Install OpenVPN, Configure Easy-RSA & Setup CA
Okay, so you got your firewall opened up for your port of choice. Let’s jump into actually getting your server going. Login to your Ubuntu Server box and elevate your privileges to root. On ubuntu this can be done with:
Now you should be operating as root.
Go ahead and also run the following to update your repository file lists:
sudo apt-get update
And then dive into the install:
apt-get install openvpn
Okay OpenVPN is installed.The next thing you need to do is setup a Certification Authority and start pumping out and signing some certs for the server and for one user. Quick aside on OpenVPN authentication…
Default method of authentication with OpenVPN is using certificate files on both the Server and the Client machines. It works something like this…
You have one machine (which can be the same machine as your OpenVPN server) that acts as a certificate authority server. Basically a server that can “sign” a digital certificate with a special encoded signature. So the OpenVPN server gets a private key that is signed by this certification authority. The client also gets a private key that is signed by this certification authority. Each client gets a unique key but all are signed by the same “certification authority” server.
During authentication (this is very simplified as I don’t pertain to fully understand it) the server and the client exchange keys so each knows the other is legit and then the connection is allowed.
Ultimately we are going to be using Active Directory username/password for authentication. But we are going to test using cert authentication first. It isn’t as bad as it might sound.
Back to setting up a CA (certificate authority)…
OpenVPN by default installs a bunch of extra stuff (documents and example template files) at /usr/share/doc/openvpn/. So we are going to be copying some stuff from that folder to our /etc/openvpn folder to setup our CA.
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
Okay, so we created a new directory called “easy-rsa” in our /etc/openvpn directory and then copied the example contents over to it. Now, we need to modify a file called “vars” to fit our environment (as right now it just has default/example data in it). So run this command (remember I use VIM, you can substitute VI or NANO or whatever):
You are going to see a lot of stuff in this file. Find and modify the following to suit your needs:
export KEY_SIZE=2048 #I recommend increasing to 2048, default is 1024
export CA_EXPIRE=3650 #I leave these at the default of 10 years as shown here
export KEY_EMAIL="[email protected]"
export [email protected]
Save the file and exit the editor. Hit the next page and we will start generating certs.