Table of Contents
Objective: View the OpenVPN configuration files on the client and server.
You have already configured the OpenVPN server and generated a client config. We are almost ready! However, we have to make a configuration change before we connect to the server. There is a documented configuration error that we must correct.
push "comp-lzo no" causes an error occurs on some OpenVPN
clients. We should fix our configurations to work reliably using any client.
The error is trying to set
comp-lzo through a
push command if the
setting does not exist in the client. The server can set
the client only if the directive already exists. We should add
comp-lzo no to the client config to correct this issue.
push is used to send or push settings to the client. Using
it easier to maintain client configs because the settings are changed once
on the server, instead of modifying each client.
root@vps298933:~# docker run -v /root/vpn-data:/etc/openvpn --rm myownvpn ovpn_genconfig -u udp://IP_ADDRESS:PORT Processing PUSH Config: 'block-outside-dns' Processing Route Config: '192.168.254.0/24' Processing PUSH Config: 'dhcp-option DNS 220.127.116.11' Processing PUSH Config: 'dhcp-option DNS 18.104.22.168' Processing PUSH Config: 'comp-lzo no' Successfully generated config Cleaning up before Exit ...
The configuration files for OpenVPN are in directory
You can view the files by opening a shell connection to the Docker container.
docker exec -it openvpn /bin/bash
Recall, that we mounted this directory to
/root/vpn-data so that we can
modify the conf files without having to enter the container. As you can see,
the files are identical.
root@vps298933:~# docker exec -it openvpn /bin/bash bash-4.4# ls -lh /etc/openvpn total 20 drwxr-xr-x 2 root root 4.0K Apr 18 15:04 ccd -rw-r--r-- 1 root root 650 Apr 18 15:06 crl.pem -rw-r--r-- 1 root root 642 Apr 18 15:04 openvpn.conf -rw-r--r-- 1 root root 813 Apr 18 15:04 ovpn_env.sh drwx------ 6 root root 4.0K Apr 18 15:09 pki bash-4.4# exit exit root@vps298933:~# ls -lh ~/vpn-data/ total 20K drwxr-xr-x 2 root root 4.0K Apr 18 21:04 ccd -rw-r--r-- 1 root root 650 Apr 18 21:06 crl.pem -rw-r--r-- 1 root root 642 Apr 18 21:04 openvpn.conf -rw-r--r-- 1 root root 813 Apr 18 21:04 ovpn_env.sh drwx------ 6 root root 4.0K Apr 18 21:09 pki root@vps298933:~#
View these two resources for additional configuration insights:
The default file name for the server configuration files is server.conf.
For this Docker project, the developer decided to call it
Let’s look at some of these directives.
openvpn.conf file and view the configuration.
- server 192.168.255.0 255.255.255.0
serverspecifies the IP address and subnet mask of the network.
- verb 3
verbis the verbose setting, which controls how much data the program logs or displays. 1 is the default, but 3 is a recommended value.
- key, ca, cert, dh, tls–auth
These directives specify the paths to the keys and certificates.
- key-direction 0
The key direction should be to 0 on the server, and 1 on the client.
- keepalive 10 60
keepalivepersists the connection on the server. It has two arguments, which are ping and timeout.
10is the ping value. The server pings the client every 10 seconds.
60is the timeout value. The server will assume the remote peer is down if the client does respond in the specified time.
- persist-key, persist-tun
Does not re-read the key or drop the tunnel if the connection is dropped.
- proto udp
protodefines with protocol to use, UDP or TCP.
UDP is preferred because TCP/IP ensures data delivery after the data passes through the VPN connection.
TCP adds overhead and can slow down the connection.
TCP is used to bypass VPN detection by using port 443 to masquerade the data as HTTPS data.
- port 1194
portspecifies which port the VPN server accepts connections.
A Docker-based configuration relies on the port forwarding to change the port.
- dev tun0
devsets the name of the virtual network device to use. It makes configuring the firewall easier if the value is specified in the config.
- status /tmp/openvpn-status.log
statusdefines the location of the log file.
- user nobody, group nogroup
A security feature that sets the user and group of the OpenVPN daemon to nobody after it starts.
It protects the system is an intruder gains control of the process.
- comp-lzo no
comp-lzospecifies the compression link.
yesforces the use of compression
adaptivedetermines compression from the client config
- route 192.168.254.0 255.255.255.0
routedefines the routing table in the OpenVPN server’s routing table.
pushsends a configuration to the client.
Prevents from having to define these values statically in the client.
push "block-outside-dns"forces the network to use the DNS servers specified in the OpenVPN config.
block-outside-dnsprevents DNS leak.
push "dhcp-option DNS 22.214.171.124"specifies which DNS server that a client should use.
push "comp-lzo no"disables compression on the client
push "comp-lzo"directive does not work reliably across all clients. Some clients will ignore the request if
comp-lzois not explicitly defined in the client config.
The default file name for the server configuration files is client.conf.
The configuration guide for this project called it
user1.ovpn. You can
create many client configs. The name is not important.
Let’s look at some of these directives.
user1.ovpn file and view the configuration.
clientenables client mode. It identifies this file as a client config.
nobinduses a random port on the client side to connect to the server. Otherwise, the OpenVPN client uses the same port as the server.
This directive is needed for running multiple VPN clients on the same host.
- dev tun
devspecifies the VPN tunnel. The two options are
TUN only passes TCP/IP traffic and does not provide any broadcast traffic across the VPN tunnel.
TAP is used for more advanced setups when it is necessary to pass broadcast data to the client or server, such as for network discovery.
- remote-cert-tls server
This directive requires that the certificate on the other end is a server certificate.
- remote 10.10.235.128 11111 udp
remotecontains the information necessary to connect to the server.
remote IP port protocol
10.10.235.128is the IP address of the server
11111informs the client which port to connect to on the server
udpspecifies using the UDP protocol. The other option is TCP.
- redirect-gateway def1
This directive redirects all traffic through the VPN.