OpenVPN
OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections. It can be used to connect remote users or sites securely over the internet. This guide covers the installation, configuration, and use of OpenVPN.
Installation
On Debian/Ubuntu:
sudo apt update
sudo apt install openvpn
On CentOS/RHEL:
sudo yum install epel-release
sudo yum install openvpn
Configuration
Server Configuration
Generate Server Certificates and Keys
OpenVPN uses the OpenSSL library to provide encryption, and you need to set up a Certificate Authority (CA) to generate server and client certificates and keys.
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz
tar xvf EasyRSA-3.0.8.tgz
cd EasyRSA-3.0.8/
./easyrsa init-pki
# nopass leaves the CA private key unencrypted; omit it to protect the CA key with a passphrase
./easyrsa build-ca nopass
./easyrsa gen-req server nopass
./easyrsa sign-req server server
./easyrsa gen-dh
# Shared secret for HMAC authentication of the TLS handshake (OpenVPN 2.5 and later also accept: openvpn --genkey secret ta.key)
openvpn --genkey --secret ta.key
# Easy-RSA writes the results to pki/ca.crt, pki/issued/server.crt, pki/private/server.key and pki/dh.pem;
# copy them (and ta.key) to /etc/openvpn/ so the server configuration below can find them by name
Configure the Server
Create the server configuration file, usually located at /etc/openvpn/server.conf:
sudo nano /etc/openvpn/server.conf
Example configuration:
port 1194
proto udp
dev tun
# Paths are relative to /etc/openvpn unless given as absolute paths
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# To use the ta.key generated above, add "tls-auth ta.key 0" here and "tls-auth ta.key 1" in every client configuration
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Route all client traffic through the VPN and push public DNS resolvers to clients
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
# OpenVPN 2.4 and later negotiate AES-256-GCM when both ends support it; this is the fallback cipher
cipher AES-256-CBC
# Drop root privileges after startup (on CentOS/RHEL the group is "nobody")
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 3
Start and Enable OpenVPN Service
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
Client Configuration
Generate Client Certificates and Keys
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1
# The client certificate is written to pki/issued/client1.crt and its key to pki/private/client1.key
Create the Client Configuration File
Create the client configuration file, usually located at /etc/openvpn/client/client1.ovpn:
sudo nano /etc/openvpn/client/client1.ovpn
Example configuration:
client
dev tun
proto udp
# Replace your_server_ip with the server's public IP address or hostname
remote your_server_ip 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
# Only connect to servers whose certificate was issued for server use (sign-req server above)
remote-cert-tls server
cipher AES-256-CBC
verb 3
# If the server enables "tls-auth ta.key 0", add "tls-auth ta.key 1" here and copy ta.key to the client
Transfer Configuration and Certificates to Client
Transfer the configuration file (client1.ovpn), CA certificate (ca.crt), client certificate (client1.crt), and client key (client1.key) to the client machine.
Start the OpenVPN Client
On the client machine, start OpenVPN with the configuration file:
sudo openvpn --config /path/to/client1.ovpn
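Instead of copying four separate files, the client profile can carry the CA certificate, client certificate, client key and (optionally) ta.key as inline <ca>, <cert>, <key> and <tls-auth> blocks, which OpenVPN reads exactly like the file-path directives. The shell function below is an added example, not part of the original guide or the OpenVPN project; its arguments are the file paths produced in the steps above, and the output file name is an assumption.

```shell
#!/bin/sh
# Build a single-file client profile with the certificates and keys embedded inline.
# Usage: make_inline_ovpn client1.ovpn ca.crt client1.crt client1.key [ta.key] > client1-inline.ovpn
make_inline_ovpn() {
    base="$1"; ca="$2"; crt="$3"; key="$4"; ta="$5"
    for f in "$base" "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    # Keep every directive except the file-path ones, which the inline blocks below replace
    grep -Ev '^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]' "$base" || true
    # awk 1 prints each line with a trailing newline, so a PEM file without one cannot swallow the closing tag
    printf '<ca>\n';   awk 1 "$ca";  printf '</ca>\n'
    printf '<cert>\n'; awk 1 "$crt"; printf '</cert>\n'
    printf '<key>\n';  awk 1 "$key"; printf '</key>\n'
    if [ -n "$ta" ]; then
        [ -r "$ta" ] || { echo "missing or unreadable: $ta" >&2; return 1; }
        # An inline tls-auth block cannot carry the direction parameter, so it is given separately:
        # clients use key-direction 1, matching "tls-auth ta.key 0" on the server
        printf 'key-direction 1\n<tls-auth>\n'; awk 1 "$ta"; printf '</tls-auth>\n'
    fi
}
```

The resulting profile contains the client's private key, so transfer it over an authenticated channel and keep it readable only by its owner on the client (chmod 600).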
Management and Usage
OpenVPN Management Commands
Start OpenVPN Service
sudo systemctl start openvpn@server
Stop OpenVPN Service
sudo systemctl stop openvpn@server
Enable OpenVPN Service at Boot
sudo systemctl enable openvpn@server
Disable OpenVPN Service at Boot
sudo systemctl disable openvpn@server
Check OpenVPN Service Status
sudo systemctl status openvpn@server
Security Considerations
Regularly Update OpenVPN: Ensure that OpenVPN and all dependencies are regularly updated to the latest version to benefit from security patches and improvements.
Use Strong Encryption: Use strong encryption methods such as AES-256-CBC.
Firewall Configuration: Ensure that the necessary ports (e.g., 1194) are open on your firewall to allow OpenVPN traffic.
Secure Certificates and Keys: Protect the CA, server, and client certificates and keys. Never share private keys.
Conclusion
OpenVPN is a versatile and secure tool for setting up VPN connections. By following the installation and configuration steps, you can create a robust VPN solution for connecting remote users or sites securely. Regular maintenance and security practices will ensure the VPN remains secure and reliable.