# Server side: install OpenVPN plus the easy-rsa 2.x helper scripts
# (clean-all, build-ca, build-key-server, pkitool used further down).
apt-get update
apt-get install openvpn easy-rsa
# Work on a private copy so package upgrades of /usr/share/easy-rsa never
# touch the PKI that is about to be created under it.
cp -r /usr/share/easy-rsa/ /etc/openvpn
# keys/ will hold ca.key and every issued private key. NOTE(review): the
# ./clean-all step below recreates this directory itself (go-rwx), so this
# mkdir is most likely redundant — harmless, but confirm its mode is 0700.
mkdir /etc/openvpn/easy-rsa/keys
# Open the easy-rsa defaults; the lines that follow are what to set in it.
vim /etc/openvpn/easy-rsa/vars
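# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="changeme"
export KEY_PROVINCE="changeme"
export KEY_CITY="changeme"
export KEY_ORG="example"
export KEY_EMAIL="changeme@example.com"
export KEY_OU="changeme"
# RSA key length used by pkitool/build-key-server and the size of the DH
# parameters: build-dh writes keys/dh${KEY_SIZE}.pem, and server.conf loads
# dh2048.pem, so this must be 2048 (older easy-rsa 2 vars files default to
# 1024, which would produce dh1024.pem and a server that refuses to start).
export KEY_SIZE=2048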
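# Build the PKI with easy-rsa 2.x. Every step runs as root inside the
# easy-rsa working copy and relies on the KEY_* values set in vars.
cd /etc/openvpn/easy-rsa
. ./vars
# clean-all wipes keys/ and recreates index.txt/serial — run it once on a
# fresh setup, never on a PKI whose certificates are already in use.
./clean-all
# Prompts for the CA subject (defaults come from vars) and writes
# keys/ca.crt + keys/ca.key. ca.key signs every client certificate; keeping
# it on the VPN host itself means a host compromise is a CA compromise.
./build-ca
# Server certificate and key, signed by the CA just created.
./build-key-server server
# Diffie-Hellman parameters. build-dh writes keys/dh${KEY_SIZE}.pem; server.conf
# loads dh2048.pem, so KEY_SIZE must be 2048 in vars. Without this step the
# daemon fails at startup because the dh file does not exist.
./build-dh
# Only the server's own credentials, the public CA cert and the DH parameters
# go next to server.conf; ca.key stays in keys/.
cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt,dh2048.pem} /etc/openvpn
# The server configuration follows.
vim /etc/openvpn/server.conf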
# /etc/openvpn/server.conf. Relative paths resolve against /etc/openvpn,
# where the credentials were copied and where the init/systemd unit normally
# starts the daemon — confirm that on your distribution.
port 1194
proto udp
dev tun
# Server credentials from easy-rsa/keys. dh2048.pem is the build-dh output;
# the daemon refuses to start if it is missing.
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# Tunnel subnet; the server itself takes 10.90.10.1.
server 10.90.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Full tunnel: every client's default route, DNS included, goes through the VPN.
push "redirect-gateway def1 bypass-dhcp"
# NOTE(review): all client DNS is handed to a third-party resolver; point this
# at an internal resolver if the VPN is meant to keep traffic private.
push "dhcp-option DNS 8.8.8.8"
# NOTE(review): client-to-client lets every connected client reach every other
# one directly, bypassing host firewalls; drop it unless clients must talk.
client-to-client
# NOTE(review): duplicate-cn allows one certificate to be used by several
# clients at once. gen-client.sh issues one certificate per user, so this is
# unnecessary and removes per-user accountability; remove it.
duplicate-cn
keepalive 10 120
# NOTE(review): AES-CBC (no AEAD) and no tls-auth/tls-crypt key. On OpenVPN
# 2.4+ prefer AES-256-GCM and add `tls-crypt ta.key` so unauthenticated
# packets are discarded before the TLS handshake; add `crl-verify` so a
# revoked client certificate actually stops working.
cipher AES-128-CBC
# NOTE(review): compressing traffic before encryption leaks plaintext through
# packet length (VORACLE); OpenVPN deprecates it. Remove here and in the
# client template — both sides must agree.
comp-lzo
# Drop root after startup; persist-key/persist-tun let the daemon survive a
# SIGUSR1 restart without re-reading the key or re-opening tun as root.
user nobody
group nogroup
persist-key
persist-tun
# logs/ must exist (see the mkdir below) before the first start.
status logs/status.log
log-append logs/openvpn.log
verb 3
# server.conf points status/log-append at logs/ relative to /etc/openvpn, so
# the directory must exist before the first start; pre-creating the files is
# harmless. NOTE(review): status.log lists connected users and their
# addresses — keep it readable by root only.
mkdir -p /etc/openvpn/logs
touch /etc/openvpn/logs/{openvpn,status}.log
Generating client certificates is kind of "complicated" and involves multiple steps by default.
To make it more friendly, I've created a simple bash script.
# Client-issuing helper; the script body follows.
vim /etc/openvpn/gen-client.sh
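#!/bin/bash
# gen-client.sh USERNAME
#
# Issues a client certificate for USERNAME with easy-rsa 2.x (pkitool) and
# assembles the per-user bundle /etc/openvpn/clients/USERNAME/ containing
# USERNAME.ovpn (copied from the .tmp.ovpn template), USERNAME.crt,
# USERNAME.key and ca.crt. Run as root from /etc/openvpn.
# Exit status: 0 on success, 2 on a bad USERNAME, non-zero if any step fails.
#
# -u is deliberately left out: easy-rsa's vars is sourced below and was not
# written to tolerate unset-variable errors.
set -eo pipefail

readonly easy_rsa_dir=/etc/openvpn/easy-rsa
readonly clients_dir=/etc/openvpn/clients
readonly template="${clients_dir}/.tmp/.tmp.ovpn"

username=${1:-}
# USERNAME becomes both a certificate CN and a path component under clients/,
# so restrict it to a safe character set. This rejects the empty string, "..",
# and anything containing "/" or shell metacharacters, which the unquoted
# original would have passed straight into cp/mv paths.
if [[ -z "$username" || ! "$username" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
  printf 'usage: %s USERNAME   (letters, digits, ".", "_" and "-" only)\n' "${0##*/}" >&2
  exit 2
fi

# Everything created below includes a private key: no group/other access.
umask 077

# Generating key
echo "Generating key for user ${username}"
cd "$easy_rsa_dir"
# pkitool needs the KEY_* environment from vars and must run from easy_rsa_dir.
source vars && ./pkitool "$username"
echo "Done"

# Assemble the bundle directly in its final location (the original staged the
# .ovpn in clients/.tmp first; the end state is identical).
target="${clients_dir}/${username}"
mkdir -p -- "$target"
cp -- "$template" "${target}/${username}.ovpn"
cp -- "${easy_rsa_dir}/keys/${username}".{crt,key} "$target"
cp -- "${easy_rsa_dir}/keys/ca.crt" "$target"
echo "Done"
# NOTE(review): the directory listing later in this guide also shows
# USERNAME.tar.gz, which nothing here produces — the original script probably
# had a packaging step that was lost when it was pasted.
echo "
=========================================================================================
---------------------------------------------------------------------------------
Client bundle for ${username}: ${target}"
exit 0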
Make it executable:
# Executable bit only; the script is run as root from /etc/openvpn (see below).
chmod +x /etc/openvpn/gen-client.sh
Now we need to create a client config template, which will be used in the next step.
# Template directory read by gen-client.sh; .tmp.ovpn is copied for every user.
mkdir -p /etc/openvpn/clients/.tmp/
# The template content follows.
vim /etc/openvpn/clients/.tmp/.tmp.ovpn
# /etc/openvpn/clients/.tmp/.tmp.ovpn — client template, copied verbatim by
# gen-client.sh next to USERNAME.crt, USERNAME.key and ca.crt.
client
verb 1
dev tun
proto udp
port 1194
# Replace example.com with the server's real hostname or address.
remote example.com 1194 udp
# Require the server's certificate to carry server key usage/EKU, so a leaked
# client certificate cannot be used to impersonate the server to other clients.
remote-cert-tls server
resolv-retry infinite
nobind
persist-key
persist-tun
# NOTE(review): these two must match the server exactly. Both sides should drop
# comp-lzo (compression over TLS leaks plaintext via length) and move to an
# AEAD cipher on OpenVPN 2.4+.
comp-lzo
cipher AES-128-CBC
# NOTE(review): no ca/cert/key (or inline <ca>/<cert>/<key>) directives appear
# here, so the files gen-client.sh copies beside this .ovpn are never referenced
# and the client cannot present a certificate — presumably lines were lost from
# the template. Either gen-client.sh has to substitute the per-user file names,
# or it should inline the credentials into the generated .ovpn.
# gen-client.sh assumes this working directory for its relative paths.
cd /etc/openvpn/
# Issues a certificate for "username" and assembles the bundle listed below.
./gen-client.sh username
tree /etc/openvpn/clients/
/etc/openvpn/clients/
username
ca.crt
username.crt
username.key
username.ovpn
username.tar.gz
Client side
Install the openvpn package:
apt-get update
apt-get install openvpn
# NOTE(review): the step that transfers the bundle (username.ovpn, .crt, .key,
# ca.crt) to this machine and starts openvpn with it is not shown. The bundle
# contains a private key, so move it over an authenticated channel (scp or
# similar), not by mail, and delete the server-side copy of username.key once
# it has been delivered.
# 10.90.10.1 is the server's tunnel address from `server 10.90.10.0
# 255.255.255.0`; a reply means the tunnel is up.
ping 10.90.10.1