Simple setup of an OpenVPN server
This is a simple how to.
This is written as if the certificates are built on the same server on which the OpenVPN service runs. This is generally considered a bad idea, because the CA's private key then lives on the host that is exposed to the network. The only part that differs when you run the certificate build on a different computer is the "installing" part.
Setting up the server
Set up the directory where certificates will be built
mkdir RSA
cd RSA
ln -s /usr/share/doc/openvpn/examples/easy-rsa/2.0/pkitool .
ln -s /usr/share/doc/openvpn/examples/easy-rsa/2.0/whichopensslcnf .
ln -s /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl.cnf .
cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/vars .
mkdir keys
touch keys/index.txt
echo 00 > keys/serial
Set up the default values for the certificates by editing "vars" and changing the variables at the bottom of the file.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
Create a certificate authority
/usr/share/doc/openvpn/examples/easy-rsa/2.0/build-ca
Create Diffie-Hellman key for server
/usr/share/doc/openvpn/examples/easy-rsa/2.0/build-dh
Create the tls-auth key (a pre-shared HMAC key that acts as a second authentication factor on top of the certificates)
openvpn --genkey --secret keys/tls-auth.key
Create a certificate revocation list. This is most easily accomplished by creating and then revoking a dummy certificate.
/usr/share/doc/openvpn/examples/easy-rsa/2.0/build-key dummy
/usr/share/doc/openvpn/examples/easy-rsa/2.0/revoke-full dummy
Download and install the following:
server.conf.in a configuration template for the server
client.conf.in a configuration template for clients
build-conf.bash a configuration builder
Edit server.conf.in and client.conf.in:
"local xxx.xxx.xxx.xxx" should be the WAN IP address of your server (optionally 0.0.0.0 to listen on all addresses).
"remote xxx.xxx.xxx.xxx" should be the fully qualified domain name or public IP address of your server.
192.168.yyy.* should be changed to a private LAN range of your choosing.
lines with "dhcp-option" should reflect an optional nameserver for your network. They can be removed entirely.
choose the UDP or TCP settings (UDP is preferred).
Create a certificate and config for the OpenVPN server. Make sure that "hostname --long" returns the name of the server you run OpenVPN on.
/usr/share/doc/openvpn/examples/easy-rsa/2.0/build-key-server `hostname --long`
./build-conf.bash `hostname --long` server
Install the files on the server
sudo mkdir /etc/openvpn/clients
sudo cp keys/crl.pem /etc/openvpn
sudo cp `hostname --long`.conf /etc/openvpn/
sudo /etc/init.d/openvpn restart
Now your server is (hopefully) up and running.
Setting up the client
Create a certificate and config for your client:
/usr/share/doc/openvpn/examples/easy-rsa/2.0/build-key client-name
./build-conf.bash client-name
You should now have a client-name.conf, which you can copy to your client machine and run with
sudo openvpn client-name.conf
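The how-to does not show what build-conf.bash does when it turns server.conf.in or client.conf.in plus the easy-rsa output into `hostname --long`.conf or client-name.conf. The script below is an added example written for this page, not the author's build-conf.bash: it assumes the templates already hold every directive except the certificate material, appends that material as OpenVPN inline blocks (ca, cert, key, tls-auth, and dh for the server), refuses to run when an input file is missing, and locks down the resulting file because it carries a private key. The make_sample_inputs helper writes constructed placeholder files, not real keys, so the script can be tried offline.

```shell
#!/bin/sh
# Hypothetical stand-in for the how-to's build-conf.bash, not the original
# script. Assumes easy-rsa output in $KEYS_DIR and templates in $TEMPLATE_DIR
# that hold every directive except the certificate material, which is
# appended as OpenVPN inline <tag>...</tag> blocks so one <name>.conf suffices.
KEYS_DIR="${KEYS_DIR:-keys}"
TEMPLATE_DIR="${TEMPLATE_DIR:-.}"

# Wrap a PEM file in OpenVPN's inline block syntax.
inline_block() {
    printf '<%s>\n' "$1"
    cat "$2"
    printf '</%s>\n' "$1"
}

# build_conf <name> [server]: writes <name>.conf; returns 1 if an input is missing.
build_conf() {
    name="$1"; role="${2:-client}"
    template="$TEMPLATE_DIR/client.conf.in"; key_dir=1
    inputs="$KEYS_DIR/ca.crt $KEYS_DIR/$name.crt $KEYS_DIR/$name.key $KEYS_DIR/tls-auth.key"
    if [ "$role" = server ]; then
        template="$TEMPLATE_DIR/server.conf.in"; key_dir=0
        inputs="$inputs $KEYS_DIR/dh1024.pem"   # easy-rsa 2.0 default KEY_SIZE
    fi
    for f in $template $inputs; do
        if [ ! -r "$f" ]; then
            echo "build_conf: missing $f" >&2; return 1
        fi
    done
    {
        cat "$template"
        printf 'key-direction %s\n' "$key_dir"   # required when tls-auth is inline
        inline_block ca "$KEYS_DIR/ca.crt"
        inline_block cert "$KEYS_DIR/$name.crt"
        inline_block key "$KEYS_DIR/$name.key"
        inline_block tls-auth "$KEYS_DIR/tls-auth.key"
        if [ "$role" = server ]; then inline_block dh "$KEYS_DIR/dh1024.pem"; fi
    } > "$name.conf"
    chmod 600 "$name.conf"   # the file now carries a private key
}

# Constructed sample inputs (NOT real keys) so the script can be tried offline.
make_sample_inputs() {
    mkdir -p "$KEYS_DIR" "$TEMPLATE_DIR"
    printf 'client\ndev tun\nremote xxx.xxx.xxx.xxx 1194\n' > "$TEMPLATE_DIR/client.conf.in"
    for f in ca.crt client-name.crt client-name.key tls-auth.key; do
        printf -- '-----CONSTRUCTED SAMPLE %s-----\n' "$f" > "$KEYS_DIR/$f"
    done
}
```

Against real easy-rsa output, run `build_conf client-name` from the RSA directory after build-key, or `build_conf "$(hostname --long)" server` after build-key-server.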
Static vpn ip-number for client
If you want this client to always get a specific IP address, you can add a per-client server config for this certificate. The file name must match the common name of the client's certificate:
sudo bash -c "echo 'ifconfig-push 192.168.yyy.zzz 255.255.255.0' > /etc/openvpn/clients/client-name"