OpenVPN
2024-11-10
As I mentioned in my previous post on VPNs, it's pretty easy to set up an OpenVPN server. This is my quick setup guide and pretty much what I use on my Debian VPS. I have PKI set up on a different local machine and that's where I generate my client configs. Once set up you only need a single .ovpn file for a client to connect.
Config files for openvpn server go to: /etc/openvpn/server
Files you want to have there:
- avpn.conf
- ca.crt
- avpn.crt
- avpn.key
- ta.key
The 'avpn' part is simply a name for my config, so you can change it with no problem, just be consistent.
Install the openvpn package, move the config files into place, then enable the 'openvpn-server@avpn' service. Update your DNS entries for the VPN hostname too. My cloud-init setup and server config follow.
cloud-init
#cloud-config
package_update: true
package_upgrade: true
packages:
  - openvpn
  - ufw
  - ca-certificates
runcmd:
  - ufw allow 1194/udp
  - ufw allow 22/tcp
  - ufw enable
  - |
    cat <<'EOF' > /root/openvpn-ready.sh
    #!/bin/bash
    CONFIG_FILE="/etc/openvpn/server/avpn.conf"
    if [ -f "$CONFIG_FILE" ]; then
        systemctl enable --now openvpn-server@avpn
        systemctl status openvpn-server@avpn
        echo "OpenVPN service enabled"
    else
        echo "Please copy your configuration to $CONFIG_FILE and run this script again."
    fi
    EOF
  - chmod +x /root/openvpn-ready.sh
final_message: "Cloud-Init finished. Copy your OpenVPN configuration files to /etc/openvpn/server/avpn.conf and run /root/openvpn-ready.sh"
avpn.conf
port 1194
proto udp4
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/avpn.crt
key /etc/openvpn/server/avpn.key
topology subnet
server 10.8.0.0 255.255.255.0
keepalive 10 120
dh none
ecdh-curve secp384r1
tls-crypt /etc/openvpn/server/ta.key
auth-nocache
cipher AES-256-GCM
data-ciphers AES-256-GCM
auth SHA512
persist-key
persist-tun
verb 5
client-to-client
explicit-exit-notify 1
Below is the script I use to generate client keys and .ovpn config files. Note that the inline tags must be written without spaces, i.e. <ca> and </ca>, never < ca >.
add-vpn-client.sh
#!/bin/bash
# Run from the Easy-RSA directory; expects ca.crt and ta.key copied next to it.
set -euo pipefail
[ $# -eq 1 ] || { echo "usage: $0 <client-name>" >&2; exit 1; }
name="client-$1"
echo "$name"
export EASYRSA="$PWD"
easyrsa gen-req "$name" nopass
easyrsa sign-req client "$name"
mkdir -p "$name"
cp "$EASYRSA/pki/private/$name.key" "./$name/"
cp "$EASYRSA/pki/issued/$name.crt" "./$name/"
# This makes the client's private key readable by everyone on this machine;
# tighten permissions once the profile has been copied to the client.
chmod go+r -R "$name"
echo "writing .ovpn config"
out="./$name/avpn.ovpn"
# First write truncates, so rerunning does not append a second copy.
cat > "$out" << EOF
client
remote vpn.wykwit.pl 1194
proto udp4
dev tun
ca [inline]
cert [inline]
key [inline]
tls-crypt [inline]
ecdh-curve secp384r1
cipher AES-256-GCM
auth SHA512
<ca>
EOF
cat ca.crt >> "$out"
cat >> "$out" << EOF
</ca>
<cert>
EOF
cat "./$name/$name.crt" >> "$out"
cat >> "$out" << EOF
</cert>
<key>
EOF
cat "./$name/$name.key" >> "$out"
cat >> "$out" << EOF
</key>
<tls-crypt>
EOF
cat ta.key >> "$out"
cat >> "$out" << EOF
</tls-crypt>
EOF
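To sanity-check a generated profile before handing it to a client, here is an added Python example (mine, not from the post) that parses the .ovpn format the script writes, inline <tag> blocks included, and audits it against the server config above. The sample profile and its PEM bodies are constructed placeholders, and the remote-cert-tls check is an extra client-side hardening that the script itself does not emit.

```python
import re
# Constructed sample in the shape add-vpn-client.sh writes; PEM bodies are placeholders.
SAMPLE_OVPN = """\
client
remote vpn.example.invalid 1194
proto udp4
ca [inline]
cipher AES-256-GCM
auth SHA512
<ca>
PLACEHOLDER-CA-CERT
</ca>
<tls-crypt>
PLACEHOLDER-TA-KEY
</tls-crypt>
"""
TAG_RE = re.compile(r"^<(/?)([\w-]+)>$")

def parse_ovpn(text):
    """Return (directives, inline): option -> list of argument lists, and
    <tag> -> block body. The inline block wins over a 'ca [inline]' line."""
    directives, inline, tag, body = {}, {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = TAG_RE.match(line)
        if tag:                                   # inside <tag> ... </tag>
            if m and m.group(1) and m.group(2) == tag:
                inline[tag], tag, body = "\n".join(body), None, []
            else:
                body.append(raw)
        elif m and not m.group(1):                # opening tag
            tag = m.group(2)
        elif line and line[0] not in "#;":        # plain directive
            opt, *args = line.split()
            directives.setdefault(opt, []).append(args)
    if tag:
        raise ValueError("unterminated <%s> block" % tag)
    return directives, inline

# Must match the server's cipher/auth; remote-cert-tls is the client-side check the script omits.
EXPECTED = {"cipher": ["AES-256-GCM"], "auth": ["SHA512"], "remote-cert-tls": ["server"]}

def audit(text):
    """Return findings; an empty list means the profile passes."""
    directives, inline = parse_ovpn(text)
    findings = ["no <%s> block" % t for t in ("ca", "tls-crypt") if t not in inline]
    for opt, want in EXPECTED.items():
        if want not in directives.get(opt, []):
            findings.append("missing '%s %s'" % (opt, " ".join(want)))
    return findings
```

Running audit() on the sample flags only the missing remote-cert-tls line; appending it to the profile brings the result down to an empty list.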
Setting up PKI with Easy-RSA is described very well on ArchWiki: https://wiki.archlinux.org/title/Easy-RSA