OpenVPN Client/Server

OpenVPN is a popular open source solution for setting up VPNs, and is included with VyOS by default.

This section will guide you through configuring a typical client/server OpenVPN setup on VyOS from start to finish.

If you have not yet provisioned your VyOS instance on the OrionVM platform, please follow our Getting Started guide first.


Certificates and Keys

VyOS ships the easy-rsa 2.0 scripts (from the OpenVPN package) that generate the certificates and keys used for VPN authentication.

The first step is to copy the easy-rsa folder under /config (which survives image upgrades) and edit the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL fields at the bottom of the vars file to match your organisation. These become the default values the scripts use when signing certificates. While editing vars, consider raising KEY_SIZE from its default of 1024 to 2048: 1024-bit RSA keys and Diffie-Hellman parameters are no longer considered adequate. Note that build-dh names its output after this value, so with KEY_SIZE=2048 the file is dh2048.pem and the dh paths used later in this guide must be changed to match.

cp -rv /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /config/easy-rsa2
nano /config/easy-rsa2/vars

The following commands initiate the PKI:

cd /config/easy-rsa2/
source ./vars
./clean-all

We can then build the CA, the Diffie-Hellman parameters, and the server and client keys and certificates. When prompted for fields, press enter to accept the defaults taken from vars. Leave the certificate passwords empty (VyOS must be able to read the server key unattended at boot) and answer yes when asked to sign and commit each certificate. Run build-key once per client, each with a distinct name: OpenVPN rejects simultaneous connections that present the same certificate common name unless duplicate-cn is set, so clients should not share one certificate.

./build-ca
./build-dh
./build-key-server server
./build-key client

Finally, we copy the server files to the location VyOS reads them from. Only the server's own key and certificate, the CA certificate and the DH parameters belong here; ca.key stays in /config/easy-rsa2/keys, and since it can sign new client certificates it should be kept readable by the vyos user only and, once all clients have been issued, ideally moved off the VPN server altogether:

sudo mkdir /config/auth/ovpn
sudo cp keys/ca.crt /config/auth/ovpn/
sudo cp keys/dh1024.pem /config/auth/ovpn/
sudo cp keys/server.key /config/auth/ovpn/
sudo cp keys/server.crt /config/auth/ovpn/

Copying Client Files

We must also copy the client files to the client machine. Since the transfer crosses the public internet, use scp so that the files, in particular the private key, travel encrypted. Once copied, restrict client.key so that only your user can read it (for example with chmod 600), and remember that the client's private key was generated on the VyOS instance: remove the copy under /config/easy-rsa2/keys once the client has it.

From the client command line, input the following commands to copy ca.crt, client.crt and client.key from your VyOS instance (in this case located at 23.90.55.23) into your present working directory:

scp vyos@23.90.55.23:/config/easy-rsa2/keys/ca.crt ./
scp vyos@23.90.55.23:/config/easy-rsa2/keys/client.crt ./
scp vyos@23.90.55.23:/config/easy-rsa2/keys/client.key ./

Alternatively, this can be done using a single command:

scp vyos@23.90.55.23:/config/easy-rsa2/keys/\{ca.crt,client.crt,client.key\} ./

Creating Client Config

We must now create a client configuration file for our VPN client. Use your preferred text editor to create a file named client.ovpn containing the following, where <host> is the public IP of your VyOS instance. The remote-cert-tls server line makes the client accept only a certificate issued for server use (build-key-server adds the server extended key usage that build-key does not), so a stolen client certificate cannot be used to impersonate the server:

client
proto udp
remote-cert-tls server
verb 2
dev tun0
cert client.crt
key client.key
ca ca.crt
remote <host> 1194
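
As an added example that is not part of the original guide: a small POSIX shell script that assembles client.ovpn from the three copied files, embedding them with OpenVPN's inline <ca>, <cert> and <key> blocks so that a single file is all that has to be carried to the client and protected. It first checks that each file actually contains the expected PEM block, which catches an empty or truncated scp copy before it turns into a confusing TLS error. The function names, the "redirect" argument and the example address are this example's own choices; passing redirect adds redirect-gateway def1, which the client needs if its internet traffic is to go through the VPN as the DNS and NAT configuration in the next sections intends.

```shell
#!/bin/sh
# Added example, not code from the original guide or from VyOS/OpenVPN.
# Builds a single-file OpenVPN client profile from ca.crt, client.crt and
# client.key in the current directory, after checking they look like PEM.

# check_pem FILE MARKER: succeed only if FILE is readable and contains a
# PEM header matching MARKER ("CERTIFICATE" or "PRIVATE KEY"). The MARKER
# pattern tolerates both "PRIVATE KEY" and "RSA PRIVATE KEY" headers.
check_pem() {
    file=$1
    marker=$2
    [ -r "$file" ] || { echo "missing or unreadable: $file" >&2; return 1; }
    grep -q -- "-----BEGIN .*${marker}-----" "$file" ||
        { echo "no ${marker} block found in $file" >&2; return 1; }
    return 0
}

# make_profile HOST [redirect]: print a client profile to stdout using the
# directives from the guide, with the three files inlined. The optional
# second argument "redirect" (this example's own flag) adds
# redirect-gateway def1 so all client traffic is routed through the tunnel.
make_profile() {
    host=$1
    redirect=${2:-}
    check_pem ca.crt "CERTIFICATE"     || return 1
    check_pem client.crt "CERTIFICATE" || return 1
    check_pem client.key "PRIVATE KEY" || return 1
    cat <<EOF
client
proto udp
remote-cert-tls server
verb 2
dev tun0
remote ${host} 1194
EOF
    if [ "$redirect" = "redirect" ]; then
        echo "redirect-gateway def1"
    fi
    # Inline blocks replace the "ca", "cert" and "key" file directives.
    for pair in "ca:ca.crt" "cert:client.crt" "key:client.key"; do
        tag=${pair%%:*}
        file=${pair#*:}
        echo "<${tag}>"
        cat "$file"
        echo "</${tag}>"
    done
}

# Usage (the address is a constructed example):
#   make_profile 23.90.55.23 redirect > client.ovpn && chmod 600 client.ovpn
```

The resulting file contains the private key, so it needs the same protection as client.key itself; the chmod in the usage line is the minimum. Leave out the redirect argument if you only want the client to reach the VPN subnet and not send its general internet traffic through the instance.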

Configuring the Server

To configure the OpenVPN server on your VyOS instance, input the following commands. Set the server subnet (the subnet from which connected clients are assigned addresses) to one that is not in use anywhere on your network or on the clients' local networks, or routing will be ambiguous. In this case we set it to 192.168.10.0/24:

set interfaces openvpn vtun0 mode 'server'
set interfaces openvpn vtun0 server subnet '192.168.10.0/24'
set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/ovpn/ca.crt'
set interfaces openvpn vtun0 tls cert-file '/config/auth/ovpn/server.crt'
set interfaces openvpn vtun0 tls dh-file '/config/auth/ovpn/dh1024.pem'
set interfaces openvpn vtun0 tls key-file '/config/auth/ovpn/server.key'

DNS Forwarding

If you would like clients connected to your VPN to reach the public internet through your instance, two further pieces of configuration are needed on the server (DNS and source NAT), and the client must route its default traffic through the tunnel, either with redirect-gateway def1 in its own config or by having the server push that option; without it only traffic destined for the VPN subnet will use the tunnel.

We first set the DNS servers pushed to clients. In this case we use Google's resolvers, 8.8.8.8 and 8.8.4.4:

set interfaces openvpn vtun0 server name-server 8.8.8.8
set interfaces openvpn vtun0 server name-server 8.8.4.4

We must then configure source NAT so that traffic from the VPN subnet can reach the public internet via eth1 (the interface carrying the public address on instances set up per the Getting Started guide; adjust the name if yours differs). The source address must match the server subnet chosen above, 192.168.10.0/24:

set nat source rule 200 outbound-interface 'eth1'
set nat source rule 200 source address '192.168.10.0/24'
set nat source rule 200 translation address masquerade

Opening the Port

Our final step is to allow inbound connections to OpenVPN's default port, UDP 1194. This assumes the wan-local firewall ruleset from the Getting Started guide is applied to traffic destined for the instance itself on the WAN interface; if your ruleset has a different name, adjust it. The commit applies all of the configuration entered above at once, and save writes it to the boot configuration:

set firewall name wan-local rule 40 action accept
set firewall name wan-local rule 40 destination port openvpn
set firewall name wan-local rule 40 protocol udp
commit
save

Connecting to Your VPN

You should now be able to connect to your VPN server using the client.ovpn created above together with the files copied in the Copying Client Files section, for example by running openvpn --config client.ovpn from the directory holding them. A successful connection ends with the line "Initialization Sequence Completed" in the client log; a failure to verify the server certificate at this point usually means the server certificate was built with build-key rather than build-key-server.