OpenVPN client on Debian

Now that the server is ready, let's switch to the client side!

1. Software installation

Install OpenVPN:

sudo apt-get install openvpn

2. Configuration

Copy the sample client configuration into the working directory:

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/


Here is my configuration:

client
dev tun
proto udp
remote XXX.XXX.XXX.XXX 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
;mute-replay-warnings
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/MyClient.crt
key /etc/openvpn/keys/MyClient.key
ns-cert-type server
cipher AES-256-CBC
verb 3

Replace XXX.XXX.XXX.XXX with the IP address of the OpenVPN server.

Create a folder to store the keys and certificates:

sudo mkdir /etc/openvpn/keys/

Download the ca.crt file from the server:

sudo scp user@XXX.XXX.XXX.XXX:/etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/keys/

Download the client key file (MyClient.key) from the server:

sudo scp user@XXX.XXX.XXX.XXX:/etc/openvpn/easy-rsa/keys/MyClient.key /etc/openvpn/keys/MyClient.key

Download the client certificate file (MyClient.crt) from the server:

sudo scp user@XXX.XXX.XXX.XXX:/etc/openvpn/easy-rsa/keys/MyClient.crt /etc/openvpn/keys/MyClient.crt 

Then we can try to start the client:

sudo openvpn --config /etc/openvpn/client.conf

Here is the output:

OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 27 2017
library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Socket Buffers: R=[163840->131072] S=[163840->131072]
NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
UDPv4 link local: [undef]
UDPv4 link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:1194, sid=2fc176a5 4d3fbbfd
VERIFY OK: depth=1, C=XX, ST=XXXXXXXX, L=XXXXXXXX, O=XXXXXXXX, OU=XX, CN=XXXXXXXX, name=EasyRSA, emailAddress=XXXXXXXX
VERIFY OK: nsCertType=SERVER
VERIFY OK: depth=0, C=XX, ST=XXXXXXXX, L=XXXXXXXX, O=XXXXXXXX, OU=XXXXXXXX, CN=XXXXXXXX, name=EasyRSA, emailAddress=XXXXXXXX
Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA
[server] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1194
SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.1'
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth0 HWADDR=XXXXXXXXXXXXXXXXXX
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 100
do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 local 10.8.0.10 peer 10.8.0.1
Fri Sep  8 09:08:44 2017 /sbin/ip route add 10.8.0.1/32 via 10.8.0.1
GID set to nogroup
UID set to nobody
Initialization Sequence Completed
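
The log above shows three things at run time: the server certificate type check, the drop to nobody/nogroup, and the client key being loaded. The following added example (not part of the original post) checks the same points in the configuration file before the client is left to start unattended. The function names audit_client_conf and directive are hypothetical, the demo runs on constructed files in a temporary directory, and the parser assumes unquoted paths without spaces.

```shell
#!/bin/sh
# Added example: pre-flight audit of an OpenVPN client config (hypothetical helper names).

# Print the first argument of directive $2 in config $1; lines starting with
# '#' or ';' never match. Assumes unquoted values without spaces.
directive() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Print one WARN line per finding; return 0 if the config passes, 1 otherwise.
audit_client_conf() {
    conf=$1
    rc=0
    # The peer certificate must be checked for the server role: ns-cert-type
    # as on this page, or remote-cert-tls, which newer OpenVPN releases use instead.
    if [ "$(directive "$conf" ns-cert-type)" != server ] &&
       [ "$(directive "$conf" remote-cert-tls)" != server ]; then
        echo "WARN: no server certificate type check"; rc=1
    fi
    # The daemon should drop root privileges once the tunnel is up.
    for opt in user group; do
        if [ -z "$(directive "$conf" "$opt")" ]; then
            echo "WARN: '$opt' not set, openvpn keeps running as root"; rc=1
        fi
    done
    # The private key must exist and be closed to group and other.
    key=$(directive "$conf" key)
    if [ -z "$key" ] || [ ! -f "$key" ]; then
        echo "WARN: key file missing: ${key:-<none>}"; rc=1
    elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "WARN: $key is accessible to group/other (chmod 600)"; rc=1
    fi
    return "$rc"
}

# Demo on constructed files in a temporary directory, not the real /etc/openvpn.
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/MyClient.key"; chmod 644 "$tmp/MyClient.key"
    printf 'client\nuser nobody\ngroup nogroup\nkey %s\nns-cert-type server\n' \
        "$tmp/MyClient.key" > "$tmp/client.conf"
    audit_client_conf "$tmp/client.conf" || true   # one WARN: key mode 644
    chmod 600 "$tmp/MyClient.key"
    audit_client_conf "$tmp/client.conf" && echo "OK: config passes"
    rm -rf "$tmp"
}
demo
```

To check the real files, call audit_client_conf with /etc/openvpn/client.conf as root, so that the key file can be inspected.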

To have your Pi connect automatically after a reboot, edit the following file:

sudo vi /etc/default/openvpn

Then uncomment the line:

AUTOSTART="all"
