OpenVPN Setup Tutorial

Installation

Via source code

  1. Download the tarball from the release link

  2. Dependencies

    apt install libssl-dev liblzo2-dev libpam0g-dev
    apt install easy-rsa
  3. Build source code

    tar xfz ./openvpn<version>.tar.gz
    cd openvpn<version>
    ./configure
    make
    make install

Via official apt repositories

wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" > /etc/apt/sources.list.d/openvpn-aptrepo.list
apt update && apt install openvpn

Via script

curl -O https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
./openvpn-install.sh

Setup

CA

make-cadir CA && cd CA

In the CA directory, edit the vars file and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL parameters.

source ./vars
./clean-all
./build-ca

Key generation

In the keys directory, generate the private keys, certificates and Diffie Hellman parameters.

  1. Server key generation
    ./build-key-server server
  2. Client key generation
    ./build-key client1
    ./build-key client2
    ./build-key client3
  3. Diffie Hellman parameters generation
    ./build-dh

Here is an explanation of the relevant files in the keys subdirectory:

Filename      Needed By                  Purpose                     Secret
ca.crt        server + all clients       Root CA certificate         NO
ca.key        key signing machine only   Root CA key                 YES
dh{n}.pem     server only                Diffie Hellman parameters   NO
server.crt    server only                Server Certificate          NO
server.key    server only                Server Key                  YES
client1.crt   client1 only               Client1 Certificate         NO
client1.key   client1 only               Client1 Key                 YES

Configuration

  • On VPNServer, put server.conf, ca.crt, server.crt, server.key and dh{n}.pem in the same directory (e.g. /etc/openvpn/).
  • On Client, put client.conf, client{n}.crt, client{n}.key and ca.crt in the same directory.
  • In client.conf, set the remote value to VPNServer’s IPv4 address, and set cert and key to the corresponding filenames.
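
After copying the files into place, the "Needed By" and "Secret" columns of the table above can be checked mechanically. The script below is an added example, not part of the original tutorial: the function name audit_openvpn_dir and the finding labels are made up for illustration, and it assumes GNU stat and the file names used in this tutorial.

```shell
#!/usr/bin/env bash
# Added example (not from the tutorial): audit an OpenVPN config directory.
# Assumes GNU stat and the tutorial's file names; role is "server" or "client".
audit_openvpn_dir() {
    local dir=$1 role=$2 findings=0 f mode

    # Files marked Secret = YES (*.key) must not be readable by group or others.
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f")               # octal mode, e.g. 600 or 644
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "LOOSE_PERMS $f mode=$mode"
            findings=$((findings + 1))
        fi
    done

    # ca.key belongs on the key signing machine only, never on a VPN endpoint.
    if [ -e "$dir/ca.key" ]; then
        echo "CA_KEY_PRESENT $dir/ca.key"
        findings=$((findings + 1))
    fi

    # A host should hold only its own private key.
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue
        case "$role:$(basename "$f")" in
            server:client*.key|client:server.key)
                echo "FOREIGN_KEY $f"
                findings=$((findings + 1)) ;;
        esac
    done

    [ "$findings" -eq 0 ]      # exit status 0 = clean, 1 = findings
}

# Run as: ./audit.sh /etc/openvpn server
if [ $# -ge 2 ]; then audit_openvpn_dir "$1" "$2"; fi
```

A LOOSE_PERMS finding is cleared with chmod 600 on the key file; CA_KEY_PRESENT and FOREIGN_KEY are cleared by removing the file from that host.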

Running

  1. In VPNServer:
    openvpn --config /etc/openvpn/server.conf --daemon
  2. In Client:
    openvpn --config /etc/openvpn/client{n}.conf --daemon