanks for that.
As far as Windows is concerned with OpenVPN binary distribution for windows it is necessary to follow these steps:
- untar config files into C:\Program Files\OpenVPN\config
- rename <client>.conf file to <client>.ovpn
- change options in <client>.ovpn to point to <client>-keys directory in Windows file system, the proper notation is key, it should look like that: 'C:\\Program Files\\OpenVPN\\config\\<client>-keys\\ca.crt' so you have to put path in quotes (due to spaces used in directory names) and use double backslash (\\) cause one backslash is interpreted as control character.

As far as installation for Debian 5.0 Lenny some changes have to be applied. In my case original easy-rsa directory does not contain any files but two directories names 1.0 2.0 which apparenty stands for OpenSSL version. Choosing files in 2.0 and copying then to /etc/openvpn/easy-rsa worked fine. There was only one exception, 2.0 does not include /etc/openvpn/easy-rsa/make-crl needed to create crl.pem file. Easy solution to that problem (very simplistic) was to copy make-crl from 1.0 - that worked very well.

Thanks once again for great work!

One of the best HOWTO i have ever seen

Posté par Abhinav le 26/02/2009 22:35
Waoo... Hats off to you man... superb document.. Every things thought throughly and written..

Thanks and Superb Work...

help me!

Posté par kati le 27/02/2009 02:54
Thanks for learning...

but i have problem with this line for vars file:

# OPENVPN_IPRANGE : What's mean? ?
# OPENVPN_LOCALDOMAIN : (my server is like km52120.hostingaura.com) is that correct for this line if i write: km52120.hostingaura.com.vpn ??

Please help me!!

as said in this guide :

Posté par Lone wolf le 27/02/2009 07:55
# OPENVPN_IPRANGE : The first 3 digits of IP address in your VPN.

So :

IPRANGE=10.23.213 # Must be different from you local network ip range.

LOCALDOMAIN=something.vpn # Domain name for computers connected to the vpn.

hope this help

help me!

Posté par kati le 27/02/2009 13:50
i copied (etc/openvpn/client.tag.gz) and copy c:\Program Files\OpenVPN\config

then i try for run OpenVPN GUI but when connect i see this error:

What's it?

help me!

Posté par kati le 27/02/2009 14:04
so.. when from windows i open client.ovpn

have this lines:
ca /etc/openvpn/km31512-05.hostingaura.com-keys/ca.crt
cert /etc/openvpn/km31512-05.hostingaura.com-keys/sungirl.crt
key /etc/openvpn/km31512-05.hostingaura.com-keys/sungirl.key

but i can't find this folder km31512-05.hostingaura.com-keys

just have folder keys on this path!!


Posté par salymon le 27/02/2009 20:41

ifconfig eth0 | grep inet | \
sed -e 's/.*:\([0-9\.]*\)[0-9]\{1,3\} .*:\([0-9\.]*\) .*:\([0-9\.]*\).*/push "route \10 \3"/g' \
>> /etc/openvpn/server.conf

eth0: error fetching interface information: Device not found

What's this error?

It means you are not connected by ethernet

Posté par lwolf le 27/02/2009 23:06
eth0 is the default ethernet "alias". If it is not present, you are probably using a wifi connection. Just find the name of your interface using "ifconfig", and then replace "eth0" by this name in the command line. (you may also wan to remove the "push route" line at the end of your server.conf.

by the way... wifi is not so good for a server.


Posté par problem le 28/02/2009 01:05
How active iptables ?

iptables -t nat -A POSTROUTING -s $OPENVPN_IPRANGE.0/24 -o eth0 -j MASQUERADE

iptables: No chain/target/match by that name


Posté par Alex le 01/03/2009 03:36
Increasing the asymmetric key length only increases authentication time, it will not cause your tunnel to go more slowly. The servers use the 1024/2048 bit keys to talk, then once they trust each other use a session key to actually encrypt data, which is symmetric.

What's problem?

Posté par mohsen le 02/03/2009 14:21

i do all your tutorial!!

just 2 step have problem...

Allowing VPN clients to access VPN server local network:

ifconfig eth0 | grep inet | \
sed -e 's/.*:\([0-9\.]*\)[0-9]\{1,3\} .*:\([0-9\.]*\) .*:\([0-9\.]*\).*/push "route \10 \3"/g' \
>> /etc/openvpn/server.conf

i haven't eth0 and replace with venet0

and step 2 which i have problem with iptables:

iptables -t nat -A POSTROUTING -s -j SNAT --to-source i have VPS

Now make connect by windows and all thing is good and successful... but i haven't NAT... still i have last ip provide

What's problem??

can't modprobe tun (solved)

Posté par murmel le 16/03/2009 22:05
I wasn't able to modprobe tun and thus not being able to start OpenVPN.
This because I'm using a VPS without much of the stuff that comes with a standard install.
What I had to do was to install module-init-tools (apt-get install module-init-tools).
Thanks alot man!

bind9 reload

Posté par tondo le 19/03/2009 17:43
#/home/administrator# /etc/init.d/bind9 reload
* Reloading domain name service... bind9 rndc: connect failed: connection refused

what's wrong?


Posté par tondo le 20/03/2009 14:43
hi, it is possible to use this tutorial on Ubuntu? I have Ubuntu 8.10 Server edition.

What is the difference between "original files of the easy-rsa" (/usr/share/doc/openvpn/examples/easy-rsa/) and files which are downloaded in this guide. For example:

Have a nice day.

Allowing VPN clients to access VPN server local network

Posté par murmel le 20/03/2009 22:56
ifconfig eth0 | grep inet | \
sed -e 's/.*:\([0-9\.]*\)[0-9]\{1,3\} .*:\([0-9\.]*\) .*:\([0-9\.]*\).*/push "route \10 \3"/g'
Will in my case look like this:
push "route xxx.xxx.xxx.20"
inet6 addr: xxxx::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
And the line "inet6 addr: xxxx::xxxx:xxxx:xxxx:xxxx/64 Scope:Link" shouldn't be there and also the route xxx.xxx.xxx.20 should in my case be xxx.xxx.xxx.21.
I have NO idea how to do those advance sed scripts, I'm just changing it in the config when it've been added.
I just thought you should know!
Thanks for the best guide!

Problem with dhcp gateway

Posté par Kristian le 25/03/2009 13:06
Hello firends, main problem with redirect all traffic trought VPN is gateway assigned by dhcp. We need set gateway strongly to xxx.xxx.xxx.1

OVPN dhcp assign virtual IPs:
[gateway, client ip]
[ 1, 2] [ 5, 6] [ 9, 10] [ 13, 14] [ 17, 18]
[ 21, 22] [ 25, 26] [ 29, 30]...........
we need
[ 1, 2] [ 1, 6] [ 1, 10] [ 1, 14] [ 1, 18]
[ 1, 22] [ 1, 26] [ 1, 30].........

Have somebody any solution??? thanks.

Solution founded

Posté par Kristian le 25/03/2009 16:18
Hello, I found solution:

in server.conf - push "redirect-gateway"

in ssh

echo "1" > /proc/sys/net/ipv4/ip_forward ----forwarding packets between networks
iptables -t nat -A POSTROUTING -s ovpn_ip_range.0/24 -o eth0 -j MASQUERADE

thanks for good how to.

script merging certificates into the config

Posté par murmel le 07/04/2009 19:37

This script is executed in the same folder as the .tar.gz configurations. It will create .ovpn configurations that will be compressed into .tar.bz2 archives.
Quite useful when distributing the configurations to Windows users.

Thank you !

Posté par lwolf le 07/04/2009 19:47
Thank you for your contribution, i've been looking to update this guide for windows support, and you've just ease my work.

Thank you very much.

re: Thank you !

Posté par murmel le 07/04/2009 23:24
No problem man!
I hope it works and modify it however you like!
I'm using all your sweet configurations.

I'm trying to create an automated system that'll make it easier to install.
In the end, it all should look something like OpenVPN-AS, but without all the licencing stuff.

Thanks !

openvpn_autoconfig beta 1

Posté par murmel le 08/04/2009 02:38

I've just made it and I've checked and it works.
Just download it. Install OpenVPN. Extract it into /etc/openvpn and run sudo sh auto_config.sh.
There's still much to do.


Posté par murmel le 09/04/2009 03:59
Even more automated now. The only thing you need to do now is enter the information. Made all the certification creating automated.
I've added an client creation script.
Howto use:
Install openvpn and openssl.
Extract openvpn_autoconf.tar.bz2 into /etc/openvpn/.
run: sudo /etc/openvpn/auto_config.sh
Enter information.
Use the username.tar.bz2 files, give them to the users. If there's linux users, rename the configurations from .ovpn to .conf.
Add client: sudo /etc/openvpn/addclient.sh username

Everything I've done here is thanks to this guide. :)
But this will maybe make it easier to install OpenVPN on alot of server etc.
There's still alot of work to do.

beta 2

Posté par murmel le 09/04/2009 19:41

openvpn script not working

Posté par orange le 28/04/2009 09:07
Hi Murmeel,

I followed your instructions but it does not work. When I connect through the ovpn file it says error in key direction. I would appreciate any help.



Posté par Robert le 29/07/2010 17:52
Murmel; excellent work. Thanks!
For some reason IP forwarding didn't work by following any of the guides; using your tool worked flawlessly!

help me please :(

Posté par jepon le 19/04/2010 07:26
when i restart whith cmd /etc/init.d/openvpn restart
i got this error warning

Stopping virtual private network daemon:.
Starting virtual private network daemon: server(FAILED)

so i try this command

/usr/sbin/openvpn --config /etc/openvpn/server.conf

an i got diferen error like this

Mon Apr 19 05:12:31 2010 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 20 2007
Mon Apr 19 05:12:31 2010 Diffie-Hellman initialized with 1024 bit key
Mon Apr 19 05:12:31 2010 Control Channel Authentication: using '/etc/openvpn/keys/ta.key' as a OpenVPN static key file
Mon Apr 19 05:12:31 2010 Outgoing Control Channel Authentication: Using 160 bitmessage hash 'SHA1' for HMAC authentication
Mon Apr 19 05:12:31 2010 Incoming Control Channel Authentication: Using 160 bitmessage hash 'SHA1' for HMAC authentication
Mon Apr 19 05:12:31 2010 TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0]
Mon Apr 19 05:12:31 2010 Note: Cannot open TUN/TAP dev /dev/net/tun: Permission denied (errno=13)
Mon Apr 19 05:12:31 2010 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Mon Apr 19 05:12:31 2010 Cannot allocate TUN/TAP dev dynamically
Mon Apr 19 05:12:31 2010 Exiting

what must i do, i use VPS,, thanks b4

permission denied ?

Posté par Lone Wolf le 19/04/2010 10:54
Try using sudo :$

sudo /etc/init.d/openvpn restart

I believe you are not running these command lines as root.


Posté par perfector le 12/07/2010 13:42
Hi lone wolf,

could you include the "ifconfig" outputs of both the server and the clients too?

Very Good howto

Posté par Frank Uittenbosch le 23/09/2010 12:13
Hi Lone-wolf
gz on your very good howto, i have learned a lot from you!
all i had to change for debian lenny and squeeze is:
Instead of /etc/openvpn/easy-rsa/<script-name>
it's /etc/openvpn/easy-rsa/1.0/<script-name>

Thanks again!


Réalisé avec Plone

Ce site respecte les normes suivantes :