Step 3 : Setup OpenVPN connections

We'll now prepare a complete set of security and parameter files per OpenVPN client (GM in our context) so that they can be easily distributed to the relevant people/machines.

At the end of the process, you will only need one such set, for yourself : my-fg-ovpn-dm01

But we'll also do it for the revoked "my-fg-ovpn-dm02", so you can test both and see the connection succeed for dm01 and fail for dm02 (we revoked its certificate earlier), which verifies that the server actually enforces the CRL.

In the first part we are looking at things as the PKI owner. Then we'll switch to the VPN user's point of view when we begin playing with OpenVPN GUI.

OpenVPN client parameters

my-fg-ovpn-dm01

So, let's head over to T:\fg-ovpn\MY-FG-OVPN\my-fg-ovpn-clients\my-fg-ovpn-dm01, one of the folders we prepared long ago. It should currently be empty :

We'll begin by creating the OpenVPN connection parameter file : my-fg-ovpn-dm01.ovpn

my-fg-ovpn-dm01.ovpn
client
float
dev tun
;dev-node <name of TAP virtual network card in Windows, if you have several of them>
proto udp
remote <OpenVPN Server Public IP or FQDN> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca my-fg-ovpn-ca.crt
cert my-fg-ovpn-dm01.crt
key my-fg-ovpn-dm01.key
ns-cert-type server
tls-auth my-fg-ovpn-ta.key 1
comp-lzo
verb 4

This is a text file that you'll have to save in the above folder.

Let's have a look at this config file :

  • Lines beginning with # or ; are comments and have no effect on the connection.

  • lines 14, 15, 16 and 18 (ca, cert, key and tls-auth) show that our OpenVPN client needs four additional files to work; these files were created during the previous steps.

  • line 6 (remote) is where we'll need to put the Public IP of the OpenVPN server (or its DNS name, if it has one). Since we don't yet know this Public IP, we'll leave the <placeholder> there for now.

  • line 17 (ns-cert-type server) makes the client check that the certificate presented by the server was issued as a server certificate, so that another client's certificate cannot be used to impersonate the server. This directive is deprecated since OpenVPN 2.4 and dropped in later releases : on a recent client, replace it with remote-cert-tls server, which performs the same check on the certificate's extended key usage.

  • line 18 : the trailing 1 on tls-auth is the key direction; it must be 1 on every client and 0 on the server.

  • line 19 (comp-lzo) enables compression inside the tunnel. Compression lets an attacker who can inject content into the tunnelled traffic recover secrets from it (the VORACLE attack), and current OpenVPN releases discourage it : keep it only if your server requires it.

So we'll save the .ovpn file above in T:\fg-ovpn\MY-FG-OVPN\my-fg-ovpn-clients\my-fg-ovpn-dm01, and also copy/paste there, from T:\fg-ovpn\MY-FG_OVPN\MY_FG_OVPN_PKI\MY-FG-OVPN-PKI-KEYS :

  • my-fg-ovpn-ca.crt : the public certificate of our Certification Authority <<== NOT client-specific

  • my-fg-ovpn-ta.key : the shared TLS-Auth key <<== NOT client-specific (but still a secret : it is the same on the server and on every client)

  • my-fg-ovpn-dm01.crt : the client's public certificate <<== client-specific

  • my-fg-ovpn-dm01.key : the client's private key <<== client-specific, and the one file that must never be shared between clients or sent over an insecure channel; whoever holds it can connect as dm01 until that certificate is revoked

Which gives :

Your "distribution folder" for my-fg-ovpn-dm01 is complete...

...except for the placeholder at line 6 of my-fg-ovpn-dm01.ovpn, <OpenVPN Server Public IP or FQDN>, which will have to be replaced with the real value.

There is another way to create OpenVPN configs : single-file connection profiles, where the certificates and keys are embedded as text blocks (<ca>, <cert>, <key>, <tls-auth>, with the tls-auth direction given by a key-direction 1 line) directly in the .ovpn file.

I prefer to stay with the "old way" and keep files separate as it maintains compatibility with older versions of OpenVPN (my GM machine still uses an old 32bit OpenVPN v2.2.2 😬 ) - but feel free to explore OpenVPN docs for the other format...

Rinse and repeat for my-fg-ovpn-dm02

You can :

  • copy/paste + rename and edit ("dm01"->"dm02") the .ovpn text file from dm01's to dm02's sub-folder

  • then copy/paste the 2 "client-invariant" files : CA certificate and TLS-Auth key

  • and copy/paste the 2 "client-specific" files : dm02's certificate+key from the PKI keys sub-folder.

DM02's setup :

my-fg-ovpn-dm02.ovpn
client
float
dev tun
;dev-node <name of TAP virtual network card in Windows, if you have several of them>
proto udp
remote <OpenVPN Server Public IP or FQDN> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca my-fg-ovpn-ca.crt
cert my-fg-ovpn-dm02.crt
key my-fg-ovpn-dm02.key
ns-cert-type server
tls-auth my-fg-ovpn-ta.key 1
comp-lzo
verb 4
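
As an added example (my own script, not code from the original page or from OpenVPN), here is the "rinse and repeat" above automated in Python, so the same folder can be built for any client name without the copy/paste/rename/edit step going wrong. It assumes a PKI folder laid out like MY-FG-OVPN-PKI-KEYS (CA certificate, TLS-Auth key, and a .crt/.key pair per client); the server name vpn.example.net, the function names and the stand-in PEM text are assumptions. Besides building the separate-files folder exactly as above, it renders the single-file (inline) profile mentioned earlier, with the material in <ca>/<cert>/<key>/<tls-auth> blocks and the tls-auth direction moved to key-direction 1, and it lints a profile for the unfilled <placeholder>, the deprecated ns-cert-type and comp-lzo directives, and a missing server-certificate or control-channel check.

```python
"""Build and lint OpenVPN client distribution folders (added example, not the page's code).
Assumes a PKI folder laid out like MY-FG-OVPN-PKI-KEYS (my-fg-ovpn-ca.crt, my-fg-ovpn-ta.key,
<client>.crt, <client>.key); the function names, vpn.example.net and the sample PEM text
below are assumptions."""
from pathlib import Path
import shutil
import tempfile

CA_FILE, TA_FILE = "my-fg-ovpn-ca.crt", "my-fg-ovpn-ta.key"
PLACEHOLDER = "<OpenVPN Server Public IP or FQDN>"
# The page's my-fg-ovpn-dm01.ovpn without its commented-out lines; client and server are fields.
TEMPLATE = ("client\nfloat\ndev tun\nproto udp\nremote {remote} 1194\n"
            "resolv-retry infinite\nnobind\npersist-key\npersist-tun\n"
            "ca {ca}\ncert {client}.crt\nkey {client}.key\nns-cert-type server\n"
            "tls-auth {ta} 1\ncomp-lzo\nverb 4\n")

def render_separate(client, remote=PLACEHOLDER):
    """The page's "old way": a profile that references the four files next to it."""
    return TEMPLATE.format(client=client, remote=remote, ca=CA_FILE, ta=TA_FILE)

def render_inline(client, pki_dir, remote=PLACEHOLDER):
    """Single-file variant: PEM blocks embedded, tls-auth direction given by key-direction."""
    def block(tag, name):
        return f"<{tag}>\n{(Path(pki_dir) / name).read_text().strip()}\n</{tag}>\n"
    kept = [l for l in render_separate(client, remote).splitlines(keepends=True)
            if (l.split() or [""])[0] not in ("ca", "cert", "key", "tls-auth")]
    return ("".join(kept) + "key-direction 1\n" + block("ca", CA_FILE)
            + block("cert", f"{client}.crt") + block("key", f"{client}.key")
            + block("tls-auth", TA_FILE))

def build_distribution(client, pki_dir, out_dir, remote=PLACEHOLDER):
    """Assemble out_dir/<client>/ as the page does by hand (.ovpn + 2 shared + 2 client
    files) and refuse to ship a folder with anything missing. Returns the file names."""
    pki_dir, out_dir = Path(pki_dir), Path(out_dir)
    needed = [CA_FILE, TA_FILE, f"{client}.crt", f"{client}.key"]
    missing = [n for n in needed if not (pki_dir / n).is_file()]
    if missing:
        raise FileNotFoundError(f"{client}: missing from PKI folder: {missing}")
    dest = out_dir / client
    dest.mkdir(parents=True, exist_ok=True)
    for n in needed:
        shutil.copyfile(pki_dir / n, dest / n)
    (dest / f"{client}.ovpn").write_text(render_separate(client, remote))
    return sorted(p.name for p in dest.iterdir())

def lint_profile(text):
    """Points a reviewer would raise before the profile is handed to a user."""
    d, in_block = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("</"):               # closes an inline <tag> block
            in_block = None
        elif line.startswith("<"):              # an inline block stands in for its directive
            in_block = line[1:-1]
            d.setdefault(in_block, []).append(["<inline>"])
        elif not (in_block or not line or line[0] in "#;"):
            parts = line.split()
            d.setdefault(parts[0], []).append(parts[1:])
    w = []
    if any(PLACEHOLDER in " ".join(a) for a in d.get("remote", [])):
        w.append("remote: placeholder not replaced with the server IP/FQDN")
    if "ns-cert-type" in d:
        w.append("ns-cert-type: deprecated, use remote-cert-tls server")
    elif "remote-cert-tls" not in d:
        w.append("no server certificate check: add remote-cert-tls server")
    if "comp-lzo" in d or "compress" in d:
        w.append("compression enabled: exposes the tunnel to VORACLE-style attacks")
    if not ("tls-auth" in d or "tls-crypt" in d):
        w.append("no tls-auth/tls-crypt: control channel is not pre-authenticated")
    return w

def make_sample_pki(pki_dir, clients=("my-fg-ovpn-dm01", "my-fg-ovpn-dm02")):
    """Constructed stand-in PKI files so the demo runs offline; NOT real certificates or keys."""
    pki_dir = Path(pki_dir)
    pki_dir.mkdir(parents=True, exist_ok=True)
    pem = "-----BEGIN {t}-----\nSAMPLE {n}\n-----END {t}-----\n".format
    (pki_dir / CA_FILE).write_text(pem(t="CERTIFICATE", n="ca"))
    (pki_dir / TA_FILE).write_text(pem(t="OpenVPN Static key V1", n="ta"))
    for c in clients:
        (pki_dir / f"{c}.crt").write_text(pem(t="CERTIFICATE", n=c))
        (pki_dir / f"{c}.key").write_text(pem(t="PRIVATE KEY", n=c))
    return pki_dir

def demo():
    """Build dm01 and dm02 as on the page plus an inline dm01 profile, in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        pki = make_sample_pki(Path(tmp) / "MY-FG-OVPN-PKI-KEYS")
        out = Path(tmp) / "my-fg-ovpn-clients"
        folders = {c: build_distribution(c, pki, out) for c in ("my-fg-ovpn-dm01", "my-fg-ovpn-dm02")}
        separate = (out / "my-fg-ovpn-dm01" / "my-fg-ovpn-dm01.ovpn").read_text()
        inline = render_inline("my-fg-ovpn-dm01", pki, remote="vpn.example.net")
        return {"folders": folders, "separate_warnings": lint_profile(separate),
                "inline_has_key_direction": "key-direction 1" in inline,
                "inline_warnings": lint_profile(inline)}

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The lint deliberately flags the page's own profile on ns-cert-type and comp-lzo : both still work with an old 2.2.2 client, but a profile handed to users running a current OpenVPN should use remote-cert-tls server and drop compression. Point build_distribution at your real MY-FG-OVPN-PKI-KEYS and my-fg-ovpn-clients folders to produce the two distribution folders in one go.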

OpenVPN GUI

Let's now switch to the user view of OpenVPN, which is what you'll use in the future : the OpenVPN GUI, that you can find in the OpenVPN group, "pin to Start", etc...

When we use it for the first time, the result is "a bit" anticlimactic... 😬

After you close this dialog, you don't see anything new about OpenVPN on your screen. 😡

Actually this is an excellent thing : OpenVPN GUI stays as inconspicuous as possible, whether it is connected to 0, 1 or more servers.

Ok, let's move on to the notification icons on the bottom right of the desktop, where you'll finally discover something new :

I'll choose to have this notification icon always visible, so it will now always be on my taskbar.

Let's Right-click it :

A quick look at the default settings :

I'll just change 2 options according to my own preference : to have it always running (discreetly, in the taskbar), and have a notification balloon also when a "reconnect" happens :

Now let's have a look at the folders in my Windows user profile (the per-user configuration folder listed on the "Advanced" tab of the Settings above, %USERPROFILE%\OpenVPN\config by default) :

Let's bring some configs there ! We'll copy/paste our 2 shiny "distribution folders" for dm01 and dm02, from our "PKI owner" storage : we are "distributing" to ourselves...

There we are ! All set and ready to connect. Just right-click the OpenVPN GUI again :

When your OpenVPN server is on-line and you know its Public IP :

  • you'll use the "Edit config" option to write the public IP at line 6 of the config, save and close the file,

  • then right-click OpenVPN GUI again, this time choosing "Connect"

🎆 Done ! 🎆

The .ovpn config files that you edit when using the "Edit Config" menu item of OpenVPN GUI are the ones stored in your OpenVPN personal folder.
