OpenVPN server configuration
The first thing to do is install OpenVPN:
root@localhost:~# apt-get install openvpn
The apt-get command locates and downloads the OpenVPN package and all the necessary dependencies for you. Once installation is complete, we're ready to start configuring our server. We can use scripts included with OpenVPN to create our certificates. Let's start by copying these scripts to a new folder:
root@localhost:~# cp -pr /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
Now, let's move into that directory and start configuring the scripts:
root@localhost:~# cd /etc/openvpn/easy-rsa
We need to edit the vars file. You can use Vim or Nano (or any text editor, of course). If you're not familiar with Vim, you'll find Nano to be easier.
root@localhost:/etc/openvpn/easy-rsa# nano vars
At the bottom of the file, you'll see several variables that you can change to reflect your location and other information. These can also be left as is if you do not want or need to specify that information:
# These are the default values for fields
# that will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
Save the file (Ctrl-O in Nano) and exit the editor.
Now, we need to source the vars file:
root@localhost:/etc/openvpn/easy-rsa# source ./vars
Next, we need to make the scripts executable:
root@localhost:/etc/openvpn/easy-rsa# chmod +x ./*
To make sure we're ready to go, initialize the key directory:
root@localhost:/etc/openvpn/easy-rsa# ./clean-all
Then we build our CA (certificate authority):
root@localhost:/etc/openvpn/easy-rsa# ./build-ca
This process will prompt you for the certificate details again, but the values you set in the vars file are offered as the defaults at each prompt.
Now we build a keyfile:
root@localhost:/etc/openvpn/easy-rsa# ./build-key-server server
You will again be prompted for the certificate information, and usually you can just hit Enter at each prompt. You do not need to enter a password here. When asked to sign the certificate, answer "y," and enter "y" again when prompted to commit the request.
Next, we need to build a Diffie-Hellman file:
root@localhost:/etc/openvpn/easy-rsa# ./build-dh
Then we need to build a remote client certificate:
root@localhost:/etc/openvpn/easy-rsa# ./build-key remote1
If you want to protect this certificate with a password, use this command:
root@localhost:/etc/openvpn/easy-rsa# ./build-key-pass remote1
The password will be required every time you connect to the VPN; if that's not desired, use the build-key command listed first. Most installations will not need or want a password on the certificate.
You will again be prompted for the certificate information, and you can usually just hit Enter through all the prompts, answering "y" at the end as you did with the build-key-server command above.
Now that we've made all the keys, we need to put the new files into place. To do that, we move into the keys directory that the script created:
root@localhost:/etc/openvpn/easy-rsa# cd keys
root@localhost:/etc/openvpn/easy-rsa/keys#
And we copy the files to the /etc/openvpn directory:
root@localhost:/etc/openvpn/easy-rsa/keys# cp ca.crt /etc/openvpn
root@localhost:/etc/openvpn/easy-rsa/keys# cp server.crt /etc/openvpn
root@localhost:/etc/openvpn/easy-rsa/keys# cp server.key /etc/openvpn
root@localhost:/etc/openvpn/easy-rsa/keys# cp dh1024.pem /etc/openvpn
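After copying, it is worth checking what actually landed in /etc/openvpn before starting the daemon. The function below is an added example, not part of the original tutorial: it confirms the four files above are present, that server.key is not readable by group or others, and that ca.key (which belongs only on the CA and is never copied in the steps above) did not end up there by mistake. The DH file name defaults to dh1024.pem as produced above; pass a second argument if your build-dh produced a different name.

```shell
#!/bin/sh
# Added post-copy check for the OpenVPN key directory (not from the original tutorial).
# Usage: check_openvpn_keys /etc/openvpn [dh-file-name]
# Returns 0 when everything is in order, 1 otherwise, printing each problem found.
check_openvpn_keys() {
    dir="$1"
    dh="${2:-dh1024.pem}"   # name of the Diffie-Hellman file written by ./build-dh
    rc=0

    # 1. All files the server config will reference must be present.
    for f in ca.crt server.crt server.key "$dh"; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f"
            rc=1
        fi
    done

    # 2. The server's private key must not be readable by group or others.
    #    Columns 5-10 of 'ls -l' are the group and other permission bits,
    #    which is portable across GNU and BSD userlands (stat flags differ).
    if [ -f "$dir/server.key" ]; then
        perms=$(ls -l "$dir/server.key" | cut -c5-10)
        case "$perms" in
            ------) ;;   # no group/other bits set: good
            *) echo "server.key is accessible to group/others (bits: $perms); use chmod 600"; rc=1 ;;
        esac
    fi

    # 3. The CA private key should stay with the CA, never on the VPN server.
    if [ -f "$dir/ca.key" ]; then
        echo "ca.key found in $dir: remove it, the server only needs ca.crt"
        rc=1
    fi

    return $rc
}
```

With openssl available, `openssl verify -CAfile /etc/openvpn/ca.crt /etc/openvpn/server.crt` additionally confirms that the server certificate was issued by the CA built with ./build-ca.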