From ArchWiki
Jump to navigation Jump to search

This article describes a basic installation and configuration of OpenVPN, suitable for private and small business use. For more detailed information, please see the OpenVPN 2.3 man page and the OpenVPN documentation. OpenVPN is a robust and highly flexible VPN daemon. It supports SSL/TLS security, Ethernet bridging, TCP or UDP tunnel transport through proxies or NAT. Additionally it has support for dynamic IP addresses and DHCP, scalability to hundreds or thousands of users, and portability to most major OS platforms.

OpenVPN is tightly bound to the OpenSSL library, and derives much of its crypto capabilities from it. It supports conventional encryption using a pre-shared secret key (Static Key mode) or public key security (SSL/TLS mode) using client & server certificates. Additionally it supports unencrypted TCP/UDP tunnels.

OpenVPN is designed to work with the TUN/TAP virtual networking interface that exists on most platforms. Overall, it aims to offer many of the key features of IPSec but with a relatively lightweight footprint. OpenVPN was written by James Yonan and is published under the GNU General Public License (GPL).

Install OpenVPN

Install the openvpn package. Any computer that generates keys and certificates needs easy-rsa as well.

Note: The software contained in this package supports both server and client mode, so install it on all machines that need to create VPN connections.

Prepare the data

  • Copy /etc/easy-rsa to /etc/openvpn/easy-rsa and cd there.
  • Run
    # easyrsa init-pki
  • If you want to edit variables like the key size, organizational fields, or expire time (among others), edit the vars file.
  • Clean up any previous keys if you messed up:
    # easyrsa clean-all

The following steps all take place inside the copied /etc/openvpn/easy-rsa directory. Replace "servername" and "clientname" accordingly.

Server side configuration

Generating the certificates

Initialize a new PKI and generate a CA keypair that will be used to sign certificates:

# easyrsa build-ca

Generate the needed server-files:

# easyrsa gen-dh
# openvpn --genkey --secret /etc/openvpn/ta.key
# easyrsa build-server-full servername nopass

Note the "nopass" option. This can be left out, but after starting the server you will need to enter the password by running systemd-tty-ask-password-agent for the VPN to fully start. On the server side, this is usually less of an issue as it should rarely need to be rebooted.

Copy the /etc/openvpn/easy-rsa/pki/issued/servername.crt, /etc/openvpn/easy-rsa/pki/private/servername.key, /etc/openvpn/easy-rsa/pki/ca.crt and /etc/openvpn/easy-rsa/pki/dh.pem files to /etc/openvpn/.

Edit the configuration file

Copy /usr/share/openvpn/examples/server.conf to /etc/openvpn/ and edit it. For a basic configuration, you will need to edit at least these four lines:

ca ca.crt            # This should be the default.
cert servername.crt
key servername.key
dh dh.pem            # The default reads "dh2048.pem"

Client side configuration

This can be done on the server or the client. If the server is under your control, generating the keys on the server requires you to only move the files once.

Generating client-keys on the server

Cd into /etc/openvpn/easy-rsa/ and run easyrsa build-client-full clientname nopass. The nopass-option again allows the VPN to connect without asking for a password. Otherwise the password must be entered via systemd-tty-ask-password-agent after the OpenVPN client starts. Transfer /etc/openvpn/easy-rsa/pki/issued/clientname.crt, /etc/openvpn/easy-rsa/pki/private/clientname.key, /etc/openvpn/easy-rsa/pki/ca.crt and /etc/openvpn/easy-rsa/pki/ta.key to /etc/openvpn/ on the client.

Generating client-keys on the client

Run easyrsa gen-req clientname nopass. Send the newly generated /etc/openvpn/easy-rsa/pki/reqs/clientname.req to the server and import and sign them with:

easyrsa import-req /path/to/clientname.req clientname
easyrsa sign-req client clientname

Transfer /etc/openvpn/easy-rsa/pki/issued/clientname.crt, /etc/openvpn/easy-rsa/pki/private/clientname.key, /etc/openvpn/easy-rsa/pki/ca.crt and /etc/openvpn/easy-rsa/pki/ta.key from the server to /etc/openvpn/ on the client.

Edit the configuration file

Copy /usr/share/openvpn/examples/server.conf to /etc/openvpn/ and edit it. For a basic configuration, you will need to edit at least these four lines:

ca ca.crt            # This should be the default.
cert clientname.crt
key clientname.key
dh dh.pem            # The default reads "dh2048.pem"