Gentoo Wiki

There are as many advantages to VPN tunnels as there are different VPN scenarios. One easy implementation is the "OpenVPN via tun-device" solution.

Example: you work from home (your office) and have a server in a data centre, and you want exclusive access to some services such as ftp, mysql and sshd (the world of unethical hackers has grown to a very large unknown number, excluding the "script kiddies" that we all love so much). A good precaution is not to run anything on default ports; another is not to run any listening daemons open to the internet. A VPN is by far the best solution. Furthermore you can "dial in" when you need access to the VPN network, and multiple clients can connect to the server too.


Disclaimer: I, the author (ssorg // francois(at)), take no responsibility for any problems this setup may or may not cause on your system by following this HowTo. This setup will however most likely not cause any problems.

Kernel Configuration

Make sure your kernel has been configured for TUN/TAP driver support.

# cd /usr/src/linux
# make menuconfig
Linux Kernel Configuration: Enable the tun module in your kernel
Device Drivers --->
   Network device support --->
[*]Network device support
<M>   Universal TUN/TAP device driver support  // This option must be enabled

Exit menuconfig, saving the new configurations. You now need to rebuild your kernel.

2.6-based kernels

# cd /usr/src/linux
# make && make modules_install

2.4-based kernels

# cd /usr/src/linux
# make dep && make bzImage modules modules_install

If you compiled the TUN/TAP driver into the kernel (rather than as a module), copy the new kernel to /boot and reboot!

# reboot

If you compiled it as a module:

# modprobe tun

Install Software

# emerge openvpn

Using SSL keys/certificates

This is not actually so difficult, it's just a bunch of commands to type. Please also refer to the official HOWTO docs (the steps below are based on these docs) at:

First, some explanations. To decide whether a client is allowed to connect, OpenVPN checks that the client's certificate was signed by the same CA certificate that signed the server's certificate. So you can see that using commercial certificates like Thawte's really isn't an option in our case! I suggest we start right away and get this all out of the way quickly. :)

First off, change to the directory with the OpenVPN easy-rsa scripts, which make setting up the keys easy:

$ cd /usr/share/openvpn/easy-rsa/

We then must edit the basic parameters for the certificates. Edit the vars file and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don't leave any of these parameters blank.

$ vi vars

Next, initialize the PKI. On Linux/BSD/Unix:

   source ./vars

The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command:

   ai:easy-rsa # ./build-ca
   Generating a 1024 bit RSA private key
   writing new private key to 'ca.key'
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter '.', the field will be left blank.
   Country Name (2 letter code) [KG]:
   State or Province Name (full name) [NA]:
   Locality Name (eg, city) [BISHKEK]:
   Organization Name (eg, company) [OpenVPN-TEST]:
   Organizational Unit Name (eg, section) []:
   Common Name (eg, your name or your server's hostname) []:OpenVPN-CA
   Email Address [me@myhost.mydomain]:

Note that in the above sequence, most queried parameters were defaulted to the values set in the vars or vars.bat files. The only parameter which must be explicitly entered is the Common Name. In the example above, I used "OpenVPN-CA".

Generate certificate & key for server

Next, we will generate a certificate and private key for the server. On Linux/BSD/Unix:

   ./build-key-server server

As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter "server". Two other queries require positive responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".

Generating client certificates is very similar to the previous step. On Linux/BSD/Unix:

   ./build-key client

If you would like to password-protect your client keys, substitute the build-key-pass script.

For each client, make sure to type the appropriate Common Name when prompted, i.e. "client", "client2" or "client3". Always use a unique Common Name for each client.

Generate Diffie Hellman parameters

Diffie Hellman parameters must be generated for the OpenVPN server. On Linux/BSD/Unix:

   ai:easy-rsa # ./build-dh
   Generating DH parameters, 1024 bit long safe prime, generator 2
   This is going to take a long time

Key Files

Now we will find our newly generated keys and certificates in the keys subdirectory. The .key files are the only ones that must not be left unprotected, as they are the only private part. You should now transfer each client's key and certificate, along with the CA CERTIFICATE (read: NOT the CA key), to the respective machine via a secure channel. The dh1024.pem file only has to be on the server.

Using both methods

Yes, you can use the shared secret key file and the certificate-based setup at the same time. This is even more secure and protects your network against MITM attacks. So if you used the certificate method, you can also do the alternative step described below to keep your network even more secure!

On the server, create a directory for your server keys and move them there; furthermore, create a backup of these keys:

# mkdir -p /etc/openvpn/privnet
# mv /usr/share/openvpn/easy-rsa/keys/* /etc/openvpn/privnet/
# # every time you update openvpn you might lose these files, so creating a backup is a good idea!
# tar cfzp /root/openvpn-privnet.tar.gz /etc/openvpn/privnet/
# chmod 700 /root/openvpn-privnet.tar.gz
# chmod 700 /etc/openvpn/privnet
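As an added illustration of the two points above (only the .key files are private, ca.key and dh1024.pem stay on the server, and nothing under the key directory should be readable by anyone else), here is a small POSIX shell script. It is not part of the original HowTo; it assumes the easy-rsa keys layout used on this page (ca.crt, ca.key, server.crt, server.key, dh1024.pem and one .crt/.key pair per client). The demo at the bottom works on a constructed directory of dummy files, so it runs without OpenVPN or openssl installed.

```shell
#!/bin/sh
# Added example (not from the original HowTo): handle easy-rsa output safely.
# Assumes the easy-rsa keys directory layout used above: ca.crt, ca.key,
# server.crt, server.key, dh1024.pem and <client>.crt / <client>.key per client.

# Report private keys in a keys directory that are readable by group or others.
# Prints one line per offending file and returns 1 if any were found.
audit_key_perms() {
  keys_dir=$1
  bad=0
  for k in "$keys_dir"/*.key; do
    [ -f "$k" ] || continue
    # GNU stat first, BSD stat as fallback; both print the octal mode
    mode=$(stat -c %a "$k" 2>/dev/null || stat -f %Lp "$k")
    case "$mode" in
      600|400) ;;
      *) echo "private key readable by others: $k (mode $mode)"; bad=1 ;;
    esac
  done
  return $bad
}

# Assemble what ONE client needs, and nothing more: ca.crt, <client>.crt and
# <client>.key. ca.key, server.key and dh1024.pem never leave the server, and the
# names "ca" and "server" are refused outright so they cannot be bundled by mistake.
# Usage: bundle_client <keys_dir> <client_name> <out_dir>
bundle_client() {
  keys_dir=$1
  client=$2
  out=$3
  case "$client" in
    ca|server)
      echo "refusing to bundle '$client': that key stays on the server" >&2
      return 1 ;;
  esac
  for f in ca.crt "$client.crt" "$client.key"; do
    [ -f "$keys_dir/$f" ] || { echo "missing $keys_dir/$f" >&2; return 1; }
  done
  mkdir -p "$out" && chmod 700 "$out" || return 1
  cp "$keys_dir/ca.crt" "$keys_dir/$client.crt" "$keys_dir/$client.key" "$out/" || return 1
  # the certificate parts are public, the private key is not
  chmod 644 "$out/ca.crt" "$out/$client.crt"
  chmod 600 "$out/$client.key"
  echo "bundle for '$client' in $out (copy it over a secure channel, e.g. scp)"
}

# Demo on a constructed keys directory of dummy files (no real keys involved).
demo() {
  d=$(mktemp -d)
  mkdir "$d/keys"
  for f in ca.crt ca.key server.crt server.key dh1024.pem client.crt client.key; do
    echo "dummy $f" > "$d/keys/$f"
  done
  chmod 644 "$d/keys/client.key"        # deliberately wrong, to be flagged
  audit_key_perms "$d/keys" || echo "audit found problems (expected in the demo)"
  chmod 600 "$d/keys"/*.key
  audit_key_perms "$d/keys" && echo "audit clean after chmod 600"
  bundle_client "$d/keys" client "$d/bundle-client"
  ls "$d/bundle-client"
  rm -rf "$d"
}

demo
```

On a real server you would run `audit_key_perms /etc/openvpn/privnet` after the mv above and `bundle_client /etc/openvpn/privnet client /root/bundle-client` for each client, then copy the bundle directory with scp or WinSCP rather than pasting file contents by hand.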

Server Configuration

This is a fairly easy configuration, close to OpenVPN's defaults:

File: Server-side configuration file /etc/openvpn/openvpn.conf
# non default port to prevent worm attacks!
port 11194
proto udp
dev tun
ca privnet/ca.crt
cert privnet/server.crt
key privnet/server.key
dh privnet/dh1024.pem
# multi-client server mode (needed for several clients and for ifconfig-pool-persist);
# the 10.8.0.0/24 pool is an assumption taken from OpenVPN's sample server.conf,
# substitute your own private range if it collides with a network you use
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
# needed together with user/group below: after dropping privileges the daemon
# can no longer re-read the key or re-open the tun device on a restart
persist-key
persist-tun
user nobody
group nobody
status openvpn-status.log
verb 3

Start the Server

# /etc/init.d/openvpn start

If you're going to use this solution to further enhance your security setup, add it to the default runlevel:

# rc-update add openvpn default
 * openvpn added to runlevel default

If the server is using iptables:

# iptables -A INPUT -i tun+ -j ACCEPT
# iptables -A FORWARD -i tun+ -j ACCEPT

Security Enhancements

As mentioned before, some people just hate being insecure. Now you can run nearly all of the common unsecured daemons (I'm paranoid) bound to the VPN IP addresses only!

Example: you have to connect to your VPN before you can ssh into your server or check mail etc.

File: SSHD configuration file /etc/ssh/sshd_config
** snip snip **
Port 22
# bind sshd to the server's VPN address only, so it is unreachable from the internet;
# 10.8.0.1 is an assumption, use the address your server has on its tun interface
# (the tun interface must be up before sshd starts, or sshd cannot bind to it)
ListenAddress 10.8.0.1
** snip snip **
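To check that the daemons really did move off the public interface, here is an added POSIX shell snippet that is not part of the original HowTo. It reads `ss -lntu` style output and lists every socket bound to a wildcard address (0.0.0.0, * or [::]) except the OpenVPN port itself, which has to stay public so clients can dial in. The sample listing is constructed; 10.8.0.1 is an assumed VPN address for the server and 11194 is the port used on this page.

```shell
#!/bin/sh
# Added example (not from the original HowTo): find daemons still reachable from
# the internet. Reads `ss -lntu` style output and lists every socket bound to a
# wildcard address (0.0.0.0, * or [::]) except the OpenVPN port itself, since
# that one has to stay public for clients to dial in.

# Usage: find_exposed <vpn_port>   (reads ss output on stdin)
# Output: "<proto> <address> <port>" per exposed socket
find_exposed() {
  awk -v vpn_port="$1" '
    NR == 1 { next }                      # column header line
    {
      la = $5                             # "Local Address:Port" column
      n = split(la, p, ":")
      port = p[n]                         # text after the last colon
      addr = substr(la, 1, length(la) - length(port) - 1)
      wildcard = (addr == "0.0.0.0" || addr == "*" || addr == "[::]")
      if (wildcard && port != vpn_port)
        printf "%s %s %s\n", $1, addr, port
    }'
}

# Constructed sample in the layout `ss -lntu` prints; 10.8.0.1 is an assumed
# VPN address for the server, 11194 is the port used in this HowTo.
SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0           0.0.0.0:11194     0.0.0.0:*
tcp   LISTEN 0      128         0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      80        127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      128        10.8.0.1:21        0.0.0.0:*
tcp   LISTEN 0      128            [::]:22           [::]:*'

# Number of exposed sockets in the sample (2: sshd on IPv4 and on IPv6).
count_exposed_in_sample() {
  printf '%s\n' "$SAMPLE" | find_exposed 11194 | awk 'END { print NR }'
}

# On a live system the same check is:  ss -lntu | find_exposed 11194
printf '%s\n' "$SAMPLE" | find_exposed 11194
```

In the sample, mysql is already on 127.0.0.1 and ftp on the VPN address, so only the two sshd sockets are reported; once ListenAddress points sshd at the VPN address the list should be empty.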

Windows Client

Download the Windows client (official download page) and run the installer with the default setup.

Client Configuration

notepad C:\Program Files\OpenVPN\config\client.ovpn
File: Client-side configuration file C:\Program Files\OpenVPN\config\client.ovpn
# pull addresses and routes from the server (matches "server" mode on the server side)
client
dev tun
proto udp
# change this to your server's ip or hostname
remote your.server.tld 11194
resolv-retry infinite

ca ca.crt
cert client.crt
key client.key
# only accept a server certificate carrying the server flag that build-key-server
# sets, so another client's certificate cannot impersonate the server
ns-cert-type server

verb 3

Copy and paste the following files from the Linux box to Windows (this is a very insecure method of getting the files; I would suggest using WinSCP or a similar client to retrieve the files from the server!)


cat /etc/openvpn/privnet/ca.crt 


notepad C:\Program Files\OpenVPN\config\ca.crt

Do the same with client.crt and client.key

Make sure you have the following files!

dir C:\Program Files\OpenVPN\config 
 15/02/2007  10:24             1,388 ca.crt
 15/02/2007  10:26             3,872 client.crt
 15/02/2007  10:25               906 client.key
 15/02/2007  10:23             3,549 client.ovpn

Connect to your newly created VPN by double clicking on the OpenVPN icon.

Excellent TIP for Windows

Windows has a hosts file similar to /etc/hosts (stems from the BSD ancestry of the Windows TCP/IP stack).

notepad C:\WINDOWS\system32\drivers\etc\hosts
File: Windows hosts file C:\WINDOWS\system32\drivers\etc\hosts
127.0.0.1       localhost
<VPN address of the server>       server


Hide TAP adapter

  1. Run regedit
  2. Find HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}
  3. Look through each sub-key for one with a DriverDesc = "TAP-Win32 Adapter V8"
  4. Set "Characteristics" = 0x89

To show again, set it to 0x81.

Last modified: Thu, 04 Sep 2008 04:10:00 +0000