/etc/openvpn

The /etc/openvpn directory is where OpenVPN configuration files are stored on a Linux system. OpenVPN is a popular open-source VPN solution that enables secure point-to-point or site-to-site connections. The configuration files in this directory control how OpenVPN operates and connects clients and servers. Here’s a detailed overview of what you might find in this directory and how to manage OpenVPN configurations.

Key Components in /etc/openvpn

1. Configuration Files

   • Server Configuration: Typically named server.conf or similar, this file contains settings for the OpenVPN server.

   • Client Configuration: Often named client.conf or client.ovpn, this file holds settings for connecting to the OpenVPN server.

   • Sample Configurations: Files like sample-config or example.conf can be provided as templates or examples for setting up various configurations.

2. Certificates and Keys

   • Certificates: Files such as server.crt and client.crt hold the certificates used for authentication.

   • Keys: Files like server.key and client.key are private keys associated with the certificates.

   • Certificate Authority: The ca.crt file is the certificate authority’s certificate, which is used to verify the authenticity of other certificates.

3. Static Key Files

   • Static Key: In configurations that use static keys rather than certificates, files such as static.key might be present.

4. Additional Files

   • Diffie-Hellman Parameters: dh.pem or dh2048.pem files contain the Diffie-Hellman parameters used for key exchange.

   • TLS Authentication: Files like ta.key are used for TLS authentication to prevent certain types of attacks.

Example Configuration Files

Server Configuration (/etc/openvpn/server.conf)

# OpenVPN Server Configuration
port 1194
proto udp
dev tun

ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

keepalive 10 120
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun

status openvpn-status.log
verb 3

• port: The port on which the server listens.

• proto: Protocol used (UDP or TCP).

• dev: The type of virtual network device to use (usually tun for routed VPNs).

• ca, cert, key, dh: Paths to the CA certificate, server certificate, server key, and Diffie-Hellman parameters, respectively.

• server: Defines the VPN subnet and netmask.

• ifconfig-pool-persist: File to persist IP address assignments.

• keepalive: Parameters to maintain the connection.

• cipher: Encryption cipher used.

• comp-lzo: Compression setting.

• status: Log file for monitoring server status.

• verb: Verbosity level for logging.

Client Configuration (/etc/openvpn/client.conf)

client
dev tun
proto udp
remote example.com 1194

ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key

cipher AES-256-CBC
comp-lzo
verb 3

• client: Indicates that this is a client configuration.

• remote: Specifies the server address and port.

• ca, cert, key: Paths to the CA certificate, client certificate, and client key.

• cipher: Encryption cipher used.

• comp-lzo: Compression setting.

• verb: Verbosity level for logging.

Common Commands

• Start OpenVPN:

  sudo systemctl start openvpn@server

  For client configurations:

  sudo systemctl start openvpn@client

• Stop OpenVPN:

  sudo systemctl stop openvpn@server

• Check Status:

  sudo systemctl status openvpn@server

• View Logs: Logs are typically found in /var/log/openvpn.log or can be configured in the OpenVPN configuration files.

Security Considerations

• File Permissions: Ensure that sensitive files (keys and certificates) have appropriate permissions to prevent unauthorized access.

• Regular Updates: Keep OpenVPN and its associated software up to date to mitigate vulnerabilities.

• Firewall Configuration: Ensure that the firewall is properly configured to allow OpenVPN traffic.

Summary

The /etc/openvpn directory contains crucial configuration files for managing OpenVPN. Properly setting up and maintaining these files is essential for ensuring secure and reliable VPN connections. Configuration files for both the server and client define how OpenVPN operates, including network settings, security options, and logging.