OpenVPN

2024-11-10

As I mentioned in my previous post on VPNs, it's pretty easy to set up an OpenVPN server. This is my quick setup guide and pretty much what I use on my Debian VPS. I have the PKI set up on a different local machine, and that's where I generate my client configs. Once everything is set up, a client only needs a single .ovpn file to connect.

Config files for the OpenVPN server go to: /etc/openvpn/server

Files you want to have there: avpn.conf, ca.crt, avpn.crt, avpn.key, ta.key

The 'avpn' part is simply a name for my config, so you can change it with no problem; just be consistent.

Install the proper package, move the config files there, then enable the 'openvpn-server@avpn' service. Update your DNS entries for the VPN access too.

The cloud-init setup and my server conf follow.

cloud-init
```yaml
#cloud-config
package_update: true
package_upgrade: true
packages:
  - openvpn
  - ufw
  - ca-certificates
runcmd:
  - ufw allow 1194/udp
  - ufw allow 22/tcp
  - ufw enable
  - |
    cat <<'EOF' > /root/openvpn-ready.sh
    #!/bin/bash
    CONFIG_FILE="/etc/openvpn/server/avpn.conf"
    if [ -f "$CONFIG_FILE" ]; then
        systemctl enable --now openvpn-server@avpn
        systemctl status openvpn-server@avpn
        echo "OpenVPN service enabled"
    else
        echo "Please copy your configuration to $CONFIG_FILE and run this script again."
    fi
    EOF
  - chmod +x /root/openvpn-ready.sh
final_message: "Cloud-Init finished. Copy your OpenVPN configuration files to /etc/openvpn/server/avpn.conf and run /root/openvpn-ready.sh"
```

avpn.conf
```
port 1194
proto udp4
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/avpn.crt
key /etc/openvpn/server/avpn.key
topology subnet
server 10.8.0.0 255.255.255.0
keepalive 10 120
dh none
ecdh-curve secp384r1
tls-crypt /etc/openvpn/server/ta.key
auth-nocache
cipher AES-256-GCM
data-ciphers AES-256-GCM
auth SHA512
persist-key
persist-tun
verb 5
client-to-client
explicit-exit-notify 1
```

Below is the script I use to generate my client keys and .ovpn config files. (OpenVPN's inline tags are written `<ca>` ... `</ca>`, `<cert>` ... `</cert>` and so on, with no spaces inside the angle brackets.)

add-vpn-client.sh
```bash
#!/bin/bash
# Usage: ./add-vpn-client.sh <name>
# Run from the Easy-RSA directory on the PKI machine (the one holding pki/,
# ca.crt and ta.key).
set -euo pipefail

if [ $# -ne 1 ]; then
    echo "usage: $0 <client-name>" >&2
    exit 1
fi

name="client-$1"
echo "$name"

# easyrsa takes its working directory from EASYRSA
export EASYRSA="$PWD"
easyrsa gen-req "$name" nopass
easyrsa sign-req client "$name"

# collect the client's key and signed cert in a directory of its own
mkdir "$name"
cp "$EASYRSA/pki/private/$name.key" "./$name/"
cp "$EASYRSA/pki/issued/$name.crt" "./$name/"
# note: this makes the directory, private key included, readable by every
# local user; remove it once the .ovpn has been handed to the client
chmod go+r -R "$name"

echo "writing .ovpn config"
ovpn="./$name/avpn.ovpn"
touch "$ovpn"

# client directives first, then CA, cert, key and tls-crypt key inlined
cat >> "$ovpn" << EOF
client
remote vpn.wykwit.pl 1194
proto udp4
dev tun
ca [inline]
cert [inline]
key [inline]
tls-crypt [inline]
ecdh-curve secp384r1
cipher AES-256-GCM
auth SHA512
<ca>
EOF
cat ca.crt >> "$ovpn"
cat >> "$ovpn" << EOF
</ca>
<cert>
EOF
cat "./$name/$name.crt" >> "$ovpn"
cat >> "$ovpn" << EOF
</cert>
<key>
EOF
cat "./$name/$name.key" >> "$ovpn"
cat >> "$ovpn" << EOF
</key>
<tls-crypt>
EOF
cat ta.key >> "$ovpn"
cat >> "$ovpn" << EOF
</tls-crypt>
EOF
```

Setting up PKI with Easy-RSA is described very well on ArchWiki: https://wiki.archlinux.org/title/Easy-RSA
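A .ovpn assembled by concatenation like this is easy to get subtly wrong (an inline block left unterminated, a stale cipher line, a client config for a server that has since moved to tls-crypt). The following Python check is an added example, not part of the original post: it parses an OpenVPN server .conf and a client .ovpn, verifies that the four inline blocks the script writes are present and carry PEM bodies, and reports drift between the pinned transport/crypto directives on the two sides. The sample configs are constructed to mirror the post's avpn.conf (trimmed to the directives the check reads) and the .ovpn layout the script above produces, with placeholder PEM bodies rather than real certificates or keys; the `remote vpn.wykwit.pl 1194` line is taken from the post.

```python
"""Consistency check for an OpenVPN server .conf against a client .ovpn.

Added example (not from the original post). Parses both configs, validates the
client's inline <ca>/<cert>/<key>/<tls-crypt> blocks and reports any drift
between the two before the .ovpn is handed out.
"""
import re

MUST_MATCH = ("proto", "auth", "cipher", "ecdh-curve")  # pinned on both sides
REQUIRED_BLOCKS = ("ca", "cert", "key", "tls-crypt")    # what the script inlines


def parse_config(text):
    """Split an OpenVPN config into (directives, inline_blocks).

    directives: {name: [args, ...]} (a directive such as `remote` may repeat)
    inline_blocks: {tag: body} for <tag> ... </tag> sections
    Raises ValueError on an unterminated, nested or stray tag.
    """
    directives, blocks, current, body = {}, {}, None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if current is not None:                      # inside <tag> ... </tag>
            if line == f"</{current}>":
                blocks[current] = "\n".join(body)
                current, body = None, []
            elif re.fullmatch(r"<[a-z-]+>", line):
                raise ValueError(f"line {lineno}: nested tag inside <{current}>")
            else:
                body.append(line)
            continue
        if not line or line[0] in "#;":              # blank line or comment
            continue
        opening = re.fullmatch(r"<([a-z-]+)>", line)
        if opening:
            current = opening.group(1)
        elif line.startswith("</"):
            raise ValueError(f"line {lineno}: closing tag without opening")
        else:
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    if current is not None:
        raise ValueError(f"unterminated <{current}> block")
    return directives, blocks


def check_client(server_text, client_text):
    """Return a list of problems; an empty list means the .ovpn is consistent."""
    s_dir, _ = parse_config(server_text)
    try:
        c_dir, c_blocks = parse_config(client_text)
    except ValueError as err:
        return [str(err)]
    problems = []
    for tag in REQUIRED_BLOCKS:                      # 1. inline material present
        body = c_blocks.get(tag)
        if body is None:
            problems.append(f"missing <{tag}> block")
        elif "-----BEGIN" not in body or "-----END" not in body:
            problems.append(f"<{tag}> block has no PEM body")
        if c_dir.get(tag, [["[inline]"]])[0] != ["[inline]"]:
            problems.append(f"'{tag}' directive points at a file, not [inline]")
    s_port = s_dir.get("port", [["1194"]])[0][0]     # 2. client dials the right port
    remotes = c_dir.get("remote", [])
    if not remotes:
        problems.append("no remote directive")
    for args in remotes:
        c_port = args[1] if len(args) > 1 else "1194"
        if c_port != s_port:
            problems.append(f"remote port {c_port} != server port {s_port}")
    for name in MUST_MATCH:                          # 3. pinned directives agree
        s_val, c_val = s_dir.get(name), c_dir.get(name)
        if s_val and c_val and s_val[0] != c_val[0]:
            problems.append(f"{name}: server {' '.join(s_val[0])} "
                            f"vs client {' '.join(c_val[0])}")
    if "tls-crypt" in s_dir and "tls-auth" in c_dir:  # 4. same control-channel mode
        problems.append("server uses tls-crypt but client uses tls-auth")
    return problems


# Constructed samples: the post's avpn.conf trimmed to what the check reads,
# and a .ovpn in the layout add-vpn-client.sh writes. PEM bodies are placeholders.
SERVER_CONF = """\
port 1194
proto udp4
dev tun
dh none
ecdh-curve secp384r1
tls-crypt /etc/openvpn/server/ta.key
cipher AES-256-GCM
data-ciphers AES-256-GCM
auth SHA512
"""


def pem(kind):
    return f"-----BEGIN {kind}-----\nMIIBplaceholder==\n-----END {kind}-----"


def make_client(cipher="AES-256-GCM", with_tls_crypt=True):
    """Build a client .ovpn; the parameters let us simulate config drift."""
    ovpn = (f"client\nremote vpn.wykwit.pl 1194\nproto udp4\ndev tun\n"
            f"ca [inline]\ncert [inline]\nkey [inline]\ntls-crypt [inline]\n"
            f"ecdh-curve secp384r1\ncipher {cipher}\nauth SHA512\n"
            f"<ca>\n{pem('CERTIFICATE')}\n</ca>\n"
            f"<cert>\n{pem('CERTIFICATE')}\n</cert>\n"
            f"<key>\n{pem('PRIVATE KEY')}\n</key>\n")
    if with_tls_crypt:
        ovpn += f"<tls-crypt>\n{pem('OpenVPN Static key V1')}\n</tls-crypt>\n"
    return ovpn


if __name__ == "__main__":
    print("consistent:", check_client(SERVER_CONF, make_client()))
    print("drifted:", check_client(SERVER_CONF, make_client("AES-128-GCM", False)))
```

In practice you would feed it the real avpn.conf and the freshly written ./client-NAME/avpn.ovpn from the script; `data-ciphers` is deliberately not in `MUST_MATCH` because OpenVPN negotiates it, whereas `cipher`, `auth`, `proto` and `ecdh-curve` are pinned on both sides in the post's configs and a mismatch there is a real drift signal.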