OpenVPN

Intro

I've been using OpenVPN a lot for both work and personal use, and have run into a number of issues in getting it running and maintaining connections.

Basic Connections

Getting a basic OpenVPN connection cobbled together with minimal security requires some effort. This assumes Ubuntu 16.04.

Download pre-requisites

Download openvpn: https://openvpn.net/index.php/open-source/downloads.html

Download easyrsa. These instructions use v3.0.5, but always use the newest: https://github.com/OpenVPN/easy-rsa

EasyRSA usage

After git cloning easy-rsa, find the easyrsa script and run it with no arguments to see what is available:

michael@michael-VirtualBox:~/code/easy-rsa/easyrsa3$ ./easyrsa 
Easy-RSA 3 usage and overview

USAGE: easyrsa [options] COMMAND [command-options]

A list of commands is shown below. To get detailed usage and help for a
command, run:
 ./easyrsa help COMMAND

For a listing of options that can be supplied before the command, use:
 ./easyrsa help options

Here is the list of commands available with a short syntax reminder. Use the
'help' command above to get full usage details.

 init-pki
 build-ca [ cmd-opts ]
 gen-dh
 gen-req <filename_base> [ cmd-opts ]
 sign-req <type> <filename_base>
 build-client-full <filename_base> [ cmd-opts ]
 build-server-full <filename_base> [ cmd-opts ]
 revoke <filename_base>
 gen-crl
 update-db
 show-req <filename_base> [ cmd-opts ]
 show-cert <filename_base> [ cmd-opts ]
 import-req <request_file_path> <short_basename>
 export-p7 <filename_base> [ cmd-opts ]
 export-p12 <filename_base> [ cmd-opts ]
 set-rsa-pass <filename_base> [ cmd-opts ]
 set-ec-pass <filename_base> [ cmd-opts ]

DIRECTORY STATUS (commands would take effect on these locations)
 EASYRSA: .
     PKI: /home/michael/code/easy-rsa/easyrsa3/pki


michael@michael-VirtualBox:~/code/easy-rsa/easyrsa3$

Generate a keystore

To generate a keystore, you must first initialize your public key infrastructure:

./easyrsa init-pki

Then create a certificate authority:

./easyrsa build-ca

Give the CA a decent password; this will be used for generating new openvpn keys. Once you have done this, you can generate a key request.

Create key requests

./easyrsa gen-req MyVpnServer

MyVpnServer is the unique registered name for your client. This should be unique to the CA. Also generate a few clients:

./easyrsa gen-req MyClientOne
./easyrsa gen-req MyClientTwo

Sign key requests

After generating a request, you will sign it:

./easyrsa sign-req server MyVpnServer
./easyrsa sign-req client MyClientOne
./easyrsa sign-req client MyClientTwo

The server and client portion is important: the server *must* be generated with server, and clients with client. After you run these commands, all the information needed to create your openvpn configs will be in the pki folder.
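
A check for the signing step above, as an added example that is not part of the original page: it reads each signed certificate and confirms it carries the server or client role it was signed with. It assumes openssl is installed and that signed certificates sit in pki/issued/<name>.crt (the EasyRSA 3 layout); eku_role and check_cert are helper names made up for this example.

```shell
#!/bin/sh
# Added example: verify the role (Extended Key Usage) of certificates signed above.
# Assumption: signed certificates are in $PKI_DIR/issued/<filename_base>.crt
PKI_DIR="${PKI_DIR:-./pki}"

# Read `openssl x509 -text` output on stdin and print server|client|both|none
# depending on which Extended Key Usage values are present.
eku_role() {
    awk '
        /TLS Web Server Authentication/ { s = 1 }
        /TLS Web Client Authentication/ { c = 1 }
        END {
            if (s && c) print "both"
            else if (s) print "server"
            else if (c) print "client"
            else print "none"
        }'
}

# check_cert <filename_base> <server|client>
# Returns 0 on a match, 1 on a wrong role, 2 when the certificate is missing.
check_cert() {
    crt="$PKI_DIR/issued/$1.crt"
    [ -r "$crt" ] || { echo "MISSING $crt"; return 2; }
    role=$(openssl x509 -in "$crt" -noout -text | eku_role)
    if [ "$role" = "$2" ]; then
        echo "OK      $1 is a $role certificate"
    else
        echo "WRONG   $1 is '$role', expected '$2'"
        return 1
    fi
}

# Constructed sample of the relevant lines of `openssl x509 -text` output,
# used only when no PKI directory is present.
SAMPLE_SERVER_EKU='X509v3 Extended Key Usage:
    TLS Web Server Authentication'

if [ -d "$PKI_DIR/issued" ]; then
    check_cert MyVpnServer server
    check_cert MyClientOne client
    check_cert MyClientTwo client
else
    printf '%s\n' "$SAMPLE_SERVER_EKU" | eku_role
fi
```

OpenVPN only enforces the role when a peer is told to check it, for example with `remote-cert-tls server` in the client config.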