OpenVPN
Jump to navigation
Jump to search
Generate the master Certificate Authority (CA) certificate & key
sudo rsync -a /usr/share/openvpn/easy-rsa/2.0/ /etc/openvpn/easy-rsa/
/etc/openvpn/easy-rsa/vars set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters.
. ./vars ./clean-all ./build-ca
Answer yes on everything exept:
Generate certificate & key for server
When the Common Name is queried, enter "server"
./build-key-server server
Generate Diffie Hellman parameters
./build-dh
HMAC firewall
cd /etc/openvpn/easy-rsa/keys && openvpn --genkey --secret ta.key
Generate certificates & keys for client
Howto create a new client config.
cd /etc/openvpn/easy-rsa/ . vars ./build-key rollewrt cp keys/rollewrt.* /etc/openvpn/blt/ cd /etc/openvpn/blt cp blt_olle.ovpn blt_rollewrt.ovpn vim blt_rollewrt.ovpn for i in rollewrt ;do echo $i ;tar czf /tmp/openvpn-client-$i-blt.homeip.net.tar.gz $i.* ca.crt ta.key blt_$i.ovpn;done
for i in bob ;do echo $i ;tar czf /tmp/openvpn-client-$i-www.halfface.se.tar.gz $i.* ca.crt ta.key halfface_$i.ovpn;done
Key Files
Now we will find our newly-generated keys and certificates in the keys subdirectory. Here is an explanation of the relevant files:
Filename Needed By Purpose Secret ca.crt server + all clients Root CA certificate NO ca.key key signing machine only Root CA key YES dh{n}.pem server only Diffie Hellman parameters NO server.crt server only Server Certificate NO server.key server only Server Key YES client1.crt client1 only Client1 Certificate NO client1.key client1 only Client1 Key YES
setup server and client
server
Copy example configuration files.
mkdir /etc/openvpn/config; cp /usr/share/doc/openvpn-2.1/sample-config-files/{client,server}.conf /etc/openvpn/config
Copy keys to location.
cp -p ca.crt server.crt server.key dh1024.pem ta.key ../..
Edit server.conf
# change this value to the network behind the openvpn server push "route 192.168.0.0 255.255.255.0" # Enable clients to comunicate with each other. client-to-client # Enable hmac firewall. tls-auth ta.key 0 # This file is secret
Copy server.conf to location:
cp /etc/openvpn/config/server.conf /etc/openvpn
Edit client.conf and save as /etc/openvpn/blt
# Change to name of openvpn server. remote blt.homeip.net 1194 # Change path to certificates. ca blt/ca.crt cert blt/bjorklun.crt key blt/bjorklun.key # Enable hmac firewall. tls-auth ta.key 1
Copy certificates.
cp -p /etc/openvpn/easy-rsa/keys/{ca.crt,bjorklun.*,ta.key} /etc/openvpn/blt/
Create openvpn config to transfer to client.
for i in rolle olle strate;do echo $i ;tar czf /install/program/windows/openvpn/openvpn-client-$i-blt.homeip.net.tar.gz $i.* ca.crt ta.key blt_$i.ovpn;done
Route a client network.
/etc/openvpn/server.conf:route 192.168.10.0 255.255.255.0 /etc/openvpn/server.conf:push "route 192.168.10.0 255.255.255.0" /etc/openvpn/ccd/rollewrt:iroute 192.168.10.0 255.255.255.0