User:Dustball/OpenVPN
This article describes a basic installation and configuration of OpenVPN, suitable for private and small business use. For more detailed information, please see the OpenVPN 2.3 man page and the OpenVPN documentation. OpenVPN is a robust and highly flexible VPN daemon. It supports SSL/TLS security, Ethernet bridging, TCP or UDP tunnel transport through proxies or NAT. Additionally it has support for dynamic IP addresses and DHCP, scalability to hundreds or thousands of users, and portability to most major OS platforms.
OpenVPN is tightly bound to the OpenSSL library, and derives much of its crypto capabilities from it. It supports conventional encryption using a pre-shared secret key (Static Key mode) or public key security (SSL/TLS mode) using client & server certificates. Additionally it supports unencrypted TCP/UDP tunnels.
OpenVPN is designed to work with the TUN/TAP virtual networking interface that exists on most platforms. Overall, it aims to offer many of the key features of IPSec but with a relatively lightweight footprint. OpenVPN was written by James Yonan and is published under the GNU General Public License (GPL).
Install OpenVPN
Install the openvpn package. Any computer that generates keys and certificates needs easy-rsa as well.
Prepare the data
- Copy /etc/easy-rsa to /etc/openvpn/easy-rsa and cd there.
- Run
# easyrsa init-pki
- If you want to edit variables like the key size, organizational fields, or expiry time (among others), edit the vars file.
- Clean up any previous keys if you messed up:
# easyrsa clean-all
The following steps all take place inside the copied /etc/openvpn/easy-rsa directory. Replace "servername" and "clientname" accordingly.
Server side configuration
Generating the certificates
Initialize a new PKI and generate a CA keypair that will be used to sign certificates:
# easyrsa build-ca
Generate the needed server-files:
# easyrsa gen-dh
# openvpn --genkey --secret /etc/openvpn/ta.key
# easyrsa build-server-full servername nopass
Note the "nopass" option. It can be left out, but then after starting the server you will need to enter the password by running systemd-tty-ask-password-agent for the VPN to fully start. On the server side this is usually less of an issue, as it should rarely need to be rebooted.
Copy the /etc/openvpn/easy-rsa/pki/issued/servername.crt, /etc/openvpn/easy-rsa/pki/private/servername.key, /etc/openvpn/easy-rsa/pki/ca.crt and /etc/openvpn/easy-rsa/pki/dh.pem files to /etc/openvpn/.
Edit the configuration file
Copy /usr/share/openvpn/examples/server.conf to /etc/openvpn/ and edit it. For a basic configuration, you will need to edit at least these four lines:
ca ca.crt # This should be the default.
cert servername.crt
key servername.key
dh dh.pem # The default reads "dh2048.pem"
Client side configuration
This can be done on the server or the client. If the server is under your control, generating the keys on the server requires you to only move the files once.
Generating client-keys on the server
Cd into /etc/openvpn/easy-rsa/ and run
# easyrsa build-client-full clientname nopass
The nopass option again allows the VPN to connect without asking for a password. Otherwise the password must be entered via systemd-tty-ask-password-agent after the OpenVPN client starts. Transfer /etc/openvpn/easy-rsa/pki/issued/clientname.crt, /etc/openvpn/easy-rsa/pki/private/clientname.key, /etc/openvpn/easy-rsa/pki/ca.crt and the /etc/openvpn/ta.key generated above to /etc/openvpn/ on the client.
Generating client-keys on the client
Run
# easyrsa gen-req clientname nopass
Send the newly generated /etc/openvpn/easy-rsa/pki/reqs/clientname.req to the server and import and sign it there with:
# easyrsa import-req /path/to/clientname.req clientname
# easyrsa sign-req client clientname
Transfer /etc/openvpn/easy-rsa/pki/issued/clientname.crt, /etc/openvpn/easy-rsa/pki/ca.crt and the /etc/openvpn/ta.key generated above from the server to /etc/openvpn/ on the client. The private key /etc/openvpn/easy-rsa/pki/private/clientname.key was created on the client by gen-req and never has to leave it; copy it to /etc/openvpn/ on the client as well.
Edit the configuration file
Copy /usr/share/openvpn/examples/client.conf to /etc/openvpn/ and edit it. For a basic configuration, you will need to edit at least these three lines:
ca ca.crt # This should be the default.
cert clientname.crt
key clientname.key
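As an added check for both the server and the client config edits above (example code written for this page, not part of the original or of OpenVPN): a small Python linter that parses the config text the way OpenVPN reads it and flags a missing ca/cert/key/dh line, an example file name left unedited, or a tls-auth direction that does not match the role. REQUIRED, SAMPLE_NAMES and the two sample config texts are constructed for this example.

```python
# Lint an edited OpenVPN config: the first token of a line is the directive, '#' and ';' start comments.
# Directives to set per role; tls-auth matches the ta.key the page generates and
# its direction must be 0 on the server, 1 on the client.
REQUIRED = {
    "server": ("ca", "cert", "key", "dh", "tls-auth"),
    "client": ("ca", "cert", "key", "tls-auth"),
}
# File names as shipped in the example configs; left unedited they will not exist.
SAMPLE_NAMES = {"server.crt", "server.key", "client.crt", "client.key", "dh2048.pem"}


def parse_directives(text):
    """Return {directive: [args]} for the config text; last occurrence wins."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            directives[parts[0]] = parts[1:]
    return directives


def check_config(text, role):
    """Return a list of problems; an empty list means the config passes."""
    d = parse_directives(text)
    problems = [f"missing directive: {n}" for n in REQUIRED[role] if n not in d]
    if "tls-auth" in d:
        expected = "0" if role == "server" else "1"
        if len(d["tls-auth"]) < 2 or d["tls-auth"][1] != expected:
            problems.append(f"tls-auth direction should be {expected} for {role}")
    if role == "client" and "dh" in d:
        problems.append("dh is a server-only directive")
    for name in ("cert", "key", "dh"):
        args = d.get(name) or [""]
        if args[0] in SAMPLE_NAMES:
            problems.append(f"{name} still uses the example file name {args[0]}")
    return problems


# Constructed sample: the page's four server lines plus the example's tls-auth line.
SERVER_CONF = """\
ca ca.crt # This should be the default.
cert servername.crt
key servername.key
dh dh.pem # The default reads "dh2048.pem"
tls-auth ta.key 0 # This file is secret
"""
# Constructed client config with the copy-paste mistakes the checker catches.
CLIENT_CONF_BAD = "ca ca.crt\ncert client.crt\nkey clientname.key\ndh dh.pem\ntls-auth ta.key 0\n"
```

Run check_config on the text of the file you edited before enabling the service; a non-empty list means openvpn will fail to start or the tls-auth handshake will not match the peer.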