OpenVPN
Intro
I’ve been using OpenVPN a lot for both work and personal, and have run into a number of issues in getting it running and maintaining connections.
Basic Connections
To get a basic OpenVPN connection cobbled together with minimal security requires some effort. This assumes Ubuntu 16.04.
Download pre-requisites
Download openvpn: https://openvpn.net/index.php/open-source/downloads.html Download easyrsa. These instructions use v3.0.5, but always use the newest: https://github.com/OpenVPN/easy-rsa
EasyRSA usage
after git cloning easy-rsa, find the easyrsa script and run it with no arguments to see what is available
michael@michael-VirtualBox:~/code/easy-rsa/easyrsa3$ ./easyrsa
Easy-RSA 3 usage and overview
USAGE: easyrsa [options] COMMAND [command-options]
A list of commands is shown below. To get detailed usage and help for a
command, run:
./easyrsa help COMMAND
For a listing of options that can be supplied before the command, use:
./easyrsa help options
Here is the list of commands available with a short syntax reminder. Use the
‘help’ command above to get full usage details.
init-pki
build-ca [ cmd-opts ]
gen-dh
gen-req [ cmd-opts ]
sign-req
build-client-full [ cmd-opts ]
build-server-full [ cmd-opts ]
revoke
gen-crl
update-db
show-req [ cmd-opts ]
show-cert [ cmd-opts ]
import-req
export-p7 [ cmd-opts ]
export-p12 [ cmd-opts ]
set-rsa-pass [ cmd-opts ]
set-ec-pass [ cmd-opts ]
DIRECTORY STATUS (commands would take effect on these locations)
EASYRSA: .
PKI: /home/michael/code/easy-rsa/easyrsa3/pki
michael@michael-VirtualBox:~/code/easy-rsa/easyrsa3$
Generate a keystore
To generate a keystore, you must initialize your public key infrastructure
./easyrsa init-pki
Then create a certificate authority
./easyrsa build-ca
Give the CA a decent password, this will be used for generating new openvpn keys. Once you have done this, you can generate a key request.
Create key requests
./easyrsa gen-req MyVpnServer
MyVpnServer is the unique registered name for your client. This should be unique to the CA. Also generate a few clients:
./easyrsa gen-req MyClientOne
./easyrsa gen-req MyClientTwo
Sign key requests
After generating a request, you will sign it
./easyrsa sign-req server MyVpnServer
./easyrsa sign-req client MyClientOne
./easyrsa sign-req client MyClientTwo
The server and client portion is important: The server must be generated with server, and clients with client. After you do these commands, all the information needed to create your openvpn configs will be in the pki folder