Setting Up an OpenVPN Server with Easy-RSA Certificate Management

Setting up an OpenVPN server requires proper configuration and secure certificate management to ensure that all connections are protected. One popular tool for managing OpenVPN certificates is Easy-RSA, a command-line utility that simplifies the process of generating and managing the Public Key Infrastructure (PKI) for OpenVPN. In this article, we will explore how to set up an OpenVPN server with Easy-RSA for certificate management, focusing on a technical, step-by-step guide.

Installing OpenVPN and Easy-RSA

Before configuring the OpenVPN server, you need to install OpenVPN and Easy-RSA on your server. Follow these steps:

sudo apt update
sudo apt install openvpn easy-rsa

This installs both OpenVPN and the Easy-RSA package, which will allow us to manage the certificates later in the setup process.

Setting Up Easy-RSA

Easy-RSA is a tool that allows you to create your own Certificate Authority (CA) and manage the certificate lifecycle for OpenVPN. To begin, we need to initialize a new Easy-RSA PKI (Public Key Infrastructure) directory:

make-cadir /easy-rsa
cd /easy-rsa

Now, configure the Easy-RSA environment by editing the vars file to specify your organization’s details:

nano vars

Set the following variables in the vars file. These are the Easy-RSA 3 names; the older export KEY_* form belongs to Easy-RSA 2 and is ignored by the ./easyrsa commands used below:

set_var EASYRSA_REQ_COUNTRY  "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY     "San Francisco"
set_var EASYRSA_REQ_ORG      "MyCompany"
set_var EASYRSA_REQ_EMAIL    "admin@mycompany.com"
set_var EASYRSA_REQ_OU       "OpenVPN"

Creating the Certificate Authority

Now that the environment is set, it’s time to generate the Certificate Authority (CA) keypair. This step will create the root certificate, which is necessary to sign all client and server certificates. Run the following command:

./easyrsa init-pki
./easyrsa build-ca

When prompted, enter a passphrase for the CA key. This passphrase will protect the root certificate.

Generating the Server Certificate and Key

Next, we will generate the OpenVPN server’s SSL certificate and private key, which are required to establish secure communication with clients:

./easyrsa gen-req server nopass
./easyrsa sign-req server server

In this case, we generate the request for the server certificate and then sign it using the previously created CA. The nopass option indicates that we don’t want a passphrase for the server private key.

Generating Client Certificates

For each client that will connect to the OpenVPN server, you must create a unique client certificate. The process is similar to the server certificate generation:

./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1

This generates and signs the certificate for a client called client1. Repeat this process for each additional client.

Creating Diffie-Hellman Parameters

Diffie-Hellman parameters are used to securely exchange cryptographic keys between the server and clients. You can generate them with the following command:

./easyrsa gen-dh

The resulting dh.pem file will be used by the OpenVPN server during the connection process to securely establish a shared key with clients.

Configuring the OpenVPN Server

With all the certificates and keys created, you can now configure the OpenVPN server. First, create a configuration directory for OpenVPN:

sudo mkdir -p /etc/openvpn/server

Then, copy the necessary files into the configuration directory:

sudo cp /easy-rsa/pki/ca.crt /etc/openvpn/server/
sudo cp /easy-rsa/pki/private/server.key /etc/openvpn/server/
sudo cp /easy-rsa/pki/issued/server.crt /etc/openvpn/server/
sudo cp /easy-rsa/pki/dh.pem /etc/openvpn/server/

Next, create an OpenVPN server configuration file, which defines how the server should operate:

sudo nano /etc/openvpn/server.conf

Below is a basic configuration for the OpenVPN server:

port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

The certificate paths are written out in full because the openvpn@server unit starts the daemon with /etc/openvpn as its working directory, so bare names such as ca.crt would be looked up there rather than in /etc/openvpn/server/ where the files were copied.
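As an added example that is not part of the original article, the following script reviews a server.conf for three points a practitioner would want settled before exposing the server: bare file names that resolve against the daemon's working directory, a missing tls-crypt or tls-auth key, and a missing remote-cert-tls client check. It assumes one directive per line, as in the configuration above; write_sample_conf builds a constructed sample for a dry run.

```shell
#!/bin/sh
# Added example (not the article's code): review an OpenVPN server.conf.
# Assumes one directive per line.

# Constructed sample in the style of the server.conf above, using bare
# file names so the path check has something to report.
write_sample_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
EOF
}

# Prints one line per finding; always returns 0 so it is safe under set -e.
check_server_conf() {
    conf="$1"
    rel=""
    for d in ca cert key dh; do
        val=$(awk -v d="$d" '$1 == d { print $2; exit }' "$conf")
        case "$val" in
            "") echo "missing directive: $d" ;;
            /*) ;;                      # absolute path, unambiguous
            *)  rel="$rel $d=$val" ;;
        esac
    done
    # openvpn@server runs with --cd /etc/openvpn, so bare names resolve
    # there, not in /etc/openvpn/server/ where the files were copied.
    [ -z "$rel" ] || echo "relative paths resolved against /etc/openvpn:$rel"
    # Without tls-crypt/tls-auth any host can start a TLS handshake with the
    # daemon; the shared static key lets unsolicited control packets be dropped.
    grep -Eq '^(tls-crypt|tls-auth) ' "$conf" ||
        echo "no tls-crypt/tls-auth: control channel is not pre-authenticated"
    # Easy-RSA issues client certs with the clientAuth EKU; this directive
    # makes the server reject a certificate that was issued for a server.
    grep -q '^remote-cert-tls client' "$conf" ||
        echo "no 'remote-cert-tls client': peer certificate EKU is not checked"
    return 0
}
```

Source the file and run check_server_conf /etc/openvpn/server.conf against the live configuration; write_sample_conf exists only to reproduce a sample for a dry run.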

Starting the OpenVPN Server

Now, start the OpenVPN server with the following command:

sudo systemctl start openvpn@server

Enable the OpenVPN service to start on boot:

sudo systemctl enable openvpn@server

Testing the OpenVPN Server

To ensure that the OpenVPN server is running correctly, check the OpenVPN service status:

sudo systemctl status openvpn@server

If everything is configured correctly, you should see that the server is active and running.

Client Configuration

To configure the client, copy the client certificates and configuration files to the client machine. The client configuration should look something like this:

client
dev tun
proto udp
remote your-server-ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
cipher AES-256-CBC
auth SHA256
verb 3

Ensure that the server’s IP address is correctly set in the remote directive. After setting this up, start the OpenVPN client and verify the connection.
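Rather than shipping four files, the CA certificate, client certificate and key can be embedded in a single .ovpn file. The script below is an added example, not the article's code; it assumes the Easy-RSA 3 pki layout used above (pki/ca.crt, pki/issued/NAME.crt, pki/private/NAME.key) and adds remote-cert-tls server, which is not in the client configuration above, so the client rejects a peer whose certificate was not issued for a server.

```shell
#!/bin/sh
# Added example (not the article's code): emit one NAME.ovpn with the CA
# certificate, client certificate and private key inlined.
# Assumes the Easy-RSA 3 pki layout: ca.crt, issued/NAME.crt, private/NAME.key.

# Keep only the PEM block; easyrsa's issued/*.crt also carries a text dump
# of the certificate above the PEM, which is noise in an inline block.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# build_ovpn SERVER CLIENT_NAME PKI_DIR  -> client configuration on stdout
build_ovpn() {
    server="$1"; name="$2"; pki="$3"
    for f in "$pki/ca.crt" "$pki/issued/$name.crt" "$pki/private/$name.key"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    # remote-cert-tls server: require the serverAuth EKU on the peer cert,
    # so another client's certificate cannot stand in for the server.
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
verb 3
<ca>
$(pem_only "$pki/ca.crt")
</ca>
<cert>
$(pem_only "$pki/issued/$name.crt")
</cert>
<key>
$(pem_only "$pki/private/$name.key")
</key>
EOF
}
```

Run build_ovpn your-server-ip client1 /easy-rsa/pki > client1.ovpn; the output contains the client's private key, so hand it over on a protected channel and delete local copies once delivered.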
