Creating OpenVPN Server and Setting up OpenVPN Clients

I recently setup a remote office that houses my huge Virtual Host machine and wanted private/encrypted access to that network from where ever I am.  Thus I turned to OpenVPN as a solution after a little bit of research (see this BestVPN Article).  This article covers the basics of setting up an OpenVPN server on a Ubuntu server sitting behind a NAT firewall. 

Let’s start on the Ubuntu Server…
Enter root first…

$ sudo su

Setup OpenVPN Server

Starting with a Ubuntu computer you’d like to make the OpenVPN Server… Install OpenVPN and Easy-RSA

$ apt-get install openvpn easy-rsa -y


The first thing to know about OpenVPN is we’ll be setting things up to use certificates.  It is the most secure method and requires you to manually distribute the client certificates and configuration files.  The method you choose determines the security.  Most secure is to hand deliver the certs on an encrypted thumb drive.

Certificate Authority

To setup your own Certificate Authority (CA) and generating certificates and keys for an OpenVPN server and multiple clients first copy the easy-rsa directory to /etc/openvpn.

$ mkdir /etc/openvpn/easy-rsa
$ cp -rf /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
$ vi /etc/openvpn/easy-rsa/vars

And, change the values that matches with your country, state, city, mail id etc.

export KEY_COUNTRY=”CountryCode”
export KEY_PROVINCE=”MyStateOrProvince”
export KEY_CITY=”MyCity”
export KEY_ORG=”Organization Name”
export KEY_EMAIL=””
export KEY_CN=MyVPN
export KEY_OU=MyVPN

Enter the following to generate the master Certificate Authority (CA) certificate and key:

$ cd /etc/openvpn/easy-rsa/
$ cp openssl-1.0.0.cnf openssl.cnf
$ source vars
$ ./clean-all

Run the following command to generate CA certificate and CA key:

$ ./build-ca

Server Certificates

Next, we will generate a certificate and private key for the server:

$ ./build-key-server server

Client Certificates

Each client will need a certificate to authenticate itself to the server. To create the certificate, enter the following in a terminal while being user root:

$ ./build-key client

Generate Diffie Hellman Parameter

This is a unique key used for our VPN Server, Enter the following command to generate DH parameter.

$ ./build-dh
Go to the directory /etc/openvpn/easy-rsa/keys/ and enter the following command to transfer the above files to /etc/openvpn/ directory.

$ cd /etc/openvpn/easy-rsa/keys/
$ cp dh1024.pem ca.crt server.crt server.key /etc/openvpn/

Client Configuration File

We need to copy and edit the client configuration file.
$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/client.ovpn

Edit file client.ovpn,
$ vi /home/client.ovpn

Set the VPN server host name/IP address:

remote [public ip or hostname of your vpn server] 1194

Distributing Client Certificates

You must copy all client certificates and keys to the remote VPN clients in order to authenticate to the VPN server. In our case, we have generated certificates and keys to only one client, so we have to copy the following files to the VPN client.


You have to copy the above files to your VPN clients securely. Copy the keys with caution. If anyone gets ahold of your keys, they can easily intrude and get full access to your virtual private network.

Configuring VPN Server

Copy the file server.conf.gz file to /etc/openvpn/ directory.
$ cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/

Extract the file using the following command:
$ gzip -d /etc/openvpn/server.conf.gz

Edit file server.conf,
$ vi /etc/openvpn/server.conf

Find and uncomment the following lines to route client systems traffic through OpenVPN server.

push “redirect-gateway def1 bypass-dhcp”

Also, Uncomment and change the DNS servers to reflect your own DNS values. Here I am using Google public DNS servers.

push “dhcp-option DNS”
push “dhcp-option DNS”

Uncomment the following lines:

user nobody
group nogroup

Save and close the file.

IP forwarding and routing Configuration

Edit sysctl.conf file,
$ vi /etc/sysctl.conf

Find the following line and set value “1” to enable IP forwarding.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Run the following command to apply the sysctl changes.
$ sysctl -p

Enter the following command to enable IP forwarding:
$ echo 1 > /proc/sys/net/ipv4/ip_forward

Start OpenVPN Server

Finally, start openvpn service and make it to start automatically on every reboot using the following commands:
$ service openvpn start

Verify if VPN interface(tun0) is created using ifconfig command:
$ ifconfig

Network Router Configuration

We need to do two things on your router and how you do them greatly depends on your router.  I’m assuming you have a hardware router hooked up to your DSL, Cable or other type of internet connection and you’re setting up a Ubuntu VPN server on the internal network and want to access other computers on that internal network once your remote clients have authenticated into the VPN tunnel.

1. Your VPN server should have an internal static IP address… We need to tell your router to route all traffic to your VPN server so when your VPN clients connect they can communicate with your internal network.

2. Open external port 1194 tcp and udp and point it at your VPN server’s internal static IP address.


Now we have the files needed to put on your clients, your server is all setup, and your router is configured correctly… it’s time to look at setting up clients.  I created a client certificate for each of my three workstations… each running a different OS:  Mac OS X, Ubuntu 14.04, and Windows 7.  I want to validate and connect into my VPN remote network from all three systems… but configuring their client is slightly different on each.  Below I go into details on setting each one up.

Ubuntu Client

I’ll assume you are using this system as a Ubuntu workstation/laptop and have a graphical interface… thus want to use Network Manager to connect in.  First we’ll need to install two items:
$ sudo apt-get install openvpn network-manager-openvpn

System Settings->Network->+ (hit pluse in bottom left)
Choose VPN interface and hit Create
Select OpenVPN from the type list and hit Create
Specify the Gateway (public ip or domain name of your vpn server)
Point the User Certificate at the client.crt file
Point the CA Certificate at the ca.crt file
Point the Private Key at the client.key file.

Save that and you’re done.  You should now connect into your VPN and run a few ping and other tests. 

Mac Client

My primary laptop is a Mac, so let’s go there next.  Here you’ll need to install a VPN client application called TunnelBlick.

Once you’ve installed the application, you need to dbl-click on your client.ovpn file.  The ovpn file type has been associated with Tunnelblick when it was installed and will open up the file allowing you to add that connection ot your available list.  Once done, simply connect into the VPN and run your tests.

Windows Client

Visit and download the windows OpenVPN client.
Launch the Securepoint SSL VPN client, dbl click the tray icon when it appears, and select New. 
Enter Name of your VPN Connection and hit Next
Enter the Public IP or Domain Name of your VPN server, the port you configured (default is 1194) and I prefer TCP connections due to reliability reasons… then hit Next
Point the User Certificate at the client.crt file
Point the CA Certificate at the ca.crt file
Point the Private Key at the client.key file.
Hit Next
Under Advanced Settings
– check the “Comp-LZO” checkbox
– uncheck the “Auth user/pass” checkbox
– leave all others at their Defaults
hit Next
Lastly hit Finish


All done… let me know if you have any questions below.

Visual Studio: Add Uninstall to Your Application

First let me send a shout out to my reference for this little tidbit of information:  How to add a Uninstall option in Visual Studio Setup project without writing code GoGoToTo created a very nice article on this.  I simply expanded it further to include getting your application “registered” so within BigFix it will show up as one of the registered apps.

First View your File System so we can add the special folder “System”

Uninstall and Register 1

If your application is x86, then we’ll want to add the msiexec.exe from the c:\windows\SysWow64 folder.

Uninstall and Register 2

Uninstall and Register 3

Left click to highlight the msiexec.exe file and in the properties window, adjust as indicated in the following image:

Uninstall and Register 4

Next we’ll need to add a shortcut to the “User’s Program Menu”.  In my example, I’ve created a sub-folder named after my application.  Click that folder and in the right window, right-click and create a shortcut.

Uninstall and Register 5

Navigate to the System Folder and select the msiexe.exe file.

Uninstall and Register 6

Uninstall and Register 7

Before we modify the shortcut’s properties, we’ll need to copy the ProductCode from the Setup Application Properties.

Uninstall and Register 8

Using that ProductCode, modify the shortcut’s properties as follows:

Uninstall 8a

Now we get to register our application… Open the Registry View.

Uninstall and Register 9

Under HKEY_LOCAL_MACHINE add the following sub-keys:

Microsoft\Windows\CurrentVersion\App Paths\[name of your exe]

Remember to specify the last key to “DeleteAtUninstall” = True

Add the following 2 string values with the values as shown.

Uninstall and Register 10


That’s it.  You now have an uninstall link that will be created upon installation of your app.  You will also have your application properly “registered” so BigFix can properly detect it.

New BigFix Deployment

When you first setup your Tivoli Endpoint Manager (BigFix) deployment, you will want to enable a few analyses.  These analyses will collect data that can be very helpful when managing your infrastructure as well as troubleshooting and adding customizations.

First up is to activate the BES Component Versions analysis…  You can find a shortcut to this under BigFix Management->Deployment Overview

New Deployment 1

Simply Activate this analysis…

New Deployment 2

And the data will start pouring in.  This information will then be read by various dashboards within the product which help you manage your deployment.

New Deployment 3

Another analysis to be activated is the BES Health Checks Analysis.  This will help you analyze the health and configuration of your deployment.  It provides basic information on the components that make up your infrastructure.  You can find the shortcut to this under BigFix Management->Deployment Health Checks

New Deployment 4

Activate this as well…

New Deployment 5

and you’ll start to see data from this analysis as well.  Just like the first analysis, this one will pull in data and feed that to dashboards within the product.

New Deployment 6

Further down on the Deployment Health Checks dashboard in the Deployment Optimization section is a Warning about activating the BES Relay Status Analysis.  Click that shortcut to activate that as well…

New Deployment 7

New Deployment 8

Just as the others, the data will be pulled in for use by various dashboards.

New Deployment 9


If you have any questions or comments, please leave them below.