Table of Contents

openvpn configuration

Server

Server installation

$ apt install openvpn easy-rsa

Certificate Authority Setup

$ make-cadir /etc/openvpn/easy-rsa
$ cd /etc/openvpn/easy-rsa
$ ./easyrsa gen-dh
$ ./easyrsa init-pki
$ ./easyrsa build-ca nopass

Server Keys and Certificates

$ ./easyrsa gen-dh
$ ./easyrsa gen-req myservername nopass
$ ./easyrsa sign-req server myservername
$ cp pki/dh.pem pki/ca.crt \
	pki/issued/myservername.crt \
	pki/private/myservername.key \
	/etc/openvpn/

Client Certificate (for server)

$ ./easyrsa gen-req myclient nopass
$ ./easyrsa sign-req client myclient

Simple Server Configuration

$ gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/myserver.conf

Edit /etc/openvpn/myserver.conf

ca ca.crt
cert myservername.crt
key myservername.key
dh dh.pem

user nobody
group nogroup

Generate the tls-auth key (ta.key)

$ cd /etc/openvpn
$ openvpn --genkey --secret ta.key

Validate myserver.conf file

$ openvpn /etc/openvpn/myserver.conf	

Edit /etc/sysctl.conf and uncomment the following line to enable IP forwarding

#net.ipv4.ip_forward=1

Then reload sysctl

$ sysctl -p /etc/sysctl.conf 

Start openvpn

$ systemctl enable openvpn@myserver
$ systemctl start openvpn@myserver

To view logs

$ journalctl -u openvpn@myserver -xe

Check if OpenVPN created a tun0 interface

$ ip addr show dev tun0

Client

Simple Client Configuration

$ apt install openvpn

$ cat /usr/share/doc/openvpn/examples/sample-config-files/client.conf > /etc/openvpn/myclient.conf

Copy the client key, certificate, ca.crt and ta.key from the server, and reference them in myclient.conf:

ca ca.crt
cert myclient1.crt
key myclient1.key
tls-auth ta.key 1

Edit myclient.conf

client
remote vpnserver.example.com 1194

Start openvpn

$ systemctl start openvpn@myclient

Check on the client if it created a tun0 interface

$ ip addr show dev tun0

Check if you can ping the OpenVPN server

$ ping 10.8.0.1

Check out your routes

$ ip route

Script to configure Server

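#!/bin/sh
# Server-side OpenVPN setup: installs the packages, builds an Easy-RSA PKI,
# issues the "server" certificate, installs the sample server.conf, creates
# the tls-auth key, enables IPv4 forwarding and starts the openvpn@server unit.
# Must run as root. The paths and the "server" CN are deliberately fixed.
set -eu

# Everything below writes under /etc; refuse to start half-way as a normal user.
[ "$(id -u)" -eq 0 ] || { printf 'run as root\n' >&2; exit 1; }

# apt-get has a stable CLI for scripts; -y avoids stopping at the prompt.
apt-get install -y openvpn easy-rsa

make-cadir /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa

# init-pki must run first: gen-dh and build-ca need an initialised pki/ directory,
# so the original gen-dh-before-init-pki step is dropped and gen-dh runs once.
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-dh

./easyrsa gen-req server nopass
# --batch: sign without the interactive "yes" confirmation.
./easyrsa --batch sign-req server server

cp pki/dh.pem /etc/openvpn/dh2048.pem
cp pki/ca.crt \
  pki/issued/server.crt \
  pki/private/server.key \
  /etc/openvpn/

cd /etc/openvpn

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > server.conf

# Drop privileges after start-up; client-to-client lets VPN clients reach each other.
sed -i -e "s/;user nobody/user nobody/" \
    -e "s/;group nogroup/group nogroup/" \
    -e "s/;client-to-client/client-to-client/" \
    server.conf

openvpn --genkey --secret ta.key

# Key material must not be readable by other local users.
chmod 600 /etc/openvpn/server.key /etc/openvpn/ta.key

sed -i -e "s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/" \
    /etc/sysctl.conf

sysctl -p /etc/sysctl.conf

systemctl enable openvpn@server
systemctl start openvpn@server

journalctl -u openvpn@server -xe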

Script to configure Client

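#!/bin/sh
# Issues a client certificate from the server's Easy-RSA PKI and bundles the
# client configuration (cert, key, CA, tls-auth key, client.conf) into
# $PWD/tmp/<clientname>/, owned by $username, ready to hand to the client.
# Must run as root on the VPN server after the server setup script.
set -eu

username=john
servername=workvpn
clientname=${servername}_client

tmpdir=$PWD/tmp
dumpdir=$tmpdir/$clientname

[ "$(id -u)" -eq 0 ] || { printf 'run as root\n' >&2; exit 1; }

# The bundle contains a private key: create every file and directory mode 600/700.
umask 077

# ${dumpdir:?} aborts instead of running "rm -rf" on an empty path.
rm -rf -- "${dumpdir:?}"
mkdir -p -- "$dumpdir"

cd /etc/openvpn/easy-rsa

./easyrsa gen-req "$clientname" nopass
# --batch: sign without the interactive "yes" confirmation.
./easyrsa --batch sign-req client "$clientname"

cp -- "/etc/openvpn/easy-rsa/pki/issued/$clientname.crt" \
   "/etc/openvpn/easy-rsa/pki/private/$clientname.key" \
   "$dumpdir/"
cp -- /etc/openvpn/ta.key "$dumpdir/$servername.ta.key"
cp -- /etc/openvpn/ca.crt "$dumpdir/$servername.ca.crt"

cp -- /usr/share/doc/openvpn/examples/sample-config-files/client.conf \
    "$dumpdir/$clientname.conf"

# Point the sample config at the bundled file names. $servername and $clientname
# are spliced into sed expressions, so they must stay free of '/' and sed
# metacharacters (they are fixed constants above, not user input).
sed -i -e "s/;user nobody/user nobody/" \
        -e "s/;group nogroup/group nogroup/" \
        -e "s/tls-auth ta.key 1/tls-auth $servername.ta.key 1/" \
        -e "s/ca ca.crt/ca $servername.ca.crt/" \
        -e "s/cert client.crt/cert $clientname.crt/" \
        -e "s/key client.key/key $clientname.key/" \
    "$dumpdir/$clientname.conf"

# Hand the whole bundle to the user who will deliver it to the client.
chown -R -- "$username:$username" "$tmpdir"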

Script to add route at client

# Adds a static route for the VPN subnet (10.8.0.0/24) over tun0 on the client.
# Uses the net-tools `route` command; the iproute2 equivalent is
# `ip route add 10.8.0.0/24 dev tun0`.
/sbin/route add -net 10.8.0.0/24 dev tun0

Script to test with tcpdump

# Capture traffic on the VPN interface: -i tun0, -n (no name lookups), -v (verbose).
# Run on either end to confirm packets actually traverse the tunnel.
tcpdump -v -n -i tun0