OPSEC / Anonymity Dual VPN based on OpenVPN


Let's set up the second server first:

Step 1: Install OpenVPN

QUOTE:
sudo apt update
sudo apt install openvpn easy-rsa

Step 2: Create a CA Directory

OpenVPN is a virtual private network using TLS/SSL. This means that OpenVPN uses certificates to encrypt traffic between the server and clients. To issue trusted certificates, we will need to create our own CA.

Create a user named e.g. openvpn-ca and switch to it:
QUOTE:
sudo adduser openvpn-ca
sudo usermod -aG sudo openvpn-ca
sudo su - openvpn-ca
First, let's copy the easy-rsa template directory into our home directory with the command make-cadir:
QUOTE:
make-cadir ~/openvpn-ca
cd ~/openvpn-ca

Step 3: Set up CA variables

To set up our CA variables, we need to edit the vars file. Open it in your text editor:
QUOTE:
vi ~/openvpn-ca/vars
Inside the file, you will find variables that set the parameters of the certificates when they are created. We only need to change a few of them.
QUOTE:
~/openvpn-ca/vars
QUOTE:
. . .

export KEY_COUNTRY="US"
export KEY_PROVINCE="NY"
export KEY_CITY="New York City"
export KEY_ORG="CodeBy"
export KEY_EMAIL="[email protected]"
export KEY_OU="Community"

. . .
While we are in this file, we will also edit the value KEY_NAME just below, which fills in the subject field of the certificates. For simplicity, let's name it vpnsrv2:
QUOTE:
~/openvpn-ca/vars
QUOTE:
export KEY_NAME="vpnsrv2"
Save and close the file.

Step 4: Create a Certificate Authority

Now we can use the variables and easy-rsa utilities we've set up to create a certificate authority.

Make sure you are in the CA directory and source the vars file. In my case, I also needed to add a symlink to the file openssl-1.0.0.cnf:
QUOTE:
cd ~/openvpn-ca
ln -s ~/openvpn-ca/openssl-1.0.0.cnf openssl.cnf
source vars
You should see the following output:
QUOTE:
Output:
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/sammy/openvpn-ca/keys
Let's make sure we're working in a "clean environment" by running the following command:
QUOTE:
./clean-all
Now we can create our root CA with the command:
QUOTE:
./build-ca
This command will start the process of generating the root CA key and certificate. Since we have set all the variables in the vars file, all the necessary values will be entered automatically. Press ENTER to confirm your selection.

We now have a certificate authority that we can use to create all the other files we need.

Step 5: Create a certificate, key, and encryption files for the server

Next, let's create a certificate, a key pair, and some additional files used to implement encryption for our server.

Let's start by creating an OpenVPN certificate and keys for the server. This can be done with the following command:

QUOTE:
Note: If you previously chose a name other than server, you will need to slightly change some of the instructions. For example, when copying the created files to the /etc/openvpn directory, you will have to replace the names with the ones you specify. You will also need to modify the /etc/openvpn/server.conf file to point to the correct .crt and .key files.
QUOTE:
./build-key-server vpnsrv2
The output will again contain the default values passed to this command (server) as well as the values from the vars file.

Accept all defaults by pressing ENTER. Don't set a challenge password. At the end of the process, type y twice to sign and validate the creation of the certificate:
QUOTE:
Output:
. . .

Certificate is to be certified until May 1 17:51:16 2026 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Let's create the rest of the files. We can generate strong Diffie-Hellman keys used in key exchange with the command:
QUOTE:
./build-dh
It may take several minutes for this command to complete.

Next, we can generate an HMAC signature to strengthen the server's TLS integrity verification:

QUOTE:
sudo openvpn --genkey --secret keys/ta.key
sudo chown openvpn-ca:openvpn-ca keys/ta.key

Step 6: Create a certificate and key pair for the client

Next, we can generate a certificate and a key pair for the client. In general, this can be done on the client machine and then signed by the server's certificate authority, but in this article, for simplicity, we will generate the signed key on the server.

In this article, we will create a key and certificate for only one client. If you have multiple clients, you can repeat this process as many times as you like. Just pass a unique value to the script each time.

Since we may come back to this step later, we will repeat the source command for the vars file. We will use the name clientsrv2 to generate the first certificate and key.

To create files without a password to facilitate automatic connections, use the command build-key:

QUOTE:
cd ~/openvpn-ca
source vars
./build-key clientsrv2
During the file creation process, all default values will be filled in, so you can press ENTER at each prompt. Do not specify a challenge password, and enter y when prompted to sign and validate the creation of the certificate.

Step 7: Configure OpenVPN Service

Next, we will configure the OpenVPN service using the files we created earlier.

Copying files to the OpenVPN directory

We need to copy the files we need to the directory /etc/openvpn.

First, let's copy the files we created. They are in the directory ~/openvpn-ca/keys in which they were created. We need to copy the certificate and key of the certificate authority, the certificate and key of the server, the HMAC signature and the Diffie-Hellman file:
QUOTE:
cd ~/openvpn-ca/keys
sudo mkdir /etc/openvpn/keys
sudo cp ca.crt vpnsrv2.crt vpnsrv2.key dh2048.pem ta.key /etc/openvpn/keys/
Next, we need to copy and unpack the sample OpenVPN configuration file to the configuration directory, we will use this file as a base for our settings:
QUOTE:
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf
Setting up the OpenVPN configuration

Now that our files are in place, let's set up the server's configuration file:
QUOTE:
sudo vi /etc/openvpn/server.conf
Basic setup

Set the address of the VPN server's network:
QUOTE:
/etc/openvpn/server.conf
QUOTE:
# ethernet bridging. See the man page for more info.
server 10.8.1.0 255.255.255.0
Find the HMAC section by searching for tls-auth. Remove the ";" to uncomment the tls-auth line. Next, add a key-direction parameter and set its value to "0":
QUOTE:
/etc/openvpn/server.conf
QUOTE:
tls-auth keys/ta.key 0 # This file is secret
key-direction 0
Next, let's find the encryption section; we are interested in the commented cipher lines. Remove the ";" to uncomment the AES-256-CBC line:
QUOTE:
/etc/openvpn/server.conf
QUOTE:
cipher AES-256-CBC
Below this line, add an auth line and select the HMAC algorithm. A good choice would be SHA512:
QUOTE:
/etc/openvpn/server.conf
QUOTE:
auth SHA512
Finally, find the user and group settings and remove the ";" to uncomment these lines:
QUOTE:
/etc/openvpn/server.conf
QUOTE:
user nobody
group nogroup
You need to comment out the following directives. Find the redirect-gateway section and add ";" to the beginning of the line:
QUOTE:
/etc/openvpn/server.conf
QUOTE:
;push "redirect-gateway def1 bypass-dhcp"
Do the same for the dhcp-option section just below it:
QUOTE:
/etc/openvpn/server.conf
QUOTE:
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
(Optional) Port and protocol configuration

By default, OpenVPN uses port 1194 and the UDP protocol to connect with clients. If you need to change the port due to restrictions on your clients, you can do so by changing the port and proto directives. On the second server we use TCP on port 1194:

QUOTE:
/etc/openvpn/server.conf
QUOTE:
port 1194

# TCP or UDP server?
proto tcp4
(Optional) Using a custom certificate name and key

If you specified a name other than vpnsrv2 when running ./build-key-server above, change the cert and key settings to point to the correct .crt and .key files. If you used vpnsrv2, these settings should look like this:
QUOTE:
/etc/openvpn/server.conf
QUOTE:
ca keys/ca.crt
cert keys/vpnsrv2.crt
key keys/vpnsrv2.key

dh keys/dh2048.pem
Save and close the file.
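Before moving on, it helps to have a quick way to verify that the edits above actually took effect, since a directive left commented out with ";" is silently ignored by OpenVPN. The shell function below is an added example and is not part of the original post: it reads a server.conf on stdin and checks for the directives set in this step (tls-auth with key-direction 0, cipher AES-256-CBC, auth SHA512, user nobody, group nogroup) and notes whether redirect-gateway is still being pushed, which on the second server it should not be. The sample config embedded in it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an OpenVPN server.conf
# for the directives this tutorial sets on the second server. The config is
# read from stdin, so it works on the real file:
#     audit_server_conf < /etc/openvpn/server.conf
# One "missing:" line is printed per unmet check; return code 0 = all met.

audit_server_conf() {
    tlsauth=0; keydir=0; cipher=0; auth=0; user=0; group=0; redirect=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}        # strip leading whitespace
        case $line in
            ''|'#'*|';'*) continue ;;                # blank or commented out
            'tls-auth '*' 0'|'tls-auth '*' 0 '*)         tlsauth=1 ;;
            'key-direction 0'|'key-direction 0 '*)       keydir=1 ;;
            'cipher AES-256-CBC'|'cipher AES-256-CBC '*) cipher=1 ;;
            'auth SHA512'|'auth SHA512 '*)               auth=1 ;;
            'user nobody'|'user nobody '*)               user=1 ;;
            'group nogroup'|'group nogroup '*)           group=1 ;;
            'push "redirect-gateway'*)                   redirect=1 ;;
        esac
    done
    rc=0
    [ "$tlsauth" = 1 ] || { echo "missing: tls-auth <file> 0 (line still commented?)"; rc=1; }
    [ "$keydir" = 1 ]  || { echo "missing: key-direction 0"; rc=1; }
    [ "$cipher" = 1 ]  || { echo "missing: cipher AES-256-CBC"; rc=1; }
    [ "$auth" = 1 ]    || { echo "missing: auth SHA512"; rc=1; }
    [ "$user" = 1 ]    || { echo "missing: user nobody (privilege drop)"; rc=1; }
    [ "$group" = 1 ]   || { echo "missing: group nogroup (privilege drop)"; rc=1; }
    # Only the first server pushes redirect-gateway; the second keeps it commented.
    [ "$redirect" = 0 ] || echo "note: push redirect-gateway is active (expected only on the first server)"
    return $rc
}

# Constructed sample of /etc/openvpn/server.conf on the second server after
# the edits in this step.
SAMPLE_SRV2='port 1194
proto tcp4
dev tun
ca keys/ca.crt
cert keys/vpnsrv2.crt
key keys/vpnsrv2.key
dh keys/dh2048.pem
server 10.8.1.0 255.255.255.0
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
tls-auth keys/ta.key 0 # This file is secret
key-direction 0
cipher AES-256-CBC
auth SHA512
user nobody
group nogroup
persist-key
persist-tun'

# Wrapper so the constructed sample can be audited without a file.
audit_sample_srv2() { printf '%s\n' "$SAMPLE_SRV2" | audit_server_conf; }

audit_sample_srv2 && echo "sample server.conf: all checks pass"
```

On the live server run `audit_server_conf < /etc/openvpn/server.conf` after editing and again after any later change; a non-zero exit with "missing:" lines means one of the edits above did not take.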

Step 8: Set up the network configuration of the server

Next, we need to set up the server's network configuration so that OpenVPN can forward traffic correctly.

Configuring IP forwarding

First, let's allow the server to forward traffic. This is the core functionality of our VPN server.

Set it up in the file /etc/sysctl.conf:
QUOTE:
sudo vi /etc/sysctl.conf
Find the line with the setting net.ipv4.ip_forward. Remove the "#" from the beginning of the line to uncomment it:
QUOTE:
/etc/sysctl.conf
QUOTE:
net.ipv4.ip_forward=1
Save and close the file.

To apply the settings to the current session, type the command:

QUOTE:
sudo sysctl -p
Setting up UFW rules to masquerade client connections

You need to install the UFW firewall. We will need it to manipulate traffic leaving the server: its settings file has to be changed so that client connections are hidden behind the server's own address (masquerading).
QUOTE:
sudo apt update
sudo apt install ufw
Open the file /etc/ufw/before.rules and add the appropriate settings there:
QUOTE:
sudo vi /etc/ufw/before.rules
This file contains the UFW rules that are applied before the rules added on the UFW command line. Add the lines between START OPENVPN RULES and END OPENVPN RULES to the beginning of the file. This sets up the default rules for the POSTROUTING chain in the nat table and masquerades all traffic coming from the VPN:
QUOTE:
/etc/ufw/before.rules
QUOTE:
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

# Don't delete these required lines, otherwise there will be errors
. . .
Save and close the file.

Now we need to tell UFW that it needs to allow forwarded packets by default. To do this, open the file /etc/default/ufw:
QUOTE:
sudo vi /etc/default/ufw
Find the directive DEFAULT_FORWARD_POLICY in the file. We will change the value from DROP to ACCEPT:
QUOTE:
/etc/default/ufw
QUOTE:
DEFAULT_FORWARD_POLICY="ACCEPT"
Save and close the file.

Opening the OpenVPN port and applying the changes

Next, we'll configure the firewall itself to allow traffic to OpenVPN.

If you did not change the port and protocol in the file /etc/openvpn/server.conf, you will need to allow UDP traffic on port 1194. If you have changed these settings, enter the values you specified. In my case it is TCP port 1194.

Also allow your SSH port:

QUOTE:
sudo ufw allow 22
sudo ufw allow 1194/tcp
Now deactivate and activate UFW to apply the changes:
QUOTE:
sudo ufw disable
sudo ufw enable
Our server is now configured to handle OpenVPN traffic.

Step 9: Enable the OpenVPN service

We are ready to enable the OpenVPN service on our server. We can do this with systemd .

We need to start the OpenVPN server by passing the name of our configuration file as the instance name after the systemd unit name. The configuration file for our server is named /etc/openvpn/server.conf, so we'll add @server to the unit name when we call it:
QUOTE:
sudo systemctl start openvpn@server
Verify that the service has been successfully started with the command:
QUOTE:
sudo systemctl status openvpn@server
If everything is in order, configure the service to automatically turn on when the server boots:
QUOTE:
sudo systemctl enable openvpn@server

Step 10: Create the Client Configuration Infrastructure

Next, let's set up the system to easily create configuration files for clients.

Creating the client configuration directory structure

In your home directory, create a directory structure for storing the files:
QUOTE:
sudo su - openvpn-ca
mkdir -p ~/client-configs/files
mkdir -p ~/client-configs/files
Since our configuration files will contain client keys, we need to set the permissions for the created directories:
QUOTE:
chmod 700 ~/client-configs/files
Creating a base configuration

Next, copy the example configuration into our directory to use as our base configuration:
QUOTE:
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
Open this file in your text editor:
QUOTE:
vi ~/client-configs/base.conf
Let's make a few changes to this file.

First, find the directive remote. This directive tells the client the address of our OpenVPN server. This should be the public IP address of your OpenVPN server. If you have changed the port the OpenVPN server listens on, change the default port 1194 to your value:

QUOTE:
~/client-configs/base.conf
QUOTE:
. . .
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote server_IP_address 1194
. . .
Make sure the protocol matches the server settings:
QUOTE:
~/client-configs/base.conf
QUOTE:
proto tcp
Next, uncomment the directives user and group by removing the ";":
QUOTE:
~/client-configs/base.conf
QUOTE:
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup
Find the directives ca, cert and key. Comment them out, as we will be embedding the certificates and keys in the file itself:
QUOTE:
~/client-configs/base.conf
QUOTE:
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
#ca ca.crt
#cert client.crt
#key client.key
Add the settings cipher and auth according to those specified in the file /etc/openvpn/server.conf:
QUOTE:
~/client-configs/base.conf
QUOTE:
cipher AES-256-CBC
auth SHA512
Next, add the directive key-direction anywhere in the file. It must have the value "1" (the server side uses "0") for the connection to work correctly:
QUOTE:
~/client-configs/base.conf
QUOTE:
key-direction 1
Creating a script to generate configuration files

Now let's create a simple script that generates client configuration files with the relevant certificates, keys and encryption files embedded. It will place the generated files in ~/client-configs/files.

Create and open a file make_config.sh inside the directory ~/client-configs:
QUOTE:
vi ~/client-configs/make_config.sh
Paste the following text into this file:

QUOTE:
~/client-configs/make_config.sh
QUOTE:
#!/bin/bash

# First argument: client identifier (the name passed to ./build-key)

KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

# Concatenate the base config with the CA certificate, the client certificate,
# the client key and the tls-auth key as inline <tag>...</tag> blocks.
cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${1}.ovpn
Save and close the file.

Make it executable with the command:
QUOTE:
chmod 700 ~/client-configs/make_config.sh

Step 11: Generating Client Configurations

Now we can easily generate client configuration files.

If you followed all the steps in this article, you generated the client certificate and key clientsrv2.crt and clientsrv2.key with the command ./build-key clientsrv2 in step 6. You can generate the configuration for these files by navigating to the directory ~/client-configs and using the script we just created:

QUOTE:
cd ~/client-configs
./make_config.sh clientsrv2
If everything went well, we should get the file clientsrv2.ovpn in the directory ~/client-configs/files:
QUOTE:
ls ~/client-configs/files
QUOTE:
Output:
clientsrv2.ovpn
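The make_config.sh script simply concatenates files with cat, so if a .crt or .key is missing or empty the .ovpn file still appears in the listing above but carries an empty inline block, and the problem only shows up when the client tries to connect. The shell function below is an added example and is not part of the original post or of OpenVPN: it reads a generated profile on stdin and checks that the four inline blocks (<ca>, <cert>, <key>, <tls-auth>) are present, properly closed and contain a PEM body, that key-direction 1 is set, and that no file-based ca/cert/key directive is still active alongside the inline blocks. The two sample profiles embedded in it are constructed, with dummy PEM bodies rather than real certificates or keys.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check a generated
# .ovpn profile before handing it to a client. Reads the profile from stdin:
#     check_ovpn < ~/client-configs/files/clientsrv2.ovpn
# Prints one line per problem; return code 0 = profile looks complete.

check_ovpn() {
    blk=''; begin=0; end=0; keydir=0; rc=0
    seen_ca=0; seen_cert=0; seen_key=0; seen_ta=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '<ca>'|'<cert>'|'<key>'|'<tls-auth>')
                if [ -n "$blk" ]; then
                    echo "error: <$blk> not closed before $line"; rc=1
                fi
                blk=${line#"<"}; blk=${blk%">"}; begin=0; end=0 ;;
            '</ca>'|'</cert>'|'</key>'|'</tls-auth>')
                name=${line#"</"}; name=${name%">"}
                if [ "$name" != "$blk" ]; then
                    echo "error: $line has no matching open tag"; rc=1
                elif [ "$begin" = 1 ] && [ "$end" = 1 ]; then
                    case $name in
                        ca) seen_ca=1 ;;   cert) seen_cert=1 ;;
                        key) seen_key=1 ;; tls-auth) seen_ta=1 ;;
                    esac
                else
                    echo "error: <$name> block has no PEM body (source file missing when make_config.sh ran?)"; rc=1
                fi
                blk='' ;;
            '-----BEGIN '*) if [ -n "$blk" ]; then begin=1; fi ;;   # PEM armour start
            '-----END '*)   if [ -n "$blk" ]; then end=1; fi ;;     # PEM armour end
            'key-direction 1'|'key-direction 1 '*) keydir=1 ;;
            'ca '*|'cert '*|'key '*)
                # a file-based directive left uncommented next to inline blocks
                if [ -z "$blk" ]; then
                    echo "error: file directive still active: $line"; rc=1
                fi ;;
        esac
    done
    if [ -n "$blk" ]; then echo "error: <$blk> never closed"; rc=1; fi
    [ "$seen_ca" = 1 ]   || { echo "missing: <ca> block"; rc=1; }
    [ "$seen_cert" = 1 ] || { echo "missing: <cert> block"; rc=1; }
    [ "$seen_key" = 1 ]  || { echo "missing: <key> block"; rc=1; }
    [ "$seen_ta" = 1 ]   || { echo "missing: <tls-auth> block"; rc=1; }
    [ "$keydir" = 1 ]    || { echo "missing: key-direction 1 (the server side uses 0)"; rc=1; }
    return $rc
}

# Constructed sample: what make_config.sh produces when every input exists.
# The PEM bodies are dummies, not real certificates or keys.
SAMPLE_GOOD='client
dev tun
proto tcp
remote server_IP_address 1194
#ca ca.crt
#cert client.crt
#key client.key
cipher AES-256-CBC
auth SHA512
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIE...constructed...
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0123...constructed...
-----END OpenVPN Static key V1-----
</tls-auth>'

# Constructed sample: the same run, but clientsrv2.key was missing, so cat
# skipped it and the <key> block came out empty.
SAMPLE_BAD='client
remote server_IP_address 1194
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
</cert>
<key>
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0123...constructed...
-----END OpenVPN Static key V1-----
</tls-auth>'

check_sample_good() { printf '%s\n' "$SAMPLE_GOOD" | check_ovpn; }
check_sample_bad()  { printf '%s\n' "$SAMPLE_BAD"  | check_ovpn; }

check_sample_good && echo "good sample: profile is complete"
check_sample_bad  || echo "bad sample: rejected as expected"
```

Run it as `check_ovpn < ~/client-configs/files/clientsrv2.ovpn` before copying the profile anywhere. Because the profile embeds the client's private key, keep it at mode 600 and treat it like the key itself when transferring it to the first server.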
Delivering configurations to the first server

Now we need to move the configuration file to the first server SRV1.

On the first server, we do everything identically, except for the following points:

QUOTE:
sudo vi /etc/ufw/before.rules
Change the interface eth0 to tun1 and the address 10.8.1.0/24 to 10.8.0.0/24:
QUOTE:
/etc/ufw/before.rules
QUOTE:
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to tun1
-A POSTROUTING -s 10.8.0.0/24 -o tun1 -j MASQUERADE
COMMIT
# END OPENVPN RULES

# Don't delete these required lines, otherwise there will be errors
. . .
Save and close the file.

Redirect all traffic through the VPN server

Set the address of the VPN server's network:
QUOTE:
sudo vi /etc/openvpn/server.conf
QUOTE:
/etc/openvpn/server.conf
QUOTE:
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0
Set the protocol to udp4:
QUOTE:
/etc/openvpn/server.conf
QUOTE:
# TCP or UDP server?
proto udp4
Next, uncomment the following lines. The redirect-gateway section:
QUOTE:
/etc/openvpn/server.conf
QUOTE:
push "redirect-gateway def1 bypass-dhcp"
and the dhcp-option section:
QUOTE:
/etc/openvpn/server.conf
QUOTE:
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
and also this directive:
QUOTE:
explicit-exit-notify 1
Now we write the routing rules on the first server.

Let's create a script /etc/openvpn/upstream-route.sh containing the following commands:
QUOTE:
#! /bin/sh

# Packets from the first server's VPN clients are looked up in routing table 120...
ip rule add from 10.8.0.0/24 table 120
# ...whose only route sends them into the tunnel to the second server.
ip route add default dev tun1 table 120

exit 0
Make it executable:
QUOTE:
chmod +x /etc/openvpn/upstream-route.sh
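Two things the one-liner script above does not handle. First, OpenVPN re-runs an up script on every reconnect, and `ip rule add` is not idempotent: depending on the kernel it either stacks a duplicate rule or fails with "File exists". Second, if tun1 drops, its default route disappears from table 120, the lookup for client traffic falls through to the main table, and the first server's clients exit through eth0 instead of through the second server. An "unreachable" default route with a worse metric in the same table makes the chain fail closed instead. The script below is an added example, not the post's own script: it assumes the first server's client subnet 10.8.0.0/24 and the tunnel tun1 from this post, and uses the fact that OpenVPN passes the tunnel device name as the first argument to an up script. The route-table checker takes the output of `ip route show table 120` on stdin; the sample outputs embedded in it are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: a hardened take on the
# upstream-route.sh idea, plus a check over "ip route show table 120" output.
# Assumptions: client subnet 10.8.0.0/24 and tunnel device tun1 as in the
# post; when OpenVPN runs this as an "up" script, $1 is the tunnel device.

CLIENT_NET=${CLIENT_NET:-10.8.0.0/24}   # first server's VPN client subnet
TABLE=${TABLE:-120}                      # policy routing table used by the post

# apply_upstream_route <tun_dev>: install the policy route (needs root).
apply_upstream_route() {
    dev=$1
    # delete every earlier copy of the rule, then add exactly one (idempotent)
    while ip rule del from "$CLIENT_NET" table "$TABLE" 2>/dev/null; do :; done
    ip rule add from "$CLIENT_NET" table "$TABLE"
    ip route replace default dev "$dev" table "$TABLE"
    # fallback consulted only when the tunnel route is gone: reject, do not leak
    ip route replace unreachable default metric 1000 table "$TABLE"
}

# check_table <tun_dev>: reads "ip route show table $TABLE" output on stdin and
# returns 0 only if both the tunnel route and the fail-closed fallback exist.
check_table() {
    dev=$1; have_tun=0; have_fallback=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "default dev $dev"|"default dev $dev "*) have_tun=1 ;;
            'unreachable default'*)                 have_fallback=1 ;;
        esac
    done
    if [ "$have_tun" = 1 ] && [ "$have_fallback" = 1 ]; then
        return 0
    fi
    if [ "$have_fallback" = 0 ]; then
        echo "leak risk: no unreachable fallback in table $TABLE; without $dev, lookups fall through to the main table"
    else
        echo "fail-closed: $dev route is gone, clients are blocked until the tunnel returns"
    fi
    if [ "$have_tun" = 0 ]; then
        echo "tunnel route via $dev missing from table $TABLE"
    fi
    return 1
}

# Constructed sample outputs of "ip route show table 120".
ROUTES_HARDENED='default dev tun1 scope link
unreachable default metric 1000'
ROUTES_ORIGINAL='default dev tun1 scope link'
ROUTES_TUNNEL_DOWN='unreachable default metric 1000'

check_hardened()    { printf '%s\n' "$ROUTES_HARDENED"    | check_table tun1; }
check_original()    { printf '%s\n' "$ROUTES_ORIGINAL"    | check_table tun1; }
check_tunnel_down() { printf '%s\n' "$ROUTES_TUNNEL_DOWN" | check_table tun1; }

# Invoked by OpenVPN as an up script: $1 is the tunnel device, apply the route.
# Invoked by hand without arguments: run the checks on the constructed samples.
case ${1:-} in
    tun*) apply_upstream_route "$1" ;;
    *)    check_hardened && echo "hardened table: ok"
          check_original || echo "original script's table: no fail-closed fallback" ;;
esac
```

Install it in place of the original as /etc/openvpn/upstream-route.sh with the same `script-security 2` and `up` lines in clientsrv2.ovpn; after the tunnel is up, `ip route show table 120 | check_table tun1` should report nothing and exit 0, and pulling the tunnel down should switch the report to "fail-closed" rather than "leak risk".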
Next, reference the script from the configuration of the client that connects to the second server:
QUOTE:
vi clientsrv2.ovpn
QUOTE:
clientsrv2.ovpn
QUOTE:
script-security 2
up upstream-route.sh
In the same file it is also necessary to pin the OpenVPN client to the interface tun1, so that the route in the script always points at the right device (replace the existing dev line):
QUOTE:
clientsrv2.ovpn
QUOTE:
dev tun1
Copy clientsrv2.ovpn to the OpenVPN root folder and rename it to client.conf:
QUOTE:
sudo cp clientsrv2.ovpn /etc/openvpn/client.conf
Setting up autostart:
QUOTE:
# server
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server

# client to srv2
sudo systemctl start openvpn@client
sudo systemctl enable openvpn@client
In the same way, we create the client configuration infrastructure (step 10) and transfer the generated file to the client machine.

Connection on Linux
QUOTE:
sudo apt update
sudo apt install openvpn
QUOTE:
sudo openvpn --config clientsrv1.ovpn
As a result, you will connect to the server.