It does look a bit difficult at first, but I'll walk you through it (it's Debian/Ubuntu specific)...
Install OpenVPN
This installs OpenVPN from the Debian/Ubuntu package and creates a new system user/group called "openvpn". It's preferable over using "root" (a major security concern) or "nouser"/"nogroup" (insecure as well, but less so than "root").
Shell cut & paste:
Code:
apt-get install openvpn
adduser --system --no-create-home --group openvpn
Configure Easy-RSA
Easy-RSA is included with OpenVPN, and makes the task of managing security certificates (CSRs, for granting user/client access to the OpenVPN server) easier.
Shell cut & paste:
Code:
mkdir /etc/openvpn/easy-rsa
cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
nano vars
You're now editing the /etc/openvpn/easy-rsa/vars file - scroll down until you see "export KEY_COUNTRY=" and edit accordingly, for example:
Code:
export KEY_COUNTRY="GB"
export KEY_PROVINCE="London"
export KEY_CITY="Hammersmith"
export KEY_ORG="My Company"
export KEY_EMAIL="hello@mycomany.internal"
Exit by pressing CTRL+X and answer Y for "Yes, save".
Shell cut & paste (answer any questions with their default):
Code:
source ./vars
./clean-all
chmod 700 /etc/openvpn/easy-rsa/keys/
./build-ca
./build-dh
And in the following shell cut & paste, simply replace the domain name with what you'd like to use instead:
Code:
./build-key-server vpn.myserver.com
The above actions have created the following files:
dh:
/etc/openvpn/easy-rsa/keys/dh1024.pem
CA public certificate:
/etc/openvpn/easy-rsa/keys/ca.crt
RA Server certificate & key:
/etc/openvpn/easy-rsa/keys/vpn.myserver.com.crt
/etc/openvpn/easy-rsa/keys/vpn.myserver.com.key
(where "vpn.myserver.com" is obviously replaced by the domain you've chosen).
From now on, if you want to add more domains (as in, more OpenVPN servers), simply use:
Code:
cd /etc/openvpn/easy-rsa
source ./vars
./build-key-server
OpenVPN Server Configuration
Here we assume that we call the server "ra-server" and the configuration's filename reflects that. Of course you can change this as you like, and OpenVPN supports multiple .conf files (let's keep it simple for now and stick to one).
Edit /etc/openvpn/ra-server.conf by typing
Code:
nano /etc/openvpn/ra-server.conf
and replace any existing contents with the contents below, paying attention to modify whatever the comments (lines starting with a #) specify:
Code:
server 192.168.2.0 255.255.255.0
# YOUR LOCAL SERVER IP HERE:
local 91.12.34.56
dev tun
proto udp
comp-lzo
# THESE 2 LINES ARE HELPFUL FOR THOSE WITH MOBILE (G3 / G3.5) BROADBAND:
tun-mtu 1500
tun-mtu-extra 32
# ROUTE THE CLIENT'S INTERNET ACCESS THROUGH THIS SERVER:
push "redirect-gateway def1 bypass-dns"
keepalive 10 60
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
ca /etc/openvpn/easy-rsa/keys/ca.crt
# ENSURE THE DOMAIN NAME/FILENAME IS CORRECT:
cert /etc/openvpn/easy-rsa/keys/vpn.myserver.com.crt
key /etc/openvpn/easy-rsa/keys/vpn.myserver.com.key
# LEAVE THE FOLLOWING LINE COMMENTED FOR NOW:
# crl-verify /etc/openvpn/easy-rsa/keys/crl.pem
user openvpn
group openvpn
persist-key
persist-tun
So in all, 3 lines need to be modified. I'll get to that "crl-verify" line later.
OpenVPN Client Configuration
The first step is to create a CSR on the server, or a "remote client access certificate". You do this with the following steps on the server:
Code:
cd /etc/openvpn/easy-rsa
source ./vars
./build-key-pkcs12
All you need to do is replace
with a memorable name (preferably without spaces), such as "john-laptop".
This will generate a file /etc/openvpn/easy-rsa/keys/.p12, i.e. "john-laptop.p12", and is what you will give to the remote VPN user/client (only this file - no other keys/certificates!).
Note: Giving it an "Export" password will cause the remote OpenVPN client to ask for this password (from the user). You can leave this blank if you wish, but you should obviously be aware that this means anyone could potentially use the certificate if it fell in the wrong hands.
Now, the following OpenVPN client configuration, which is used to configure the remote user's client (thus don't do this on the server), is quite generic:
Code:
client
dev tun
proto udp
# THE IP OF THE REMOTE OPENVPN SERVER:
remote 91.12.34.56
# THE CSR FILE:
pkcs12 .p12
comp-lzo
However, where this configuration file is stored depends on the OS. For example, on Linux it's /etc/openvpn/.vpn.myserver.com.conf and on Windows it's C:\Program Files\OpenVPN\config\.vpn.myserver.com.ovpn.
Obviously you replace the
as well as the domain name with their actual values. And another note on the filename: you don't have to name these files as such, but I'm doing it here to help you (and the VPN user) to keep tabs on what file belongs to what server & user, simply by looking at the filename.
This directory will also be the one where you store the
.p12 file that was generated on the server earlier. For security reasons, on a Linux based system you may wish to use:
Great! At this point, the remote VPN user/client should have full access to the server and have Internet traffic routed through it. If you don't wish to have the latter (traffic routed through the server), remove - or comment - the following line from the server's configuration:
Code:
push "redirect-gateway def1 bypass-dns"
Revoking CSR
If for some reason you need to revoke the CSR (access to the server using that certificate), you do this as follows (on the server):
Code:
cd /etc/openvpn/easy-rsa
source ./vars
revoke-full
Now make sure that you have uncommented the crl-verify line in your server's configuration (/etc/openvpn/ra-server.conf) by removing the # sign:
Code:
crl-verify /etc/openvpn/easy-rsa/keys/crl.pem
That's it!
Again, it looks daunting at first, but if you follow these steps it'll become clear to you why and how. The next time you need to add a user/client, a lot of this can be skipped as well, so making it quite easy to use.
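As an added example (not part of the original post), here is a small Python linter for the ra-server.conf shown above. It parses the OpenVPN directive format and checks the points the post relies on: the daemon drops to the openvpn user/group rather than root, persist-key and persist-tun are set so it can still reopen the tunnel after dropping privileges, cert and key share a base name, and crl-verify is active so revoked client certificates are actually rejected. The finding codes, function names and the embedded sample are my own constructions.

```python
"""Lint an OpenVPN server config for the hardening points the post calls out."""
import shlex

# Constructed sample: the post's ra-server.conf with crl-verify still commented out.
SAMPLE_CONF = """\
server 192.168.2.0 255.255.255.0
local 91.12.34.56
dev tun
proto udp
comp-lzo
push "redirect-gateway def1 bypass-dns"
keepalive 10 60
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/vpn.myserver.com.crt
key /etc/openvpn/easy-rsa/keys/vpn.myserver.com.key
# crl-verify /etc/openvpn/easy-rsa/keys/crl.pem
user openvpn
group openvpn
persist-key
persist-tun
"""


def parse_conf(text):
    """Parse OpenVPN config text into {directive: [arg, ...]} (last occurrence wins)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # '#' and ';' both start a comment line
            continue
        parts = shlex.split(line)         # quoted args such as push "..." stay together
        conf[parts[0]] = parts[1:]
    return conf


def lint_server_conf(text):
    """Return a list of finding codes; an empty list means every check passed."""
    conf = parse_conf(text)
    findings = []
    for directive in ("user", "group"):   # missing or root means the daemon keeps root
        who = conf.get(directive, [])
        if not who or who[0] == "root":
            findings.append(f"{directive}-is-root")
    if "crl-verify" not in conf:          # without it, revoke-full has no effect on access
        findings.append("crl-verify-disabled")
    for directive in ("dh", "ca", "cert", "key", "persist-key", "persist-tun"):
        if directive not in conf:
            findings.append(f"{directive}-missing")
    cert, key = conf.get("cert", [""]), conf.get("key", [""])
    if cert[0] and key[0] and cert[0].rsplit(".", 1)[0] != key[0].rsplit(".", 1)[0]:
        findings.append("cert-key-name-mismatch")   # the "ENSURE THE FILENAME" comment
    return findings
```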