Install OpenVPN, Configure Easy-RSA & Setup CA

Okay, so you got your firewall opened up for your port of choice. Let’s jump into actually getting your server going. Log in to your Ubuntu Server box and elevate your privileges to root. On Ubuntu this can be done with:

sudo -s

Now you should be operating as root.

Go ahead and also run the following to update your repository file lists:

sudo apt-get update

And then dive into the install:

apt-get install openvpn

Okay, OpenVPN is installed. The next thing you need to do is set up a Certification Authority and start pumping out and signing some certs for the server and for one user. Quick aside on OpenVPN authentication…

————
Default method of authentication with OpenVPN is using certificate files on both the Server and the Client machines. It works something like this…

You have one machine (which can be the same machine as your OpenVPN server) that acts as a certificate authority server. Basically a server that can “sign” a digital certificate with a special encoded signature. So the OpenVPN server gets a private key and a certificate that is signed by this certification authority. Each client also gets its own private key and certificate signed by this certification authority. Each client’s key is unique, but all of the certificates are signed by the same “certification authority” server.

During authentication (this is very simplified as I don’t claim to fully understand it) the server and the client exchange certificates so each knows the other is legit and then the connection is allowed.

Ultimately we are going to be using Active Directory username/password for authentication. But we are going to test using cert authentication first. It isn’t as bad as it might sound.
———————

Back to setting up a CA (certificate authority)…

OpenVPN by default installs a bunch of extra stuff (documents and example template files) at /usr/share/doc/openvpn/. So we are going to be copying some stuff from that folder to our /etc/openvpn folder to set up our CA.

mkdir /etc/openvpn/easy-rsa/
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

Okay, so we created a new directory called “easy-rsa” in our /etc/openvpn directory and then copied the example contents over to it. Now, we need to modify a file called “vars” to fit our environment (as right now it just has default/example data in it). So run this command (remember I use VIM, you can substitute VI or NANO or whatever):

vim /etc/openvpn/easy-rsa/vars

You are going to see a lot of stuff in this file. Find and modify the following to suit your needs:

export KEY_SIZE=2048 #I recommend increasing to 2048, default is 1024
export CA_EXPIRE=3650 #I leave these at the default of 10 years as shown here
export KEY_EXPIRE=3650
export KEY_COUNTRY="US"
export KEY_PROVINCE="NC"
export KEY_CITY="Charlotte"
export KEY_ORG="CompanyName"
export KEY_EMAIL="[email protected]"
export KEY_EMAIL=[email protected] #the template defines KEY_EMAIL twice; the last line wins when the file is sourced, so set both

Save the file and exit the editor. Hit the next page and we will start generating certs.
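Before moving on to generating certs, it is worth checking that the vars file really says what you think it does. The following POSIX sh script is an added example, not part of the original post: it reads the effective value of each exported variable (taking the last assignment, since the template exports KEY_EMAIL twice), flags a KEY_SIZE below 2048, and flags sample values left over from the template. The function names, the constructed sample file and the template placeholder strings (CompanyName, me@myhost.mydomain, mail@host.domain) are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit an easy-rsa 2.0 "vars"
# file before build-ca, catching a 1024-bit KEY_SIZE and sample values left
# over from the template. Needs only POSIX sh, sed and tail.

# Print the effective value of NAME in FILE. The template exports KEY_EMAIL
# twice; when the file is sourced the last assignment wins, so take the last
# match, then drop any trailing comment, whitespace and surrounding quotes.
vars_get() {  # vars_get FILE NAME
    sed -n "s/^[[:space:]]*export[[:space:]]\{1,\}$2=\([^#]*\).*/\1/p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# Report problems in FILE; returns 0 when clean, 1 when something needs fixing.
check_vars() {  # check_vars FILE
    rc=0
    size=$(vars_get "$1" KEY_SIZE)
    case $size in
        ''|*[!0-9]*) echo "KEY_SIZE '${size:-unset}' is not a number"; rc=1 ;;
        *) [ "$size" -ge 2048 ] || { echo "KEY_SIZE=$size; use at least 2048"; rc=1; } ;;
    esac
    for name in CA_EXPIRE KEY_EXPIRE; do
        case $(vars_get "$1" "$name") in
            ''|*[!0-9]*) echo "$name must be a number of days"; rc=1 ;;
        esac
    done
    # Sample values assumed from the 2.0 template; a CA whose subject still
    # carries them is not identifiable as yours.
    for pair in KEY_ORG=CompanyName KEY_EMAIL=me@myhost.mydomain KEY_EMAIL=mail@host.domain; do
        if [ "$(vars_get "$1" "${pair%%=*}")" = "${pair#*=}" ]; then
            echo "${pair%%=*} still holds sample value '${pair#*=}'"; rc=1
        fi
    done
    return $rc
}

# Constructed sample (not a real deployment): write a minimal vars file.
write_vars() {  # write_vars FILE KEY_SIZE KEY_ORG KEY_EMAIL
    cat > "$1" <<EOF
export KEY_SIZE=$2 # template default is 1024
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_ORG="$3"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_EMAIL=$4
EOF
}

# Usage: write_vars /tmp/vars 2048 "Example Corp" admin@example.invalid; check_vars /tmp/vars
```

Run `check_vars /etc/openvpn/easy-rsa/vars` against your real file; a non-zero exit means build-ca would bake one of the flagged values into the CA.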

11 comments on: OpenVPN – Microsoft Active Directory Authentication – Force All Traffic Through VPN Tunnel

  1. Shane

    Just an FYI, one of the commands after the second to last reboot prevents any connection to the Linux server

    • nbeam

      That’s interesting, do you know which command or configuration item is killing the connection? I am wondering if I fat-fingered something somewhere in the write-up. It has been a while since I worked on this. I know when I was testing that VPN connectivity still worked and that the final result was “no split-tunneling” i.e. proxy client machines had all traffic forced through the VPN tunnel. What I am not sure is if I somehow broke SSH connectivity but didn’t realize it because I was working on the machine directly (i.e. not remotely via SSH).

      If you can shed some light on this so I can fix the write-up that would be awesome. Hate to have anyone breaking things on their end 🙂

      Thanks for the heads up!

      • Shane

        Yeah, so basically, for some reason (it doesn’t make sense to me), adding that entry into iptables and setting the file to load upon restart locks out any connection in. The system I implemented this in is in Azure, so remote access is the only option. It’s most probably a requirement to add an accept for SSH?

        Adding the entry without setting the file to load upon restart doesn’t cause any issues (as far as I can tell; I haven’t checked thoroughly enough).

  2. Anton Bach

    Great post, really love it!
    Greets, Wilfried

  3. Joe

    I did it but starting openvpn failed.
    The openvpn-auth-ldap plugin is 2.03, downloaded using “yum instal openvpn_auth-ldap.x86_84” on CentOS 6.

  4. RAF

    Thanks for this guide. I suggest copying and pasting attributes from AD directly into “/etc/openvpn/auth/auth-ldap.conf”. This was my issue. Good luck

  5. Adam

    This saved me a ton of time. Thanks for taking the time to post it.

  6. RAF

    Just wondering, is there a way to secure the client certificate from being compromised and used from another PC?

  7. coolthecold

    cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/

    Here dh1024 should be changed to dh2048, I believe.

  8. dataCore

    Great article! Helped me a lot! Little supplement: add the following to your server.config:
    push "dhcp-option DOMAIN fqdn.yourADDomain.com"
    Otherwise I had to use the full name, e.g. servername.fqdn.mydomain.ch, to contact my internal infrastructure.

    • nbeam

      Thanks! Appreciate the tip as well 🙂 – Sure it will help others. OpenVPN Community Edition is honestly a bit of a bear. I finally gave up and just moved to the paid version (which is relatively cheap vs. other similar solutions), which is like a completely different product from an administrative perspective. The thing I really needed was two-factor authentication, and the community edition (at the time) was very hard to get set up with this.
