ActiVPN uses OpenVPN on UDP port 1194 with a Public Key Infrastructure (PKI) for client authentication: every client presents an X.509 certificate issued by the deployment's own CA, and the server does the same, rather than relying on a password alone. The following configuration examples provide a minimal, functional setup as a baseline for further customization. This configuration covers a single server instance of ActiVPN; certificate generation and management are assumed to be handled separately with tools such as EasyRSA or OpenSSL.
Server Configuration (server.conf):
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # keep this file secret (mode 0600, owned by root, never copied to clients)
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
# comp-lzo is deprecated: compression across the tunnel enables VORACLE-style
# plaintext recovery. Omit it (on both sides) on OpenVPN 2.4 or later.
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
Client Configuration (client.ovpn):
client
dev tun
proto udp
remote your_server_ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
# comp-lzo: deprecated and weakens confidentiality (VORACLE); must match the server setting
comp-lzo
verb 3
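As an added example (not the page's or ActiVPN's own configuration), the following script prints a hardened variant of the two files above and lints a config file for the weak settings a reviewer would flag. It assumes OpenVPN 2.5 or later, a shared control-channel key generated with openvpn --genkey secret ta.key and distributed to every client, a CRL exported from EasyRSA as crl.pem, and a Debian-style nogroup group; the file names are placeholders. Compared with the baseline it adds tls-crypt (unauthenticated packets are dropped before any TLS processing), tls-version-min, AEAD-only data ciphers, remote-cert-tls server on the client, crl-verify and privilege dropping, and it leaves out comp-lzo.

```shell
#!/usr/bin/env bash
# Added example, not the page's own config: a hardened variant of server.conf and
# client.ovpn plus a small lint that flags the weak settings of the baseline.
# Assumptions: OpenVPN 2.5+, a tls-crypt key made with "openvpn --genkey secret ta.key"
# (copied to every client), a CRL exported by EasyRSA as crl.pem, and a Debian-style
# "nogroup" group (RHEL-style systems use "nobody").
set -eu

hardened_server_conf() {
  cat <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# Revocation: without crl-verify a leaked client key stays valid until it expires.
crl-verify crl.pem
# tls-crypt authenticates and encrypts the control channel; packets without the
# shared key are dropped before any TLS work, so the PKI is invisible to scanners.
tls-crypt ta.key
tls-version-min 1.2
# AEAD data-channel ciphers only, and no LZO/LZ4 compression (VORACLE-style attacks).
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-GCM
auth SHA256
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
# Drop root after the port is bound and the key material has been read.
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF
}

hardened_client_conf() {
  cat <<'EOF'
client
dev tun
proto udp
remote your_server_ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
tls-crypt ta.key
# Refuse any peer whose certificate lacks the server EKU; without this, any other
# client certificate from the same CA could impersonate the server.
remote-cert-tls server
tls-version-min 1.2
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
auth SHA256
verb 3
EOF
}

# Print findings and return 1 if config file $1 still carries a weak setting.
lint_conf() {
  local rc=0
  grep -qE '^(comp-lzo|compress)' "$1" && { echo "FAIL: compression enabled"; rc=1; }
  grep -qE '^(tls-crypt|tls-auth) ' "$1" || { echo "FAIL: no control-channel key (tls-crypt/tls-auth)"; rc=1; }
  grep -q '^tls-version-min ' "$1" || { echo "FAIL: no tls-version-min"; rc=1; }
  if grep -q '^client$' "$1"; then
    grep -q '^remote-cert-tls server' "$1" || { echo "FAIL: client lacks remote-cert-tls server"; rc=1; }
  fi
  return $rc
}

case "${1:-check}" in
  server) hardened_server_conf ;;
  client) hardened_client_conf ;;
  *)
    for kind in server client; do
      tmp=$(mktemp); "hardened_${kind}_conf" >"$tmp"
      lint_conf "$tmp" && echo "$kind config: OK"
      rm -f "$tmp"
    done ;;
esac
```

Run it with server or client to print a file, or with no argument to lint both generated files. Pointed at the page's own client.ovpn, lint_conf reports the missing control-channel key, the missing remote-cert-tls server line and the comp-lzo directive.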
After establishing the ActiVPN connection on port 1194, the server must route and translate the clients' traffic. The push "redirect-gateway def1 bypass-dhcp" directive in the server configuration installs a default route over the tunnel on the client, so all of its traffic arrives at the ActiVPN server; the server then has to forward it. Ensure IP forwarding is enabled on the server:
sysctl -w net.ipv4.ip_forward=1
To make this change permanent, edit /etc/sysctl.conf (or add a file under /etc/sysctl.d/) and uncomment or add the line: net.ipv4.ip_forward=1.
Configure your firewall to accept UDP 1194 on the internet-facing interface, to allow forwarding from the ActiVPN subnet (10.8.0.0/24) to that interface, and to source-NAT (masquerade) the 10.8.0.0/24 addresses behind the server's public address; without the NAT rule, replies from the internet have no route back to 10.8.0.x. DNS is handled by pushing Google's public DNS servers (8.8.8.8 and 8.8.4.4) to the client. Adjust these values as needed; for Windows clients, also push "block-outside-dns" so queries cannot leak to the client's local resolver.
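The forwarding and NAT setup described above, as an added example that is not part of the original page: a script that prints (and, with --apply as root, executes) the iptables rules for the 10.8.0.0/24 pool and persists ip_forward. It assumes the tunnel interface is tun0 (the first dev tun instance), the internet-facing interface is eth0 and an iptables-based firewall; VPN_IF and WAN_IF are environment overrides for your host (ip route show default reveals the latter).

```shell
#!/usr/bin/env bash
# Added example, not part of the original page: forwarding + NAT rules for the
# ActiVPN/OpenVPN subnet. Assumptions: the tunnel interface is tun0 (first "dev tun"
# instance), the internet-facing interface is eth0, and iptables is in use.
set -eu

VPN_SUBNET="${VPN_SUBNET:-10.8.0.0/24}"
VPN_IF="${VPN_IF:-tun0}"
WAN_IF="${WAN_IF:-eth0}"     # assumed name; check with: ip route show default
VPN_PORT="${VPN_PORT:-1194}"

# Print the commands; nothing is executed here, so the rules can be reviewed first.
vpn_rules() {
  local subnet="$1" vpn_if="$2" wan_if="$3" port="$4"
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A INPUT -i $wan_if -p udp --dport $port -j ACCEPT
iptables -A FORWARD -i $vpn_if -o $wan_if -s $subnet -j ACCEPT
iptables -A FORWARD -i $wan_if -o $vpn_if -d $subnet -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $subnet -o $wan_if -j MASQUERADE
EOF
}

# Persist ip_forward across reboots (same effect as editing /etc/sysctl.conf).
persist_ip_forward() {
  printf 'net.ipv4.ip_forward=1\n' >/etc/sysctl.d/99-activpn-forward.conf
  sysctl --system >/dev/null
}

case "${1:-}" in
  --apply)
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    vpn_rules "$VPN_SUBNET" "$VPN_IF" "$WAN_IF" "$VPN_PORT" | sh -e
    persist_ip_forward
    ;;
  *) vpn_rules "$VPN_SUBNET" "$VPN_IF" "$WAN_IF" "$VPN_PORT" ;;
esac
```

Run it without arguments to review the rules before applying them. The conntrack rule admits only return traffic, so hosts beyond the WAN interface cannot open connections to VPN clients; the MASQUERADE rule is what makes the whatismyip check below show the server's public address.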
Start the ActiVPN server.
Connect with the client configuration.
Verify the client receives an IP address within the 10.8.0.0/24 range.
Check internet connectivity through the ActiVPN server. Use a website like whatismyip.com to confirm your IP address matches the server's public IP.
Test DNS resolution by pinging a domain name (e.g., ping google.com).
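To verify the address check from the server side, here is an added example that is not from the original page: a script that parses the openvpn-status.log written by the status directive (status-version 1, the default layout) and reports whether each connected client's virtual address lies inside the 10.8.0.0/24 pool. The embedded sample log is constructed for a stand-alone run; pass the real file path as the first argument to check a live server.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page: a server-side check that every
# connected client holds an address from the 10.8.0.0/24 pool, read from the
# openvpn-status.log produced by the "status" directive (status-version 1 layout).
# The sample log below is constructed for a stand-alone run, not a real capture.
set -eu

# Dotted quad -> 32-bit integer.
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 if address $1 lies inside CIDR $2, else 1.
in_subnet() {
  local n m bits mask
  n=$(ip2int "$1")
  m=$(ip2int "${2%/*}")
  bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( n & mask )) -eq $(( m & mask )) ]
}

# Print "<common name> <virtual address> OK|OUT_OF_POOL" for each ROUTING TABLE entry.
check_status_log() {
  local file="$1" pool="${2:-10.8.0.0/24}"
  awk -F, '/^ROUTING TABLE/ {s=1; next} /^GLOBAL STATS/ {s=0}
           s && $1 ~ /^[0-9.]+$/ {print $1, $2}' "$file" |
  while read -r vip cn; do
    if in_subnet "$vip" "$pool"; then echo "$cn $vip OK"; else echo "$cn $vip OUT_OF_POOL"; fi
  done
}

# Constructed sample: "phone" holds an address outside the pool, as a stale
# ipp.txt entry or a client-config-dir override could produce.
sample_status_log() {
  cat <<'EOF'
OpenVPN CLIENT LIST
Updated,Thu Jun  6 10:00:00 2024
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
laptop,203.0.113.5:51234,12345,67890,Thu Jun  6 09:55:00 2024
phone,198.51.100.7:40001,2222,3333,Thu Jun  6 09:58:00 2024
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.2,laptop,203.0.113.5:51234,Thu Jun  6 09:59:00 2024
10.8.1.9,phone,198.51.100.7:40001,Thu Jun  6 09:59:30 2024
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

if [ -n "${1:-}" ]; then
  check_status_log "$1"              # e.g. /etc/openvpn/openvpn-status.log
else
  tmp=$(mktemp); sample_status_log >"$tmp"; check_status_log "$tmp"; rm -f "$tmp"
fi
```

An OUT_OF_POOL entry means a client is using an address the firewall rules keyed on 10.8.0.0/24 do not cover; find the stale ifconfig-pool-persist line or client-config-dir override that assigned it before trusting the connectivity test.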
Security: The ca.crt, server.crt, server.key, client.crt, and client.key files are critical for ActiVPN's security. Protect these files: private keys should be mode 0600 and owned by root, server.key must never leave the server, the CA's private key belongs on the offline signing host rather than on the VPN server, and each client should receive its own client.crt/client.key pair so a single compromised device can be revoked without touching the others.
PKI Management: Regularly rotate certificates, and revoke the certificate of any lost or decommissioned client; publish the resulting CRL to the server (crl-verify) so the revoked key can no longer connect to your ActiVPN port 1194 infrastructure.
Firewall:ย Carefully configure your firewall to allow ActiVPN traffic on port 1194 and forward traffic correctly.
Customization:ย This is a minimal configuration. Adapt it to your specific needs, considering factors like user management, advanced routing, and additional security measures within your ActiVPN environment.
Troubleshooting: Examine the OpenVPN server and client logs for errors (raise verb to 4 temporarily for more detail). Common issues include certificate problems (expired certificates, a client signed by a different CA, clock skew), firewall restrictions, and routing misconfigurations.