← back

2018-08-26: setting up a minimally simple tunnel with OpenVPN

An essential aspect of networking is the creation of small connections, often only a single port or IP address range and frequently done in a secure manner. These are called tunnels.

For implementing a tunnel between two or more networks for the purpose spanning between them is referred to as a VPN. A popular software tool for this is OpenVPN. As per usual, the man page sums up the functionality elegantly:

openvpn - secure IP tunnel daemon

Since OpenVPN is quite configurable and has a vast array of feature, the focus here will be on a simple example of connecting two hosts. For this example, the addresses of the hosts will be and respectively.

Begin by creating a simple key, for the sake of the example, consider a secret static key to encrypt the tunnel connection.

openvpn --genkey --secret name_of_key

By default this will create a 2048-bit static key. Note that this type of non-TLS key is quite dangerously insecure, but it is useful for running tests on a connection between host addresses before an eventual TLS server is setup.

Go ahead and copy both of the servers using a program such as scp:

scp -i ~/.ssh/id_name /path/to/name_of_key user@

To begin, on the host, the start and end of the tunnel can be specified using the --ifconfig flag. The starting IP address of this host can be itself and the tunnel end can be the other host, For the sake of simpilicity, call the device `tun1` for tunnel 1 and set a high-ish verbosity of level 5.

openvpn --dev tun1 --ifconfig --verb 5 --secret name_of_key

On the host do the same, swapping the start and end tunnel IP addresses, like so:

openvpn --dev tun1 --ifconfig --verb 5 --secret name_of_key

With this complete, the tunnel should be active and accepting connections. Do a quick check using the ip command, and then test it using ping or mtr. Try this out on both hosts; for the host, it would be something like this:

ip a

If the other host responds, then the tunnel was setup correctly. Please note that this should not be used as a permanent solution since it is quite insecure.

If this fails, then consider taking a brief look at iptables or other firewall software and determine if perhaps a rule is blocking the device or IP.

iptables -vL

At this point, various small networking tests (e.g. of a log reader or web app) could be done before setting up a TLS server and signed key with certificate authority.

That more-or-less demostrates how to quickly setup a tunnel between two hosts using OpenVPN. Quite a lot of features could use an article in of themselves, especially with regards to fine-tuning of the config file.

With this in mind, there is a new technology that will eventually be bundled with the Linux kernel, WireGuard.

Note that as of the writing of this article, WireGuard is still considered bleeding-edge and thus may not yet be production ready. In a few years, however, it will likely become mainstream due to its simple configuration and fast speed when compared to older VPN technology.