Client unable to ping VPN Server - Need Routing Help

This forum is for all inquiries relating to the installation of OpenVPN from source and with binaries.

Moderators: TinCanTech

Forum rules
Please visit (and READ) the OpenVPN HowTo http://openvpn.net/howto prior to asking any questions in here!
pjoseph
OpenVpn Newbie
Posts: 5
Joined: Sat Apr 27, 2013 5:20 pm

Client unable to ping VPN Server - Need Routing Help

Post by pjoseph » Sat Apr 27, 2013 5:35 pm

Greetings,

I have installed OpenVPN 2.1.0 on Ubuntu Server 10.04 and OpenVPN 2.2.1 on a client running Xubuntu 12.04. While the VPN connects and reports no errors in the log, only the Server can ping and ssh to the Client's VPN ip. The Client can NOT ping the Server's VPN ip.

I am sure the problem is related to proper routing, which I have not been able to fully grasp, even after reading a great number of samples, explanations, tutorials, and forums.

I see some forums describe adding additional routing instructions to the Server.conf or to the client's ccd file, while others use iptables directly. Can you please assist me in the proper routing setup? I want to be able to ping the Server VPN ip from the Client and the Client VPN ip from the Server.

Thanks,

Paul

IPs:

Server public ip:  pu.bl.ic.165 255.255.255.248
Server's network:  pu.bl.ic.160/29

Server VPN ip:  172.16.32.1 255.255.255.255
Server VPN ptp: 172.16.32.2 255.255.255.255
Server VPN network: 172.16.32.0/32

Client lan ip:  192.168.1.152 255.255.255.0
Client network: 192.168.1.0/24

Client VPN ip: 172.16.32.6 255.255.255.255
Client VPN ptp:  172.16.32.5 255.255.255.255
Client VPN network: 172.16.32.4/32

Tests:

Server ping (own) public ip:  Good
Server ping (own) VPN ip:     Good
Server ping (own) ptp:        NO
Server ping Client lan ip:    NO
Server ping Client VPN ip:    Good
Server ping Client ptp:       NO

Client ping Server public ip: Good
Client ping Server VPN ip:    NO   << Want to fix this one
Client ping Server ptp:       NO
Client ping (own) lan ip:     Good
Client ping (own) VPN ip:     Good
Client ping (own) ptp:        NO

Server Config:

port 1194
proto udp
dev tun
ca ca.crt
cert SERVER-NAME.crt
key SERVER-NAME.key  
dh dh1024.pem
server 172.16.32.0 255.255.255.0
ifconfig-pool-persist VPN-NAME.txt
client-to-client
keepalive 10 120
tls-auth ta.key 0 
cipher AES-256-CBC
tls-cipher AES256-SHA
engine aesni
comp-lzo
max-clients 100
user nobody
group nogroup
persist-key
status /var/log/openvpn/VNP-NAME-status.log
log-append  /var/log/openvpn/openvpn.log
verb 3
mute 20

Server ccd for CLIENT-NAME:

ifconfig-push 172.16.32.6 172.16.32.5

Net forwarding on Server:

cat /proc/sys/net/ipv4/ip_forward
1    ENABLED

Client Config:

client
dev tun
proto udp
remote vpn.SERVER-NAME.com 1194
ca ca.crt
cert CLIENT-NAME.crt
key CLIENT-NAME.key
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
tls-auth ta.key 1
cipher AES-256-CBC
tls-cipher AES256-SHA
#engine aesni  -- no longer available
engine rsax
comp-lzo
user nobody
group nogroup
verb 3
mute 20

Net forwarding on Client:

sysctl net | grep ip_forward
net.ipv4.ip_forward = 1    ENABLED

pjoseph
OpenVpn Newbie
Posts: 5
Joined: Sat Apr 27, 2013 5:20 pm

Re: Client unable to ping VPN Server - Need Routing Help

Post by pjoseph » Sat Apr 27, 2013 6:24 pm

I have also tried using topology subnet instead of net30, which changed the VPN network to 172.16.32.0/24. However, the results of the tests are the same as above.

Server Config:

topology subnet
port 1194
proto udp
dev tun
ca ca.crt
cert SERVER-NAME.crt
key SERVER-NAME.key  
dh dh1024.pem
server 172.16.32.0 255.255.255.0
ifconfig-pool-persist VPN-NAME.txt
client-config-dir ccd
client-to-client
keepalive 10 120
tls-auth ta.key 0 
cipher AES-256-CBC
tls-cipher AES256-SHA
engine aesni
comp-lzo
max-clients 100
user nobody
group nogroup
persist-key
status /var/log/openvpn/VNP-NAME-status.log
log-append  /var/log/openvpn/openvpn.log
verb 3
mute 20

Server ccd for CLIENT-NAME:

ifconfig-push 172.16.32.6 255.255.255.0

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Client unable to ping VPN Server - Need Routing Help

Post by janjust » Sat Apr 27, 2013 10:34 pm

'topology net30' does not change anything compared to your first post, it's the default.
In your setup you do not need a 'CCD' file but it should work anyways.

Increase the verbosity on the server to '5'

verb 5

then reconnect the client and from the client ping the server at 172.16.32.1. Post the output of the server log file.

Also, check the firewall on the server to see if inbound pings are allowed

pjoseph
OpenVpn Newbie
Posts: 5
Joined: Sat Apr 27, 2013 5:20 pm

Re: Client unable to ping VPN Server - Need Routing Help

Post by pjoseph » Sat Apr 27, 2013 11:36 pm

Verbosity increased to 5.

Server log:

Sat Apr 27 17:18:46 2013 us=508253 Current Parameter Settings:
Sat Apr 27 17:18:46 2013 us=508367   config = '/etc/openvpn/cdp.conf'
Sat Apr 27 17:18:46 2013 us=508384   mode = 1
Sat Apr 27 17:18:46 2013 us=508399   persist_config = DISABLED
Sat Apr 27 17:18:46 2013 us=508409   persist_mode = 1
Sat Apr 27 17:18:46 2013 us=508418   show_ciphers = DISABLED
Sat Apr 27 17:18:46 2013 us=508427   show_digests = DISABLED
Sat Apr 27 17:18:46 2013 us=508436   show_engines = DISABLED
Sat Apr 27 17:18:46 2013 us=508445   genkey = DISABLED
Sat Apr 27 17:18:46 2013 us=508454   key_pass_file = '[UNDEF]'
Sat Apr 27 17:18:46 2013 us=508463   show_tls_ciphers = DISABLED
Sat Apr 27 17:18:46 2013 us=508472 Connection profiles [default]:
Sat Apr 27 17:18:46 2013 us=508482   proto = udp
Sat Apr 27 17:18:46 2013 us=508491   local = '[UNDEF]'
Sat Apr 27 17:18:46 2013 us=508500   local_port = 1194
Sat Apr 27 17:18:46 2013 us=508509   remote = '[UNDEF]'
Sat Apr 27 17:18:46 2013 us=508518   remote_port = 1194
Sat Apr 27 17:18:46 2013 us=508526   remote_float = DISABLED
Sat Apr 27 17:18:46 2013 us=508538   bind_defined = DISABLED
Sat Apr 27 17:18:46 2013 us=508547   bind_local = ENABLED
Sat Apr 27 17:18:46 2013 us=508563 NOTE: --mute triggered...
Sat Apr 27 17:18:46 2013 us=508593 244 variation(s) on previous 20 message(s) suppressed by --mute
Sat Apr 27 17:18:46 2013 us=508608 OpenVPN 2.1.0 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 20 2010
Sat Apr 27 17:18:46 2013 us=508847 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Apr 27 17:18:46 2013 us=508965 Initializing OpenSSL support for engine 'aesni'
Sat Apr 27 17:18:46 2013 us=511267 Diffie-Hellman initialized with 1024 bit key
Sat Apr 27 17:18:46 2013 us=512000 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Sat Apr 27 17:18:46 2013 us=707634 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Sat Apr 27 17:18:46 2013 us=707790 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Apr 27 17:18:46 2013 us=707819 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Apr 27 17:18:46 2013 us=707859 TLS-Auth MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Sat Apr 27 17:18:46 2013 us=710184 TUN/TAP device tun0 opened
Sat Apr 27 17:18:46 2013 us=710242 TUN/TAP TX queue length set to 100
Sat Apr 27 17:18:46 2013 us=710290 /sbin/ifconfig tun0 172.16.32.1 netmask 255.255.255.0 mtu 1500 broadcast 172.16.32.255
Sat Apr 27 17:18:46 2013 us=719638 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Apr 27 17:18:46 2013 us=725383 GID set to nogroup
Sat Apr 27 17:18:46 2013 us=725517 UID set to nobody
Sat Apr 27 17:18:46 2013 us=725588 Socket Buffers: R=[124928->131072] S=[124928->131072]
Sat Apr 27 17:18:46 2013 us=725624 UDPv4 link local (bound): [undef]
Sat Apr 27 17:18:46 2013 us=725634 UDPv4 link remote: [undef]
Sat Apr 27 17:18:46 2013 us=725653 MULTI: multi_init called, r=256 v=256
Sat Apr 27 17:18:46 2013 us=725812 IFCONFIG POOL: base=172.16.32.2 size=252
Sat Apr 27 17:18:46 2013 us=725877 IFCONFIG POOL LIST
Sat Apr 27 17:18:46 2013 us=725891 paul-crown,172.16.32.2
Sat Apr 27 17:18:46 2013 us=725927 Initialization Sequence Completed

Log after reconnect:

Sat Apr 27 17:19:20 2013 us=578480 MULTI: multi_create_instance called
Sat Apr 27 17:19:20 2013 us=578681 dyn.am.ic.234:58858 Re-using SSL/TLS context
Sat Apr 27 17:19:20 2013 us=578823 dyn.am.ic.234:58858 LZO compression initialized
Sat Apr 27 17:19:20 2013 us=579338 dyn.am.ic.234:58858 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Sat Apr 27 17:19:20 2013 us=579409 dyn.am.ic.234:58858 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Apr 27 17:19:20 2013 us=579518 dyn.am.ic.234:58858 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Sat Apr 27 17:19:20 2013 us=579554 dyn.am.ic.234:58858 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Sat Apr 27 17:19:20 2013 us=579644 dyn.am.ic.234:58858 Local Options hash (VER=V4): '162b04de'
Sat Apr 27 17:19:20 2013 us=579680 dyn.am.ic.234:58858 Expected Remote Options hash (VER=V4): '9e7066d2'
RSat Apr 27 17:19:20 2013 us=579869 dyn.am.ic.234:58858 TLS: Initial packet from [AF_INET]dyn.am.ic.234:58858, sid=450d9cb5 e416a2f5
WRRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRRRRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRSat Apr 27 17:19:21 2013 us=163171 dyn.am.ic.234:58858 VERIFY OK: depth=1, /C=US/ST=CO/L=Denver/O=Company_Name_LLC/CN=Company_Name_LLC_CA/emailAddress=_dns-admin@domain.com
Sat Apr 27 17:19:21 2013 us=163751 dyn.am.ic.234:58858 VERIFY OK: depth=0, /C=US/ST=CO/L=Denver/O=Company_Name_LLC/CN=paul-crown/emailAddress=_dns-admin@domain.com
WRWRWRWWWWRWRWRWRWRWRWRWRWRWRWRRRRWRWRWRSat Apr 27 17:19:21 2013 us=394736 dyn.am.ic.234:58858 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat Apr 27 17:19:21 2013 us=394798 dyn.am.ic.234:58858 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Apr 27 17:19:21 2013 us=394828 dyn.am.ic.234:58858 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat Apr 27 17:19:21 2013 us=394854 dyn.am.ic.234:58858 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
WWWRRRSat Apr 27 17:19:21 2013 us=436424 dyn.am.ic.234:58858 Control Channel: TLSv1, cipher TLSv1/SSLv3 AES256-SHA, 1024 bit RSA
Sat Apr 27 17:19:21 2013 us=436516 dyn.am.ic.234:58858 [paul-crown] Peer Connection Initiated with [AF_INET]dyn.am.ic.234:58858
Sat Apr 27 17:19:21 2013 us=436622 paul-crown/dyn.am.ic.234:58858 OPTIONS IMPORT: reading client specific options from: ccd/paul-crown
Sat Apr 27 17:19:21 2013 us=436889 paul-crown/dyn.am.ic.234:58858 MULTI: Learn: 172.16.32.6 -> paul-crown/dyn.am.ic.234:58858
Sat Apr 27 17:19:21 2013 us=436922 paul-crown/dyn.am.ic.234:58858 MULTI: primary virtual IP for paul-crown/dyn.am.ic.234:58858: 172.16.32.6
RSat Apr 27 17:19:23 2013 us=541471 paul-crown/dyn.am.ic.234:58858 PUSH: Received control message: 'PUSH_REQUEST'
Sat Apr 27 17:19:23 2013 us=541676 paul-crown/dyn.am.ic.234:58858 SENT CONTROL [paul-crown]: 'PUSH_REPLY,route-gateway 172.16.32.1,topology subnet,ping 10,ping-restart 120,ifconfig 172.16.32.6 255.255.255.0' (status=1)

I attempted to ping 172.16.32.1 with no response on the client side. On the server side, the log file continued to grow with the following for as long as I let the client keep pinging.

WRWRRWWRWRRWRWRwRwRwRwRwRwRwRwRwRwRWwRwRwRwRwRwRwRwRwRwRWwRwRwRwRwRwRwRwRwRwRWwRwRwRwRwRwRwRwRwRWwRwRwRwRwRwRwRwRwRwRWwRwRwRwRwRwRwRwRwRw

Pinging the Server's public IP pu.bl.ic.165 works fine, so I know the server does respond to ping requests.

pjoseph
OpenVpn Newbie
Posts: 5
Joined: Sat Apr 27, 2013 5:20 pm

Re: Client unable to ping VPN Server - Need Routing Help

Post by pjoseph » Sun Apr 28, 2013 5:26 pm

I am still hoping for some routing assistance. I am convinced that I am simply missing a routing instruction to tell my client traffic to route back through the vpn tunnel. I am now reading up on ip routing tables, but I confess all of the examples I have run into so far have yet to explain it clearly enough for me to understand what I am missing.

To recap, Server 172.16.32.1 CAN ping Client 172.16.32.6, but this Client can NOT ping Server 172.16.32.1. Server accepts pings as Client 192.168.1.152 CAN ping Server pu.bl.ic.ip.

Current Server Config:

topology subnet
port 1194
proto udp
dev tun

ca ca.crt
cert SERVER-NAME.crt
key SERVER-NAME.key  # This file should be kept secret
dh dh1024.pem

server 172.16.32.0 255.255.255.0
# ----- automatically means the following:
# mode server
# tls-server
# push "topology subnet"
# ifconfig 172.16.32.0 255.255.255.0
# ifconfig-pool 172.16.32.2 172.16.32.254 255.255.255.0
# push "route-gateway 172.16.32.1"

ifconfig-pool-persist cdp.txt
client-config-dir ccd
ccd-exclusive
client-to-client

keepalive 10 120
# ----- automatically means the following:
# ping 10
# ping-restart 240
# push "ping 10"
# push "ping-restart 120"

tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
tls-cipher AES256-SHA
engine aesni          # works in Ubuntu 10.04
#engine rsax          # works in Ubuntu 12.04
comp-lzo
max-clients 25
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/cdp-status.log
log-append  /var/log/openvpn/openvpn.log
verb 5
mute 20

ccd/CLIENT-NAME

ifconfig-push 172.16.32.6 255.255.255.0 gw 172.16.32.1

Server netstat -r

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
pu.bl.ic.160   *               255.255.255.248 U         0 0          0 eth0
172.16.32.0     *               255.255.255.0   U         0 0          0 tun0
default         pu.bl.ic.161   0.0.0.0         UG        0 0          0 eth0

Current Client Config

client
dev tun
proto udp
remote vpn.SERVER-NAME.com 1194

ca ca.crt
cert CLIENT-NAME.crt
key CLIENT-NAME.key

resolv-retry infinite
nobind
persist-key
persist-tun

ns-cert-type server     
#remote-cert-type server  # future method
tls-auth ta.key 1
cipher AES-256-CBC
tls-cipher AES256-SHA
#engine aesni            # works in Ubuntu 10.04
engine rsax              # works in Ubuntu 12.04
comp-lzo
verb 3
mute 20
user nobody
group nogroup

Client netstat -r

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         myrouter.local  0.0.0.0         UG        0 0          0 wlan1
link-local      *               255.255.0.0     U         0 0          0 wlan1
172.16.32.0     *               255.255.255.0   U         0 0          0 tun0
192.168.1.0     *               255.255.255.0   U         0 0          0 wlan1

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Client unable to ping VPN Server - Need Routing Help

Post by janjust » Mon Apr 29, 2013 1:30 pm

To recap, Server 172.16.32.1 CAN ping Client 172.16.32.6, but this Client can NOT ping Server 172.16.32.1.

If the first works but the second does not, then the firewall on the server is blocking access. Check iptables on the server for INPUT traffic.

pjoseph
OpenVpn Newbie
Posts: 5
Joined: Sat Apr 27, 2013 5:20 pm

[SOLVED] via iptables RE: Client unable to ping VPN Server

Post by pjoseph » Mon Apr 29, 2013 5:26 pm

janjust wrote: Check iptables on the server for INPUT traffic

Which brings me to the knowledge base that I still have not mastered. I get the general idea in reading it, but am at a loss as to what to change. I would have guessed the icmp type 0 and type 8 being accepted would indicate that it is open to pinging.

ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 3 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 11 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8

I am confused by the sections in both input and forward dealing with tun+, and why a drop comes before each. Below is what was listed.

from iptables-save, pjoseph wrote:
-A INPUT -j DROP
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
-A FORWARD -i tun+ -j ACCEPT

Thinking that this is not right, I have moved the tun+ input and forward filters each to before DROP. And, success.

Thanks janjust for pointing me in the right direction.

For other newbies:

iptables-save > rules
nano rules   [made changes, CTRL-X, Y, Enter to save]
iptables-restore rules

Final iptables-save > rules

*mangle
:PREROUTING ACCEPT [1128:267303]
:INPUT ACCEPT [1027:253571]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [432:48104]
:POSTROUTING ACCEPT [432:48104]
COMMIT
# Completed on Mon Apr 29 10:53:09 2013
# Generated by iptables-save v1.4.4 on Mon Apr 29 10:53:09 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [33:5038]
:INT_IN - [0:0]
:INT_OUT - [0:0]
:PAROLE - [0:0]
:PUB_IN - [0:0]
:PUB_OUT - [0:0]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh 
-A INPUT -d 127.0.0.0/8 ! -i lo -p tcp -j DROP 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -s 224.0.0.0/4 -j DROP 
-A INPUT -i eth+ -j PUB_IN 
-A INPUT -i ppp+ -j PUB_IN 
-A INPUT -i slip+ -j PUB_IN 
-A INPUT -i venet+ -j PUB_IN 
-A INPUT -i tun+ -j ACCEPT 
-A INPUT -j DROP 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -i tun+ -j ACCEPT 
-A FORWARD -j DROP 
-A OUTPUT -o eth+ -j PUB_OUT 
-A OUTPUT -o ppp+ -j PUB_OUT 
-A OUTPUT -o slip+ -j PUB_OUT 
-A OUTPUT -o venet+ -j PUB_OUT 
-A INT_IN -p icmp -j ACCEPT 
-A INT_IN -j DROP 
-A INT_OUT -p icmp -j ACCEPT 
-A INT_OUT -j ACCEPT 
-A PAROLE -j ACCEPT 
-A PUB_IN -p icmp -m icmp --icmp-type 3 -j ACCEPT 
-A PUB_IN -p icmp -m icmp --icmp-type 0 -j ACCEPT 
-A PUB_IN -p icmp -m icmp --icmp-type 11 -j ACCEPT 
-A PUB_IN -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A PUB_IN -p tcp -m tcp --dport 53 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 2112 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 2285 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 3306 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 10000 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 23101:23105 -j PAROLE 
-A PUB_IN -p udp -m udp --dport 53 -j ACCEPT 
-A PUB_IN -p udp -m udp --dport 2112 -j ACCEPT 
-A PUB_IN -p udp -m udp --dport 123 -j ACCEPT 
-A PUB_IN -p udp -m udp --dport 1194 -j ACCEPT 
-A PUB_IN -p udp -m udp --dport 1195 -j ACCEPT 
-A PUB_IN -p udp -m udp --dport 3306 -j ACCEPT 
-A PUB_IN -p udp -m udp --dport 10000 -j ACCEPT 
-A PUB_IN -p icmp -j DROP 
-A PUB_IN -j DROP 
-A PUB_OUT -j ACCEPT 
-A fail2ban-ssh -j RETURN 
-A fail2ban-ssh -j RETURN 
COMMIT
# Completed on Mon Apr 29 10:53:09 2013
# Generated by iptables-save v1.4.4 on Mon Apr 29 10:53:09 2013
*nat
:PREROUTING ACCEPT [360:35132]
:POSTROUTING ACCEPT [12:760]
:OUTPUT ACCEPT [12:760]
COMMIT
# Completed on Mon Apr 29 10:53:09 2013

I have already listed this above, but since this topic is solved, I wanted to share the final config. I know I would find this helpful when troubleshooting. In my case the server is running Ubuntu 10.04 x86_64 and OpenVPN 2.1.0, while my clients are running Xubuntu 12.04 x86_64 and OpenVPN 2.2.1.

Server VPN-NAME.conf

topology subnet
port 1194
proto udp
dev tun
ca ca.crt
cert SERVER-NAME.crt
key SERVER-NAME.key  # This file should be kept secret
dh dh1024.pem

server 172.16.32.0 255.255.255.0
# ----- automatically means the following:
# mode server
# tls-server
# push "topology subnet"
# ifconfig 172.16.32.0 255.255.255.0
# ifconfig-pool 172.16.32.2 172.16.32.254 255.255.255.0
# push "route-gateway 172.16.32.1"

ifconfig-pool-persist VPN-NAME.txt
client-config-dir ccd
ccd-exclusive
client-to-client

keepalive 10 120
# ----- automatically means the following:
# ping 10
# ping-restart 240
# push "ping 10"
# push "ping-restart 120"

tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
tls-cipher AES256-SHA
engine aesni          # with Ubuntu 10.04
#engine rsax          # with Ubuntu 12.04+
comp-lzo
max-clients 25
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/VPN-NAME-status.log
log-append  /var/log/openvpn/openvpn.log
verb 3
mute 20

Server ccd - I like my clients all on static ips

ccd/CLIENT-NAME

ifconfig-push 172.16.32.6 255.255.255.0 gw 172.16.32.1

Client VPN-NAME.conf

client
# ----- automatically means the following:
# pull
# tls-client

dev tun
proto udp
remote vpn.SERVER-NAME.com 1194
ca ca.crt
cert CLIENT-NAME.crt
key CLIENT-NAME.key
resolv-retry infinite
nobind

ns-cert-type server     
#remote-cert-type server  # future method
tls-auth ta.key 1
cipher AES-256-CBC
tls-cipher AES256-SHA
#engine aesni            # with Ubuntu 10.04
engine rsax              # with Ubuntu 12.04+
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20
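
The root cause in this thread is iptables rule ordering: chains are evaluated top to bottom and the first matching terminating rule wins, so an unconditional `-A INPUT -j DROP` placed before `-A INPUT -i tun+ -j ACCEPT` makes the tun+ rule unreachable. It also explains the asymmetry pjoseph observed: the server's own pings got replies back through the earlier `--state RELATED,ESTABLISHED` ACCEPT, while the client's new echo requests hit the DROP. The following is an added example, not code from the thread or from the OpenVPN project: a small first-match simulator over the relevant `iptables-save` lines, plus a check that flags rules shadowed by an earlier unconditional terminating rule in the same chain. The rule sets and packets are constructed for the example; only the subset of iptables options used in them (`-i`, `-p`, `-m state --state`, `-j`) is parsed.

```python
from __future__ import annotations
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed rule sets, not copied from a live host: "before" reproduces the
# INPUT/FORWARD fragment quoted in the thread (with the state rule that precedes
# it in the full iptables-save); "after" is the reordered version that worked.
BEFORE = """
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
-A FORWARD -i tun+ -j ACCEPT
"""

AFTER = """
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -j DROP
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    chain: str
    target: str
    text: str
    in_iface: Optional[str] = None   # -i value; a trailing '+' is a prefix wildcard
    proto: Optional[str] = None      # -p value
    states: Optional[set] = None     # -m state --state values

    def unconditional(self) -> bool:
        return self.in_iface is None and self.proto is None and self.states is None


def parse_rule(line: str) -> Rule:
    """Parse one '-A CHAIN ... -j TARGET' line (only the option subset used above)."""
    toks = shlex.split(line)
    if toks[0] != "-A":
        raise ValueError(f"expected an -A line: {line!r}")
    chain, target, in_iface, proto, states = toks[1], "", None, None, None
    i = 2
    while i < len(toks):
        opt, arg = toks[i], (toks[i + 1] if i + 1 < len(toks) else None)
        if opt == "-i":
            in_iface = arg
        elif opt == "-p":
            proto = arg
        elif opt == "--state":
            states = set(arg.split(","))
        elif opt == "-j":
            target = arg
        elif opt != "-m":            # '-m state' only names the match extension
            raise ValueError(f"unsupported option {opt!r} in {line!r}")
        i += 2
    return Rule(chain, target, line.strip(), in_iface, proto, states)


def load_rules(text: str) -> list[Rule]:
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip()]


def iface_matches(pattern: str, iface: str) -> bool:
    return iface.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == iface


def rule_matches(rule: Rule, pkt: dict) -> bool:
    if rule.in_iface is not None and not iface_matches(rule.in_iface, pkt["in"]):
        return False
    if rule.proto is not None and rule.proto != pkt["proto"]:
        return False
    if rule.states is not None and pkt["state"] not in rule.states:
        return False
    return True


def verdict(rules: list[Rule], chain: str, pkt: dict, policy: str = "DROP") -> str:
    """First matching rule in the chain wins; otherwise the chain policy (:INPUT DROP here) applies."""
    for rule in rules:
        if rule.chain == chain and rule_matches(rule, pkt):
            return rule.target
    return policy


def shadowed_rules(rules: list[Rule]) -> list[str]:
    """Rules that can never fire because an unconditional terminating rule precedes them in the same chain."""
    closed, dead = set(), []
    for rule in rules:
        if rule.chain in closed:
            dead.append(rule.text)
        elif rule.unconditional() and rule.target in TERMINATING:
            closed.add(rule.chain)
    return dead


# Constructed packets: a client's echo request arriving on tun0 opens a NEW flow;
# the reply to a ping the server itself sent comes back as ESTABLISHED.
CLIENT_PING = {"in": "tun0", "proto": "icmp", "state": "NEW"}
PING_REPLY = {"in": "tun0", "proto": "icmp", "state": "ESTABLISHED"}

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        rules = load_rules(text)
        print(f"{name}: client ping -> {verdict(rules, 'INPUT', CLIENT_PING)}, "
              f"reply to server ping -> {verdict(rules, 'INPUT', PING_REPLY)}")
        for dead in shadowed_rules(rules):
            print(f"  unreachable: {dead}")
```

Run against a real `iptables-save` dump, `shadowed_rules` is the check to add to a ruleset review: any rule it reports is dead configuration, and when it is an ACCEPT for a tunnel interface it is exactly the silent-drop symptom seen in this thread. The parser deliberately rejects options it does not model, so it fails loudly rather than mis-simulating a rule it did not understand.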
