What do you think? Discuss, post comments, or ask questions at the end of this article [More about me]

It's not often that I find a very complete setup guide that covers many aspects of what I want to achieve.  However, digitalocean's guide for setting up an openvpn server is excellent and very well written.  It covers many (most) of the things I implement on any openvpn server I setup.

In this writeup I'll simply cover some of the things that aren't in digitalocean's guide and that I usually implement to meet specific use cases.

If you're setting up an openvpn server, please check out their guide and follow along.  Much of what I cover here would depend on a setup similar to what is outlined by digitalocean.

Generating client configurations

This is covered well in the digitalocean guide, but I thought I would note down the commands used here as it's something I use/do often.

Generate a client key

First, generate the client key by cd'ing into your openvpn-ca (cert authority folder) and sourcing the variables required:

cd ~/openvpn-ca
source vars

Do NOT run ./clean-all unless you really want to remove all client keys (seriously, I've done this by mistake and you will then need to recreate or restore previous keys).

Then simply generate a client key with

./build-key <client-key-name>

replace <client-key-name> with the name of the client key you want

Generate a client .ovpn file

If you followed the digitalocean guide you'll now be able to generate an ovpn client config that contains the key and everything needed for a client to securely connect to your openvpn server by

cd ~/client-configs
./make_config.sh <client-key-name>

This will create a client key in ~/client-configs/files that can be transferred to the client.

Assigning static IP addresses to particular client configurations

You might want/need to map certain client configurations to a static ip address in the openvpn ip pool.  For this use case you would generally have a ip range for static ip addresses, and a separate (non-conflicting) range for dynamic ip address assignment (i.e. standard clients connect and receive an dynamic ip address subject to availability).

Such a configuration requires several changes to server.conf and the creation of a folder which holds a client-name config file (which contains the static ip address to assign) for each config you wan to assign a static ip address to.

server.conf changes

Here we'll do two things, define an ip address range for dynamic assignment, and enable the folder to hold client static ip address files.

Let's start with changing the dynamic ip range.  For this example we're going to set the dynamic ip range from 10.8.0.100 to 10.8.0.200:

ifconfig-pool 10.8.0.100 10.8.0.200 255.255.255.0

Next, lets uncomment the client-config-dir directive:

client-config-dir /etc/openvpn/ccd

You'll note that I give the absolute path to the ccd folder (just my preference).

 Don't forget to actually create the ccd folder:

sudo mkdir -p /etc/openvpn/ccd

Let's now restart openvpn

sudo systemctl restart openvpn@server

Create files for each client you want to assign an ip address to

Here we simply add a file, which must have the same name as the client configuration. 

For example, suppose we have a client configuration named "client1" which has the ovpn file "client1.ovpn", that we want to assign the ip address "10.8.0.2" to.  We would do the following:

sudo vim /etc/openvpn/ccd/client1

and then add the following line

ifconfig-push 10.8.0.2 255.255.255.0

You DO NOT need to restart the openvpn server after adding client configs. Each time a client connects openvpn will check for a corresponding (named) file in the ccd folder.

Enabling split-tunnel for a specific client

If you've setup your openvpn server to route all client traffic through the tunnel, you might want a specific client to ignore this and only use the tunnel for connections to other machines on the VPN.

An example for this might be when using an VPN connection to securely connect machines together for node_exporter monitoring (Prometheus) as alluded to in Create a persistent SSH tunnel between servers with systemd (a VPN is an alternative to that article and the preferred approach).

To ignore the server's redirect-gateway directive, add the following to the client's ovpn config file:

pull-filter ignore redirect-gateway

Note this requires at least openvpn version 2.4.  For older versions see here.

Overriding DNS settings for server in client configutation

Openvpn server.conf  allows you to define DNS addresses such as addresses for OpenDNS etc.  These addresses with then be pushed to the client to implement when it connects to the server.

However, you might want/need to use different DNS servers for your client.  This can be done easily by rejecting the server's pushed DNS addresses and implementing your own directly in your .ovpn config file.

Add the following to you .ovpn config (replacing x.x.x.x  and y.y.y.y  with your preferred DNS addresses).

# override DNS with my own settings
pull-filter ignore "dhcp-option DNS"
# don't block other DNS servers (for windows clients)
pull-filter ignore "block-outside-dns"

# set own DNS servers (optional)
dhcp-option DNS x.x.x.x
dhcp-option DNS y.y.y.y

Replace x.x.x.x  and y.y.y.y  with your preferred DNS addresses above.

Honour DNS config pushed from server on Arch Linux client

On a few of my Arch (and Manjaro) machines, they weren't using DNS configs being pushed from the OpenVPN server.

As outlined in on the Arch Wiki, I needed to add the following to my client config (.ovpn):

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

If OpenVPN doesn't reconnect after wake

On one of my laptops (running Manjaro) the openvpn client wouldn't reconnect after waking from sleep.  As outlined in the Arch wiki, you can quickly add a systemd service which sends a SIGHUP signal to OpenVPN which forces a reconnect to occur:

/etc/systemd/system/openvpn-reconnect.service
[Unit]
Description=Restart OpenVPN after suspend

[Service]
ExecStart=/usr/bin/pkill --signal SIGHUP --exact openvpn

[Install]
WantedBy=sleep.target

then enable the service:

sudo systemctl enable openvpn-reconnect

Using port 443 for OpenVPN & other applications (like a webserver)

See Transparent SSLH: using a single port to transparently route incoming traffic for Apache, OpenVPN, and SSH

References

  1. https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
  2. https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway
  3. https://wiki.archlinux.org/index.php/OpenVPN#The_update-resolv-conf_custom_script