OpenVPN Server Configuration ~ Explained
Last week I said we’d look at both server and client configuration. However, I’ve reconsidered, because there is a lot of information to review, so I’ll cover each separately. Let’s begin with the server configuration. I’ll take you through each configuration parameter and explain its significance in greater detail.
For someone who has never looked at OpenVPN, the configuration options look rather long and cryptic at first glance. Let me put your mind at ease: it’s not that difficult. In fact, once you’ve configured it once or twice it’s second nature. Oh, one more thing: a parameter is disabled by placing a ‘;’ in front of it. Here is an example:
;local   (commented out, so disabled)
local    (active, so enabled)
Once you dive into the configuration, the first parameter you’ll come across is ‘local’.
Local – This parameter specifies the address of the interface OpenVPN listens on. It is optional if your PC has a single interface; it becomes significant if your PC has multiple interfaces and you wish to limit OpenVPN to just one of them. Syntax: local 192.168.x.x
Port – The OpenVPN service must bind to an available port, on which it expects inbound connections. OpenVPN has been assigned a permanent port, 1194. However, you don’t have to use this port; in fact you can use any port you wish as long as it’s not used by another service. Some people say you should use a different port, because everyone knows 1194 is OpenVPN, so automated scanning tools may scour the Internet looking for OpenVPN servers on port 1194. If you use a different port, those scanners will not detect OpenVPN because they’re configured to scan port 1194: a bit of security through obscurity. Personally I believe there is some truth in this. Will it stop a targeted attack? No: a seasoned attacker will fingerprint ports, so eventually he will discover OpenVPN on your host. But it will stop blind automated scanners. Syntax: port <port #>
Dev Tap or Dev Tun – These refer to OpenVPN’s virtual interface types. The main difference between them is that TAP functions at Layer 2 (bridged) and TUN at Layer 3 (routed). Most of the time you’ll be using routed VPN tunnels, therefore you’ll be using TUN. What is important here is that both server and client configuration must specify the same virtual device type. Syntax: dev tun
Dev-Node – Typically this parameter is only required on Windows hosts, and only if you have multiple virtual VPN interfaces. “MyTap” is an arbitrary name that may be assigned to each virtual VPN interface (right-click the interface and rename it). Windows defaults to “Local Area Connection 2”, “Local Area Connection 3”, etc. Syntax: dev-node name-of-my-interface
Ca – This parameter specifies the Certificate Authority certificate filename. If you used the OpenVPN easy-rsa scripts (see this blog post) to create your OpenVPN Certificate Authority, your CA certificate will always be named ca.crt. You can rename it to whatever you’d like as long as the new name is specified in the configuration file. Syntax: ca filename.crt
Cert – This parameter refers to the filename of your server certificate. When generating certificates through the easy-rsa scripts you have the flexibility of calling them anything meaningful, for example ‘Server.crt’. The name is arbitrary, but whatever you choose must match the configuration. Refer to my previous blog post on how to do this. Syntax: cert filename.crt
Key – This parameter refers to the filename of the private key corresponding to your generated server certificate. PKI (Public Key Infrastructure) uses public and private key pairs, so when you generate your ‘Server’ certificate you’ll have a certificate carrying the public key, ‘Server.crt’, and a private key, ‘Server.key’. Your private key must always remain confidential; it should never be given to anyone. You should only give out your public key (the certificate). Syntax: key filename.key
Dh – This parameter refers to the Diffie-Hellman parameters file, used for the key exchange between client and server as the connection is initiated. The OpenVPN easy-rsa scripts make it really easy to generate one. It is typically named dh1024.pem or dh2048.pem, depending on whether you generate 1024-bit or 2048-bit parameters. Refer to my previous blog post on how to do this. Syntax: dh filename.pem
Server – This parameter specifies the subnet used for VPN connections. Whatever IP range you specify, the first usable IP is typically assigned to the server. You can specify any private IP range (192.168.x.x, 10.x.x.x, 172.16.x.x). Syntax: server network subnet-mask
server 192.168.10.0 255.255.255.0
Ifconfig-pool-persist – OpenVPN stores the virtual IP addresses handed to clients in a text file. Stored IPs are taken from the pool configured through the ‘server’ parameter above. If OpenVPN is restarted, clients are assigned the same virtual IP addresses recorded in this file. Syntax: ifconfig-pool-persist filename.txt
Server-bridge – This option is only relevant when using bridged Layer 2 VPN connections; see the ‘Dev Tap’ parameter. Syntax: server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
10.8.0.4 255.255.255.0 = IP address and mask assigned to the server’s bridge interface
10.8.0.50 10.8.0.100 = IP range assigned to clients
Push – This option is relevant when using routed Layer 3 connections; see the ‘Dev Tun’ parameter. Once OpenVPN establishes a connection it can push routes to other networks behind the server down to the client, allowing the client to reach multiple networks hidden behind the server. Syntax: push “route network-ip network-mask” (the quotes are required)
Client-to-client – By default VPN clients are isolated from each other for added security, meaning active clients cannot see other clients on the VPN. If you have special requirements and need client-to-client communication, enable this option. Syntax: client-to-client
duplicate-cn – Typically you’d generate a separate certificate per client, but in some circumstances you may give the same certificate to all clients. In that case this parameter must be enabled. Refer to my previous blog post on how to generate client certificates. Syntax: duplicate-cn
Keepalive – This parameter monitors active VPN connections: a ping packet is sent between client and server at the specified interval. Syntax: keepalive <how-often-to-ping> <ping-timeout>
keepalive 10 120
Ping every 10 seconds
If no ping is received for 120 seconds, assume the connection is down
tls-auth – For added protection against DDoS attacks and port flooding, OpenVPN uses an HMAC key to sign packets. Incoming packets not signed with this key are dropped. This option requires two parameters: (i) the key filename and (ii) the key direction, which tells OpenVPN whether this side is the server or the client. Syntax: tls-auth filename.key <0 or 1>
tls-auth ta.key 0 = Server
tls-auth ta.key 1 = Client
cipher – This parameter specifies the encryption cipher. You have three choices (Blowfish, AES and Triple DES). The default is Blowfish, which offers good encryption; AES offers better encryption; and if you’re really paranoid go with Triple DES. One word of caution: stronger encryption adds more overhead and processing, which will of course impact performance. Personally I use AES. Note that both client and server must specify the same cipher. Syntax: cipher <type>
cipher BF-CBC = Blowfish
cipher AES-128-CBC = AES
cipher DES-EDE3-CBC = Triple DES
comp-lzo – Enabling this parameter compresses the traffic on your VPN connection, which increases link performance. This option is enabled by default; if you choose to disable it you must disable it on both server and client. Syntax: comp-lzo
Max-clients – This parameter gives you some control over concurrent client connections. The default is 100 connections, but for smaller Internet pipes reducing this number may give you better overall performance. Syntax: max-clients <#>
user nobody & group nobody – These parameters are only relevant on non-Windows operating systems. By specifying ‘nobody’, the OpenVPN service drops its privileges to the unprivileged ‘nobody’ user and group after start-up, which increases system security.
Syntax: user nobody
Syntax: group nobody
persist-key & persist-tun – These parameters keep certain resources (the key files and the TUN/TAP device) open across restarts. Once privileges are downgraded to nobody, the OpenVPN service can no longer re-acquire such resources on its own; enabling these options ensures they remain available without elevating system privileges.
Status – This option, when enabled, creates a status log. The file is dynamically updated with active connection information, such as who is connected and their IP information. The filename is arbitrary.
Syntax: status filename.log
Log – This option creates a log file when the OpenVPN service is started, which is helpful in troubleshooting connection problems. The file is overwritten every time OpenVPN is started.
Syntax: log filename.log
Log-append – This option is similar to the one above; however, the file is persistent because information is appended rather than overwritten. It may be useful for long-term logging of OpenVPN connections.
Syntax: log-append filename.log
Verb – This option sets the log verbosity level, from 0 to 9, with 0 being silent except for fatal errors and 9 extremely verbose. 5 or 6 is good for debugging connection problems; 4 is good for general use. Syntax: verb <#>
Mute – This option limits how many consecutive duplicate messages are written to the log. Syntax: mute <#>
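To tie the parameters above together, here is an added example (mine, not code from the original post or from the OpenVPN project): a small Python linter that parses a constructed server.conf assembled from the directives discussed here and checks the points I would review before deploying it. It honours the ‘;’ disable convention, keeps quoted push arguments whole, and flags mis-cased directive names (OpenVPN matches option names case-sensitively, so ‘Dev tun’ is rejected by the real parser), a tls-auth key direction other than 0 on the server, push lines without a quoted ‘route network mask’, privilege dropping without persist-key and persist-tun, and malformed keepalive or verb values. The file names, addresses and the KNOWN directive list are assumptions; the list is limited to the directives covered in this post, so a real config using other options would need it extended.

```python
"""Lint an OpenVPN server.conf built from the directives discussed in the post.

Added example, not code from the original post or from the OpenVPN project.
The sample config, file names and addresses are constructed."""
import shlex
from typing import Dict, List

# Constructed sample: the post's directives assembled into one server.conf.
SAMPLE_SERVER_CONF = """\
;local 192.168.1.10
port 1194
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 192.168.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.20.0 255.255.255.0"
;client-to-client
;duplicate-cn
keepalive 10 120
tls-auth ta.key 0
cipher AES-128-CBC
comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 4
mute 20
"""

# Directives covered in the post (assumption: a real config may use more).
# OpenVPN matches option names case-sensitively, so "Dev tun" is rejected by
# the real parser; the linter reports it as unknown for the same reason.
KNOWN = {
    "local", "port", "dev", "dev-node", "ca", "cert", "key", "dh", "server",
    "ifconfig-pool-persist", "server-bridge", "push", "client-to-client",
    "duplicate-cn", "keepalive", "tls-auth", "cipher", "comp-lzo",
    "max-clients", "user", "group", "persist-key", "persist-tun", "status",
    "log", "log-append", "verb", "mute",
}


def parse_conf(text: str) -> Dict[str, List[List[str]]]:
    """Return {directive: [args, ...]}; a directive such as push may repeat.
    Lines starting with ';' (or '#') are disabled, as the post describes, and
    shlex keeps a quoted argument like "route a.b.c.d mask" as one token."""
    conf: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        tokens = shlex.split(line)
        conf.setdefault(tokens[0], []).append(tokens[1:])
    return conf


def lint_server_conf(text: str) -> List[str]:
    """Return findings for the checks below; an empty list means all passed."""
    conf = parse_conf(text)
    findings: List[str] = []
    for name in conf:
        if name not in KNOWN:
            findings.append(f"unknown or mis-cased directive '{name}'")
    # Routed (tun) servers need a 'server' subnet, bridged (tap) a server-bridge.
    dev = conf.get("dev", [[]])[0]
    if dev[:1] not in (["tun"], ["tap"]):
        findings.append("dev must be tun or tap")
    elif dev[0] == "tun" and "server" not in conf:
        findings.append("dev tun (routed) needs a 'server' subnet")
    elif dev[0] == "tap" and "server-bridge" not in conf:
        findings.append("dev tap (bridged) needs 'server-bridge'")
    # The only push use covered in the post is a quoted route: push "route net mask".
    for args in conf.get("push", []):
        parts = args[0].split() if args else []
        if parts[:1] != ["route"] or len(parts) != 3:
            findings.append(f"push needs a quoted 'route network mask', got {args}")
    # The server side of tls-auth must use key direction 0 (clients use 1).
    if "tls-auth" not in conf:
        findings.append("tls-auth missing: unsigned packets will not be dropped")
    for args in conf.get("tls-auth", []):
        if len(args) != 2 or args[1] != "0":
            findings.append("server side of tls-auth must use key direction 0")
    # After dropping to nobody, only persist-key/persist-tun keep those resources.
    if ("user" in conf or "group" in conf) and not (
            "persist-key" in conf and "persist-tun" in conf):
        findings.append("user/group drop needs persist-key and persist-tun")
    for args in conf.get("keepalive", []):
        if (len(args) != 2 or not all(a.isdigit() for a in args)
                or int(args[1]) <= int(args[0])):
            findings.append("keepalive wants <interval> <timeout>, timeout > interval")
    for args in conf.get("verb", []):
        if len(args) != 1 or not args[0].isdigit() or int(args[0]) > 9:
            findings.append("verb must be 0-9")
    return findings


if __name__ == "__main__":
    for finding in lint_server_conf(SAMPLE_SERVER_CONF) or ["no findings"]:
        print(finding)
```

Run it against your own file with lint_server_conf(open("server.conf").read()); a clean run prints “no findings”, and each finding names the directive to revisit in the explanations above.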
Well, that’s it. Several other, more advanced configuration options are available but are not required in most cases. The parameters above will give you a fantastic, quick and very secure VPN server. Next week I’ll show you the final product along with the matching client configuration.