
OpenVPN Config file – How to understand it

01/12/2012

Each VPN provider will give you a config file. If you open this config in Notepad, it will read something like this.

VPNBook – UDP Port 53 client config file

– client (you’re the client, not the server, so we’re off to a good start).

– Protocol = UDP (UDP is faster than TCP, so this is the fastest form of VPN).

– remote = the VPNBook server; the port we connect on is port 53.

[Screenshot: openvpn client config 7 vpnbook cert settings]

– resolv-retry infinite = keep trying.

– MTU = maximum transmission unit. Consider packets stacked like suitcases in an airplane. Each suitcase has a maximum weight and size. The MTU sets the maximum weight of each suitcase allowed to fly with British Airways OpenVPN. 🙂

– persist = keep trying.

– ca = certificate authority. The .crt file is their certificate.

– auth-user-pass = look for a password file (called password.txt).

– verb = verbosity level: how “chatty” the error messages are.

– cipher = AES-256.

So when you download the UDP Port 53 config file from VPNBook, that’s what the file is saying to your computer.

*****

Line 1 – We are the “client”.

  • Client

  • dev = tun. Each VPN tunnel has 4 devices: 2 are real IP addresses and the other 2 are virtual IP addresses. If it’s not tun, it will read dev tap.

[Screenshot: openvpn client config 1 client]

Line 2 – Remote means the OpenVPN server

  • Protocol = UDP.

  • If not UDP, the protocol would be TCP.

[Screenshot: openvpn client config udp]

  • remote = the server, and the IP/port that we need to connect on.

  • A setting to retry the connection (very handy if the connection fails, or we’re on a busy network).

[Screenshot: openvpn client config 2 port of server]

Line 3 – Persist and HTTP proxy settings (if they’re being used)

  • Persist

  • HTTP proxy

[Screenshot: openvpn client config 3 persist key]

Line 4 – SSL

  • SSL is the security for your browser (Firefox or IE).

  • It checks the certificate (that’s a .crt file)

  • and uses a key for each client (that’s the .key file).

[Screenshot: openvpn client config 4 SSL]

Line 5 – Verify the certificate and SSL security

  • TLS is the newer version of SSL.

  • So this tls-auth setting is about the browser security or SSL secret keys.

  • It’s also handy for stopping DoS attacks.

[Screenshot: openvpn client config 5 server certificate]

Line 6 – 007 James Bond spy keys go here

  • cipher – server and client must agree on an encryption system to encrypt your data.

  • AES-256 is very strong, unbreakable in fact.

  • comp-lzo = allow compression.

[Screenshot: openvpn client config 6 cipher key]

Hopefully, when you get error messages now, you’ll understand what has gone wrong.

E.g. if the error mentions TLS keys, that means the SSL key exchange has not happened in the time allowed, which closes the session. The keys are needed to encrypt your message. If the exchange fails, OpenVPN won’t allow you to connect, as it’s unsafe.
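As an added example (not code from the post or from VPNBook), a small Python script that parses a client config of the kind walked through above into its directives and reports what a defender would check before using a downloaded file: whether a ca and a tls-auth key are present, whether the cipher is the AES-256 the post expects, and whether auth-user-pass points at a plain-text password file. The sample config is constructed; the server name is a placeholder.

```python
import re

def parse_ovpn(text):
    """Parse an .ovpn file into (directive, args) pairs. Skips blank and '#'/';'
    comment lines; an inline <ca>...</ca> block becomes ('ca', ['<inline>'])."""
    directives, block = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if block:                                  # inside <tag> ... </tag>
            if line == f"</{block}>":
                directives.append((block, ["<inline>"]))
                block = None
            continue
        opening = re.fullmatch(r"<([\w-]+)>", line)
        if opening:
            block = opening.group(1)
            continue
        name, *args = line.split()
        directives.append((name, args))
    return directives

def review(directives):
    """Findings a defender wants before trusting a downloaded client config."""
    names, findings = {n for n, _ in directives}, []
    for name, args in directives:
        if name == "auth-user-pass" and args:
            findings.append(f"auth-user-pass {args[0]}: credentials kept in a plain-text file")
        if name == "cipher" and args and not args[0].upper().startswith("AES-256"):
            findings.append(f"cipher {args[0]}: the post expects AES-256")
    for required, why in (("ca", "server certificate cannot be verified"), ("tls-auth", "control channel is not HMAC-protected")):
        if required not in names:
            findings.append(f"missing {required}: {why}")
    return findings

# Constructed sample in the style the post walks through (not VPNBook's real
# file; the server name is a placeholder and the <ca> body is omitted).
SAMPLE = """\
client
dev tun
proto udp
remote vpn.example.invalid 53
resolv-retry infinite
auth-user-pass password.txt
cipher AES-256-CBC
comp-lzo
<ca>
</ca>
"""
```

Running review(parse_ovpn(SAMPLE)) flags the password file and the missing tls-auth key, which is exactly the pair of findings worth reading before connecting.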


OpenVPN Live connection – http://www.IVPN.net

6 Comments
  1. Mitch

    Thank you so much mate !
    Just what I was looking for!


  2. Mitch

    I seem to have fixed the error with this line: ping-restart 195.60.76.223 53
    // I’m also using VPNbook.
    It’s still popping up but not as frequent.

    Thu Dec 06 10:47:12 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Thu Dec 06 10:47:21 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Thu Dec 06 10:47:25 2012 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #21500 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Thu Dec 06 10:47:25 2012 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #21501 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Thu Dec 06 10:47:25 2012 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #21509 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Thu Dec 06 10:47:26 2012 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #21547 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Thu Dec 06 10:47:26 2012 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #21548 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Thu Dec 06 10:47:26 2012 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #21568 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Thu Dec 06 10:47:26 2012 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #21570 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Thu Dec 06 10:47:26 2012 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #21571 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Thu Dec 06 10:47:26 2012 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #21572 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Thu Dec 06 10:47:26 2012 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #21627 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Thu Dec 06 10:47:26 2012 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #21629 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Thu Dec 06 10:47:34 2012 TLS Error: local/remote TLS keys are out of sync: 195.60.76.223:53 [1]
    Thu Dec 06 10:47:43 2012 TLS Error: local/remote TLS keys are out of sync: 195.60.76.223:53 [3]
    Thu Dec 06 11:03:47 2012 TLS Error: local/remote TLS keys are out of sync: 195.60.76.223:53 [3]
    Thu Dec 06 11:28:16 2012 TLS Error: local/remote TLS keys are out of sync: 195.60.76.223:53 [3]

    Your help will be much appreciated.
    Regards Mitch

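As an added example (not part of the post or of Mitch's comment), a small triage script for OpenVPN client logs like the one pasted above: it classifies each timestamped line, counts the error types, and lists the peers whose TLS keys went out of sync. The sample lines are constructed in the same format with a placeholder peer address; the explanations follow the post's own reading of TLS key errors and what the messages themselves say.

```python
import re
from collections import Counter

# Constructed lines in the same format as the log in the comment above
# (timestamps and the 198.51.100.7 peer address are stand-ins).
LOG = """\
Thu Dec 06 10:47:12 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
Thu Dec 06 10:47:25 2012 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #21500 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Thu Dec 06 10:47:34 2012 TLS Error: local/remote TLS keys are out of sync: 198.51.100.7:53 [1]
Thu Dec 06 10:48:00 2012 Initialization Sequence Completed
"""

# (pattern, category, what the line means for a reader of this post)
RULES = [
    (re.compile(r"packet HMAC authentication failed"), "hmac",
     "a data packet failed its HMAC check: tls-auth/auth settings differ from the server's, or the packet was corrupted"),
    (re.compile(r"bad packet ID \(may be a replay\): \[ #(\d+) \]"), "replay",
     "packet ID fell outside the replay window: reordering, loss, or a replayed packet"),
    (re.compile(r"TLS keys are out of sync: (\S+) \[(\d+)\]"), "tls-sync",
     "the key exchange did not complete in time, so OpenVPN closes and restarts the session"),
]

LINE = re.compile(r"^(\w{3} \w{3} \d\d \d\d:\d\d:\d\d \d{4}) (.*)$")

def triage(log):
    """Classify each timestamped line; returns (timestamp, category, captured groups)."""
    events = []
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                      # not an OpenVPN log line
        ts, msg = m.groups()
        for pattern, category, _ in RULES:
            hit = pattern.search(msg)
            if hit:
                events.append((ts, category, hit.groups()))
                break
        else:
            events.append((ts, "info", ()))
    return events

def summarize(events):
    """Count events per category and list peers whose TLS keys went out of sync."""
    counts = Counter(category for _, category, _ in events)
    peers = sorted({groups[0] for _, category, groups in events if category == "tls-sync"})
    return counts, peers
```

A burst of replay and HMAC errors followed by a TLS out-of-sync line, as in the comment, is what to look for when deciding whether the problem is the key configuration or the network path.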

  3. When I import the ovpn file into OpenVPN on my Android I get an error on the dhcp-option DISABLE-NBT. It says something about dhcp-option needing to be on 2 lines, so I have to delete that line and then I can import the file.

    But it also says: “Your configuration had a few configuration options that could be parsed. These options were added as custom configuration options.
    Those are:
    mssfix
    fast-io
    resolv-retry infinite
    fragment 1200

    I don’t know why because on my PC all works fine.


    • Hi Cd,
      Found a site which seems to match up to what you’re telling me. I’ve pasted it, and linked it for you….opcode Errors upon connecting

      Fix: Edit the config files.

      Launch OpenVPN. Do not connect to any server. Select a server and select edit config.
      Add the following lines at the bottom:

      dhcp-option DISABLE-NBT
      dhcp-option DISABLE-NBT

      SAVE. Then now connect.

      That’s it!

      I also have experienced this problem, and now, I do not have any problem connecting to any VPN’s anymore. 😀
      http://askhideki.com/fixing-vpn-on-globe-tattoo-broadband-connectivity-issues/

      ***
      I’ve just read all four VPNBook configs and they all state the disable NBT lines, so it’s not an error.
      VPNBook are setting this config. However, they’re not double lines…. so this might be a fix for you, if you can add this double dhcp-option to the end of the config.

      I’ve been looking up Android instructions, that are visual. Found some here
      https://strongvpn.com/setup_android_open.shtml

      Also found this:
      Do the visual guides for Android help?


  4. Thank you the visual guides did help me. All is working great on my phone now!


  5. Yay! Thanks for the feedback, great to hear the visual guides worked. 🙂

    All’s well that ends well.

