OpenVPN uses Public Key Infrastructure (PKI) to encrypt VPN traffic between nodes. A simple way of setting up a VPN with OpenVPN is to connect the clients through a bridge interface on the VPN server. This guide will assume that one VPN node, the server in this case, has a bridge interface configured. For more information on setting up a bridge see the section called “Bridging”.


To install openvpn in a terminal enter:

sudo apt-get install openvpn

Server Certificates

Now that the openvpn package is installed, the certificates for the VPN server need to be created.

First, copy the easy-rsa directory to /etc/openvpn. This ensures that any changes to the scripts are not lost when the package is updated. You will also need to adjust permissions on the easy-rsa directory so that the current user can create files there. From a terminal enter:

sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
sudo chown -R $USER /etc/openvpn/easy-rsa/

Next, edit /etc/openvpn/easy-rsa/vars adjusting the following to your environment:

export KEY_CITY="Winston-Salem"
export KEY_ORG="Example Company"
export KEY_EMAIL=""

Enter the following to create the server certificates. The clean-all script initialises an empty keys directory (it deletes any keys already in it), and build-dh generates the Diffie-Hellman parameters, dh1024.pem, that the final copy expects:

cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/

Client Certificates

The VPN client will also need a certificate to authenticate itself to the server. To create the certificate, enter the following in a terminal:

cd /etc/openvpn/easy-rsa/
source vars
./pkitool hostname

Replace hostname with the actual hostname of the machine connecting to the VPN.

Copy the following files to the client:

  • /etc/openvpn/ca.crt

  • /etc/openvpn/easy-rsa/keys/hostname.crt

  • /etc/openvpn/easy-rsa/keys/hostname.key

  • /etc/openvpn/ta.key


Remember to adjust the above file names for your client machine's hostname.

It is best to use a secure method to copy the certificate and key files. The scp utility is a good choice, but copying the files to removable media and then to the client also works well.


Server Configuration

Now configure the openvpn server by creating /etc/openvpn/server.conf from the example file. In a terminal enter:

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz

Edit /etc/openvpn/server.conf changing the following options to:

dev tap0
up "/etc/openvpn/ br0"
down "/etc/openvpn/ br0"
push "route"
push "dhcp-option DNS"
push "dhcp-option DOMAIN"
tls-auth ta.key 0 # This file is secret
user nobody
group nogroup

  • local: the IP address of the bridge interface, which the server listens on.

  • server-bridge: needed when the configuration uses bridging. The first address and mask are those of the bridge interface; the IP range that follows is the pool of addresses assigned to clients.

  • push: directives that send networking options (route, DNS server, domain) to clients.

  • tls-auth: adds an HMAC check to the TLS control channel. The key direction is 0 on the server and 1 on the client, and ta.key must be kept secret.

  • user and group: configure the unprivileged user and group the openvpn daemon runs as after start-up.


Replace all IP addresses and domain names above with those of your network.

Next, create a couple of helper scripts to add the tap interface to the bridge. OpenVPN runs the up and down scripts with the bridge name given in server.conf as the first argument, followed by the tap device name and the tunnel MTU. Create /etc/openvpn/

#!/bin/sh
# Arguments: bridge name (from the up directive), tap device, tunnel MTU
BR=$1
DEV=$2
MTU=$3

/sbin/ifconfig $DEV mtu $MTU promisc up
/usr/sbin/brctl addif $BR $DEV

And /etc/openvpn/

#!/bin/sh
# Arguments: bridge name (from the down directive), tap device
BR=$1
DEV=$2

/usr/sbin/brctl delif $BR $DEV
/sbin/ifconfig $DEV down

Then make them executable:

sudo chmod 755 /etc/openvpn/
sudo chmod 755 /etc/openvpn/

After configuring the server, restart openvpn by entering:

sudo /etc/init.d/openvpn restart

Client Configuration

First, install openvpn on the client:

sudo apt-get install openvpn

Then with the server configured and the client certificates copied to the /etc/openvpn/ directory, create a client configuration file by copying the example. In a terminal on the client machine enter:

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn

Now edit /etc/openvpn/client.conf changing the following options:

dev tap
remote 1194
cert hostname.crt
key hostname.key
tls-auth ta.key 1

Replace the remote host with the hostname of your VPN server, and hostname.* with the actual certificate and key filenames.
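As an added check that is not part of this guide, the following POSIX shell script lints an OpenVPN server.conf or client.conf for the hardening directives set above: tls-auth with the right key direction (0 on the server, 1 on the client), the user and group privilege drop, and a server-bridge line alongside dev tap. It needs only sed and awk; the sample configuration files it writes are constructed for the demonstration, using TEST-NET addresses and a .invalid hostname.

```shell
#!/bin/sh
# Added example, not part of the Ubuntu guide: lint an OpenVPN server.conf or
# client.conf for the hardening directives the guide sets. Needs only sed and awk.
# directive_value FILE NAME: print NAME's arguments with comments stripped.
directive_value() {
    sed -e 's/#.*$//' "$1" | awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }'
}
# check_openvpn_conf FILE ROLE (ROLE is "server" or "client").
# Prints one line per finding; the return value is the number of findings.
check_openvpn_conf() {
    conf=$1; role=$2; findings=0
    # tls-auth adds an HMAC to the TLS control channel; the key direction must be
    # 0 on the server and 1 on the client, as in the two configuration files above.
    want=0; if [ "$role" = client ]; then want=1; fi
    case "$(directive_value "$conf" tls-auth)" in
        '') echo "$conf: tls-auth missing"; findings=$((findings + 1)) ;;
        *" $want") ;;
        *) echo "$conf: tls-auth direction should be $want for the $role"; findings=$((findings + 1)) ;;
    esac
    if [ "$role" = server ]; then
        # The daemon should drop root after start-up (user nobody / group nogroup).
        for name in user group; do
            [ -n "$(directive_value "$conf" "$name")" ] \
                || { echo "$conf: no '$name' directive"; findings=$((findings + 1)); }
        done
        # In a bridged setup a tap device needs a matching server-bridge line.
        case "$(directive_value "$conf" dev)" in
            tap*) [ -n "$(directive_value "$conf" server-bridge)" ] \
                || { echo "$conf: dev tap without server-bridge"; findings=$((findings + 1)); } ;;
        esac
    fi
    return $findings
}

# write_samples: write constructed sample configs to a temp dir and print its path.
# Addresses are from the TEST-NET range and the hostname is .invalid: demo values only.
write_samples() {
    dir=$(mktemp -d)
    printf '%s\n' 'dev tap0' 'server-bridge 192.0.2.1 255.255.255.0 192.0.2.100 192.0.2.200' \
        'tls-auth ta.key 0 # This file is secret' 'user nobody' 'group nogroup' >"$dir/server.conf"
    printf '%s\n' 'dev tap' 'remote vpn.example.invalid 1194' 'cert hostname.crt' \
        'key hostname.key' 'tls-auth ta.key 1' >"$dir/client.conf"
    printf '%s\n' 'dev tap0' 'tls-auth ta.key 1' >"$dir/weak.conf"   # wrong direction, no user/group/bridge
    echo "$dir"
}
d=$(write_samples)
check_openvpn_conf "$d/server.conf" server && echo "server.conf: ok"
check_openvpn_conf "$d/client.conf" client && echo "client.conf: ok"
check_openvpn_conf "$d/weak.conf" server || echo "weak.conf: $? finding(s)"
```

Run `check_openvpn_conf /etc/openvpn/server.conf server` on the server and `check_openvpn_conf /etc/openvpn/client.conf client` on the client before restarting the daemon.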

Finally, restart openvpn:

sudo /etc/init.d/openvpn restart

You should now be able to connect to the remote LAN through the VPN.