1. Install OpenVPN and Easy-RSA:
--------------------------------

@ Server:
~~~~~~~~~
Linux:
    # apt install openvpn easy-rsa -y

@ Client:
~~~~~~~~~
Linux:
    # apt install openvpn -y

OR

Windows:
    Download the Windows binary: https://openvpn.net/community-downloads/
    - Install OpenVPN GUI

====================================================================================================

2. Set Up the Security System (CA, Server, Client, etc.):
---------------------------------------------------------

USING EASY-RSA:
===============

Prereqs:
~~~~~~~~
    cd ~
    mkdir VPN
    cd VPN
    make-cadir ./openvpn-ca
    cd ./openvpn-ca

Initialize the PKI:
~~~~~~~~~~~~~~~~~~~
    ./easyrsa init-pki

Build Root CA:
~~~~~~~~~~~~~~
    ./easyrsa build-ca nopass
    (Common Name: VPN-CA)
    (nopass leaves the CA private key, pki/private/ca.key, unencrypted on disk. Omit it
     unless the CA has to sign unattended, and keep ca.key off the VPN server: the server
     only ever needs ca.crt.)

Server Certificate:
~~~~~~~~~~~~~~~~~~~
    ./easyrsa gen-req server nopass
    ./easyrsa sign-req server server
    (signing with the "server" type adds the TLS server extended key usage that the
     client's remote-cert-tls server check in section 4 relies on)

Client Certificate:
~~~~~~~~~~~~~~~~~~~
    ./easyrsa gen-req client1 nopass
    ./easyrsa sign-req client client1
    (client1.key is created on the CA machine here and must be moved to the client;
     do not leave client keys on the server)

TLS Key:
~~~~~~~~
    openvpn --genkey secret ta.key
    (OpenVPN 2.5+ syntax; OpenVPN 2.4 uses: openvpn --genkey --secret ta.key)

DH Key:
~~~~~~~
    ./easyrsa gen-dh

====================================================================================================

3. Server Config:
-----------------

0.
Bring these files into /etc/openvpn/:
-------------------------------------
    -> ~/VPN/openvpn-ca/pki/ca.crt             -> /etc/openvpn/   (cp ~/VPN/openvpn-ca/pki/ca.crt /etc/openvpn/)
    -> ~/VPN/openvpn-ca/pki/issued/server.crt  -> /etc/openvpn/   (cp ~/VPN/openvpn-ca/pki/issued/server.crt /etc/openvpn/)
    -> ~/VPN/openvpn-ca/pki/private/server.key -> /etc/openvpn/   (cp ~/VPN/openvpn-ca/pki/private/server.key /etc/openvpn/)
    -> ~/VPN/openvpn-ca/ta.key                 -> /etc/openvpn/   (cp ~/VPN/openvpn-ca/ta.key /etc/openvpn/)
    -> ~/VPN/openvpn-ca/pki/dh.pem             -> /etc/openvpn/   (cp ~/VPN/openvpn-ca/pki/dh.pem /etc/openvpn/)
    (server.key and ta.key are secrets: they belong to root with mode 0600. Do not copy
     ca.key or any client key onto the server.)

1. Server Config File: /etc/openvpn/server.conf:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    cd /etc/openvpn
    Edit server.conf:

        port 1194
        proto udp
        dev tun
        ca ca.crt
        cert server.crt
        key server.key
        tls-crypt ta.key
        dh dh.pem
        topology subnet
        server 10.8.0.0 255.255.255.0
        keepalive 10 120
        # Modern crypto
        data-ciphers AES-256-GCM:AES-128-GCM
        auth SHA256
        persist-key
        persist-tun
        user nobody
        group nogroup
        verb 3

    (tls-crypt encrypts and authenticates the control channel with ta.key, so packets from
     anyone without that key are dropped before a TLS handshake is attempted. persist-key
     and persist-tun let the daemon keep running after it drops from root to nobody/nogroup.
     data-ciphers restricts the data channel to AEAD ciphers; auth only applies to the
     control channel once AES-GCM is negotiated.)

2. Enable & Start Service:
~~~~~~~~~~~~~~~~~~~~~~~~~~
    systemctl start openvpn@server
    systemctl enable openvpn@server
    (the openvpn@server instance reads /etc/openvpn/server.conf; its status and log are
     available through systemctl status and journalctl for the unit)

====================================================================================================

4. Client Config:
-----------------

0. Copy required files from server to client:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    (transfer them over an authenticated channel such as scp; client1.key and ta.key
     are secrets)
    -> ~/VPN/openvpn-ca/pki/ca.crt              -> Download to the client machine, then put it in the proper place for the connection method chosen below.
    -> ~/VPN/openvpn-ca/pki/issued/client1.crt  -> Download to the client machine, then put it in the proper place for the connection method chosen below.
    -> ~/VPN/openvpn-ca/pki/private/client1.key -> Download to the client machine, then put it in the proper place for the connection method chosen below.
    -> ~/VPN/openvpn-ca/ta.key                  -> Download to the client machine, then put it in the proper place for the connection method chosen below.

1. Client Config File: /etc/openvpn/client.conf:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

        client
        dev tun
        proto udp
        remote *.*.*.* 1194
        (note that *.*.*.* is the actual server IP)
        nobind
        persist-key
        persist-tun
        ca ca.crt
        cert client1.crt
        key client1.key
        tls-crypt ta.key
        remote-cert-tls server
        # Modern crypto
        data-ciphers AES-256-GCM:AES-128-GCM
        auth SHA256
        verb 3

    (remote-cert-tls server makes the client refuse any peer whose certificate was not
     issued with the server type in section 2; without it, any client certificate from
     the same CA could be used to impersonate the server. ta.key must be the same file
     on both ends, and the data-ciphers list must overlap with the server's.)

2A. Client Connect - Enable & Start Service:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    systemctl start openvpn@client
    systemctl enable openvpn@client
    (the openvpn@client instance reads /etc/openvpn/client.conf, so ca.crt, client1.crt,
     client1.key and ta.key go in /etc/openvpn/ as well)

OR

2B. Client Connect - Episodic usage:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    sudo openvpn --config client.conf
    (run from the directory holding the certificate and key files; the same file saved
     as client.ovpn is what the graphical clients below import)

OR

2C. Client Connect - Manual/Graphical ways:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    @ Linux:   Use the Network Manager OpenVPN plugin
    @ Windows: Use the Windows OpenVPN GUI

====================================================================================================

5. TEST:
========
    ping 10.8.0.1
    (10.8.0.1 is the server's own address on the tunnel subnet from the server line in
     section 3; a reply proves the TLS handshake, the tls-crypt key and the cipher
     negotiation all succeeded. Reaching networks behind the server additionally needs
     IP forwarding and routing/NAT rules on the server, which this guide does not cover.)
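Section 4 leaves "put it in the proper place" to the connection method. The script below is an added example for this guide, not OpenVPN's or Easy-RSA's own tooling: it folds client.conf and the four files from section 4 step 0 into one client.ovpn with inline <ca>, <cert>, <key> and <tls-crypt> blocks, which is the form the Windows GUI and the NetworkManager importer take and which also works unchanged with openvpn --config. It strips the text dump Easy-RSA writes ahead of the PEM in issued certificates, and refuses to embed a key file that is readable by group or other. The function names, the fixture in make_fixture (placeholder PEM bodies, not real key material) and the 203.0.113.10 documentation-range server address are all assumptions made for the example.

```shell
#!/bin/sh
# Added example for this guide, not OpenVPN's or Easy-RSA's own tooling:
# fold the four files copied in section 4 step 0 into one client.ovpn with
# inline <ca>/<cert>/<key>/<tls-crypt> blocks.
set -eu

# pem_body FILE: print only the BEGIN..END block(s). Easy-RSA's issued/*.crt
# carry a text dump of the certificate before the PEM and ta.key starts with
# comment lines; neither belongs in the profile.
pem_body() { sed -n '/^-----BEGIN /,/^-----END /p' "$1"; }

# refuse_if_shared FILE: a key readable by group or other has already been
# exposed to every local account, so stop instead of copying it further.
refuse_if_shared() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ] && return 0
    echo "refusing: $1 must be mode 0600 (group/other bits: '$perms')" >&2
    return 1
}

# build_inline_profile CONF CA CERT KEY TA > client.ovpn
# Copies CONF minus its ca/cert/key/tls-crypt file directives, then appends
# the same material as inline blocks.
build_inline_profile() {
    conf=$1 ca=$2 cert=$3 key=$4 ta=$5
    for d in ca cert key tls-crypt; do
        grep -Eq "^[[:space:]]*$d[[:space:]]" "$conf" || {
            echo "refusing: $conf has no '$d' directive to replace" >&2; return 1; }
    done
    refuse_if_shared "$key" || return 1
    refuse_if_shared "$ta" || return 1
    grep -Ev '^[[:space:]]*(ca|cert|key|tls-crypt)[[:space:]]' "$conf"
    for pair in "ca=$ca" "cert=$cert" "key=$key" "tls-crypt=$ta"; do
        tag=${pair%%=*} file=${pair#*=}
        printf '<%s>\n' "$tag"
        pem_body "$file"
        printf '</%s>\n' "$tag"
    done
}

# make_fixture DIR: constructed stand-ins for the section 4 files (placeholder
# PEM bodies, not real key material) with the layout Easy-RSA produces, plus
# this guide's client.conf with a documentation-range server address.
make_fixture() {
    mkdir -p "$1"
    printf '%s\n' client 'dev tun' 'proto udp' 'remote 203.0.113.10 1194' nobind \
        persist-key persist-tun 'ca ca.crt' 'cert client1.crt' 'key client1.key' \
        'tls-crypt ta.key' 'remote-cert-tls server' \
        'data-ciphers AES-256-GCM:AES-128-GCM' 'auth SHA256' 'verb 3' > "$1/client.conf"
    printf '%s\n' 'Certificate:' '    Data:' '-----BEGIN CERTIFICATE-----' \
        'placeholder-ca' '-----END CERTIFICATE-----' > "$1/ca.crt"
    printf '%s\n' 'Certificate:' '    Data:' '-----BEGIN CERTIFICATE-----' \
        'placeholder-client1' '-----END CERTIFICATE-----' > "$1/client1.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'placeholder-key' \
        '-----END PRIVATE KEY-----' > "$1/client1.key"
    printf '%s\n' '#' '# 2048 bit OpenVPN static key' '#' \
        '-----BEGIN OpenVPN Static key V1-----' 'placeholder-ta' \
        '-----END OpenVPN Static key V1-----' > "$1/ta.key"
    chmod 600 "$1/client1.key" "$1/ta.key"
}

# Usage: sh make-ovpn.sh client.conf ca.crt client1.crt client1.key ta.key > client.ovpn
if [ $# -eq 5 ]; then
    build_inline_profile "$1" "$2" "$3" "$4" "$5"
fi
```

The resulting client.ovpn contains the private key, so it needs the same 0600 protection as client1.key and should be deleted from any intermediate machine once imported. The sed range is what makes the "Certificate:" dump disappear; OpenVPN tolerates it in separate files, but a profile that carries only PEM is easier to diff and to hand to the graphical importers.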
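The ping in section 5 shows that the tunnel is up, not that the settings sections 3 and 4 chose are still in force after someone edits the files. As an added example for this guide (not part of OpenVPN or Easy-RSA), the script below audits a server or client config for those choices, with the guide's own server.conf beside a legacy-style client profile as constructed inputs: it flags a missing tls-crypt/tls-auth, compression, auth none, 64-bit block ciphers such as BF-CBC, a client without remote-cert-tls server, and a server that never drops root, and it notes legacy cipher lines and a missing tls-version-min. Function names, the WARN/NOTE wording and the 203.0.113.10 address in the legacy fixture are assumptions of the example.

```shell
#!/bin/sh
# Added example for this guide, not part of OpenVPN or Easy-RSA: a read-only
# audit of an OpenVPN config for the hardening choices made in sections 3 and 4
# (tls-crypt, AES-GCM data-ciphers, remote-cert-tls, privilege drop) and for the
# legacy directives that undo them. Run: sh audit.sh server /etc/openvpn/server.conf
set -eu

# has FILE REGEX: true if a non-comment directive line matches REGEX.
has() { grep -Ev '^[[:space:]]*[#;]' "$1" | grep -Eq "$2"; }

# audit_conf ROLE FILE  (ROLE = server|client)
# Prints one WARN/NOTE line per finding; exit status 1 if any WARN was raised.
audit_conf() {
    role=$1 conf=$2 warn=0
    if ! has "$conf" '^[[:space:]]*(tls-crypt|tls-crypt-v2|tls-auth)[[:space:]]'; then
        echo "WARN: no tls-crypt/tls-auth: control channel accepts unauthenticated packets"; warn=1
    fi
    if has "$conf" '^[[:space:]]*(comp-lzo|compress)'; then
        echo "WARN: compression enabled: deprecated and exposes traffic to VORACLE-style attacks"; warn=1
    fi
    if has "$conf" '^[[:space:]]*auth[[:space:]]+none'; then
        echo "WARN: auth none: data packets carry no HMAC with non-AEAD ciphers"; warn=1
    fi
    if has "$conf" '^[[:space:]]*(cipher|data-ciphers|data-ciphers-fallback)[[:space:]]+.*(BF-|DES|RC2|CAST5)'; then
        echo "WARN: 64-bit block cipher allowed (SWEET32 class); use data-ciphers AES-256-GCM:AES-128-GCM"; warn=1
    fi
    if has "$conf" '^[[:space:]]*cipher[[:space:]]' && ! has "$conf" '^[[:space:]]*data-ciphers[[:space:]]'; then
        echo "NOTE: legacy 'cipher' without 'data-ciphers': negotiation may fall back to the legacy cipher"
    fi
    if ! has "$conf" '^[[:space:]]*tls-version-min[[:space:]]+1\.[23]'; then
        echo "NOTE: no tls-version-min 1.2: the TLS floor is left to OpenVPN/OpenSSL defaults"
    fi
    if [ "$role" = client ]; then
        if ! has "$conf" '^[[:space:]]*remote-cert-tls[[:space:]]+server'; then
            echo "WARN: no remote-cert-tls server: any certificate from the CA could impersonate the server"; warn=1
        fi
        if has "$conf" '^[[:space:]]*ns-cert-type'; then
            echo "NOTE: ns-cert-type is rejected by OpenVPN 2.5+; use remote-cert-tls server"
        fi
    elif ! has "$conf" '^[[:space:]]*user[[:space:]]' || ! has "$conf" '^[[:space:]]*group[[:space:]]'; then
        echo "WARN: server keeps root after startup: add user nobody / group nogroup (with persist-key, persist-tun)"; warn=1
    fi
    return $warn
}

# write_fixtures DIR: constructed inputs. server.conf is this guide's section 3
# config; legacy-client.conf is a typical pre-2.4 style profile.
write_fixtures() {
    cat > "$1/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
tls-crypt ta.key
dh dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
keepalive 10 120
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
persist-key
persist-tun
user nobody
group nogroup
verb 3
EOF
    cat > "$1/legacy-client.conf" <<'EOF'
client
dev tun
remote 203.0.113.10 1194
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
cipher BF-CBC
comp-lzo
verb 3
EOF
}

if [ "${1:-}" = server ] || [ "${1:-}" = client ]; then
    audit_conf "$1" "$2"
fi
```

Against the guide's server.conf the only output is the tls-version-min note; against the legacy client profile it raises four warnings (no tls-crypt, compression, BF-CBC, no remote-cert-tls) and exits non-zero, which makes it usable as a pre-deployment gate. The checks are line-based on purpose: OpenVPN reads directives one per line, so a grep over non-comment lines is faithful to what the daemon will parse.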