OpenVPN Client Configuration


Applicable Plans - All Cloud Hosting Plans

 


Overview

This is a guide for end users who will be connecting to an OpenVPN server that has been set up by their system administrator.

  • If you are a system administrator looking for instructions on how to install and configure OpenVPN, please see here - OpenVPN Installation.

  • If you are looking for instructions on how to use OpenVPN to connect to a shared folder, a secure web site, or secured e-mail server, please see here - Using OpenVPN

Connecting to OpenVPN

You can connect to OpenVPN from Windows XP Professional, Windows Vista, Windows 7, Mac OS X, or Linux.

You should have been provided a directory or folder containing four files (ca.crt, client.crt, client.key, client.ovpn) that you will need to use in order to set up your OpenVPN to connect to the OpenVPN server. Please note that the client.crt, client.key, and client.ovpn files may have different names depending on how your system administrator configured your particular set of keys.

The folder or directory may also be in a compressed format. For Windows users, a free program like 7-Zip can be used to extract the files - http://www.7-zip.org/. For Mac OS X users, you should just be able to double-click on the compressed directory to extract it, and for Linux users you should be able to extract from the command line.

  • For Windows, you will need to install the OpenVPN client program from OpenVPN on your PC, and then add the files that were provided to you from your system administrator to the OpenVPN directory on your computer. You may also need to edit the client.ovpn file to point to the correct location for the ca, crt, and key files.

  • For Mac OS X, you will need to use a program like Tunnelblick to connect to your Virtual Server using OpenVPN. You will need to install the client program, and then add the files that were provided to you by your system administrator to the Tunnelblick application directory. You will also need to edit the client.ovpn file to point to the correct locations of the ca, crt, and key files.

  • For Linux, you will need to install the OpenVPN package on your local computer, and then add the files that were provided to you by your system administrator to the /etc/openvpn directory. You will then use the command line as the root user to run the OpenVPN client program. The instructions for Linux should work for most UNIX based systems.

How to configure an OpenVPN client to use the client files provided to you will be covered in the section of this user guide specific to your operating system.

Connecting to OpenVPN from Windows 7 or Windows Vista
    Install OpenVPN (Windows 7/Windows Vista)
    Client file configuration
    Using OpenVPN GUI

Connecting to OpenVPN from Windows XP Professional
    Install OpenVPN (Windows XP Pro)
    Windows XP client configuration
    Starting the Windows XP client and connecting to OpenVPN

Connecting to OpenVPN from Mac OS X
    Tunnelblick configuration
    Starting Tunnelblick and connecting to OpenVPN

Connecting to OpenVPN from Linux
    Linux OpenVPN client configuration
    Starting the Linux client and connecting to OpenVPN


Connecting to OpenVPN from Windows 7 or Windows Vista

Note: In order to use OpenVPN on Windows 7 or Windows Vista, your user will need to have administrator privileges. If you don't have administrator privileges, please contact whoever is responsible for your computer configuration for assistance.

Install OpenVPN (Windows 7/Windows Vista)

To connect to OpenVPN from your Windows 7 or Windows Vista PC, you will need to download the OpenVPN client program from the OpenVPN website - http://openvpn.net/index.php/open-source/downloads.html. Download the latest version available unless you have a specific reason to need an older version. For best results, download the Windows Installer.

Once you have downloaded the OpenVPN Windows Installer, install the program. The OpenVPN program will install in the C:\Program Files (x86)\OpenVPN directory.

Windows 7 OpenVPN location

This will also install the OpenVPN GUI, which you will use to connect to OpenVPN. The OpenVPN GUI installs a shortcut on your desktop.

Client file configuration

Open the directory that was provided to you by your system administrator, and move the four individual files: ca.crt, client.crt, client.key, client.ovpn to the C:\Program Files (x86)\OpenVPN\config directory. Move the individual files, don't move the entire directory, and remember that the client.crt, client.key, and client.ovpn files may have different names depending on how they were set up.

Windows 7 OpenVPN config directory

Using OpenVPN GUI

Once the files are in the config directory, close this window and go back to the desktop. Right click on the shortcut icon for OpenVPN GUI, and go to Properties.

OpenVPN GUI - Properties


In the OpenVPN GUI Properties screen, click on the Compatibility tab. In Privilege Level, make sure that Run this program as an administrator is checked.

OpenVPN GUI - Compatibility


Once you have set OpenVPN GUI to run as an administrator, then double-click on the OpenVPN GUI icon to start the program. This will create an icon on your Taskbar, in the Notification area. The icon is circled in blue in this screenshot. Notice that the "color" of the icon is red, meaning that OpenVPN is not connected.

Taskbar - Notification area OpenVPN GUI


Right-click on the OpenVPN GUI icon, and click on Connect.

OpenVPN GUI - right-click menu


This will open the status screen, which will scroll any messages generated during the connection to OpenVPN. Notice that the "color" of the icon goes to yellow during the connection process.

OpenVPN status messages


If the connection is successful, the status screen will disappear, and you will see a client is now connected message, which will also show the IP address assigned to the local end of the VPN connection. Notice that the "color" of the icon is now green.

client is now connected


To verify that the connection is up and routing correctly, try to ping the OpenVPN server. Go to Start > All Programs > Accessories > Command Prompt. In the Command Prompt window, try to ping the OpenVPN server, which is at 10.8.0.1, with the ping 10.8.0.1 command. You should get four replies.

Ping OpenVPN server


If your connection was unsuccessful, you can right-click on the OpenVPN GUI icon in the Notification area, and select Show Status. This will allow you to scroll back through the connection messages to see any issues. With Windows 7 and Windows Vista, one of the more common issues is with permissions and privileges, which is why it is important to make sure that OpenVPN GUI can run as an administrator.

If you cannot connect, go back through the configuration, and make sure that you have all the files in the correct locations. Also verify that you followed the steps correctly when creating the OpenVPN keys. If you are not able to troubleshoot the issue, please contact eApps Support for assistance.


Connecting to OpenVPN from Windows XP Professional

Note: In order to use OpenVPN on Windows XP Professional, your user will need to have administrator privileges. If you don't have administrator privileges, please contact whoever is responsible for your computer configuration for assistance.

Install OpenVPN (Windows XP Pro)

To connect to OpenVPN from your Windows XP Pro PC, you will need to download the OpenVPN client program from the OpenVPN website - http://openvpn.net/index.php/open-source/downloads.html. Download the latest version available unless you have a specific reason to need an older version. For best results, download the Windows Installer.

Once you have downloaded the OpenVPN Windows Installer, install the program. By default, this will install into the C:\Program Files\OpenVPN directory.

Windows XP client configuration

Move the directory that was provided to you by your system administrator into the OpenVPN directory, and rename it to client. Make sure the location is now C:\Program Files\OpenVPN\client. Remember that the client.crt, client.key, and client.ovpn files in that directory may have different names depending on how they were set up.

Windows OpenVPN directory


Enter that new directory, right-click on the client.ovpn file, choose Open With, and choose a plain text editor, such as WordPad. Do not use a word processor like Microsoft Word or LibreOffice Writer; only use a plain text editor (be aware that Notepad may wrap the text in this file, making it difficult to read).

Open With - WordPad


In WordPad, scroll down until you find these lines, generally lines 88, 89, and 90:

ca ca.crt
cert client.crt
key client.key

Verify that the path to the ca.crt, client.crt, and the client.key files exactly matches the location where they are installed, and also exactly matches the names of the files. This is very important - if the path does not match the location, and the names are not correct, you will not be able to connect to OpenVPN.

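Also notice the location and number of the back-slashes ( \ ) in the file. This is also very important: each back-slash in a Windows path is written twice, and because the path contains a space (Program Files) it is enclosed in double quotes.

In this example, the ca.crt, client.crt, and client.key files are in the client directory, so the path to the files would look like this:

ca "C:\\Program Files\\OpenVPN\\client\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\client\\client.crt"
key "C:\\Program Files\\OpenVPN\\client\\client.key"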

Once you have edited the file so that the paths and names of the files are correct, save and exit the client.ovpn file.

Starting the Windows XP client and connecting to OpenVPN

To start the OpenVPN connection, right-click again on the client.ovpn file, and click on Start OpenVPN on this config file (generally the second option down).

OpenVPN - connect


This will open a DOS window, and quite a few status messages will scroll across the screen. When the messages stop scrolling, the last line should be Initialization Sequence Completed. At this point, you are connected to the VPN tunnel.

OpenVPN - connected


You can verify this by pinging the Virtual Server over the tunnel. Open a Windows command prompt, and ping the IP address of 10.8.0.1. You should get four replies:

OpenVPN - ping VS


If you do not get a reply, then go back over your configuration. Look at the original DOS window which scrolled the connection messages to see if there are any errors.

If you are not able to troubleshoot the issue, please contact eApps Support for assistance.


Connecting to OpenVPN from Mac OS X

To connect to OpenVPN from Mac OS X, you will need to download and install Tunnelblick - http://code.google.com/p/tunnelblick/. Tunnelblick is a free and open source OpenVPN client for Mac OS X. You can download the application from here - http://code.google.com/p/tunnelblick/wiki/DownloadsEntry?tm=2

Tunnelblick configuration

Once the application is installed, move the directory that was provided to you by your system administrator to the correct location for Tunnelblick, and rename it client. The client.ovpn file will then need to be edited so that it points to the correct locations for these files. Remember that the client.crt, client.key, and client.ovpn files in that directory may have different names depending on how they were set up.

Using either the command line or the Finder, move the client directory to Users > your_user_name > Library > Application Support > Tunnelblick > Configurations.

From the command line, the path will look like this: /Users/your_user_name/Library/Application Support/Tunnelblick/Configurations

Make sure that you are navigating to the Library directory under your user name, not to the Library directory under the system root directory.

Once you have moved the client directory to the Configurations directory for Tunnelblick, open the client.ovpn file for editing. You can edit the file in any plain text editor you have installed on the system. Do not use a word processor like Microsoft Word or LibreOffice Writer; only use a plain text editor.

Once you have the file open for editing, find these lines, generally lines 88, 89, and 90.

ca ca.crt
cert client.crt
key client.key


Change the lines so that they look like this. Make sure to substitute your_user_name with your actual user name. Also pay very close attention to the locations of the forward slashes and back slashes, because you will need to have those in exactly the right places.

ca /Users/your_user_name/Library/Application\ Support/Tunnelblick/Configurations/client/ca.crt
cert /Users/your_user_name/Library/Application\ Support/Tunnelblick/Configurations/client/client.crt
key /Users/your_user_name/Library/Application\ Support/Tunnelblick/Configurations/client/client.key

Starting Tunnelblick and connecting to OpenVPN

Once you have moved the client directory to the correct location, and edited the client.ovpn file, you can start the Tunnelblick application. Go to your Applications folder, and click on Tunnelblick.

When Tunnelblick is running, it puts an icon in the Menu bar at the top right of the Desktop, usually just to the left of the Spotlight icon.

Tunnelblick icon - disconnected


To connect to OpenVPN, click on the Tunnelblick icon in the Menu bar, and then go to client/ > Connect client.

Tunnelblick - Connect client


You will see some status messages as Tunnelblick connects. When the connection is successful, the icon will show a green colored area in the center:

Tunnelblick - connected


You can verify this by pinging the Virtual Server from the Mac OS X terminal. Open the Terminal program, and ping 10.8.0.1 with the ping -c 4 10.8.0.1 command (the -c 4 limits the ping to 4 replies).

macbookpro:~ user_name$ ping -c 4 10.8.0.1
PING 10.8.0.1 (10.8.0.1): 56 data bytes
64 bytes from 10.8.0.1: icmp_seq=0 ttl=64 time=29.079 ms
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=28.207 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=29.782 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=28.270 ms

--- 10.8.0.1 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 28.207/28.834/29.782/0.646 ms
macbookpro:~ user_name$


If you do not get a reply, then go back over your configuration. In Tunnelblick, click on the icon again and go to VPN Details. This will open the Tunnelblick log, which is useful for troubleshooting connection issues.

Tunnelblick - log

If you are not able to troubleshoot the issue, please contact eApps Support for assistance.


Connecting to OpenVPN from Linux

Due to the large number of Linux distros and desktops available, this user guide will explain how to connect to OpenVPN from the command line only. This should be common on all distros. If your distro or desktop has a different client to use, feel free to use that instead.

Note: In order to connect to an OpenVPN server from Linux, you will need to be able to work as the root user or have sudo privileges. If you don't have root or sudo privileges, please contact whoever is responsible for your computer configuration for assistance.

Depending on your specific Linux distro, you may have an OpenVPN client already available, or the OpenVPN application may already be installed. Please see the documentation for your Linux distro or refer to the support community for your distro if you have any questions on exactly what's installed or available to you.

This user guide assumes that OpenVPN is already installed. If you need to install OpenVPN, then refer to the documentation for your Linux distro for information on how to install packages, or consult the support community for your distro for more assistance.

Linux OpenVPN client configuration

Move the directory provided to you by your system administrator to the /etc/openvpn directory. Assuming that you are going to only use OpenVPN as a client on this computer, this should not cause an issue. If you are using OpenVPN as something other than just a client, you may need to use a different directory.

If necessary, unpack the file using the tar xvzf file_name.tar.gz command. This will put the four client files (ca.crt client.crt client.key client.ovpn) in the /etc/openvpn directory. Remember that the client.crt, client.key, and client.ovpn files in that directory may have different names depending on how they were set up.

[root@vpn-client openvpn]# tar xvzf file_name.tar.gz
ca.crt
client.crt
client.key
client.ovpn
[root@eapps-example openvpn]# ll
total 24
-rw-r--r-- 1 root root 1338 Apr 20 15:28 ca.crt
-rw-r--r-- 1 root root 3935 Apr 20 15:32 client.crt
-rw-r--r-- 1 root root 5127 Apr 26 13:10 file_name.tar.gz
-rw------- 1 root root  916 Apr 20 15:32 client.key
-rw-r--r-- 1 root root 3513 Apr 20 15:34 client.ovpn
[root@vpn-client openvpn]#


Once the files are unpacked in the correct directory, verify that the client.ovpn file is pointing to the correct locations for the ca.crt, client.crt, and client.key files. Open the file in any plain text editor that you have available and look at these lines, which are generally lines 88, 89, and 90.

ca ca.crt
cert client.crt
key client.key

This configuration shows that the files are in the current working directory, which is correct. If for some reason your files are in a different location, you would need to make the necessary adjustment.
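The ca, cert, and key lines can be checked before connecting, whichever of the three path forms in this guide they use (doubled back-slashes on Windows, an escaped space on Mac OS X, bare file names on Linux). The Python script below is an added example, not part of the original guide or of OpenVPN: it splits each line using the escaping rules described in the OpenVPN manual, then checks that each file exists and that the private key is readable only by its owner, as client.key is in the directory listing above. The function names are hypothetical, and relative paths are assumed to resolve against the directory holding client.ovpn, which is where this guide starts OpenVPN from.

```python
import os
import stat

FILE_DIRECTIVES = ("ca", "cert", "key")
ESCAPABLE = ("\\", '"', " ", "\t")  # per the OpenVPN manual: \\, \" and \<space or tab>

def split_line(line):
    """Split one config line into tokens the way the OpenVPN manual describes."""
    tokens, cur, quote, i = [], None, None, 0
    while i < len(line):
        ch, literal = line[i], False
        if ch == "\\" and quote != "'":  # no escaping inside single quotes
            i += 1
            ch, literal = line[i:i + 1], True
            if ch not in ESCAPABLE:
                raise ValueError("bad backslash: write \\\\ for each \\ of a Windows path")
        if literal or (quote and ch != quote):
            cur = (cur or "") + ch
        elif quote:  # closing quote
            quote = None
        elif ch in ('"', "'"):
            quote, cur = ch, cur or ""
        elif ch.isspace():
            if cur is not None:
                tokens.append(cur)
            cur = None
        elif ch in ("#", ";") and cur is None:
            break  # comment runs to the end of the line
        else:
            cur = (cur or "") + ch
        i += 1
    if quote:
        raise ValueError("unterminated quote")
    return tokens if cur is None else tokens + [cur]

def check_client_config(ovpn_path):
    """Return a list of problems with the ca/cert/key lines of a client config."""
    base = os.path.dirname(os.path.abspath(ovpn_path))  # assumed working directory
    problems, seen = [], set()
    with open(ovpn_path, encoding="utf-8", errors="replace") as fh:
        lines = fh.read().splitlines()
    for lineno, line in enumerate(lines, 1):
        try:
            tokens = split_line(line)
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
            seen.update(line.split()[:1])
            continue
        if not tokens or tokens[0] not in FILE_DIRECTIVES:
            continue
        name = tokens[0]
        seen.add(name)
        path = os.path.join(base, tokens[1]) if len(tokens) == 2 else None
        if path is None:
            problems.append(f"line {lineno}: '{name}' needs one path; quote it or escape spaces")
        elif not os.path.isfile(path):
            problems.append(f"line {lineno}: '{name}' file not found: {path}")
        elif name == "key" and os.name == "posix" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            problems.append(f"line {lineno}: private key is accessible to group/others: {path}")
    return problems + [f"no '{d}' line found" for d in FILE_DIRECTIVES if d not in seen]

if __name__ == "__main__":  # constructed lines in the Windows and Mac OS X forms
    print(split_line(r'ca "C:\\Program Files\\OpenVPN\\client\\ca.crt"'))
    print(split_line(r"key /Users/your_user_name/Library/Application\ Support/client.key"))
```

Calling check_client_config("/etc/openvpn/client.ovpn") returns an empty list when all three lines parse, the files exist, and the key is private to its owner.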

Starting the Linux client and connecting to OpenVPN

Once the client files are in place, you can start the OpenVPN client with the openvpn --config client.ovpn & command. This starts OpenVPN, using the client.ovpn as the configuration file. The ampersand (&) at the end puts the process in the background so that it can continue to run if you exit the command.

[root@vpn-client openvpn]# openvpn --config client.ovpn &
[1] 954
[root@centos openvpn]# Thu Apr 26 14:07:55 2012 OpenVPN 2.2.1 x86_64-redhat-linux-gnu [SSL][LZO2] [EPOLL][PKCS11] [eurephia] built on Sep 12 2011
Thu Apr 26 14:07:55 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Apr 26 14:07:55 2012 LZO compression initialized
Thu Apr 26 14:07:55 2012 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Apr 26 14:07:55 2012 Socket Buffers: R=[124928->131072] S=[124928->131072]
Thu Apr 26 14:07:55 2012 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Apr 26 14:07:55 2012 Local Options hash (VER=V4): '41690919'
Thu Apr 26 14:07:55 2012 Expected Remote Options hash (VER=V4): '530fdded'
Thu Apr 26 14:07:55 2012 UDPv4 link local: [undef]
Thu Apr 26 14:07:55 2012 UDPv4 link remote: 68.169.49.8:1194
Thu Apr 26 14:07:55 2012 TLS: Initial packet from 68.169.49.8:1194, sid=766be375 96066f8f
Thu Apr 26 14:07:55 2012 VERIFY OK: depth=1, /C=US/ST=GA/L=Norcross/O=eApps_Hosting/CN=eapps-example.com/name=server-ca/emailAddress=support@eapps.com
Thu Apr 26 14:07:55 2012 VERIFY OK: nsCertType=SERVER
Thu Apr 26 14:07:55 2012 VERIFY OK: depth=0, /C=US/ST=GA/L=Norcross/O=eApps_Hosting/CN=eapps-example.com/name=server/emailAddress=support@eapps.com
Thu Apr 26 14:07:55 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Apr 26 14:07:55 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr 26 14:07:55 2012 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Apr 26 14:07:55 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr 26 14:07:55 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Apr 26 14:07:55 2012 [eapps-example.com] Peer Connection Initiated with 68.169.49.8:1194
Thu Apr 26 14:07:57 2012 SENT CONTROL [eapps-example.com]: 'PUSH_REQUEST' (status=1)
Thu Apr 26 14:07:57 2012 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Thu Apr 26 14:07:57 2012 OPTIONS IMPORT: timers and/or timeouts modified
Thu Apr 26 14:07:57 2012 OPTIONS IMPORT: --ifconfig/up options modified
Thu Apr 26 14:07:57 2012 OPTIONS IMPORT: route options modified
Thu Apr 26 14:07:57 2012 ROUTE default_gateway=68.169.56.1
Thu Apr 26 14:07:57 2012 TUN/TAP device tun0 opened
Thu Apr 26 14:07:57 2012 TUN/TAP TX queue length set to 100
Thu Apr 26 14:07:57 2012 /sbin/ip link set dev tun0 up mtu 1500
Thu Apr 26 14:07:57 2012 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Thu Apr 26 14:07:57 2012 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Thu Apr 26 14:07:57 2012 Initialization Sequence Completed

[root@vpn-client openvpn]#

To verify that the connection is up, try to ping the OpenVPN server, which is 10.8.0.1.

[root@vpn-client openvpn]# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=0.638 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=0.853 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=0.884 ms
64 bytes from 10.8.0.1: icmp_seq=4 ttl=64 time=0.703 ms
^C
--- 10.8.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3092ms
rtt min/avg/max/mdev = 0.638/0.769/0.884/0.105 ms
[root@vpn-client openvpn]#

If you do not get a reply, then go back over your configuration. Look carefully at the status messages from the OpenVPN client connection for any errors. If you have access to the OpenVPN server, look at the OpenVPN logs for any errors or status messages. If you are not able to troubleshoot the issue, please contact eApps Support for assistance.
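The status messages can also be read by script. The Python function below is an added example, not part of the original guide or of OpenVPN: it reports whether the tunnel came up, which certificate depths were verified, and which negotiated parameters are dated by current standards, as the BF-CBC cipher, TLSv1, and 1024-bit RSA key in the 2012 sample output above are. What to flag is a policy choice made in this example, and the function name is hypothetical.

```python
import re

# Assumptions of this example: which parameters to flag is a policy choice made here.
SHORT_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}  # 64-bit blocks
OLD_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
MIN_RSA_BITS = 2048

# Excerpt of the client output shown in this guide (other lines omitted).
SAMPLE_LOG = """\
Thu Apr 26 14:07:55 2012 VERIFY OK: depth=1, /C=US/ST=GA/L=Norcross/O=eApps_Hosting/CN=eapps-example.com/name=server-ca/emailAddress=support@eapps.com
Thu Apr 26 14:07:55 2012 VERIFY OK: nsCertType=SERVER
Thu Apr 26 14:07:55 2012 VERIFY OK: depth=0, /C=US/ST=GA/L=Norcross/O=eApps_Hosting/CN=eapps-example.com/name=server/emailAddress=support@eapps.com
Thu Apr 26 14:07:55 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Apr 26 14:07:55 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Apr 26 14:07:57 2012 Initialization Sequence Completed
"""

def audit_client_log(log_text):
    """Return tunnel state, verified certificate depths and a sorted list of findings."""
    connected, depths, findings = False, [], set()
    for line in log_text.splitlines():
        if "Initialization Sequence Completed" in line:
            connected = True
        elif "VERIFY ERROR" in line:
            findings.add("certificate verification failed")
        elif "No server certificate verification method has been enabled" in line:
            findings.add("client does not check that the peer presents a server certificate")
        elif m := re.search(r"VERIFY OK: depth=(\d+)", line):
            depths.append(int(m.group(1)))
        elif m := re.search(r"Data Channel \w+: Cipher '([^']+)'", line):
            if m.group(1).upper() in SHORT_BLOCK_CIPHERS:
                findings.add(f"data channel cipher {m.group(1)} has a 64-bit block")
        elif m := re.search(r"Control Channel: ([\w.]+), cipher .*, (\d+) bit RSA", line):
            proto, bits = m.group(1), int(m.group(2))
            if proto in OLD_PROTOCOLS:
                findings.add(f"control channel negotiated {proto}")
            if bits < MIN_RSA_BITS:
                findings.add(f"peer certificate RSA key is {bits} bits")
    if connected and 0 not in depths:
        findings.add("no VERIFY OK seen for the server certificate (depth=0)")
    return {"connected": connected, "verified_depths": depths, "findings": sorted(findings)}

if __name__ == "__main__":
    print(audit_client_log(SAMPLE_LOG))
```

Findings of this kind are settled on the server side, so they are something to pass to the system administrator who issued the client files.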


