This is an old revision of the document!
OpenVPN
OpenVPN server with client certificate and password authentication.
Work-in-progress :- Documentation based on working system built with easyrsa from 2014. Current version (2022) is completely different.
TODO: Use this guide instead of trying to work it out: https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
Install
sudo -s cd /root apt update apt upgrade apt install openvpn easy-rsa rehash /etc/init.d/openvpn stop update-rc.d openvpn disable
Setup
Init
Create the certificate store and intialise it.
make-cadir easy-rsa cd easy-rsa ./easyrsa init-pki hard-reset init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: /root/ovpn/pki
Edit the `vars' file changing organisational data.
Eg.
set_var EASYRSA_REQ_COUNTRY "GB" set_var EASYRSA_REQ_PROVINCE "England" set_var EASYRSA_REQ_CITY "London" set_var EASYRSA_REQ_ORG "OVPN" set_var EASYRSA_REQ_EMAIL "root@example.com" set_var EASYRSA_REQ_OU "CA"
The CA expiry date defaults to 10 years (3650 days) and certificates to 825 days. Change this to your preferred timespan.
set_var EASYRSA_CA_EXPIRE 3650 set_var EASYRSA_CERT_EXPIRE 3650
Create Certificate Authority
Create a CA for managing certificates. Choose a secret passphrase.
./easyrsa --vars=./vars build-ca Enter New CA Key Passphrase: ... Common Name (eg: your user, host, or server name) [Easy-RSA CA]: CA creation complete and you may now import and sign cert requests. Your new CA certificate file for publishing is at: /root/ovpn/pki/ca.crt
Create Server Certificate
The server certificate will be utilised by the OpenVPN daemon, sign it with the CA passphrase.
./easyrsa --vars=./vars build-server-full server nopass Enter pass phrase for /root/ovpn/pki/private/ca.key: ...
Create DH Certificate
./easyrsa --vars=./vars gen-dh
Create TA Certificate
TODO determine if not superceded.
openvpn --genkey secret pki/ta.key
Create Client Certificate
./easyrsa --vars=./vars build-client-full vpn1 nopass