Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision | ||
| install_24_4_openvpn [2025/11/18 13:49] – created system | install_24_4_openvpn [2025/11/19 04:44] (current) – system | ||
|---|---|---|---|
| Line 6: | Line 6: | ||
| * The following instructions should work well on any of the recent versions of OpenVPN | * The following instructions should work well on any of the recent versions of OpenVPN | ||
| - | ===== Install | + | ------ |
| - | * We will install the openvpn and easy-rsa | + | |
| + | ===== Install OpenVPN | ||
| + | * We will install **openvpn** and **easy-rsa**. | ||
| + | * Easy-rsa is a CLI utility to build and manage a PKI CA. | ||
| + | <code bash> | ||
| + | sudo apt update && sudo apt upgrade -y | ||
| + | sudo apt install openvpn easy-rsa -y | ||
| + | </ | ||
| + | |||
| + | ------ | ||
| + | |||
| + | ===== Create PKI ===== | ||
| + | * Easy-rsa includes a couple of utility programs which you should use in a specific sequence to get a working PKI. | ||
| + | * Start off by using the **make-cadir** program and specifying the folder name where the CA / PKI files will live. |
| + | <code bash> | ||
| + | make-cadir ~/ | ||
| + | cd ~/ | ||
| + | </ | ||
| + | * You will see the following files inside the CA directory. | ||
| + | <code bash> | ||
| + | ls -l | ||
| + | total 20 | ||
| + | lrwxrwxrwx 1 system system | ||
| + | -rw-r--r-- 1 system system 5145 Nov 18 11:57 openssl-easyrsa.cnf | ||
| + | -rw-r--r-- 1 system system 9085 Nov 18 11:57 vars | ||
| + | lrwxrwxrwx 1 system system | ||
| + | </ | ||
| + | * We need to edit the **vars** file to tell Easy-rsa how to generate the PKI files. |
| + | * This is where the more recent advances in cryptography can be used instead of the older, less secure and slower methods. |
| + | * For this we have to add the following to the **vars** file: |
| + | <code bash> | ||
| + | set_var EASYRSA_ALGO | ||
| + | set_var EASYRSA_DIGEST " | ||
| + | set_var EASYRSA_CURVE | ||
| + | </ | ||
| + | * This instructs Easy-rsa to use elliptic curve keys (instead of the RSA algorithm) for the PKI. |
| + | * Once those changes to the **vars** file are complete, you can issue the following command to initialise the PKI: |
| + | <code bash> | ||
| + | ./easyrsa init-pki | ||
| + | </ | ||
| + | * This is the feedback from the command on my server: | ||
| + | <code bash> | ||
| + | Notice | ||
| + | ------ | ||
| + | ' | ||
| + | |||
| + | Your newly created PKI dir is: | ||
| + | * / | ||
| + | |||
| + | Using Easy-RSA configuration: | ||
| + | * / | ||
| + | </ | ||
| + | * There will now be a **pki** subfolder which will contain things like certificates and signing requests. |
| + | * The last step is to create the Certificate Authority (CA). |
| + | * For this you will need to specify a name (typically an organisation name like RADIUSdesk) and a passphrase. | ||
| + | <code bash> | ||
| + | ./easyrsa build-ca | ||
| + | </ | ||
| + | * This is the feedback from the command on my server: | ||
| + | <code bash> | ||
| + | Using Easy-RSA ' | ||
| + | * / | ||
| + | |||
| + | Using SSL: | ||
| + | * openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024) | ||
| + | |||
| + | Enter New CA Key Passphrase: | ||
| + | |||
| + | Confirm New CA Key Passphrase: | ||
| + | ----- | ||
| + | You are about to be asked to enter information that will be incorporated | ||
| + | into your certificate request. | ||
| + | What you are about to enter is what is called a Distinguished Name or a DN. | ||
| + | There are quite a few fields but you can leave some blank | ||
| + | For some fields there will be a default value, | ||
| + | If you enter ' | ||
| + | ----- | ||
| + | Common Name (eg: your user, host, or server name) [Easy-RSA CA]: | ||
| + | |||
| + | Notice | ||
| + | ------ | ||
| + | CA creation complete. Your new CA certificate is at: | ||
| + | * / | ||
| + | </ | ||
| + | * Now everything is in place for us to sign certificate requests. | ||
| + | * This will be covered in the next section. | ||
| + | |||
| + | ------------- | ||
| + | |||
| + | ===== Generate Server Certificate, | ||
| + | * Creating a certificate is a two-step process. |
| + | * First we generate a signing request for the certificate. |
| + | * Then we (as the CA) sign the request in order to generate a complete and usable certificate. |
| + | <code bash> | ||
| + | ./easyrsa gen-req server nopass | ||
| + | </ | ||
| + | * This is the feedback from the command on my server: | ||
| + | <code bash> | ||
| + | Using Easy-RSA ' | ||
| + | * / | ||
| + | |||
| + | Using SSL: | ||
| + | * openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024) | ||
| + | ----- | ||
| + | You are about to be asked to enter information that will be incorporated | ||
| + | into your certificate request. | ||
| + | What you are about to enter is what is called a Distinguished Name or a DN. | ||
| + | There are quite a few fields but you can leave some blank | ||
| + | For some fields there will be a default value, | ||
| + | If you enter ' | ||
| + | ----- | ||
| + | Common Name (eg: your user, host, or server name) [server]: | ||
| + | |||
| + | Notice | ||
| + | ------ | ||
| + | Private-Key and Public-Certificate-Request files created. | ||
| + | Your files are: | ||
| + | * req: / | ||
| + | * key: / | ||
| + | </ | ||
| + | * Now we can sign the request. You will be asked to confirm the process by typing **yes** and you also need to supply the CA's passphrase. | ||
| + | <code bash> | ||
| + | ./easyrsa sign-req server server | ||
| + | </ | ||
| + | * This is the feedback from the command on my server: | ||
| + | <code bash> | ||
| + | ./easyrsa sign-req server server | ||
| + | Using Easy-RSA ' | ||
| + | * / | ||
| + | |||
| + | Using SSL: | ||
| + | * openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024) | ||
| + | You are about to sign the following certificate: | ||
| + | Please check over the details shown below for accuracy. Note that this request | ||
| + | has not been cryptographically verified. Please be sure it came from a trusted | ||
| + | source or that you have verified the request checksum with the sender. | ||
| + | Request subject, to be signed as a server certificate | ||
| + | for ' | ||
| + | |||
| + | subject= | ||
| + | commonName | ||
| + | |||
| + | Type the word ' | ||
| + | Confirm request details: yes | ||
| + | |||
| + | Using configuration from / | ||
| + | Enter pass phrase for / | ||
| + | Check that the request matches the signature | ||
| + | Signature ok | ||
| + | The Subject' | ||
| + | commonName | ||
| + | Certificate is to be certified until Feb 21 12:44:13 2028 GMT (825 days) | ||
| + | |||
| + | Write out database with 1 new entries | ||
| + | Database updated | ||
| + | |||
| + | Notice | ||
| + | ------ | ||
| + | Certificate created at: | ||
| + | * / | ||
| + | </ | ||
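Once **sign-req** has written the server certificate, it is worth checking the result before it is copied to the OpenVPN directory: that it chains to the CA, that it was signed as a *server* certificate (which is what clients enforce with **remote-cert-tls**), that the key really is an EC key (what the **vars** changes above were meant to produce) and that the private key belongs to the certificate. The script below is an added example and is not part of this page or of Easy-RSA. It builds a throwaway EC CA with plain **openssl** so it runs anywhere (the CA, certificate and key files it creates are constructed stand-ins for **pki/ca.crt**, **pki/issued/server.crt** and **pki/private/server.key**), and the function name **check_server_cert** is our own.

```shell
#!/bin/sh
# Post-signing sanity check for an easy-rsa style PKI (added example, not from
# the original page). The fixture below stands in for easy-rsa's pki/ directory;
# against a real PKI you would call:
#   check_server_cert pki/ca.crt pki/issued/server.crt pki/private/server.key
set -eu

# check_server_cert CA_CERT SERVER_CERT SERVER_KEY
# returns 0 if every check passes, otherwise the number of the first failing check:
#   1 = does not chain to the CA or is not valid for the TLS server purpose (EKU)
#   2 = certificate does not carry an EC public key
#   3 = private key does not match the certificate
check_server_cert() {
    ca="$1"; crt="$2"; key="$3"
    openssl verify -CAfile "$ca" -purpose sslserver "$crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$crt" -noout -text | grep -q 'id-ecPublicKey' || return 2
    [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = "$(openssl x509 -in "$crt" -noout -pubkey)" ] || return 3
    return 0
}

# ---- constructed fixture: a scratch EC PKI in a temporary directory ----
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
# extension profiles mirroring easy-rsa's "server" and "client" certificate types
printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\nextendedKeyUsage = serverAuth\n' > server.ext
printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\nextendedKeyUsage = clientAuth\n' > client.ext

# CA: EC key on prime256v1 plus a self-signed CA certificate (build-ca equivalent)
openssl ecparam -name prime256v1 -genkey -noout -out ca.key
openssl req -x509 -new -config ca.cnf -key ca.key -sha256 -days 30 -out ca.crt 2>/dev/null

# issue NAME KEYFILE EXTFILE: the CSR and signing steps that gen-req / sign-req perform
issue() {
    openssl req -new -config ca.cnf -key "$2" -subj "/CN=$1" -out "$1.req" 2>/dev/null
    openssl x509 -req -in "$1.req" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 30 -sha256 -extfile "$3" -out "$1.crt" 2>/dev/null
}
openssl ecparam -name prime256v1 -genkey -noout -out server.key
openssl ecparam -name prime256v1 -genkey -noout -out client.key
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out rsa.key 2>/dev/null
issue server server.key server.ext   # the certificate we actually want
issue client client.key client.ext   # a client certificate: must NOT pass as a server cert
issue rsa    rsa.key    server.ext   # valid chain, but RSA rather than the EC profile configured in vars

check_server_cert ca.crt server.crt server.key && echo "server.crt / server.key: OK"
```

The purpose check is the one most often skipped by hand: a certificate that was signed with **sign-req client** by mistake will still chain to the CA, but clients configured with **remote-cert-tls server** will refuse it, and the failure only shows up at connection time.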
| + | |||
| + | ===== Generate TLS-crypt key ===== | ||
| + | * This step hardens the OpenVPN installation further and is optional (although recommended). |
| + | * Issue the following command: | ||
| + | <code bash> | ||
| + | openvpn --genkey tls-crypt-v2-server tls-crypt-v2-server.key | ||
| + | </ | ||
| + | * This will create the **tls-crypt-v2-server.key** file which looks like this on my server: | ||
| + | <code bash> | ||
| + | cat tls-crypt-v2-server.key | ||
| + | -----BEGIN OpenVPN tls-crypt-v2 server key----- | ||
| + | a/ | ||
| + | 9JcEXN3sZNCWYP1bohAzIYkzxiRNWSPwtzSg/ | ||
| + | 9zfhjdL6Ltm5J6LiEC1N4mqV0BTwe77xSIBJsy2LjYk= | ||
| + | -----END OpenVPN tls-crypt-v2 server key----- | ||
| + | </ | ||
| + | * When tls-crypt-v2 is specified in the OpenVPN config file, each client connecting will also be required to have this item defined in its config file. The client' | ||
| + | * This is an extra obfuscation on OpenVPN' | ||
| + | * All the required items are now present to have a working OpenVPN server. | ||
| + | |||
| + | ---------------- | ||
| + | |||
| + | ===== Server Config File ===== | ||
| + | * This is how our **/ | ||
| + | <code bash> | ||
| + | port 1194 | ||
| + | proto udp | ||
| + | dev tun | ||
| + | |||
| + | # --- PKI / TLS (ECC only, no DH) --- | ||
| + | ca ca.crt | ||
| + | cert server.crt | ||
| + | key server.key | ||
| + | |||
| + | # No DH parameters are needed with EC certificates, so DH is disabled |
| + | dh none | ||
| + | |||
| + | # Optional but recommended: | ||
| + | # ecdh-curve prime256v1 | ||
| + | |||
| + | # Protect and hide the control channel | ||
| + | tls-crypt-v2 tls-crypt-v2-server.key | ||
| + | |||
| + | # Only allow modern TLS | ||
| + | tls-version-min 1.2 | ||
| + | remote-cert-eku "TLS Web Client Authentication" | ||
| + | |||
| + | # --- VPN network --- | ||
| + | topology subnet | ||
| + | server 10.8.0.0 255.255.255.0 | ||
| + | |||
| + | # Push default route + DNS to clients (adjust if you want split tunnel) | ||
| + | push " | ||
| + | push " | ||
| + | push " | ||
| + | |||
| + | # --- Encryption (data channel) --- | ||
| + | data-ciphers AES-256-GCM: | ||
| + | data-ciphers-fallback AES-256-GCM | ||
| + | |||
| + | # --- Misc hardening / behavior --- | ||
| + | user nobody | ||
| + | group nogroup | ||
| + | persist-key | ||
| + | persist-tun | ||
| + | keepalive 10 120 | ||
| + | verb 3 | ||
| + | |||
| + | </ | ||
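A server config tends to drift over time (a directive gets commented out while debugging, a legacy **cipher** line is pasted in from an old client), so it helps to have a quick check that the hardening directives from the file above are still present. The script below is an added example, not part of this page or of OpenVPN; **audit_openvpn_conf** is our own function name and the two sample configs it is run against are constructed here (the hardened one mirrors the file above, with a completed cipher list of our own choosing). It only looks at which directives are present or absent; it does not parse OpenVPN's full grammar.

```shell
#!/bin/sh
# Presence/absence audit of an OpenVPN server.conf against the hardening
# directives used in this page's server config (added example, not original content).

# audit_openvpn_conf FILE
# prints one line per finding and returns the number of findings (0 = clean)
audit_openvpn_conf() {
    conf="$1"; findings=0
    # has REGEX: true if a non-comment line of the config matches (ERE)
    has() { sed 's/[#;].*//' "$conf" | grep -Eq "$1"; }

    has '^[[:space:]]*tls-crypt(-v2)?[[:space:]]' \
        || { echo "control channel not wrapped: add tls-crypt-v2 (or tls-crypt)"; findings=$((findings+1)); }
    has '^[[:space:]]*tls-version-min[[:space:]]+1\.[23]' \
        || { echo "no tls-version-min 1.2 (or higher)"; findings=$((findings+1)); }
    has '^[[:space:]]*(remote-cert-eku|remote-cert-tls)[[:space:]]' \
        || { echo "peer certificate type not enforced: add remote-cert-eku or remote-cert-tls"; findings=$((findings+1)); }
    has '^[[:space:]]*user[[:space:]]+nobody' && has '^[[:space:]]*group[[:space:]]+(nogroup|nobody)' \
        || { echo "daemon keeps root after startup: add user nobody / group nogroup"; findings=$((findings+1)); }
    has '^[[:space:]]*data-ciphers[[:space:]]' \
        || { echo "no data-ciphers list: data channel falls back to legacy cipher handling"; findings=$((findings+1)); }
    has '^[[:space:]]*(cipher|data-ciphers(-fallback)?)[[:space:]].*(BF-|DES|RC2|CBC)' \
        && { echo "legacy / non-AEAD cipher allowed on the data channel"; findings=$((findings+1)); }
    return "$findings"
}

# ---- constructed sample configs ----
DEMO="$(mktemp -d)"; trap 'rm -rf "$DEMO"' EXIT
HARDENED="$DEMO/hardened.conf"; WEAK="$DEMO/weak.conf"
cat > "$HARDENED" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh none
tls-crypt-v2 tls-crypt-v2-server.key
tls-version-min 1.2
remote-cert-eku "TLS Web Client Authentication"
topology subnet
server 10.8.0.0 255.255.255.0
data-ciphers AES-256-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-GCM
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
verb 3
EOF
# an older-style config: no control-channel protection, root daemon, CBC cipher
cat > "$WEAK" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
keepalive 10 120
verb 3
EOF

for f in "$HARDENED" "$WEAK"; do
    echo "== $f"
    audit_openvpn_conf "$f" || echo "-> $? finding(s)"
done
```

**dh none** is deliberately not checked, since it is only correct for an EC-only PKI like the one built on this page; an RSA deployment legitimately keeps a **dh** file.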
| + | * We also have to make sure that all the files from our PKI location are copied to the / |
| + | <code bash> | ||
| + | sudo cp pki/ca.crt pki/ | ||
| + | </ | ||
| + | |||
| + | ---------------- | ||
| + | |||
| + | ===== Start and Enable OpenVPN ===== | ||
| + | <code bash> | ||
| + | sudo systemctl start openvpn@server | ||
| + | sudo systemctl enable openvpn@server | ||
| + | sudo systemctl status openvpn@server | ||
| + | </ | ||