Ensure the following packages are installed:
sudo apt-get install openvpn bridge-utils
Copy files to the /etc/openvpn/easy-rsa/ directory
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
Edit /etc/openvpn/easy-rsa/vars
sudo vi /etc/openvpn/easy-rsa/vars
Change these lines at the bottom so that they reflect your new CA. These values become the defaults offered when build-ca and build-key prompt for the certificate fields.
export KEY_COUNTRY="ZA"
export KEY_PROVINCE="Gauteng"
export KEY_CITY="Pretoria"
export KEY_ORG="YFi"
export KEY_EMAIL="dvdwalt@ri.co.za"
The same file sets KEY_SIZE, which is 1024 in this version of easy-rsa. Raise it to 2048 before running build-ca, since 1024-bit RSA keys are no longer considered adequate. Note that build-dh names its output after this value (dh2048.pem rather than dh1024.pem), so the dh line in server.conf and the copy commands further down must match whatever you choose.
Initialize the PKI. Note that clean-all empties the keys directory, so run it only when setting up a new CA, never against a CA whose certificates are already in use:
cd /etc/openvpn/easy-rsa
sudo su
. ./vars
./clean-all
./build-ca
The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command:
ai:easy-rsa # ./build-ca
Generating a 1024 bit RSA private key
............++++++
...........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ZA]:
State or Province Name (full name) [Gauteng]:
Locality Name (eg, city) [Pretoria]:
Organization Name (eg, company) [YFi]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:OpenVPN-CA
Email Address [dvdwalt@ri.co.za]:
Note that in the above sequence, most queried parameters were defaulted to the values set in the vars file.
Generate a certificate and private key for the server
./build-key-server server
As in the previous step, most parameters can be defaulted.
Generating client certificates is very similar to the previous step.
./build-key client-1 ./build-key client-2
For each client, type the appropriate Common Name when prompted, i.e. "client-1" for the first and "client-2" for the second. The Common Name is what the server uses to find that client's file in the client-config-dir (see below), so it must match the file name you create there exactly.
Diffie Hellman parameters must be generated for the OpenVPN server.
./build-dh
Do not forget to type exit to leave the root shell.
The generated files end up in /etc/openvpn/easy-rsa/keys/:

Filename       Needed By                  Purpose                      Secret
ca.crt         server + all clients       Root CA certificate          NO
ca.key         key signing machine only   Root CA key                  YES
dh{n}.pem      server only                Diffie Hellman parameters    NO
server.crt     server only                Server certificate           NO
server.key     server only                Server key                   YES
client-1.crt   client-1 only              Client-1 certificate         NO
client-1.key   client-1 only              Client-1 key                 YES

Files marked Secret must never be copied anywhere other than the machine that needs them. In particular ca.key stays on the signing machine: the server does not need it, and whoever holds it can issue certificates that the server will accept.
Now configure the OpenVPN server by creating /etc/openvpn/server.conf from the example file. In a terminal enter:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz
The server's configuration file must be edited so that clients can connect to it. The following example (/etc/openvpn/server.conf) should be changed to suit your environment; the file names for ca, cert, key and dh are relative to /etc/openvpn.
local 100.7.37.100
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.0.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
Important here is client-config-dir ccd. This is a subdirectory under /etc/openvpn/ in which we put settings specific to each client connection (such as the IP address to hand to that client). OpenVPN does not create the directory itself, and when a client connects it reads the file in this directory whose name equals the Common Name of the client's certificate.
The following is an example of the client-1 configuration (file /etc/openvpn/ccd/client-1).
ifconfig-push 10.8.0.5 10.8.0.6
This will configure 'client-1' to have an IP of 10.8.0.5, with 10.8.0.6 as the server's end of the point-to-point link. With the default net30 topology each client occupies a /30, so the pair must be consecutive addresses ending in .1/.2, .5/.6, .9/.10 and so on; pairs that straddle two /30s, such as .7/.8, are rejected.
Be sure to copy the certificates, the server key and the DH parameters from the easy-rsa keys directory into /etc/openvpn, or openvpn will not start. Leave ca.key where it is; the server does not need it. The server key should remain readable by root only.
sudo cp /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn
sudo cp /etc/openvpn/easy-rsa/keys/server.crt /etc/openvpn
sudo cp /etc/openvpn/easy-rsa/keys/server.key /etc/openvpn
sudo cp /etc/openvpn/easy-rsa/keys/dh1024.pem /etc/openvpn
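Before starting the server it is worth checking that the certificates and the ccd/ entries agree with each other. The script below is an added example, not part of the original page and not part of easy-rsa or OpenVPN: it verifies that a client certificate chains to ca.crt, reports its RSA key size, extracts the Common Name that OpenVPN uses to find the client's file in client-config-dir, confirms that this file exists and carries an ifconfig-push pair valid for the default net30 topology (.1/.2, .5/.6, .9/.10, ...), and checks that private keys are readable by their owner only. It assumes openssl(1) is installed. The CA and client certificate that demo() builds are constructed throwaways so the script runs stand-alone; on a real installation point the functions at /etc/openvpn/easy-rsa/keys and /etc/openvpn/ccd, the paths this page uses.

```shell
#!/bin/sh
# Added example (not from the original page): consistency checks on an easy-rsa
# PKI and the matching client-config-dir entries. Assumes openssl(1) is installed.
set -eu

# Common Name of a certificate; OpenVPN looks up client-config-dir/<CN> by this.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Size of the certificate's RSA public key, in bits.
cert_bits() {
    openssl x509 -noout -text -in "$1" \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Does certificate $2 chain to CA certificate $1? Prints OK or FAIL.
chain_ok() {
    if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo OK
    else
        echo FAIL
    fi
}

# A private key must have no group/other permission bits (mode 600). Prints OK or FAIL.
key_mode_ok() {
    case $(ls -l "$1" | cut -c5-10) in
        ------) echo OK ;;
        *)      echo FAIL ;;
    esac
}

# In the default net30 topology each client gets a /30, so
# "ifconfig-push <client> <server>" must be one of the pairs
# .1/.2, .5/.6, .9/.10, ... .253/.254. Prints OK or FAIL.
net30_pair_ok() {
    c=${1##*.}
    s=${2##*.}
    if [ $((c % 4)) -eq 1 ] && [ "$s" -eq $((c + 1)) ]; then
        echo OK
    else
        echo FAIL
    fi
}

# Check that <ccd dir $1>/<CN of certificate $2> exists and that its
# ifconfig-push line is a valid net30 pair. Prints OK, MISSING-CCD or BAD-PAIR.
ccd_ok() {
    cn=$(cert_cn "$2")
    if [ ! -f "$1/$cn" ]; then
        echo MISSING-CCD
        return 0
    fi
    # Word splitting into the two addresses is intended here.
    set -- $(sed -n 's/^ifconfig-push[[:space:]]*//p' "$1/$cn")
    if [ "$#" -eq 2 ] && [ "$(net30_pair_ok "$1" "$2")" = OK ]; then
        echo OK
    else
        echo BAD-PAIR
    fi
}

# Constructed demo: a throwaway CA and client certificate stand in for the
# build-ca / build-key output, with a ccd entry like the one on the page.
demo() {
    tmp=$(mktemp -d)
    keys=$tmp/keys
    ccd=$tmp/ccd
    mkdir -p "$keys" "$ccd"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$tmp/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=OpenVPN-CA' \
        -keyout "$keys/ca.key" -out "$tmp/ca.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$tmp/ca.csr" -signkey "$keys/ca.key" \
        -extfile "$tmp/ca.ext" -out "$keys/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=client-1' \
        -keyout "$keys/client-1.key" -out "$tmp/client-1.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$tmp/client-1.csr" -CA "$keys/ca.crt" \
        -CAkey "$keys/ca.key" -CAcreateserial -out "$keys/client-1.crt" 2>/dev/null
    chmod 600 "$keys"/*.key   # keys are secret
    chmod 644 "$keys"/*.crt   # certificates are public
    echo 'ifconfig-push 10.8.0.5 10.8.0.6' > "$ccd/client-1"   # as on the page: a valid /30 pair
    printf '%s %s %s %s %s %s %s\n' \
        "$(chain_ok "$keys/ca.crt" "$keys/client-1.crt")" \
        "$(cert_bits "$keys/client-1.crt")" \
        "$(cert_cn "$keys/client-1.crt")" \
        "$(ccd_ok "$ccd" "$keys/client-1.crt")" \
        "$(key_mode_ok "$keys/ca.key")" \
        "$(key_mode_ok "$keys/ca.crt")" \
        "$(net30_pair_ok 10.8.0.7 10.8.0.8)"   # .7 and .8 straddle two /30s
    rm -rf "$tmp"
}

demo   # prints: OK 2048 client-1 OK OK FAIL FAIL
```

To check a real installation, call the functions against /etc/openvpn/easy-rsa/keys/ca.crt, /etc/openvpn/easy-rsa/keys/client-1.crt and /etc/openvpn/ccd instead of running demo. A MISSING-CCD result usually means the Common Name typed at build-key does not match the file name under ccd/, which is the mistake the naming advice above guards against. The .1/.2, .5/.6 constraint applies to the net30 topology that OpenVPN 2.x uses by default; if you set topology subnet in server.conf, any free address in the server range can be pushed.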
You can check whether the OpenVPN server starts up using the following command; it runs in the foreground and logs to the terminal, so any missing file or configuration error is shown immediately:
sudo openvpn --config /etc/openvpn/server.conf
If everything looks OK, press Ctrl-C to stop the foreground process and start the daemon:
sudo /etc/init.d/openvpn start