@markruler
Last active April 16, 2021 01:03
OpenVPN Client Connection

Ubuntu (20.04 Focal Fossa)

apt-get update && apt-get -y upgrade && apt-get -y autoremove
apt-get install -y openvpn
openvpn --version
# OpenVPN 2.4.7 x86_64-pc-linux-gnu
# [...]

# client.ovpn
# Use a dynamic tun device.
dev tun

# Enable TLS and assume client role during TLS handshake.
tls-client

# Our remote peer
remote vpn.example.com 1194

# Automatically execute routing commands to cause all outgoing IP traffic
# to be redirected over the VPN. This is a client-side option.
redirect-gateway def1

# This option must be used on a client which is connecting to a multi-client server.
# It indicates to OpenVPN that it should accept options pushed by the server,
# provided they are part of the legal set of pushable options
# (note that the --pull option is implied by --client).
# In particular, --pull allows the server to push routes to the client,
# so you should not use --pull or --client in situations where you don’t
# trust the server to have control over the client’s routing table.
pull

# proto indicates the protocol to use when connecting with the remote, and may be “tcp” or “udp”.
proto udp

# This directive offers policy-level control over OpenVPN’s usage of external programs and scripts.
# Lower level values are more restrictive, higher values are more permissive.
# Settings for level: 0 — Strictly no calling of external programs.
# 1 — (Default) Only call built-in executables such as ifconfig, ip, route, or netsh.
# 2 — Allow calling of built-in executables and user-defined scripts.
# 3 — Allow passwords to be passed to scripts via environmental variables (potentially unsafe).
script-security 2

# Certificate authority (CA) file in .pem format, also referred to as the root certificate.
# This file can have multiple certificates in .pem format, concatenated together.
# You can construct your own certificate authority certificate and private key
# by using a command such as:
#   openssl req -nodes -new -x509 -keyout ca.key -out ca.crt
ca ca.crt

# Enable a compression algorithm.
# The algorithm parameter may be “lzo”, “lz4”, or empty.
# LZO and LZ4 are different compression algorithms,
# with LZ4 generally offering the best performance with least CPU usage.
# For backwards compatibility with OpenVPN versions before v2.4,
# use “lzo” (which is identical to the older option “--comp-lzo yes”).
compress lzo

# Renegotiate data channel key after n seconds (default=3600).
# When using dual-factor authentication, note that this default value
# may cause the end user to be challenged to reauthorize once per hour.
reneg-sec 0

# Authenticate with server using username/password.
# auth-user-pass [up]
# `up` is a file containing username/password on 2 lines.
# If the password line is missing, OpenVPN will prompt for one.
# If up is omitted, username/password will be prompted from the console.
auth-user-pass

# Set output verbosity to n (default=1).
# Each level shows all info from the previous levels.
# Level 3 is recommended if you want a good summary of
# what’s happening without being swamped by output.
# 0 — No output except fatal errors.
# 1 to 4 — Normal usage range.
# 5 — Output R and W characters to the console for each packet read and write, uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets.
# 6 to 11 — Debug info range (see errlevel.h for additional information on debug levels).
verb 3

# Same as: sudo openvpn --config client.ovpn
sudo openvpn \
  --ca ca.crt \
  --auth-user-pass \
  --dev tun \
  --tls-client \
  --remote vpn.example.com 1194 \
  --redirect-gateway def1 \
  --pull \
  --proto udp \
  --script-security 2 \
  --compress lzo \
  --reneg-sec 0 \
  --verb 3
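The config file and the long command line above are two spellings of the same directive list. The following helper (added here; it is not part of this gist or of OpenVPN) makes that mapping mechanical for any client.ovpn and, in the same pass, flags the settings in this config a defender would question before letting a server control the client's routing table. It assumes a constructed sample config written to a temp file; the directive names, the `remote-cert-tls server` check and the VORACLE note come from OpenVPN's documentation, not from this page.

```shell
#!/bin/sh
# Hypothetical helper, not part of OpenVPN or this gist: renders a client.ovpn as the
# `openvpn --directive value ...` command line shown by hand on this page, then flags
# settings a defender would question before trusting the server with this client's routes.
# Constructed sample config mirroring the page's client.ovpn, written to a temp file.
make_sample_ovpn() {
  f=$(mktemp) || return 1
  cat >"$f" <<'EOF'
# Use a dynamic tun device.
dev tun
tls-client
remote vpn.example.com 1194
redirect-gateway def1
pull
proto udp
script-security 2
ca ca.crt
compress lzo
reneg-sec 0
auth-user-pass
verb 3
EOF
  echo "$f"
}

# One "--directive value" per line: drop comment (# or ;) and blank lines, prefix "--".
# Inline <ca>...</ca> blocks are not handled; this page keeps the CA in a separate file.
ovpn_to_args() {
  sed -e '/^[[:space:]]*[#;]/d' -e 's/^[[:space:]]*//' -e '/^$/d' -e 's/^/--/' "$1"
}

# The same directives on one line, as in the "sudo openvpn \" block above.
render_cmdline() {
  printf 'openvpn %s\n' "$(ovpn_to_args "$1" | tr '\n' ' ' | sed 's/ $//')"
}

# Least-privilege audit: prints one finding per line, returns the number of findings.
audit_ovpn() {
  n=0
  if grep -Eq '^[[:space:]]*script-security[[:space:]]+[23]' "$1"; then
    echo "script-security >=2 allows user-defined scripts; this config defines none, so 1 suffices"; n=$((n + 1))
  fi
  if grep -Eq '^[[:space:]]*compress[[:space:]]+(lzo|lz4)' "$1"; then
    echo "compress lzo/lz4 compresses traffic before encryption, which OpenVPN discourages (VORACLE)"; n=$((n + 1))
  fi
  if ! grep -Eq '^[[:space:]]*remote-cert-tls[[:space:]]+server' "$1"; then
    echo "no 'remote-cert-tls server': any certificate signed by the CA, even a client's, passes as the server"; n=$((n + 1))
  fi
  return "$n"
}
```

Run `f=$(make_sample_ovpn); render_cmdline "$f"; audit_ovpn "$f"` to see the page's own command line reproduced and the three findings for this config.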

macOS (10.15.7 Catalina)

brew info openvpn
# openvpn: stable 2.5.1 (bottled)
# SSL/TLS VPN implementing OSI layer 2 or 3 secure network extension
# https://openvpn.net/community/
# Not installed
brew install openvpn
brew info openvpn
# openvpn: stable 2.5.1 (bottled)
# SSL/TLS VPN implementing OSI layer 2 or 3 secure network extension
# https://openvpn.net/community/
# /usr/local/Cellar/openvpn/2.5.1 (85 files, 1.7MB) *
#   Poured from bottle on 2021-04-16 at 09:32:58

ls -l /usr/local/sbin/openvpn
# lrwxr-xr-x  1 changsuim  admin  36  4 16 09:32 /usr/local/sbin/openvpn -> ../Cellar/openvpn/2.5.1/sbin/openvpn
export PATH=$PATH:/usr/local/sbin

which openvpn
# /usr/local/sbin/openvpn

or

ln -s /usr/local/sbin/openvpn /usr/local/bin
ls -l /usr/local/bin/openvpn
# lrwxr-xr-x  1 changsuim  staff  23  4 16 09:57 /usr/local/bin/openvpn -> /usr/local/sbin/openvpn

which openvpn
# /usr/local/bin/openvpn
openvpn --version
# OpenVPN 2.5.1 x86_64-apple-darwin19.6.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Mar  1 2021
# [...]

sudo openvpn \
  --ca $HOME/ca.crt \
  --auth-user-pass \
  --dev tun \
  --tls-client \
  --remote vpn.example.com 1194 \
  --redirect-gateway def1 \
  --pull \
  --proto udp \
  --script-security 2 \
  --compress lzo \
  --reneg-sec 0 \
  --verb 3