This page is mostly based on these instructions (starting at appendix A2). I have followed the procedure below to get VPN servers running on 2 different virtual private servers. In each case, those have a “tun” interface (google how to check if tun interface is loaded for your VPS).
Everything is done as root. Comments on the various steps are marked with a pound sign (#).
Install OpenVPN and setup the structure to build the encryption keys
sudo -s #to become root
apt-get install openvpn #to install openvpn
cp –r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa #to copy rsa-config files and scripts
cd /etc/openvpn/easy-rsa
Open the file /etc/openvpn/easy-rsa/vars and make sure you have the following:
export EASY_RSA="/etc/openvpn/easy-rsa" #necessary
export KEY_COUNTRY="US"#optional
export KEY_PROVINCE="CA"#optional
export KEY_CITY="SanFrancisco"#optional
export KEY_ORG="MartinLys"#optional
export KEY_EMAIL="admin@myvpnserver.com"#optional
export KEY_EMAIL=mail@host.domain#optional
export KEY_CN=changeme#optional
export KEY_NAME=myvpnserver.com#optional
export KEY_OU=changeme#optional
export PKCS11_MODULE_PATH=changeme#optional
export PKCS11_PIN=1234#optional
Now build the certificates (from the easy-rsa directory):
source vars
./clean-all
./build-ca #the values that you enter are not important
Build the certificate/key files for the server
./build-key-server serverName
Answer the following questions:
Common Name [serverName]: #Must be the same as serverName
A challenge password: #Must leave blank!
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y
Now, generate the certificates for the clients (assuming you have a client called UserName, which does not need to be a linux user on your server)
./build-key UserName
Answer the questions
Common Name [UserName]: #must be the same as UserName
A challenge password: #Must leave blank!
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y
Repeat this for all clients (which will generate files in “keys/” called UserName.crt and UserName.key). Then, build the Diffie-Hellman key:
cd /etc/openvpn/easy-rsa/
./build-dh #(this takes a few seconds)
Then, create the OpenVPNaHMAC Key with:
openvpn –-genkey –-secret keys/ta.key
Create the file /etc/openvpn/server.conf with the following in it:
local XXX.XXX.XXX.XXX #this is the public IP of your server (try commenting this out if you get the error:" Socket bind failed on local address [AF_INET]xxxxx:1194: Cannot assign requested address"
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/serverName.crt #name that you gave build-ca
key /etc/openvpn/easy-rsa/keys/serverName.key #name that you gave build-ca
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0 #range of IP address that it will give out (change this if it conflicts with your network and submask
push "dhcp-option DNS 8.8.8.8" #use Google DNS
push "dhcp-option DNS 8.8.8.4" #more Google DNS
push "redirect-gateway def1 bypass-dhcp"
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 #TLS auth key
keepalive 10 120
cipher AES-128-CBC
comp-lzo #use compression
user nobody #run openvpn as nobody:nogroup
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 0 #increase the number if you want more logging (max = 5?)
Make sure the IP V4 forwarding is on, by making sure that the following line in /etc/sysctl.conf is uncommented:
net.ipv4.ip_forward=1
Apply the changes with :
sysctl -p
You need to add rules using iptables to forward the VPN traffic. I’m not completely sure that all the lines are necessary, but this seemed to work! On one of my virtual servers running in OpenVZ, I had to replace “eth0″ by “venet0″, as that was apparently the name of the network interface (use ifconfig to check which interface has the external address). Note that the rules refer to the subnet that you chose in server.conf (10.8.0.0/24 in this case, so modify the rules as appropriate). You could place the following in a (executable, chmod 700) script, e.g., /etc/openvpn/firewallrules.sh:
#! /bin/bash
#probably not necessary (default for output should be accept)
iptables -A OUTPUT -o tun+ -j ACCEPT
#not sure that this is needed:
iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
#these are most likely the ones that matter:
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
#definitely need this one:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
exit 0
You can add this to your start-up scripts, for example when your network interface comes up. In which case, edit /etc/network/interfaces, and add the following code immediately below the line with “iface eth0 inet dhcp” (or similar I actually put it under the “lo” interface and it worked fine), with indentation:
iface eth0 inet dhcp
pre-up /etc/openvpn/firewallrules.sh
When you reboot the server, openvpn server should now be running, and the forwarding should work. On my OpenVZ machine, I found that /etc/network/interfaces gets over-written at reboot, so I added the following line to /etc/rc.local:
/etc/openvpn/firewallrules.sh
To start openvpn server, as root, type:
openvpn /etc/openvpn/server.conf
You then need to create a configuration file for each client. If you place the following (executable, chmod 700) script in the etc/openvpn/build-client-config-file.sh:
#! /bin/bash
client=$1
server="serverName" #this is the IP address of the server (or domain name)
keydir="/etc/openvpn/easy-rsa/keys" #where the keys were saved if you followed the instruction on this webpage
ca="$keydir/ca.crt"
cert="$keydir/$client.crt"
key="$keydir/$client.key"
tls="$keydir/ta.key"
configfile=$1".ovpn"
echo -e "client \ndev tun\nproto udp\nkey-direction 1\nremote $server 1194\nresolv-retry infinite\nnobind\nns-cert-type server\ncomp-lzo\nverb 3\ncipher AES-128-CBC\n">$configfile
echo "<ca>">>$configfile
cat $ca>>$configfile
echo "</ca>">>$configfile
echo "<cert>">>$configfile
cat $cert>>$configfile
echo "</cert>">>$configfile
echo "<key>">>$configfile
cat $key>>$configfile
echo "</key>">>$configfile
echo "<tls-auth>">>$configfile
cat $tls>>$configfile
echo "</tls-auth>">>$configfile
You can easily create a config files for each client (called UserName, same as before, as the script will look for the corresponding files) by typing:
./build-client-config-file.sh UserName
This will output an OpenVPN configuration file called “UserName.ovpn” which can be given (securely) to the client. At this point, you could delete the following files from the server:
ca.key #I'm not sure you can actually delete this one, if you wanted to generate more clients.
UserName.key
UserName.ovpn