...

This is covered well in the DigitalOcean guide, but I thought I would note down the commands used here, as it's something I do often.

Generate a client key

First, generate the client key by cd'ing into your openvpn-ca (cert authority folder) and sourcing the variables required:

...

Info

Replace <client-key-name> with the name you want for the client key.

Generate a client .ovpn file

If you followed the DigitalOcean guide, you'll now be able to generate an ovpn client config that contains the key and everything else a client needs to connect securely to your OpenVPN server by

...

Code Block
ifconfig-pool 10.8.0.100 10.8.0.200 255.255.255.0

Next, uncomment the client-config-dir directive:

...

For example, suppose we have a client named "client1" (with the ovpn file "client1.ovpn") to which we want to assign the IP address "10.8.0.12". We would do the following:

...

Code Block
ifconfig-push 10.8.0.12 255.255.255.0


Info

You DO NOT need to restart the OpenVPN server after adding client configs. Each time a client connects, OpenVPN checks for a file with that client's name in the ccd folder.
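The ccd entry above is a one-liner, but two mistakes are easy to make when writing them by hand: assigning a fixed address that lies inside the dynamic ifconfig-pool range (it can then collide with an address the server hands out), and assigning the same address to two clients. The following Python helper, added here as an example and not part of the original page or of OpenVPN, renders and writes ccd/<client> entries and refuses both mistakes. It assumes the subnet, pool range and netmask quoted on this page, assumes the server holds the first host address (10.8.0.1), and restricts client names to a conservative character set, since OpenVPN uses the certificate common name as a filename under the ccd directory.

```python
import ipaddress
import re
from pathlib import Path

# Constructed values matching the server settings quoted on the page.
# Adjust these to your own server.conf (assumption).
VPN_SUBNET = ipaddress.ip_network("10.8.0.0/24")
POOL_START = ipaddress.ip_address("10.8.0.100")
POOL_END = ipaddress.ip_address("10.8.0.200")
SERVER_IP = VPN_SUBNET.network_address + 1   # assumption: server takes 10.8.0.1
NETMASK = "255.255.255.0"

# OpenVPN looks up ccd/<common name>, so the name becomes a path component.
# Keeping it to a conservative character set (assumption: your CNs fit it)
# rules out names such as "../something" or hidden dot-files.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")
IFCONFIG_PUSH = re.compile(r"^\s*ifconfig-push\s+(\S+)\s+(\S+)")


def is_safe_client_name(name: str) -> bool:
    return bool(SAFE_NAME.match(name))


def static_ip_problem(ip_text: str):
    """Return None if ip_text is usable as a fixed client address,
    otherwise a short explanation of why it is not."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return f"{ip_text!r} is not an IP address"
    if ip not in VPN_SUBNET:
        return f"{ip} is not inside the VPN subnet {VPN_SUBNET}"
    if ip in (VPN_SUBNET.network_address, VPN_SUBNET.broadcast_address):
        return f"{ip} is the network or broadcast address"
    if ip == SERVER_IP:
        return f"{ip} is the server's own address"
    if POOL_START <= ip <= POOL_END:
        # A fixed address inside the dynamic pool can collide with one the
        # server hands out to a client that has no ccd entry.
        return f"{ip} lies inside the dynamic pool {POOL_START}-{POOL_END}"
    return None


def render_ccd_entry(client_name: str, ip_text: str) -> str:
    """Produce the ccd file content for one client (subnet topology)."""
    if not is_safe_client_name(client_name):
        raise ValueError(f"refusing unsafe client name {client_name!r}")
    problem = static_ip_problem(ip_text)
    if problem:
        raise ValueError(problem)
    return f"ifconfig-push {ipaddress.ip_address(ip_text)} {NETMASK}\n"


def load_static_ips(ccd_dir) -> dict:
    """Map every address already pushed from a ccd/<name> file to that name."""
    assigned = {}
    for entry in Path(ccd_dir).iterdir():
        if not entry.is_file():
            continue
        for line in entry.read_text().splitlines():
            match = IFCONFIG_PUSH.match(line)
            if match:
                assigned[match.group(1)] = entry.name
    return assigned


def write_ccd_entry(ccd_dir, client_name: str, ip_text: str) -> Path:
    """Validate, check for duplicates, then write ccd/<client_name>."""
    content = render_ccd_entry(client_name, ip_text)
    ip = str(ipaddress.ip_address(ip_text))
    owner = load_static_ips(ccd_dir).get(ip)
    if owner is not None and owner != client_name:
        raise ValueError(f"{ip} is already assigned to {owner}")
    path = Path(ccd_dir) / client_name
    path.write_text(content)
    return path


if __name__ == "__main__":
    # Usage: write_ccd_entry("/etc/openvpn/ccd", "client1", "10.8.0.12")
    print(render_ccd_entry("client1", "10.8.0.12"), end="")
```

Because the server re-reads the ccd directory on every connection (as the note above says), a new entry written this way takes effect the next time that client connects, with no restart.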

Enabling split-tunnel for a specific client

If you've set up your OpenVPN server to route all client traffic through the tunnel, you might want a specific client to ignore this and only use the tunnel for connections to other machines on the VPN.

An example of this is using a VPN connection to securely connect machines together for node_exporter monitoring (Prometheus), as alluded to in Create a persistent SSH tunnel between servers with systemd (a VPN is an alternative to that article's approach, and the preferred one).

To ignore the server's redirect-gateway directive, add the following to the client's ovpn config file:

Code Block
pull-filter ignore redirect-gateway


Info

Note this requires at least OpenVPN version 2.4. For older versions see here.

Overriding the server's DNS settings in the client configuration

...

Add the following to your .ovpn config (replacing x.x.x.x and y.y.y.y with your preferred DNS addresses).

Code Block
# override DNS with my own settings
pull-filter ignore "dhcp-option DNS"
# don't block other DNS servers (for windows clients)
pull-filter ignore "block-outside-dns"

# set own DNS servers (optional)
dhcp-option DNS x.x.x.x
dhcp-option DNS y.y.y.y

...

Warning

Replace x.x.x.x and y.y.y.y with your preferred DNS addresses above.
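Both the split-tunnel trick and the DNS override above rely on pull-filter, and it helps to see exactly what it does to the options the server pushes: each pushed option is compared against the filters in config order, the first filter whose text is a prefix of the option decides (accept, ignore, or reject), and an option matching no filter is accepted. The Python below, added here as an example and not part of the original page or of OpenVPN, models that rule over a constructed PUSH_REPLY. The sample server reply, the client config text, and the documentation-range DNS addresses 192.0.2.53/54 are all constructed for the example; the reject case is modelled as an exception, standing in for OpenVPN restarting the connection.

```python
import shlen if False else None  # placeholder removed below
```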

Honour DNS config pushed from server on Arch Linux client

A few of my Arch (and Manjaro) machines weren't using the DNS config being pushed from the OpenVPN server.

As outlined on the Arch Wiki, I needed to add the following to my client config (.ovpn):

Code Block
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

If OpenVPN doesn't reconnect after wake

...

Code Block
sudo systemctl enable openvpn-reconnect

Recovering after an accidental ./clean-all

...

...

Using port 443 for OpenVPN & other applications (like a webserver)

...

  1. https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
  2. https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway
  3. https://wiki.archlinux.org/index.php/OpenVPN#The_update-resolv-conf_custom_script

...