
Configuring the Server Side OpenVPN Machine

The server side OpenVPN machine is the heart of the VPN. In routed mode, all clients will connect to the OpenVPN server and all communication between clients (if the "client-to-client" option is enabled) is routed by the OpenVPN server, so it's best to have a dedicated, always-up machine to run it on.

Clients need the server side IP address hardcoded in their config files, so it's usually best and easiest to set up a domain name that points to your server side network. (There are many services out there offering free domain names. You'll also need a dynamic DNS service, such as TZO or DynDNS, if the IP address of your server's WAN connection changes frequently.)

First, we need to create a configuration directory for OpenVPN. Elevate yourself to root and create the directory /etc/openvpn with subdirectories /etc/openvpn/certs and /etc/openvpn/keys.

~ # mkdir /etc/openvpn
~ # mkdir /etc/openvpn/certs /etc/openvpn/keys

Next, copy the server's certificate (server.crt) and the CA's certificate (ca.crt) we created earlier with OpenVPN's easy-rsa into /etc/openvpn/certs. Likewise, copy the server's key (server.key) into /etc/openvpn/keys. The server's key must be kept secret, so lock down the permissions on the key directory with:

~ # chmod -R 600 /etc/openvpn/keys/

Next, we need to create the Diffie-Hellman parameters used for the key exchange that establishes each session's symmetric keys. After creation, copy the DH parameters (dh2048.pem) to /etc/openvpn.

~ $ openssl dhparam -out dh2048.pem 2048

One of the great features of OpenVPN is the ability to "push" specific configurations to individual clients. This allows you to set up a very powerful and flexible VPN network with multiple types of clients all connecting back to one central server.

This is accomplished by setting up a client configuration directory on the OpenVPN server that contains short configuration files for each client that connects to the server. When a client connects, the server looks for the configuration file with the same common name as the client's certificate and executes any configuration parameters in that file.

Create the directory /etc/openvpn/client-configs and in it, create a file with the same common name as the client network (remote_office in this example).

~ # mkdir /etc/openvpn/client-configs
~ # touch /etc/openvpn/client-configs/remote_office

Open up remote_office with your favorite text editor and enter the following configuration:

iroute 192.168.1.0 255.255.255.0
push "route 10.1.1.0 255.255.255.0 vpn_gateway"

The iroute directive sets an internal route on the OpenVPN server, so it knows to route all traffic bound for the network 192.168.1.0/24 through the remote_office client. Pushing the route 10.1.1.0/24 advertises the server's network to the client.

Note: Another handy option to push to clients is the redirect-gateway option. This redirects all the client's traffic through the VPN, which can be a great way to surf the Internet safely from an insecure wireless hot spot.
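Because the server trusts whatever iroute each client-config file claims, two files that claim overlapping subnets, or one that claims the server's own LAN, will silently misroute traffic. The following checker is an added example and not part of the original article; it parses client-config-dir files (here constructed in memory, with a hypothetical second client "branch_b" alongside remote_office) and flags such overlaps before the server is started.

```python
import ipaddress
import re
import textwrap

# Constructed sample client-config-dir contents, keyed by file name (which
# OpenVPN matches against the client certificate's common name). remote_office
# mirrors the article; branch_b is a hypothetical client with a bad iroute.
SAMPLE_CCD = {
    "remote_office": textwrap.dedent("""\
        iroute 192.168.1.0 255.255.255.0
        push "route 10.1.1.0 255.255.255.0 vpn_gateway"
    """),
    "branch_b": textwrap.dedent("""\
        iroute 10.1.1.0 255.255.255.0
        push "route 10.1.1.0 255.255.255.0 vpn_gateway"
    """),
}

SERVER_LAN = ipaddress.ip_network("10.1.1.0/24")  # server-side LAN from the article

IROUTE_RE = re.compile(r"^\s*iroute\s+(\S+)\s+(\S+)")


def parse_iroutes(ccd_text):
    """Return the networks a single client-config file claims via iroute."""
    nets = []
    for line in ccd_text.splitlines():
        m = IROUTE_RE.match(line)
        if m:
            # ipaddress accepts "network/dotted-netmask"; strict=True rejects host bits
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=True))
    return nets


def check_ccd(ccd_files, server_lan=SERVER_LAN):
    """Flag iroutes overlapping the server LAN or another client's iroute.

    Returns a list of (common_name, network, reason) findings; empty means clean."""
    findings = []
    claimed = []  # (common_name, network) pairs seen so far
    for cn, text in ccd_files.items():
        for net in parse_iroutes(text):
            if net.overlaps(server_lan):
                findings.append((cn, str(net), "overlaps server LAN"))
            for other_cn, other in claimed:
                if other_cn != cn and net.overlaps(other):
                    findings.append((cn, str(net), f"overlaps iroute of {other_cn}"))
            claimed.append((cn, net))
    return findings
```

To run it against a real /etc/openvpn/client-configs, build the dictionary by reading each file in that directory with its file name as the key.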

Finally, we need to edit the OpenVPN config file. OpenVPN ships with a collection of good example config files (found in ~/openvpn-2.0.9/sample-config-files) that are very well documented starting points. The man page is also very well written and contains loads of useful information.

For this example, the OpenVPN server's config file (server.conf) looks like this.

Note: If you plan to have multiple clients connecting to the OpenVPN server, you can allow them to "see" each other using the "client-to-client" option. Otherwise, clients will only be able to see the server.

Configuring the Server Side Router

In order to route traffic from the server-side network through OpenVPN to the client, the machines on the server's network need to know how to reach the client. So we need to add a route to the server-side router to route all traffic bound for the client subnet (192.168.1.0/24) to the OpenVPN machine (10.1.1.2).

On the DGL-4300, this is found under Advanced > Routing (Figure 3).

Figure 3: Adding a Route to the Server-side Router

Now we can start up the OpenVPN server:

~ # openvpn --config /etc/openvpn/server.conf
