How to install OpenVPN Server and Client


Contributions by: Heavily based on Howto from Duncan Thomas
Created/Updated: 29-04-2006 (revision history)
Versions Supported: 6.0.x and 7.0 beta5+ (OpenVPN 2.0 Final Release)


OpenVPN provides a complete replacement for the occasionally unreliable PPTP VPN that is part of the standard SME distribution. This Howto focuses on using OpenVPN for a Windows 2k/XP client-to-server VPN connection. The installation consists of two steps: first the portion which resides on the server, and then the client. In the following setup it is assumed that the local IP range for the private network is and that the tunneled VPN network will be




OpenVPN Server Configuration:


First collect and install the RPMs as indicated below. If you are using SME 6.x, make sure to use the 6.x guide; for SME 7.0, use the SME 7.0 guide.

SME 6.x

[root@sme home]# cd /root

[root@sme root]# mkdir openvpn

[root@sme openvpn]# cd openvpn

[root@sme openvpn]# wget

[root@sme openvpn]# wget

[root@sme openvpn]# wget

[root@sme openvpn]# wget

[root@sme openvpn]# rpm -Uvh *.rpm


SME 7.0

[root@sme home]# cd /root

[root@sme root]# mkdir openvpn

[root@sme openvpn]# cd openvpn

[root@sme openvpn]# wget

[root@sme openvpn]# wget

[root@sme openvpn]# wget

[root@sme openvpn]# rpm -Uvh *.rpm

Next, enable the service.

[root@sme home]# /sbin/e-smith/db configuration setprop openvpn status enabled

Now it's time to create the keys. The OpenVPN configs live in /etc/openvpn. First we need to edit the file with default values to match our installation. Open the file "vars" and edit the default values at the bottom of the file to reflect your setup. The paths should be correct.

[root@sme home]# cd /etc/openvpn/easy-rsa
[root@sme easy-rsa]# pico vars

Now we can create the master certificate. Choose the defaults as entered into the vars file. You will need to enter values for the "Organizational Unit Name", which you can set to "VPN", and the "Common Name", which could be set to "Server".

[root@sme easy-rsa]# . vars
[root@sme easy-rsa]# ./clean-all
[root@sme easy-rsa]# ./build-ca
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Generating a 1024 bit RSA private key


Now we can build the certificate/private-key pairs for both the server and clients. Again choose "Organizational Unit Name" and "Common Name" as above. Do not add "A Challenge password" when asked, just press <ENTER>. The same goes for "An optional company name". Sign the certificate at the end.

[root@sme easy-rsa]# ./build-key server
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Generating a 1024 bit RSA private key

Now it's time for the Client certificate, which is pretty much the same as before. Use "Client" as "Common Name" and "VPN" for "Organizational Unit Name". Do not add "A Challenge password" when asked, just press <ENTER>. The same goes for "An optional company name". Sign the certificate at the end.

[root@sme easy-rsa]# ./build-key client
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Generating a 1024 bit RSA private key

Finally we build the Diffie Hellman parameters.

[root@sme easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time

And it can take a long time. Your generated keys will be in /etc/openvpn/easy-rsa/keys. The key names - "Server" and "Client" are simply descriptive. Choose names that suit your setup. You can create as many keys as you like using the above method. ./clean-all will clean out your keys directory - so be careful.


The newly generated keys need to be copied to the OpenVPN directory.

[root@sme easy-rsa]# cp keys/ca.crt ..

[root@sme easy-rsa]# cp keys/server.crt ..

[root@sme easy-rsa]# cp keys/server.key ..

[root@sme easy-rsa]# cp keys/dh1024.pem ..
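
A check worth running once the files are copied, as an added example that is not part of the original Howto: it confirms that private keys are not readable by group or others, that server.crt verifies against ca.crt, and that server.crt belongs to server.key. The function names are hypothetical; the file names are the ones used above.

```shell
#!/bin/sh
# Added example: post-copy checks for the files placed in /etc/openvpn.
# Function names are hypothetical; file names follow this Howto.

# Succeeds only if the file grants no access to group or others.
key_mode_ok() {
    # ls -l prints e.g. "-rw-------"; characters 5-10 are the group/other bits
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Succeeds if certificate ($1) and private key ($2) carry the same RSA modulus.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1") || return 1
    k=$(openssl rsa -noout -modulus -in "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds if the certificate ($2) verifies against the CA certificate ($1).
cert_signed_by_ca() {
    # Match on the "OK" line rather than relying on the exit status alone.
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Runs all checks on one directory; returns 1 if any check fails.
audit_openvpn_dir() {
    dir=$1; rc=0
    for k in "$dir"/*.key; do
        [ -e "$k" ] || continue
        key_mode_ok "$k" || { echo "FAIL: $k readable by group/others"; rc=1; }
    done
    cert_signed_by_ca "$dir/ca.crt" "$dir/server.crt" ||
        { echo "FAIL: server.crt does not verify against ca.crt"; rc=1; }
    cert_matches_key "$dir/server.crt" "$dir/server.key" ||
        { echo "FAIL: server.crt and server.key do not match"; rc=1; }
    return $rc
}

# Run only when a directory is given, e.g.: sh audit.sh /etc/openvpn
if [ "$#" -gt 0 ]; then audit_openvpn_dir "$1"; fi
```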


The OpenVPN configuration file, along with the authentication scripts, can be downloaded from my site. Download them and make them executable for root. Log files will be created in /var/log/openvpn indicating when users have logged in and out, as well as login failures.

[root@sme easy-rsa]# cd ..

[root@sme openvpn]# wget -N

[root@sme openvpn]# mkdir -p /var/log/openvpn

[root@sme openvpn]# wget -N

[root@sme openvpn]# wget -N

[root@sme openvpn]# wget -N

[root@sme openvpn]# wget -N

[root@sme openvpn]# wget -N

[root@sme openvpn]# chmod 755 *.pl

[root@sme openvpn]# chmod 755 *.sh

[root@sme openvpn]# chmod 700 *.up


Now you need to make a few changes to /etc/openvpn/server.conf. You need to change the parameters marked in red to match your network configuration.

port 1194
dev tap


dh dh1024.pem
ca ca.crt
cert server.crt
key server.key

auth-user-pass-verify ./ via-env
client-disconnect ./

up ./openvpn.up

mode server

ifconfig-pool # IP range for OpenVPN clients

tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 10
ping-restart 120

push "ping 10"
push "ping-restart 60"

push "dhcp-option DOMAIN"                # push the DNS domain suffix
push "dhcp-option DNS"                      # push primary DNS entry to the openvpn clients.
push "route"    # add route to protected network

status-version 2
status openvpn-status.log
verb 3
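
Because the listing above must have its site-specific values filled in before the server is started, the following added example (not part of the original Howto) lints a server.conf for directives that still lack their value. lint_server_conf and sample_conf are hypothetical names, and the sample reproduces the value-bearing lines as they appear above.

```shell
#!/bin/sh
# Added example, not part of the original Howto. lint_server_conf and
# sample_conf are hypothetical names.

# Constructed sample: directives from the listing above, before the
# site-specific values have been filled in.
sample_conf() {
    cat <<'EOF'
port 1194
auth-user-pass-verify ./ via-env
client-disconnect ./
up ./openvpn.up
ifconfig-pool # IP range for OpenVPN clients
push "dhcp-option DNS"   # push primary DNS entry
push "route"    # add route to protected network
EOF
}

# Prints one line per directive that still lacks its value; returns 1 if any.
lint_server_conf() {
    awk '
    function bad(msg) { printf "line %d: %s\n", NR, msg; rc = 1 }
    { sub(/[ \t]*#.*/, "") }            # strip comments
    NF == 0 { next }
    $1 == "ifconfig-pool" && NF < 3 { bad("ifconfig-pool needs start and end address") }
    ($1 == "auth-user-pass-verify" || $1 == "client-disconnect" || $1 == "up") &&
        (NF < 2 || $2 ~ /\/$/) { bad($1 " has no script name") }
    $1 == "push" {
        opt = $0
        sub(/^push[ \t]*"/, "", opt); sub(/"[ \t]*$/, "", opt)
        n = split(opt, w, /[ \t]+/)
        if (w[1] == "route" && n < 2) bad("push route has no network")
        if (w[1] == "dhcp-option" && n < 3) bad("push dhcp-option " w[2] " has no value")
    }
    END { exit rc + 0 }
    ' "$1"
}

# Usage: sh lint.sh /etc/openvpn/server.conf
if [ "$#" -gt 0 ]; then lint_server_conf "$1"; fi
```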


Then you need to open port 1194 for UDP traffic as this is the default tunnel for OpenVPN. The port open contrib can be downloaded from my site. Now go into the Server Manager panel and open the port.

[root@sme home]# rpm -Uvh


You now need to add the VPN address range as a local network in the server-manager under the Security section.

Add a local network

Network address
Subnet mask


Router: IP address of the VPN server, the same value as added in server.conf under push "route x.x.x.x"


The last thing you need to do before the installation is complete is to make a small change in the /etc/openvpn/openvpn.up file. Change the value to match the router you used when adding a local network.


route del -net netmask gw
route del -net netmask dev tap0
route add -net netmask gw


When you have changed the file to match your network we start the service.

[root@sme home]# service openvpn start


I have noticed that sending emails through an internal mail server via the VPN connection is extremely slow. This turned out to be due to a reverse DNS timeout/error caused by the SME server. This can be corrected by adding the following red text to the /etc/e-smith/templates/var/service/tinydns/root/data/30nameServers file.

    $OUT .= "# NS Records\n";
    foreach my $domain (get_domains())
    {
        # one NS record per hosted domain
        $OUT .= ".$domain:\:$SystemName." . get_local_domainname(). "\n";
    }

    use esmith::util;
    # Add name server record for local reverse zone
    my $reverse =
        esmith::util::computeLocalNetworkReversed ($LocalIP, $LocalNetmask);
    $reverse =~ s/\.$//;
    $OUT .= ".$reverse\:\:\n";

#VPN addition
    $reverse = esmith::util::computeLocalNetworkReversed ("","");
    $reverse =~ s/\.$//;
    $OUT .= ".$reverse\:\:\n";



Now we need to expand the config template to produce the real configuration files and then restart the affected DNS services to force them to use the new values.

[root@sme ]# /sbin/e-smith/expand-template /var/service/tinydns/root/data

[root@sme ]# cd /var/service/tinydns/root/

[root@sme ]# tinydns-data

[root@sme ]# service dnscache stop

[root@sme ]# service tinydns stop

[root@sme ]# service tinydns start

[root@sme ]# service dnscache start

Check the date/time stamps of both /var/service/tinydns/root/data and /var/service/tinydns/root/data.cdb. They should match or at least be very close.

Your OpenVPN server configuration is now complete !!!


OpenVPN Client Configuration:

The Win2k/XP client installation is quite simple and requires pretty much only the Windows GUI and a configuration file. The Windows GUI can be downloaded from my download area or from its origin. When the GUI has been installed, you need to create a configuration file for your VPN tunnel. Create a file in "C:/Program Files/OpenVPN/config" called VPN.ovpn with the following content and where you change the to match your configuration.


port 1194
dev tap



ca ca.crt
cert client.crt
key client.key

tun-mtu 1500
tun-mtu-extra 32
mssfix 1450

verb 4


You now need to copy the Client keys you generated during the Server installation to the same directory on the Win2k/XP client. The following keys and certificates must be copied to the "C:/Program Files/OpenVPN/config" folder.

The Client installation is now complete and the user will be prompted upon login for the username and password.




See FAQ below if you have any questions before mailing me.



Frequently Asked Questions (FAQ):


Question: I am using Win2k as my client and it doesn't get an IP address properly.
Answer: Try to add the following option in the VPN.ovpn file located in "C:/Program Files/OpenVPN/config".

#option for Windows 2000 clients if they have trouble
#getting an ip address by pull
ip-win32 ipapi

Question: When I send emails through the VPN connection it takes forever to send.
Answer: Make sure that you have added the SME DNS fix mentioned above.


Revision History


Date Changes
April 29, 2006 Updated to OpenVPN 2.0.7 for SME 6.x (haven't found the package for SME7)
October 23, 2005 Updated to OpenVPN 2.0.2 and added support for SME 7.0 beta 5+
April 18, 2005 Updated to OpenVPN 2.0 final release.
January 17, 2005 Added DNS fix to correct very slow emailing through the VPN connection.
December 30, 2004 Updated with RC6 of OpenVPN and RC1 beta 26 for the Windows GUI interface
December 9, 2004 Updated with RC1 of OpenVPN and added perl-DateManip-5.40-15.i386.rpm as a needed component (used in
November 15, 2004 First release