Difference between revisions of "OpenVPN Checklist Guide"

From ArchWiki
Jump to navigation Jump to search
m (→‎Install: style)
(The current way to not enter a challenge password is by appending nopass)
Line 15: Line 15:
 
==Generate the certificates==
 
==Generate the certificates==
 
* Create the "certificate authority" key  
 
* Create the "certificate authority" key  
{{bc|# easyrsa build-ca}}
+
{{bc|# easyrsa build-ca nopass}}
 
* Create certificate and private key for the server
 
* Create certificate and private key for the server
{{bc|# easyrsa build-server-full ''<server-name>''}}
+
{{bc|# easyrsa build-server-full ''<server-name>'' nopass}}
 
* Create the Diffie-Hellman pem file for the server. Do not enter a challenge password or company name when you set these up.
 
* Create the Diffie-Hellman pem file for the server. Do not enter a challenge password or company name when you set these up.
 
{{bc|# easyrsa gen-dh}}
 
{{bc|# easyrsa gen-dh}}
 
* Create a certificate for each client.  
 
* Create a certificate for each client.  
{{bc|# easyrsa build-client-full ''<client-name>''}}
+
{{bc|# easyrsa build-client-full ''<client-name>'' nopass}}
 
All certificates are stored in {{ic|keys}} directory. If you mess up, you can start all over by doing a {{ic|easyrsa clean-all}}
 
All certificates are stored in {{ic|keys}} directory. If you mess up, you can start all over by doing a {{ic|easyrsa clean-all}}
  

Revision as of 08:53, 16 August 2017

This article summarizes the install process required for OpenVPN. See OpenVPN instead for a walkthrough.

Install

Install the packages openvpn and easy-rsa.

Prepare data

# easyrsa clean-all

Generate the certificates

  • Create the "certificate authority" key
# easyrsa build-ca nopass
  • Create certificate and private key for the server
# easyrsa build-server-full <server-name> nopass
  • Create the Diffie-Hellman pem file for the server. Do not enter a challenge password or company name when you set these up.
# easyrsa gen-dh
  • Create a certificate for each client.
# easyrsa build-client-full <client-name> nopass

All certificates are stored in keys directory. If you mess up, you can start all over by doing a easyrsa clean-all

Copy to each client the ca.crt, and their respective crt and key files.

Setting up the server

  • Create /etc/openvpn/server/myvpnserver.conf with a content like this:
/etc/openvpn/server/myvpnserver.conf
port <port>
proto tcp
dev tun0

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/<server-name>.crt
key /etc/openvpn/easy-rsa/keys/<server-name>.key
dh /etc/openvpn/easy-rsa/keys/<your pem file>

server <desired base ip> 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3

log-append /var/log/openvpn
status /tmp/vpn.status 10
  • Start and, optionally, enable for autostart on boot, the daemon. (In this example, is openvpn-server@myvpnserver.service)

Read Daemon for more information.

Setting up the clients

  • Create a .conf file for each client like this:
/etc/openvpn/client/a-client-conf-file.conf
client
remote <server> <port>
dev tun0
proto tcp
resolv-retry infinite
nobind
persist-key
persist-tun
verb 2
ca ca.crt
cert <client crt file with full path>
key <client key file with full path>
comp-lzo
  • Start the connection with
# openvpn a-client-conf-file.conf &

Optionally, enable for autostart on boot the daemon. (In this example, is openvpn-client@a-client-conf-file.service)

Read Daemon for more information.