Luca Bruno blog

OpenVPN configuration for server and multiple clients

This is a short post showing a basic configuration for an OpenVPN server that accepts multiple clients over TLS.

First, generate a self-signed server certificate and private key, a client certificate and private key signed by the server certificate (which acts as the CA here), and DH parameters. Make sure to fill in the Organization Name AND Common Name (CN) when asked, otherwise OpenVPN will fail to verify the certificates. (1024-bit DH parameters are weak by current standards; 2048 bits is the usual minimum today.)

openssl req -newkey rsa:2048 -nodes -keyout serverkey.pem -x509 -days 365000 -out servercert.pem  
openssl req -newkey rsa:2048 -nodes -keyout clientkey.pem -out client.csr  
openssl x509 -req -days 365000 -in client.csr -CA servercert.pem -CAkey serverkey.pem -set_serial 01 -out clientcert.pem  
openssl dhparam -outform PEM -out dh.pem 1024  

Server configuration:

dev tun  
mode server  
tls-server  
server 10.8.0.0 255.255.255.0  
ca servercert.pem  
cert servercert.pem  
key serverkey.pem  
dh dh.pem  
duplicate-cn  
topology subnet  
keepalive 10 60  
ping-timer-rem  
persist-tun  
persist-key  

If you plan to use the server as a gateway, as the client configuration below does with redirect-gateway, don’t forget to enable IP forwarding and masquerading on the server:

sysctl net.ipv4.ip_forward=1  
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE  

Client configuration:

client  
# replace SERVER_ADDRESS with the server’s hostname or IP (1194 is OpenVPN’s default port)  
remote SERVER_ADDRESS 1194  
redirect-gateway  
tls-client  
key clientkey.pem  
cert clientcert.pem  
ca servercert.pem  
keepalive 10 60  
dev tun  
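To catch the mistakes this setup makes easy (a client without `remote`, a side missing ca/cert/key, a masquerade rule that does not cover the pool handed out by `server`), here is an added checker; it is not part of the post or of OpenVPN, and the embedded config texts are constructed copies of the ones above.

```python
import ipaddress

# Constructed copies of the post's two configs (not read from real files); the
# client copy deliberately lacks `remote` so the checker has something to catch.
SERVER_CONF = """server 10.8.0.0 255.255.255.0
ca servercert.pem
cert servercert.pem
key serverkey.pem
dh dh.pem
"""
CLIENT_CONF = """client
redirect-gateway
key clientkey.pem
cert clientcert.pem
ca servercert.pem
"""

def parse_config(text):
    """Map each directive to a list of its argument lists (a directive may repeat).
    '#' and ';' are taken as comment leaders, a simplification of OpenVPN's parser."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives

def vpn_pool(server):
    """Address pool handed out by `server <network> <netmask>`, as a CIDR network."""
    network, netmask = server["server"][0][:2]
    return ipaddress.ip_network(f"{network}/{netmask}", strict=False)

def check_pair(server_text, client_text, masquerade_source):
    """Return the problems found; an empty list means the two configs fit together."""
    server, client = parse_config(server_text), parse_config(client_text)
    problems = []
    for role, conf in (("server", server), ("client", client)):
        for needed in ("ca", "cert", "key"):
            if needed not in conf:
                problems.append(f"{role}: missing '{needed}', TLS cannot be set up")
    if "remote" not in client:
        problems.append("client: missing 'remote', it has no server address to connect to")
    # A redirect-gateway client only reaches the outside if the NAT rule covers its pool.
    if "redirect-gateway" in client and "server" in server:
        pool = vpn_pool(server)
        if ipaddress.ip_network(masquerade_source) != pool:
            problems.append(f"NAT: masquerade source {masquerade_source} does not match VPN pool {pool}")
    return problems
```

Run it with `check_pair(SERVER_CONF, CLIENT_CONF, "10.8.0.0/24")` after pasting in your real configs and the `-s` argument of your MASQUERADE rule.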

Have fun, tune as needed.