Installing the OpenVPN Client Configuration Manually
Performing a manual client installation instead of using the OpenVPN Client Export Package requires additional steps to install the software and settings onto the client devices. Installing the client on other operating systems is left up to the reader.
After installing OpenVPN, copy the certificates to the client and create the client configuration file.
Three files from the firewall are needed for each client: the CA certificate, the client certificate, and the client key. The configuration may require a fourth file, the TLS key, if the server is configured for TLS authentication.
- Export the CA certificate from System > Cert Manager on the CAs tab, save this as
- Export the client certificate and key as described in Local Database, save these as
- Copy these files to the OpenVPN config directory on the client
- Copy the TLS key from the server configuration screen if TLS authentication is used on this OpenVPN server. Save this into a new text file called tls.key and include it in the config folder as well.
After copying the certificates to the client, the OpenVPN client configuration file must be created. This can be done with any plain text file editor such as Notepad on Windows. The following shows the options most frequently used:
    client
    dev tun
    proto udp
    remote vpn.example.com 1194
    ping 10
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert username.crt
    key username.key
    verb 3
    comp-lzo
    tls-auth tls.key 1
    auth-user-pass
- remote
The host and port of the remote OpenVPN server. Can be an IP address or FQDN.
- proto
The protocol used by the OpenVPN connection. Change this line to proto tcp if the OpenVPN server uses TCP.
- ca, cert, key
Must be modified accordingly for each client to reflect the filenames saved previously.
- tls-auth
If TLS authentication is not used, the tls-auth line may be omitted.
- auth-user-pass
If the remote access VPN does not include username and password authentication, omit this line.
For a more complete reference on the OpenVPN directives, refer to the OpenVPN manual.
Distributing configuration and keys to clients
The easiest way to distribute the keys and OpenVPN configuration to clients is
via the OpenVPN Client Export Package. If that package is not a viable
choice, place the needed files in a ZIP archive or self-extracting archive
automatically extracting to
C:\Program Files\OpenVPN\config or the
appropriate path for the client in question.
Transmit this configuration securely to the end user. Never allow it to pass over untrusted networks unencrypted.
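Before the files are packed into an archive, the bundle can be checked so that every ca, cert, key and tls-auth line in the client configuration points at a file that exists in the config directory and is of the right kind. The Python code below is an added example, not part of the original documentation; the config file name client.ovpn, the function names and the placeholder file bodies are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

# File-bearing directives from the client config shown above, each mapped to
# a marker that the referenced file is expected to contain.
MARKERS = {
    "ca": "-----BEGIN CERTIFICATE-----",
    "cert": "-----BEGIN CERTIFICATE-----",
    "key": "PRIVATE KEY-----",
    "tls-auth": "-----BEGIN OpenVPN Static key V1-----",
}

def check_bundle(config_dir, config_name="client.ovpn"):
    """Return a list of problems in a manually assembled client bundle."""
    config_dir = Path(config_dir)
    problems, seen = [], set()
    for line in (config_dir / config_name).read_text().splitlines():
        parts = line.split()
        if not parts or parts[0][0] in "#;" or parts[0] not in MARKERS:
            continue  # blank line, comment, or a directive that names no file
        directive, args = parts[0], parts[1:]
        seen.add(directive)
        target = config_dir / args[0] if args else None
        if target is None or not target.is_file():
            problems.append(f"{directive}: referenced file is missing")
        elif MARKERS[directive] not in target.read_text(errors="replace"):
            problems.append(f"{directive}: {args[0]} is not the expected file type")
    problems += [f"{d}: directive missing" for d in ("ca", "cert", "key") if d not in seen]
    return problems

def demo(include_tls_key=True, swap_cert_and_key=False):
    """Build a constructed bundle (placeholder file bodies) and check it."""
    config = "client\ndev tun\nca ca.crt\ncert username.crt\nkey username.key\ntls-auth tls.key 1\n"
    cert = "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n"
    key = "-----BEGIN PRIVATE KEY-----\n(placeholder)\n-----END PRIVATE KEY-----\n"
    files = {"client.ovpn": config, "ca.crt": cert,
             "username.crt": key if swap_cert_and_key else cert,
             "username.key": cert if swap_cert_and_key else key}
    if include_tls_key:
        files["tls.key"] = "-----BEGIN OpenVPN Static key V1-----\n(placeholder)\n"
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in files.items():
            (Path(tmp) / name).write_text(body)
        return check_bundle(tmp)

if __name__ == "__main__":
    print(demo(include_tls_key=False))
```

The check only looks at file presence and PEM headers; it does not verify that the client certificate matches the key or chains to the CA.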