notes/archive/OpenVPN and CA install.md

# OpenVPN and CA install

### sources
- https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-an-openvpn-server-on-ubuntu-20-04 
- https://chatgpt.com/share/672b8e75-5a08-8009-9d13-f062d91bfac8

### Prereqs

ubunutu 24 with ufw configured

### Update/Upgrade
```
sudo apt update
sudo apt upgrade -y
```

### Install OpenVPN and Easy-RSA


`sudo apt install openvpn easy-rsa -y`

### Setup CA
```
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
```
```
vi vars
```
```
set_var EASYRSA_REQ_COUNTRY    "YourCountry"
set_var EASYRSA_REQ_PROVINCE   "YourProvince"
set_var EASYRSA_REQ_CITY       "YourCity"
set_var EASYRSA_REQ_ORG        "YourOrganization"
set_var EASYRSA_REQ_EMAIL      "email@example.com"
set_var EASYRSA_REQ_OU         "YourOrganizationalUnit"
```

```
./easyrsa init-pki
./easyrsa build-ca
```

add password to ca

### Generate Certs and Keys

`./easyrsa gen-req server nopass`

`./easyrsa sign-req server server`
Type yes and enter ca password

`./easyrsa gen-dh`

`openvpn --genkey --secret ta.key` // this is deperacated need update

### Config OpenVPN Server

`sudo cp pki/ca.crt pki/private/server.key pki/issued/server.crt pki/dh.pem ta.key /etc/openvpn/`

`sudo vi /etc/openvpn/server.conf`

```
port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh.pem
tls-auth ta.key 0  # This file should be kept secret
cipher AES-256-CBC
auth SHA256

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

push "route {ip.addr.ess.0 last byte is masked} 255.255.255.0"  # Replace with masked ip address

keepalive 10 120
persist-key
persist-tun

user nobody
group nogroup

status openvpn-status.log
verb 3
```

### Enable IP Forwarding

`sudo vi /etc/sysctl.conf`
```
net.ipv4.ip_forward=1
```

`sudo sysctl -p`

### Config Firewall

`sudo vi /etc/default/ufw`

change: `DEFAULT_FORWARD_POLICY="ACCEPT"`

`sudo vi /etc/ufw/before.rules`

Replace IP Address:
```
# START OPENVPN RULES
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/8 -o {ADD IP ADDRESS} -j MASQUERADE
COMMIT
# END OPENVPN RULES
```

`sudo ufw allow 1194/udp`
`sudo ufw enable`

### Start OpenVPN

```
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
sudo systemctl status openvpn@server
```

### Client Config

```
mkdir -p ~/client-configs/keys
mkdir -p ~/client-configs/files
```

`vi ~/client-configs/base.conf`

Rplace MY IP ADDRESS
```
client
dev tun
proto udp
remote {MY IP ADDRESS} 1194
resolv-retry infinite
nobind

user nobody
group nogroup

persist-key
persist-tun

remote-cert-tls server
cipher AES-256-CBC
auth SHA256
key-direction 1
verb 3
```

### Client Certificates and Keys

`cd ~/openvpn-ca`

Replace client1 with client_name
```
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1
```

`cp pki/ca.crt pki/issued/client1.crt pki/private/client1.key ta.key ~/client-configs/keys/`

`vi ~/client-configs/make_config.sh`

### Generate Client Keys
Replace client name
```
#!/bin/bash

CLIENT_NAME={client name}

KEY_DIR=~/client-configs/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

mkdir -p $OUTPUT_DIR

cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${CLIENT_NAME}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${CLIENT_NAME}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${CLIENT_NAME}.ovpn
```

`chmod 700 ~/client-configs/make_config.sh`
`./client-configs/make_config.sh`

### Distribute Client Config
{client name}.ovpn is now available in ~/client-configs/files/.