install_24_4_openvpn [RADIUSdesk]

This page is read only. You can view the source, but not change it. Ask your administrator if you think this is wrong.
====== Install OpenVPN on Ubuntu 24.04 ======
===== Introduction =====
  * When installing OpenVPN on a server, the item that takes the most preparation is the setup of the PKI. 
  * Although it is easy once you figured it out, because OpenVPN has been around for such a long time there are lots of outdated or over complicated documentation out there.
  * Even when I asked one of the AI engines for instructions it provided me with old outdated instructions.
  * The following instructions should work well on any of the recent versions of OpenVPN

------

===== Install OpenVPN  =====
  * We will install **openvpn** and **easy-rsa**.
  * Easy-rsa is a CLI utility to build and manage a PKI CA.
<code bash>
sudo apt update && sudo apt upgrade -y
sudo apt install openvpn easy-rsa -y
</code>

------

===== Create PKI  =====
  * Easy-rsa includes a couple of utility programs which you should use in a specific sequence to get a working PKI.
  * Start of by using the **make-cadir** program and specify the folder name where the CA / PKI files will live.
<code bash>
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
</code>
  * You will see the following files inside the CA directory.
<code bash>
ls -l
total 20
lrwxrwxrwx 1 system system   27 Nov 18 11:57 easyrsa -> /usr/share/easy-rsa/easyrsa
-rw-r--r-- 1 system system 5145 Nov 18 11:57 openssl-easyrsa.cnf
-rw-r--r-- 1 system system 9085 Nov 18 11:57 vars
lrwxrwxrwx 1 system system   30 Nov 18 11:57 x509-types -> /usr/share/easy-rsa/x509-types
</code>
  * We need to edit the **vars** file in order to direct Easy-rsa how to generate the PKI files.
  * This is where the more recent enhancements to crypto-logy can be utilized instead of the older, less secure and slower encryption methods.
  * For this we have to add the following to the **vars** file:
<code bash>
set_var EASYRSA_ALGO   "ec"
set_var EASYRSA_DIGEST "sha512"
set_var EASYRSA_CURVE  "prime256v1"
</code> 
  * This instruct Easy-rsa to use the Elliptic Curve (instead of RSA algorithm) for encryption.
  * Once those changes to the **vars** file are complete you can issue the following command to initiate the PKI
<code bash>
./easyrsa init-pki
</code>
  * This is the feedback from the command on my server:
<code bash>
Notice
------
'init-pki' complete; you may now create a CA or requests.

Your newly created PKI dir is:
* /home/system/openvpn-ca/pki

Using Easy-RSA configuration:
* /home/system/openvpn-ca/vars
</code>
  * There will now be a **pki** sub folder which will contain things like certificates and sign requests.
  * The last step will be to create the Certificate Authority (CA).
  * For this you will need to specify a name (typically an organisation name like RADIUSdesk) and a passphrase.
<code bash>
./easyrsa build-ca
</code>
   * This is the feedback from the command on my server:
<code bash>
Using Easy-RSA 'vars' configuration:
* /home/system/openvpn-ca/vars

Using SSL:
* openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)

Enter New CA Key Passphrase: 

Confirm New CA Key Passphrase: 
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:RADIUSdesk CA

Notice
------
CA creation complete. Your new CA certificate is at:
* /home/system/openvpn-ca/pki/ca.crt
</code>
  * Now everything is in place for us to sign certificate requests.
  * This will be covered in the next section.

-------------

===== Generate Server Certificate, Key  =====
  * To create a certificate is a two step process.
    * First we generate a sign request for the certificate.
    * Then we (as the CA) sign the request in order generate a complete and usable certificate.
<code bash>
./easyrsa gen-req server nopass
</code>
  * This is the feedback from the command on my server:
<code bash>
Using Easy-RSA 'vars' configuration:
* /home/system/openvpn-ca/vars

Using SSL:
* openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:

Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /home/system/openvpn-ca/pki/reqs/server.req
* key: /home/system/openvpn-ca/pki/private/server.key
</code>
  * Now we can sign the request. You will be asked to confirm the process by typing **yes** and you also need to supply the CA's passphrase.
<code bash>
./easyrsa sign-req server server
</code>
  * This is the feedback from the command on my server:
<code bash>
./easyrsa sign-req server server
Using Easy-RSA 'vars' configuration:
* /home/system/openvpn-ca/vars

Using SSL:
* openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
You are about to sign the following certificate:
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate 
for '825' days:

subject=
    commonName                = server

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes

Using configuration from /home/system/openvpn-ca/pki/openssl-easyrsa.cnf
Enter pass phrase for /home/system/openvpn-ca/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Feb 21 12:44:13 2028 GMT (825 days)

Write out database with 1 new entries
Database updated

Notice
------
Certificate created at:
* /home/system/openvpn-ca/pki/issued/server.crt
</code>

===== Generate TLS-crypt key  =====
  * This step is used to harden the OpenVPN installation further and is optional (although recommended)
  * Issue the following command:
<code bash>
openvpn --genkey tls-crypt-v2-server tls-crypt-v2-server.key
</code>
  * This will create the **tls-crypt-v2-server.key** file which looks like this on my server:
<code bash>
cat tls-crypt-v2-server.key 
-----BEGIN OpenVPN tls-crypt-v2 server key-----
a/T1frlxbTuUYojvB/0P2csxOC04prDtWWuPIbQC+o2I+DuMWkzK0OFalucBQPki
9JcEXN3sZNCWYP1bohAzIYkzxiRNWSPwtzSg/etfZIXWWseJvGQ+UqbEBjQjTRVE
9zfhjdL6Ltm5J6LiEC1N4mqV0BTwe77xSIBJsy2LjYk=
-----END OpenVPN tls-crypt-v2 server key-----
</code>
  * When tls-crypt-v2 is specified in the OpenVPN config file, each client connecting will also be required to have this item defined in its config file. The client's key needs to generated using the server key.
  * This is an extra obfuscation on OpenVPN's control channel to hide metadata which can be used to gain more insights on the OpenVPN instance running on the server.
  * All the required items are now present to have a working OpenVPN server.

----------------

===== Server Config File =====
  * This is how our **/etc/openvpn/server.conf** file looks:
<code bash>
port 1194
proto udp
dev tun

# --- PKI / TLS (ECC only, no DH) ---
ca ca.crt
cert server.crt
key server.key

# No "dh none" when using EC certificates
dh none

# Optional but recommended: match your Easy-RSA curve (if you set EASYRSA_CURVE)
# ecdh-curve prime256v1

# Protect and hide the control channel
tls-crypt-v2 tls-crypt-v2-server.key

# Only allow modern TLS
tls-version-min 1.2
remote-cert-eku "TLS Web Client Authentication"

# --- VPN network ---
topology subnet
server 10.8.0.0 255.255.255.0

# Push default route + DNS to clients (adjust if you want split tunnel)
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 9.9.9.9"

# --- Encryption (data channel) ---
data-ciphers AES-256-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-GCM

# --- Misc hardening / behavior ---
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
verb 3

</code>
  * We also have to make sure the all the files from our PKI location is copied to the /etc/openvpn directory:
<code bash>
sudo cp pki/ca.crt pki/issued/server.crt pki/private/server.key tls-crypt-v2-server.key /etc/openvpn/
</code>

----------------

===== Start and Enable OpenVPN =====
<code bash>
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
sudo systemctl status openvpn@server
</code>