Creating Configuration Files for Server and Clients
Getting the sample config files
It is best to use the OpenVPN sample configuration files as a starting point for your own configuration. These files can be found in:
The sample-config-files directory of the OpenVPN source distribution.
The sample-config-files directory in /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn if installed from an RPM or DEB package.
Start Menu > All Programs > OpenVPN > OpenVPN Sample Configuration Files on Windows.
Note
The sample configuration files on Linux, BSD, or Unix-like OSes are named server.conf and client.conf. On Windows, they're named server.ovpn and client.ovpn.
Editing the server configuration file
The sample server configuration file is an ideal starting point for an OpenVPN server configuration. It will create a VPN using a virtual TUN network interface (for routing), listen for client connections on UDP port 1194 (OpenVPN's official port number), and distribute virtual addresses to connecting clients from the 10.8.0.0/24 subnet.
Before using the sample configuration file, edit the ca, cert, key, and dh parameters so that they point to the files you generated in the PKI topic.
At this point, the server configuration file is usable. However, you still might want to customize it further:
If using Ethernet bridging, you must use server-bridge and dev tap instead of server and dev tun.
If you want your OpenVPN server to listen on a TCP port instead of a UDP port, use proto tcp instead of proto udp. (If you want OpenVPN to listen on both a UDP and TCP port, you must run two separate OpenVPN instances).
You should modify the server directive if you want to use a virtual IP address range other than 10.8.0.0/24. Remember that this virtual IP address range should be a private range that is currently unused on your network.
Uncomment the client-to-client directive if connecting clients should be able to reach each other over the VPN. By default, clients can only reach the server, which keeps each client isolated from the others; leave the directive commented unless you need that reachability.
If using Linux, BSD, or a Unix-like OS, you can improve security by uncommenting the user nobody and group nobody directives so that the daemon drops root privileges once initialization is complete (on some distributions, such as Debian and Ubuntu, the group is nogroup). Keep persist-key and persist-tun enabled alongside them, so that a restart does not have to reopen the key file and the TUN/TAP device, which the unprivileged user can no longer access.
You can run multiple OpenVPN instances on the same machine, each using a different configuration file, provided that you:
Use a different port number for each instance (the UDP and TCP protocols use different port spaces, so you can run one daemon listening on UDP-1194 and another on TCP-1194).
If using Windows, each OpenVPN configuration needs to have its own TAP-Windows adapter. You can add adapters by going to Start Menu > All Programs > TAP-Windows > Add a new TAP-Windows virtual ethernet adapter.
If you are running multiple OpenVPN instances out of the same directory, make sure to edit directives that create output files so that multiple instances do not overwrite each other's output files. These directives include log, log-append, status, and ifconfig-pool-persist.
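As an added example (not one of the project's own sample files), here is a complete server.conf that reflects the edits above: a routed tun VPN over UDP port 1194, the 10.8.0.0/24 address pool, privilege dropping with the persist options, and explicitly named output files so that a second instance can be given its own. The paths under /etc/openvpn/server and /var/log/openvpn are assumptions; substitute the locations of your own PKI files.

```conf
# server.conf: routed (dev tun) OpenVPN server listening on UDP/1194.
# To run a second instance, copy this file and change port, server
# and every output-file directive below.
port 1194
proto udp
dev tun

# PKI material generated in the PKI topic (paths are assumptions)
ca   /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key  /etc/openvpn/server/server.key
dh   /etc/openvpn/server/dh.pem

# Hand out 10.8.0.0/24 to clients; the server itself takes 10.8.0.1.
# Must be a private range not already in use on your network.
server 10.8.0.0 255.255.255.0

# Remember which client got which address across restarts
# (per-instance output file)
ifconfig-pool-persist /var/log/openvpn/ipp.txt

# Clients stay isolated from each other unless this is uncommented
;client-to-client

# Ping every 10 s; declare the peer dead after 120 s of silence
keepalive 10 120

# Drop root after initialization (Linux/BSD/Unix only; use
# "group nogroup" on Debian/Ubuntu)
user nobody
group nobody
# Needed with user/group so a SIGUSR1 restart does not have to reopen
# the key file and TUN device as the unprivileged user
persist-key
persist-tun

# Output files: unique per instance so they are not overwritten
status     /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
```

For an Ethernet-bridged setup, replace dev tun with dev tap and the server line with a server-bridge line; for TCP, change proto udp to proto tcp (and run a separate instance if you want both).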
Editing the client configuration files
The sample client configuration file (client.conf on Linux/BSD/Unix or client.ovpn on Windows) mirrors the default directives set in the sample server configuration file.
Like the server configuration file, first edit the ca, cert, and key parameters to point to the files you generated in the PKI topic.
Note
Each client should have its own cert/key pair. Only the ca file is universal across the OpenVPN server and all clients.
Next, edit the remote directive to point to the hostname/IP address and port number of the OpenVPN server. If the server runs on a single-NIC machine behind a firewall/NAT gateway, use the public IP address of the gateway and a port number that you have configured the gateway to forward to the OpenVPN server.
Finally, ensure that the client configuration file is consistent with the directives used in the server configuration. The main things to check are that the dev (tun or tap) and proto (udp or tcp) directives match on both sides. Also make sure that comp-lzo and fragment, if used, are present in both the client and server config files. Note that comp-lzo is deprecated in current OpenVPN releases: compressing traffic before encryption lets an attacker who can inject data into a session infer secrets from ciphertext sizes, so leave compression out of new deployments unless you have a specific need for it.
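As an added example (not the project's own sample client.conf), here is a client configuration consistent with a server that uses dev tun and proto udp on port 1194 and has neither comp-lzo nor fragment set. The hostname vpn.example.com and the file names client1.crt and client1.key are assumptions; each client gets its own cert/key pair, while ca.crt is the same file used by the server and every other client.

```conf
# client.conf: must agree with the server on dev, proto, and on
# whether comp-lzo / fragment are used (here: neither).
client
dev tun
proto udp

# Public hostname/IP and port of the server, or of the NAT gateway
# that forwards this port to it (hostname is an assumption)
remote vpn.example.com 1194
# Keep retrying name resolution if the network is down at startup
resolv-retry infinite
# Do not bind a fixed local port
nobind

# Drop root after initialization (Linux/BSD/Unix only; use
# "group nogroup" on Debian/Ubuntu); persist-* so a SIGUSR1 restart
# works without reopening the key file and TUN device
user nobody
group nobody
persist-key
persist-tun

# PKI files: ca.crt is shared, cert/key are unique to this client
ca   ca.crt
cert client1.crt
key  client1.key

# Refuse to connect unless the peer's certificate was issued for
# server use, so another client's cert cannot impersonate the server
remote-cert-tls server

verb 3
```

If the server switches to dev tap, proto tcp, or adds a fragment or comp-lzo line, the same change has to be made here, otherwise the tunnel will either fail to come up or pass garbage.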