OpenVPN
From FlimzyWiki
Keys
This can be done on any machine. I did it on my workstation, which happens not to be either the OpenVPN server or client.
There are many CA software packages. I use tinyca, because its interface is easier to use than easy-ca (which comes with OpenVPN).
apt-get install tinyca tinyca2
Refer to the tinyca instructions to create a CA, one server key, and at least one client key.
For each key you create, go to the Certificates tab, and hit Export. Be sure to include the Key and Fingerprint, and export to a .zip or tar file. Transfer each file to its respective machine for use below.
On the server
apt-get install openvpn
cd /etc/openvpn
zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > ./server.conf
unzip keys.zip
openssl dhparam -out dh1024.pem 1024
If you created your keys with passwords, you'll need to remove the password:
openssl rsa -in key.pem -out newkey.pem
Enter passphrase for key.pem: <Your passphrase>
writing RSA key
mv newkey.pem key.pem
Edit server.conf to reflect the proper certificate filenames:
ca cacert.pem
cert cert.pem
key key.pem # This file should be kept secret
Configure OpenVPN for your network:
server 172.17.3.128 255.255.255.128
On the client
apt-get install openvpn
cd /etc/openvpn
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf .
unzip keys.zip
openssl dhparam -out dh1024.pem 1024
If you created your keys with passwords, you'll need to remove the password:
openssl rsa -in key.pem -out newkey.pem
Enter passphrase for key.pem: <Your passphrase>
writing RSA key
mv newkey.pem key.pem
Edit client.conf to point to your OpenVPN server:
remote <IP or Hostname of server> 1194
And edit the key file names:
ca cacert.pem
cert cert.pem
key key.pem
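The script below is an added example, not part of the original wiki page. It checks the files unpacked from keys.zip on either machine: that key.pem is not accessible to other users (once the passphrase is removed, file permissions are its only protection), that cert.pem belongs to key.pem, and that cert.pem was issued by cacert.pem. The function names are made up for this example; the file names and /etc/openvpn follow the steps above.

```shell
#!/bin/sh
# Added example: checks for the files unpacked from keys.zip.
# File names and /etc/openvpn follow the page; function names are hypothetical.

# Succeeds only if group and others have no permission bits on the file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Succeeds if the PEM key still carries a passphrase (traditional or PKCS#8 form).
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# Succeeds if the certificate ($1) and private key ($2) hold the same public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" -passin pass: 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the certificate ($2) chains to the CA certificate ($1).
cert_signed_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Runs every check on one directory; prints findings, returns 1 if any failed.
audit_openvpn_keys() {
    dir=${1:-/etc/openvpn}
    rc=0
    key_is_private "$dir/key.pem" ||
        { echo "key.pem is accessible to group/others: chmod 600 it"; rc=1; }
    if key_is_encrypted "$dir/key.pem"; then
        echo "key.pem still has a passphrase"; rc=1
    else
        cert_matches_key "$dir/cert.pem" "$dir/key.pem" ||
            { echo "cert.pem does not belong to key.pem"; rc=1; }
    fi
    cert_signed_by_ca "$dir/cacert.pem" "$dir/cert.pem" ||
        { echo "cert.pem was not issued by cacert.pem"; rc=1; }
    return $rc
}
```

Source the file and run audit_openvpn_keys /etc/openvpn as root after unpacking the keys and removing the passphrase.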

