# Step 3 : Setup OpenVPN connections

We'll now prepare a complete set of security and parameter files per OpenVPN client (GM in our context) so that they can be easily distributed to the relevant people/machines.

{% hint style="info" %}
**At the end of the process, you will only need one such set, for yourself : my-fg-ovpn-dm01**
{% endhint %}

But we'll **also do it for (revoked) "my-fg-ovpn-dm02"** so you can test both, and see the connection **working for dm01** and **failing for dm02** (we ***revoked*** this guy earlier), which will verify that the [CRL](https://zeferby.gitbook.io/transparent-openvpn-for-fantasy-grounds/step-2-create-your-pki#your-initial-certification-revocation-list) is taken into account.

In the first part we are looking at things ***as the PKI owner.*** Then we'll switch to the ***VPN user point of view*** when we begin playing with ***OpenVPN GUI.***

## OpenVPN client parameters

### my-fg-ovpn-dm01

So, let's head over to **`T:\fg-ovpn\MY-FG-OVPN\my-fg-ovpn-clients\my-fg-ovpn-dm01`**, one of the folders we prepared long ago.  It should currently be empty :

![](https://681104499-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LhjKavWMofrik61tHfB%2F-Lir0X1gBI28D20UyIEO%2F-Lir2bVHCFeXRRvaDAqN%2Fimage.png?alt=media\&token=cd7c18f7-9f58-4e97-816e-40a7fbf40625)

We'll begin by creating the **OpenVPN connection parameter file** : **`my-fg-ovpn-dm01.ovpn`**

{% code title="my-fg-ovpn-dm01.ovpn" %}

```
client
float
dev tun
;dev-node <name of TAP virtual network card in Windows, if you have several of them>
proto udp
remote <OpenVPN Server Public IP or FQDN> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca my-fg-ovpn-ca.crt
cert my-fg-ovpn-dm01.crt
key my-fg-ovpn-dm01.key
ns-cert-type server
tls-auth my-fg-ovpn-ta.key 1
comp-lzo
verb 4
```

{% endcode %}

***This is a text file that you'll have to save in the above folder.***

Let's have a look at this config file :

* Lines beginning with **`#`** or **`;`** are commented and have no impact on the connection configuration.
* **lines 14 to 18** show that our OpenVPN client will **need several additional files** to work; these files have been created during the previous steps
* **line 6** is where we'll need to put the **Public IP of the OpenVPN server** (or its DNS name, if it has one)\
  ***Since we don't yet know this Public IP, we'll leave the \<placeholder> there for now***

So we'll save the .ovpn file above in **`T:\fg-ovpn\MY-FG-OVPN\my-fg-ovpn-clients\my-fg-ovpn-dm01`**, and also copy/paste there, from **`T:\fg-ovpn\MY-FG_OVPN\MY_FG_OVPN_PKI\MY-FG-OVPN-PKI-KEYS`** :

* **my-fg-ovpn-ca.crt** : the public certificate for our Certification Authority *<<== NOT client-specific*
* **my-fg-ovpn-ta.key** : the shared TLS Authentication security key    *<<== NOT client-specific*
* **my-fg-ovpn-dm01.crt** : the client public certificate    ***<<==client-specific***
* **my-fg-ovpn-dm01.key** : the client private key    ***<<==client-specific***

Which gives :

![OpenVPN Client parameters for my-fg-ovpn-dm01](https://681104499-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LhjKavWMofrik61tHfB%2F-LirFmUnxm4sSpIAlUVL%2F-LirFna-Yhq_xaB2jZrc%2Fimage.png?alt=media\&token=ea54d459-ed73-4aba-8396-2887ab240910)

{% hint style="success" %}
**Your "distribution folder" for my-fg-ovpn-dm01 is complete...**

**...except for the placeholder at line 6** of **`my-fg-ovpn-dm01.ovpn`**, which will have to be replaced with a real value : **`<OpenVPN Server Public IP or FQDN>`**.
{% endhint %}

{% hint style="info" %}
There is *another way to create OpenVPN configs* : mono-file connection profiles where *all the certificates and keys are all embedded as text blocks into the .ovpn file*.

I prefer to stay with the "old way" and keep files separate as it maintains compatibility with older versions of OpenVPN (my GM machine still uses an old 32bit OpenVPN v2.2.2 :grimacing: ) - *but feel free to explore* [*OpenVPN docs*](https://openvpn.net/community-resources/#articles) *for the other format...*
{% endhint %}

### Rinse and repeat for my-fg-ovpn-dm02

You can :

* copy/paste + **rename and edit** ("dm01"->"dm02") the **`.ovpn`** text file from dm01's to dm02's sub-folder
* then copy/paste the 2 "client-invariant" files : CA certificate and TLS-Auth key
* and copy/paste the 2 "client-specific" files : dm02's certificate+key **from the PKI keys sub-folder**.

***DM02's setup :***

{% code title="my-fg-ovpn-dm02.ovpn" %}

```
client
float
dev tun
;dev-node <name of TAP virtual network card in Windows, if you have several of them>
proto udp
remote <OpenVPN Server Public IP or FQDN> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca my-fg-ovpn-ca.crt
cert my-fg-ovpn-dm02.crt
key my-fg-ovpn-dm02.key
ns-cert-type server
tls-auth my-fg-ovpn-ta.key 1
comp-lzo
verb 4
```

{% endcode %}

![](https://681104499-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LhjKavWMofrik61tHfB%2F-LirFmUnxm4sSpIAlUVL%2F-LirKztuDCRFTQjaHVQi%2Fimage.png?alt=media\&token=b30d2a5d-28e5-4053-86b7-ff362dcfaeee)
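A pre-distribution check for the two folders built above, as an added example that is not part of the original guide: it parses the `.ovpn` file, confirms that every referenced file is present, that `cert` and `key` point at this client's own files (the easy slip when copying dm01's config for dm02), that `remote` no longer holds the placeholder, and that no unreferenced file such as another client's private key sits in the folder. The function names, the `make_sample` helper and the `vpn.example.net` host are assumptions made for the example.

```python
import re, tempfile
from pathlib import Path

FILE_DIRECTIVES = ("ca", "cert", "key", "tls-auth")  # directives in the page's config that name a file

def parse_ovpn(text):
    """Active directives as (name, args); '#' and ';' start a comment."""
    rows = (re.split(r"[#;]", raw, maxsplit=1)[0].split() for raw in text.splitlines())
    return [(r[0], r[1:]) for r in rows if r]

def check_distribution(folder, client):
    """Return the problems found in one client's distribution folder."""
    folder = Path(folder)
    conf = folder / f"{client}.ovpn"
    if not conf.is_file():
        return [f"missing {conf.name}"]
    problems, expected = [], {conf.name}
    for name, args in parse_ovpn(conf.read_text()):
        if name == "remote" and (not args or "<" in " ".join(args)):
            problems.append("remote: placeholder not replaced")
        if name in FILE_DIRECTIVES and args:
            expected.add(args[0])
            if not (folder / args[0]).is_file():
                problems.append(f"{name}: {args[0]} not found")
            if name in ("cert", "key") and client not in args[0]:
                problems.append(f"{name}: {args[0]} is not {client}'s file")
    # Files the config never references (e.g. another client's key) must not be shipped.
    extras = sorted(p.name for p in folder.iterdir() if p.name not in expected)
    return problems + [f"unexpected file: {e}" for e in extras]

def make_sample(root, client, remote, cert_owner=None, extra=()):
    """Hypothetical helper: build a constructed folder (dummy contents, no real keys)."""
    owner = cert_owner or client
    folder = Path(root) / client
    folder.mkdir(parents=True)
    lines = ["client", "dev tun", "proto udp", f"remote {remote} 1194",
             ";mute-replay-warnings", "ca my-fg-ovpn-ca.crt", f"cert {owner}.crt",
             f"key {owner}.key", "tls-auth my-fg-ovpn-ta.key 1", "verb 4"]
    (folder / f"{client}.ovpn").write_text("\n".join(lines) + "\n")
    for name in ("my-fg-ovpn-ca.crt", "my-fg-ovpn-ta.key", f"{client}.crt", f"{client}.key", *extra):
        (folder / name).write_text("constructed placeholder\n")
    return folder

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # vpn.example.net is a constructed host name
        ok = make_sample(root, "my-fg-ovpn-dm01", "vpn.example.net")
        bad = make_sample(root, "my-fg-ovpn-dm02", "<OpenVPN Server Public IP or FQDN>",
                          cert_owner="my-fg-ovpn-dm01")  # config copied from dm01, not edited
        for folder in (ok, bad):
            print(folder.name, check_distribution(folder, folder.name) or "OK")
```

An empty list means the folder holds exactly the `.ovpn` file plus the files it references, all belonging to that client.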

## OpenVPN GUI

Let's now switch to the ***user view of OpenVPN***, which is what you'll use in the future : the **OpenVPN GUI**, that you can find in the OpenVPN group, "pin to Start", etc...

![](https://681104499-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LhjKavWMofrik61tHfB%2F-LirFmUnxm4sSpIAlUVL%2F-LirYyikLGVZMeDXJcFE%2Fimage.png?alt=media\&token=96829489-7b86-4a49-a95b-5df3f52b07a5)

![](https://681104499-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LhjKavWMofrik61tHfB%2F-LirFmUnxm4sSpIAlUVL%2F-LirYK-y1nCriWFS4NBE%2Fimage.png?alt=media\&token=514ed617-c4e7-4dbb-80f0-4eb782529941)

When we use it for **the first time**, the result is "a bit" **anticlimactic**... :grimacing:

![](https://681104499-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LhjKavWMofrik61tHfB%2F-LirFmUnxm4sSpIAlUVL%2F-LirLV1htnQpwNubZehF%2Fimage.png?alt=media\&token=4c513534-ffdc-4ebb-8480-f78d151eb170)

After you close this dialog, you don't see anything new about OpenVPN on your screen. :rage:

**Actually this is an excellent thing** : OpenVPN will stay as inconspicuous as possible, whether connected to 0, 1, or more servers.

Ok, let's move on to the **notification icons** on the bottom right of the desktop, where you'll finally discover something new :

![](https://681104499-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LhjKavWMofrik61tHfB%2F-LirFmUnxm4sSpIAlUVL%2F-LirMVWLiLmsUOojqyBq%2Fimage.png?alt=media\&token=678b2ce4-8d67-4710-810d-9b83c2fffb5b)

I'll choose to have this notification icon *always visible*, so it will now always be on my taskbar.

Let's **Right-click** it :

![](https://681104499-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LhjKavWMofrik61tHfB%2F-LirFmUnxm4sSpIAlUVL%2F-LirNKFRJAaC67hupIWt%2Fimage.png?alt=media\&token=a947a8d5-ae52-44c7-ae74-4c5867368cb5)

A quick look at the default settings :

![](https://681104499-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LhjKavWMofrik61tHfB%2F-LirFmUnxm4sSpIAlUVL%2F-LirNcOTKqad7BA7IJFb%2Fimage.png?alt=media\&token=664923d1-336a-434f-9b15-329ccdb0135d)

![](https://681104499-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LhjKavWMofrik61tHfB%2F-LirFmUnxm4sSpIAlUVL%2F-LirNzJjjz94-gDxE7OY%2Fimage.png?alt=media\&token=2c3814d2-5b7c-42a2-ac88-bc5d863ebe78)

![Note : the personal folders above have just been created](https://681104499-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LhjKavWMofrik61tHfB%2F-LirFmUnxm4sSpIAlUVL%2F-LirO4qJkOE04A_tbvus%2Fimage.png?alt=media\&token=ff54cdd3-a603-4b8d-973a-a32bb4775d5f)

I'll just change 2 options according to **my own preference** : to have it *always running* (discreetly, in the taskbar), and have a *notification balloon* also when a "reconnect" happens :

![Updating settings / personal preference](https://681104499-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LhjKavWMofrik61tHfB%2F-LirFmUnxm4sSpIAlUVL%2F-LirNpKJ4RgQ6MtusIIw%2Fimage.png?alt=media\&token=946975ed-d969-4a64-9076-829e16f5e788)

Now let's have a look at the folders in my Windows personal storage (that we see on the "Advanced" tab of the Settings above) :

![](https://681104499-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LhjKavWMofrik61tHfB%2F-LirFmUnxm4sSpIAlUVL%2F-LirLoZGf6QYbPnheHyB%2Fimage.png?alt=media\&token=5c105f26-bfd4-4dc7-aaa9-9d71027cfd67)

**Let's bring some configs there ! We'll copy/paste our 2 shiny "distribution folders"** for dm01 and dm02, from our "PKI owner" storage : we are "distributing" to ourselves...

![Let's copy from the client distributions...](https://681104499-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LhjKavWMofrik61tHfB%2F-LirFmUnxm4sSpIAlUVL%2F-LirSdGkmcsirKZwolJX%2Fimage.png?alt=media\&token=f2356ce5-8708-4cc1-a4c3-0ed21d02422a)

![...and paste to our own "live" client setup.](https://681104499-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LhjKavWMofrik61tHfB%2F-LirFmUnxm4sSpIAlUVL%2F-LirSiPdyTdyiPEZzOpX%2Fimage.png?alt=media\&token=a94c2357-e2bc-4cdf-b473-905a9070f230)

{% hint style="success" %}
**There we are ! All set and ready to connect. Just right-click the OpenVPN GUI again :**
{% endhint %}

![](https://681104499-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LhjKavWMofrik61tHfB%2F-LirFmUnxm4sSpIAlUVL%2F-LircnDnqJ8JWJATuoFe%2Fimage.png?alt=media\&token=f4a3e43b-0aa8-466d-90da-17156c408dff)

When your OpenVPN server is on-line and you know its **Public IP** :

* you'll use the "**Edit config**" option to write the **public IP at line 6** of the config, save and close the file,
* then right-click OpenVPN GUI again, this time choosing "**Connect**"

:fireworks: **Done !** :fireworks:

{% hint style="info" %}
The **`.ovpn`** **config files** that you edit when using the "**Edit Config**" menu item of **OpenVPN GUI** are the ones stored **in your OpenVPN personal folder.**
{% endhint %}

