Here are the steps to configure OpenVPN using Webmin:
1. Create Certification Authority
To create the Certification Authority, go to Server -> OpenVPN + CA, click on Certification Authority List.
In the New Certification Authority form page, fill in the fields with the required informations and click Save.
The system will generate required parameters, ca.key and ca.crt for the Certification Authority.
When finished, the Certificate Authority name will be displayed in the Certification Authority List.
2. Create Key for server
To create the Server key, go to Server -> OpenVPN + CA, click on the Certication Authority List, then click on Keys list.
In the New key to Certification Authority: alambil-ca form page, fill in the required fields, make sure to choose “server” for the Key Server type and don’t put any password in the key password field. Click Save when finished.
The system will generate the server key.
3. Create New VPN server and configure the server
We will use the Certification Authority to create the VPN Server. Go to Servers -> OpenVPN + CA, click on VPN List, then click on the New VPN server.
In the New VPN Server form page, fill in the required fields.
The port use in the VPN server should be allowed access in the firewall.
In the NetIP assign, allocate a network address range that will be used for the TUN interface of the VPN server and for the connecting clients. Make sure that this network range is routable in the LAN.
In the vpn server configuration, we put additional configuration:
route 10.22.1.0 255.255.255.0 route 10.22.2.0 255.255.255.0 route 10.22.3.0 255.255.255.0 push "route 10.180.0.0 255.255.252.0" push "route 10.22.1.0 255.255.255.0" push "route 10.22.2.0 255.255.255.0" push "route 10.22.3.0 255.255.255.0" push "dhcp-option DNS 10.180.3.12" client-to-client
The route entries are added on the server to adjust the server local routing table, telling it to route those networks over the vpn. The push routes are added on the clients connecting, telling them to route those networks over the vpn connection. The push dhcp-option are added on the clients connecting, so that they can use the specified private DNS server. The client-to-client are added so that client can connect to other client over the vpn connection.
4. Create client Key and VPN client account for each client
We need to create client Key and VPN client account for each client that will use VPN connection. To create the client key, go to Servers -> OpenVPN + CA, click on the Certication Authority List, then click on Keys list.
In the New key to Certification Authority: alambil-ca form page, fill in the required fields, make sure to choose “client” for the Key Server type. Click Save when finished.
The system will generate the client key.
To create the OpenVPN client account for the client key, go to Server -> OpenVPN +CA, click on VPN List. In the VPN Server list page, client on Client List of the VPN Server.
Then click on New VPN Client button.
In the New VPN Client form page, fill in the required fields.
In the remote IP field, fill in with the public IP of the VPN server. Make sure that the port is opened in the firewall.
In the ccd file content field for client site-1, we put:
iroute 10.22.1.0 255.255.255.0
The iroute entry is useful for site-to-site VPN. The iroute entry tells the openvpn server that client site-1 is responsible for or the owner of the network 10.22.1.0/24. When creating VPN client for mobile user, there is no need to add the iroute entry.
5. Enable IP forwarding on the server
To enable IP forwarding on the server, in the webmin, go to Networking -> Network Configuration, then click on Routing and Gateways.
Make sure to choose Yes on the Act as router, then in the network configuration page, click Apply Configuration button.
You can also use the shell command to enable ip forwarding:
# echo 1 >> /proc/sys/net/ipv4/ip_forward
To check if the configuration have been applied correctly, use cat to display the value. It should be 1.
# cat /proc/sys/net/ipv4/ip_forward
6. Configure the firewall
In the firewall, we should configure:
- NAT policies to associate public IP and private IP used by the OpenVPN server
- Access rule from the Internet to the public IP of the OpenVPN server on port 1194
- Access rule from DMZ to LAN for VPN client to access resources on the LAN
- Access rule from LAN to DMZ for computers on the LAN that need access to the VPN client
If needed, we can also enable firewall/iptables on the Linux server. If we do it, then we need to put access rule for the VPN client to access resources outside the OpenVPN server and vice versa.
In the next section, we will discuss about the client side of OpenVPN configuration.