OpenVPN server installation

Server side

Firstly, I must install necessary packages.

apt-get install openvpn easy-rsa

Now it’s time to enable TLS.

cd /etc/openvpn
mkdir easy-rsa
cp -R /usr/share/easy-rsa/* easy-rsa/

Then I must edit /etc/openvpn/easy-rsa/vars according to my organization (see end of file).

vim /etc/openvpn/easy-rsa/vars
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="mail@domain"
export KEY_EMAIL=mail@domain

Generate CA keys ca.crt and ca.key.

cd easy-rsa/
mkdir keys
touch keys/index.txt
echo 01 > keys/serial
. ./vars # set environment variables
./clean-all
./build-ca

Generate a server key server.crt and server.key.

./build-key-server server

Generate DIFFIE-HELLMAN for SSL/TLS connection.

./build-dh

Generate key for each client.

./build-key clientname

Generate key with password (optional).

./build-key-pass clientname

Generated keys are in /etc/openvpn/easy-rsa/keys/.

Copy the ca.crt, clientname.crt, clientname.key from the server to the client.

Now create /etc/openvpn/server.conf:

port 1194
proto udp
dev tun

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem

server 10.9.8.0 255.255.255.0 # internal tun0 interface
topology subnet
ifconfig-pool-persist ipp.txt

keepalive 10 120

comp-lzo # compression - must be set on both sides
persist-key
persist-tun

status log/openvpn-status.log

verb 3 # verbose mode
client-to-client

Create log file.

cd /etc/openvpn
mkdir -p log/
touch log/openvpn-status.log

Define a directory where the client scripts should be stored , e.g. /etc/openvpn/staticclients and create the directory.

mkdir /etc/openvpn/staticclients

Add this directory as option to your openvpn configfile at the server.

client-config-dir /etc/openvpn/staticclients

For each client you have to create a file. The filename must match the “common name” attribute that was specified at the X509 certificate of the client. This command gets the CN from the computers certificate:

openssl x509 -in /etc/openvpn/yourClientCertificate.cer -noout -subject | sed -e 's/.*CN=\(.*\)\/.*/\1/'

Example of static client:

ifconfig-push 10.10.10.2 255.255.255.0
# push "route 10.1.135.0 255.255.255.0 10.1.134.62"
# push "dhcp-option WINS addr"
# push "dhcp-option DNS addr"

If OpenVPN configuration file is server.conf, I can start it by:

systemctl start [email protected]

Start your VPN at boot.

systemctl enable [email protected]

This actually creates a symlink in /etc/systemd/system/multi-user.target.wants/[email protected] pointing to /lib/systemd/system/[email protected].

Enable forward

sysctl -w net.ipv4.ip_forward=1

You have to enable masquerade and set up the firewall to get redirect via default gw working.

-A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE

Client side

Parameters of client.conf:

client
dev tun
port 1194
proto udp
topology subnet

remote MyVPNserverIP 1194
nobind

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/clientname.crt
key /etc/openvpn/easy-rsa/keys/clientname.key

comp-lzo
persist-key
persist-tun

verb 3

If you want to start client side VPN automatically, you have to enable (uncomment) AUTOSTART=“all“ in the /etc/default/openvpn !! Also you have to run once „systemctl daemon-reload“.