OpenVPN Server Configuration

By mfuller, PEI. December 26, 2019. Blog, Networking
How to Configure an OpenVPN

Description:

This document describes how to build an OpenVPN server that provides secure remote access to internal systems. The installation uses the base Arch Linux build we posted a few weeks ago.

Ever have the need for a secure VPN into a private network that accommodates simultaneous connections? Need something free that can be set up on any Linux instance? Then this guide is for you!

OpenVPN Installation

  1. First we log in to the device and change the hostname: edit /etc/hostname and make it look like the following:
Pei-Hq-OpenVPN01
  2. Edit /etc/hosts and make the entries look like the following:
# Static table lookup for hostnames.
# See hosts(5) for details.
127.0.0.1 localhost
::1 localhost
127.0.1.1 Pei-Hq-OpenVPN01.localdomain Pei-Hq-OpenVPN01
  3. Now disable the DHCP netctl profile:
[root@changeme ~]# netctl disable ethernet-dhcp
removed ‘/etc/systemd/system/multi-user.target.wants/netctl@ethernet\x2ddhcp.service’
removed ‘/etc/systemd/system/netctl@ethernet\x2ddhcp.service.d/profile.conf’
removed directory ‘/etc/systemd/system/netctl@ethernet\x2ddhcp.service.d’
  4. Create /etc/netctl/ethernet-static with your IP and gateway information:
Description='Main Interface'
Interface=ens192
Connection=ethernet
IP=static
Address=('192.168.222.100/24')
Gateway='192.168.222.1'
DNS=('8.8.8.8')
  5. Go ahead and enable the new interface profile:
[root@Pei-Hq-OpenVPN01 ~]# netctl enable ethernet-static
‘/etc/systemd/system/multi-user.target.wants/netctl@ethernet\x2dstatic.service’ -> ‘/usr/lib/systemd/system/netctl@.service’
generated ‘/etc/systemd/system/netctl@ethernet\x2dstatic.service.d/profile.conf’
  6. Reboot, and verify connectivity.
  7. Now install openvpn:
[root@Pei-Hq-OpenVPN01 ~]# pacman -S openvpn
resolving dependencies...
looking for conflicting packages...

Packages (5) lzo-2.10-2 nspr-4.21-1 nss-3.43-1 pkcs11-helper-1.25.1-1
openvpn-2.4.7-1

Total Download Size: 2.06 MiB
Total Installed Size: 7.47 MiB

:: Proceed with installation? [Y/n] Y
:: Retrieving packages...
lzo-2.10-2-x86_64 81.7 KiB 229K/s 00:00 [######################] 100%
nspr-4.21-1-x86_64 189.2 KiB 1051K/s 00:00 [######################] 100%
nss-3.43-1-x86_64 1356.9 KiB 2.47M/s 00:01 [######################] 100%
pkcs11-helper-1.25... 65.4 KiB 0.00B/s 00:00 [######################] 100%
openvpn-2.4.7-1-x86_64 415.1 KiB 135M/s 00:00 [######################] 100%
(5/5) checking keys in keyring [######################] 100%
(5/5) checking package integrity [######################] 100%
(5/5) loading package files [######################] 100%
(5/5) checking for file conflicts [######################] 100%
(5/5) checking available disk space [######################] 100%
:: Processing package changes...
(1/5) installing lzo [######################] 100%
(2/5) installing nspr [######################] 100%
(3/5) installing nss [######################] 100%
(4/5) installing pkcs11-helper [######################] 100%
(5/5) installing openvpn [######################] 100%
Optional dependencies for openvpn
easy-rsa: easy CA and certificate handling
pam: authenticate via PAM [installed]
:: Running post-transaction hooks...
(1/3) Reloading system manager configuration...
(2/3) Creating temporary files...
(3/3) Arming ConditionNeedsUpdate...
[root@Pei-Hq-OpenVPN01 ~]#

  8. Now install easy-rsa:
[root@Pei-Hq-OpenVPN01 ~]# pacman -S easy-rsa
resolving dependencies...
looking for conflicting packages...

Packages (1) easy-rsa-3.0.6-1

Total Download Size: 0.03 MiB
Total Installed Size: 0.09 MiB

:: Proceed with installation? [Y/n] Y
:: Retrieving packages...
easy-rsa-3.0.6-1-any 31.4 KiB 175K/s 00:00 [######################] 100%
(1/1) checking keys in keyring [######################] 100%
(1/1) checking package integrity [######################] 100%
(1/1) loading package files [######################] 100%
(1/1) checking for file conflicts [######################] 100%
(1/1) checking available disk space [######################] 100%
:: Processing package changes...
(1/1) installing easy-rsa [######################] 100%
:: Running post-transaction hooks...
(1/1) Arming ConditionNeedsUpdate...
[root@Pei-Hq-OpenVPN01 ~]#

  9. Build your CA certificate (use the 14 password):
[root@Pei-Hq-OpenVPN01 ~]# cd /etc/easy-rsa/
[root@Pei-Hq-OpenVPN01 easy-rsa]# export EASYRSA=$(pwd)
[root@Pei-Hq-OpenVPN01 easy-rsa]# easyrsa init-pki

Note: using Easy-RSA configuration from: /etc/easy-rsa/vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/easy-rsa/pki

[root@Pei-Hq-OpenVPN01 easy-rsa]# easyrsa build-ca

Note: using Easy-RSA configuration from: /etc/easy-rsa/vars

Using SSL: openssl OpenSSL 1.1.1b 26 Feb 2019
Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus (2 primes)
..........................................................+++++
....+++++
e is 65537 (0x010001)
Can't load /etc/easy-rsa/pki/.rnd into RNG
140348830196224:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:98:Filename=/etc/easy-rsa/pki/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:Pei-Hq-OpenVPN01

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/easy-rsa/pki/ca.crt

  10. Copy over the CA certificate:
[root@Pei-Hq-OpenVPN01 ~]# cp /etc/easy-rsa/pki/ca.crt /etc/openvpn/server
[root@Pei-Hq-OpenVPN01 ~]# chown root:root /etc/openvpn/server/ca.crt
  11. Now generate a keypair and certificate request for the server:
[root@Pei-Hq-OpenVPN01 easy-rsa]# easyrsa gen-req Pei-Hq-OpenVPN01 nopass

Note: using Easy-RSA configuration from: /etc/easy-rsa/vars

Using SSL: openssl OpenSSL 1.1.1b 26 Feb 2019
Generating a RSA private key
................+++++
..............+++++
writing new private key to '/etc/easy-rsa/pki/private/Pei-Hq-OpenVPN01.key.x69qZvOmH6'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Pei-Hq-OpenVPN01]:

Keypair and certificate request completed. Your files are:
req: /etc/easy-rsa/pki/reqs/Pei-Hq-OpenVPN01.req
key: /etc/easy-rsa/pki/private/Pei-Hq-OpenVPN01.key

  12. Copy over the server key file:
[root@Pei-Hq-OpenVPN01 easy-rsa]# cp /etc/easy-rsa/pki/private/Pei-Hq-OpenVPN01.key /etc/openvpn/server/
  13. Create the DH parameters file:
[root@Pei-Hq-OpenVPN01 ~]# openssl dhparam -out /etc/openvpn/server/dh.pem 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
[root@Pei-Hq-OpenVPN01 ~]#
  14. Generate an HMAC key (used by tls-auth below):
[root@Pei-Hq-OpenVPN01 ~]# openvpn --genkey --secret /etc/openvpn/server/ta.key
[root@Pei-Hq-OpenVPN01 ~]#
  15. Finally, sign the server request with the CA:
[root@Pei-Hq-OpenVPN01 easy-rsa]# easyrsa sign-req server Pei-Hq-OpenVPN01

Using SSL: openssl OpenSSL 1.1.1b 26 Feb 2019

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 1080 days:

subject=
commonName = Pei-Hq-OpenVPN01
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/easy-rsa/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'Pei-Hq-OpenVPN01'
Certificate is to be certified until Mar 12 22:47:19 2022 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/easy-rsa/pki/issued/Pei-Hq-OpenVPN01.crt

  16. Now copy over your server certificate:
[root@Pei-Hq-OpenVPN01 ~]# cp /etc/easy-rsa/pki/issued/Pei-Hq-OpenVPN01.crt /etc/openvpn/server/
  17. Now create a directory for scripts:
[root@Pei-Hq-OpenVPN01 ~]# mkdir /usr/local/scripts
  18. Create /etc/openvpn/server/server.conf with the following contents:
local 192.168.222.100
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/Pei-Hq-OpenVPN01.crt
key /etc/openvpn/server/Pei-Hq-OpenVPN01.key # This file should be kept secret
dh /etc/openvpn/server/dh.pem
topology subnet
server 172.25.66.0 255.255.255.0
ifconfig-pool-persist ip-leases
push "route 10.222.2.0 255.255.255.0"
keepalive 10 120
tls-auth /etc/openvpn/server/ta.key 0
cipher AES-256-CBC
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 4
mute 20
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
  19. Now let's start up the OpenVPN server:
[root@Pei-Hq-OpenVPN01 server]# openvpn --config /etc/openvpn/server/server.conf
Thu Mar 28 17:04:41 2019 us=349434 Current Parameter Settings:
Thu Mar 28 17:04:41 2019 us=349480 config = '/etc/openvpn/server/server.conf'
Thu Mar 28 17:04:41 2019 us=349492 mode = 1
Thu Mar 28 17:04:41 2019 us=349500 persist_config = DISABLED
Thu Mar 28 17:04:41 2019 us=349508 persist_mode = 1
Thu Mar 28 17:04:41 2019 us=349516 show_ciphers = DISABLED
Thu Mar 28 17:04:41 2019 us=349523 show_digests = DISABLED
Thu Mar 28 17:04:41 2019 us=349532 show_engines = DISABLED
Thu Mar 28 17:04:41 2019 us=349539 genkey = DISABLED
Thu Mar 28 17:04:41 2019 us=349546 key_pass_file = '[UNDEF]'
Thu Mar 28 17:04:41 2019 us=349594 show_tls_ciphers = DISABLED
Thu Mar 28 17:04:41 2019 us=349605 connect_retry_max = 0
Thu Mar 28 17:04:41 2019 us=349613 Connection profiles [0]:
Thu Mar 28 17:04:41 2019 us=349632 proto = udp
Thu Mar 28 17:04:41 2019 us=349653 local = '192.168.222.100'
Thu Mar 28 17:04:41 2019 us=349663 local_port = '1194'
Thu Mar 28 17:04:41 2019 us=349671 remote = '[UNDEF]'
Thu Mar 28 17:04:41 2019 us=349689 remote_port = '1194'
Thu Mar 28 17:04:41 2019 us=349710 remote_float = DISABLED
Thu Mar 28 17:04:41 2019 us=349732 bind_defined = DISABLED
Thu Mar 28 17:04:41 2019 us=349739 NOTE: --mute triggered...
Thu Mar 28 17:04:41 2019 us=349761 267 variation(s) on previous 20 message(s) suppressed by --mute
Thu Mar 28 17:04:41 2019 us=349788 OpenVPN 2.4.7 [git:makepkg/2b8aec62d5db2c17+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 19 2019
Thu Mar 28 17:04:41 2019 us=349830 library versions: OpenSSL 1.1.1b 26 Feb 2019, LZO 2.10
Thu Mar 28 17:04:41 2019 us=350162 Diffie-Hellman initialized with 2048 bit key
Thu Mar 28 17:04:41 2019 us=350439 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Mar 28 17:04:41 2019 us=350464 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Thu Mar 28 17:04:41 2019 us=350477 TLS-Auth MTU parms [ L:1621 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Thu Mar 28 17:04:41 2019 us=350691 TUN/TAP device tun0 opened
Thu Mar 28 17:04:41 2019 us=350724 TUN/TAP TX queue length set to 100
Thu Mar 28 17:04:41 2019 us=350741 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Mar 28 17:04:41 2019 us=350802 /usr/bin/ip link set dev tun0 up mtu 1500
Thu Mar 28 17:04:41 2019 us=352537 /usr/bin/ip addr add dev tun0 172.25.66.1/24 broadcast 172.25.66.255
Thu Mar 28 17:04:41 2019 us=354008 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Thu Mar 28 17:04:41 2019 us=354282 Could not determine IPv4/IPv6 protocol. Using AF_INET
Thu Mar 28 17:04:41 2019 us=354315 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Mar 28 17:04:41 2019 us=354335 UDPv4 link local (bound): [AF_INET]192.168.222.100:1194
Thu Mar 28 17:04:41 2019 us=354372 UDPv4 link remote: [AF_UNSPEC]
Thu Mar 28 17:04:41 2019 us=354410 GID set to nobody
Thu Mar 28 17:04:41 2019 us=354430 UID set to nobody
Thu Mar 28 17:04:41 2019 us=354449 MULTI: multi_init called, r=256 v=256
Thu Mar 28 17:04:41 2019 us=354487 IFCONFIG POOL: base=172.25.66.2 size=252, ipv6=0
Thu Mar 28 17:04:41 2019 us=354518 IFCONFIG POOL LIST
Thu Mar 28 17:04:41 2019 us=354553 Initialization Sequence Completed
  20. Enable start on boot, then start the OpenVPN service and check that it is running:
[root@Pei-Hq-OpenVPN01 server]# systemctl enable openvpn-server@server.service
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-server@server.service → /usr/lib/systemd/system/openvpn-server@.service.
[root@Pei-Hq-OpenVPN01 ~]# systemctl start openvpn-server@server.service
[root@Pei-Hq-OpenVPN01 ~]# ps -ef|grep openvpn
nobody 1209 1 0 17:10 ? 00:00:00 /usr/bin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config server.conf

Generate a Client Key

  1. Real simple: first generate a request and key:
[root@Pei-Hq-OpenVPN01]# cd /etc/easy-rsa
[root@Pei-Hq-OpenVPN01 easy-rsa]# echo "\n" | easyrsa gen-req client1 nopass

Using SSL: openssl OpenSSL 1.1.1b 26 Feb 2019
Generating a RSA private key
......+++++
..................+++++
writing new private key to '/etc/easy-rsa/pki/private/client1.key.CIlCoYEmpv'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client1]:
Keypair and certificate request completed. Your files are:
req: /etc/easy-rsa/pki/reqs/client1.req
key: /etc/easy-rsa/pki/private/client1.key
  2. Along with the key, generate the following client configuration and call it something that makes sense, like client.ovpn:
client
dev tun
proto udp
remote 192.168.222.100 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/client/client1.crt
key /etc/openvpn/client/client1.key
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
tls-auth /etc/openvpn/client/ta.key 1
verb 4
mute 20
  3. Copy the following files to the client:
  • /etc/openvpn/client/client1.crt
  • /etc/openvpn/client/client1.key
  • /etc/openvpn/client.ovpn
  • /etc/openvpn/server/ca.crt
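Added check, not part of the guide or of OpenVPN itself: a small Python linter that parses a config the way the directives above are written (one per line, '#' comments) and reports where the hardening settings this guide chose are missing or weakened: tls-auth with the correct key direction (0 on the server, 1 on the client), tls-version-min 1.2, auth SHA512, an AES cipher, user/group nobody, remote-cert-tls server on the client and dh on the server. The embedded configs are trimmed copies of the server.conf and client.ovpn above; the server passes, and the only client finding is that client.ovpn does not set tls-version-min itself (the server enforces it in this setup).

```python
# Added example (not from the guide): lint an OpenVPN config for the hardening
# directives this guide's server.conf and client.ovpn rely on. Where a directive
# is absent, the OpenVPN 2.4 defaults assumed are TLS 1.0, auth SHA1, cipher BF-CBC.


def parse_ovpn(text):
    """Map each directive to its argument list; '#' comments and blank lines are dropped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            conf.setdefault(name, args)  # first occurrence wins
    return conf


def lint_ovpn(text, role):
    """Return findings for a 'server' or 'client' config; an empty list means all checks passed."""
    conf, found = parse_ovpn(text), []
    want_dir = "0" if role == "server" else "1"  # tls-auth key direction, as the guide sets it
    if "tls-auth" not in conf and "tls-crypt" not in conf:
        found.append("no tls-auth/tls-crypt: control-channel packets are not HMAC-authenticated")
    elif "tls-auth" in conf and conf["tls-auth"][-1:] != [want_dir]:
        found.append("tls-auth key direction should be %s on a %s" % (want_dir, role))
    if conf.get("tls-version-min", ["1.0"])[0] < "1.2":
        found.append("tls-version-min below 1.2 (or unset)")
    if conf.get("auth", ["SHA1"])[0].upper() in ("NONE", "MD5", "SHA1"):
        found.append("auth digest is weak: " + conf.get("auth", ["SHA1"])[0])
    if not conf.get("cipher", ["BF-CBC"])[0].upper().startswith("AES-"):
        found.append("data-channel cipher is not AES: " + conf.get("cipher", ["BF-CBC"])[0])
    if conf.get("user") != ["nobody"] or conf.get("group") != ["nobody"]:
        found.append("user/group nobody not set: process keeps root privileges after start")
    if role == "client" and conf.get("remote-cert-tls") != ["server"]:
        found.append("remote-cert-tls server missing: peer's server-certificate EKU is not checked")
    if role == "server" and "dh" not in conf:
        found.append("dh missing: no Diffie-Hellman parameters for the TLS key exchange")
    return found


# Constructed input: the security-relevant lines of the guide's server.conf and client.ovpn.
SERVER_CONF = ("dh /etc/openvpn/server/dh.pem\nkey /etc/openvpn/server/Pei-Hq-OpenVPN01.key # keep secret\n"
               "tls-auth /etc/openvpn/server/ta.key 0\ncipher AES-256-CBC\nuser nobody\ngroup nobody\n"
               "auth SHA512\ntls-version-min 1.2\n")
CLIENT_OVPN = ("client\nremote 192.168.222.100 1194\nuser nobody\ngroup nobody\nremote-cert-tls server\n"
               "cipher AES-256-CBC\nauth SHA512\ntls-auth /etc/openvpn/client/ta.key 1\n")

if __name__ == "__main__":
    for role, cfg in (("server", SERVER_CONF), ("client", CLIENT_OVPN)):
        print(role + ":", lint_ovpn(cfg, role) or "all checks passed")
```

Run it against the real files with `lint_ovpn(open(path).read(), role)` before enabling the service; a non-empty list is the reason to stop and fix the config.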

mfuller, PEI
