====Email Server Settings====
[[userguide:servermanagement|Server Management]] > [[userguide:servermanagement:networkservices|Network Services]] > OpenVPN Server
OpenVPN is an open-source VPN application that lets you create and join a private network securely over the public Internet. When enabled, your Users can use this server as endpoint for their internet connection. The settings of OpenVPN can be configured on this GUI page.
These services are divided between two sub-tabs:
* [[#General|General]]
* [[#Client Certificates|Client Certificates]]
BlueOnyx uses [[https://openvpn.net/index.php/open-source/345-openvpn-project.html|OpenVPN v2.4.1-2]] as its OpenVPN server.
For troubleshooting [[#Troubleshooting OpenVPN|troubleshooting]] information please scroll to the end of this page.
----
===General===
==Enable OpenVPN==
When this checkbox is ticked, the OpenVPN server will be started with the settings and the configuration displayed on this page.
==UDP Port==
OpenVPN binds to a publicly reachable UDP port. By default this is port 1194 UDP, but you can choose to run it on a different port instead.
==Max Clients==
Maximum amount of OpenVPN clients that are allowed to connect simultaneously.
==DNS Servers==
Specify the DNS servers that VPN clients will use for their internet connection.
==APF Firewall exception==
This option will only show when you also have the optional Package "APF Firewall" from the BlueOnyx shop installed. By default APF blocks access to all UDP ports but the one for DNS. If you want OpenVPN to be reachable despite APF being active, then please tick this checkbox. That will open the OpenVPN UDP port in APF and will also modify APF to add the required IPTables postrouting rule.
==Allow siteAdmins==
By default the siteAdmin of a Vsite with OpenVPN service enabled does NOT have the right to enable/disable OpenVPN access of his users. Tick this checkbox if you want to grant siteAdmins the right to enable/disable OpenVPN access for their own users. For this to work the Vsite in question must have OpenVPN enabled.
==Update Key (WARNING!)==
Tick this checkbox is you want to generate the required OpenVPN SSL certificate. During initial setup this is mandatory. If you tick this checkbox again and save, then ALL OpenVPN SSL certificates (for server and users) will get invalidated and are recreated from scratch. No further
OpenVPN login is possible with previously issued OpenVPN credentials and the newly issued credentials must be used. Therefore use this function with extreme prejudice after the initial setup has been completed.
==Key Name==
This is the name of the OpenVPN server certificate. This cannot be changed.
==VPN Domain==
Fully qualified domain name of this OpenVPN server. Should be the same as
the server name of this BlueOnyx.
===Certificate Information===
This information is taken from the signed certificate (if any) that is installed on the server.
* **City**: The city in which the organization is located or registered. It is important that this information is correct and can be verified with a local, regional, or national government or other official organization.
* **State or Province**: The state, province, or region in which the above city is located. It is important that this information is correct and can be verified with a local, regional, or national government or other official organization.
* **Country**: Select the country in which the organization that will use this certificate is located or registered. It is important that this information is correct and can be verified with a local, regional, or national government or other official organization.
* **Organization**: The official name of the organization owning this certificate. In order to obtain a signed certificate from a certificate authority, the organization name and location must be verifiable with a local, regional, or national government or other official organization. In addition, the certificate authority must be able to verify that the person requesting the certificate is the owner or employee of the named organization.
* **Organization Unit**: The division or unit of the organization that is using this certificate. This is optional, but may be useful if the person applying for a signed certificate is an employee of a subsidiary of a larger organization.
* **Contact Email**: The email address to be contacted for information about this certificate.
===Client Certificates===
The Client Certificates tab shows you a list of all users who have been issued with OpenVPN access. The shown information details the user name, the virtual site that the user might belong to (if any) and date and time of issue of the certificate. Additionally three buttons are shown together which each entry:
* Key icon: Download OVPN key
* Folder icon: Download ZIP-file with the OVPN key and the certificates
* Trashcan icon: Allows you to revoke the issued certificate and to block this users OpenVPN access.
===Troubleshooting OpenVPN===
If your OpenVPN server is not starting, then please try to start it manually from SSH as 'root' and check what the status of the server says. The commands for this are as follows:
==BlueOnyx 5209R:==
''systemctl restart openvpn@server.service''
''systemctl status openvpn@server.service''
==BlueOnyx 5207R, 5208R or Aventurin{e} 6108R:==
''/sbin/service openvpn restart''
''ps axf|grep openvpn''
The configuration files for OpenVPN reside under ''/etc/openvpn/'' and all user certificates can be found under ''/etc/openvpn/easy-rsa/pki''. If you ever plan on migrating the OpenVPN access from one server to another, then be sure to move the ''/etc/openvpn/'' directory across to the new server as well. This will retain both the server certificates and the user certificates.
Under Aventurin{e} or OpenVZ the VPS in question with the OpenVPN package installed must have the capability [[https://openvz.org/VPN_via_the_TUN/TAP_device|Net/TUN]] enabled. In Aventurin{e} this can be done via the GUI interface under VPS / Basic Settings by ticking the respective checkbox and saving. Also make sure your Aventurin{e} node has the kernel module "tun" loaded ("modprobe tun").
==Useful shell-tools:==
* ''/etc/openvpn/easy-rsa/user_cert.sh'': This takes a username as an argument and creates OpenVPN access for that user.
* ''/etc/openvpn/easy-rsa/user_revoke.sh'': This takes a username as an argument and revokes OpenVPN access for that user. The certificate of that user will be invalidated and revoked, so he cannot login with these credentials again. If the user is currently logged in, he will be logged out.
* ''/etc/openvpn/easy-rsa/list-crl'': Must be run from inside the /etc/openvpn/easy-rsa/ directory. Shows a list of all revoked user certificates.
* ''/etc/openvpn/easy-rsa/init.sh'': Initial setup script. Should not be run manually.
* ''/etc/openvpn/easy-rsa/gen_dh.sh'': Initial setup script for the 2048 bit Diffie Hellman keys. Is used once during initial setup of the package.
* ''/etc/openvpn/easy-rsa/easyrsa'': Full Easy-RSA 3.0 command toolkit, which is used by the GUI to set up, configure and to revoke keys.