inital commit

OpenVPN and CA install.md

@@ -0,0 +1,205 @@
+# OpenVPN and CA install
+
+### sources
+- https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-an-openvpn-server-on-ubuntu-20-04 
+- https://chatgpt.com/share/672b8e75-5a08-8009-9d13-f062d91bfac8
+
+### Prereqs
+
+ubunutu 24 with ufw configured
+
+### Update/Upgrade
+```
+sudo apt update
+sudo apt upgrade -y
+```
+
+### Install OpenVPN and Easy-RSA
+
+
+`sudo apt install openvpn easy-rsa -y`
+
+### Setup CA
+```
+make-cadir ~/openvpn-ca
+cd ~/openvpn-ca
+```
+```
+vi vars
+```
+```
+set_var EASYRSA_REQ_COUNTRY    "YourCountry"
+set_var EASYRSA_REQ_PROVINCE   "YourProvince"
+set_var EASYRSA_REQ_CITY       "YourCity"
+set_var EASYRSA_REQ_ORG        "YourOrganization"
+set_var EASYRSA_REQ_EMAIL      "email@example.com"
+set_var EASYRSA_REQ_OU         "YourOrganizationalUnit"
+```
+
+```
+./easyrsa init-pki
+./easyrsa build-ca
+```
+
+add password to ca
+
+### Generate Certs and Keys
+
+`./easyrsa gen-req server nopass`
+
+`./easyrsa sign-req server server`
+Type yes and enter ca password
+
+`./easyrsa gen-dh`
+
+`openvpn --genkey --secret ta.key` // this is deperacated need update
+
+### Config OpenVPN Server
+
+`sudo cp pki/ca.crt pki/private/server.key pki/issued/server.crt pki/dh.pem ta.key /etc/openvpn/`
+
+`sudo vi /etc/openvpn/server.conf`
+
+```
+port 1194
+proto udp
+dev tun
+
+ca ca.crt
+cert server.crt
+key server.key  # This file should be kept secret
+dh dh.pem
+tls-auth ta.key 0  # This file should be kept secret
+cipher AES-256-CBC
+auth SHA256
+
+server 10.8.0.0 255.255.255.0
+ifconfig-pool-persist ipp.txt
+
+push "route {ip.addr.ess.0 last byte is masked} 255.255.255.0"  # Replace with masked ip address
+
+keepalive 10 120
+persist-key
+persist-tun
+
+user nobody
+group nogroup
+
+status openvpn-status.log
+verb 3
+```
+
+### Enable IP Forwarding
+
+`sudo vi /etc/sysctl.conf`
+```
+net.ipv4.ip_forward=1
+```
+
+`sudo sysctl -p`
+
+### Config Firewall
+
+`sudo vi /etc/default/ufw`
+
+change: `DEFAULT_FORWARD_POLICY="ACCEPT"`
+
+`sudo vi /etc/ufw/before.rules`
+
+Replace IP Address:
+```
+# START OPENVPN RULES
+*nat
+:POSTROUTING ACCEPT [0:0]
+-A POSTROUTING -s 10.8.0.0/8 -o {ADD IP ADDRESS} -j MASQUERADE
+COMMIT
+# END OPENVPN RULES
+```
+
+`sudo ufw allow 1194/udp`
+`sudo ufw enable`
+
+### Start OpenVPN
+
+```
+sudo systemctl start openvpn@server
+sudo systemctl enable openvpn@server
+sudo systemctl status openvpn@server
+```
+
+### Client Config
+
+```
+mkdir -p ~/client-configs/keys
+mkdir -p ~/client-configs/files
+```
+
+`vi ~/client-configs/base.conf`
+
+Rplace MY IP ADDRESS
+```
+client
+dev tun
+proto udp
+remote {MY IP ADDRESS} 1194
+resolv-retry infinite
+nobind
+
+user nobody
+group nogroup
+
+persist-key
+persist-tun
+
+remote-cert-tls server
+cipher AES-256-CBC
+auth SHA256
+key-direction 1
+verb 3
+```
+
+### Client Certificates and Keys
+
+`cd ~/openvpn-ca`
+
+Replace client1 with client_name
+```
+./easyrsa gen-req client1 nopass
+./easyrsa sign-req client client1
+```
+
+`cp pki/ca.crt pki/issued/client1.crt pki/private/client1.key ta.key ~/client-configs/keys/`
+
+`vi ~/client-configs/make_config.sh`
+
+### Generate Client Keys
+Replace client name
+```
+#!/bin/bash
+
+CLIENT_NAME={client name}
+
+KEY_DIR=~/client-configs/keys
+OUTPUT_DIR=~/client-configs/files
+BASE_CONFIG=~/client-configs/base.conf
+
+mkdir -p $OUTPUT_DIR
+
+cat ${BASE_CONFIG} \
+    <(echo -e '<ca>') \
+    ${KEY_DIR}/ca.crt \
+    <(echo -e '</ca>\n<cert>') \
+    ${KEY_DIR}/${CLIENT_NAME}.crt \
+    <(echo -e '</cert>\n<key>') \
+    ${KEY_DIR}/${CLIENT_NAME}.key \
+    <(echo -e '</key>\n<tls-auth>') \
+    ${KEY_DIR}/ta.key \
+    <(echo -e '</tls-auth>') \
+    > ${OUTPUT_DIR}/${CLIENT_NAME}.ovpn
+```
+
+`chmod 700 ~/client-configs/make_config.sh`
+`./client-configs/make_config.sh`
+
+### Distribute Client Config
+{client name}.ovpn is now available in ~/client-configs/files/.