
Configure OpenVPN Server

This guide was adapted from the following original posting:

https://www.howtoforge.com/tutorial/how-to-install-openvpn-server-and-client-with-easy-rsa-3-on-centos-7/

http://www.startupcto.com/server-tech/centos/setting-up-openvpn-server-on-centos

Parts of the above guides have been modified to suit the following activity. The screenshots
were taken from the original guide, so your output may vary slightly depending on the Linux
distribution you are using.

You will need a Linux VM such as Ubuntu for this activity. If your VM is based on CentOS
you may use the above guide as-is.

Step 1 - Install OpenVPN and Easy-RSA


It is assumed that all the following commands are executed as root. You can do this by
entering the following command or prefixing each command with sudo.

sudo -s

You will then be required to enter your password.

apt update
apt install openvpn easy-rsa -y

When the installation is complete, check the openvpn and easy-rsa version.

openvpn --version
ls -lah /usr/share/easy-rsa/

OpenVPN with easy-rsa has been installed.

Step 2 - Configure Easy-RSA 3


In this step, we will configure easy-rsa by creating a new 'vars' file. The 'vars' file contains
the Easy-RSA settings.

Go to the '/etc/openvpn/' directory and copy the 'easy-rsa' scripts into it.

cd /etc/openvpn/
cp -r /usr/share/easy-rsa /etc/openvpn/

Now go to the copied 'easy-rsa/' directory (on CentOS the scripts live one level deeper, in
'easy-rsa/3/') and create a new vars file using vim.

cd /etc/openvpn/easy-rsa/
vim vars

Paste the vars easy-rsa configuration below.

set_var EASYRSA "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "ID"
set_var EASYRSA_REQ_PROVINCE "Jakarta"
set_var EASYRSA_REQ_CITY "Jakarta"
set_var EASYRSA_REQ_ORG "hakase-labs CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL "openvpn@hakase-labs.io"
set_var EASYRSA_REQ_OU "HAKASE-LABS EASY CA"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 7500
set_var EASYRSA_CERT_EXPIRE 365
set_var EASYRSA_NS_SUPPORT "no"
set_var EASYRSA_NS_COMMENT "HAKASE-LABS CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
# Point this at the OpenSSL config shipped with your copy of easy-rsa: the Ubuntu
# package ships 'openssl-easyrsa.cnf' instead of 'openssl-1.0.cnf' (check with ls).
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf"
set_var EASYRSA_DIGEST "sha256"

Save and exit.

Note:

- Change the values of the variables as you need.
- Increase 'EASYRSA_KEY_SIZE' for better security.
- Change 'EASYRSA_CA_EXPIRE' and 'EASYRSA_CERT_EXPIRE' to suit your needs.

Now make the 'vars' file executable by changing the permission of the file.

chmod +x vars

The vars file for Easy-RSA setting has been created.

Step 3 - Build OpenVPN Keys


In this step, we will build the OpenVPN keys based on the easy-rsa 'vars' file that we've
created: the CA key, the server and client keys, the DH parameters and the CRL PEM file.

We will build all of them using the 'easyrsa' command line. Go to the '/etc/openvpn/easy-rsa/'
directory.

cd /etc/openvpn/easy-rsa/

Initialization and Build CA

Before building any keys, we need to initialize the PKI directory and build the CA key.
Initialize the PKI directory and build the CA key using the commands below.

./easyrsa init-pki
./easyrsa build-ca

Now type the password for your CA key and you will get your 'ca.crt' and 'ca.key' files under
the 'pki' directory.

Build Server Key

Now we want to build the server key, and we will build the server key named 'hakase-server'.

Build the server key 'hakase-server' using the command below.

./easyrsa gen-req hakase-server nopass

Note:

- nopass: disables the passphrase on the 'hakase-server' key, so the server can start without
  prompting for it.

And sign the 'hakase-server' key using our CA certificate.

./easyrsa sign-req server hakase-server

You will be asked for the CA password; type it and press Enter. You will then find the
'hakase-server.crt' certificate file under the 'pki/issued/' directory.

Verify the certificate file using the OpenSSL command and make sure there is no error.

openssl verify -CAfile pki/ca.crt pki/issued/hakase-server.crt

The server key and certificate have been created. The server private key is located at
'pki/private/hakase-server.key' and the server certificate at 'pki/issued/hakase-server.crt'.

Build Client Key

Now we need to build keys for the client. We will generate a new client key named 'client01'.

Generate the 'client01' key using the command below.

./easyrsa gen-req client01 nopass

Now sign the 'client01' key using our CA certificate as below.

./easyrsa sign-req client client01

Type 'yes' to confirm the client certificate request, then type the CA password.
The client certificate named 'client01' has been generated; verify it using the openssl
command.

openssl verify -CAfile pki/ca.crt pki/issued/client01.crt


Build Diffie-Hellman Key

This action will take a lot of time, depending on the key length that we chose and the
available entropy on the server. We will be using the key length that we defined in the 'vars'
file.

Generate the Diffie-Hellman key using command below.

./easyrsa gen-dh

The DH key has been generated, located at the 'pki' directory.

Optional: Generate the CRL

The CRL (Certificate Revocation List) is used to revoke client certificates. If you have
multiple client certificates on your VPN server and want to revoke one of them, you only
need to revoke it using the easy-rsa command.

To revoke a key, run the command below, replacing 'someone' with the name of the client
certificate (for example 'client01').

./easyrsa revoke someone

Then generate the CRL.

./easyrsa gen-crl

The CRL PEM file has been generated under the 'pki' directory as 'pki/crl.pem'. The server
configuration in Step 4 references this file with 'crl-verify', so run './easyrsa gen-crl' anyway,
even if you have not revoked any certificate yet, so that the file exists when the server starts.
After every later revocation, regenerate the CRL and copy it to the server directory again,
because the server only honours revocations listed in that file.

Copy Certificates Files

All certificates have been generated, now copy the certificate files and PEM files.

Copy Server Key and Certificate.

cp pki/ca.crt /etc/openvpn/server/
cp pki/issued/hakase-server.crt /etc/openvpn/server/
cp pki/private/hakase-server.key /etc/openvpn/server/

Copy client01 Key and Certificate.

cp pki/ca.crt /etc/openvpn/client/
cp pki/issued/client01.crt /etc/openvpn/client/
cp pki/private/client01.key /etc/openvpn/client/

Copy DH and CRL Key.

cp pki/dh.pem /etc/openvpn/server/
cp pki/crl.pem /etc/openvpn/server/

Step 4 - Configure OpenVPN


In this step, we will create a new configuration file 'server.conf' for the OpenVPN server.

Go to the '/etc/openvpn/' directory and create new configuration file 'server.conf' using vim.

cd /etc/openvpn/
vim server.conf

Paste the following OpenVPN server configuration there.

# OpenVPN Port, Protocol and the Tun
port 1194
proto udp
dev tun

# OpenVPN Server Certificate - CA, server key and certificate
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/hakase-server.crt
key /etc/openvpn/server/hakase-server.key

# DH and CRL key
dh /etc/openvpn/server/dh.pem
crl-verify /etc/openvpn/server/crl.pem

# Network Configuration - Internal network
# Redirect all Connection through OpenVPN Server
server 10.10.1.0 255.255.255.0
push "redirect-gateway def1"

# Using the DNS from https://dns.watch
push "dhcp-option DNS 84.200.69.80"
push "dhcp-option DNS 84.200.70.40"

# Enable multiple clients to connect with the same certificate/key
# (handy for a lab; remove it in production so that each client has its own
# certificate that can be revoked individually)
duplicate-cn

# TLS Security
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache

# Other Configuration
keepalive 20 60
persist-key
persist-tun
comp-lzo yes
daemon
# Drop privileges after start; Debian/Ubuntu use 'nogroup' (CentOS uses 'nobody')
user nobody
group nogroup
# OpenVPN Log
log-append /var/log/openvpn.log
verb 3

Save and exit.

The configuration for OpenVPN has been created.
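As an added example (not part of the original guide), the following Python script parses a server.conf in the format above and flags settings worth reviewing before the server leaves the lab: the shared-key 'duplicate-cn', compression, a missing or weak 'tls-version-min', a missing 'crl-verify', and the 'group nobody' value that does not exist on Debian/Ubuntu. The sample configuration embedded in it is constructed from the one in this step.

```python
"""Audit an OpenVPN server.conf for settings worth a second look.
Added example (not part of the guide). It parses the directive-per-line
format used in Step 4 and reports weak or broken settings."""
import shlex

# Constructed sample, reduced from the server.conf in Step 4.
SAMPLE_CONF = """\
server 10.10.1.0 255.255.255.0
push "redirect-gateway def1"
crl-verify /etc/openvpn/server/crl.pem
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
auth SHA512
comp-lzo yes
user nobody
group nobody
"""

def parse(text):
    """Return (directive, args) pairs; '#' comments and blank lines are skipped."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)  # keeps quoted push arguments together
            out.append((parts[0], parts[1:]))
    return out

def audit(text, debian_like=True):
    """Return a list of (severity, message) findings for the given config."""
    conf = parse(text)
    names = {d for d, _ in conf}
    args = dict(conf)
    findings = []
    if "duplicate-cn" in names:
        findings.append(("warn", "duplicate-cn: a shared client key cannot be revoked per user"))
    if names & {"comp-lzo", "compress"}:
        findings.append(("warn", "compression enabled; disable unless required (see OpenVPN VORACLE advisory)"))
    tv = args.get("tls-version-min")
    if not tv or float(tv[0]) < 1.2:
        findings.append(("fail", "tls-version-min missing or below 1.2"))
    if "crl-verify" not in names:
        findings.append(("warn", "crl-verify missing: revoked client certificates still connect"))
    if "user" not in names or "group" not in names:
        findings.append(("warn", "user/group not set: daemon keeps root privileges"))
    elif debian_like and args["group"] == ["nobody"]:
        findings.append(("fail", "group 'nobody' does not exist on Debian/Ubuntu; use 'nogroup'"))
    return findings
```

Call audit(open("/etc/openvpn/server.conf").read()) on the real file to list the findings for your own server.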

Step 5 - Enable Port-Forwarding and Configure Routing


iptables

First, edit /etc/sysctl.conf and add the following lines:

# Packet forwarding
net.ipv4.ip_forward = 1

Save the file, and then run sysctl -p to load the changes.

You can run the following as a bash script to make the required changes in iptables.

#!/bin/bash

# REMEMBER: run this as a single bash script or you'll lock yourself out of your machine.
# The primary interface is assumed to be eth0; check 'ip link' and adjust if yours is
# named differently (for example ens33 or enp0s3).

# Flushing all rules
iptables -F FORWARD
iptables -F INPUT
iptables -F OUTPUT
iptables -X
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Accept outbound on the primary interface
iptables -I OUTPUT -o eth0 -d 0.0.0.0/0 -j ACCEPT
# Accept inbound packets (any protocol) belonging to connections we already have
iptables -I INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow incoming SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
# Allow incoming OpenVPN
iptables -A INPUT -p udp --dport 1194 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
# Enable NAT for the VPN
iptables -t nat -A POSTROUTING -s 10.10.1.0/24 -o eth0 -j MASQUERADE
# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun0 -j ACCEPT
# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow outbound access to all networks on the Internet from the VPN
iptables -A FORWARD -i tun0 -s 10.10.1.0/24 -d 0.0.0.0/0 -j ACCEPT
# Block client-to-client routing on the VPN. Inserted at the top of FORWARD (-I)
# so it is evaluated before the broad "-i tun0 -j ACCEPT" rule above; appended
# with -A it would never match.
iptables -I FORWARD -i tun0 -s 10.10.1.0/24 -d 10.10.1.0/24 -j DROP

# These rules are lost on reboot; once you have confirmed they work, persist them
# with iptables-save (or the iptables-persistent package on Ubuntu).

Now start the openvpn service and enable it to launch automatically at system boot.

systemctl start openvpn@server
systemctl enable openvpn@server

Check it using the command below.

systemctl status openvpn@server.service

Step 6 - OpenVPN Client Setup


Go to the '/etc/openvpn/client' directory and create a new openvpn client configuration file
'client01.ovpn' using vim.

cd /etc/openvpn/client
vim client01.ovpn

Paste the following OpenVPN client configuration there.

client
dev tun
proto udp

# Public IP address (or hostname) of your OpenVPN server and its port
remote 139.xx.xx.xx 1194

ca ca.crt
cert client01.crt
key client01.key

cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

resolv-retry infinite
compress lzo
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3

Save and exit.

Now compress the '/etc/openvpn/client' directory to 'zip' or 'tar.gz' file and download the
compressed file using scp from your local computer.

Compress the '/etc/openvpn/client' directory to the 'client01.tar.gz' file.

cd /etc/openvpn/
tar -czvf client01.tar.gz client/*

You may then copy these compressed files to the client computer and use them to connect to
your OpenVPN Server.

Step 7 - Testing OpenVPN


Testing on the Clients.

On Linux

Install the OpenVPN package and, if you want a GUI configuration, the OpenVPN NetworkManager
plugin.

sudo apt install openvpn network-manager-openvpn network-manager-openvpn-gnome -y

If you want to connect using a terminal shell, run the OpenVPN command below as root from the
extracted 'client' directory, so that the relative 'ca.crt', 'client01.crt' and 'client01.key'
paths in 'client01.ovpn' resolve.

openvpn --config client01.ovpn

When you're connected to OpenVPN, open a new terminal tab and check the connection using the
curl command.

curl ifconfig.io

And you will get the OpenVPN server IP address.

On Mac OS

Download Tunnelblick and install it.

Extract the 'client01.tar.gz' file and rename the 'client' directory to 'client01.tblk'.

tar -xzvf client01.tar.gz
mv client client01.tblk

Double-click 'client01.tblk' and Tunnelblick will automatically detect the OpenVPN
configuration and import it.

Now connect through the Tunnelblick on the Top bar.

On Windows

Download the openvpn client for windows and import the configuration.
