OpenVPN Server
OpenVPN is a full-featured SSL/TLS VPN that supports several authentication methods; this guide uses X.509 certificates issued by a private Easy-RSA CA, plus a pre-shared HMAC key (tls-auth) that protects the control channel.
Installation
# Debian/Ubuntu (apt-get is the script-stable CLI; "apt" is the interactive front end)
sudo apt-get install openvpn easy-rsa
# RHEL/CentOS (both packages are provided by the EPEL repository; enable it if dnf cannot find them)
sudo dnf install openvpn easy-rsa

PKI Setup with Easy-RSA
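# Create the PKI working directory. make-cadir is the Debian/Ubuntu wrapper;
# on RHEL-family systems copy the easy-rsa tree (typically /usr/share/easy-rsa/3/) instead.
make-cadir ~/openvpn-ca
cd ~/openvpn-ca || exit 1
# Initialize PKI
./easyrsa init-pki
# Build the CA. Deliberately NOT "nopass": the CA key can sign a certificate for
# any client or server, so it gets a passphrase and this directory stays off the
# VPN server (see Best Practices: keep the CA offline). Later sign-req/revoke
# steps will prompt for that passphrase.
./easyrsa build-ca
# Generate the server key and request, then sign it with the "server" type so the
# certificate carries the server EKU that a client-side "remote-cert-tls server"
# check relies on.
./easyrsa gen-req server nopass
./easyrsa sign-req server server
# Generate Diffie-Hellman parameters (slow; consumed by the "dh dh.pem" directive)
./easyrsa gen-dh
# Generate TLS auth key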
openvpn --genkey secret ta.key   # OpenVPN 2.5+ syntax; older releases use "openvpn --genkey --secret ta.key"

Generate Client Certificates
# Create the client's private key and signing request. "nopass" leaves the key
# unencrypted so the tunnel can start unattended; omit it for user laptops,
# where an on-disk key should be passphrase-protected.
./easyrsa gen-req client1 nopass
# Sign the request with the "client" type (sets the client EKU)
./easyrsa sign-req client client1

Copy Files to Server
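# Copy to the OpenVPN directory. Public material (CA cert, server cert, DH
# params) may be world-readable; the server private key must not be. "install"
# sets owner and mode explicitly, whereas "cp" inherits whatever mode the PKI
# directory and the current umask happened to produce.
sudo install -m 0644 -o root -g root pki/ca.crt /etc/openvpn/server/
sudo install -m 0644 -o root -g root pki/issued/server.crt /etc/openvpn/server/
sudo install -m 0600 -o root -g root pki/private/server.key /etc/openvpn/server/
sudo install -m 0644 -o root -g root pki/dh.pem /etc/openvpn/server/
# ta.key (copied next) is a shared secret as well: make it root-owned mode 0600 too.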
sudo cp ta.key /etc/openvpn/server/

Server Configuration
/etc/openvpn/server/server.conf
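port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# TLS Authentication: every control-channel packet is HMAC-signed with the
# shared ta.key, so unauthenticated UDP packets are dropped before any TLS
# handshake work is done. Direction 0 here pairs with "key-direction 1" on
# clients. On OpenVPN 2.4+ "tls-crypt ta.key" (no direction) also encrypts the
# control channel and is the stronger option; switching requires the matching
# change in every client profile.
tls-auth ta.key 0
# Only accept peers whose certificate was signed with the "client" type
# (easyrsa sign-req client). A leaked server certificate then cannot be
# replayed as a client credential.
remote-cert-tls client
# Refuse TLS 1.0/1.1 on the control channel.
tls-version-min 1.2
# Data-channel cipher. On OpenVPN 2.5+ "cipher" is only the fallback; prefer
# "data-ciphers AES-256-GCM:AES-128-GCM" there. "auth" selects the HMAC used
# for tls-auth (and for non-AEAD data ciphers); AES-GCM authenticates itself.
cipher AES-256-GCM
auth SHA256
# Network
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
# Clients can't connect to each other: "client-to-client" would ENABLE
# client-to-client traffic inside the daemon, so it is left disabled.
# Without it, packets between clients are routed by the kernel and pass the
# host's FORWARD chain, where a tun0-to-tun0 DROP rule can block them.
#client-to-client
# Keepalive
keepalive 10 120
# Security: drop root after the keys are read and the tun device is open.
# persist-key/persist-tun keep both across SIGUSR1 restarts, since the
# unprivileged user could not reopen them.
user nobody
group nogroup   # the group is "nobody" on RHEL-family systems
persist-key
persist-tun
# Logging
status /var/log/openvpn/status.log
log-append /var/log/openvpn/openvpn.log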
verb 3

Client Configuration
client1.ovpn
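client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Only trust a server whose certificate was signed with the "server" type
# (easyrsa sign-req server). Without this check any certificate issued by the
# same CA -- including another client's -- could impersonate the VPN server.
remote-cert-tls server
# Refuse TLS 1.0/1.1 on the control channel (must be allowed by the server too).
tls-version-min 1.2
# Certificates (inline). The <key> block is this client's long-term private
# key: keep the .ovpn file readable only by its owner.
<ca>
-----BEGIN CERTIFICATE-----
[CA certificate content]
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
[Client certificate content]
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
[Client key content]
-----END PRIVATE KEY-----
</key>
# Same ta.key as the server; key-direction 1 pairs with "tls-auth ta.key 0" there.
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
[TLS auth key content]
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
# Must match the server's settings (on 2.5+ both sides negotiate from
# data-ciphers and "cipher" is only the fallback).
cipher AES-256-GCM
auth SHA256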
verb 3

Enable IP Forwarding
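# Enable forwarding persistently. A drop-in file is idempotent: re-running this
# does not append a duplicate line the way "tee -a /etc/sysctl.conf" does.
printf 'net.ipv4.ip_forward = 1\n' | sudo tee /etc/sysctl.d/99-openvpn-forward.conf
# Apply now; --system loads /etc/sysctl.d/*, which "sysctl -p" alone does not.
sudo sysctl --system
# Configure NAT so client traffic leaves via the server's uplink address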
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE   # replace eth0 with the real uplink interface; this rule is not persisted across reboots

Start Server
# Start now and enable on boot in one step (--now = enable followed by start)
sudo systemctl enable --now openvpn-server@server
# Check status
sudo systemctl status openvpn-server@server

Firewall Configuration
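# UFW: this only opens the listening port. Routed client traffic additionally
# needs DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw and the MASQUERADE
# rule placed in /etc/ufw/before.rules.
sudo ufw allow 1194/udp
# iptables
sudo iptables -A INPUT -p udp --dport 1194 -j ACCEPT
# This lets VPN clients reach every service on the server host itself; narrow
# it to the ports they need (e.g. DNS) if the host runs anything else.
sudo iptables -A INPUT -i tun0 -j ACCEPT
# Return traffic for forwarded client connections; required whenever the
# FORWARD chain's policy is DROP.
sudo iptables -A FORWARD -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT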
sudo iptables -A FORWARD -i tun0 -j ACCEPT

Revoke Client Certificate
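cd ~/openvpn-ca || exit 1
# Revoke certificate (prompts for the CA passphrase if the CA key has one)
./easyrsa revoke client1
# Generate CRL. The CRL itself has an expiry (EASYRSA_CRL_DAYS, 180 by default);
# once it has lapsed certificate verification fails for every client, so
# regenerate and redeploy it before then.
./easyrsa gen-crl
# Copy CRL to server. Mode 0644 matters: OpenVPN 2.4+ re-reads crl.pem when it
# changes, and does so after dropping to "nobody", so a root-only file breaks auth.
sudo install -m 0644 -o root -g root pki/crl.pem /etc/openvpn/server/
# Add to server config, only once ("tee -a" on every revocation would stack duplicates)
sudo grep -qxF 'crl-verify crl.pem' /etc/openvpn/server/server.conf \
  || echo "crl-verify crl.pem" | sudo tee -a /etc/openvpn/server/server.conf
# Restart: needed the first time to load the new directive. Afterwards, OpenVPN
# 2.4+ picks up an updated crl.pem on its own and no restart is required.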
sudo systemctl restart openvpn-server@server

Monitoring
# Connected clients: the daemon rewrites status.log on an interval, so a
# one-shot read shows the current sessions (common name, real and virtual IP)
cat /var/log/openvpn/status.log
# Tail logs (needs sudo: the file is written by the daemon before it drops privileges)
sudo tail -f /var/log/openvpn/openvpn.log

Best Practices
- Use tls-auth (or tls-crypt on 2.4+) - the control-channel HMAC lets the server drop unauthenticated packets before the TLS handshake, blunting DoS and port scans
- Strong ciphers - AES-256-GCM (data-ciphers on 2.5+) and TLS 1.2 or newer on the control channel
- Verify peer roles - remote-cert-tls server on clients and remote-cert-tls client on the server, so a certificate issued for one role cannot be used in the other
- Drop privileges - run as nobody with persist-key/persist-tun
- Separate PKI - keep the CA directory and its passphrase-protected key off the VPN server
- CRL - revoke compromised certs, and regenerate the CRL before it expires
- Protect secrets - server.key, ta.key and client .ovpn files contain private keys; keep them mode 0600