Install the OpenVPN and easy-rsa packages
user@localhost:~$ sudo apt update
user@localhost:~$ sudo apt install openvpn easy-rsa
Basic configuration
- Configuration file
Copy the example from the documentation folder
user@localhost:~$ sudo cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
Go to the OpenVPN configuration directory
user@localhost:~$ cd /etc/openvpn
Open the main configuration file in a text editor
user@localhost:~$ sudo nano server.conf
Set the dh parameter so that it points at the file /etc/openvpn/dh.pem
dh /etc/openvpn/dh.pem
Then find the line:
;push "redirect-gateway def1 bypass-dhcp"
and uncomment it so that all client traffic is routed through the VPN (the pushed option must stay one quoted string):
push "redirect-gateway def1 bypass-dhcp"
Find the user parameter and set its value to nobody, so that the daemon drops root privileges after start-up:
user nobody
The same for the group (on Debian and Ubuntu the unprivileged group is called nogroup; use the name that exists on your system):
group nobody
The paths to keys and certificates:
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
tls-auth /etc/openvpn/ta.key 0
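The directives above are the ones that decide whether the server drops privileges and whether its key material is protected. As an added example (not code from the tutorial), the Python checker below parses a server.conf, confirms the required directives are present, that each push option is one quoted string, that every referenced file exists, and that private key files (key, tls-auth, tls-crypt) are not readable by group or other. The sample config and the path-to-mode map are constructed: the map stands in for the filesystem so the example runs offline, with ta.key deliberately missing (the tutorial references it but only generates it later with openvpn --genkey) and server.key deliberately world-readable.

```python
import os
import shlex
import stat
import sys
from typing import Dict, List, Tuple

# Constructed sample config: the directives this tutorial sets, plus one
# deliberate mistake (an unquoted multi-word push) for the checker to flag.
SAMPLE_CONF = """\
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
tls-auth /etc/openvpn/ta.key 0
push redirect-gateway def1 bypass-dhcp
user nobody
group nobody
"""

# Constructed stand-in for the filesystem (path -> permission bits):
# /etc/openvpn/ta.key is absent on purpose, server.key is world-readable.
SAMPLE_FILES = {
    "/etc/openvpn/ca.crt": 0o644,
    "/etc/openvpn/server.crt": 0o644,
    "/etc/openvpn/server.key": 0o644,
    "/etc/openvpn/dh.pem": 0o644,
}

FILE_DIRECTIVES = ("ca", "cert", "key", "dh", "tls-auth", "tls-crypt")
SECRET_DIRECTIVES = ("key", "tls-auth", "tls-crypt")
REQUIRED = ("ca", "cert", "key", "dh", "user", "group")


def parse_conf(text: str) -> List[Tuple[str, List[str]]]:
    """Split an OpenVPN config into (directive, args); '#' and ';' lines are comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # honours the quotes around push options
        entries.append((parts[0], parts[1:]))
    return entries


def check_server_conf(text: str, files: Dict[str, int]) -> List[str]:
    """Return a list of findings; an empty list means the config passed."""
    findings: List[str] = []
    entries = parse_conf(text)
    seen = {directive for directive, _ in entries}

    for directive in REQUIRED:
        if directive not in seen:
            findings.append(f"missing directive: {directive}")
    if "tls-auth" not in seen and "tls-crypt" not in seen:
        findings.append("control channel has no tls-auth/tls-crypt key")

    for directive, args in entries:
        if directive == "push" and len(args) != 1:
            # OpenVPN takes the pushed option as exactly one (quoted) parameter
            findings.append("push option must be a single quoted string: "
                            + " ".join(args))
        if directive in ("user", "group") and args and args[0] == "root":
            findings.append(f"{directive} root: privileges are never dropped")
        if directive in FILE_DIRECTIVES and args:
            path = args[0]
            mode = files.get(path)
            if mode is None:
                findings.append(f"{directive}: referenced file does not exist: {path}")
            elif directive in SECRET_DIRECTIVES and mode & 0o077:
                findings.append(f"{directive}: {path} is readable by group/other "
                                f"(mode {mode:04o}); use chmod 600")
    return findings


def modes_from_disk(text: str) -> Dict[str, int]:
    """Build the path -> mode map from the real filesystem for a config on disk."""
    modes = {}
    for directive, args in parse_conf(text):
        if directive in FILE_DIRECTIVES and args and os.path.exists(args[0]):
            modes[args[0]] = stat.S_IMODE(os.stat(args[0]).st_mode)
    return modes


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python3 check_conf.py /etc/openvpn/server.conf
        conf = open(sys.argv[1]).read()
        findings = check_server_conf(conf, modes_from_disk(conf))
    else:
        findings = check_server_conf(SAMPLE_CONF, SAMPLE_FILES)
    for finding in findings:
        print("-", finding)
```

Run against the constructed sample it reports three findings (the world-readable server key, the missing ta.key and the unquoted push); pointed at a real file it uses the actual permission bits, so run it after the cp and chown steps later in this guide.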
- Generation of keys and certificates
user@localhost:~$ mkdir -p ~/easy-rsa
user@localhost:~$ cp -rf /usr/share/easy-rsa/3.0.3/* ~/easy-rsa
user@localhost:~$ cd ~/easy-rsa
user@localhost:~$ ./easyrsa init-pki
This creates the pki directory, with the subdirectories easy-rsa stores its files in
user@localhost:~$ ./easyrsa gen-dh
This takes some time; the result is written to ~/easy-rsa/pki/dh.pem
user@localhost:~$ ./easyrsa build-ca
You will be asked for a new password for the private key of your root (CA) certificate.
Please enter the password and write it down in a safe place: it is requested every time a certificate is signed with this CA.
user@localhost:~$ ./easyrsa build-server-full server nopass
user@localhost:~$ ./easyrsa build-client-full client nopass
user@localhost:~$ sudo cp pki/ca.crt pki/dh.pem pki/private/server.key pki/issued/server.crt /etc/openvpn/
user@localhost:~$ sudo chown root /etc/openvpn/*
Check that the configuration works
user@localhost:~$ sudo openvpn /etc/openvpn/server.conf
We get output like this
Tue Aug 13 09:31:11 2019 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Tue Aug 13 09:31:11 2019 Diffie-Hellman initialized with 2048 bit key
Tue Aug 13 09:31:11 2019 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Aug 13 09:31:11 2019 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Aug 13 09:31:11 2019 ROUTE_GATEWAY 172.16.2.1/255.255.255.0 IFACE=eth0 HWADDR=52:54:00:10:3b:15
Tue Aug 13 09:31:11 2019 TUN/TAP device tun0 opened
Tue Aug 13 09:31:11 2019 TUN/TAP TX queue length set to 100
Tue Aug 13 09:31:11 2019 /sbin/ip link set dev tun0 up mtu 1500
Tue Aug 13 09:31:11 2019 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Tue Aug 13 09:31:11 2019 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Tue Aug 13 09:31:11 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET
Tue Aug 13 09:31:11 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Aug 13 09:31:11 2019 UDPv4 link local (bound): [AF_INET][undef]:1194
Tue Aug 13 09:31:11 2019 UDPv4 link remote: [AF_UNSPEC]
Tue Aug 13 09:31:11 2019 MULTI: multi_init called, r=256 v=256
Tue Aug 13 09:31:11 2019 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Tue Aug 13 09:31:11 2019 IFCONFIG POOL LIST
Tue Aug 13 09:31:11 2019 Initialization Sequence Completed
Press Ctrl+C to interrupt the process
Tue Aug 13 09:31:12 2019 event_wait : Interrupted system call (code=4)
Tue Aug 13 09:31:14 2019 /sbin/ip route del 10.8.0.0/24
Tue Aug 13 09:31:14 2019 Closing TUN/TAP interface
Tue Aug 13 09:31:14 2019 /sbin/ip addr del dev tun0 local 10.8.0.1 peer 10.8.0.2
Tue Aug 13 09:31:14 2019 SIGINT[hard,] received, process exiting
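The start-up log is the quickest place to confirm what the server actually did with the configuration: which protocol and port it bound, which HMAC the control channel uses, how large the DH parameters are, and whether it reached "Initialization Sequence Completed". As an added example (not code from the tutorial), the Python script below extracts those facts from the log lines and turns them into review notes. The sample log is a constructed copy of the lines shown above. The two notes it raises are my own hardening choices, not requirements stated by the tutorial: the 160-bit SHA1 control-channel HMAC can be replaced by setting auth SHA256 in both server and client configs, and because OpenVPN logs "UID set to ..." and "GID set to ..." when it drops privileges, the absence of those lines means the user/group drop was not observed in this particular output.

```python
import re
from typing import Dict, List

# Constructed sample: the server start-up lines from the tutorial above.
SAMPLE_LOG = """\
Tue Aug 13 09:31:11 2019 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Tue Aug 13 09:31:11 2019 Diffie-Hellman initialized with 2048 bit key
Tue Aug 13 09:31:11 2019 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Aug 13 09:31:11 2019 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Aug 13 09:31:11 2019 TUN/TAP device tun0 opened
Tue Aug 13 09:31:11 2019 UDPv4 link local (bound): [AF_INET][undef]:1194
Tue Aug 13 09:31:11 2019 UDPv4 link remote: [AF_UNSPEC]
Tue Aug 13 09:31:11 2019 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Tue Aug 13 09:31:11 2019 Initialization Sequence Completed
"""

# "Tue Aug 13 09:31:11 2019 " prefix that OpenVPN puts on every line
TIMESTAMP = re.compile(r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} ")

# (pattern, action) pairs; the action copies the captured values into the summary.
# The hash name may be wrapped in straight or typographic quotes depending on
# how the log was copied.
RULES = [
    (re.compile(r"^OpenVPN (\S+) "),
     lambda s, m: s.update(version=m.group(1))),
    (re.compile(r"^Diffie-Hellman initialized with (\d+) bit key"),
     lambda s, m: s.update(dh_bits=int(m.group(1)))),
    (re.compile(r"Control Channel Authentication: Using (\d+) bit message hash ['\u2018](\w+)['\u2019]"),
     lambda s, m: s.update(hmac_bits=int(m.group(1)), hmac_hash=m.group(2))),
    (re.compile(r"^TUN/TAP device (\S+) opened"),
     lambda s, m: s.update(tun=m.group(1))),
    (re.compile(r"^(UDP|TCP)v[46] link local \(bound\): .*:(\d+)$"),
     lambda s, m: s.update(proto=m.group(1), port=int(m.group(2)))),
    (re.compile(r"^IFCONFIG POOL: base=(\S+) size=(\d+)"),
     lambda s, m: s.update(pool_base=m.group(1), pool_size=int(m.group(2)))),
    (re.compile(r"^UID set to (\S+)"), lambda s, m: s.update(uid=m.group(1))),
    (re.compile(r"^GID set to (\S+)"), lambda s, m: s.update(gid=m.group(1))),
    (re.compile(r"^Initialization Sequence Completed"),
     lambda s, m: s.update(completed=True)),
]


def summarize_log(text: str) -> Dict[str, object]:
    """Extract the facts a reviewer checks from an OpenVPN server start-up log."""
    summary: Dict[str, object] = dict(
        version=None, dh_bits=None, hmac_bits=None, hmac_hash=None, tun=None,
        proto=None, port=None, pool_base=None, pool_size=None,
        uid=None, gid=None, completed=False)
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw.strip())
        for pattern, action in RULES:
            match = pattern.search(line)
            if match:
                action(summary, match)
                break
    return summary


def review(summary: Dict[str, object], expected_port: int = 1194) -> List[str]:
    """Turn the summary into review notes; an empty list means nothing to raise."""
    notes = []
    if not summary["completed"]:
        notes.append("server did not reach 'Initialization Sequence Completed'")
    if summary["port"] != expected_port:
        notes.append(f"listening on {summary['proto']} port {summary['port']}, "
                     f"expected {expected_port}")
    if summary["hmac_hash"] == "SHA1":
        notes.append("control-channel HMAC uses SHA1; set 'auth SHA256' in the "
                     "server and client configs")
    if summary["dh_bits"] is not None and summary["dh_bits"] < 2048:
        notes.append(f"DH parameters are only {summary['dh_bits']} bits")
    if summary["uid"] is None or summary["gid"] is None:
        notes.append("no 'UID set to'/'GID set to' lines: the user/group "
                     "privilege drop was not observed")
    return notes


if __name__ == "__main__":
    facts = summarize_log(SAMPLE_LOG)
    print(f"OpenVPN {facts['version']} on {facts['proto']}/{facts['port']}, "
          f"{facts['tun']}, pool {facts['pool_base']} size {facts['pool_size']}")
    for note in review(facts):
        print("-", note)
```

Feed it the journal of the service instead (journalctl -u openvpn@server) to review a running instance; the timestamp prefix differs there, so strip it first or adjust TIMESTAMP.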
Now start OpenVPN as a service; systemd lets you run an individual configuration by appending its name after '@' (openvpn@server uses /etc/openvpn/server.conf)
user@localhost:~$ sudo systemctl start openvpn@server
user@localhost:~$ systemctl status openvpn@server
Open port 1194 in the firewall
If firewalld is active, we execute the commands
user@localhost:~$ sudo firewall-cmd --zone public --add-service=openvpn
user@localhost:~$ sudo firewall-cmd --runtime-to-permanent
For those who prefer iptables + netfilter-persistent, insert a rule like the following before the rules that drop traffic. The sample configuration uses proto udp (the log above shows a UDPv4 socket), so it is UDP port 1194 that must be opened.
(The position depends heavily on your current rule set; before adding it, check which rules are already present with iptables -nvL --line-numbers)
user@localhost:~$ sudo iptables -I INPUT 4 -p udp --dport 1194 -j ACCEPT
user@localhost:~$ sudo service netfilter-persistent save
For those who chose nftables, add the following line to the input chain in /etc/nftables.conf, before the rules that drop traffic (UDP, for the same reason as above)
udp dport 1194 accept
Then reload the rules
With this, the basic setup on the server side can be considered complete