Download the installer script and make it executable:
$ curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
$ chmod +x openvpn-install.sh
Next, run the executable installer script as shown.
$ sudo bash openvpn-install.sh
Update and Install OpenVPN
$ sudo apt-get update -y
$ sudo apt-get upgrade -y
$ sudo apt-get install openvpn -y
Download the latest version of EasyRSA from the Git repository using the following command:
$ wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz
Extract the downloaded file using the following command:
$ tar -xvzf EasyRSA-3.0.8.tgz
Next, copy the extracted directory to the OpenVPN directory:
$ sudo cp -r EasyRSA-3.0.8 /etc/openvpn/easy-rsa
Next, you will need to build the Certificate Authority (CA) for OpenVPN.
First, change the directory to EasyRSA with the following command:
$ cd /etc/openvpn/easy-rsa
Next, you will need to create a vars file inside this directory. A vars file is a simple file that Easy-RSA sources for its configuration.
You can create it with the following command:
$ sudo nano vars
Add the following lines as per your needs:
set_var EASYRSA_REQ_COUNTRY "USA"
set_var EASYRSA_REQ_PROVINCE "Texas"
set_var EASYRSA_REQ_CITY "Buda"
set_var EASYRSA_REQ_ORG "GEEKDECODER"
set_var EASYRSA_REQ_EMAIL "admin@domain.com"
set_var EASYRSA_REQ_OU "IT"
Save and close the file when you are finished.
Next, initiate the public key infrastructure with the following command:
$ sudo ./easyrsa init-pki
You should get the following output:
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
Next, you will need to run the build-ca command to create the ca.crt and ca.key files. You can run it with the following command:
$ sudo ./easyrsa build-ca nopass
You will be asked several questions, as shown below:
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020

Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus (2 primes)
...+++++
......................................................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:vpnserver

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt
Next, use the gen-req command followed by the common name to generate the server key and certificate request:
$ sudo ./easyrsa gen-req vpnserver nopass
You should see the following output:
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020
Generating a RSA private key
.......................................................+++++
....+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-1428.Angtmh/tmp.C9prw4'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [vpnserver]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/vpnserver.req
key: /etc/openvpn/easy-rsa/pki/private/vpnserver.key
Next, you will need to sign the vpnserver key using your CA certificate. You can do it with the following command:
$ sudo ./easyrsa sign-req server vpnserver
You should get the following output:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'vpnserver'
Certificate is to be certified until Feb 6 14:38:52 2022 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/vpnserver.crt
Next, you will need to generate strong Diffie-Hellman parameters for the key exchange. You can generate them with the following command:
$ sudo ./easyrsa gen-dh
Next, copy all the certificate and key files to the /etc/openvpn/server/ directory with the following commands:
$ sudo cp pki/ca.crt /etc/openvpn/server/
$ sudo cp pki/dh.pem /etc/openvpn/server/
$ sudo cp pki/private/vpnserver.key /etc/openvpn/server/
$ sudo cp pki/issued/vpnserver.crt /etc/openvpn/server/
Next, you will need to generate a certificate and key file for the client system.
You can create it with the following command:
$ sudo ./easyrsa gen-req vpnclient nopass
You should get the following output:
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020
Generating a RSA private key
....+++++
.................................+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-1563.TeOf5v/tmp.i4YxLz'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [vpnclient]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/vpnclient.req
key: /etc/openvpn/easy-rsa/pki/private/vpnclient.key
Next, sign the client key with the following command:
$ sudo ./easyrsa sign-req client vpnclient
You should get the following output:
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'vpnclient'
Certificate is to be certified until Feb 6 14:43:18 2022 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/vpnclient.crt
Next, copy the client certificate and key files to the /etc/openvpn/client/ directory:
$ sudo cp pki/ca.crt /etc/openvpn/client/
$ sudo cp pki/issued/vpnclient.crt /etc/openvpn/client/
$ sudo cp pki/private/vpnclient.key /etc/openvpn/client/
At this point, both the server and client certificates and keys are ready. Next, create an OpenVPN server configuration file that references these certificates and keys:
$ sudo nano /etc/openvpn/server.conf
Add the following lines (adjust the addresses for your OpenVPN server as needed):
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/vpnserver.crt
key /etc/openvpn/server/vpnserver.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
keepalive 20 60
persist-key
persist-tun
compress lz4
daemon
user nobody
group nogroup
log-append /var/log/openvpn.log
verb 3
Save and close the file then start the OpenVPN service and enable it to start at system reboot:
$ sudo systemctl start openvpn@server
$ sudo systemctl enable openvpn@server
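With the server running, the configuration above deserves a second look from a defender's point of view before the port is exposed. duplicate-cn lets any number of hosts share one client certificate, which defeats per-client accountability and revocation; compress lz4 combines compression with encryption, which the OpenVPN manual warns against; there is no tls-auth or tls-crypt key protecting the control channel, and no crl-verify, so a revoked client certificate would still be accepted. The script below is an added example written for this article, not part of the article or of OpenVPN: it reads a server.conf and prints one WARN line per such finding. It assumes only POSIX sh, awk and grep; the ta.key and crl.pem paths in the hardened sample are placeholders for files the article does not create.

```shell
#!/bin/sh
# Added example, not part of the original article or of OpenVPN: reviews an
# OpenVPN server.conf for the settings a defender checks before exposing the
# service. Needs only POSIX sh, awk and grep; OpenVPN itself is not required.

# Print the value of a directive (first occurrence; commented lines ignored).
ovpn_get() {   # ovpn_get <file> <directive>
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# Exit 0 if the directive is present and not commented out, else 1.
ovpn_has() {   # ovpn_has <file> <directive>
    awk -v d="$2" 'BEGIN { r = 1 } $1 == d { r = 0; exit } END { exit r }' "$1"
}

# One "WARN ..." line per finding, nothing else on stdout.
review_server_conf() {   # review_server_conf <server.conf>
    f="$1"
    # duplicate-cn lets any number of hosts share one client certificate,
    # which removes per-client accountability and makes revocation useless.
    ovpn_has "$f" duplicate-cn &&
        echo "WARN duplicate-cn: issue one certificate per client and drop this line"
    # Compressing data before encrypting it leaks plaintext structure
    # (VORACLE); the OpenVPN manual advises against enabling compression.
    { ovpn_has "$f" compress || ovpn_has "$f" comp-lzo; } &&
        echo "WARN compression enabled: remove compress / comp-lzo"
    # Without tls-auth or tls-crypt, anyone who can send UDP to the port can
    # talk to the TLS control channel before any authentication happens.
    { ovpn_has "$f" tls-auth || ovpn_has "$f" tls-crypt; } ||
        echo "WARN no tls-auth/tls-crypt: control channel has no pre-TLS HMAC"
    # Revoking a client certificate only works if the server checks a CRL.
    ovpn_has "$f" crl-verify ||
        echo "WARN no crl-verify: revoked client certificates still connect"
    # Floor on the TLS version for the control channel.
    v=$(ovpn_get "$f" tls-version-min)
    case "$v" in
        1.2|1.3) ;;
        *) echo "WARN tls-version-min is '${v:-unset}': require 1.2 or newer" ;;
    esac
    # Drop root once the tunnel is up.
    { ovpn_has "$f" user && ovpn_has "$f" group; } ||
        echo "WARN no user/group: daemon keeps root privileges after start"
    return 0
}

# Number of findings, as a value a caller can compare against.
warn_count() { review_server_conf "$1" | grep -c '^WARN'; }

# Constructed sample: the article's server.conf, reduced to the lines the
# checks look at.
write_article_conf() {   # write_article_conf <file>
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/vpnserver.crt
key /etc/openvpn/server/vpnserver.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
auth SHA512
auth-nocache
compress lz4
user nobody
group nogroup
verb 3
EOF
}

# Constructed sample: the same file with the findings applied. The ta.key
# and crl.pem paths are placeholders for files the article does not create.
write_hardened_conf() {   # write_hardened_conf <file>
    write_article_conf "$1.tmp"
    grep -v -e '^duplicate-cn$' -e '^compress ' "$1.tmp" > "$1"
    rm -f "$1.tmp"
    printf '%s\n' 'tls-crypt /etc/openvpn/server/ta.key' \
                  'crl-verify /etc/openvpn/server/crl.pem' >> "$1"
}

# Usage: sh review-ovpn.sh /etc/openvpn/server.conf
if [ -n "${1:-}" ]; then
    review_server_conf "$1"
    echo "findings: $(warn_count "$1")"
fi
```

Run on the article's configuration as written, it reports four findings; the hardened sample reports none. One point the checks cannot see from the file alone: the cipher AES-256-CBC line is only a fallback for old peers, because OpenVPN 2.4 and later peers negotiate the data-channel cipher, and the client log later in this article shows the server pushing cipher AES-256-GCM.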
If everything is fine, a new interface will be created. You can check it using the following command:
ip a show tun0
You should get the following output:
4: tun0: mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::153d:f29:39a2:571a/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
IP forwarding lets the operating system accept incoming network packets and forward them to another network, which the VPN server needs in order to route client traffic. You can enable it by editing the following file:
$ sudo nano /etc/sysctl.conf
Uncomment or add the following line:
net.ipv4.ip_forward = 1
Save the file then apply the configuration changes with the following command:
$ sudo sysctl -p
Next, you will need to install the OpenVPN client on another system and connect to the OpenVPN server.
First, install OpenVPN with the following command:
apt-get install openvpn -y
Once installed, copy the client certificate and key files from the OpenVPN server to the client machine. You can do it with the following command:
scp -r root@vpn-server-ip:/etc/openvpn/client .
Next, change into the client directory and create a client configuration file:
cd client
nano client.ovpn
Add the following lines (replace vpn-server-ip with the IP address of your OpenVPN server):
client
dev tun
proto udp
remote vpn-server-ip 1194
ca ca.crt
cert vpnclient.crt
key vpnclient.key
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
Save and close the file then connect to your OpenVPN server with the following command:
openvpn --config client.ovpn
Once the connection has been established, you should get the following output:
Sat Feb 6 14:53:50 2021 SENT CONTROL [vpnserver]: 'PUSH_REQUEST' (status=1)
Sat Feb 6 14:53:50 2021 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 20,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Sat Feb 6 14:53:50 2021 OPTIONS IMPORT: timers and/or timeouts modified
Sat Feb 6 14:53:50 2021 OPTIONS IMPORT: --ifconfig/up options modified
Sat Feb 6 14:53:50 2021 OPTIONS IMPORT: route options modified
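The PUSH_REPLY line above is the authoritative record of what the server imposed on the client: the default route, the DNS servers, the tunnel addresses and the data-channel cipher (AES-256-GCM here, although both configuration files say AES-256-CBC, because OpenVPN 2.4 and later peers negotiate the cipher). The script below is an added example written for this article, not part of the article or of OpenVPN; it extracts those pushed options from a client log so they can be compared with the configuration. It assumes only POSIX sh, sed and awk, and the sample log it writes is constructed from the lines shown above.

```shell
#!/bin/sh
# Added example, not part of the original article or of OpenVPN: extracts
# what the server pushed from an OpenVPN client log, so the options the
# client actually applied (routes, DNS, data-channel cipher) can be compared
# with what server.conf intended. Needs only POSIX sh, sed and awk. The
# sample log below is constructed from the PUSH_REPLY shown in the article.

# Every pushed option, one per line, from all PUSH_REPLY messages in <log>.
pushed_options() {   # pushed_options <logfile>
    sed -n "s/.*'PUSH_REPLY,\(.*\)'.*/\1/p" "$1" | tr ',' '\n'
}

# Value of one pushed option, e.g. "pushed_value client.log cipher".
pushed_value() {   # pushed_value <logfile> <option>
    pushed_options "$1" | awk -v o="$2" '$1 == o { $1 = ""; sub(/^ /, ""); print; exit }'
}

# DNS servers pushed via dhcp-option, one per line.
pushed_dns() {   # pushed_dns <logfile>
    pushed_options "$1" | awk '$1 == "dhcp-option" && $2 == "DNS" { print $3 }'
}

# Was the client told to send all of its traffic through the tunnel?
full_tunnel_pushed() {   # full_tunnel_pushed <logfile>
    pushed_options "$1" | grep -q '^redirect-gateway'
}

# Compare the data-channel cipher the server pushed with the one in a
# config file. The article configures AES-256-CBC, yet its client log shows
# AES-256-GCM: OpenVPN 2.4+ peers negotiate the cipher, and the pushed value
# is what the tunnel actually uses.
cipher_in_use() {   # cipher_in_use <logfile> <ovpn config>
    pushed=$(pushed_value "$1" cipher)
    configured=$(awk '$1 == "cipher" { print $2; exit }' "$2")
    if [ -n "$pushed" ] && [ "$pushed" != "$configured" ]; then
        echo "$pushed (negotiated; config says $configured)"
    else
        echo "${configured:-unknown}"
    fi
}

# Constructed sample input: the PUSH_REPLY lines from the article's client log.
write_sample_log() {   # write_sample_log <file>
    cat > "$1" <<'EOF'
Sat Feb 6 14:53:50 2021 SENT CONTROL [vpnserver]: 'PUSH_REQUEST' (status=1)
Sat Feb 6 14:53:50 2021 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 20,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Sat Feb 6 14:53:50 2021 OPTIONS IMPORT: timers and/or timeouts modified
EOF
}

# Usage: sh pushed.sh client.log client.ovpn
if [ -n "${2:-}" ]; then
    echo "cipher: $(cipher_in_use "$1" "$2")"
    echo "dns: $(pushed_dns "$1" | tr '\n' ' ')"
    if full_tunnel_pushed "$1"; then
        echo "redirect-gateway pushed: all traffic goes through the VPN"
    fi
fi
```

Pointing it at a real client log (openvpn --config client.ovpn writes to the terminal, or to the file named by log-append) and the matching client.ovpn shows at a glance whether the DNS servers and default route the server pushes are the ones intended, and which cipher the tunnel is really using.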
You can verify the OpenVPN interface on the client machine with the following command:
ip a show tun0
You should get the following output:
4: tun0: mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::9206:94d7:8fb2:6b21/64 scope link stable-privacy
       valid_lft forever preferred_lft forever