Gernot Walzl

OpenVPN

OpenVPN is an open-source virtual private network (VPN).

This tutorial was written for Debian 10 (buster) in March, 2020.

Contents

Server

The official Debian 10 repository contains a package for OpenVPN 2.4.
The following command installs this package:

apt install openvpn

Easy RSA

OpenVPN utilizes SSL/TLS security mechanisms.
Therefore, certificates (and keys) need to be generated and signed
by a certificate authority (CA). Easy RSA is helpful in that regard.

Use the following command to initialize a directory easy-rsa with files
that help creating the required certificates:

cd /etc/openvpn
make-cadir easy-rsa

Default values for certificates can be specified by uncommenting corresponding
fields in the following file:

/etc/openvpn/easy-rsa/vars
#...

# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
# These are the default values for fields which will be placed in the
# certificate.  Don't leave any of these fields blank, although interactively
# you may omit any specific field by typing the "." symbol (not valid for
# email.)

#set_var EASYRSA_REQ_COUNTRY    "US"
#set_var EASYRSA_REQ_PROVINCE   "California"
#set_var EASYRSA_REQ_CITY       "San Francisco"
#set_var EASYRSA_REQ_ORG        "Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL      "me@example.net"
#set_var EASYRSA_REQ_OU         "My Organizational Unit"

#...

The following commands generate the certificate authority (CA),
a certificate/key pair for the server and a certificate/key pair for
a client named client1:

cd /etc/openvpn/easy-rsa
./easyrsa init-pki
./easyrsa build-ca
./easyrsa build-server-full server
./easyrsa gen-dh
./easyrsa build-client-full client1

If the OpenVPN server is started on boot, removing the passphrase
prevents being prompted for a password:

./easyrsa set-rsa-pass server nopass

To change the passphrase:

./easyrsa set-rsa-pass server

Create an archive for the client:

cd /etc/openvpn
tar czvf client1_ovpn.tar.gz easy-rsa/pki/ca.crt easy-rsa/pki/issued/client1.crt easy-rsa/pki/private/client1.key

Server Config

Copy the example config file for the server to the correct location:

zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server/server.conf

Edit relevant parts in server config file:

/etc/openvpn/server/server.conf
#...

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.  Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh2048.pem 2048
dh /etc/openvpn/easy-rsa/pki/dh.pem

#...

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client

#...

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret

#...

Start Server

Start OpenVPN with the config /etc/openvpn/server/server.conf:

systemctl start openvpn-server@server

Start the given config on boot:

systemctl enable openvpn-server@server

Client

OpenVPN needs to be installed on the clients:

apt install openvpn

Client Certificates

Copy the certificate/key pair from the server to a client:

cd /etc/openvpn
tar xvf client1_ovpn.tar.gz

Each client should have its own certificate/key pair.

Client Config

Copy the example config file for the client to the correct location:

cat /usr/share/doc/openvpn/examples/sample-config-files/client.conf > /etc/openvpn/client/vpn.example.net.conf

Edit relevant parts in the client config file:

/etc/openvpn/client/vpn.example.net.conf
#...

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote vpn.example.net 1194

#...

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/client1.crt
key /etc/openvpn/easy-rsa/pki/private/client1.key

#...

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

#...

Start Client

Start OpenVPN with the config /etc/openvpn/client/vpn.example.net.conf:

systemctl start openvpn-client@vpn.example.net

GUI

A system tray icon for systemd services can be used as graphical user interface (GUI)
for an OpenVPN client.

Internet Access

This section describes how to route all client traffic (including web-traffic)
through the VPN.

Server

Enable IPv4 packet forwarding in the kernel:

/etc/sysctl.conf
#...

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

#...

Forward traffic from the VPN over the interface eth0:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Client

/etc/openvpn/client/vpn.example.net.conf
#...

redirect-gateway autolocal
CONTENT.html 2022-07-07 8.8 KB