OpenVPN: Difference between revisions
Revision as of 21:17, 3 February 2022
Configure
Make a client key
 # FROM OPENVPN
 cd ~/apps/EasyRSA-3.0.8 && ./easyrsa gen-req mbm-client nopass
 cp pki/private/mbm-client.key ~/client-configs/keys/
 emacs pki/reqs/mbm-client.req   # copy
 # FROM EASYRSA
 emacs /tmp/mbm-client.req   # paste
 cd ~/apps/EasyRSA-3.0.8 && ./easyrsa import-req /tmp/mbm-client.req mbm-client
 ./easyrsa sign-req client mbm-client
 emacs pki/issued/mbm-client.crt   # copy
 # FROM OPENVPN
 cd ~/client-configs/keys/
 emacs mbm-client.crt   # paste
Install
Watch out: OpenVPN has tried to monetize with their "Access Server" product. What you want is OpenVPN "Open Source", aka "OSS".
You will need two machines to follow suggested installation: one for OpenVPN and a separate isolated machine to run EasyRSA to manage certificates.
We are basically following these instructions.
EasyRSA
Get the tarball link from the releases site, and install it:
 mkdir -p ~/apps && cd ~/apps
 wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz
 tar xvf EasyRSA-3.0.8.tgz
 # uncomment && update vars as desired
 cd EasyRSA-3.0.8 && cp vars.example vars && emacs vars
 ./easyrsa init-pki
 ./easyrsa build-ca nopass
Install server
Debian OpenVPN
OpenVPN (OSS) is available with most distros' package managers.
sudo apt install openvpn
Also install EasyRSA from the tarball as in the instructions above, but on this machine we will be running different commands:
 mkdir -p ~/apps && cd ~/apps
 wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz
 tar xvf EasyRSA-3.0.8.tgz
 cd EasyRSA-3.0.8
 ./easyrsa init-pki
 ./easyrsa gen-req server nopass
 sudo cp pki/private/server.key /etc/openvpn/
Docker OpenVPN
This (https://github.com/kylemanna/docker-openvpn) seems to be a good starting point; here (https://www.digitalocean.com/community/tutorials/how-to-run-openvpn-in-a-docker-container-on-ubuntu-14-04?utm_source=githubreadme) and here (https://medium.com/@gurayy/set-up-a-vpn-server-with-docker-in-5-minutes-a66184882c45) are some instructions. Not going there, Keith "you don't want to mix security concerns", Tom "KISS".
Set up initial certs and keys
After installing, move the request, certificates and keys between the EasyRSA machine and the OpenVPN machine:
 # FROM OPENVPN
 # push server.req to EasyRSA CA machine
 # you can just copy/paste it
 emacs pki/reqs/server.req   # copy
 # FROM EASYRSA
 emacs /tmp/server.req   # paste
 ./easyrsa import-req /tmp/server.req server
 ./easyrsa sign-req server server
 emacs pki/issued/server.crt   # copy
 emacs pki/ca.crt   # copy
 # FROM OPENVPN
 sudo emacs /etc/openvpn/server.crt   # paste
 sudo emacs /etc/openvpn/ca.crt   # paste
 ./easyrsa gen-dh
 sudo openvpn --genkey secret ta.key
 sudo cp ta.key /etc/openvpn/
 sudo cp pki/dh.pem /etc/openvpn/
 cd && mkdir -p client-configs/keys && chmod -R 700 ~/client-configs
 cd ~/apps/EasyRSA-3.0.8
 sudo cp ta.key ~/client-configs/keys/
 sudo cp /etc/openvpn/ca.crt ~/client-configs/keys/
Configure the service
Edit server settings as needed, here:
sudo emacs /etc/openvpn/server.conf
Configure networking
sudo nano /etc/sysctl.conf