Personal tools
You are here: Home GNU / Linux Debian 4.0 Etch Install and setup OpenVPN on Debian 4.0 Etch
Document Actions
  • Send this page to somebody
  • Print this page
  • Add Bookmarklet

Install and setup OpenVPN on Debian 4.0 Etch

by Pierre-Yves Landuré last modified 2014-01-27 17:29

OpenVPN is a software allowing to create virtual private network without using such technologies as PPtP (Microsoft) or IPSec. It is available on many operating systems (Microsoft Windows, GNU / Linux, MacOS X, ...). It a simple way to manage a virtual private network between various operating systems and computers.


This howto is deprecated. Use the new version on the Biapy Help Desk:

Install and setup OpenVPN sur Debian

Software installation

OpenVPN installation is done by this command line :

apt-get install openvpn openssl liblzo1

Once OpenVPN installed on our system, we create a folder to regroup scripts used by this howto :

mkdir --parents /etc/openvpn/scripts/

We also need to create character devices used by the server and load necessary modules :

modprobe tun

mkdir /dev/net
mknod /dev/net/tun c 10 200

Note : if your are unable to modprobe the tun module, you may need to install module-init-tools :

/usr/bin/apt-get install module-init-tools

Source : Thanks to Murmel for his comment.

Encryption keys creation

OpenVPN use OpenSSL to encrypt connections. Clients authentication is based on private / public keys signature. This keys are the core of a OpenVPN network. You need to be carefull when creating them.

EasyRSA scripts setup

OpenVPN is installed with some scripts that easy encryption keys creation. We now copy this scripts in the VPN server configuration folder so that we can edit them :

cp -r /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn

Two of the files of this configuration needs to be edited. We start by downloading modified versions needed by this howto :

wget \
     --output-document /etc/openvpn/easy-rsa/vars
wget \
     --output-document /etc/openvpn/easy-rsa/openssl.cnf

VPN server parameters

You can now edit the VPN configuration files to fit your needs  :

vim /etc/openvpn/easy-rsa/vars

Here is a short description of the values you need to change  :

  • OPENVPN_SERVER : DNS alias of the host of the OpenVPN server software.
  • OPENVPN_CLIENTS : Space separated list of VPN clients names.
  • OPENVPN_IPRANGE : The first 3 digits of IP address in your VPN.

Warning : The IP address ranges of your VPN and of your local networks MUST be different. You will find more information on available IP address ranges by reading Numbering private subnets.

You should also enter your geographical informations :

  • KEY_COUNTRY : Your country code.
  • KEY_PROVINCE : Your province.
  • KEY_CITY : Your city.
  • KEY_ORG : The key name (you don't have to change it).
  • KEY_EMAIL : The email address associated to the key.

Note : By default, the length of created keys is 1024 bits. If you are quite paranoïd, you can raise this value at cost of your VPN performances.


Certification authority creation

A certification authority is a private / public keys pair used to sign other public keys. To create your certification authority, use the following command lines :

source /etc/openvpn/easy-rsa/vars

If you have correctly set up easy-rsa, you can use the default values.

Note :  Some free certification authority exists and can be used to sign HTTPS servers certificates. This is not necessary for a OpenVPN server, but if you want to do this, I think it is possible. To find more about this, visit CAcert.

Server certificate creation

We will now create our server certificate. This is done by running these commands :

source /etc/openvpn/easy-rsa/vars
/etc/openvpn/easy-rsa/build-key-server server

Here again, use default values.

Note : You can protect your server certificate with a password. If you choose to do this, the password will be asked each time you need to create or revoke clients certificates. DO NOT LOOSE IT. It's a security asset, but it is not mandatory. Take your descision according to your paranoïa level.

The script ask you to confirm the certificate signature. Answer Yes at both asks.

Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y

Note : The certificate signature is done with our certification authority.

Diffie Hellman parameters

Diffie Hellman parameters must be computed so that your configuration work. This is done by running these command lines :

source /etc/openvpn/easy-rsa/vars

TLS key

We now create a key that will protect our VPN from some attacks. It allow us to setup a HSA firewall :

openvpn --genkey --secret /etc/openvpn/keys/ta.key

Server configuration

To create our VPN server configuration, we use a example file :

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gunzip /etc/openvpn/server.conf.gz

We modify this file to feet our needs :

source /etc/openvpn/easy-rsa/vars
sed -i  \
    -e "s/^ca ca\.crt/ca \/etc\/openvpn\/keys\/ca\.crt/" \
    -e "s/^cert server\.crt/cert \/etc\/openvpn\/keys\/server\.crt/" \
    -e "s/^key server\.key/key \/etc\/openvpn\/keys\/server\.key/" \
    -e "s/^dh[\t ]*dh1024.pem/dh \/etc\/openvpn\/keys\/dh$KEY_SIZE.pem/" \
    -e "s/^server[\t ].*$/server $OPENVPN_IPRANGE\.0 255\.255\.255\.0/" \
    -e 's/^;\(tls-auth \)\(ta.key.*\)$/\1\/etc\/openvpn\/keys\/\2/' \
    -e 's/^;\(.*# Triple-DES\)$/\1/' \
    -e 's/^\(status \).*/\1\/var\/log\/openvpn-status.log/' \

Reduced permissions

We want our VPN server to run with minimals permissions. First, make you keys folder readable :

chmod go+rx /etc/openvpn/keys

And setup OpenVPN to run with nouser and nogroup permissions :

sed -i \
    -e 's/^;\(user[ \t]*.*\)/\1/' \
    -e 's/^;\(group[ \t]*.*\)/\1/' \

Client to Client communication in the VPN network

If you want your VPN clients to be able to dialog with each others, and not only with the server, run this command line :

sed -i -e 's/^;client-to-client/client-to-client/' \

Clients revocation management :

In order to detect revoked clients, we enable the revoked certificates management :

echo "
# Revoked certificate list
crl-verify /etc/openvpn/keys/crl.pem" >> /etc/openvpn/server.conf

And we create a empty crl.pem file :

chmod +x /etc/openvpn/easy-rsa/make-crl
/etc/openvpn/easy-rsa/make-crl /etc/openvpn/keys/crl.pem

Last step

The last step is to restart the VPN server :

/etc/init.d/openvpn restart

VPN clients management

A client certificate can be created or revoked. The revocation allow to eject an unwanted client from our virtual private network. It's a process i've ignored for some time, since i did not need it. But now, i can see that it is very usefull.

First, we download two scripts that easy client revocation and addition.

wget \
     --output-document /etc/openvpn/scripts/
chmod +x /etc/openvpn/scripts/
wget \
     --output-document /etc/openvpn/scripts/
chmod +x /etc/openvpn/scripts/

Clients certificates creation

We now create our clients certificates. Run the following comand lines :

source /etc/openvpn/easy-rsa/vars
  /etc/openvpn/easy-rsa/build-key $OPENVPN_CLIENT;

When the script ask you something, just use default values, but be sure to reply "y" at these two questions :

Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y

Client addition

If you want to add a new client, you can do this using this command line :

/etc/openvpn/scripts/ client_name

After adding a client, i suggest you to replay the following steps (described bellow in this page) :

  • Clients configuration files creation
  • Clients fixed IP addresses attribution

  • Bind configuration files creation or update

Client revocation

If you want to exclude one of your client from your virtual private network, you can revoke it by using this command line :

/etc/openvpn/scripts/ client_name

Clients configuration files creation

We will now create tar.gz files containing keys and configurations files needed by our VPN clients. In order to do this, we download a script designed to easy this task :

wget \
     --output-document /etc/openvpn/scripts/
chmod +x /etc/openvpn/scripts/

We create configuration files for each VPN clients :


You have now many tar.gz files that you can copy on clients computers and extract we this command line :

tar --directory /etc -xzf votre-fichier-client.tar.gz

Now, you need to install OpenVPN on clients computers and start or restart it :

apt-get install openvpn liblzo1
/etc/init.d/openvpn restart

If all went well, you should see a message telling you that everything is OK. The following command line allow you to get more informations about your VPN link :

ifconfig tun0

Going deeper

The first part of this article helped you to create a simple Virtual Private Network where clients can't communicate between each others and with the server. It's fine but in most case, it is not sufficient. We will see here how we can enhance our VPN. The first step is to run this command lines :

mkdir /etc/openvpn/clients-configs
echo "
# Advanced configurations
client-config-dir /etc/openvpn/clients-configs" \
     >> /etc/openvpn/server.conf

Allowing VPN clients to access VPN server local network

If you want to access your VPN server local network from your VPN clients, you should first make sure that your clients local networks does not use the same IP address range that your server local network. If all is checked, you can signal to your clients which route to use to access your server local network :

ifconfig eth0 | grep inet | \
    sed -e 's/.*:\([0-9\.]*\)[0-9]\{1,3\} .*:\([0-9\.]*\) .*:\([0-9\.]*\).*/push "route \10 \3"/g' \
    >> /etc/openvpn/server.conf

Once this done, we will play with the iptables configuration to make a NAT router from our VPN server. Yep, i've said NAT. I've see a lot of complicated howtos to setup a complete routing between VPN clients and the server local network, but i think it is totally overkill for most needs.

Netfilter (IpTables) configuration

First, if needed, we create the iptables ip-up.d script. This script will be run each time the network is started:

if [ ! -e /etc/network/if-up.d/iptables ]; then
  echo '#!/bin/sh
# IpTables rules.' | /usr/bin/tee /etc/network/if-up.d/iptables
/bin/chmod +x /etc/network/if-up.d/iptables

We allow NAT rules to work on the system:

sed -i -e 's/[# ]*\(net\.ipv4\.conf\.default\.forwarding=\).*/\11/g' /etc/sysctl.conf
echo 1 > /proc/sys/net/ipv4/ip_forward

We load the NAT configuration for our VPN:

iptables -t nat -A POSTROUTING -s $OPENVPN_IPRANGE.0/24 -o eth0 -j MASQUERADE

And we add it to the if-up.d script so that it will be loaded at each system start:

echo "iptables -t nat -A POSTROUTING -s $OPENVPN_IPRANGE.0/24 -o eth0 -j MASQUERADE" \
    | /usr/bin/tee -a /etc/network/if-up.d/iptables

Your iptables configuration will be now reloaded each time your server restart.

Clients fixed IP addresses attribution

It is possible to fix VPN clients IP addresses. You can then connect to them easily by using this IP adresses.

For more informations, visit Configuring client specific rules and access policies.

In order to do this, we download a script designed to ease this task :

wget \
     --output-document /etc/openvpn/scripts/
chmod +x /etc/openvpn/scripts/

And we run it :


Setting up a name server for our VPN

If you have choosen to fix your VPN clients IP addresses, it is interesting to have a DNS server to provide computer/IP associations for our VPN network. In my configuration, i use Bind :

apt-get install bind9

If you think it is using a homing missile to kill a flee, you are probably right, but i was willing to try Bind (and nothing is better than learning by usage).

We now add the fixed IP addresses from our VPN to the Bind configuration.

Bind configuration initialization

This step is done once and for all. We configure Bind in order that it know were to find our VPN specific configuration. First, we get needed data, and we run a light computation :

source /etc/openvpn/easy-rsa/vars
REVERSE_IPRANGE=`echo $OPENVPN_IPRANGE | sed -e 's/\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)/\3\.\2\.\1/'`

We then tell Bind to use the file we will create to manage our VPN clients names.

echo "
# OpenVPN configuration
zone \"$\" in {
        type master;
        file \"/etc/bind/db.$OPENVPN_IPRANGE\";

        type master;
        file \"/etc/bind/db.$OPENVPN_LOCALDOMAIN\";
};" >> /etc/bind/named.conf.local

You now need to setup your VPN server so that it tell the VPN clients witch DNS server to use :

echo "
# VPN provided DNS server configuration.
push \"dhcp-option DOMAIN $OPENVPN_LOCALDOMAIN\"
push \"dhcp-option DNS $OPENVPN_IPRANGE.1\"" \
     >> /etc/openvpn/server.conf

Restart your VPN server :

/etc/init.d/openvpn restart

This configuration will work by itself for your Microsoft VPN clients. For linux clients, you need to do something more (see below).

Bind configuration files creation or update

We now download a script allowing us to update the bind configuration when we add or revoke a VPN client :

wget \
     --output-document /etc/openvpn/scripts/
chmod +x /etc/openvpn/scripts/

From now on, each time you add a new client to your VPN, once you've setted up its fixed IP address, you can update the Bind daemon configuration by running :


Once this done, you should reload Bind configuration :

/etc/init.d/bind9 reload

Configuring Linux clients to use DNS informations provided by VPN server

Warning : The following is to be done on every linux client for your VPN (and not on the server).

We first download the script client.up that fetch DNS informations from our VPN link, and insert it in the resolv.conf file :

wget \
chmod +x /etc/openvpn/client.up

We type our VPN network name :


Then, we configure the client so that it run the client.up script when connecting to the VPN network :

echo "
# VPN provided DNS configuration.
up /etc/openvpn/client.up
route-up /etc/openvpn/client.up
plugin /usr/lib/openvpn/ \"script_type=down /etc/openvpn/client.up\"" \
    >> /etc/openvpn/$OPENVPN_LOCALDOMAIN.conf

You just need to restart your VPN client to activate this configuration :

/etc/init.d/openvpn restart


I would like to thank the people that help me while writing this guide : 
The OpenVPN home page, that provide a very complete HOWTO. If you want to dive deeper in the VPN universe, it is the place to go.
Charles Duffy
The person who created the client.up script. Without his work, this howto would have never been complete. Thank you Charles.
Felix Knecht
Thank you Felix for telling me that using /etc/network/options was deprecated :D.



great article

Posted by Robert at 2008-02-25 22:58
Fantastic article. I've setup OpenVPN before but your configuration is very thorough.


Posted by Basti at 2008-03-21 13:17
Hi, i tried to setup a vpn with this Guide, but when i finally try to connect with a client, i'm getting an error because of Invalid Certificate.

VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=DXX/ST=XX/L=XXX/O=XXXX-vpn.vpn_Server/CN=ca.XXXX/
TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed


Posted by lwolf at 2008-03-21 19:21
In the step "Server certificate creation", have you replied yes to :

Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y

Just typing enter is not enough.


Posted by Thomas at 2008-05-08 15:23
Top guide. Excellent.

Thank you.


Posted by Benedikt at 2008-05-15 12:50
This is the best step-by-step howto for setting up openvpn with an secure and easy configuration!!

Thank you very much!


Posted by Allan at 2008-05-28 13:52
Superb , easy to follow. worked first time

Great Tutorial

Posted by :brandon at 2008-06-02 00:01
Just want to say what a great tutorial this was. very well thought out and executed. the only thing i had to comment on was the fact the the current iptables (as of 6/1/08) does not work with the line `gunzip --to-stdout /usr/share/doc/iptables/examples/oldinitdscript.gz > /etc/init.d/iptables` i ended up getting it to working perfectly using an old stable (backports) version of the iptables package. specifically `iptables_1.2.11-10_i386.deb` from a german mirror. the file can be found for download at `` for anyone who ran into the same problem.

Thanks a bunch, you saved my life here.


make-crl error

Posted by betauser at 2008-06-03 12:23
root@host:/etc/openvpn/keys# /etc/openvpn/easy-rsa/make-crl /etc/openvpn/keys/crl.pemyou must define KEY_DIR
root@host:/etc/openvpn/keys# ls crl*
ls: crl*: No such file or directory

is this normal?

no, it is not

Posted by Pierre-Yves Landuré at 2008-06-03 12:33
Try issuing this command:

source /etc/openvpn/easy-rsa/vars

Before retrying the crl creation. This guide must be followed from start to end without session interruption. Then, you can use client creation and revocation scripts whenever you want. But the configuration must be done in one session.

host/network `.0' not found

Posted by Rick at 2008-07-18 18:33
The how-to is awesome, just one issue that I can not get past in one of the last steps:

when I enter, "iptables -t nat -A POSTROUTING -s $OPENVPN_IPRANGE.0/24 -o eth1 -j MASQUERADE", in the cli I get the following error message:

iptables v1.3.6: host/network `.0' not found

My connection to the net is in eth1 instead of eth0.

You missed one thing

Posted by lwolf at 2008-07-18 20:19
You must load settings before running this command:


source /etc/openvpn/easy-rsa/vars

and then

iptables -t nat -A POSTROUTING -s $OPENVPN_IPRANGE.0/24 -o eth1 -j MASQUERADE

Good luck


Posted by none at 2008-08-09 20:12
Just want to let you know, that this tutorial and the script are great. Thanks a lot and hope u can keep this site online as long as possible!

Struggling with DNS

Posted by Ralf Coenen at 2008-08-29 10:50
My DNS-Server was already configured to serve my local network on, so that combining the given "" with the my local configs does not work properly.

So I had to add the following to /etc/bind/named.conf.local:
# OpenVPN configuration

zone "" {
type master;
file "/etc/bind/10.8.142.rev";
zone "vpndomain.vpn" {
type master;
file "/etc/bind/vpndomain.vpn.hosts";

The file /etc/bind/vpndomain.vpn.hosts is like this:
$ttl 38400
vpndomain.vpn. IN SOA server.localdomain.lan. root.localdomain.lan. (
38400 )
vpndomain.vpn. IN NS server.ceno.lan.
user1.vpndomain.vpn. IN A
user2.vpndomain.vpn. IN A
server.vpndomain.vpn. IN A
and the file /etc/bind/10.8.142.rev is like this:

$ttl 38400 IN SOA server.localdomain.lan root.localdomain.lan. (
38400 ) IN NS server.localdomain.lan. IN PTR user1.vpndomain.vpn. IN PTR user2.vpndomain.vpn. IN PTR server.vpndomain.vpn.

Don't forget to restart or reload bind9


Posted by Stefan Kammann at 2008-09-06 13:02
Thank you very much for this good document

Nice tutorial

Posted by Rahul at 2008-11-01 12:15
Excellent guide. I can easily see how many hours of work it has saved for me. Also the comments were useful. Keep up the great work.

Client configuration for using OpenVPN provided DNS

Posted by Rahul at 2008-11-01 21:54
I am using Debian Lenny as my client. I tried the last section "Configuring Linux clients to use DNS informations provided by VPN server" in this guide to set up my client to update the DNS automaitcally when it receives the value from the OpenVPN server. But I observed that there was some problem in the sanityCheck function in client.up script and my openvpn connection kept crashing. So I commented out this function call in client.up script (as it didn't seem to do anything really useful). Alternatively the line "up /etc/openvpn/client.up" in /etc/openvpn/vpndomain.vpn.conf can be commented out instead of modifying client.up script. Now my resolv.conf was getting updated whenever I started my vpn client (/etc/init.d/openvpn restart). But I observed that whenever my local lan dhcp client fetched its information from my local DHCP server, /etc/resolv.conf was being overwritten.

Luckily I observed that the openvpn which comes with Debian Lenny has an /etc/openvpn/update-resolv-conf script which serves the same purpose. Just add these two lines to the end of /etc/openvpen/vpndomain.vpn.conf in your client machine and you shall observe that /etc/resolv.conf is updated automatically whenever you establish a vpn connection and it does not even get overwritten:

up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

(Be sure to install the resolvconf package using apt-get as the script update-resolv-conf makes use of the executable /sbin/resolvconf).

Thank you !

Posted by lwolf at 2008-11-01 23:19
Whoa, thank you for this useful tip ! I'll take a look at the openvpn in lenny as soon as possible !

Lone Wolf

passing option "--script-security 2" to openvpn

Posted by Rahul at 2009-01-12 08:19
Also I forgot to mention that you will have to pass the option "--script-security 2" to openvpn so that it can call the external script update-resolv-conf. In Debian Lenny, this can be set by modifying the OPTARGS variable in /etc/default/openvpn as below:

# Optional arguments to openvpn's command line
OPTARGS="--script-security 2"

No more /etc/network/options

Posted by Felix Knecht at 2008-11-27 23:37
Just a little correction to the part "Netfilter (IpTables) configuration":

There is no /etc/network/options anymore. (see /usr/share/doc/netbase/README.Debian)
Instead you need to edit /etc/sysctl.conf and change/uncomment the following line:


Thank you !

Posted by Pierre-Yves Landuré at 2008-11-28 09:29
I've corrected this guide, and added you to the Thanks section :).


Posted by bob at 2008-12-05 03:41
you are a god among men. i've tried dozens of tutorials and NEVER gotten this thing working. you kick ass. thanks a million

make-crl error

Posted by avaton at 2008-12-29 00:24
Thank you very much for the excellent work.
I am facing an issue so far.
When I issue the:
source /etc/openvpn/easy-rsa/vars
/etc/openvpn/easy-rsa/make-crl /etc/openvpn/keys/crl.pem
I receive the following error:
3848:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 133
Thanks in advance for your reply.
Best regards.

have you set every variable in vars file ?

Posted by lwolf at 2008-12-29 04:46

your error says :"variable has no value".

You should check that every value in /etc/openvpn/easy-rsa/vars is set.

Good luck

problem persists

Posted by avaton at 2008-12-30 16:41
Dear lwolf,
I checked the /etc/openvpn/easy-rsa/vars file and all values were set according to the guide, except that instead of your suggested:

export KEY_CONFIG="/etc/openvpn/easy-rsa/openssl.cnf"

I used

export KEY_CONFIG=$D/easy-rsa/openssl.cnf

When I changes the vars file to reflect your suggested value I received an additional information in the error:

# source /etc/openvpn/easy-rsa/vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/keys
# /etc/openvpn/easy-rsa/make-crl /etc/openvpn/keys/crl.pem
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
error on line 133 of config file '/etc/openvpn/easy-rsa/openssl.cnf'
3407:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 133

My 133rd line in /etc/openvpn/easy-rsa/openssl.cnf is this:

commonName_default = $ENV::KEY_COMMONNAME

Any ideas?
Thanks again for the help.
Best regards.

openssl.cnf fixed

Posted by tavaron at 2009-02-13 09:38
Hi avaton,
I had the same problem as you before. So I tried to fix the openssl.cnf.
The problem is the variable. I insert my wished default values directly and it worked.
I don't know how to insert the values correctly via a variable but this will work and maybe lone wolf will fix this in his downloadable version oh the openssl.cnf

best regards

openssl.cnf problem and woes averted

Posted by soulblighter at 2010-03-17 18:57
I found this article amazingly helpful and so have been the comments so I thought I should do what I can and return the favor =}

I came to the step and problem as avaton:
localhost:/etc/openvpn/easy-rsa# chmod +x /etc/openvpn/easy-rsa/make-crl
localhost:/etc/openvpn/easy-rsa# /etc/openvpn/easy-rsa/make-crl /etc/openvpn/keys/crl.pem
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
error on line 145 of config file '/etc/openvpn/easy-rsa/openssl.cnf'
2473:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 145

So I looked at my version of openssl.cnf at line 145 and saw this bit of code:
# JY -- added for batch mode
organizationalUnitName_default = $ENV::KEY_OU
commonName_default = $ENV::KEY_CN

I looked at the openssl.conf lwolf provided and compared the two openssl.cnf's ( I used the default openssl.cnf provided by /usr/share/doc/openvpn/examples/easy-rsa/2.0/ ) and made the following changes to my openssl.cnf:

# JY -- added for batch mode
#organizationalUnitName_default = $ENV::KEY_OU
organizationalUnitName_default = $ENV::KEY_ORG
#commonName_default = $ENV::KEY_CN
commonName_default = $ENV::KEY_COMMONNAME

After this, I tried to run the command again:
localhost:/etc/openvpn/easy-rsa# /etc/openvpn/easy-rsa/make-crl /etc/openvpn/keys/crl.pem
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf

It went through without complaint and checked my keys directory and the crl.pem was there. Hope this is able to help someone!

Many thanks

Posted by Ralf at 2009-01-06 13:50
that was the best tutorial I've found during a very long search about openvpn and specially setting up the certificates

Once again:

Many, Many thanks


Posted by mohsen at 2009-02-24 18:50
i have problem!

/etc/init.d/openvpn restart

Stopping virtual private network daemon:.
Starting virtual private network daemon: server(FAILED).

So... do it manually by command:

/usr/sbin/openvpn --config /etc/openvpn/server.conf

Tue Feb 24 19:50:08 2009 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 20 2007
Tue Feb 24 19:50:08 2009 Diffie-Hellman initialized with 2048 bit key
Tue Feb 24 19:50:08 2009 Control Channel Authentication: using '/etc/openvpn/keys/ta.key' as a OpenVPN static key file
Tue Feb 24 19:50:08 2009 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb 24 19:50:08 2009 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb 24 19:50:08 2009 TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Tue Feb 24 19:50:08 2009 TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use
Tue Feb 24 19:50:08 2009 Exiting

is that run??

maybe more in syslog ?

Posted by Pierre-Yves Landuré at 2009-02-24 20:47

by the look of your error message :

Tue Feb 24 19:50:08 2009 TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use

This mean that there is something using port 1194. This is propably a openvpn server still running. I only can advise you to take a look at the end of /var/log/syslog to diagnose the source of the problem.


Posted by mohsen at 2009-02-25 00:52
before install and read your tutorial ... i installed openvpn and openssl
after your learning do it again... is it problem? how fix it?

well probably not

Posted by lwolf at 2009-02-25 05:25
It should not be a problem if you used debian packages to install openvpn. You can try to purge your actual configuration and start from the beginning.

To purge, you can try :

apt-get --purge remove openvpn
rm -r /etc/openvpn

and then restart my tutorial


Posted by mohsen at 2009-02-26 23:47
thank for your help... it's start OK

so.. my client have windows:
you just say for linux client... what's files need for windows client?
all is okay before this line which is for linux client:
tar --directory /etc -xzf votre-fichier-client.tar.gz

windows clienfs

Posted by Lone Wolf at 2009-02-27 05:58
The files needed are the sames for linux and windows client. But for a windows client, you'll need to rename the conf file to give it the .ovpn extension, and edit it to change the path to keys for something that fit windows c:\.

I'm going to update this guide soon so that it create windows configuration files. (by soon i mean somewhere between next week and next year :( (i've not a great amount of free time currently))

hope this help

windows clients

Posted by Maciej at 2009-04-26 20:25
Hi, great how-to, thanks for that.
As far as Windows is concerned with OpenVPN binary distribution for windows it is necessary to follow these steps:
- untar config files into C:\Program Files\OpenVPN\config
- rename <client>.conf file to <client>.ovpn
- change options in <client>.ovpn to point to <client>-keys directory in Windows file system, the proper notation is key, it should look like that: 'C:\\Program Files\\OpenVPN\\config\\<client>-keys\\ca.crt' so you have to put path in quotes (due to spaces used in directory names) and use double backslash (\\) cause one backslash is interpreted as control character.

As far as installation for Debian 5.0 Lenny some changes have to be applied. In my case original easy-rsa directory does not contain any files but two directories names 1.0 2.0 which apparenty stands for OpenSSL version. Choosing files in 2.0 and copying then to /etc/openvpn/easy-rsa worked fine. There was only one exception, 2.0 does not include /etc/openvpn/easy-rsa/make-crl needed to create crl.pem file. Easy solution to that problem (very simplistic) was to copy make-crl from 1.0 - that worked very well.

Thanks once again for great work!

One of the best HOWTO i have ever seen

Posted by Abhinav at 2009-02-26 20:35
Waoo... Hats off to you man... superb document.. Every things thought throughly and written..

Thanks and Superb Work...

help me!

Posted by kati at 2009-02-27 00:54
Thanks for learning...

but i have problem with this line for vars file:

# OPENVPN_IPRANGE : What's mean? ?
# OPENVPN_LOCALDOMAIN : (my server is like is that correct for this line if i write: ??

Please help me!!

as said in this guide :

Posted by Lone wolf at 2009-02-27 05:55
# OPENVPN_IPRANGE : The first 3 digits of IP address in your VPN.

So :

IPRANGE=10.23.213 # Must be different from you local network ip range.

LOCALDOMAIN=something.vpn # Domain name for computers connected to the vpn.

hope this help

help me!

Posted by kati at 2009-02-27 11:50
i copied (etc/openvpn/client.tag.gz) and copy c:\Program Files\OpenVPN\config

then i try for run OpenVPN GUI but when connect i see this error:

What's it?

help me!

Posted by kati at 2009-02-27 12:04
so.. when from windows i open client.ovpn

have this lines:
ca /etc/openvpn/
cert /etc/openvpn/
key /etc/openvpn/

but i can't find this folder

just have folder keys on this path!!


Posted by salymon at 2009-02-27 18:41

ifconfig eth0 | grep inet | \
sed -e 's/.*:\([0-9\.]*\)[0-9]\{1,3\} .*:\([0-9\.]*\) .*:\([0-9\.]*\).*/push "route \10 \3"/g' \
>> /etc/openvpn/server.conf

eth0: error fetching interface information: Device not found

What's this error?

It means you are not connected by ethernet

Posted by lwolf at 2009-02-27 21:06
eth0 is the default ethernet "alias". If it is not present, you are probably using a wifi connection. Just find the name of your interface using "ifconfig", and then replace "eth0" by this name in the command line. (you may also wan to remove the "push route" line at the end of your server.conf.

by the way... wifi is not so good for a server.


Posted by problem at 2009-02-27 23:05
How active iptables ?

iptables -t nat -A POSTROUTING -s $OPENVPN_IPRANGE.0/24 -o eth0 -j MASQUERADE

iptables: No chain/target/match by that name


Posted by Alex at 2009-03-01 01:36
Increasing the asymmetric key length only increases authentication time, it will not cause your tunnel to go more slowly. The servers use the 1024/2048 bit keys to talk, then once they trust each other use a session key to actually encrypt data, which is symmetric.

What's problem?

Posted by mohsen at 2009-03-02 12:21

i do all your tutorial!!

just 2 step have problem...

Allowing VPN clients to access VPN server local network:

ifconfig eth0 | grep inet | \
sed -e 's/.*:\([0-9\.]*\)[0-9]\{1,3\} .*:\([0-9\.]*\) .*:\([0-9\.]*\).*/push "route \10 \3"/g' \
>> /etc/openvpn/server.conf

i haven't eth0 and replace with venet0

and step 2 which i have problem with iptables:

iptables -t nat -A POSTROUTING -s -j SNAT --to-source i have VPS

Now make connect by windows and all thing is good and successful... but i haven't NAT... still i have last ip provide

What's problem??

can't modprobe tun (solved)

Posted by murmel at 2009-03-16 20:05
I wasn't able to modprobe tun and thus not being able to start OpenVPN.
This because I'm using a VPS without much of the stuff that comes with a standard install.
What I had to do was to install module-init-tools (apt-get install module-init-tools).
Thanks alot man!

bind9 reload

Posted by tondo at 2009-03-19 15:43
#/home/administrator# /etc/init.d/bind9 reload
* Reloading domain name service... bind9 rndc: connect failed: connection refused

what's wrong?


Posted by tondo at 2009-03-20 12:43
hi, it is possible to use this tutorial on Ubuntu? I have Ubuntu 8.10 Server edition.

What is the difference between "original files of the easy-rsa" (/usr/share/doc/openvpn/examples/easy-rsa/) and files which are downloaded in this guide. For example:

Have a nice day.

Allowing VPN clients to access VPN server local network

Posted by murmel at 2009-03-20 20:56
ifconfig eth0 | grep inet | \
sed -e 's/.*:\([0-9\.]*\)[0-9]\{1,3\} .*:\([0-9\.]*\) .*:\([0-9\.]*\).*/push "route \10 \3"/g'
Will in my case look like this:
push "route"
inet6 addr: xxxx::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
And the line "inet6 addr: xxxx::xxxx:xxxx:xxxx:xxxx/64 Scope:Link" shouldn't be there and also the route should in my case be
I have NO idea how to do those advance sed scripts, I'm just changing it in the config when it've been added.
I just thought you should know!
Thanks for the best guide!

Problem with dhcp gateway

Posted by Kristian at 2009-03-25 11:06
Hello firends, main problem with redirect all traffic trought VPN is gateway assigned by dhcp. We need set gateway strongly to

OVPN dhcp assign virtual IPs:
[gateway, client ip]
[ 1, 2] [ 5, 6] [ 9, 10] [ 13, 14] [ 17, 18]
[ 21, 22] [ 25, 26] [ 29, 30]...........
we need
[ 1, 2] [ 1, 6] [ 1, 10] [ 1, 14] [ 1, 18]
[ 1, 22] [ 1, 26] [ 1, 30].........

Have somebody any solution??? thanks.

Solution founded

Posted by Kristian at 2009-03-25 14:18
Hello, I found solution:

in server.conf - push "redirect-gateway"

in ssh

echo "1" > /proc/sys/net/ipv4/ip_forward ----forwarding packets between networks
iptables -t nat -A POSTROUTING -s ovpn_ip_range.0/24 -o eth0 -j MASQUERADE

thanks for good how to.

script merging certificates into the config

Posted by murmel at 2009-04-07 17:37

This script is executed in the same folder as the .tar.gz configurations. It will create .ovpn configurations that will be compressed into .tar.bz2 archives.
Quite useful when distributing the configurations to Windows users.

Thank you !

Posted by lwolf at 2009-04-07 17:47
Thank you for your contribution, i've been looking to update this guide for windows support, and you've just ease my work.

Thank you very much.

re: Thank you !

Posted by murmel at 2009-04-07 21:24
No problem man!
I hope it works and modify it however you like!
I'm using all your sweet configurations.

I'm trying to create an automated system that'll make it easier to install.
In the end, it all should look something like OpenVPN-AS, but without all the licencing stuff.

Thanks !

openvpn_autoconfig beta 1

Posted by murmel at 2009-04-08 00:38

I've just made it and I've checked and it works.
Just download it. Install OpenVPN. Extract it into /etc/openvpn and run sudo sh
There's still much to do.


Posted by murmel at 2009-04-09 01:59
Even more automated now. The only thing you need to do now is enter the information. Made all the certification creating automated.
I've added an client creation script.
Howto use:
Install openvpn and openssl.
Extract openvpn_autoconf.tar.bz2 into /etc/openvpn/.
run: sudo /etc/openvpn/
Enter information.
Use the username.tar.bz2 files, give them to the users. If there's linux users, rename the configurations from .ovpn to .conf.
Add client: sudo /etc/openvpn/ username

Everything I've done here is thanks to this guide. :)
But this will maybe make it easier to install OpenVPN on alot of server etc.
There's still alot of work to do.

beta 2

Posted by murmel at 2009-04-09 17:41

openvpn script not working

Posted by orange at 2009-04-28 07:07
Hi Murmeel,

I followed your instructions but it does not work. When I connect through the ovpn file it says error in key direction. I would appreciate any help.



Posted by Robert at 2010-07-29 15:52
Murmel; excellent work. Thanks!
For some reason IP forwarding didn't work by following any of the guides; using your tool worked flawlessly!

help me please :(

Posted by jepon at 2010-04-19 05:26
when i restart whith cmd /etc/init.d/openvpn restart
i got this error warning

Stopping virtual private network daemon:.
Starting virtual private network daemon: server(FAILED)

so i try this command

/usr/sbin/openvpn --config /etc/openvpn/server.conf

an i got diferen error like this

Mon Apr 19 05:12:31 2010 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 20 2007
Mon Apr 19 05:12:31 2010 Diffie-Hellman initialized with 1024 bit key
Mon Apr 19 05:12:31 2010 Control Channel Authentication: using '/etc/openvpn/keys/ta.key' as a OpenVPN static key file
Mon Apr 19 05:12:31 2010 Outgoing Control Channel Authentication: Using 160 bitmessage hash 'SHA1' for HMAC authentication
Mon Apr 19 05:12:31 2010 Incoming Control Channel Authentication: Using 160 bitmessage hash 'SHA1' for HMAC authentication
Mon Apr 19 05:12:31 2010 TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0]
Mon Apr 19 05:12:31 2010 Note: Cannot open TUN/TAP dev /dev/net/tun: Permission denied (errno=13)
Mon Apr 19 05:12:31 2010 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Mon Apr 19 05:12:31 2010 Cannot allocate TUN/TAP dev dynamically
Mon Apr 19 05:12:31 2010 Exiting

what must i do, i use VPS,, thanks b4

permission denied ?

Posted by Lone Wolf at 2010-04-19 08:54
Try using sudo :$

sudo /etc/init.d/openvpn restart

I believe you are not running these command lines as root.


Posted by perfector at 2010-07-12 11:42
Hi lone wolf,

could you include the "ifconfig" outputs of both the server and the clients too?

Very Good howto

Posted by Frank Uittenbosch at 2010-09-23 10:13
Hi Lone-wolf
gz on your very good howto, i have learned a lot from you!
all i had to change for debian lenny and squeeze is:
Instead of /etc/openvpn/easy-rsa/<script-name>
it's /etc/openvpn/easy-rsa/1.0/<script-name>

Thanks again!


Powered by Plone CMS, the Open Source Content Management System

This site conforms to the following standards: