An OpenVPN Setup


Recently I had to comb through 15 different websites in order to figure out what I was doing. Here are my notes; I hope they are helpful to you.

Install Common Packages

sudo apt-get update
sudo apt-get -y install vim openvpn easy-rsa

Create CA Directory

make-cadir ~/openvpn-ca
cd ~/openvpn-ca

Create VARS File

rm vars
vim vars

Content:

set_var EASYRSA                 "$PWD"
set_var EASYRSA_PKI             "$EASYRSA/pki"
set_var EASYRSA_DN              "cn_only"
set_var EASYRSA_REQ_COUNTRY     "US"
set_var EASYRSA_REQ_PROVINCE    "Springfield"
set_var EASYRSA_REQ_CITY        "Springfield"
set_var EASYRSA_REQ_ORG         "PLUMSOS CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL       "openvpn@plumsos.lan"
set_var EASYRSA_REQ_OU          "PLUMSOS EASY CA"
set_var EASYRSA_KEY_SIZE        4096
set_var EASYRSA_ALGO            rsa
set_var EASYRSA_CA_EXPIRE       7500
set_var EASYRSA_CERT_EXPIRE     3650
set_var EASYRSA_NS_SUPPORT      "no"
set_var EASYRSA_NS_COMMENT      "PLUMSOS CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR         "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF        "$EASYRSA/openssl-easyrsa.cnf"
set_var EASYRSA_DIGEST          "sha256"
set_var EASYRSA_BATCH           1
:wq

Init the PKI

./easyrsa init-pki

Build the CA

./easyrsa build-ca nopass

Build Server Key

./easyrsa gen-req server-server nopass

Sign the Server Key

./easyrsa sign-req server server-server

Build the Client Key

./easyrsa gen-req client01 nopass

Sign the Client Key

./easyrsa sign-req client client01

Build the Diffie-Hellman Key

./easyrsa gen-dh

Copy Server Key and Certificate

sudo cp ~/openvpn-ca/pki/ca.crt /etc/openvpn/server/
sudo cp ~/openvpn-ca/pki/issued/server-server.crt /etc/openvpn/server/
sudo cp ~/openvpn-ca/pki/private/server-server.key /etc/openvpn/server/

Copy Client Key and Certificate

sudo cp ~/openvpn-ca/pki/ca.crt /etc/openvpn/client/
sudo cp ~/openvpn-ca/pki/issued/client01.crt /etc/openvpn/client/
sudo cp ~/openvpn-ca/pki/private/client01.key /etc/openvpn/client/

Copy Diffie-Hellman Key

sudo cp ~/openvpn-ca/pki/dh.pem /etc/openvpn/server/

Create Server Config

sudo vim /etc/openvpn/server.conf

Content:

port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server-server.crt
key /etc/openvpn/server/server-server.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
keepalive 20 60
persist-key
persist-tun
compress lz4
daemon
user nobody
group nogroup
log-append /var/log/openvpn.log
verb 3
:wq

Create the Client Config

sudo vim /etc/openvpn/client/client01.ovpn

Content:

client
dev tun
proto udp
remote 172.16.200.XXX 1194
ca ca.crt
cert client01.crt
key client01.key
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
:wq
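
Before enabling the service, it is worth checking that the two configs above actually agree and that the client is told to verify the server's certificate. The following Python script is an added example, not part of the original notes: SERVER and CLIENT are trimmed copies of the server.conf and client01.ovpn above, and the checks flag parameter mismatches plus two things the notes leave out (the client has no remote-cert-tls server, and the server's duplicate-cn lets one certificate be shared by many devices).

```python
# Added example: lint an OpenVPN server.conf / client .ovpn pair.
# SERVER and CLIENT are trimmed copies of the configs in these notes.
SERVER = """port 1194
proto udp
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
auth SHA512
compress lz4
user nobody
group nogroup
"""
CLIENT = """client
proto udp
remote 172.16.200.XXX 1194
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
compress lz4
"""

def parse_conf(text):
    """Map each directive to its argument string (first occurrence wins)."""
    opts = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":          # OpenVPN comment lines
            continue
        name, _, args = line.partition(" ")
        opts.setdefault(name, args.strip())
    return opts

def check_pair(server_text, client_text):
    """Return a list of findings; an empty list means consistent and hardened."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    findings = []
    for key in ("proto", "cipher", "auth", "tls-cipher", "compress"):
        if s.get(key) != c.get(key):               # both ends must agree
            findings.append(f"{key} mismatch: server={s.get(key)!r} client={c.get(key)!r}")
    remote = c.get("remote", "").split()
    if len(remote) < 2 or remote[1] != s.get("port", "1194"):
        findings.append("client 'remote' port does not match server 'port'")
    if "remote-cert-tls" not in c:                 # client must insist on a server-EKU cert
        findings.append("client lacks 'remote-cert-tls server'")
    if "duplicate-cn" in s:                        # one cert shared by many devices, no per-device revocation
        findings.append("server sets duplicate-cn")
    if any(o.get("tls-version-min", "1.0") < "1.2" for o in (s, c)):
        findings.append("one side still allows TLS below 1.2")
    return findings
```

Run check_pair on your own files (open and read them in place of SERVER and CLIENT); an empty result means the pair is consistent.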

Enable OpenVPN Server

sudo systemctl enable openvpn@server
sudo systemctl start openvpn@server

Configure IP Forwarding

sudo vim /etc/sysctl.conf

Uncomment net.ipv4.ip_forward=1
:wq

Add UFW before.rules content

sudo vim /etc/ufw/before.rules

Content:

Note: change the interface name (eth0) as needed!

# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade only the VPN subnet handed out by the "server 10.8.0.0 255.255.255.0" line
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
:wq

Customize UFW forwarding policy

sudo vim /etc/default/ufw

Content:

DEFAULT_FORWARD_POLICY="ACCEPT"
:wq

Open UFW ports for OpenVPN

sudo ufw allow openvpn

Enable UFW

sudo ufw --force enable