OpenVPN is one of the most widely used VPN solutions and the leading open source VPN. It builds on SSL/TLS to create tunnels that encrypt all the traffic sent through them. Today let's take a look at how to install and set up an OpenVPN server.
Install OpenVPN
The first step is to install OpenVPN:
Ubuntu/Debian:
$ sudo apt-get update
$ sudo apt-get install openvpn easy-rsa
CentOS 7/Fedora:
$ sudo yum update
$ sudo yum install openvpn easy-rsa
On CentOS 7 both packages come from the EPEL repository (the epel-release package), so enable it first.
Other distributions:
Refer to your distribution's package manager to install two packages: openvpn and easy-rsa (easy-rsa is the set of scripts used below to run the certificate authority).
Set up the Certificate Authority
In this step you will set up a Certificate Authority, a piece of software that you trust to sign certificates. If you already have a CA in your setup you can skip this step and should use the documentation associated with your CA to issue and revoke certificates.
$ make-cadir ~/openvpn-ca
$ cd ~/openvpn-ca
make-cadir comes with the Debian/Ubuntu easy-rsa package and simply copies the easy-rsa 2 scripts into a working directory; on CentOS 7/Fedora copy the scripts yourself (they are typically installed under /usr/share/easy-rsa/2.0) into ~/openvpn-ca before continuing.
Now edit the file named vars inside the directory you just created. Near the end of the file you will find the following lines; fill them in with your desired configuration using your favourite text editor (these values become the subject of every certificate the CA signs):
export KEY_COUNTRY="" # Two-letter country code: e.g. US
export KEY_PROVINCE="" # Two-letter province code: e.g. NY
export KEY_CITY="" # Full city name: e.g. "New York City"
export KEY_ORG="" # Organization name: e.g. "My organization"
export KEY_EMAIL="" # Admin mail: e.g. "admin@example.com"
export KEY_OU="" # Organization Unit: e.g. "Research"
export KEY_NAME="" # The name of the key: e.g. "RootCA"; this line is in the middle of the file rather than at the end.
While you are there, check the KEY_SIZE setting near the top of the file: it should be 2048, which is what the dh2048.pem file name used below expects.
Now that you have set all the variables, load them and initialise the CA:
$ source vars
$ ./clean-all
$ ./build-ca
clean-all creates the empty keys directory together with the index.txt and serial files the signing scripts need; be aware that it also wipes anything already in that directory, so run it only once, when first setting up the CA. Now that the CA is up and running you are ready to start signing certificates. Keep keys/ca.key offline, or at least off the VPN server: whoever holds it can issue certificates that your server will accept.
Set up the Server certificate and the OpenVPN server
The first certificate you will issue will be the one for the OpenVPN server. Clients check it against the CA certificate, which is what ensures they are connected to the right server rather than an impostor.
$ cd ~/openvpn-ca
$ source vars
$ ./build-key-server server
You will be asked for the usual plethora of confirmations; in the end you will get a signed server certificate (build-key-server also marks it as a server certificate, which is what lets clients tell it apart from another client's certificate). To enable forward secrecy you will now generate Diffie-Hellman parameters (not a key pair; be aware this will take some time):
$ ./build-dh
In addition you can generate a static tls-auth key. The server and the clients use it to HMAC-sign every control-channel packet, so packets from anyone who does not hold the key are dropped before the TLS handshake even starts:
$ openvpn --genkey --secret keys/ta.key
Now that you have all the pieces in place we can copy them to the server configuration directory (/etc/openvpn). The DH file is named after the KEY_SIZE set in vars, so if you changed that from 2048 adjust the name here and in server.conf; once copied, make sure server.key and ta.key are readable by root only:
$ cd ~/openvpn-ca/keys
$ sudo cp ca.crt server.crt server.key ta.key dh2048.pem /etc/openvpn
All that’s missing now is a server configuration file, luckily enough there’s a sample file within your installation. With this command we will extract the file from an archive and copy it to your server configuration directory:
$ gunzip -c /usr/share/doc/openvpn*/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf
This file can be quite daunting, but it is full of comments that will help you out. For brevity, here is a trimmed version of a working file (the server directive, which assigns the VPN subnet, is the one line you must not leave out):
# Port/protocol
port 1194
proto udp
# Device configuration
dev tun # You can also use TAP, depending on your needs.
# VPN subnet: the server takes 10.8.0.1 and hands out the rest to clients.
# Without this line OpenVPN has no addresses to give out and clients cannot connect.
server 10.8.0.0 255.255.255.0
# Route all client traffic through the tunnel (this is what the masquerading below is for);
# comment it out if you only want the VPN subnet reachable through the tunnel.
push "redirect-gateway def1 bypass-dhcp"
# Key configuration
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# HMAC on the control channel: the server uses direction 0, clients use direction 1
tls-auth ta.key 0
# Data-channel cipher; OpenVPN 2.4 and later clients negotiate AES-256-GCM on top of this
cipher AES-256-CBC
# Max clients
;max-clients 100
# Miscellaneous settings
keepalive 10 120
# Drop root privileges once the tunnel is up (on Debian/Ubuntu the unprivileged group is "nogroup")
user nobody
group nobody
persist-key
persist-tun
verb 3
# Tell clients when the server restarts; only valid with proto udp
explicit-exit-notify 1
Edit this file according to your needs, remembering that lines starting with a # or a ; are comments.
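Added here as a worked example, not code from the original post: a small POSIX-shell audit that reads a server.conf and reports the omissions that most often turn a trimmed file like the one above into a broken or weak server (no server subnet, no tls-auth/tls-crypt, a weak or absent cipher, no user/group privilege drop, explicit-exit-notify on TCP, no DH parameters). The directive names are OpenVPN's own; which ones count as findings is this script's choice, and it only needs grep and awk.

```shell
#!/bin/sh
# Added example (not from the original post): audit an OpenVPN server.conf for
# the settings discussed above. The exit status is the number of findings, so
# a deployment script can refuse to start the service on a bad file.

# has_directive FILE NAME -> true if NAME is set (uncommented) in FILE
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# directive_value FILE NAME -> first argument of the directive, or empty
directive_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

audit_server_conf() {
    conf="$1"
    findings=0
    warn() { echo "WARN: $1"; findings=$((findings + 1)); }

    # Without 'server' (or a manual 'ifconfig') OpenVPN has no address pool.
    has_directive "$conf" server || has_directive "$conf" ifconfig \
        || warn "no 'server' directive: no VPN subnet for clients"

    # tls-auth or tls-crypt drops unauthenticated packets before the TLS
    # handshake, which shields the port from scanning and handshake floods.
    has_directive "$conf" tls-auth || has_directive "$conf" tls-crypt \
        || warn "neither tls-auth nor tls-crypt: control channel unprotected"

    # Weak or missing data-channel cipher (BF-CBC was the pre-2.4 default).
    cipher=$(directive_value "$conf" cipher)
    case "$cipher" in
        "")                    warn "no 'cipher': relying on the daemon's default" ;;
        BF-CBC|DES*|RC2*|none) warn "weak cipher '$cipher'" ;;
    esac

    # Privilege drop after start-up.
    has_directive "$conf" user  || warn "no 'user': daemon keeps running as root"
    has_directive "$conf" group || warn "no 'group': daemon keeps root's group"

    # explicit-exit-notify is UDP-only; OpenVPN refuses to start with it on TCP.
    if has_directive "$conf" explicit-exit-notify; then
        case "$(directive_value "$conf" proto)" in
            tcp*) warn "explicit-exit-notify is only valid with proto udp" ;;
        esac
    fi

    # DH parameters ('dh none' is acceptable on 2.4+ with ECDH).
    has_directive "$conf" dh || warn "no 'dh': no DH parameters configured"

    echo "$findings finding(s) in $conf"
    return "$findings"
}

# Usage: audit_server_conf /etc/openvpn/server.conf
```

Run it against the file you just wrote; the trimmed configuration above, including its server line, passes with zero findings, while a file that drops tls-auth or the user/group lines is flagged before it ever goes live.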
Setting up network and OpenVPN service
Allow IP Forwarding
In order to be able to route network packets, your Linux kernel must be instructed to do so:
$ echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
$ sudo sysctl -p
Open firewall ports
In order for the OpenVPN traffic to pass you will need to open the port in your firewall. Change the following commands according to the port/protocol specified in the server.conf file:
Ubuntu/Debian:
$ sudo ufw allow 1194/udp
$ sudo ufw reload
CentOS 7/Fedora:
$ sudo firewall-cmd --add-port=1194/udp --permanent
$ sudo firewall-cmd --reload
Other distributions:
Refer to your distribution's firewall to open the port defined in the server.conf file.
Setting up masquerading
Ubuntu/Debian:
Change ufw's default forward policy so that packets forwarded on behalf of VPN clients are not discarded (the quoting matters: the value in /etc/default/ufw is itself quoted):
$ sudo sed -i 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw
$ sudo systemctl restart ufw
This only permits forwarding; ufw still needs a NAT (masquerade) rule for the VPN subnet in /etc/ufw/before.rules, otherwise replies from the internet never find their way back to the clients.
CentOS 7/Fedora:
Enable masquerading (NAT/PAT) in the default zone, then reload so the permanent rule takes effect:
$ sudo firewall-cmd --add-masquerade --permanent
$ sudo firewall-cmd --reload
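The ufw side of this section leaves one thing out: changing the forward policy lets packets through, but without a NAT rule the clients' private VPN addresses are never translated and replies from the internet have nowhere to go. Added here as a worked example (not part of the original post) is the *nat block ufw expects at the top of /etc/ufw/before.rules, wrapped in a function that adds it only once so a provisioning script can re-run it safely. The VPN subnet 10.8.0.0/24 (OpenVPN's default server pool) and the outbound interface eth0 are assumptions; substitute yours.

```shell
#!/bin/sh
# Added example (not part of the original post): the masquerade rule ufw needs
# for OpenVPN clients. /etc/ufw/before.rules is ufw's real pre-filter rules
# file; the subnet and interface passed in are assumptions to adapt.

# ufw_nat_block SUBNET IFACE -> prints a *nat table that masquerades SUBNET
# out of IFACE. ufw feeds the file to iptables-restore, so it must sit before
# the *filter table that is already in before.rules.
ufw_nat_block() {
    cat <<EOF
# BEGIN OPENVPN NAT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $1 -o $2 -j MASQUERADE
COMMIT
# END OPENVPN NAT
EOF
}

# ensure_ufw_nat FILE SUBNET IFACE -> prepend the block to FILE unless a block
# is already there, so the function is safe to run on every provisioning pass.
ensure_ufw_nat() {
    file="$1"
    if grep -q '^# BEGIN OPENVPN NAT' "$file"; then
        echo "NAT block already present in $file"
        return 0
    fi
    tmp=$(mktemp)
    { ufw_nat_block "$2" "$3"; cat "$file"; } > "$tmp"
    cat "$tmp" > "$file"   # write in place to keep the file's owner and mode
    rm -f "$tmp"
    echo "NAT block added to $file"
}

# nat_rule_count FILE -> number of MASQUERADE rules, a quick idempotence check
nat_rule_count() {
    grep -c -- '-j MASQUERADE' "$1" || true
}

# Typical use on Ubuntu/Debian, as root, after the forward-policy change above:
#   ensure_ufw_nat /etc/ufw/before.rules 10.8.0.0/24 eth0
#   ufw reload
```

After `ufw reload`, `iptables -t nat -S POSTROUTING` should list the MASQUERADE rule; if a client can reach the server's VPN address but nothing beyond it, this rule or the ip_forward sysctl is what is missing.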
Starting and enabling OpenVPN at boot
$ sudo systemctl start openvpn@server.service
$ sudo systemctl enable openvpn@server.service
The instance name after the @ is the configuration file name without .conf, so if you used a different name for server.conf you should change these commands accordingly. Check the result with sudo systemctl status openvpn@server.service and look for "Initialization Sequence Completed" in its log (journalctl -u openvpn@server.service) before moving on.
Generating client certificates
You can simply generate client certificates (that you will use to connect from other devices) by doing:
$ cd ~/openvpn-ca
$ source vars
$ ./build-key client1
This will generate a client certificate whose private key is not passphrase-protected; if you want a passphrase-protected key use ./build-key-pass instead of ./build-key. The client needs ca.crt, client1.crt, client1.key and ta.key (the last one used with tls-auth direction 1). Issue one certificate per device and keep the .key files private, since anyone holding one can connect as that client.
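easy-rsa 2 records every certificate it issues in keys/index.txt, the OpenSSL CA database; ./revoke-full client1 flips that client's entry from V to R and regenerates keys/crl.pem, which the server only enforces if server.conf contains a crl-verify line pointing at it. Added here as a worked example, not code from the original post, is a short awk report over that file that answers the question this section and the CA section above raise: which clients can still connect? The sample database is constructed for the example, and excluding the CN "server" from the client list is an assumption based on the names used in this guide.

```shell
#!/bin/sh
# Added example, not part of the original post: report over easy-rsa's
# certificate database (keys/index.txt). The file is OpenSSL's CA database,
# tab-separated: status (V/R/E), expiry, revocation date, serial, filename,
# subject DN. The sample database below is constructed for this example.

# cert_report INDEX NOW -> one line per certificate: "CN status serial", where
# status is REVOKED (flag R), EXPIRED (expiry before NOW) or VALID. NOW is in
# OpenSSL's YYMMDDHHMMSSZ form, so a plain string comparison orders dates.
cert_report() {
    awk -F'\t' -v now="$2" '
        {
            cn = "?"
            n = split($6, parts, "/")
            for (i = 1; i <= n; i++)
                if (substr(parts[i], 1, 3) == "CN=") cn = substr(parts[i], 4)
            if ($1 == "R")       status = "REVOKED"
            else if ($2 < now)   status = "EXPIRED"
            else                 status = "VALID"
            print cn, status, $4
        }' "$1"
}

# valid_clients INDEX NOW -> only the CNs that can still connect, one per line.
# Assumes the server certificate was issued as "server", as in this guide.
valid_clients() {
    cert_report "$1" "$2" | awk '$2 == "VALID" && $1 != "server" { print $1 }'
}

# Constructed sample database: the server cert, a live client, a client that
# was revoked on 2024-03-01 and one whose certificate expired at the start of 2023.
sample_index() {
    printf 'V\t280101000000Z\t\t01\tunknown\t/C=US/ST=NY/O=Example/CN=server/emailAddress=admin@example.com\n'
    printf 'V\t280101000000Z\t\t02\tunknown\t/C=US/ST=NY/O=Example/CN=client1/emailAddress=admin@example.com\n'
    printf 'R\t280101000000Z\t240301120000Z\t03\tunknown\t/C=US/ST=NY/O=Example/CN=client2/emailAddress=admin@example.com\n'
    printf 'V\t230101000000Z\t\t04\tunknown\t/C=US/ST=NY/O=Example/CN=client3/emailAddress=admin@example.com\n'
}

# Usage against a real CA directory:
#   cert_report ~/openvpn-ca/keys/index.txt "$(date -u +%y%m%d%H%M%SZ)"
```

Run the report periodically (or from a cron job that mails the output) and compare it with the list of devices that should have access; a certificate that is still VALID for someone who left is exactly the case revoke-full and crl-verify exist for.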
The IT guy with a slight look of boredom in his eyes. Freelancer. Current interests: Kubernetes, Tensorflow, shiny new things.