Lénaïc Bagnères, lenaicb@singularity.fr
Personnal website
Cute duck
 

iconDebian GNU/Linux

iconOpenVPN (2023)

Source: https://www.howtoforge.com/how-to-install-and-configure-openvpn-server-on-debian-12/

Server

On the server.

Install dependencies (with root access):

apt install openvpn easy-rsa rsync

Generate reqs/server.req and private/server.key in /etc/openvpn/server/easy-rsa/pki (with root access):

mkdir /etc/openvpn/server/easy-rsa && cd /etc/openvpn/server/easy-rsa
cp -r /usr/share/easy-rsa/* ./
chmod 700 .
./easyrsa init-pki
./easyrsa gen-req server nopass
cp /etc/openvpn/server/easy-rsa/pki/reqs/server.req /etc/openvpn/server/
cp /etc/openvpn/server/easy-rsa/pki/private/server.key /etc/openvpn/server/

Generate extra shared secret key for server and clients (with root access):

./easyrsa gen-dh
openvpn --genkey secret ta.key
cp ta.key /etc/openvpn/server/
cp pki/dh.pem /etc/openvpn/server/
(cd /etc/openvpn/server/ && ln -s dh.pem dh2048.pem)

Generate CA Certificate

Use a secure computer, ideally not the server and not a client.

Install dependencies (with root access):

apt install openvpn easy-rsa rsync

Generate CA Certificate (in ./easy-rsa_ca/pki/ca.crt)

mkdir easy-rsa_ca && cd easy-rsa_ca
cp -r /usr/share/easy-rsa/* ./
chmod 700 .
./easyrsa init-pki
# You can edit `pki/vars` to change configuration
./easyrsa build-ca # nopass

Get server.req from the server and sign it:

rsync -rlPthvc root@SERVER:/etc/openvpn/server/easy-rsa/pki/reqs/server.req ./
./easyrsa import-req server.req SERVER_NAME
./easyrsa sign-req server SERVER_NAME

Send pki/issued/SERVER_NAME.crt and pki/ca.crt to the server:

rsync -rlPthvc pki/issued/SERVER_NAME.crt root@SERVER:/etc/openvpn/server/server.crt
rsync -rlPthvc pki/ca.crt root@SERVER:/etc/openvpn/server/

Configure & Run Server

Configure (with root access):

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/server/

You can edit the /etc/openvpn/server/server.conf file. To redirect all clients' network traffic, you can add these lines:

push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"

Edit the file /etc/sysctl.conf to uncomment this line to enable packet forwarding:

net.ipv4.ip_forward=1

You can run the server with these commands (with root access):

sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens3 -j MASQUERADE
ip6tables -t nat -A POSTROUTING -s fd42:feed:feed:feed::/64 -o eth0 -j MASQUERADE
(cd /etc/openvpn/server && openvpn server.conf)

Client

Generate reqs/CLIENT_NAME.req and private/CLIENT_NAME.key files (in ./easy-rsa_client-CLIENT_NAME/pki directory)

mkdir easy-rsa_client-CLIENT_NAME && cd easy-rsa_client-CLIENT_NAME
cp -r /usr/share/easy-rsa/* ./
chmod 700 .
./easyrsa init-pki
./easyrsa gen-req CLIENT_NAME nopass
cp pki/private/CLIENT_NAME.key ./client.key

On the CA computer, get CLIENT_NAME.req, copy it in ./easy-rsa_ca/pki/reqs and sign it:

./easyrsa sign-req client CLIENT_NAME

Send pki/issued/CLIENT_NAME.crt and pki/ca.crt to the client.

Configure the client:

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ./

You can edit the client.conf file. Change the server hostname or IP. Add these lines:

# https://serverfault.com/questions/670440/in-openvpn-whats-the-risk-of-omitting-the-key-direction-when-using-tls-auth
key-direction 1

Client needs:

Run the client (with root access):

openvpn ./client.conf

It possible to combine all files in one:

sed 's/ca ca.crt/;ca ca.crt/g' client.conf | sed 's/cert client.crt/;cert client.crt/g' | sed 's/key client.key/;key client.key/g' | sed 's/tls-auth ta.key 1/;tls-auth ta.key 1/g' > client.ovpn
echo -e "\n<ca>\n`cat ca.crt`\n</ca>\n\n<cert>\n`cat client.crt`\n</cert>\n\n<key>\n`cat client.key`\n</key>\n\n<tls-auth>\n`cat ta.key`\n</tls-auth>" >> client.ovpn

Run the client (with root access):

openvpn ./client.ovpn