OpenVPN
Installation
sudo apt install openvpn easy-rsa
Configuration
From now on, the commands below must be issued as the root user (not via sudo):
su -
cd /usr/share/doc/openvpn/examples/sample-config-files
gunzip -c server.conf.gz > /etc/openvpn/server.conf
Edit /etc/openvpn/server.conf and uncomment these lines:
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;user nobody
;group nogroup
Continue the configuration by enabling IP forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
Edit /etc/sysctl.conf and uncomment this line so forwarding survives a reboot:
#net.ipv4.ip_forward=1
Configure firewall
apt install ufw
ufw allow ssh
ufw allow 1194/udp
Edit /etc/default/ufw and change this line:
DEFAULT_FORWARD_POLICY="DROP"
to
DEFAULT_FORWARD_POLICY="ACCEPT"
Edit /etc/ufw/before.rules and add the following lines on the top of the document:
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
Note: replace eth0 with the name of your server's outbound network interface. The counter field must be written as [0:0] (colon, not comma), or ufw will refuse to load the rules.
Activate firewall
ufw enable
ufw status
Create keys for Server
cd /etc/openvpn
make-cadir easy-rsa
Edit /etc/openvpn/easy-rsa/vars and make it look like:
# In how many days should certificates expire?
export KEY_EXPIRE=3650

# Don't leave any of these fields blank
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Hal"
export KEY_EMAIL="youremail@address.com"
export KEY_OU="Hal"

# X509 Subject Field
export KEY_NAME="server"
openssl dhparam -out /etc/openvpn/dh2048.pem 2048
For Debian 9, issue these commands:
cd /etc/openvpn/easy-rsa
. ./vars
./clean-all
ln -s openssl-1.0.0.cnf openssl.cnf
./build-ca                  # Accept all defaults
./build-key-server server   # Accept all defaults
For Debian 10, issue these commands:
cd /etc/openvpn/easy-rsa
./easyrsa init-pki
./easyrsa build-ca
./easyrsa build-server-full server
Copy the newly generated certificates
cd keys
cp server.crt server.key ca.crt ta.key /etc/openvpn
Note: with the easy-rsa 3 layout used on Debian 10, the files are written under /etc/openvpn/easy-rsa/pki instead (pki/ca.crt, pki/issued/server.crt, pki/private/server.key), so adjust the paths accordingly. ta.key is created in the "Create tls-auth key" step below; generate it before copying.
Start OpenVPN server
service openvpn start
Create keys for Clients
- For Debian 9, issue these commands:
cd /etc/openvpn/easy-rsa
./build-key client
`client` can be any name; a password is not required.
- For Debian 10, issue these commands:
./easyrsa build-client-full clientname nopass
Create tls-auth key:
openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key
(Optional) Generate Diffie-Hellman parameters
Necessary for the server end of an SSL/TLS connection (skip this if you already ran the openssl dhparam command above)
- For Debian 9, issue these commands:
cd /etc/openvpn/easy-rsa
./build-dh
- For Debian 10, issue these commands:
./easyrsa gen-dh
Tidy up
cd
mkdir client
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf client
mv client/client.conf client/myclient.ovpn
cd /etc/openvpn/easy-rsa/keys
cp ca.crt client.crt client.key ta.key ~/client/
.ovpn configuration
cd ~/client
vi myclient.ovpn
Change these lines:
remote my-server-1 1194
;user nobody
;group nogroup
ca ca.crt
cert client.crt
key client.key
to
remote 35.224.181.105 1194
user nobody
group nogroup
# ca ca.crt
# cert client.crt
# key client.key
Now embed the certificate, key and tls-auth material inline by issuing these commands:
echo "<ca>" >> myclient.ovpn
cat ca.crt >> myclient.ovpn
echo "</ca>" >> myclient.ovpn
echo "<cert>" >> myclient.ovpn
cat client.crt >> myclient.ovpn
echo "</cert>" >> myclient.ovpn
echo "<key>" >> myclient.ovpn
cat client.key >> myclient.ovpn
echo "</key>" >> myclient.ovpn
echo "<tls-auth>" >> myclient.ovpn
cat ta.key >> myclient.ovpn
echo "</tls-auth>" >> myclient.ovpn
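The manual edits and appends above, done in one step as an added example that is not part of the original page. It assumes the sample client.conf layout shown above, uses a constructed template and placeholder files (not real certificates) for the demo, and additionally comments out the file-based tls-auth line and adds key-direction 1, which an inline <tls-auth> block needs in place of the trailing 1 argument.

```shell
#!/bin/sh
# Added example, not from the original page: build an inline myclient.ovpn
# from a client.conf template plus ca.crt, client.crt, client.key and ta.key.
# Usage: build_ovpn <template.conf> <dir-with-keys> <server-ip> <output.ovpn>
build_ovpn() {
    tmpl="$1"; keys="$2"; server="$3"; out="$4"
    for f in ca.crt client.crt client.key ta.key; do
        [ -s "$keys/$f" ] || { echo "missing or empty $keys/$f" >&2; return 1; }
    done
    # Point 'remote' at the server, drop privileges after start-up, and comment
    # out the file-based ca/cert/key/tls-auth lines: the same material is
    # embedded below, and an inline tls-auth block takes its direction from
    # 'key-direction' rather than from a trailing argument.
    sed -e "s/^remote .*/remote $server 1194/" \
        -e 's/^;user nobody/user nobody/' \
        -e 's/^;group nogroup/group nogroup/' \
        -e 's/^ca /# ca /' -e 's/^cert /# cert /' \
        -e 's/^key /# key /' -e 's/^tls-auth /# tls-auth /' \
        "$tmpl" > "$out" || return 1
    echo "key-direction 1" >> "$out"
    for pair in ca:ca.crt cert:client.crt key:client.key tls-auth:ta.key; do
        tag="${pair%%:*}"; file="${pair#*:}"
        { echo "<$tag>"; cat "$keys/$file"; echo "</$tag>"; } >> "$out"
    done
}

# Constructed demo input (hypothetical): the lines from the sample client.conf
# that matter here, plus placeholder files standing in for the real PEM files.
demo_build() {
    d="$(mktemp -d)"
    printf '%s\n' 'client' 'dev tun' 'remote my-server-1 1194' ';user nobody' \
        ';group nogroup' 'ca ca.crt' 'cert client.crt' 'key client.key' \
        'tls-auth ta.key 1' > "$d/client.conf"
    for f in ca.crt client.crt client.key ta.key; do
        printf 'PLACEHOLDER CONTENT OF %s\n' "$f" > "$d/$f"
    done
    build_ovpn "$d/client.conf" "$d" 35.224.181.105 "$d/myclient.ovpn" || return 1
    echo "$d/myclient.ovpn"
}
```

On the real server, call build_ovpn with ~/client/myclient.ovpn (the copied sample) as the template and /etc/openvpn/easy-rsa/keys as the key directory.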
Copy .ovpn file from server to client
Note: All these steps are performed from the client machine, not the server:
ssh-copy-id -i .ssh/id_rsa.pub root@35.224.181.105
scp root@35.224.181.105:client/myclient.ovpn .