Adding Road Warriors to the VPN

This post is the second part of setting up an OpenVPN server (the first part is here). In my previous post I initially intended to put all road warriors in a subnet of their own, separate from the server's subnet, but that proved infeasible. Instead, each individual device that is not behind a network of its own (such as the home network described there) is assigned an IP from the OpenVPN server in the 192.168.201.0/24 subnet and can reach both the server and any other subnet in the VPN.

A consequence of this is that such devices cannot be on their own subnet. Whilst that is not a problem for me, you may need to set up additional routing like that shown for the home network in the previous post.

Build a Certificate for each Road Warrior

Do the same as for the Home certificate, but replace Home with RW-NameOfTheDevice. Note that in the server configuration you do not have to configure additional routing (or add a client-specific configuration in the ccd folder); you only need to build the certificates.

You will have to create a separate certificate for each device you want to be able to connect to the network. By default OpenVPN allows only one active session per certificate common name (a second client connecting with the same certificate displaces the first unless the server sets duplicate-cn), and a per-device certificate also lets you revoke a single lost or stolen device without reissuing the others.

Adding a Windows Road Warrior

Install OpenVPN on the machine you want.

Rename the OpenVPN (TAP-Windows) network adapter to VPN; this is the adapter name that dev-node refers to in the configuration below.

Create a directory somewhere (let's assume C:\VPN). Inside it create a file named VPN.ovpn with the following contents, changing the placeholder values (port, paths, device name, server address) as applicable. Use plain ASCII double quotes, and double the backslashes inside quoted Windows paths as shown, since OpenVPN interprets backslash escapes in quoted strings. If your server certificate was built with easy-rsa's build-key-server script, consider also adding remote-cert-tls server so the client refuses a peer that presents a mere client certificate.

client
port 12345
proto udp
dev tun
dev-node VPN
ca "C:\\VPN\\ca.crt"
cert "C:\\VPN\\RW-YOURDEVICENAME.crt"
key "C:\\VPN\\RW-YOURDEVICENAME.key"
# The key direction after ta.key must be 1 on every client (the server uses 0)
tls-auth "C:\\VPN\\ta.key" 1
keepalive 10 120
persist-tun
persist-key
cipher AES-256-GCM
nobind
remote YOURSERVERIP
dhcp-renew
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
auth SHA512

tls-version-min 1.2

# log-append keeps earlier sessions in the file; use log instead if you want it truncated at each start (do not set both)
log-append "C:\\VPN\\log\\openvpn.log"
status "C:\\VPN\\log\\openvpn-status.log"
verb 4

Open the OpenVPN GUI and point its configuration-files folder at C:\VPN and its log-files folder at C:\VPN\log.

Right-click the OpenVPN icon in the notification area and press Connect. If all goes well, you should be able to ping the remote server (192.168.201.1) as well as any machine on the home network (e.g. 192.168.200.1 for the router), and the server and home networks must be able to ping this machine from their end.

Adding an Android Road Warrior

The configuration is similar, but there is one difference in how the credentials are supplied. We can either embed the CA certificate, device certificate and device key inline in the configuration file, or import a PKCS#12 archive containing all three into the Android KeyChain. A PKCS#12 archive carries only certificates and private keys, so the static ta.key cannot go in it; it has to be embedded in the configuration either way. We will go with the PKCS#12 option here.
Note that the ta.key for TLS authentication must be embedded in the configuration, with key-direction 1 set outside the block.
The configuration file for the device follows.

client
port 12345
proto udp
dev tun
# dev-node and dhcp-renew from the Windows profile are Windows-only options and are left out here
keepalive 10 120
persist-tun
persist-key
cipher AES-256-GCM
nobind
remote YOURSERVERIP
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
auth SHA512

tls-version-min 1.2
# Make sure that this is set to 1 (the client side of the tls-auth key; the server uses 0)
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
Paste the hex lines of ta.key in here (the header and footer shown here are part of the file)
-----END OpenVPN Static key V1-----
</tls-auth>

verb 3

The next step is to create a PKCS#12 file. On the machine where you built the certificates, open a command prompt in the easy-rsa\keys directory of your OpenVPN installation (usually C:\Program Files\OpenVPN\easy-rsa\keys) and type the following, where DEVICENAME is the RW-NameOfTheDevice you used when building the certificate:
..\..\bin\openssl.exe pkcs12 -export -in DEVICENAME.crt -inkey DEVICENAME.key -certfile ca.crt -name DEVICENAME -out DEVICENAME.p12

You will be asked for an export password; provide something you can remember. It only protects the private key while the file is in transit, so once the archive has been imported into the phone delete the .p12 copies from both the PC and the phone.
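The PKCS#12 step above, as an added example (not code from the original post): a POSIX shell script that builds the per-device archive and, before it goes anywhere near the phone, checks that it holds exactly one private key, the device certificate plus the CA certificate, and a device certificate with the subject you intended. So that it runs offline it first creates a throwaway self-signed CA and device certificate with openssl as a stand-in for easy-rsa; the directory layout, the device name RW-phone and the password are assumptions, and in real use you would point make_p12 at easy-rsa's keys directory.

```shell
#!/bin/sh
# Added example, not from the original post: build the per-device PKCS#12
# bundle for the Android client and check its contents before copying it to
# the phone. Paths, names and the password used here are assumptions; in
# real use point make_p12 at easy-rsa's keys directory (DEVICENAME.crt,
# DEVICENAME.key and ca.crt).

# Constructed stand-in for the easy-rsa output so the script runs offline:
# a throwaway self-signed CA and one device certificate signed by it.
make_demo_pki() {           # $1 = work dir, $2 = device name (e.g. RW-phone)
    dir=$1; name=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Demo-CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null || return 1
    openssl x509 -req -days 365 -in "$dir/$name.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/$name.crt" 2>/dev/null
}

# The step from the post: one PKCS#12 per device containing the device
# certificate, its private key and the CA certificate. The friendly name
# (-name) is what the Android KeyChain shows when you pick the certificate.
make_p12() {                # $1 = dir, $2 = device name, $3 = export password
    dir=$1; name=$2; pw=$3
    openssl pkcs12 -export -in "$dir/$name.crt" -inkey "$dir/$name.key" \
        -certfile "$dir/ca.crt" -name "$name" -out "$dir/$name.p12" \
        -passout "pass:$pw"
}

# Checks worth doing before the file leaves the PC: the bundle must hold
# exactly one private key and two certificates (device + CA), and the
# device certificate's subject must be the device you intended.
p12_cert_count() {          # $1 = p12 file, $2 = password -> prints a number
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}
p12_key_count() {           # $1 = p12 file, $2 = password -> prints a number
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -c 'BEGIN .*PRIVATE KEY'
}
p12_client_subject() {      # $1 = p12 file, $2 = password -> prints subject
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

# Demo run: build everything in a temp dir, report the checks, clean up.
demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" RW-phone || return 1
    make_p12 "$d" RW-phone 'change-me-export-pw' || return 1
    echo "certs:   $(p12_cert_count "$d/RW-phone.p12" change-me-export-pw)"
    echo "keys:    $(p12_key_count "$d/RW-phone.p12" change-me-export-pw)"
    echo "subject: $(p12_client_subject "$d/RW-phone.p12" change-me-export-pw)"
    rm -rf "$d"
}

# Usage: sh make_p12.sh demo
if [ "${1:-}" = "demo" ]; then demo; fi
```

The checks matter because a PKCS#12 built with the wrong -inkey or without -certfile imports without complaint and only fails later, when the server rejects the TLS handshake. If an older Android release refuses to import an archive produced by OpenSSL 3, its newer default PBES2/AES encryption is the usual cause; re-exporting with OpenSSL 3's -legacy option falls back to the older algorithms that such importers expect.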

Install the OpenVPN application from the Android Market and run it. In the application, choose the third option (OVPN Profile), open the PKCS#12 tab and import the .p12 file you created. You will be asked for the export password from the previous step and then where to import it; make sure the choice is VPN, rather than Wi-Fi.

Next, open the OVPN tab and select the .ovpn file.

Try to connect and you will be asked to select a certificate from the Android KeyChain. Press Select Certificate and then choose the certificate you imported in the previous step.

Now connect and use a terminal emulator such as Termux to ping the server (192.168.201.1). If all went well, the ping should succeed.

What about iOS?

Unfortunately, I don't own an iOS device and as such I cannot offer any real help; however, I would expect that the approach is similar to an Android device.
