Step 2: Examining the Config Files
Objective: View the OpenVPN configuration files on the client and server.
You have already configured the OpenVPN server and generated a client config. We are almost ready! However, we have to make a configuration change before we connect to the server. There is a documented configuration error that we must correct.
Note
push "comp-lzo no" causes an error on some OpenVPN clients. We should fix our configurations so that they work reliably with any client.
The error comes from trying to set comp-lzo through a push command when the setting does not exist in the client. The server can set comp-lzo in the client only if the directive already exists there. We should add comp-lzo no to the client config to correct this issue.
push is used to send, or push, settings to the client. Using push makes it easier to maintain client configs because the settings are changed once on the server, instead of modifying each client.
root@vps298933:~# docker run -v /root/vpn-data:/etc/openvpn --rm myownvpn ovpn_genconfig -u udp://IP_ADDRESS:PORT
Processing PUSH Config: 'block-outside-dns'
Processing Route Config: '192.168.254.0/24'
Processing PUSH Config: 'dhcp-option DNS 8.8.8.8'
Processing PUSH Config: 'dhcp-option DNS 8.8.4.4'
Processing PUSH Config: 'comp-lzo no'
Successfully generated config
Cleaning up before Exit ...
6.2.1. OpenVPN Conf Files
The configuration files for OpenVPN are in the directory /etc/openvpn. You can view the files by opening a shell connection to the Docker container:
docker exec -it openvpn /bin/bash
Recall that we mounted this directory to /root/vpn-data so that we can modify the conf files without having to enter the container. As you can see, the files are identical.
root@vps298933:~# docker exec -it openvpn /bin/bash
bash-4.4# ls -lh /etc/openvpn
total 20
drwxr-xr-x 2 root root 4.0K Apr 18 15:04 ccd
-rw-r--r-- 1 root root  650 Apr 18 15:06 crl.pem
-rw-r--r-- 1 root root  642 Apr 18 15:04 openvpn.conf
-rw-r--r-- 1 root root  813 Apr 18 15:04 ovpn_env.sh
drwx------ 6 root root 4.0K Apr 18 15:09 pki
bash-4.4# exit
exit
root@vps298933:~# ls -lh ~/vpn-data/
total 20K
drwxr-xr-x 2 root root 4.0K Apr 18 21:04 ccd
-rw-r--r-- 1 root root  650 Apr 18 21:06 crl.pem
-rw-r--r-- 1 root root  642 Apr 18 21:04 openvpn.conf
-rw-r--r-- 1 root root  813 Apr 18 21:04 ovpn_env.sh
drwx------ 6 root root 4.0K Apr 18 21:09 pki
root@vps298933:~#
Tip
View these two resources for additional configuration insights:
OpenVPN Configuration from stosb.com.
Server Guide for OpenVPN from Ubuntu.
openvpn.conf
The default file name for the server configuration file is server.conf. For this Docker project, the developer decided to call it openvpn.conf.
Let’s look at some of these directives. Open the openvpn.conf file and view the configuration.
- server 192.168.255.0 255.255.255.0
server specifies the IP address and subnet mask of the VPN network.
- verb 3
verb is the verbosity setting, which controls how much data the program logs or displays. 1 is the default, but 3 is a recommended value.
- key, ca, cert, dh, tls-auth
These directives specify the paths to the keys and certificates.
- key-direction 0
The key direction should be set to 0 on the server and 1 on the client.
- keepalive 10 60
keepalive persists the connection on the server. It has two arguments, ping and timeout. 10 is the ping value: the server pings the client every 10 seconds. 60 is the timeout value: the server will assume the remote peer is down if the client does not respond in the specified time.
- persist-key, persist-tun
Do not re-read the key or drop the tunnel if the connection is dropped.
- proto udp
proto defines which protocol to use, UDP or TCP. UDP is preferred because TCP/IP already ensures data delivery after the data passes through the VPN connection. TCP adds overhead and can slow down the connection. TCP is used to bypass VPN detection by using port 443 to masquerade the data as HTTPS data.
- port 1194
port specifies the port on which the VPN server accepts connections. A Docker-based configuration relies on port forwarding to change the port.
- dev tun0
dev sets the name of the virtual network device to use. It makes configuring the firewall easier if the value is specified in the config.
- status /tmp/openvpn-status.log
status defines the location of the status log file.
- user nobody, group nogroup
A security feature that sets the user and group of the OpenVPN daemon to nobody after it starts. It protects the system if an intruder gains control of the process.
- comp-lzo no
comp-lzo specifies link compression. no disables compression, yes forces the use of compression, and adaptive determines compression from the client config.
- route 192.168.254.0 255.255.255.0
route adds this network to the OpenVPN server’s routing table.
- push
push sends a configuration directive to the client. It prevents having to define these values statically in the client.
push "block-outside-dns" forces clients to use the DNS servers specified in the OpenVPN config. Using block-outside-dns prevents DNS leaks.
push "dhcp-option DNS 8.8.8.8" specifies which DNS server a client should use.
push "comp-lzo no" disables compression on the client.
Caution
The push "comp-lzo" directive does not work reliably across all clients. Some clients will ignore the request if comp-lzo is not explicitly defined in the client config.
client.ovpn
The default file name for the client configuration file is client.conf. The configuration guide for this project called it user1.ovpn. You can create many client configs. The name is not important.
Let’s look at some of these directives. Open the user1.ovpn file and view the configuration.
- client
Adding client enables client mode. It identifies this file as a client config.
- nobind
nobind uses a random port on the client side to connect to the server. Otherwise, the OpenVPN client uses the same port as the server. This directive is needed for running multiple VPN clients on the same host.
- dev tun
dev specifies the VPN tunnel type. The two options are TUN and TAP. TUN only passes TCP/IP traffic and does not provide any broadcast traffic across the VPN tunnel. TAP is used for more advanced setups when it is necessary to pass broadcast data to the client or server, such as for network discovery.
- remote-cert-tls server
This directive requires that the certificate on the other end is a server certificate.
- remote 10.10.235.128 11111 udp
remote contains the information necessary to connect to the server, in the form remote IP port protocol. 10.10.235.128 is the IP address of the server, 11111 informs the client which port to connect to on the server, and udp specifies using the UDP protocol. The other option is TCP.
- redirect-gateway def1
This directive redirects all traffic through the VPN.
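To check the server and client configs against each other for the comp-lzo push problem described in the Note and for the key-direction and protocol pairings described in the directive walkthroughs above, here is an added lint script (example code written for this page, not part of the Docker project or the tutorial). It parses two constructed sample configs built from the directives discussed here and assumes the hypothetical helper names parse, lint and fix_client.

```python
import re
# Constructed sample configs (not the tutorial's files) built from directives
# on this page. The client deliberately omits comp-lzo, reproducing the bug.
SERVER_CONF = """\
server 192.168.255.0 255.255.255.0
key-direction 0
proto udp
comp-lzo no
push "block-outside-dns"
push "comp-lzo no"
"""
CLIENT_OVPN = """\
client
remote 10.10.235.128 11111 udp
key-direction 1
"""

def parse(text: str) -> list[tuple[str, list[str]]]:
    """Split a config into (directive, args); a quoted push payload stays one arg."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment lines
            continue
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        pairs.append((tokens[0], tokens[1:]))
    return pairs

def lint(server_text: str, client_text: str) -> list[str]:
    """Report the server/client mismatches this page warns about. A pushed
    comp-lzo only takes effect if the client already declares comp-lzo."""
    server, client = parse(server_text), parse(client_text)
    sdir, cdir = dict(server), dict(client)
    problems = []
    for directive, args in server:
        if directive == "push" and args and args[0].split()[0] == "comp-lzo":
            if "comp-lzo" not in cdir:
                problems.append(f'push "{args[0]}" needs "comp-lzo" in the client config')
    if sdir.get("key-direction") != ["0"] or cdir.get("key-direction") != ["1"]:
        problems.append("key-direction must be 0 on the server and 1 on the client")
    proto, remote = sdir.get("proto", ["udp"])[0], cdir.get("remote", [])
    if len(remote) == 3 and proto != remote[2]:
        problems.append(f"client connects over {remote[2]} but server proto is {proto}")
    return problems

def fix_client(client_text: str) -> str:
    """Apply the page's fix: append 'comp-lzo no' when the client lacks it."""
    if "comp-lzo" in dict(parse(client_text)):
        return client_text
    return client_text.rstrip("\n") + "\ncomp-lzo no\n"
```

Running lint on the real openvpn.conf and user1.ovpn from ~/vpn-data gives the same checks against the files the tutorial generated.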