https://www.howtoforge.com/tutorial/how-to-install-openvpn-server-and-client-with-easy-rsa-3-on-centos-7/
http://www.startupcto.com/server-tech/centos/setting-up-openvpn-server-on-centos
Parts of the above guides have been modified to suit the following activity. The screenshots were taken from the original guides, so please note that your output may vary slightly depending on the Linux distribution you are using.
You will need a Linux VM such as Ubuntu for this activity. If your VM is based on CentOS
you may use the above guide as-is.
sudo -s
apt update
apt install openvpn easy-rsa -y
When the installation is complete, check the openvpn and easy-rsa version.
openvpn --version
ls -lah /usr/share/easy-rsa/
cd /etc/openvpn/
cp -r /usr/share/easy-rsa /etc/openvpn/
Now go to the 'easy-rsa/' directory (on CentOS it is 'easy-rsa/3/') and create a new 'vars' file using vim.
cd /etc/openvpn/easy-rsa/
vim vars
Note:
Now make the 'vars' file executable by changing the permission of the file.
chmod +x vars
We will build all those keys using the 'easyrsa' command line. Go to the '/etc/openvpn/easy-rsa/' directory.
cd /etc/openvpn/easy-rsa/
Initialization and Build CA
Before building any keys, we need to initialize the PKI directory and build the CA key.
Initiate the PKI directory and build the CA key using the command below.
./easyrsa init-pki
./easyrsa build-ca
Now type the password for your CA key and you will get your 'ca.crt' and 'ca.key' files under
the 'pki' directory.
Now we want to build the server key; we will name it 'hakase-server'.
Note:
You will be asked for the 'CA' password, type the password and press Enter. And you will get
the 'hakase-server.crt' certificate file under the 'pki/issued/' directory.
Verify the certificate file using the OpenSSL command and make sure there is no error.
All server certificate keys have been created. The server private key is located at 'pki/private/hakase-server.key', and the server certificate at 'pki/issued/hakase-server.crt'.
Now we need to build keys for the client. We will generate a new client key named 'client01'.
Type 'yes' to confirm the client certificate request, then type the CA password.
The client certificate named 'client01' has been generated; verify the client certificate using the openssl command.
Generating the Diffie-Hellman parameters will take a long time, depending on the key length we chose and the available entropy on the server. We will be using the key length that we defined in the 'vars' file.
./easyrsa gen-dh
The CRL (Certificate Revocation List) will be used for revoking client keys. If you have multiple client certificates on your VPN server and you want to revoke one of them, you just need to revoke it using the easy-rsa command.
./easyrsa gen-crl
The CRL PEM file has been generated under the 'pki' directory - following is an example on
my server.
All certificates have been generated, now copy the certificate files and PEM files.
cp pki/ca.crt /etc/openvpn/server/
cp pki/issued/hakase-server.crt /etc/openvpn/server/
cp pki/private/hakase-server.key /etc/openvpn/server/
cp pki/ca.crt /etc/openvpn/client/
cp pki/issued/client01.crt /etc/openvpn/client/
cp pki/private/client01.key /etc/openvpn/client/
Go to the '/etc/openvpn/' directory and create a new configuration file 'server.conf' using vim.
cd /etc/openvpn/
vim server.conf
# TLS Security
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
# Other Configuration
keepalive 20 60
persist-key
persist-tun
comp-lzo yes
daemon
user nobody
group nobody
# on Debian/Ubuntu there is no group 'nobody'; use "group nogroup" there
# OpenVPN Log
log-append /var/log/openvpn.log
verb 3
# Packet forwarding
net.ipv4.ip_forward = 1
Save the file (the 'net.ipv4.ip_forward' setting belongs in '/etc/sysctl.conf', not in 'server.conf'), and then run 'sysctl -p' to load the changes.
You can run the following as a bash script to make the required changes in iptables.
#!/bin/bash
# REMEMBER: Run this as a single bash script or you'll lock yourself out of your machine.
Now start the openvpn service and enable it to launch automatically every time the system boots.
cd /etc/openvpn/client
vim client01.ovpn
client
dev tun
proto udp
ca ca.crt
cert client01.crt
key client01.key
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
compress lzo
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
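The 'TLS Security' block of server.conf and the matching client directives above can be checked mechanically before the tunnel is rolled out. The following Python script is an added example, not part of the original guide: it parses both fragments (embedded here as constructed samples copied from the text), reports the settings a reviewer would question, and checks that the values which must agree on both ends actually do.

```python
# Added example, not from the guide: audit the TLS directives of the
# server.conf and client01.ovpn fragments above. Stdlib only; both
# configs are constructed from the fragments shown in the text.
AEAD_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}
TLS_SUITES = ("TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:"
              "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256")
SERVER_CONF = f"""\
# TLS Security
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher {TLS_SUITES}
auth SHA512
comp-lzo yes
"""
CLIENT_OVPN = f"""\
client
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
tls-cipher {TLS_SUITES}
compress lzo
"""

def parse_openvpn_config(text):
    """Map each directive to the args of its last occurrence; '#'/';' lines are comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            cfg[name] = args
    return cfg

def audit(cfg):
    """Hardening findings for one parsed config; an empty list means clean."""
    findings = []
    if float(cfg.get("tls-version-min", ["0"])[0]) < 1.2:
        findings.append("tls-version-min missing or below 1.2")
    if "comp-lzo" in cfg or "compress" in cfg:  # compression leaks data (VORACLE); drop it
        findings.append("compression enabled; remove comp-lzo/compress")
    cipher = cfg.get("cipher", ["unset"])[0].upper()
    if cipher not in AEAD_CIPHERS and not ({"data-ciphers", "ncp-ciphers"} & cfg.keys()):
        findings.append(f"data cipher {cipher} is not AEAD; add data-ciphers AES-256-GCM:AES-128-GCM")
    if not ({"tls-auth", "tls-crypt"} & cfg.keys()):
        findings.append("no tls-auth/tls-crypt key: control channel packets are not pre-authenticated")
    return findings

def pair_mismatches(server, client):
    """Directives that must agree on both ends or the tunnel will not come up."""
    bad = [d for d in ("cipher", "auth") if server.get(d) != client.get(d)]
    shared = set(server.get("tls-cipher", [""])[0].split(":")) & set(client.get("tls-cipher", [""])[0].split(":"))
    return bad + ([] if shared else ["tls-cipher"])
```

Run `audit(parse_openvpn_config(SERVER_CONF))` and the same for the client to list the findings; `pair_mismatches` returns an empty list for the two fragments because cipher, auth and the tls-cipher list are identical on both sides.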
Now compress the '/etc/openvpn/client' directory into a 'zip' or 'tar.gz' file and download the compressed file using scp from your local computer.
cd /etc/openvpn/
tar -czvf client01.tar.gz client/*
You may then copy these compressed files to the client computer and use them to connect to
your OpenVPN Server.
On Linux
Install the OpenVPN package and, if you want a GUI configuration, install the OpenVPN network-manager plugin.
If you want to connect using a terminal shell, run the OpenVPN command below.
openvpn --config client01.ovpn
When you're connected to OpenVPN, open new terminal tab and check the connection using
curl command.
curl ifconfig.io
On Mac OS
Extract the 'client01.tar.gz' file and rename the 'client' directory to 'client01.tblk'.
Double-click 'client01.tblk' and Tunnelblick will automatically detect the OpenVPN configuration and import it.
On Windows
Download the openvpn client for windows and import the configuration.