Basic Client-Server configuration with OpenVPN

Created by Yuriy Andamasov, Modified on Wed, 17 Jan at 10:03 AM by Srividya Anantapatnaikuni

Article review date
2024-01-17
Validated for VyOS versions
1.2.5, 1.3.5

Introduction

In addition to site-to-site configuration, OpenVPN also supports a client-server model for VPNs. This mode is more popular than using it in site-to-site mode, and allows for multiple remote client connections to a single centralized server. 

In this mode, you might have multiple configured sites connecting to a single centralized router. For instance, you may have several branch offices, as well as a central headquarter office with your central router. The central router can serve as the OpenVPN server, with the branch office routers acting as OpenVPN clients.

The use of server-client VPNs in OpenVPN requires X.509 certificates to be setup. If you do not have an existing PKI (Public Key Infrastructure), you may set up a simple one using this guide.

Configuration Example 

Network Specifications

In our example configuration, we will be using the following layout and goals for our network:

Routers:

  • Three VyOS routers; one OpenVPN server, and two OpenVPN clients.
  • Server router: central-rtr,  located at the central office.
  • First client router: branch1-rtr, located at the first branch. 
  • Second client router: branch2-rtr, located at the second branch. 

Networks and Addresses:

  • central-rtr has a public IP address of 203.0.113.2.
  • central-rtr has a private physical LAN that needs to be accessible through the client VPNs. The LAN's subnet is 192.168.0.0/24.
  • Both branch routers have dynamic public IP addresses.
  • The address range for the tunnel endpoints for clients will be in 10.23.1.0/24
  • Each client will have a /24-size subnet assigned to it in the 10.23.0.0/16 range.
  • branch1-rtr will have the tunnel endpoint address of 10.23.1.10 and the subnet of 10.23.10.0/24 assigned to it.
  • branch2-rtr will have the endpoint address of 10.23.1.20 and the subnet of 10.23.20.0/24

X.509 Certificate Information:

  • Root CN (Common Name): my-root-ca
  • Server CN: central.
  • Server key name: server.key.  
  • Branch 1 CN: branch1.
  • Branch 1 client key name: branch1.key.  
  • Branch 2  CN: branch2.
  • Branch 2 client key name: branch2.key

All above certs are signed against our root cert. The file locations for the relevant files will be in each of the routers at the path /config/auth/ovpn/  

Configuring the Server

Firstly, we need to configure our central-rtr to act as our OpenVPN server.

In configuration mode, issue the following commands:

set interface openvpn vtun0 mode 'server'
set interface openvpn vtun0 server subnet 10.23.1.0/24
set interface openvpn vtun0 persistent-tunnel
set interface openvpn vtun0 protocol udp
set interface openvpn vtun0 tls ca-cert-file '/config/auth/ovpn/ca.crt'
set interface openvpn vtun0 tls cert-file '/config/auth/ovpn/server.crt'
set interface openvpn vtun0 tls dh-file '/config/auth/ovpn/dh1024.pem'
set interface openvpn vtun0 tls key-file '/config/auth/ovpn/server.key'

We also need to install a push-route to push the route of the server's LAN of 192.168.0.0/24 to the clients:

set interfaces openvpn vtun0 server push-route 192.168.0.0/24

Now we need to set each of the client's configuration options. Client names are identified by the CN field in their certs:

set interface openvpn vtun0 server client branch1 ip 10.23.1.10
set interface openvpn vtun0 server client branch1 subnet 10.23.10.0/24
set interface openvpn vtun0 server client branch2 ip 10.23.1.20
set interface openvpn vtun0 server client branch2 subnet 10.23.20.0/24

Configure the Clients

Now we need to configure the client routers. We'll again assume the proper certificate and key files have been moved to the /config/auth/ovpn/ directory on each client.

Branch 1's Router:

set interfaces openvpn vtun0 mode client
set interfaces openvpn vtun0 remote-host 203.0.113.2
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ovpn/ca.crt
set interfaces openvpn vtun0 tls cert-file /config/auth/ovpn/branch1.crt
set interfaces openvpn vtun0 tls key-file /config/auth/ovpn/branch1.key

We also need to set up a static route to our 10.23.0.0/16 subnet on each router, as OpenVPN does not install this route automatically:

set protocols static interface-route 10.23.0.0/16 next-hop-interface vtun0

Branch 2's Router:

set interfaces openvpn vtun0 mode client
set interfaces openvpn vtun0 remote-host 203.0.113.2
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ovpn/ca.crt
set interfaces openvpn vtun0 tls cert-file /config/auth/ovpn/branch2.crt
set interfaces openvpn vtun0 tls key-file /config/auth/ovpn/branch2.key
set protocols static interface-route 10.23.0.0/16 next-hop-interface vtun0

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article