An example of OpenVPN server configuration on a Linux operating system. First, install the OpenVPN package:
|sudo apt-get install openvpn|
Set the correct time on all devices that will take part in the VPN network; otherwise the certificates you create may not be valid, because certificate validity periods are checked against each device's local clock.
Create certificates and keys for the server
The first step when setting up OpenVPN is to create a Public Key Infrastructure (PKI). In summary, this consists of:
- a public master Certificate Authority (CA) certificate and a private key;
- a separate public certificate and private key pair for the server;
- a separate public certificate and private key pair for each client.
For security purposes, it is recommended that the CA machine be separate from the machine running OpenVPN. Build the easy-rsa utility on the CA machine:
|sudo apt-get install python-markdown|
|sudo apt-get install dos2unix|
|sudo apt-get install unzip|
|tar xvzf ./dist-staging/EasyRSA-git-development.tgz|
On the CA machine, initialize a new PKI:
|./easyrsa init-pki|
Generate a CA key pair that will be used to sign certificates. It is important that you choose a strong password. Fill in the Common Name (CN) field with your server name.
|./easyrsa build-ca|
Generate the Diffie-Hellman (DH) parameters file:
|./easyrsa gen-dh|
Generate the server key pair with the name "server". Enter a private key password for the server; you will need to enter it every time the server starts:
|./easyrsa build-server-full server|
If you do not want to protect the server private key with a password, use the following command instead:
|./easyrsa build-server-full server nopass|
For extra security beyond that provided by SSL/TLS, create an HMAC TLS static key (used by the tls-auth directive):
|openvpn --genkey --secret ta.key|
Upon completing the steps, you will have generated the following files for the OpenVPN server:
|ca.crt||The master Certificate Authority (CA) certificate, required by both server and client|
|dh.pem||The Diffie-Hellman (DH) parameters file, required for TLS mode|
|ta.key||TLS static key, if needed|
|/pki/private/server.key||The server private key from server key pair|
|/pki/issued/server.crt||The server public certificate from server key pair|
Create certificates and keys for clients
Each client key pair must have a different Common Name: the server later identifies a connected client by this name. Create an individual key pair for each monitoring device in the VPN.
Create a key pair for the monitoring unit, set the Common Name as "unit1":
|./easyrsa build-client-full unit1 nopass|
We will also create keys for other units: unit2, unit3, etc.
Create a key pair for the user "client1"; with this key you can connect your PC to the OpenVPN network:
|./easyrsa build-client-full client1 nopass|
Upon completing the steps, you will have generated the following files for the OpenVPN clients:
|/pki/private/unit1.key||The client private key from the client key pair, used by the monitoring unit|
|/pki/issued/unit1.crt||The client public certificate from the client key pair, used by the monitoring unit|
|/pki/private/client1.key||The client private key from the client key pair, used by the user to access the network|
|/pki/issued/client1.crt||The client public certificate from the client key pair, used by the user to access the network|
OpenVPN server configuration
Copy the OpenVPN server certificate and key files (ca.crt, dh.pem, server.crt, server.key and, if used, ta.key) to the /etc/openvpn/ directory on the server machine. Create a configuration file /etc/openvpn/server.conf with the following contents:
# Sample OpenVPN 2.0 config file for multi-client server.
port 1194
proto udp
dev tun
# Certificate, key and DH files copied to /etc/openvpn/
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
# Private subnet
push "route 10.8.0.0 255.255.255.0"
# Virtual network address and mask
server 10.8.0.0 255.255.255.0
# Subnet topology, needed for the "ifconfig-push <ip> <netmask>" form used in the ccd files
topology subnet
# Use the subdirectory "ccd" for client-specific configuration files (to assign specific IP addresses to specific clients).
client-config-dir /etc/openvpn/ccd
# DNS servers
push "dhcp-option DNS 126.96.36.199"
# For extra security TLS key, if used
# tls-auth /etc/openvpn/ta.key 0
# If you enable it here, you must also enable it in the client config file.
# The maximum number of concurrently connected clients we want to allow.
;max-clients 100
# Ping every 30 s; consider the peer down after 180 s without a reply
keepalive 30 180
# Log settings
status /var/log/openvpn-status.log
verb 3
# Notify the client that when the server restarts so it can automatically reconnect.
explicit-exit-notify 1
Now place client-specific configuration files in the /etc/openvpn/ccd directory to give each VPN client a fixed IP address. Each file is named after the Common Name of the client certificate (unit1, unit2, etc.) and its contents describe the assigned address. For example, /etc/openvpn/ccd/unit1 and /etc/openvpn/ccd/unit2 would contain, respectively:
|ifconfig-push 10.8.0.101 255.255.255.0|
|ifconfig-push 10.8.0.102 255.255.255.0|
Clients for which no such file exists are assigned an address from the server's pool of free addresses.
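As an added check (example code written for this page, not part of the original tutorial or of OpenVPN), the following Python script validates a ccd directory of the kind described above before the server is started: it flags files without exactly one ifconfig-push line, addresses outside the 10.8.0.0/24 server subnet, the server's own address, duplicate assignments and a netmask that differs from the server directive. The directory layout, the subnet and the sample entries built by make_sample_ccd are assumptions for the example.

```python
# Added example, not from the original page: check the ccd directory before starting
# the server. Assumes the layout above (one file per certificate Common Name, one
# "ifconfig-push <ip> <netmask>" line each) and the 10.8.0.0/24 server subnet.
import ipaddress
import os
import re
import tempfile

IFCONFIG_PUSH = re.compile(r"^\s*ifconfig-push\s+(\S+)\s+(\S+)\s*$")

def check_ccd(ccd_dir, vpn_subnet="10.8.0.0/24"):
    """Return a list of problems found in ccd_dir; empty means the directory is consistent."""
    net = ipaddress.ip_network(vpn_subnet)
    server_ip = net.network_address + 1  # the "server" directive takes .1 for itself
    problems, assigned = [], {}
    for name in sorted(os.listdir(ccd_dir)):
        path = os.path.join(ccd_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path) as f:
            pushes = [m for m in map(IFCONFIG_PUSH.match, f) if m]
        if len(pushes) != 1:
            problems.append(f"{name}: expected one ifconfig-push line, found {len(pushes)}")
            continue
        ip_s, mask_s = pushes[0].groups()
        try:
            ip, mask = ipaddress.ip_address(ip_s), ipaddress.ip_address(mask_s)
        except ValueError:
            problems.append(f"{name}: cannot parse '{ip_s} {mask_s}'")
            continue
        if mask != net.netmask:
            problems.append(f"{name}: netmask {mask} differs from the server netmask {net.netmask}")
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {ip} is not a usable host address in {net}")
        elif ip == server_ip:
            problems.append(f"{name}: {ip} is the server's own address")
        elif ip in assigned:
            problems.append(f"{name}: {ip} already assigned to {assigned[ip]}")
        else:
            assigned[ip] = name
    return problems

def make_sample_ccd():  # constructed sample directory: two correct entries, three mistakes
    d = tempfile.mkdtemp()
    entries = {"unit1": "10.8.0.101", "unit2": "10.8.0.102", "unit3": "10.8.0.101",
               "client1": "10.8.0.1", "unit4": "10.8.1.5"}
    for cn, ip in entries.items():
        with open(os.path.join(d, cn), "w") as f:
            f.write(f"ifconfig-push {ip} 255.255.255.0\n")
    return d
```

Run check_ccd("/etc/openvpn/ccd") on the real directory; a non-empty result lists the files to fix.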
Start the OpenVPN server with the command:
|sudo openvpn --config /etc/openvpn/server.conf|