Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Current »

In this section we describe how to configure an OpenVPN server. This allows is to connect OpenVino clients in the field for remote updates and testing. Clients include sensor Weather Station relays and Netrabricks at wineries.

Most of the information found here is an amalgamation from these tutorials: https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-an-openvpn-server-on-centos-8 and https://vitux.com/how-to-install-openvpn-on-almalinux-8-centos-8-or-rocky-linux-8/ and https://openvpn.net/community-resources/how-to/ https://kifarunix.com/assign-static-ip-addresses-for-openvpn-clients/ https://www.paulligocki.com/auto-connect-openvpn-client-startup-raspian/

About OpenVPN and Easy-RSA

A Virtual Private Network (VPN) allows you to traverse untrusted networks as if you were on a private network. OpenVPN is a full featured, open-source Transport Layer Security (TLS) VPN solution that accommodates a wide range of configurations. In this section, we will set up OpenVPN on Rocky Linux 8, and then configure it to be accessible from client machines.

Easy-RSA is a public key infrastructure (PKI) management tool used to generate a certificate request that you will then verify and sign on the CA Server.

Install OpenVPN and Easy-RSA

  1. Install OpenVPN and Easy-RSA packages

sudo dnf install openvpn easy-rsa
[sudo] password for mb93837: 
DigitalOcean Agent                                            151 kB/s | 3.3 kB     00:00    
DigitalOcean Droplet Agent                                    105 kB/s | 3.3 kB     00:00    
Dependencies resolved.
==============================================================================================
 Package                   Architecture       Version                  Repository        Size
==============================================================================================
Installing:
 easy-rsa                  noarch             3.0.8-1.el8              epel              47 k
 openvpn                   x86_64             2.4.12-1.el8             epel             545 k
Installing dependencies:
 pkcs11-helper             x86_64             1.22-7.el8               epel              64 k

Transaction Summary
==============================================================================================
Install  3 Packages

Total download size: 656 k
Installed size: 1.5 M
Is this ok [y/N]: y
Downloading Packages:
(1/3): easy-rsa-3.0.8-1.el8.noarch.rpm                        172 kB/s |  47 kB     00:00    
(2/3): pkcs11-helper-1.22-7.el8.x86_64.rpm                    234 kB/s |  64 kB     00:00    
(3/3): openvpn-2.4.12-1.el8.x86_64.rpm                        1.1 MB/s | 545 kB     00:00    
----------------------------------------------------------------------------------------------
Total                                                         900 kB/s | 656 kB     00:00     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                      1/1 
  Installing       : pkcs11-helper-1.22-7.el8.x86_64                                      1/3 
  Running scriptlet: openvpn-2.4.12-1.el8.x86_64                                          2/3 
  Installing       : openvpn-2.4.12-1.el8.x86_64                                          2/3 
  Running scriptlet: openvpn-2.4.12-1.el8.x86_64                                          2/3 
  Installing       : easy-rsa-3.0.8-1.el8.noarch                                          3/3 
  Running scriptlet: easy-rsa-3.0.8-1.el8.noarch                                          3/3 
  Verifying        : easy-rsa-3.0.8-1.el8.noarch                                          1/3 
  Verifying        : openvpn-2.4.12-1.el8.x86_64                                          2/3 
  Verifying        : pkcs11-helper-1.22-7.el8.x86_64                                      3/3 

Installed:
  easy-rsa-3.0.8-1.el8.noarch  openvpn-2.4.12-1.el8.x86_64  pkcs11-helper-1.22-7.el8.x86_64 

Complete!

2. Create a new directory on the OpenVPN Server as your non-root user called ~/easy-rsa:

mkdir ~/easy-rsa

3. Create a symlink from the easyrsa script that the package installed into the new ~/easy-rsa directory:

ln -s /usr/share/easy-rsa/3/* ~/easy-rsa/

4. Ensure the directory’s owner is your non-root sudo user and restrict access to that user using chmod:

chmod 700 easy-rsa/

Create PKI

Before you can create your OpenVPN server’s private key and certificate, you need to create a local Public Key Infrastructure directory on your OpenVPN server so that you can request and manage TLS certificates for clients and other servers that will connect to your VPN. You will use this directory to manage the server and clients’ certificate requests instead of making them directly on your CA server.

To build a PKI directory on your OpenVPN server, you’ll need to populate a file called vars with some default values. First you will cd into the easy-rsa directory, then you will create and edit the vars file with your preferred text editor.

cd easy-rsa
vi vars

set_var EASYRSA_REQ_COUNTRY    "AR"
set_var EASYRSA_REQ_PROVINCE   "Mendoza"
set_var EASYRSA_REQ_CITY       "Costaflores"
set_var EASYRSA_REQ_ORG        "OpenVino"
set_var EASYRSA_REQ_EMAIL      "admin@openvino.org"
set_var EASYRSA_REQ_OU         "Community"
set_var EASYRSA_ALGO "ec"
set_var EASYRSA_DIGEST "sha512"

These lines will ensure that your private keys and certificate requests are configured to use modern Elliptic Curve Cryptography (ECC) to generate keys and secure signatures for your clients and OpenVPN server.

Configuring your OpenVPN & CA servers to use ECC means when a client and server attempt to establish a shared symmetric key, they can use Elliptic Curve algorithms to do their exchange. Using ECC for a key exchange is significantly faster than using plain Diffie-Hellman with the classic RSA algorithm since the numbers are much smaller and the computations are faster.

Background: When clients connect to OpenVPN, they use asymmetric encryption (also known as public/private key) to perform a TLS handshake. However, when transmitting encrypted VPN traffic, the server and clients use symmetric encryption, which is also known as shared key encryption.

There is much less computational overhead with symmetric encryption compared to asymmetric: the numbers that are used are much smaller, and modern CPUs integrate instructions to perform optimized symmetric encryption operations. To make the switch from asymmetric to symmetric encryption, the OpenVPN server and client will use the Elliptic Curve Diffie-Hellman (ECDH) algorithm to agree on a shared secret key as quickly as possible.

To create the root public and private key pair for your Certificate Authority, run the ./easy-rsa command again, this time with the build-ca option.

In the output, you’ll see some lines about the OpenSSL version and you will be prompted to enter a passphrase for your key pair. Be sure to choose a strong passphrase, and note it down somewhere safe. You will need to input the passphrase any time that you need to interact with your CA, for example to sign or revoke a certificate.

You will also be asked to confirm the Common Name (CN) for your CA. The CN is the name used to refer to this machine in the context of the Certificate Authority. You can enter any string of characters for the CA’s Common Name but for simplicity’s sake, press ENTER to accept the default name.

./easyrsa build-ca
Using SSL: openssl OpenSSL 1.1.1k  FIPS 25 Mar 2021

Enter New CA Key Passphrase: 
Re-Enter New CA Key Passphrase: 
Generating RSA private key, 2048 bit long modulus (2 primes)
........................................................................................................................................................+++++
..................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:sierra

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/home/mtb/easy-rsa/pki/ca.crt

Once you have populated the vars file you can proceed with creating the PKI directory. To do so, run the easyrsa script with the init-pki option:

./easyrsa init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /home/mb93837/easy-rsa/pki

Now call the easyrsa with the gen-req option followed by a Common Name (CN) for the machine. The CN can be anything you like but it can be helpful to make it something descriptive. Throughout this tutorial, the OpenVPN Server’s CN will be server. Be sure to include the nopass option as well. Failing to do so will password-protect the request file which could lead to permissions issues later on.

Create an OpenVPN Server Certificate Request and Private Key

Now that the OpenVPN server has all the prerequisites installed, the next step is to generate a private key and Certificate Signing Request (CSR) on the OpenVPN server. After that we’ll transfer the request over to the CA to be signed, creating the required certificate.

Once we have a signed certificate, we can transfer it back to the OpenVPN server and install it for the server to use.

To start, navigate to the ~/easy-rsa directory on your OpenVPN Server as your non-root user:

Now we’ll call easyrsa with the gen-req option followed by a Common Name (CN) for the machine. The CN can be anything we like, but it can be helpful to make it something descriptive. Throughout this tutorial, the OpenVPN Server’s CN will be jujitsu. Be sure to include the nopass option as well. Failing to do so will password-protect the request file which could lead to permissions issues later on.

$ cd easy-rsa/

./easyrsa gen-req jujitsu nopass
Using SSL: openssl OpenSSL 1.1.1k  FIPS 25 Mar 2021
Generating a RSA private key
.........................+++++
...........................................+++++
writing new private key to '/home/mtb/easy-rsa/pki/easy-rsa-167240.ZwGFxk/tmp.Jchss'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [jujitsu]:

Keypair and certificate request completed. Your files are:
req: /home/mtb/easy-rsa/pki/reqs/jujitsu.req
key: /home/mtb/easy-rsa/pki/private/jujitsu.key

This will create a private key for the server and a certificate request file called server.req. Copy the server key to the /etc/openvpn/server directory:

sudo cp /home/mb93837/easy-rsa/pki/private/jujitsu.key /etc/openvpn/server/

After completing these steps, we have successfully created a private key the your OpenVPN server. We have also generated a Certificate Signing Request for the OpenVPN server. The CSR is now ready for signing by our CA.

In the next section of this tutorial we will learn how to sign a CSR with the CA server’s private key.

Signing the OpenVPN Server’s Certificate Request

In the previous step we created a Certificate Signing Request (CSR) and private key for the OpenVPN server. Now the CA server needs to know about the jujitsu certificate and validate it. Once the CA validates and relays the certificate back to the OpenVPN server, clients that trust our CA will be able to trust the OpenVPN server as well.

On the OpenVPN server, as our non-root user, use SCP or another transfer method to copy the jujitsu.req certificate request to the CA server for signing:

scp /home/mb93837/easy-rsa/pki/reqs/jujitsu.req mb93837@your_ca_server:/tmp

Now log in to the CA server as the non-root user that owns the easy-rsa directory, where you created your PKI. Import the certificate request using the easyrsa script:

cd ~/easy-rsa
./easyrsa import-req /tmp/jujitsu server

Output
. . .
The request has been successfully imported with a short name of: server
You may now use this name to perform signing operations on this request.

Next, sign the request by running the easyrsa script with the sign-req option, followed by the request type and the Common Name. The request type can either be client or server. Since we’re working with the OpenVPN server’s certificate request, be sure to use the server request type:

./easyrsa sign-req server jujitsu
Using SSL: openssl OpenSSL 1.1.1k  FIPS 25 Mar 2021


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 825 days:

subject=
    commonName                = jujitsu


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /home/mb93837/easy-rsa/pki/easy-rsa-173154.vNkGC/tmp.N1FFKn
Enter pass phrase for /home/mb93837/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'jujitsu'
Certificate is to be certified until Oct 16 14:56:37 2024 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /home/mb93837/easy-rsa/pki/issued/jujitsu.crt

Note that if you encrypted your CA private key, you’ll be prompted for your password at this point.

With those steps complete, you have signed the OpenVPN server’s certificate request using the CA server’s private key. The resulting jujitsu.crt file contains the OpenVPN server’s public encryption key, as well as a signature from the CA server. The point of the signature is to tell anyone who trusts the CA server that they can also trust the OpenVPN server when they connect to it.

To finish configuring the certificates, copy the jujitsu.crt and ca.crt files from the CA server to the OpenVPN server:

scp pki/issued/jujitsu.crt sammy@your_vpn_server_ip:/tmp
scp pki/ca.crt sammy@your_vpn_server_ip:/tmp

Now back on your OpenVPN server, copy the files from /tmp to /etc/openvpn/server:

sudo cp /tmp/{jujitsu.crt,ca.crt} /etc/openvpn/server

Now your OpenVPN server is nearly ready to accept connections. In the next step you’ll perform some additional steps to increase the security of the server.

Configuring OpenVPN Cryptographic Material

For an additional layer of security, we’ll add an extra shared secret key that the server and all clients will use with OpenVPN’s tls-crypt directive. This option is used to obfuscate the TLS certificate that is used when a server and client connect to each other initially. It is also used by the OpenVPN server to perform quick checks on incoming packets: if a packet is signed using the pre-shared key, then the server processes it; if it is not signed, then the server knows it is from an untrusted source and can discard it without having to perform additional decryption work.

This option will help ensure that your OpenVPN server is able to cope with unauthenticated traffic, port scans, and Denial of Service attacks, which can tie up server resources. It also makes it harder to identify OpenVPN network traffic.

To generate the tls-crypt pre-shared key, run the following on the OpenVPN server in the ~/easy-rsadirectory:

cd ~/easy-rsa
openvpn --genkey --secret ta.key

The result will be a file called ta.key. Copy it to the /etc/openvpn/server/ directory:

sudo cp ta.key /etc/openvpn/server

With these files in place on the OpenVPN server we are ready to create client certificates and key files for your users, which you will use to connect to the VPN.

Generating a Client Certificate and Key Pair

Although you can generate a private key and certificate request on your client machine and then send it to the CA to be signed, this guide outlines a process for generating the certificate request on the OpenVPN server. The benefit of this approach is that we can create a script that will automatically generate client configuration files that contain all of the required keys and certificates. This lets you avoid having to transfer keys, certificates, and configuration files to clients and streamlines the process of joining the VPN.

We will generate a single client key and certificate pair for this guide. If you have more than one client, you can repeat this process for each one. Please note, though, that you will need to pass a unique name value to the script for every client. Throughout this tutorial, the first certificate/key pair is referred to as client1.

Get started by creating a directory structure within your home directory to store the client certificate and key files:

mkdir -p ~/client-configs/keys

Since you will store your clients’ certificate/key pairs and configuration files in this directory, you should lock down its permissions now as a security measure:

chmod -R 700 ~/client-configs

Next, navigate back to the EasyRSA directory and run the easyrsa script with the gen-req and nopassoptions, along with the common name for the client:

cd ~/easy-rsa
./easyrsa gen-req foxtrot nopass

Press ENTER to confirm the common name. Then, copy the client1.key file to the ~/client-configs/keys/ directory you created earlier:

cp pki/private/foxtrot.key ~/client-configs/keys/

Next, transfer the foxtrot.req file to your CA Server using a secure method:

scp pki/reqs/foxtrot.req sammy@your_ca_server_ip:/tmp

Now log in to your CA Server. Then, navigate to the EasyRSA directory, and import the certificate request:

cd ~/easy-rsa
./easyrsa import-req /tmp/foxtrot.req foxtrot_opvn

Next, sign the request the same way as you did for the server in the previous step. This time, though, be sure to specify the client request type:

./easyrsa sign-req client foxtrot_opvn

When prompted, enter yes to confirm that you intend to sign the certificate request and that it came from a trusted source.

Again, if you encrypted your CA key, you’ll be prompted for your password here.

This will create a client certificate file named foxtrot.crt. Transfer this file back to the server:

./easyrsa sign-req client foxtrot_opvn
Using SSL: openssl OpenSSL 1.1.1k  FIPS 25 Mar 2021


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 825 days:

subject=
    commonName                = foxtrot


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes         
Using configuration from /home/mtb/easy-rsa/pki/easy-rsa-2126405.rYvSXd/tmp.0bCYxi
Enter pass phrase for /home/mtb/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'foxtrot'
Certificate is to be certified until Oct 27 09:00:51 2024 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /home/mtb/easy-rsa/pki/issued/foxtrot_opvn.crt

This will create a client certificate file named foxtrot_opvn.crt. Transfer this file back to the server:

scp pki/issued/client1.crt sammy@your_server_ip:/tmp

Back on your OpenVPN server, copy the client certificate to the ~/client-configs/keys/ directory:

cp /tmp/client1.crt ~/client-configs/keys/

Next, copy the ca.crt and ta.key files to the ~/client-configs/keys/ directory as well, and set the appropriate permissions for your sudo user:

cp ~/easy-rsa/ta.key ~/client-configs/keys/
sudo cp /etc/openvpn/server/ca.crt ~/client-configs/keys/
sudo chown mb93837:mb93837 ~/client-configs/keys/*

With that, your server and client’s certificates and keys have all been generated and are stored in the appropriate directories on your OpenVPN server. There are still a few actions that need to be performed with these files, but those will come in a later step. For now, you can move on to configuring OpenVPN.

Configuring OpenVPN

Like many other widely used open-source tools, OpenVPN has numerous configuration options available to customize your server for your specific needs. In this section, we will provide instructions on how to set up an OpenVPN server configuration based on one of the sample configuration files that is included within this software’s documentation.

First, copy the sample server.conf file as a starting point for your own configuration file:

sudo cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/server

Open the new file for editing with the text editor of your choice. We’ll use vi for our example, because we weren’t born yesterday:

sudo vi /etc/openvpn/server/server.conf

We’ll need to change a few lines in this file. First, find the HMAC section of the configuration by searching for the tls-auth directive. This line should be uncommented. Comment it out by adding a ; to the beginning of the line. Then add a new line after it containing the value tls-crypt ta.key only:

;tls-auth ta.key 0 # This file is secret
tls-crypt ta.key

Next, find the section on cryptographic ciphers by looking for the cipher lines. The default value is set to AES-256-CBC, however, the AES-256-GCM cipher offers a better level of encryption, performance, and is well supported in up-to-date OpenVPN clients. We’ll comment out the default value by adding a ; sign to the beginning of this line, and then we’ll add another line after it containing the updated value of AES-256-GCM:

;cipher AES-256-CBC
cipher AES-256-GCM

Right after this line, add an auth directive to select the HMAC message digest algorithm. For this, SHA256is a good choice:

auth SHA256

Next, find the line containing a dh directive, which defines Diffie-Hellman parameters. Since we’ve configured all the certificates to use Elliptic Curve Cryptography, there is no need for a Diffie-Hellman seed file. Comment out the existing line that looks like dh dh2048.pem or dh dh.pem. The filename for the Diffie-Hellman key may be different than what is listed in the example server configuration file. Then add a line after it with the contents dh none:

;dh dh2048.pem
dh none

Next, we want OpenVPN to run with no privileges once it has started, so we need to tell it to run with a user and group of nobody. To enable this, find and uncomment the user nobody and group nobody lines by removing the ; sign from the beginning of each line:

user nobody
group nobody

Modify the certand key lines in the server.conf configuration file so that they point to the appropriate jujitsu.crt and jujitsu.keyfiles. :

cert jujitsu.crt
key jujitsu.key

When you are finished, save and close the file.

You have now finished configuring your OpenVPN general settings. In the next step, we’ll customize the server’s networking options.

Adjusting the OpenVPN Server Networking Configuration

There are some aspects of the server’s networking configuration that need to be tweaked so that OpenVPN can correctly route traffic through the VPN. The first of these is IP forwarding, a method for determining where IP traffic should be routed. This is essential to the VPN functionality that your server will provide.

To adjust your OpenVPN server’s default IP forwarding setting, open the /etc/sysctl.conf file using vi or your preferred editor:

sudo vi /etc/sysctl.conf

Then add the following line at the top of the file:

net.ipv4.ip_forward = 1

Save and close the file when you are finished.

To read the file and load the new values for the current session, type:

sudo sysctl -p
net.ipv4.ip_forward = 1

Now your OpenVPN server will be able to forward incoming traffic from one ethernet device to another. This setting makes sure the server can direct traffic from clients that connect on the virtual VPN interface out over its other physical ethernet devices. This configuration will route all web traffic from your client via your server’s IP address, and your client’s public IP address will effectively be hidden.

In the next step you will need to configure some firewall rules to ensure that traffic to and from your OpenVPN server flows properly.

Firewall Configuration

So far, you’ve installed OpenVPN on your server, configured it, and generated the keys and certificates needed for your client to access the VPN. However, you have not yet provided OpenVPN with any instructions on where to send incoming web traffic from clients. You can stipulate how the server should handle client traffic by establishing some firewall rules and routing configurations.

Assuming you followed the prerequisites at the start of this tutorial, you should already have firewalldinstalled and running on your server. To allow OpenVPN through the firewall, you’ll need to know what your active firewalld zone is. Find this with the following command:

sudo firewall-cmd --get-active-zones
docker
  interfaces: docker0
public
  interfaces: eth1 eth0

If you do not see a trusted zone that lists the tun0 interface, run the following commands to add the VPN device to that zone:

sudo firewall-cmd --zone=trusted --add-interface=tun0
sudo firewall-cmd --permanent --zone=trusted --add-interface=tun0

Next, add the openvpn service to the list of services allowed by firewalld within your active zone, and then make that setting permanent by running the command again but with the --permanent option added:

sudo firewall-cmd --permanent --add-service openvpn
sudo firewall-cmd --permanent --zone=trusted --add-service openvpn

To apply the changes on the firewall, run:

sudo firewall-cmd --reload

You can now check that the service was added correctly with the following command:

sudo firewall-cmd --list-services --zone=trusted
openvpn

Next, we’ll add a masquerade rule to the firewall. Masquerading allows your OpenVPN server to translate your OpenVPN clients’ addresses into the server’s own public address, and then do the reverse with traffic that is sent back to clients. This process is also known as Network Address Translation (NAT).

Add masquerade rules with the following commands:

sudo firewall-cmd --add-masquerade
sudo firewall-cmd --add-masquerade --permanent

You can check that the masquerade was added correctly with this command:

sudo firewall-cmd --query-masquerade
yes

Next, you’ll need to create the specific masquerade rule for your OpenVPN subnet only. You can do this by first creating a shell variable (DEVICE in our example) which will represent the primary network interface used by your server, and then using that variable to permanently add the routing rule:

DEVICE=$(ip route | awk '/^default via/ {print $5}')
sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o $DEVICE -j MASQUERADE

Be sure to reload firewalld so that all your changes take effect:

sudo firewall-cmd --reload

The commands with the --permanent flag will ensure that the rules will persist across reboots. The firewall-cmd --reload command makes sure that all the outstanding changes to the firewall are applied. With the firewall rules in place, we can start the OpenVPN service on the server.

Starting OpenVPN

OpenVPN runs as a systemd service, so we can use systemctl for managing it. We will configure OpenVPN to start up at boot so you can connect to your VPN at any time as long as your server is running. To do this, enable the OpenVPN service by adding it to systemctl:

sudo systemctl -f enable openvpn-server@server.service

Then start the OpenVPN service:

sudo systemctl start openvpn-server@server.service

Double check that the OpenVPN service is active with the following command. You should see active (running) in the output:

sudo systemctl -f enable openvpn-server@server.service
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-server@server.service → /usr/lib/systemd/system/openvpn-server@.service.
[mtb@sierra easy-rsa]$ sudo systemctl start openvpn-server@server.service
[mtb@sierra easy-rsa]$ sudo systemctl status openvpn-server@server.service
● openvpn-server@server.service - OpenVPN service for server
   Loaded: loaded (/usr/lib/systemd/system/openvpn-server@.service; enabled; vendor prese>
   Active: active (running) since Mon 2022-07-25 09:37:32 UTC; 25s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 2127755 (openvpn)
   Status: "Initialization Sequence Completed"
    Tasks: 1 (limit: 49268)
   Memory: 1.0M
   CGroup: /system.slice/system-openvpn\x2dserver.slice/openvpn-server@server.service
           └─2127755 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --s>

Jul 25 09:37:32 sierra openvpn[2127755]: Could not determine IPv4/IPv6 protocol. Using AF>
Jul 25 09:37:32 sierra openvpn[2127755]: Socket Buffers: R=[212992->212992] S=[212992->21>
Jul 25 09:37:32 sierra openvpn[2127755]: UDPv4 link local (bound): [AF_INET][undef]:1194
Jul 25 09:37:32 sierra openvpn[2127755]: UDPv4 link remote: [AF_UNSPEC]
Jul 25 09:37:32 sierra openvpn[2127755]: GID set to nobody
Jul 25 09:37:32 sierra openvpn[2127755]: UID set to nobody
Jul 25 09:37:32 sierra openvpn[2127755]: MULTI: multi_init called, r=256 v=256
Jul 25 09:37:32 sierra openvpn[2127755]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Jul 25 09:37:32 sierra openvpn[2127755]: IFCONFIG POOL LIST
Jul 25 09:37:32 sierra openvpn[2127755]: Initialization Sequence Completed
lines 1-23/23 (END)

We’ve now completed the server-side configuration for OpenVPN. Next, you will configure your client machine and connect to the OpenVPN Server.

Creating the Client Configuration Infrastructure

Creating configuration files for OpenVPN clients can be somewhat involved, as every client must have its own config and each must align with the settings outlined in the server’s configuration file. Rather than writing a single configuration file that can only be used on one client, this step outlines a process for building a client configuration infrastructure which you can use to generate config files on-the-fly. You will first create a “base” configuration file then build a script which will allow you to generate unique client config files, certificates, and keys as needed.

Get started by creating a new directory where you will store client configuration files within the client-configs directory you created earlier:

mkdir -p ~/client-configs/files

Next, copy an example client configuration file into the client-configs directory to use as your base configuration:

cp /usr/share/doc/openvpn/sample/sample-config-files/client.conf ~/client-configs/base.conf

Open this new file using vi or your preferred text editor:

vi ~/client-configs/base.conf

Inside, locate the remote directive. This points the client to your OpenVPN server address — the public IP address of your OpenVPN server. If you decided to change the port that the OpenVPN server is listening on, you will also need to change 1194 to the port you selected:

. . .
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote your_server_ip 1194
. . .

Be sure that the protocol matches the value you are using in the server configuration:

proto udp

Next, uncomment the user and group directives by removing the ; sign at the beginning of each line:

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nobody

Find the directives that set the ca, cert, and key. Comment out these directives since you will add the certs and keys within the file itself shortly:

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
;ca ca.crt
;cert client.crt
;key client.key

Similarly, comment out the tls-auth directive, as you will add ta.key directly into the client configuration file (and the server is set up to use tls-crypt):

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

Mirror the cipher and auth settings that you set in the /etc/openvpn/server/server.conf file:

cipher AES-256-GCM
auth SHA256

Next, add the key-direction directive somewhere in the file. You must set this to “1” for the VPN to function correctly on the client machine:

key-direction 1

Finally, add a few commented out lines. Although you can include these directives in every client configuration file, you only need to enable them for Linux clients that ship with an /etc/openvpn/update-resolv-conf file. This script uses the resolvconf utility to update DNS information for Linux clients.

; script-security 2
; up /etc/openvpn/update-resolv-conf
; down /etc/openvpn/update-resolv-conf

If your client is running Linux and has an /etc/openvpn/update-resolv-conf file, uncomment these lines from the client’s configuration file after it has been generated.

Save and close the file when you are finished.

Next, we’ll create a script that will compile your base configuration with the relevant certificate, key, and encryption files and then place the generated configuration in the ~/client-configs/files directory. Open a new file called make_config.sh within the ~/client-configs directory:

vi ~/client-configs/make_config.sh

Inside, add the following content:

#!/bin/bash
 
# First argument: Client identifier
 
KEY_DIR=~/client-configs/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf
 
cat ${BASE_CONFIG} \
<(echo -e '<ca>') \
${KEY_DIR}/ca.crt \
<(echo -e '</ca>\n<cert>') \
${KEY_DIR}/${1}.crt \
<(echo -e '</cert>\n<key>') \
${KEY_DIR}/${1}.key \
<(echo -e '</key>\n<tls-crypt>') \
${KEY_DIR}/ta.key \
<(echo -e '</tls-crypt>') \
> ${OUTPUT_DIR}/${1}.ovpn

Save and close the file when you are finished.

Before moving on, be sure to mark this file as executable by typing:

chmod 700 ~/client-configs/make_config.sh

This script will make a copy of the base.conf file you made, collect all the certificate and key files you’ve created for your client, extract their contents, append them to the copy of the base configuration file, and export all of this content into a new client configuration file. This means that, rather than having to manage the client’s configuration, certificate, and key files separately, all the required information is stored in one place. The benefit of using this method is that if you ever need to add a client in the future, you can run this script to quickly create a new config file and ensure that all the important information is stored in a single, easy-to-access location.

Please note that any time you add a new client, you will need to generate new keys and certificates for it before you can run this script and generate its configuration file. You will get some practice using this script in the next step.

Generating Client Configurations

If you followed along with the guide, you created a client certificate and key named foxtrot.crt and foxtrot.key, respectively, in Step 6. You can generate a config file for these credentials by moving into your ~/client-configs directory and running the script you made at the end of the previous step:

cd ~/client-configs
./make_config.sh foxtrot

This will create a file named foxtrot.ovpn in your ~/client-configs/files directory:

ls files
foxtrot.ovpn

You need to transfer this file to the device you plan to use as the client.

Installing the Client Configuration

This section covers how to install a client VPN profile on macOS, Linux, and iOS, and Android. None of these client instructions are dependent on one another, so feel free to skip to whichever is applicable to your device.

The OpenVPN connection will have the same name as whatever you called the .ovpn file. In regards to this tutorial, this means that the connection is named foxtrot.ovpn, aligning with the first client file you generated.

macOS

Installing

Tunnelblick is a free, open source OpenVPN client for macOS. You can download the latest disk image from the Tunnelblick Downloads page. Double-click the downloaded .dmg file and follow the prompts to install.

Towards the end of the installation process, Tunnelblick will ask if you have any configuration files. Answer I have configuration files and let Tunnelblick finish. Open a Finder window and double-click foxtrot.ovpn. Tunnelblick will install the client profile. Administrative privileges are required.

Connecting

Launch Tunnelblick by double-clicking the Tunnelblick icon in the Applications folder. Once Tunnelblick has been launched, there will be a Tunnelblick icon in the menu bar at the top right of the screen for controlling connections. Click on the icon, and then the Connect client1 menu item to initiate the VPN connection.

Linux

Installing

If you are using Linux, there are a variety of tools that you can use depending on your distribution. Your desktop environment or window manager might also include connection utilities.

The most universal way of connecting, however, is to just use the OpenVPN software.

On Ubuntu or Debian, you can install it just as you did on the server by typing:

sudo apt update
sudo apt install openvpn

Copy

On CentOS you can enable the EPEL repositories and then install it by typing:

sudo yum install epel-release
sudo yum install openvpn

Copy

Configuring

Check to see if your distribution includes an /etc/openvpn/update-resolv-conf script:

ls /etc/openvpn

Copy

Outputupdate-resolv-conf

Next, edit the OpenVPN client configuration file you transfered:

vi client1.ovpn

Copy

If you were able to find an update-resolv-conf file, uncomment the three lines you added to adjust the DNS settings:

client1.ovpn

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

If you are using CentOS, change the group directive from nogroup to nobody to match the distribution’s available groups:

client1.ovpn

group nobody

Save and close the file.

Now, you can connect to the VPN by just pointing the openvpn command to the client configuration file:

sudo openvpn --config foxtrot.ovpn

Copy

This should connect you to your VPN.

Automatic client start

To ensure that OVPN starts on boot with the proper configuration, move the foxtrot.ovpnfile to /etc/openvpn/client/client.conf and make sure the permissions are set to 600 and owned by root.

Raspberry Pi

How to have an OpenVPN client connect on system Startup. How to set up a persistant OpenVPN client connection on Raspian.

Ensure *.conf file is located in /etc/openvpn/
*.ovpn files will not work, they will need to be renamed to *.conf.
Renaming a ovpen file to conf is ok and does work.

Edit /etc/default/openvpn

  • Ensure a similar line below exist.

  • Ensure the value does not have an extension.

  • Ensure the value matches the certificate name.

AUTOSTART=”ClientName”

Example: Lets say there is a client certificate called LocationB and the config/settings file is called LocationB.ovpn.
Copy LocationB.ovpn into /etc/openvpn/LocationB.conf
Then add a line into /etc/default/openvpn
AUTOSTART=”LocationB”

Client Fixed IP addresses

OpenVPN clients will be assigned a dynamic IP address when connecting unless we force a static configuration.

OpenVPN has the ability to assign clients specific IP addresses from the IP pool defined. To achieve this, it uses three types of client IP address selection algorithms. These include, in the order in which they are used;

  1. Use of --client-connect script. This involves execution of the specified script that generates file containing static IP addresses on the server when a client connects. This method is usually the first choice to be considered.

  2. Use of --client-config-dir. This involves the use of a file which contains static IP addresses for the clients as per their client certificate common name (CN) (second choice).

  3. Use of --ifconfig-pool for the allocation for dynamic IP (last choice).

For more information, consult man openvpn.

In this guide, we are going to use the second option, where by we will configure our OpenVPN server to read a specific file, that contains the client common names and mapped IP addresses. This ensures that, a connecting client is assigned static IP address based on the common name defined on their client certificate.

Create a File to Store Static IP addresses

The use of the client-config-dir option, requires that the static IP addresses to be assigned to connecting clients be stored in a file that can be read by OpenVPN server.

Therefore, open the OpenVPN server configuration file, /etc/openvpn/server/server.conf, and set your path to static IP assignment file as the value for the client-config-dir parameter.

vi /etc/openvpn/server/server.conf
...
# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
client-config-dir /etc/openvpn/ccd
...

In this demo, we set the path to store static/fixed IP addresses assignment file to, /etc/openvpn/ccd.

mkdir /etc/openvpn/ccd
chown root:openvpn /etc/openvpn/ccd
chmod 750 /etc/openvpn/ccd

Assign Static IP Addresses to OpenVPN Clients

For every OpenVPN client that you want to assign static IP address to, you need to extract the common name from that specific client certificate.

In our demo, we have the OpenVPN client jujitsu. To extract the common names from the clients certificate, use openssl command as shown below. Be sure to replace the clients certificates.

openssl x509 -subject -noout -in ~/client-configs/keys/jujitsu.crt
subject=CN = jujitsu

Once you have the common name for the client, you can then assign static IP addresses using the ifconfig-push option. For example, to assign the client using the certificate with jujitsu as common name an IP address, 10.8.0.50, this is how the assignment is done;

echo "ifconfig-push 10.8.0.50 255.255.255.0" > /etc/openvpn/ccd/jujitsu

Set the proper file permissions:

chown root:openvpn /etc/openvpn/ccd/*
chmod 640 /etc/openvpn/ccd/*

Note that, how you assign the static IP addresses depends on the topology you configured your OpenVPN server. In our, case, we set the topology to subnet;

# Network topology
...
topology subnet

Restart OpenVPN Server;

systemctl restart openvpn-server@server

Be sure to always check the logs;

tail -f /var/log/openvpn/openvpn.log

  • No labels