< Previous | Contents | Next >

1.4. Simple Client Configuration

There are various different OpenVPN client implementations with and without GUIs. You can read more about clients in a later section. For now we use the OpenVPN client for Ubuntu which is the same executable as the server. So you have to install the openvpn package again on the client machine:

sudo apt install openvpn

This time copy the client.conf sample config file to /etc/openvpn/.

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/

Copy the client keys and the certificate of the CA you created in the section above to e.g. /etc/openvpn/ and edit /etc/openvpn/client.conf to make sure the following lines are pointing to those files. If you have the files in /etc/openvpn/ you can omit the path.

ca ca.crt

cert client1.crt key client1.key

And you have to at least specify the OpenVPN server name or address. Make sure the keyword client is in the config. That's what enables client mode.

client

remote vpnserver.example.com 1194

Also, make sure you specify the keyfile names you copied from the server

ca ca.crt

cert client1.crt key client1.key

Now start the OpenVPN client:

ubuntu@testopenvpn-client:~$ sudo systemctl start openvpn@client ubuntu@testopenvpn-client:~$ sudo systemctl status openvpn@client

. [email protected] - OpenVPN connection to client

Loaded: loaded (/lib/systemd/system/[email protected]; disabled; vendor preset: enabled)

Active: active (running) since Tue 2016-04-12 08:50:50 UTC; 3s ago Docs: man:openvpn(8)

https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage https://community.openvpn.net/openvpn/wiki/HOWTO

Process: 1677 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status

10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writep Main PID: 1679 (openvpn)

Tasks: 1 (limit: 512)

CGroup: /system.slice/system-openvpn.slice/[email protected]

|-1679 /usr/sbin/openvpn --daemon ovpn-client --status /run/openvpn/client.status

10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/client.conf --wr

Apr 12 08:50:52 testopenvpn-client ovpn-client[1679]: OPTIONS IMPORT: --ifconfig/up options modified

Apr 12 08:50:52 testopenvpn-client ovpn-client[1679]: OPTIONS IMPORT: route options modified Apr 12 08:50:52 testopenvpn-client ovpn-client[1679]: ROUTE_GATEWAY

192.168.122.1/255.255.255.0 IFACE=eth0 HWADDR=52:54:00:89:ca:89

Apr 12 08:50:52 testopenvpn-client ovpn-client[1679]: TUN/TAP device tun0 opened

Apr 12 08:50:52 testopenvpn-client ovpn-client[1679]: TUN/TAP TX queue length set to 100 Apr 12 08:50:52 testopenvpn-client ovpn-client[1679]: do_ifconfig, tt->ipv6=0, tt-

>did_ifconfig_ipv6_setup=0

Apr 12 08:50:52 testopenvpn-client ovpn-client[1679]: /sbin/ip link set dev tun0 up mtu 1500 Apr 12 08:50:52 testopenvpn-client ovpn-client[1679]: /sbin/ip addr add dev tun0 local

10.8.0.6 peer 10.8.0.5

Apr 12 08:50:52 testopenvpn-client ovpn-client[1679]: /sbin/ip route add 10.8.0.1/32 via 10.8.0.5

Apr 12 08:50:52 testopenvpn-client ovpn-client[1679]: Initialization Sequence Completed

Check if it created a tun0 interface:

root@client:/etc/openvpn# ifconfig tun0

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255

UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1

Check if you can ping the OpenVPN server:

root@client:/etc/openvpn# ping 10.8.0.1

PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.

64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=0.920 ms

The OpenVPN server always uses the first usable IP address in the client network and only that IP is pingable. E.g. if you configured a /24 for the client network mask, the .1 address will be used. The P- t-P address you see in the ifconfig output above is usually not answering ping requests.

Check out your routes:

root@client:/etc/openvpn# netstat -rn Kernel IP routing table

Destination Gateway Genmask Flags MSS Window irtt Iface

< Previous | Contents | Next >