OpenVPN and CA install
sources
- https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-an-openvpn-server-on-ubuntu-20-04
- https://chatgpt.com/share/672b8e75-5a08-8009-9d13-f062d91bfac8
Prereqs
Ubuntu 24 with ufw already configured
Update/Upgrade
sudo apt update
sudo apt upgrade -y
Install OpenVPN and Easy-RSA
sudo apt install openvpn easy-rsa -y
Setup CA
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
vi vars
set_var EASYRSA_REQ_COUNTRY "YourCountry"
set_var EASYRSA_REQ_PROVINCE "YourProvince"
set_var EASYRSA_REQ_CITY "YourCity"
set_var EASYRSA_REQ_ORG "YourOrganization"
set_var EASYRSA_REQ_EMAIL "email@example.com"
set_var EASYRSA_REQ_OU "YourOrganizationalUnit"
./easyrsa init-pki
./easyrsa build-ca
Enter a passphrase for the CA key when prompted (it is asked for again on every sign-req below)
Generate Certs and Keys
./easyrsa gen-req server nopass
./easyrsa sign-req server server
Type yes and enter ca password
./easyrsa gen-dh
openvpn --genkey --secret ta.key // this syntax is deprecated; OpenVPN 2.5+ uses `openvpn --genkey secret ta.key` (ta.key is a shared secret — keep it private like server.key)
Config OpenVPN Server
sudo cp pki/ca.crt pki/private/server.key pki/issued/server.crt pki/dh.pem ta.key /etc/openvpn/
sudo vi /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh.pem
tls-auth ta.key 0 # This file should be kept secret
cipher AES-256-CBC
auth SHA256
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route {ip.addr.ess.0 last byte is masked} 255.255.255.0" # Replace with the LAN network address clients should reach (last octet set to 0)
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
status openvpn-status.log
verb 3
Enable IP Forwarding
sudo vi /etc/sysctl.conf
net.ipv4.ip_forward=1
sudo sysctl -p
Config Firewall
sudo vi /etc/default/ufw
change: DEFAULT_FORWARD_POLICY="ACCEPT"
sudo vi /etc/ufw/before.rules
Replace the placeholder: `-o` takes the name of the outbound network interface (not an IP address); the source subnet should match the `server` line above (10.8.0.0/24 is narrower than the /8 shown and is the VPN's actual range):
# START OPENVPN RULES
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/8 -o {ADD IP ADDRESS} -j MASQUERADE
COMMIT
# END OPENVPN RULES
sudo ufw allow 1194/udp
sudo ufw enable
Start OpenVPN
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
sudo systemctl status openvpn@server
Client Config
mkdir -p ~/client-configs/keys
mkdir -p ~/client-configs/files
vi ~/client-configs/base.conf
Replace {MY IP ADDRESS} with the server's public IP address
client
dev tun
proto udp
remote {MY IP ADDRESS} 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
key-direction 1
verb 3
Client Certificates and Keys
cd ~/openvpn-ca
Replace client1 with the client's name (the same name is used by make_config.sh below)
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1
cp pki/ca.crt pki/issued/client1.crt pki/private/client1.key ta.key ~/client-configs/keys/
vi ~/client-configs/make_config.sh
Generate Client Keys
Replace client name
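#!/bin/bash
# Build a single-file .ovpn profile for one client by inlining the CA cert,
# the client cert/key and the tls-auth key into base.conf.
# Usage: make_config.sh [client_name]   (defaults to client1, the example above)
# The profile embeds the client's private key, so it is written owner-only.
set -euo pipefail

CLIENT_NAME=${1:-client1}
KEY_DIR="$HOME/client-configs/keys"
OUTPUT_DIR="$HOME/client-configs/files"
BASE_CONFIG="$HOME/client-configs/base.conf"

# Fail early with a clear message rather than writing a half-built profile.
for f in "$BASE_CONFIG" "$KEY_DIR/ca.crt" "$KEY_DIR/$CLIENT_NAME.crt" \
         "$KEY_DIR/$CLIENT_NAME.key" "$KEY_DIR/ta.key"; do
  [[ -r "$f" ]] || { printf 'missing or unreadable: %s\n' "$f" >&2; exit 1; }
done

umask 077   # output contains a private key: create it mode 0600
mkdir -p -- "$OUTPUT_DIR"

{
  cat -- "$BASE_CONFIG"
  printf '<ca>\n'
  cat -- "$KEY_DIR/ca.crt"
  printf '</ca>\n<cert>\n'
  cat -- "$KEY_DIR/$CLIENT_NAME.crt"
  printf '</cert>\n<key>\n'
  cat -- "$KEY_DIR/$CLIENT_NAME.key"
  printf '</key>\n<tls-auth>\n'
  cat -- "$KEY_DIR/ta.key"
  printf '</tls-auth>\n'
} > "$OUTPUT_DIR/$CLIENT_NAME.ovpn"

printf 'wrote %s\n' "$OUTPUT_DIR/$CLIENT_NAME.ovpn"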
chmod 700 ~/client-configs/make_config.sh
~/client-configs/make_config.sh
Distribute Client Config
{client name}.ovpn is now available in ~/client-configs/files/. It embeds the client's private key, so transfer it over a secure channel and remove the server-side copy once delivered.