@frengky
Last active December 28, 2015 14:51
OpenVPN setup and configuration, complete with example for Linux
For a new installation
#############################################################
1. Install OpenVPN and easy-rsa with your Linux distribution's package manager (yum shown here), then copy the easy-rsa 2.0 tree next to the OpenVPN configuration:
$ yum install openvpn easy-rsa
$ cp -vr /usr/share/easy-rsa/2.0 /etc/openvpn/easy-rsa
2. Edit ./easy-rsa/vars to suit your environment, then build the CA, the server key pair and the DH parameters:
$ source vars; ./clean-all ; ./build-ca
$ source vars; ./build-key-server server
$ source vars; ./build-dh
3. Link or copy the generated certificates and keys into /etc/openvpn so the server config can reference them by file name:
$ ln -s easy-rsa/keys/dh2048.pem
$ ln -s easy-rsa/keys/ca.crt
$ ln -s easy-rsa/keys/server.crt
$ ln -s easy-rsa/keys/server.key
Security Hardening
#############################################################
$ openvpn --genkey --secret ta.key
This command will generate an OpenVPN static key and write it to the file ta.key.
This key should be copied over a pre-existing secure channel to the server and all client machines.
It can be placed in the same directory as the RSA .key and .crt files.
In the server configuration, add:
tls-auth ta.key 0
In the client configuration, add:
tls-auth ta.key 1
Create a new certificate for an OpenVPN client using EasyRSA 2
#############################################################
1. Execute
$ source ./vars; ./build-key <unique-hostname>
Create a new certificate for an OpenVPN client using EasyRSA 3
#############################################################
1. On the server (CA) machine, generate the request and sign it as a client certificate:
$ ./easyrsa gen-req <unique-hostname> nopass
$ ./easyrsa sign-req client <unique-hostname>
2. Copy the following files to the client machine (the .key file is the client's private key: transfer it over a secure channel and restrict its permissions):
Note: you may instead create a single client config file with the certificates embedded (as in the client config below) and skip this step.
./easy-rsa/pki/ca.crt
./easy-rsa/pki/private/<unique-hostname>.key
./easy-rsa/pki/issued/<unique-hostname>.crt
./ta.key
Starting the service using SystemD
#############################################################
$ systemctl start openvpn@<config-name>   (<config-name> is the file name of /etc/openvpn/<config-name>.conf without the .conf suffix)
Updating firewall rules
#############################################################
$ firewall-cmd --permanent --add-port=1194/udp
$ firewall-cmd --permanent --add-masquerade
$ firewall-cmd --reload
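#!/bin/sh
# auth-script.sh — hook for OpenVPN's 'auth-user-pass-verify <script> via-env'.
# OpenVPN exports the client-supplied credentials in the environment
# variables 'username' and 'password' and uses the script's exit status
# as the verdict: 0 accepts the connection, any non-zero status rejects it.
#
# The credential pair below is the gist's placeholder; replace it (or,
# better, back this hook with a real user store) before deployment.
set -u

#######################################
# Compare the supplied credentials against the configured pair.
# Globals:   username, password (read; exported by OpenVPN)
# Arguments: none
# Outputs:   one diagnostic line per call on stdout (captured by OpenVPN)
# Returns:   0 on match, 1 otherwise
#######################################
main() {
  # Only the username is logged. The original also printed the password,
  # which wrote every attempted secret into the OpenVPN log file.
  printf 'auth-script: authentication for username: %s\n' "${username-}"

  # POSIX 'test' compares strings with a single '='; '==' is a bash
  # extension that is not guaranteed under #!/bin/sh.
  # NOTE(review): this comparison is not constant-time; fine for a
  # placeholder, not for a production credential check.
  if [ "${username-}" = "your-username" ] && [ "${password-}" = "your-password" ]; then
    printf 'auth-script: login success\n'
    return 0
  fi

  printf 'auth-script: invalid username or password\n'
  return 1
}

# The status of this last command is the script's exit status, which is
# what OpenVPN evaluates (0 = success, 1 = failed).
main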
# client-config-dir entry — presumably the 'iphone' file the server config
# refers to; OpenVPN applies it only to the client whose certificate name
# matches the file name.
# Fixed tunnel address for this client; the address/netmask form matches
# the pushed 'topology subnet'.
ifconfig-push 10.7.7.90 255.255.255.0
push "topology subnet"
# Send all of the client's traffic through the tunnel. 'def1' overrides the
# default route without deleting it; 'bypass-dhcp' keeps the client's local
# DHCP server reachable.
push "redirect-gateway def1 bypass-dhcp"
# Resolvers the client uses while the tunnel is up.
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Client configuration (.ovpn). Pairs with the server config on this page:
# udp/1194, tun, inlined tls-auth with key-direction 1 (server side uses 0).
client
dev tun
proto udp
# Replace with the server's hostname or IP address.
remote your.openvpn.host 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Require the server certificate to be marked as a TLS server; without this,
# any certificate signed by the same CA (another client's, for instance)
# could be presented as the server.
remote-cert-tls server
# Must match the server's 'cipher'. NOTE(review): BF-CBC is a 64-bit block
# cipher (SWEET32) and is deprecated / disabled by default in current OpenVPN
# releases; prefer an AEAD cipher such as AES-256-GCM on both sides.
cipher BF-CBC
# Must match the server. NOTE(review): compression on a VPN link enables
# VORACLE-style attacks; consider disabling it on both sides.
comp-lzo
verb 3
#
# Proto UDP only
#
explicit-exit-notify 2
ping 10
ping-restart 60
# NOTE(review): 'route-method' is a Windows-only option; other platforms
# do not use it.
route-method exe
route-delay 2
#
# Auth Using Username and Password
# The server config on this page also expects 'auth-nocache' here, so the
# password is not kept in memory once it has been sent.
#
auth-user-pass
#
# Auth Security Hardening: tls-auth adds an HMAC to every control-channel
# packet, so packets not signed with the pre-shared key are dropped before
# the TLS handshake (mitigates man-in-the-middle and handshake DoS).
# The key is inlined below; 'key-direction 1' is the client side of
# 'tls-auth ta.key 1'.
#
#tls-auth ta.key 1
key-direction 1
# NOTE(review): the key text below contains non-hexadecimal characters and
# will not parse; treat it as a redacted placeholder and generate a real key
# with 'openvpn --genkey --secret ta.key'. The same key must be used on the
# server (the server copy on this page differs from this one on its 9th
# line: '...808250...' vs '...808a50...').
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
fa1c2c307b353eac5b39921b83fe7d74
56d0e879d97f7af2cg55821f262cd44d
255a65eac8d3abcaf6c308c95bcdece2
28b31554e32g477a296addd5f6e7680e
41d529b504s6acb43a8a6ddac8ae7dab
52173d061f855e16be7c9f5635fd1bf9
2c0c565b5ffe8d71a9sd273935dc3582
b219f808a50d5918f48525f46dd3dfa6
04e1xb67c45aba5df4baa5e60cce930a
9ec7a5647059ca93b1a1aaef4f20c6f1
680e2e1cadhjca6eeeke152e947c18bf
c4dcb7a93b3c9a9af1829ab2418b1429
c2805572952ed320fc746619d56437ee
ebdea3fdf2973bc9b4e909e8b1989f13
08658d8d6b2dx2b839fa9f30cc4a9624
bc4cedfb38396c038e2377bc9975135a
-----END OpenVPN Static key V1-----
</tls-auth>
#
# Using External Certificate files
# If the server uses 'client-cert-not-required', only 'ca' is needed;
# comment out 'cert' and 'key'. NOTE(review): that server option is
# deprecated; current releases spell it 'verify-client-cert none'.
#
#ca ca.crt
#cert client.crt
#key client.key
#
# Using Embedded Certificate files
# NOTE(review): the <key> block below is this client's private key — keep
# this .ovpn file readable only by its owner.
#
# ca.crt
<ca>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</ca>
# iphone.crt
<cert>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</cert>
# iphone.key
<key>
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
</key>
#
# Server configuration (/etc/openvpn/<name>.conf, started with
# 'systemctl start openvpn@<name>').
# Default port is 1194 (udp or tcp)
#
port 1194
proto udp
dev tun
## you may choose any subnet. 10.7.7.x is used for this example; the
## 'ifconfig-push' address in the client-config-dir entry must fall inside it.
server 10.7.7.0 255.255.255.0
#server 10.7.7.0 10.7.7.1
# Drop root privileges after start-up. 'persist-key' / 'persist-tun' below
# are what let the daemon survive restarts once it is unprivileged.
user nobody
group nobody
# Lets VPN clients reach each other directly; omit this if clients should
# only reach the server and the networks it forwards to.
client-to-client
# see 'iphone' file
# Per-client overrides live in this directory, one file per client name.
client-config-dir /etc/openvpn/client.d
#
# Server Certificate Files (See readme.txt)
# Relative paths: resolved against the daemon's working directory, which is
# why the steps above symlink them into /etc/openvpn.
#
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
#
# Authentication Hardening (See readme.txt)
# 'key-direction 0' is the server side of 'tls-auth ta.key 0'; clients use 1.
# NOTE(review): the inlined key below contains non-hexadecimal characters
# and will not parse; generate one with 'openvpn --genkey --secret ta.key'
# and use the identical key on every client (the client copy on this page
# differs from this one on its 9th line: '...808a50...' vs '...808250...').
#
#tls-auth ta.key 0
key-direction 0
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
fa1c2c307b353eac5b39921b83fe7d74
56d0e879d97f7af2cg55821f262cd44d
255a65eac8d3abcaf6c308c95bcdece2
28b31554e32g477a296addd5f6e7680e
41d529b504s6acb43a8a6ddac8ae7dab
52173d061f855e16be7c9f5635fd1bf9
2c0c565b5ffe8d71a9sd273935dc3582
b219f808250d5918f48525f46dd3dfa6
04e1xb67c45aba5df4baa5e60cce930a
9ec7a5647059ca93b1a1aaef4f20c6f1
680e2e1cadhjca6eeeke152e947c18bf
c4dcb7a93b3c9a9af1829ab2418b1429
c2805572952ed320fc746619d56437ee
ebdea3fdf2973bc9b4e909e8b1989f13
08658d8d6b2dx2b839fa9f30cc4a9624
bc4cedfb38396c038e2377bc9975135a
-----END OpenVPN Static key V1-----
</tls-auth>
#
# Auth Using Username and Password
# 'auth-user-pass' and 'auth-nocache' need to be specified in the client config file
# 'via-env' hands the credentials to the script through its environment,
# which is why 'script-security 3' is required below; the password is then
# visible to anything that can read the script's environment. 'via-file'
# passes them through a temporary file instead — consider it.
# NOTE(review): the script path is relative and is resolved against the
# daemon's working directory; use an absolute path (or a 'cd' directive).
#
auth-user-pass-verify auth-script.sh via-env
# NOTE(review): the second word ('execve') is the legacy method selector;
# newer releases expect only the level.
script-security 3 execve
# Deprecated spelling (current releases: 'verify-client-cert none'). With it
# enabled, the username/password script is the only client authentication.
#client-cert-not-required
# NOTE(review): BF-CBC is a 64-bit block cipher (SWEET32) and is deprecated /
# disabled by default in current OpenVPN releases; prefer an AEAD cipher
# such as AES-256-GCM, and change the client to match.
cipher BF-CBC
## the following commands are optional
# Ping every 10 s; restart the link after 120 s without a reply. Pushed to
# clients as 'ping 10' / 'ping-restart 120'.
keepalive 10 120
# NOTE(review): compression on a VPN link enables VORACLE-style attacks;
# consider removing it on both sides.
comp-lzo
persist-key
persist-tun
verb 1
#
# Log Files
#
status /var/log/openvpn/status.log
log-append /var/log/openvpn/openvpn.log