Simple setup of an OpenVPN-server
This is a simple how to.
This is written as build upon the server on which the openvpn-service runs. This is generally considered a bad idea. The only part that needs to be different, running the configuration on a different computer, is the "installing" part.
Setting up the server
Set up the directory where certificates will be built
mkdir RSA cd RSA ln -s /usr/share/doc/openvpn/examples/easy-rsa/2.0/pkitool . ln -s /usr/share/doc/openvpn/examples/easy-rsa/2.0/whichopensslcnf . ln -s /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl.cnf . cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/vars . mkdir keys touch keys/index.txt echo 00 > keys/serial
Set up the default values for the ceritficates, by editing "vars" and changing the variables at the bottom of the file.
export KEY_COUNTRY="US" export KEY_PROVINCE="CA" export KEY_CITY="SanFrancisco" export KEY_ORG="Fort-Funston" export KEY_EMAIL="firstname.lastname@example.org"
Create a certificate authority
Create Diffie-Hellman key for server
Create Dual-factor authentication key
openvpn --genkey --secret keys/tls-auth.key
Create an certificate revotaion list, this is easiest accomplished by creating and revoking a certificate.
/usr/share/doc/openvpn/examples/easy-rsa/2.0/build-key dummy /usr/share/doc/openvpn/examples/easy-rsa/2.0/revoke-full dummy
Download and install the following:
server.conf.in a configuration template for the server
client.conf.in a configuration template for clients
build-conf.bash a configuration builder
Edit server.conf.in and client.conf.in:
"local xxx.xxx.xxx.xxx" should be the wan-ip-number on your server (optionally 0.0.0.0).
"remote xxx.xxx.xxx.xxx" should be the fully qualified domain name or public ip number of your server
192.168.yyy.* to a private lan of your choosing
lines with "dhcp-option" to reflect an optional nameserver describing your network. Can be removed entirely.
choose UDP or TCP settings (UDP is preferred)
Create a certificate and config for the openvpn server. Make sure that "hostname --long" is the name of the server you run openvpn on
/usr/share/doc/openvpn/examples/easy-rsa/2.0/build-key-server `hostname --long` ./build-conf.bash `hostname --long` server
Install the files on the server
sudo mkdir /etc/openvpn/clients sudo cp keys/crl.pem /etc/openvpn sudo cp `hostname --long`.conf /etc/openvpn/ sudo /etc/init.d/openvpn restart
Now your server is (hopefully up and running)
Setting up the client
Create a certifitate and config for your client:
/usr/share/doc/openvpn/examples/easy-rsa/2.0/build-key client-name ./build-conf.bash client-name
you should now have a client-name.conf, which you can copy to your client machine, and run
sudo openvpn client-name.conf
Static vpn ip-number for client
If you want this client to always have a specific ip number you can make a server config, for this certificate:
sudo bash -c "echo 'ifconfig-push 192.168.yyy.zzz 255.255.255.0' > /etc/openvpn/clients/client-name"