Gernot Walzl

OpenVPN

OpenVPN is open-source virtual private network (VPN) software.

This tutorial was written for Debian 10 (buster) in March, 2020.

Server

The official Debian 10 repository contains a package for OpenVPN 2.4.
The following command installs this package:
apt install openvpn

Easy RSA

OpenVPN utilizes SSL/TLS security mechanisms.
Therefore, certificates (and keys) need to be generated and signed
by a certificate authority (CA). Easy RSA is helpful in that regard.

Use the following commands to initialize a directory named easy-rsa with
the files needed to create the required certificates:
cd /etc/openvpn
make-cadir easy-rsa

Default values for certificates can be specified by uncommenting corresponding
fields in /etc/openvpn/easy-rsa/vars:

#...

# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
# These are the default values for fields which will be placed in the
# certificate.  Don't leave any of these fields blank, although interactively
# you may omit any specific field by typing the "." symbol (not valid for
# email.)

#set_var EASYRSA_REQ_COUNTRY    "US"
#set_var EASYRSA_REQ_PROVINCE   "California"
#set_var EASYRSA_REQ_CITY       "San Francisco"
#set_var EASYRSA_REQ_ORG        "Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL      "me@example.net"
#set_var EASYRSA_REQ_OU         "My Organizational Unit"

#...

The following commands generate the certificate authority (CA),
a certificate/key pair for the server and a certificate/key pair for
a client named client1:
cd /etc/openvpn/easy-rsa
./easyrsa init-pki
./easyrsa build-ca
./easyrsa build-server-full server
./easyrsa gen-dh
./easyrsa build-client-full client1

If the OpenVPN server is started on boot, removing the passphrase from
the server key avoids a password prompt at startup:
./easyrsa set-rsa-pass server nopass

To change the passphrase:
./easyrsa set-rsa-pass server

Create an archive for the client:
cd /etc/openvpn
tar czvf client1_ovpn.tar.gz easy-rsa/pki/ca.crt easy-rsa/pki/issued/client1.crt easy-rsa/pki/private/client1.key

Server Config

Copy the example config file for the server to the correct location:
zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server/server.conf

Edit relevant parts in /etc/openvpn/server/server.conf:

#...

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.  Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh2048.pem 2048
dh /etc/openvpn/easy-rsa/pki/dh.pem

#...

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client

#...

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret

#...

Start Server

Start OpenVPN with the server config:
systemctl start openvpn-server@server

Start the given config on boot:
systemctl enable openvpn-server@server

Client

OpenVPN needs to be installed on the clients:
apt install openvpn

Client Certificates

Copy the archive created on the server to the client and extract it:
cd /etc/openvpn
tar xvf client1_ovpn.tar.gz

Each client should have its own certificate/key pair.

Client Config

Copy the example config file for the client to the correct location:
cat /usr/share/doc/openvpn/examples/sample-config-files/client.conf > /etc/openvpn/client/vpn.example.net.conf

Edit relevant parts in /etc/openvpn/client/vpn.example.net.conf:

#...

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote vpn.example.net 1194

#...

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/client1.crt
key /etc/openvpn/easy-rsa/pki/private/client1.key

#...

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

#...
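The server and client configs above must agree with each other, in particular on tls-auth: it has to be active on both sides or on neither, with key direction 0 on the server and 1 on every client. The following checker, an added example that is not part of this tutorial or of OpenVPN, parses the directives edited above (ca/cert/key, dh, remote, tls-auth) from a server config and a client config and reports the inconsistencies; the sample configs are constructed inline from the paths used in this tutorial.

```python
import shlex


def parse_directives(text):
    """Map each OpenVPN directive to the list of its argument lists.
    Lines starting with '#' or ';' are comments (';' is how the sample
    configs disable a directive); a trailing '# comment' is dropped."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def check_configs(server_conf, client_conf):
    """Return findings for a server/client config pair; [] means consistent."""
    server = parse_directives(server_conf)
    client = parse_directives(client_conf)
    findings = []
    for side, conf, names in (("server", server, ("ca", "cert", "key", "dh")),
                              ("client", client, ("ca", "cert", "key", "remote"))):
        for name in names:
            if name not in conf:
                findings.append(f"{side}: missing '{name}' directive")
    # tls-auth must be active on both sides or on neither, and the key
    # direction is 0 on the server and 1 on every client.
    s_ta, c_ta = server.get("tls-auth"), client.get("tls-auth")
    if bool(s_ta) != bool(c_ta):
        findings.append("tls-auth is active on only one side")
    if s_ta and s_ta[0][1:2] != ["0"]:
        findings.append("server: tls-auth key direction must be 0")
    if c_ta and c_ta[0][1:2] != ["1"]:
        findings.append("client: tls-auth key direction must be 1")
    return findings


# Constructed sample configs mirroring the tutorial's edits (not real files).
SERVER_CONF = """ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
tls-auth ta.key 0 # This file is secret
"""
CLIENT_CONF = """remote vpn.example.net 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/client1.crt
key /etc/openvpn/easy-rsa/pki/private/client1.key
tls-auth ta.key 1
"""
```

Calling check_configs on the two sample strings returns an empty list; flipping the client's direction to 0, or leaving tls-auth commented out on one side only, produces a finding.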

Start Client

Start OpenVPN with the client config:
systemctl start openvpn-client@vpn.example.net

GUI

A system tray icon for systemd services can be used as graphical user interface (GUI)
for an OpenVPN client.
