OpenVPN configuration for /etc/openvpn/server.conf

server.conf

local 192.168.2.0 # SWAP THIS NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
dev tun 
proto udp #Some people prefer to use tcp. Don't change it if you don't know.
port 1194 
ca /etc/openvpn/easy-rsa/keys/ca.crt 
cert /etc/openvpn/easy-rsa/keys/Server.crt # SWAP WITH YOUR CRT NAME
key /etc/openvpn/easy-rsa/keys/Server.key # SWAP WITH YOUR KEY NAME
dh /etc/openvpn/easy-rsa/keys/dh1024.pem # If you changed to 2048, change that here!
server 10.8.0.0 255.255.255.0 
# server and remote endpoints 
ifconfig 10.8.0.1 10.8.0.2 
# Add route to Client routing table for the OpenVPN Server 
push "route 10.8.0.1 255.255.255.255" 
# Add route to Client routing table for the OpenVPN Subnet 
push "route 10.8.0.0 255.255.255.0" 
# your local subnet 
push "route 192.168.2.0 255.255.255.0" # SWAP THE IP NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
# Set primary domain name server address to the SOHO Router 
# If your router does not do DNS, you can use Google DNS 8.8.8.8 
push "dhcp-option DNS 192.168.2.1" # This should already match your router address and not need to be changed.
# Override the Client default gateway by using 0.0.0.0/1 and 
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of 
# overriding but not wiping out the original default gateway. 
push "redirect-gateway def1" 
client-to-client 
duplicate-cn 
keepalive 10 120 
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 
cipher AES-128-CBC 
comp-lzo 
user nobody 
group nogroup 
persist-key 
persist-tun 
status /var/log/openvpn-status.log 20 
log /var/log/openvpn.log 
verb 1

Hi, I tried out your tutorial on readwrite.com and it was very well detailed and easy to follow. I just have a few questions about this configuration file because I think it is the reason why the VPN server fails to start upon booting. Do I need to include the "#" in the file or is that just marking the separation between what you need to type and your comment. Also what do the 10th, 12th, 14th, 16th, 18th, 19th, 21st, 22nd, and 23rd lines mean in relation to them having a # in front of them because I'm confused whether they are directions of what to type in place of the comment or if they are just explaining what the text above or below the comment does. Or possibly a little of both. I really appreciate the help and would really like to get my Raspberry Pi VPN server finally running.

everything after # in a line is a comment, so it doesn't do anything

Hi,
I'm using this for a project at school, and I was wondering... The IP 10.8.0.0 is that supposed to be changed to the public IP of my router or? It seems that my raspberry pi is getting another interface holding this IP.

Johanstuhrnasser:

"10.8.0.0 is the default address for Raspberry Pi for clients that are connected to the VPN."

source: http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing

Sorry for the noob question. I have been following the readwrite tutorial http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing. It was all going well until I got to creating the server conf file. I have a few questions:

A) When putting in the crt and key names, is there a special syntax for listing the values for additional clients?

B) what does the red text signify? are the quotes meant to be typed as well?

Just wanted to point out, that in order for this to work now the verbose level has to be 2 or more. (New version of ssl)

It works.I thought I configed a wrong server.conf.but I tried "iptables -t nat -L" found the problem.

what did that tell you prairie wolf? Mine isn't working for me either

Hello! After connecting, i recieve a message:

Wed Mar 11 22:58:56 2015 Successful ARP Flush on interface [57] {AF13632B-87D1-40D1-9533-4FB5FFC42FAC}
Wed Mar 11 22:59:01 2015 ROUTE: route addition failed using CreateIpForwardEntry: The object already exists.   [status=5010 if_index=57]
Wed Mar 11 22:59:01 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Wed Mar 11 22:59:01 2015 Initialization Sequence Completed

I'm connected to server (ping to 10.8.0.1 is OK), but i cannot open a sites. And that's my server.conf:

local 192.168.1.140 # SWAP THIS NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
dev tun 
proto udp #Some people prefer to use tcp. Don't change it if you don't know.
port 1194 
ca /etc/openvpn/easy-rsa/keys/ca.crt 
cert /etc/openvpn/easy-rsa/keys/Server.crt # SWAP WITH YOUR CRT NAME
key /etc/openvpn/easy-rsa/keys/Server.key # SWAP WITH YOUR KEY NAME
dh /etc/openvpn/easy-rsa/keys/dh1024.pem # If you changed to 2048, change that here!
server 10.8.0.0 255.255.255.0 
# server and remote endpoints 
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server 
push "route 10.8.0.1 255.255.255.255" 
# Add route to Client routing table for the OpenVPN Subnet 
push "route 10.8.0.0 255.255.255.0" 
# your local subnet
push "route 192.168.1.0 255.255.255.0" # SWAP THE IP NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
# Set primary domain name server address to the SOHO Router 
# If your router does not do DNS, you can use Google DNS 8.8.8.8 
push "dhcp-option DNS 192.168.1.1" # This should already match your router address and not need to be changed.
# Override the Client default gateway by using 0.0.0.0/1 and 
#128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of 
# overriding but not wiping out the original default gateway. 
push "redirect-gateway def1" 
client-to-client 
duplicate-cn 
keepalive 10 120 
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 
cipher AES-128-CBC
comp-lzo 
user nobody 
group nogroup 
persist-key 
persist-tun 
status /var/log/openvpn-status.log 20 
log /var/log/openvpn.log 
verb 1

@popipav on line 17, you need to put in your local IP for you rpi. looks like a typo

The problem was in the UDP-protocoll - i changed it to TCP and Voilà! But thank you anyway!

The OpenVPN server will not work on my Pi. I have gone back and checked the files (and there were some errors, which are now fixed), but it just will not start. There is no error output either, so I can't do a proper debugging job.
What to do?

I was having some issues with my Windows clients but strangely with my Andorid everything was working fine, and I found out what was causing the problem.

On line 17 you say # SWAP THE IP NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
Actually it's not the Raspberry pi ip address "host address" but the Network address to which the Raspberry pi is connected that should be used on that line.
For example if it's a 192.168.1.0/24 network the raspberry pi has a host address from 192.168.1.1 to 192.168.1.254 and the line should be : push "route 192.168.1.0 255.255.255.0"

Where do we add the static IP of our connection?? Sorry pretty new to rpi and have not made a VPN server before.

My probably final ultra short config ...
Allows for access to local network when used together with:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/Server.crt
key /etc/openvpn/easy-rsa/keys/Server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1

With thanks to http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing

Hi All,

I have followed the tutorial to configure a VPN server on my Pi2 and it has partly worked; I can access my internal network over VPN, but I am not able to access any websites. What could be a reason for this? Thanks in advance!

The iptables entry discussed by OwenBrotherwood was the key for me. I could connect, but couldn't ping anything but the host otherwise.

I had this all configured at one point and things were peachy. Now, not so much.
nmap -sU 192.168.1.101
gives:
Host is up.
PORT STATE SERVICE
1194/udp open|filtered openvpn

but open port check (canyouseeme.org) shows 1194 "connection refused"
Port forwarding is enabled under the NAT/QoS tab of DD-WRT, with 1194 being forwarded to 192.168.1.101

Any ideas?

I struggled to connect to devices on my local LAN when I was connected from a client.

I noticed that line 13, the last number on the subnet is 255:

# Add route to Client routing table for the OpenVPN Server 
push "route 10.8.0.1 255.255.255.255" 

When changing this to 0 to match the local subnet (line 17), it worked initially when testing on 3G, but then stopped.
Any ideas?

what does the iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE do? beacuse it make my internet working.
will this saved if i restart the raspberry pi?

Happened the same as @esseti, once introduced the postrouting everything started to work. Until then, I was only able to reach the public ip of the eth0 of the rpi.

So, at the end there is two things extra that I needed to end up with a working openvpn with fully "redirect-gateway"
I have to create the tun/tap device and add the iptable rule, every time the system starts.
To acomplish that I modified /etc/network/if-up.d/openvpn

And added the four lines to the script:
mkdir -p /dev/net
mknod /dev/net/tun c 10 200
chmod 600 /dev/net/tun
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
between the first and second if.

Lauren, works great! Thank you so much.
I have tested three ClientX.ovpn and all connect and run just fine; from my iPad--- next my droid tablet and phone.
I'm using the OpenVPN Client on the iPad, and I played havoc trying to get my .ovpn profile into the tablet. I finally was able to do this by using iTunes (with the iPad connected to my mac) in the apps pulldown; drag and drop the profile onto the OpenVPN Client in the apps pane and viola! (then import the .ovpn from within the OpenVPN Client on the iPad).
I'm finally able to to use Pro SSH term app to access my plethora of PIs and Edisons from the iPad as though I were sitting there at home; very nice--- got this going following your very good instructions on a Raspberry PI B+ with Raspbian.
Thanks again.

I am able to connect to the VPN remotely and within my network. The issue I have is when I connect remotely, I can't see the PC I have internally. for example, if i connect my tablet and PC on the same network internally through the VPN I am able to see them both on computer>network list. If I connect my tablet remotely on 4G, I successfully connect to the VPN, but I cannot see the PC that is on the network.

This is my interfaces file:

and my server file:

Here is the iptables:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j MASQUERADE

If changes are made to this after finishing the steps in the guide do we need to remake any keys or redo any steps to the whole process?

push "dhcp-option DNS 192.168.1.1" # This should already match your router address and not need to be changed.

I had this line set up as my public IP address not my router IP.

Noob here. Can someone please help me? What's my CRT and KEY name? How do I find out?

This is what I get:
Please enter an existing Client Name:
Client1
Client’s cert found: Client1
Client’s Private Key found: Client1.3des.key
CA public Key found: ca.crt
tls-auth Private Key found: ta.key
./MakeOVPN.sh: line 46: Default.txt: command not found
Done! Client1.ovpn Successfully Created.
./MakeOVPN.sh: line 72: No: command not found

I am facing problem while connecting SIP Registrations
I can able to connect Client with OPENVPN Server, Please tell me the IP routing configuration:

my current IP route is:
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
192.168.101.0/24 dev em1 proto kernel scope link src 192.168.101.2
64.xxx.xx.xx/24 dev em1 proto kernel scope link src 64.xxx.xx.xx
10.8.0.0/24 via 10.8.0.2 dev tun0
169.254.0.0/16 dev em1 scope link metric 1002
default via 192.168.101.1 dev em1 src 192.168.101.2
default via 64.56.73.1 dev em1

Changed my Local Subnet to the pi itself since I am also runnning Pi-hole.
Able to get to yahoo.com and google.com and some other sites but others doesn't load at all, when connected, am i missing somthing?

Found out im using my ipv6 address and not my ipv4 address when checking out my ip, so i'm assuming its using the ipv6 of the sites that i can connect to.

How can you update the server.conf file? Everytime i try to update it it throws a permissions error. Same error happens on WinSCP and Cyberduck.

cert /etc/openvpn/easy-rsa/keys/Server.crt # SWAP WITH YOUR CRT NAME
key /etc/openvpn/easy-rsa/keys/Server.key # SWAP WITH YOUR KEY NAME

can someone explain what this means ? what is CRT and Key name or do i just leave it as so?

The following script in the repository enabled duplicate-cn by default. You don't want to change the config file.
https://github.com/gayankuruppu/openvpn-install-for-multiple-users