openvpn
Establish secure VPN connections
TLDR
Connect to server using a configuration file
Try to set up an insecure peer-to-peer tunnel on the bob.example.com host
Connect to the awaiting bob.example.com host without encryption
Create a cryptographic key and save it to file
Try to set up a peer-to-peer tunnel on the bob.example.com host with a static key
Connect to the awaiting bob.example.com host with the same static key as on bob.example.com
SYNOPSIS
openvpn [options] [configuration_file]
PARAMETERS
--config file
Specify a configuration file. This is the most common way to run openvpn, as the file contains all necessary parameters for a VPN connection.
--client
Enable client mode. This implicitly sets options appropriate for connecting to an OpenVPN server.
--server subnet netmask
Enable server mode, assigning IP addresses to connecting clients from the specified subnet and netmask.
--remote host [port]
Specify the remote server's hostname or IP address and optional port to connect to in client mode.
--dev tun|tap[X]
Specify the virtual network device type (tun for routed IP, tap for Ethernet bridging) and optionally its number.
--ca file
Specify the Certificate Authority (CA) certificate file for verifying peer certificates.
--cert file
Specify the local peer's certificate file.
--key file
Specify the local peer's private key file.
--tls-auth file
Use a shared secret key for HMAC authentication of all TLS packets, providing an additional layer of security.
--daemon
Run openvpn as a background daemon after initial setup.
--verb n
Set output verbosity level (0-11). Higher numbers provide more detailed logs.
--log file
Direct log output to a specified file instead of standard output/error.
--push "option"
Server-side only. Push an option to connecting clients. E.g., `--push "redirect-gateway def1"` to route client traffic through the VPN.
DESCRIPTION
openvpn is a highly versatile, open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections. It operates by establishing encrypted tunnels across public networks, enabling users to securely access private network resources or to route their internet traffic through the VPN endpoint so that it is hidden from the local network.
OpenVPN utilizes a custom security protocol based on SSL/TLS for key exchange and supports various encryption ciphers and authentication methods, including certificates, smart cards, and username/password. It can operate in either routed (TUN device) or bridged (TAP device) configurations, making it adaptable to diverse network setups. Its robust feature set, cross-platform compatibility, and ability to traverse NATs and firewalls have made it a widely adopted solution for secure remote access and network linking.
CAVEATS
Using openvpn typically requires root privileges to create virtual network interfaces (TUN/TAP devices) and configure network routing.
The configuration process can be complex, especially for server setups or advanced scenarios involving routing and firewall rules.
Performance can be influenced by CPU capabilities (for encryption/decryption), network latency, and the chosen cipher strength.
Ensure firewall rules are correctly configured to allow OpenVPN traffic on the chosen UDP/TCP port.
CONFIGURATION FILES
While openvpn can be run directly with command-line options, it is most commonly used with a single configuration file (e.g., .ovpn files). This file consolidates all settings for a specific VPN connection, including client/server roles, certificates, keys, remote addresses, and network configurations, simplifying deployment and management.
TUN VS. TAP DEVICES
openvpn can operate over two types of virtual network interfaces:
TUN (network TUNnel): A layer-3 (IP) device that handles IP packets. It's used for routed VPNs where OpenVPN manages IP addressing and routing.
TAP (network TAP): A layer-2 (Ethernet) device that handles Ethernet frames. It's used for bridged VPNs, allowing clients to appear on the same Ethernet segment as the server, useful for network services that rely on broadcast traffic.
SECURITY MODEL
openvpn's security is primarily based on the SSL/TLS protocol for secure key exchange, using X.509 certificates for authentication. It supports various strong ciphers for data encryption (e.g., AES-256) and HMAC for message integrity. Additional security can be achieved with --tls-auth for pre-shared key HMAC authentication of all TLS packets, providing protection against denial-of-service attacks and port scanning.
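The security model above, as an added shell example that is not part of the openvpn project: it lints a client .ovpn file for the weak settings this page describes (no CA, no control-channel HMAC, encryption or integrity switched off). The sample configs are constructed; remote-cert-tls and tls-crypt are real OpenVPN directives that this page does not list.

```shell
#!/bin/sh
# Added example, not part of the openvpn project: lint a client .ovpn for
# settings that undercut the SECURITY MODEL above. 'remote-cert-tls' and
# 'tls-crypt' are real OpenVPN directives not listed on this page.

# Print one finding per line; prints nothing for a well-formed client config.
ovpn_findings() {
    f="$1"
    # --ca (or an inline <ca> block) is what verifies the server's certificate
    grep -Eq '^[[:space:]]*(ca[[:space:]]+|<ca>)' "$f" ||
        echo "no 'ca': server certificate cannot be verified"
    # without it, any certificate the CA issued (another client's) passes as the server
    grep -Eq '^[[:space:]]*remote-cert-tls[[:space:]]+server' "$f" ||
        echo "no 'remote-cert-tls server': a client certificate passes as the server"
    # --tls-auth (or tls-crypt) adds the pre-shared-key HMAC on TLS control packets
    grep -Eq '^[[:space:]]*(tls-(auth|crypt)[[:space:]]+|<tls-(auth|crypt)>)' "$f" ||
        echo "no 'tls-auth'/'tls-crypt': control channel is not HMAC-protected"
    # 'cipher none' / 'auth none' is the unencrypted tunnel from the TLDR entries
    grep -Eq '^[[:space:]]*cipher[[:space:]]+none([[:space:]]|$)' "$f" &&
        echo "'cipher none': data channel is sent in clear text"
    grep -Eq '^[[:space:]]*auth[[:space:]]+none([[:space:]]|$)' "$f" &&
        echo "'auth none': data channel has no integrity check"
    return 0
}

# Lint a config given as a string; prints the number of findings.
sample_finding_count() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    ovpn_findings "$tmp" | grep -c . || true
    rm -f "$tmp"
}

# Constructed sample configs (hostname taken from the TLDR entries above).
WEAK_OVPN='client
dev tun
remote bob.example.com 1194
cipher none
auth none'
HARDENED_OVPN='client
dev tun
remote bob.example.com 1194
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-GCM
auth SHA256'

printf 'weak config: %s findings\n' "$(sample_finding_count "$WEAK_OVPN")"
printf 'hardened config: %s findings\n' "$(sample_finding_count "$HARDENED_OVPN")"
```

Point ovpn_findings at a real client file to get the same one-line-per-finding report; directive lines commented out with # or ; are ignored because every pattern is anchored at the start of the line.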
HISTORY
openvpn was first released by James Yonan in 2002. It quickly gained popularity as a robust, open-source alternative to proprietary VPN solutions, largely due to its flexibility, strong security features based on SSL/TLS, and ability to traverse challenging network environments. Over the years, it has become a de-facto standard for secure remote access and site-to-site connectivity in the open-source community, with continuous development and a strong user base.