Server Configuration
- Install OpenVPN

```shell
sudo apt update && sudo apt install openvpn
```

- Copy the easy-rsa directory
easy-rsa is used to generate certificates.

```shell
sudo cp -pr /usr/share/easy-rsa /etc/openvpn/server/ && cd /etc/openvpn/server/easy-rsa/
```

- Rename and edit the vars file from the template

```shell
cp vars.example vars && nano vars
```

- Search for the following block:
/etc/openvpn/server/easy-rsa/vars:

```
# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
# These are the default values for fields which will be placed in the
# certificate. Don't leave any of these fields blank, although interactively
# you may omit any specific field by typing the "." symbol (not valid for
# email.)

#set_var EASYRSA_REQ_COUNTRY   "US"
#set_var EASYRSA_REQ_PROVINCE  "California"
#set_var EASYRSA_REQ_CITY      "San Francisco"
#set_var EASYRSA_REQ_ORG       "Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL     "me@example.net"
#set_var EASYRSA_REQ_OU        "My Organizational Unit"

# Choose a size in bits for your keypairs. The recommended value is 2048. Using
# 2048-bit keys is considered more than sufficient for many years into the
# future. Larger keysizes will slow down TLS negotiation and make key/DH param
# generation take much longer. Values up to 4096 should be accepted by most
# software. Only used when the crypto alg is rsa (see below.)
```

- Uncomment the lines and enter your configuration:
/etc/openvpn/server/easy-rsa/vars:

```
set_var EASYRSA_REQ_COUNTRY   "FR"
set_var EASYRSA_REQ_PROVINCE  "France"
set_var EASYRSA_REQ_CITY      "maville"
set_var EASYRSA_REQ_ORG       "xsec"
set_var EASYRSA_REQ_EMAIL     "test@gmail.com"
set_var EASYRSA_REQ_OU        "it"
```

- Create the Certificate Authority
- Here without a password; in production it is recommended to set one.

```shell
./easyrsa init-pki
./easyrsa build-ca nopass
```

Output of `./easyrsa build-ca nopass`:

```
Note: using Easy-RSA configuration from: /etc/openvpn/server/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1k  25 Mar 2021
Generating RSA private key, 2048 bit long modulus (2 primes)
.............................+++++
..................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/server/easy-rsa/pki/ca.crt
```

At the prompt `Common Name [Easy-RSA CA]:`, press Enter to keep the default name.
- Generate the server certificate
- Here without a password; in production it is recommended to set one.

```shell
./easyrsa build-server-full server nopass
```

- Generate the client certificate
- Here without a password; in production it is recommended to set one.

```shell
./easyrsa build-client-full client nopass
```

- Generate the dh.pem file
- This file holds the Diffie-Hellman parameters used during the initial TLS handshake, which establishes the symmetric keys for the connection.

```shell
./easyrsa gen-dh
```

- This operation may take some time, depending on your machine's power.
- Generate the tls-auth key file

```shell
openvpn --genkey tls-auth ta.key
```

- Reorder the files
- Copy the generated server files and the Certificate Authority certificate to /etc/openvpn/

```shell
cp pki/issued/server.crt pki/private/server.key pki/ca.crt pki/dh.pem ta.key /etc/openvpn/
```

Resulting layout:

```
/etc/openvpn/
├── server.crt
├── server.key
├── ca.crt
├── dh.pem
└── ta.key
```

- Copy the generated client files to /etc/openvpn/client/

```shell
cp pki/issued/client.crt pki/private/client.key pki/ca.crt pki/dh.pem ta.key /etc/openvpn/client/
```

Resulting layout:

```
/etc/openvpn/client/
├── client.crt
├── client.key
├── ca.crt
├── dh.pem
└── ta.key
```
- Create the configuration file from the template

```shell
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/server.conf && cd /etc/openvpn/
```

- Here we copy the configuration file to the default directory /etc/openvpn/ and enter the directory.
- Rename the dh.pem file

```shell
mv /etc/openvpn/dh.pem /etc/openvpn/dh2048.pem
```

Note: by renaming it to dh2048.pem, server.conf will pick the file up directly, since the file name dh2048.pem is the one specified by default in the sample configuration.

- Test the configuration
```shell
openvpn --config /etc/openvpn/server.conf
```

Tip: if your configuration is correct, you will see in the last line:

```
Initialization Sequence Completed
```

Error "Already in use"
Danger: if you already have an instance of openvpn running, there may be a conflict with the installation (error: "Already in use").
You need to find the process that is holding the service's port. You can list the ports in use:

```shell
ss -na
```

You can filter on the default OpenVPN port to see whether an instance is running:

```shell
ss -pan | grep 1194
```

```
udp   UNCONN 0      0        0.0.0.0:1194      0.0.0.0:*    users:(("openvpn",pid=8660,fd=7))
```

- You can see `pid=8660` here; you need to stop this process:

```shell
sudo kill -9 8660
```

- Repeat until `ss -pan | grep 1194` no longer returns a result (adapt the pid each time).
- Restart openvpn on the server

```shell
systemctl daemon-reload && systemctl restart openvpn
```

Note: you can add `systemctl enable openvpn` to make OpenVPN start automatically with the machine.
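The following POSIX shell script is an added pre-flight check for the server steps above and for the "Already in use" troubleshooting; it is not part of the original guide. It assumes the file names used above under /etc/openvpn (server.crt, server.key, ca.crt, dh2048.pem, ta.key), GNU coreutils `stat` and an `openssl` binary on the PATH.

```shell
#!/bin/sh
# Added pre-flight check (not part of the original guide). Assumes the file
# names used above under /etc/openvpn (server.crt, server.key, ca.crt,
# dh2048.pem, ta.key), GNU coreutils stat and an openssl binary on the PATH.

# Extract the pid numbers from `ss -pan` output read on stdin, e.g. the line
# quoted above: users:(("openvpn",pid=8660,fd=7)) -> "8660".
pids_from_ss() {
    grep -o 'pid=[0-9]*' | sed 's/pid=//' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Verify the certificate material before running `openvpn --config`.
# Prints one line per problem and returns 0 only when every check passes.
check_openvpn_pki() {
    dir="${1:-/etc/openvpn}"
    rc=0
    for f in server.crt server.key ca.crt dh2048.pem ta.key; do
        [ -f "$dir/$f" ] || { echo "missing: $dir/$f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1          # nothing else can be checked
    # server.crt must chain to the CA built with `easyrsa build-ca`
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 \
        || { echo "server.crt is not signed by ca.crt"; rc=1; }
    # server.crt and server.key must carry the same public key
    crt_pub=$(openssl x509 -in "$dir/server.crt" -pubkey -noout 2>/dev/null)
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null)
    { [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]; } \
        || { echo "server.crt and server.key do not match"; rc=1; }
    # private material must not be readable by other users
    for f in server.key ta.key; do
        case "$(stat -c %a "$dir/$f" 2>/dev/null)" in
            *[1-7]) echo "$dir/$f is readable by others (chmod 600)"; rc=1 ;;
        esac
    done
    # the sample server.conf references dh2048.pem; make sure it is valid
    openssl dhparam -in "$dir/dh2048.pem" -check -noout >/dev/null 2>&1 \
        || { echo "dh2048.pem is not a valid DH parameter file"; rc=1; }
    return "$rc"
}

# Usage when run directly: sh check-openvpn.sh /etc/openvpn
if [ -n "${1:-}" ]; then check_openvpn_pki "$1"; fi
```

Run it before `openvpn --config /etc/openvpn/server.conf`; an empty output and exit status 0 mean the files are in place and consistent.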
Client Configuration
- Install OpenVPN on the client

```shell
apt update && apt install openvpn
```

- Copy the files from the /etc/openvpn/client directory to transfer them to the client machine
On the client machine, move them to /etc/openvpn/:

```
/etc/openvpn/
├── client.crt
├── client.key
├── ca.crt
├── dh.pem
└── ta.key
```

- Copy and edit the client configuration file

```shell
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/ && nano /etc/openvpn/client.conf
```

/etc/openvpn/client.conf:

```
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote my-server-1 1194
;remote my-server-2 1194
```

Replace `remote my-server-1 1194` with `remote OPENVPN_SERVER_IP 1194`.

- Restart OpenVPN on the client
```shell
sudo systemctl daemon-reload && sudo systemctl restart openvpn
```

Note (make it autostart at boot): you can add `systemctl enable openvpn` to make OpenVPN start automatically with the machine.

- Connect to the OpenVPN server
```shell
openvpn --config /etc/openvpn/client.conf
```

If your configuration is correct, you will see in the last line:

```
Initialization Sequence Completed
```
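As an added consistency check for the client.conf edit above (not from the original guide), this POSIX shell script compares the directives the sample file says must match the server (`proto`, `dev`) against server.conf, confirms the placeholder `remote my-server-1 1194` was replaced, and checks the remote port against the server's `port` directive. File paths are passed as arguments; nothing else is assumed about the system.

```shell
#!/bin/sh
# Added consistency check (not from the original guide) for the client.conf
# edited above: proto and dev must match server.conf, the placeholder
# "remote my-server-1 1194" must have been replaced, and the remote port
# must be the one server.conf listens on. Paths are passed as arguments.

# conf_get FILE DIRECTIVE: print the value of the first active line for the
# directive; lines starting with ';' or '#' are comments and are skipped.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\)$/\1/p" "$1" | head -n 1
}

# check_client_against_server CLIENT_CONF SERVER_CONF
# Prints one line per mismatch and returns 0 only when everything agrees.
check_client_against_server() {
    client="$1"; server="$2"; rc=0
    # "Use the same setting as you are using on the server"
    for directive in proto dev; do
        c=$(conf_get "$client" "$directive")
        s=$(conf_get "$server" "$directive")
        [ "$c" = "$s" ] || { echo "$directive: client '$c' vs server '$s'"; rc=1; }
    done
    # remote HOST [PORT]; OpenVPN defaults the port to 1194 when omitted
    remote=$(conf_get "$client" remote)
    host=${remote%% *}
    case "$remote" in
        *" "*) rport=${remote##* } ;;
        *)     rport=1194 ;;
    esac
    case "$host" in
        ""|my-server-*) echo "remote: placeholder not replaced ('$remote')"; rc=1 ;;
    esac
    sport=$(conf_get "$server" port)
    [ "$rport" = "${sport:-1194}" ] \
        || { echo "remote port $rport vs server port ${sport:-1194}"; rc=1; }
    return "$rc"
}

# Usage when run directly: sh check-client.sh /etc/openvpn/client.conf server.conf
if [ -n "${2:-}" ]; then check_client_against_server "$1" "$2"; fi
```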