

Install OpenVPN on Ubuntu 24.04

  • When installing OpenVPN on a server, the item that takes the most preparation is the setup of the PKI.
  • Although it is easy once you have figured it out, OpenVPN has been around for such a long time that there is a lot of outdated or overcomplicated documentation out there.
  • Even when I asked one of the AI engines for instructions, it provided me with old, outdated instructions.
  • The following instructions should work well on any of the recent versions of OpenVPN.

  • We will install openvpn and easy-rsa.
  • Easy-rsa is a CLI utility to build and manage a PKI CA.
sudo apt update && sudo apt upgrade -y
sudo apt install openvpn easy-rsa -y

  • Easy-rsa includes a couple of utility programs which you should use in a specific sequence to get a working PKI.
  • Start off by using the make-cadir program and specify the folder name where the CA / PKI files will live.
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
  • You will see the following files inside the CA directory.
ls -l
total 20
lrwxrwxrwx 1 system system   27 Nov 18 11:57 easyrsa -> /usr/share/easy-rsa/easyrsa
-rw-r--r-- 1 system system 5145 Nov 18 11:57 openssl-easyrsa.cnf
-rw-r--r-- 1 system system 9085 Nov 18 11:57 vars
lrwxrwxrwx 1 system system   30 Nov 18 11:57 x509-types -> /usr/share/easy-rsa/x509-types
  • We need to edit the vars file in order to direct Easy-rsa how to generate the PKI files.
  • This is where the more recent enhancements to cryptology can be utilized instead of the older, less secure and slower encryption methods.
  • For this we have to add the following to the vars file:
set_var EASYRSA_ALGO   "ec"
set_var EASYRSA_DIGEST "sha512"
set_var EASYRSA_CURVE  "prime256v1"
  • This instructs Easy-rsa to use Elliptic Curve cryptography (instead of the RSA algorithm) for the keys and certificates it generates.
  • Once those changes to the vars file are complete, you can issue the following command to initialise the PKI:
./easyrsa init-pki
  • This is the feedback from the command on my server:
Notice
------
'init-pki' complete; you may now create a CA or requests.
 
Your newly created PKI dir is:
* /home/system/openvpn-ca/pki
 
Using Easy-RSA configuration:
* /home/system/openvpn-ca/vars
  • There will now be a pki sub folder which will contain things like certificates and signing requests.
  • The last step will be to create the Certificate Authority (CA).
  • For this you will need to specify a name (typically an organisation name like RADIUSdesk) and a passphrase.
./easyrsa build-ca
  • This is the feedback from the command on my server:
Using Easy-RSA 'vars' configuration:
* /home/system/Documents/openvpn-ca/vars
 
Using SSL:
* openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
 
Enter New CA Key Passphrase: 
 
Confirm New CA Key Passphrase: 
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:RADIUSdesk CA
 
Notice
------
CA creation complete. Your new CA certificate is at:
* /home/system/Documents/openvpn-ca/pki/ca.crt
  • Now everything is in place for us to sign certificate requests.
  • This will be covered in the next section.
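  • The following script is an added example, not part of the original instructions: it applies the three vars settings above without duplicating lines, audits the vars file, and checks that the resulting CA certificate really uses a prime256v1 EC key signed with SHA-512.
  • The function names are hypothetical helpers; the openssl output strings it greps for are the ones OpenSSL 3.x prints for an ECDSA certificate.

```sh
#!/bin/sh
# Added example (not from the original page): pin the EC settings in an
# Easy-RSA vars file, then check the vars file and the CA certificate.

# set_easyrsa_var FILE KEY VALUE
# Rewrite an active "set_var KEY ..." line if present, otherwise append one.
# Commented-out template lines are left untouched.
# Assumes VALUE contains no '|', '&' or '\' (true for the values used here).
set_easyrsa_var() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*set_var[[:space:]]+$key([[:space:]]|\$)" "$file"; then
        tmp=$(mktemp) || return 1
        sed -E "s|^[[:space:]]*set_var[[:space:]]+$key([[:space:]].*)?\$|set_var $key \"$value\"|" \
            "$file" > "$tmp" && cat "$tmp" > "$file"; rc=$?
        rm -f "$tmp"; return $rc
    else
        printf 'set_var %s "%s"\n' "$key" "$value" >> "$file"
    fi
}

# get_easyrsa_var FILE KEY
# Print the effective value: the last active set_var line wins, quotes removed.
get_easyrsa_var() {
    awk -v k="$2" '
        $1 == "set_var" && $2 == k { $1 = ""; $2 = ""; sub(/^[ \t]+/, ""); v = $0 }
        END { gsub(/"/, "", v); print v }' "$1"
}

# audit_pki_vars FILE
# Succeed only if the vars file selects the EC settings used on this page.
audit_pki_vars() {
    [ "$(get_easyrsa_var "$1" EASYRSA_ALGO)" = "ec" ] &&
    [ "$(get_easyrsa_var "$1" EASYRSA_CURVE)" = "prime256v1" ] &&
    [ "$(get_easyrsa_var "$1" EASYRSA_DIGEST)" = "sha512" ]
}

# verify_ca_cert CERT
# Succeed only if the CA certificate holds a prime256v1 EC key and is
# signed with ECDSA/SHA-512, i.e. the vars settings actually took effect.
verify_ca_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'Public Key Algorithm: id-ecPublicKey' &&
    printf '%s\n' "$text" | grep -q 'ASN1 OID: prime256v1' &&
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: ecdsa-with-SHA512'
}
```

  • Source the script, run set_easyrsa_var and audit_pki_vars against ~/openvpn-ca/vars before ./easyrsa init-pki, and run verify_ca_cert pki/ca.crt after ./easyrsa build-ca.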
  • Last modified: 2025/11/18 14:21
  • by system