Set up virtual private networks (VPNs)


How to set up OpenVPN on Windows 10
There is a now slightly outdated guided walkthrough of the install available here. We are working to get everything resolved and finished ASAP. In most cases, you'll leave it blank. This project in particular began from the code by StarshipEngineer to help make installing OpenVPN on a Raspberry Pi as simple as it can be. On the final page, leave Start the My Private Network Service selected and click on Finish; this will automatically start the service for you.


The alternative was ft of cat5e run up and across a 50 ft ceiling. This is going to be more of a technical review.

I'm an IT Director for my company so I deal with this type of equipment all the time. I picked up this device for my house and I was looking for a few features. I wanted Gigabit ports, fast WiFi, and not a massive device. I also didn't want to spend a lot of money.

So I landed on this device. I tested the Gigabit ports and 1 port wasn't Gigabit. Port 2 only worked at I disabled the 2. I don't need it and 2 for Security. I set up the device using WPA2 using the 5G only. I personally like the 5G best. We were previously using two Netgear FVSs to connect our satellite office to our main office.

The interface is pretty basic, and as a result makes configuring it a snap. They have been running for a week now without any issues or reboots. I will update this review if I I purchased a LRT a little over 30 days ago. It has now been up for 34 days with no issues. I purchased it mainly because hackers kept attacking my servers through the RDP port. I had used a Cisco router for VPN access but they dropped support of the client.

The basic features of the LRT were easy to set up. Best of all, the combination of password and certificate authentication is offered and just a part of the setup. I needed a replacement fast and cheap and the RV fit the bill. I was a little scared at first, because there has been much negative reported about this device, but more recent reviews have been positive. But, the price was right and I needed it fast, so what the heck?

It really only took minutes to get the IPv4 parts running and we were back online! No page reference guides or configuration manuals to get basic firewalling in place! It is performing far better than the PIX. Bought 6 for embedding into prototype IoT type devices. Used T-mobile SIM and works great. I'm super impressed by this little guy. I have an expensive Netgear router that has been having some serious issues, I've been considering a travel router for a while, so I got this so I have a backup.

I have a medium sized home, and while it can't quite cover the whole thing perfectly, it's very reliable and I haven't run into any real problems - unlike my Nighthawk. I'm very impressed with the software, it's fast and very easy to use. It's also way easier to change settings than other routers I have used since it doesn't take two minutes to reboot every time you change something. I have actually been relying on it as my primary router for over a month now since the Nighthawk is just not cutting it.

With three people's phones, computers, Chromecasts, and Google Homes - plus some smart home stuff - it has been

The only parameter which must be explicitly entered is the Common Name. As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter "server". Two other queries require positive responses, "Sign the certificate?" If you would like to password-protect your client keys, substitute the build-key-pass script. Remember that for each client, make sure to type the appropriate Common Name when prompted. Always use a unique common name for each client. Now we will find our newly-generated keys and certificates in the keys subdirectory.

Here is an explanation of the relevant files: The final step in the key generation process is to copy all files to the machines which need them, taking care to copy secret files over a secure channel.

Now wait, you may say. Shouldn't it be possible to set up the PKI without a pre-existing secure channel? The answer is ostensibly yes. In the example above, for the sake of brevity, we generated all private keys in the same place. With a bit more effort, we could have done this differently. For example, instead of generating the client certificate and keys on the server, we could have had the client generate its own private key locally, and then submit a Certificate Signing Request (CSR) to the key-signing machine.

In turn, the key-signing machine could have processed the CSR and returned a signed certificate to the client. This could have been done without ever requiring that a secret. It's best to use the OpenVPN sample configuration files as a starting point for your own configuration.

These files can also be found in. On Windows they are named server. The sample server configuration file is an ideal starting point for an OpenVPN server configuration. Before you use the sample configuration file, you should first edit the ca, cert, key, and dh parameters to point to the files you generated in the PKI section above. At this point, the server configuration file is usable, however you still might want to customize it further:

If you want to run multiple OpenVPN instances on the same machine, each using a different configuration file, it is possible if you: The sample client configuration file client. To simplify troubleshooting, it's best to initially start the OpenVPN server from the command line or right-click on the. As in the server configuration, it's best to initially start the OpenVPN server from the command line or on Windows, by right-clicking on the client.

A normal client startup on Windows will look similar to the server output above, and should end with the Initialization Sequence Completed message. Now, try a ping across the VPN from the client. If you are using routing, i.e. If you are using bridging, i.e. If the ping failed or the OpenVPN client initialization failed to complete, here is a checklist of common symptoms and their solutions:

See the access policies section below. You have a one-way connection from client to server. The server to client direction is blocked by a firewall, usually on the client side.

The firewall can either be (a) a personal software firewall running on the client, or (b) the NAT router gateway for the client. Modify the firewall to allow returning UDP packets from the server to reach the client. See the FAQ for additional troubleshooting information. When executed, the initscript will scan for. The Windows installer will set up a Service Wrapper, but leave it turned off by default. This will configure the service for automatic start on the next reboot. Use the writepid directive to write the OpenVPN daemon's PID to a file, so that you know where to send the signal (if you are starting openvpn with an initscript, the script may already be passing a --writepid directive on the openvpn command line).

While most configuration changes require you to restart the server, there are two directives in particular which refer to files which can be dynamically updated on-the-fly, and which will take immediate effect on the server without needing to restart the server process.

Files in this directory can be updated on-the-fly, without restarting the server. Note that changes in this directory will only take effect for new connections, not existing connections. If you would like a client-specific configuration file change to take immediate effect on a currently connected client (or one which has disconnected, but where the server has not timed-out its instance object), kill the client instance object by using the management interface described below.

This will cause the client to reconnect and use the new client-config-dir file. If you would like to kill a currently connected client whose certificate has just been added to the CRL, use the management interface described below. You can use the management interface directly, by telnetting to the management interface port, or indirectly by using an OpenVPN GUI which itself connects to the management interface.

To enable the management interface on either an OpenVPN server or client, add this to the configuration file: This tells OpenVPN to listen on the given TCP port for management interface clients (the port is an arbitrary choice -- you can use any free port). Once OpenVPN is running, you can connect to the management interface using a telnet client. Once the VPN is operational in a point-to-point capacity between client and server, it may be desirable to expand the scope of the VPN so that clients can reach multiple machines on the server network, rather than only the server machine itself.
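To show the management-interface exchange the text describes (connect to the port, issue a kill for a common name, read the SUCCESS or ERROR reply line), here is an added Python example; it is not part of the page or of OpenVPN, it assumes the management directive is bound to localhost, and it demonstrates the exchange against a small fake responder whose reply text is constructed to mirror the real interface.

```python
import socket
import threading


def management_kill(sock: socket.socket, common_name: str) -> tuple[bool, str]:
    """Issue 'kill <cn>' on a connected management socket.

    Returns (killed, reply_line). The management protocol answers a command
    with one 'SUCCESS: ...' or 'ERROR: ...' line; lines that begin with '>'
    are asynchronous notifications and are skipped.
    """
    # Conservative check: keep the command a single token on one line.
    if not common_name or any(ch.isspace() for ch in common_name):
        raise ValueError("common name must be a single non-empty token")
    sock.settimeout(5.0)
    reader = sock.makefile("rb")
    greeting = reader.readline()  # '>INFO:OpenVPN Management Interface ...'
    if not greeting.startswith(b">INFO:"):
        raise ConnectionError("unexpected greeting: %r" % greeting)
    sock.sendall(f"kill {common_name}\r\n".encode("ascii"))
    while True:
        raw = reader.readline()
        if not raw:
            raise ConnectionError("management socket closed before a reply")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        if line.startswith(">"):
            continue
        return line.startswith("SUCCESS:"), line


def kill_client(host: str, port: int, common_name: str) -> tuple[bool, str]:
    """Connect to a running OpenVPN's management port and kill one client."""
    with socket.create_connection((host, port), timeout=5.0) as sock:
        return management_kill(sock, common_name)


# --- offline demonstration -------------------------------------------------
def _fake_management_server(conn: socket.socket, connected: set[str]) -> None:
    """Constructed stand-in for OpenVPN; reply text mirrors the real interface."""
    conn.sendall(b">INFO:OpenVPN Management Interface Version 1 -- "
                 b"type 'help' for more info\r\n")
    cmd = conn.makefile("rb").readline().decode().strip()
    verb, _, cn = cmd.partition(" ")
    if verb == "kill" and cn in connected:
        reply = f"SUCCESS: common name '{cn}' found, 1 client(s) killed\r\n"
    else:
        reply = f"ERROR: common name '{cn}' not found\r\n"
    conn.sendall(reply.encode())
    conn.close()


def demo(common_name: str) -> tuple[bool, str]:
    """Run management_kill() against the fake server over a socketpair."""
    client_end, server_end = socket.socketpair()
    worker = threading.Thread(target=_fake_management_server,
                              args=(server_end, {"client2"}))
    worker.start()
    try:
        return management_kill(client_end, common_name)
    finally:
        client_end.close()
        worker.join()


if __name__ == "__main__":
    print(demo("client2"))
    print(demo("client9"))
```

Against a live daemon, kill_client("127.0.0.1", port, "client2") performs the same exchange that the telnet session in the text does by hand.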

For the purpose of this example, we will assume that the server-side LAN uses a subnet of First, you must advertise the This can easily be done with the following server-side config file directive: One of the benefits of using ethernet bridging is that you get this for free without needing any additional configuration. In a typical road-warrior or remote access scenario, the client machine connects to the VPN as a single machine. But suppose the client machine is a gateway for a local LAN (such as a home office), and you would like each machine on the client LAN to be able to route through the VPN.

For this example, we will assume that the client LAN is using the Next, we will deal with the necessary configuration changes on the server side. If the server configuration file does not currently reference a client configuration directory, add one now: In the above directive, ccd should be the name of a directory which has been pre-created in the default directory where the OpenVPN server daemon runs.

When a new client connects to the OpenVPN server, the daemon will check this directory for a file which matches the common name of the connecting client. If a matching file is found, it will be read and processed for additional configuration file directives to be applied to the named client. The next step is to create a file called client2 in the ccd directory.

This file should contain the line: This will tell the OpenVPN server that the Why the redundant route and iroute statements, you might ask? Next, ask yourself if you would like to allow network traffic between client2's subnet If so, add the following to the server config file. This will cause the OpenVPN server to advertise client2's subnet to other connecting clients.

The last step, and one that is often forgotten, is to add a route to the server's LAN gateway which directs The outgoing ping would probably reach the machine, but then it wouldn't know how to route the ping reply, because it would have no idea how to reach This requires a more complex setup (maybe not more complex in practice, but more complicated to explain in detail):

For example, suppose you would like connecting clients to use an internal DNS server at Add this to the OpenVPN server configuration: To test this feature on Windows, run the following from a command prompt window after the machine has connected to an OpenVPN server: Suppose we are setting up a company VPN, and we would like to establish separate access policies for 3 different classes of users: The basic approach we will take is (a) segregate each user class into its own virtual IP address range, and (b) control access to machines by setting up firewall rules which key off the client's virtual IP address.

In our example, suppose that we have a variable number of employees, but only one system administrator, and two contractors. Our IP allocation approach will be to put all employees into an IP address pool, and then allocate fixed IP addresses for the system administrator and contractors.

Note that one of the prerequisites of this example is that you have a software firewall running on the OpenVPN server machine which gives you the ability to define specific firewall rules.

For our example, we will assume the firewall is Linux iptables. Next, let's translate this map into an OpenVPN server configuration. First of all, make sure you've followed the steps above for making the First, define a static unit number for our tun interface, so that we will be able to refer to it later in our firewall rules: Because we will be assigning fixed IP addresses for specific System Administrators and Contractors, we will use a client configuration directory:

Now place special configuration files in the ccd subdirectory to define the fixed IP address for each non-Employee VPN client. Each pair of ifconfig-push addresses represents the virtual client and server IP endpoints.

Specifically, the last octet in the IP address of each endpoint pair must be taken from this set: This completes the OpenVPN configuration. The final step is to add firewall rules to finalize the access policy.
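As an added example (not code from the OpenVPN HOWTO this page draws on), the following Python script generates the ccd files discussed in the client-LAN section and in the access-policy section above: a fixed ifconfig-push endpoint pair for each non-employee client and an iroute line for the client that fronts its own LAN. The subnets and common names are constructed assumptions, since the page's own values are missing; the pairing rule it enforces is OpenVPN's net30 convention, where the two endpoints of a pair are the middle addresses of one /30 (last octets 1/2, 5/6, 9/10, ... 253/254).

```python
import ipaddress
import re
import tempfile
from pathlib import Path

# Constructed addressing plan (assumption; the page's own values are missing):
# 10.8.0.0/24 is the dynamic pool for employees; fixed endpoints for the
# sysadmin and contractors live in other /24s of the same VPN /16.
VPN_SUBNET = ipaddress.ip_network("10.8.0.0/16")
DYNAMIC_POOL = ipaddress.ip_network("10.8.0.0/24")

# common name -> (virtual client IP, virtual server endpoint IP)
FIXED_CLIENTS = {
    "sysadmin1": ("10.8.1.1", "10.8.1.2"),
    "contractor1": ("10.8.2.1", "10.8.2.2"),
    "contractor2": ("10.8.2.5", "10.8.2.6"),
}
# common name -> LAN behind that client which should be reachable via the VPN
CLIENT_LANS = {"client2": "192.168.4.0/24"}

# OpenVPN sanitises common names itself, but a generator that writes files
# named after CNs should refuse anything that could escape the ccd directory.
CN_RE = re.compile(r"[A-Za-z0-9_.@-]+")


def valid_net30_pair(client_ip: str, server_ip: str) -> bool:
    """True when both endpoints lie in the VPN subnet and are the middle
    addresses of one /30, i.e. last octets 4k+1 and 4k+2 in either order."""
    c, s = ipaddress.ip_address(client_ip), ipaddress.ip_address(server_ip)
    if c not in VPN_SUBNET or s not in VPN_SUBNET:
        return False
    lo, hi = sorted((int(c), int(s)))
    return hi - lo == 1 and lo % 4 == 1


def render_ccd(cn: str) -> str:
    """Render the contents of ccd/<cn>; empty string if the client needs none."""
    if not CN_RE.fullmatch(cn):
        raise ValueError(f"unsafe common name: {cn!r}")
    lines = []
    if cn in FIXED_CLIENTS:
        client_ip, server_ip = FIXED_CLIENTS[cn]
        if not valid_net30_pair(client_ip, server_ip):
            raise ValueError(f"{cn}: {client_ip} {server_ip} is not a net30 pair")
        if ipaddress.ip_address(client_ip) in DYNAMIC_POOL:
            raise ValueError(f"{cn}: fixed address collides with the dynamic pool")
        lines.append(f"ifconfig-push {client_ip} {server_ip}")
    if cn in CLIENT_LANS:
        lan = ipaddress.ip_network(CLIENT_LANS[cn])
        # iroute tells the server which client owns the subnet; the kernel
        # route and the push to other clients belong in the main server config.
        lines.append(f"iroute {lan.network_address} {lan.netmask}")
    return "".join(line + "\n" for line in lines)


def server_config_lines() -> list[str]:
    """Server-side directives that must accompany the ccd files."""
    out = ["client-config-dir ccd"]
    for lan in map(ipaddress.ip_network, CLIENT_LANS.values()):
        out.append(f"route {lan.network_address} {lan.netmask}")
        out.append(f'push "route {lan.network_address} {lan.netmask}"')
    return out


def write_ccd_dir(ccd_dir: Path) -> list[str]:
    """Write one file per configured client; returns the common names written."""
    ccd_dir.mkdir(parents=True, exist_ok=True)
    names = sorted(set(FIXED_CLIENTS) | set(CLIENT_LANS))
    for cn in names:
        (ccd_dir / cn).write_text(render_ccd(cn))
    return names


def demo() -> dict[str, str]:
    """Write into a temporary directory and read the files back."""
    ccd = Path(tempfile.mkdtemp()) / "ccd"
    return {cn: (ccd / cn).read_text() for cn in write_ccd_dir(ccd)}


if __name__ == "__main__":
    for cn, body in demo().items():
        print(f"--- ccd/{cn}\n{body}", end="")
    print("\n".join(server_config_lines()))
```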

For this example, we will use firewall rules in the Linux iptables syntax: To use this authentication method, first add the auth-user-pass directive to the client configuration. Next, configure the server to use an authentication plugin, which may be a script, shared object, or DLL. The authentication plugin can control whether or not the OpenVPN server allows the client to connect by returning a failure (1) or success (0) value.

Script plugins can be used by adding the auth-user-pass-verify directive to the server-side configuration file. See the description of auth-user-pass-verify in the manual page for more information. For real-world PAM authentication, use the openvpn-auth-pam shared object plugin described below. To use it, add this to the server-side config file:
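The following script plugin is an added example of the auth-user-pass-verify contract described above (username on line 1 and password on line 2 of a temporary file whose path is argv[1]; exit 0 to allow, 1 to reject); it is not from the page or from the OpenVPN project, the server-side paths and the credential records are constructed assumptions, and it stores PBKDF2 hashes rather than cleartext so the store itself is not a password list.

```python
#!/usr/bin/env python3
"""Password check script for OpenVPN's auth-user-pass-verify (via-file mode).

Assumed server-side directives (the script path is a placeholder):
    script-security 2
    auth-user-pass-verify /etc/openvpn/check-user.py via-file
OpenVPN writes the username on line 1 and the password on line 2 of a
temporary file, passes its path as argv[1], and allows the client when the
script exits 0 and rejects it on exit 1.
"""
import hashlib
import hmac
import os
import sys
import tempfile

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


# Constructed credential store: username -> (salt, PBKDF2-HMAC-SHA256 digest).
# A real deployment would load this from a file readable only by the daemon.
USERS = {
    "employee1": (b"salt-employee1-x",
                  hash_password("correct horse battery", b"salt-employee1-x")),
    "contractor1": (b"salt-contractor1",
                    hash_password("Tr0ub4dor&3", b"salt-contractor1")),
}
_DUMMY = (b"\x00" * 16, b"\x00" * 32)


def verify(username: str, password: str) -> int:
    """Return the status OpenVPN expects: 0 = allow, 1 = reject."""
    record = USERS.get(username)
    # Hash even for unknown users so response time does not reveal which
    # usernames exist, and compare digests in constant time.
    salt, expected = record if record is not None else _DUMMY
    ok = hmac.compare_digest(hash_password(password, salt), expected)
    return 0 if (record is not None and ok) else 1


def read_credentials(path: str) -> tuple[str, str]:
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().split("\n")
    if len(lines) < 2 or not lines[0]:
        raise ValueError("expected username on line 1 and password on line 2")
    return lines[0], lines[1]


def main(argv: list[str]) -> int:
    if len(argv) != 2:
        return 1
    try:
        username, password = read_credentials(argv[1])
    except (OSError, UnicodeDecodeError, ValueError):
        return 1
    # Optional binding to the client certificate: OpenVPN exports the
    # certificate's CN to scripts as $common_name, so a leaked password cannot
    # be combined with somebody else's certificate. Skipped when unset.
    cn = os.environ.get("common_name")
    if cn is not None and cn != username:
        return 1
    return verify(username, password)


def demo() -> tuple[int, ...]:
    """Exercise main() with constructed credential files; no OpenVPN needed."""
    os.environ.pop("common_name", None)
    results = []
    for user, pw in (("employee1", "correct horse battery"),
                     ("employee1", "wrong"), ("nobody", "x")):
        with tempfile.NamedTemporaryFile("w", delete=False) as fh:
            fh.write(f"{user}\n{pw}\n")
        results.append(main(["check-user.py", fh.name]))
        os.unlink(fh.name)
    return tuple(results)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```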

For real-world production use, it's better to use the openvpn-auth-pam plugin, because it has several advantages over the auth-pam. Note that client-cert-not-required will not obviate the need for a server certificate, so a client connecting to a server which uses client-cert-not-required may remove the cert and key directives from the client configuration file, but not the ca directive, because it is necessary for the client to verify the server certificate.

Dual-factor authentication is a method of authentication that combines two elements: Something you have should be a device that cannot be duplicated; such a device can be a cryptographic token that contains a private secret key.

This private key is generated inside the device and never leaves it. If a user possessing this token attempts to access protected services on a remote network, the authorization process which grants or denies network access can establish, with a high degree of certainty, that the user seeking access is in physical possession of a known, certified token.

Something you know can be a password presented to the cryptographic device. Without presenting the proper password you cannot access the private secret key. Another feature of cryptographic devices is to prohibit the use of the private secret key if the wrong password had been presented more than an allowed number of times.

This behavior ensures that if a user lost his device, it would be infeasible for another person to use it. Cryptographic devices are commonly called "smart cards" or "tokens", and are used in conjunction with a PKI Public Key Infrastructure.

The VPN server can examine a X. Since the device cannot be duplicated and requires a valid password, the server is able to authenticate the user with a high degree of confidence. Dual-factor authentication is much stronger than password-based authentication, because in the worst-case scenario, only one person at a time can use the cryptographic token. Passwords can be guessed and can be exposed to other users, so in the worst-case scenario an infinite number of people could attempt to gain unauthorized access when resources are protected using password-only authentication.

If you store the secret private key in a file, the key is usually encrypted by a password. Unlike when using a cryptographic device, the file cannot erase itself automatically after several failed decryption attempts.

This standard specifies an API, called Cryptoki, to devices which hold cryptographic information and perform cryptographic functions. Cryptoki, pronounced "crypto-key" and short for cryptographic token interface, follows a simple object-based approach, addressing the goals of technology independence (any kind of device) and resource sharing (multiple applications accessing multiple devices), presenting to applications a common, logical view of the device called a cryptographic token.

To summarize, PKCS 11 is a standard that can be used by application software to access cryptographic tokens such as smart cards and other devices. Most device vendors provide a library that implements the PKCS 11 provider interface -- this library can be used by applications in order to access these devices. PKCS 11 is a cross-platform, vendor-independent free standard. The first thing you need to do is to find the provider library; it should be installed with the device drivers.

Each vendor has its own library. A configured token is a token that has a private key object and a certificate object, where both share the same id and label attributes. A simple enrollment utility is Easy-RSA 2. Each PKCS 11 provider can support multiple devices. In order to view the available object list you can use the following command: The serialized id string of the requested certificate should be specified to the pkcsid option using single quote marks.

This will load two providers into OpenVPN, use the certificate specified on the pkcsid option, and use the management interface in order to query passwords. The daemon will go into hold state when the token cannot be accessed. The token will be used for seconds, after which the password will be re-queried; the session will disconnect if the management session disconnects. PKCS 11 is a free, cross-platform vendor independent standard.

Most smart card vendors provide support for both interfaces. In the Windows environment, the user should select which interface to use. If you wish to run OpenVPN in an administrative environment using a service, the implementation will not work with most smart cards because of the following reasons:

General web browsing, for example, will be accomplished with direct connections that bypass the VPN. In certain cases this behavior might not be desirable -- you might want a VPN client to tunnel all network traffic through the VPN, including general internet web browsing.

While this type of VPN configuration will exact a performance penalty on the client, it gives the VPN administrator more control over security policies when a client is simultaneously connected to both the public internet and the VPN at the same time. If your VPN setup is over a wireless network, where all clients and the server are on the same wireless subnet, add the local flag:

Pushing the redirect-gateway option to clients will cause all IP network traffic originating on client machines to pass through the OpenVPN server. The server will need to be configured to deal with this traffic somehow, such as by NATing it to the internet, or routing it through the server site's HTTP proxy. This command assumes that the VPN subnet is This can be accomplished by pushing a DNS server address to connecting clients which will replace their normal DNS server settings during the time that the VPN is active.

Any address which is reachable from clients may be used as the DNS server address. Redirecting all network traffic through the VPN is not entirely a problem-free proposition. Here are some typical gotchas to be aware of: For more information on the mechanics of the redirect-gateway directive, see the manual page. While OpenVPN clients can easily access the server via a dynamic IP address without any special configuration, things get more interesting when the server itself is on a dynamic address.

While OpenVPN has no trouble handling the situation of a dynamic server, some extra configuration is required. The first step is to get a dynamic DNS address which can be configured to "follow" the server every time the server's IP address changes.

There are several dynamic DNS service providers available, such as dyndns. The next step is to set up a mechanism so that every time the server's IP address changes, the dynamic DNS name will be quickly updated with the new IP address, allowing clients to find the server at its new IP address. There are two basic ways to accomplish this: The OpenVPN client by default will sense when the server's IP address has changed, if the client configuration is using a remote directive which references a dynamic DNS name.

The usual chain of events is that (a) the OpenVPN client fails to receive timely keepalive messages from the server's old IP address, triggering a restart, and (b) the restart causes the DNS name in the remote directive to be re-resolved, allowing the client to reconnect to the server at its new IP address.

So add the following to both client and server configurations: Next, add the http-proxy directive to the client configuration file (see the manual page for a full description of this directive). Add this to the client config: If you would instead like to place these credentials in a file, replace stdin with a filename, and place the username on line 1 of this file and the password on line 2. This example is intended to show how OpenVPN clients can connect to a Samba share over a routed (dev tun) tunnel.

If you are ethernet bridging (dev tap), you probably don't need to follow these instructions, as OpenVPN clients should see server-side machines in their network neighborhood.

If the Samba and OpenVPN servers are running on different machines, make sure you've followed the section on expanding the scope of the VPN to include additional machines.

Next, edit your Samba configuration file smb. Make sure the hosts allow directive will permit OpenVPN clients coming from the If you are running the Samba and OpenVPN servers on the same machine, you may want to edit the interfaces directive in the smb. The OpenVPN client configuration can refer to multiple servers for load balancing and failover. If an existing connection is broken, the OpenVPN client will retry the most recently connected server, and if that fails, will move on to the next server in the list.

You can also direct the OpenVPN client to randomize its server list on startup, so that the client load will be probabilistically spread across the server pool. The 60 parameter tells the OpenVPN client to try resolving each remote DNS name for 60 seconds before moving on to the next server in the list. The server list can also refer to multiple OpenVPN server daemons running on the same machine, each listening for connections on a different port, for example: If your servers are multi-processor machines, running multiple OpenVPN daemons on each server can be advantageous from a performance standpoint.

OpenVPN also supports the remote directive referring to a DNS name which has multiple A records in the zone configuration for the domain.

In this case, the OpenVPN client will randomly choose one of the A records every time the domain is resolved. One of the often-repeated maxims of network security is that one should never place so much trust in a single security component that its failure causes a catastrophic security breach. OpenVPN provides several mechanisms to add additional security layers to hedge against such an outcome.

It can protect against: This command will generate an OpenVPN static key and write it to the file ta. This key should be copied over a pre-existing secure channel to the server and all client machines. It can be placed in the same directory as the RSA. Without root privileges, a running OpenVPN server daemon provides a far less enticing target to an attacker. This configuration is a little more complex, but provides the best security.

In order to work with this configuration, OpenVPN must be configured to use the iproute interface; this is done by passing --enable-iproute2 to the configure script. This configuration uses the Linux ability to change the permissions of a tun device so that an unprivileged user may access it. It also uses sudo in order to execute iproute so that interface properties and the routing table may be modified.

The chroot directive allows you to lock the OpenVPN daemon into a so-called chroot jail, where the daemon would not be able to access any part of the host system's filesystem except for the specific directory given as a parameter to the directive.

This is important from a security perspective, because even if an attacker were able to compromise the server with a code insertion exploit, the exploit would be locked out of most of the server's filesystem.

OpenVPN automatically supports any cipher which is supported by the OpenSSL library, and as such can support ciphers which use large key sizes. For example, the bit version of AES (Advanced Encryption Standard) can be used by adding the following to both server and client configuration files: In a high security environment, you might want to specially designate a machine for key signing purposes, keep the machine well-protected physically, and disconnect it from all networks.

Floppy disks can be used to move key files back and forth, as necessary. Such measures make it extremely difficult for an attacker to steal the root key, short of physical theft of the key signing machine. Revoking a certificate means to invalidate a previously signed certificate so that it can no longer be used for authentication purposes. As an example, we will revoke the client2 certificate, which we generated above in the "key generation" section of the HOWTO.

First open up a shell or command prompt window and cd to the easy-rsa directory as you did in the "key generation" section above. Note the "error 23" in the last line.


Time to add our new configuration. At the bottom, in the text field, enter a new name “pia_client”, select “Simple client configuration for a routed point-to-point VPN” and click the Add button (Figure 3). Step 1: Download and Install the OpenVPN Desktop Client. Click here to download the OpenVPN Connect Client. You can also use the Client from OpenVPN, the. OpenVPN is a full-featured open source Secure Socket Layer (SSL) VPN solution that accommodates a wide range of configurations. In this tutorial, we'll set up an OpenVPN server on a Droplet and then configure access to it from Windows, OS X, iOS and A.