date: 2006-10-08 16:52:15+00:00

A simple OpenVPN tunnel to your RHEL/CentOS server

categories: - Howto - Linux - Security - VPN

I'll explain how I used a static key configuration to get a simple VPN tunnel to connect to my samba share at home from work.

OpenVPN GUI for Windows : Download at

I don't know of any good GUI for Linux; I simply use the CLI (install the openvpn package for your distribution).

OpenVPN 2 Server : Grab the latest version for your distribution at

Generate your static key:

On the client or server side:

    openvpn --genkey --secret static.key

Share the static key between the server and the client over a pre-existing secure channel (scp, pgp, etc.); it is the only secret protecting the tunnel.

From the official documentation, the pros and cons:

Static Key advantages

* Simple Setup
* No X509 PKI (Public Key Infrastructure) to maintain

Static Key disadvantages

* Limited scalability -- one client, one server
* Lack of perfect forward secrecy -- key compromise results in total disclosure of previous sessions
* Secret key must exist in plaintext form on each VPN peer
* Secret key must be exchanged using a pre-existing secure channel

As you can see, it fits very basic needs; if you need something more complex, this is not the right place :)

Configuration on the server side:

Create a file /etc/openvpn/server.opvn:

    dev tun
    ifconfig
    secret /etc/openvpn/static.key
    port 1194
    proto udp
    user nobody
    group nobody
    daemon
    comp-lzo
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    log /var/log/openvpn.log
    verb 1

This configuration makes openvpn run as a daemon, using a tun device, under the user nobody. It logs connections and keeps the connection stable thanks to keepalive (I stay connected for hours).

Configuration on the client side:

Create a file /etc/openvpn/client.opvn or c:\program files\openvpn\.....:

    remote
    dev tun
    port 1194
    proto udp
    comp-lzo
    ifconfig
    secret /etc/openvpn/static.key
    route

The client will connect to the server located at on port 1194. The client IP will be After a successful connection, you should be able to ping
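To make the relationship between the two sides explicit, here is an added shell example (not the post's own commands) that writes both configuration files from a few variables and checks the shared key before it is copied. It covers the key generation step above and the server/client configuration: the ifconfig directive is mirrored (each peer lists its own tun address first), the client gets a route to the LAN behind the server, and the key file is refused unless only its owner can read it, since the static key sits in plaintext on both peers. The addresses, the host name vpn.example.org and the file names server.conf/client.ovpn are constructed placeholders, not the author's values; server.conf assumes the RHEL/CentOS init script picks up /etc/openvpn/*.conf.

```shell
#!/bin/sh
# Added example, not part of the original post. All addresses are
# constructed placeholders (assumptions), not the author's real values.

SERVER_PUBLIC="vpn.example.org"   # assumption: public name of the home server
SERVER_TUN_IP="10.8.0.1"          # assumption: server end of the tun link
CLIENT_TUN_IP="10.8.0.2"          # assumption: client end of the tun link
HOME_LAN="192.168.1.0"            # assumption: LAN behind the server
HOME_MASK="255.255.255.0"

# Server side: "ifconfig <local> <remote>", server address first.
write_server_conf() {
    cat > "$1" <<EOF
dev tun
ifconfig $SERVER_TUN_IP $CLIENT_TUN_IP
secret /etc/openvpn/static.key
port 1194
proto udp
user nobody
group nobody
daemon
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
log /var/log/openvpn.log
verb 1
EOF
}

# Client side: same link with the addresses swapped, plus the server to
# reach and a route so the home LAN goes through the tunnel.
write_client_conf() {
    cat > "$1" <<EOF
remote $SERVER_PUBLIC
dev tun
port 1194
proto udp
comp-lzo
ifconfig $CLIENT_TUN_IP $SERVER_TUN_IP
secret /etc/openvpn/static.key
route $HOME_LAN $HOME_MASK
EOF
}

# The static key is a plaintext secret on each peer: accept only a file
# readable by its owner alone (mode 0600 or 0400). Returns 0 on success.
check_key_perms() {
    mode=$(stat -c %a "$1") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) echo "key $1 has mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# SHA-256 fingerprint so both ends can confirm, over the same secure
# channel used for the transfer, that they hold the identical key.
key_fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# Stand-alone demo with a constructed dummy key (not openvpn --genkey output).
tmp=$(mktemp -d)
printf 'constructed dummy key material\n' > "$tmp/static.key"
chmod 600 "$tmp/static.key"
check_key_perms "$tmp/static.key" && echo "key permissions ok"
echo "fingerprint: $(key_fingerprint "$tmp/static.key")"
write_server_conf "$tmp/server.conf"
write_client_conf "$tmp/client.ovpn"
cat "$tmp/server.conf" "$tmp/client.ovpn"
rm -rf "$tmp"
```

Compare the fingerprint on both peers after copying the key; a mismatch means the key was altered or the wrong file was shipped, and the tunnel will simply fail to authenticate.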

Firewall configuration on the server side:

Open port UDP/1194 in iptables. The OpenVPN packets arrive on the server's public interface (eth0 or similar), not on tun0, which only exists once the tunnel is up, so the rule must not be restricted with -i tun0:

    iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT

Add -i eth0 (or whatever your public interface is) if you want to restrict it, make sure the rule lands before any final REJECT rule in the chain, and save it with service iptables save so it survives a reboot.

Finally, on the server side, type:

    chkconfig openvpn on
    service openvpn start

OpenVPN should start listening on

Verify with the command ifconfig and look for the device tun0:

    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:  P-t-P:  Mask:
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Configure the services on your server to listen on this tun0 interface only, so they are reachable through the tunnel and not from the Internet. If you set up Samba to listen on , you will be able to connect to your shares from your Windows client using .

Based on