OpenVPN server configuration

Owned by Technical Service Specialist
Last updated: Oct 26, 2023 by Vladimir Tayzhev
3 min read

Example of OpenVPN server configuration on Linux operating system. First, install the OpenVPN package:

sudo apt-get install openvpn

 

Warning

Set the correct time on all devices that will work in the VPN network, otherwise, the created certificates may be not valid!

Create certificates and keys for the server

The first step when setting up OpenVPN is to create a Public Key Infrastructure (PKI). In summary, this consists of:

  • a public master Certificate Authority (CA) certificate and a private key;

  • a separate public certificate and private key pair for the server;

  • a separate public certificate and private key pair for each client.

For security purposes, it is recommended that the CA machine be separate from the machine running OpenVPN. Build easy-rsa utility on the CA machine:

sudo apt-get install python-markdown
sudo apt-get install dos2unix
sudo apt-get install unzip

cd ~
wget https://github.com/OpenVPN/easy-rsa/archive/master.zip
unzip master.zip
cd easy-rsa-master
./build/build-dist.sh
tar xvzf ./dist-staging/EasyRSA-git-development.tgz
cd EasyRSA-git-development/

On the CA machine, initialize a new PKI:

./easyrsa init-pki

Generate a CA keypair that will be used to sign certificates. It is important that you create a strong password. Fill in the Common Name (CN) field with your server name.

./easyrsa build-ca

The Diffie-Hellman (DH) parameters file:

./easyrsa gen-dh

Generate server keypair with the name "server". Enter a server Private Key Password, you will need to enter it every time the server starts:

./easyrsa build-server-full server

If you do not want to protect the server certificate with a password, use the following command:

./easyrsa build-server-full server nopass

For extra security beyond that provided by SSL/TLS, create an HMAC TLS static key:

openvpn --genkey --secret ta.key

Upon completing the steps, you will have generated the following files for the OpenVPN server:

ca.crt

The master Certificate Authority (CA) certificate, required by both server and client

dh.pem

The Diffie-Hellman (DH) parameters file, required for TLS mode

ta.key

TLS static key, if needed

/pki/private/server.key

The server private key from server key pair

/pki/issued/server.crt

The server public certificate from server key pair

Create certificates and keys for clients

It is important that when creating key pairs for clients they have a different Common Name. Later, by this name, it will be possible to determine the connected client. For each monitoring device in the VPN, you need to create an individual key pair.

Create a key pair for the monitoring unit, and set the Common Name as "unit1":

./easyrsa build-client-full unit1 nopass

We will also create keys for other units: unit2, unit3, etc.

Create a key pair for the user "client1", with this key you can connect your PC to the OpenVPN network:

./easyrsa build-client-full client1 nopass

Upon completing the steps, you will have generated the following files for OpenVPN clients:

/pki/private/unit1.key

The client private key from client key pair, used for monitoring system

/pki/issued/unit1.crt

The client public certificate from client key pair, used for monitoring system

/pki/private/client1.key

The client private key from the client key pair, used by the user to access the network

/pki/issued/client1.crt

The client public certificate from client key pair, used by the user to access the network

OpenVPN server configuration

Copy the OpenVPN server certificate and key files on the server machine to the /etc/openvpn/ directory. Create a configuration file /etc/openvpn/server.conf with the following contents:

# Sample OpenVPN 2.0 config file for multi-client server.

port 1194

proto udp
dev tun

ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem

topology subnet
client-to-client
float

# Private subnet
push "route 10.8.0.0 255.255.255.0"

# Virtual network address and mask
server 10.8.0.0 255.255.255.0

# Use the subdirectory "ccd" for client-specific configuration files (to assign specific IP addresses to specific clients).
client-config-dir /etc/openvpn/ccd

# DNS servers
push "dhcp-option DNS 8.8.8.8"

# For extra security TLS key, if used
# tls-auth /etc/openvpn/server/ta.key 0

# If you enable it here, you must also enable it in the client config file.
# comp-lzo

# The maximum number of concurrently connected clients we want to allow.
max-clients 100

cipher AES-256-CBC

user nobody
group nobody

persist-key
persist-tun

keepalive 30 180

# Log settings
status /etc/openvpn/status.log
log /etc/openvpn/server.log
verb 4

# Notify the client that when the server restarts so it can automatically reconnect.
explicit-exit-notify 1

 

Now place client-specific configuration files in the /etc/openvpn/ccd directory to define the fixed IP address for each VPN client. Create files with the name of the Common Name of the client certificate (unit1, unit2, etc.). The content of the file describes the assigned IP address.

/etc/openvpn/ccd/unit1

ifconfig-push 10.8.0.101 255.255.255.0

/etc/openvpn/ccd/unit2

ifconfig-push 10.8.0.102 255.255.255.0

For those clients for which the rule is not described, an IP address will be assigned from the pool of free addresses.

 

Start OpenVPN server by command:

sudo openvpn --config /etc/openvpn/server.conf