Openvpn

Fri, Feb 5, 2021 2-minute read

Install

apt-get install openvpn easy-rsa

Copy easy-rsa into the openvpn directory (sometimes I’ve found this was already done):

mkdir /etc/openvpn/easy-rsa/
cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/

Inside /etc/openvpn/easy-rsa/, edit the vars file to match our environment. Then build the CA certificate:

source vars
./clean-all
./build-ca

Server certificates

./build-key-server servername

Generate the Diffie-Hellman parameters (this step is required):

./build-dh

Now copy everything we just generated (easy-rsa places it in the keys/ subdirectory) to /etc/openvpn:

cp servername.crt servername.key ca.crt dh2048.pem /etc/openvpn

Client certificates

Inside /etc/openvpn/easy-rsa/, source vars again, but do not run ./clean-all (it would wipe the CA and server keys just created):

./build-key clientname

To create the client files, instead of copying all of this by hand I use an existing script. It works with a Default.txt file containing the basic configuration, into which the script inserts the certificates inline. The Default.txt should look something like this (direccionippublica stands for the server’s public IP address):

client
dev tun
proto udp
remote direccionippublica 1194
resolv-retry infinite
nobind
persist-key 
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1 
cipher AES-128-CBC
comp-lzo
verb 1
mute 20  

Once we have this, we execute:

./MakeOPVN.sh

It asks for the client name we used earlier when building the client certificate (clientname); once that is done we have a clientname.conf that can be used on clients. On Ubuntu it is enough to copy that file to /etc/openvpn and then restart openvpn.
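The following is an added example, not the MakeOPVN.sh script the post uses: it shows what such a script does with Default.txt, appending the CA certificate, the client certificate and key, and (when present) the tls-auth key as inline blocks to produce a single client config. The key directory layout, the client name laptop and the PEM contents built in demo_build are constructed assumptions for running it offline.

```shell
#!/bin/sh
# Added example (not the original MakeOPVN.sh): build one client config with the
# CA cert, client cert, client key and, if present, tls-auth key inlined.
# File names below (Default.txt, keys/, ca.crt, ta.key) are assumptions.

# make_inline_config DEFAULT_TXT KEYS_DIR CLIENT_NAME OUTPUT_FILE
make_inline_config() {
    base="$1"; keys="$2"; client="$3"; out="$4"
    for f in "$base" "$keys/ca.crt" "$keys/$client.crt" "$keys/$client.key"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    {
        cat "$base"
        printf '<ca>\n'; cat "$keys/ca.crt"; printf '</ca>\n'
        printf '<cert>\n'
        # easy-rsa 2 writes a human-readable dump above the PEM block in .crt files;
        # keep only the PEM part so the <cert> block stays clean
        sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$keys/$client.crt"
        printf '</cert>\n'
        printf '<key>\n'; cat "$keys/$client.key"; printf '</key>\n'
        # key-direction 1 in Default.txt means a tls-auth key is expected; inline it when present
        if [ -r "$keys/ta.key" ]; then
            printf '<tls-auth>\n'; cat "$keys/ta.key"; printf '</tls-auth>\n'
        fi
    } > "$out"
    chmod 600 "$out"   # the output now carries a private key
}

# pem LABEL BODY: print a minimal PEM-shaped block (constructed dummy data, not a real key)
pem() { printf '%s\n' "-----BEGIN $1-----" "$2" "-----END $1-----"; }

# Constructed demo input so the function can be exercised offline; prints the output path.
demo_build() {
    dir=$(mktemp -d)
    mkdir "$dir/keys"
    printf 'client\ndev tun\nproto udp\nremote vpn.example.invalid 1194\nkey-direction 1\n' > "$dir/Default.txt"
    pem CERTIFICATE DUMMYCA > "$dir/keys/ca.crt"
    {
        echo 'Certificate:'
        echo '    Data: (text dump easy-rsa writes before the PEM block)'
        pem CERTIFICATE DUMMYCERT
    } > "$dir/keys/laptop.crt"
    pem 'PRIVATE KEY' DUMMYKEY > "$dir/keys/laptop.key"
    pem 'OpenVPN Static key V1' DUMMYTA > "$dir/keys/ta.key"
    make_inline_config "$dir/Default.txt" "$dir/keys" laptop "$dir/laptop.conf" || return 1
    echo "$dir/laptop.conf"
}

# Run with "demo" as the first argument to build the constructed example and show it.
if [ "${1:-}" = demo ]; then
    cat "$(demo_build)"
fi
```

Two directives in the Default.txt above are worth checking against the OpenVPN version on the clients: ns-cert-type was removed in OpenVPN 2.5 (remote-cert-tls server is the replacement), and comp-lzo is deprecated, with compression now generally recommended off.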

Start the server and check its status

/etc/init.d/openvpn restart

This restarts openvpn. Since we already have a server.conf in /etc/openvpn, it runs it; if there are more .conf files there, it runs all of them too. To see the status:

systemctl status openvpn*.service 

or

service openvpn status
service openvpn@servername status

The name after the @ is the basename of the .conf file, so the instance for server.conf is openvpn@server.

Client on macOS

Install Tunnelblick and copy clientname.conf to the machine; once Tunnelblick is installed, double-click the conf file and it should work.

Static IP addresses

By default the server assigns client addresses dynamically, like DHCP, but I use this option in the server configuration file to be able to give out static IP addresses:

client-config-dir ccd

That’s why I have a ccd folder in the base directory (/etc/openvpn), containing one file per client, named after the client name, and in that file we put:

ifconfig-push 10.8.0.2 10.8.0.1

The first address is the one we want for the client and the second is the gateway.
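As an added example (not from the original post), a small helper for the ccd mechanism described above: it writes the ifconfig-push line into the file named after the client and refuses to hand the same address to a second client, which is the mistake that silently breaks one of the two clients once both connect. The ccd path, the client names and the addresses used in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): manage per-client static addresses in the
# client-config-dir (ccd). The ccd file name must equal the client's certificate common
# name (the clientname given to ./build-key), which is how OpenVPN locates the file.

# list_static_ips CCD_DIR: print "client address" for every ccd file with an ifconfig-push line
list_static_ips() {
    ccd="$1"
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        awk -v c="$(basename "$f")" '$1 == "ifconfig-push" { print c, $2 }' "$f"
    done
}

# assign_static_ip CCD_DIR CLIENT IP GATEWAY
assign_static_ip() {
    ccd="$1"; client="$2"; ip="$3"; gw="$4"
    mkdir -p "$ccd"
    # Collision check: is this address already pushed to a different client?
    owner=$(list_static_ips "$ccd" | awk -v ip="$ip" '$2 == ip { print $1 }')
    if [ -n "$owner" ] && [ "$owner" != "$client" ]; then
        echo "$ip is already assigned to $owner" >&2
        return 1
    fi
    # Rewrite rather than append, so re-running for a client replaces its old address
    # while keeping any other per-client directives in the file.
    tmp="$ccd/.$client.tmp"
    {
        if [ -f "$ccd/$client" ]; then awk '$1 != "ifconfig-push"' "$ccd/$client"; fi
        echo "ifconfig-push $ip $gw"
    } > "$tmp"
    mv "$tmp" "$ccd/$client"
}

# Constructed demo: two clients in a temporary ccd directory, then the resulting table.
demo_ccd() {
    dir=$(mktemp -d)
    assign_static_ip "$dir/ccd" laptop 10.8.0.2 10.8.0.1
    assign_static_ip "$dir/ccd" phone 10.8.0.6 10.8.0.5
    list_static_ips "$dir/ccd"
}

if [ "${1:-}" = demo ]; then
    demo_ccd
fi
```

The meaning of the second argument depends on the server's topology: with the default net30 topology it is the server-side endpoint of the client's /30 (the "gateway" as used above, and the two addresses must form a valid /30 pair), whereas with topology subnet it is the netmask. The ccd directory must also be readable by the user openvpn drops privileges to, or the files are silently ignored.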