Installing the OpenVPN Client Configuration Manually¶
Performing a manual client installation instead of using the OpenVPN Client Export Package requires additional steps to install the software and settings onto the client devices. Installing the client on other operating systems is left up to the reader.
After installing OpenVPN, copy the certificates to the client and create the client configuration file.
Copy certificates¶
Three files from the firewall are needed for each client: the CA certificate, the client certificate, and the client key. A fourth file, the TLS key, is only required if the server was configured for TLS authentication.
Export the CA certificate from System Cert > Manager on the CAs tab, save this as
ca.crt
Export the client certificate and key as described in Local Users, save these as
username.crt
andusername.key
Copy these files to the OpenVPN
config
directory on the clientCopy the TLS key from the server configuration screen If TLS authentication is used on this OpenVPN server. Save this into a new text file called
tls.key
and include it in theconfig
folder as well.
Create Configuration¶
After copying the certificates to the client, the OpenVPN client configuration file must be created. This can be done with any plain text file editor such as Notepad on Windows. The following shows the options most frequently used:
client
dev tun
proto udp
remote vpn.example.com 1194
ping 10
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert username.crt
key username.key
verb 3
comp-lzo
tls-auth tls.key 1
auth-user-pass
- remote
Specifies the host and port of the remote OpenVPN server. An IP address or FQDN can be specified here.
- proto
Specifies the protocol used by the OpenVPN connection. Change this line to
proto tcp
if TCP is used on the OpenVPN server.- ca, cert, key
Must be modified accordingly for each client to reflect the filenames saved previously.
- tls-auth
If TLS authentication is not used, the tls-auth line may be omitted.
- auth-user-pass
If the remote access VPN does not include username and password authentication, omit this line.
See also
For a more complete reference on the OpenVPN directives, refer to the OpenVPN manual for the installed client version.
Distributing configuration and keys to clients¶
The easiest way to distribute the keys and OpenVPN configuration to clients is
via the OpenVPN Client Export package. If that package is not a viable choice,
place the needed files in a ZIP archive or self-extracting archive automatically
extracting to C:\Program Files\OpenVPN\config
. This must be transmitted
securely to the end user, and must never be passed over untrusted networks
unencrypted.