Last active
December 28, 2015 14:51
-
-
Save frengky/79597bad4eda1a3f1f24 to your computer and use it in GitHub Desktop.
OpenVPN setup and configuration, complete with example for Linux
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| For NEW Installation | |
| ############################################################# | |
| 1. Install it with your linux distribution installation command | |
| $ yum install openvpn easy-rsa | |
| $ cp -vr /usr/share/easy-rsa/2.0 /etc/openvpn/easy-rsa | |
| 2. Now edit ./easy-rsa/vars to suit you | |
| $ source vars; ./clean-all ; ./build-ca | |
| $ source vars; ./build-key-server server | |
| $ source vars; ./build-dh | |
| 3. Link or copy the certificates in /etc/openvpn | |
| $ ln -s easy-rsa/keys/dh2048.pem | |
| $ ln -s easy-rsa/keys/ca.crt | |
| $ ln -s easy-rsa/keys/server.crt | |
| $ ln -s easy-rsa/keys/server.key | |
| Security Hardening | |
| ############################################################# | |
| $ openvpn --genkey --secret ta.key | |
| This command will generate an OpenVPN static key and write it to the file ta.key. | |
| This key should be copied over a pre-existing secure channel to the server and all client machines. | |
| It can be placed in the same directory as the RSA .key and .crt files. | |
| In the server configuration, add: | |
| tls-auth ta.key 0 | |
| In the client configuration, add: | |
| tls-auth ta.key 1 | |
| Create a new certificate for openvpn client using EASYRSA 2 | |
| ############################################################# | |
| 1. Execute | |
| $ source ./vars; ./build-key <unique-hostname> | |
| Create a new certificate for openvpn client using EASYRSA 3 | |
| ############################################################# | |
| 1. Create the certificate from the server machine | |
| $ ./easyrsa gen-req <unique-hostname> nopass | |
| $ ./easyrsa sign-req client <unique-hostname> | |
| 2. Copy required files to client machine | |
| Note: you may create single client config file with embedded certificates and skip this step. | |
| $ ./easy-rsa/pki/ca.crt | |
| $ ./easy-rsa/pki/private/<unique-hostname>.key | |
| $ ./easy-rsa/pki/issued/<unique-hostname>.crt | |
| $ ./ta.key | |
| Starting the service using SystemD | |
| ############################################################# | |
| $ systemctl start openvpn@[your-config-file-name-without-dot-conf] | |
| Updating firewall rules | |
| ############################################################# | |
| $ firewall-cmd --permanent --add-port=1194/udp | |
| $ firewall-cmd --permanent --add-masquerade | |
| $ firewall-cmd --reload | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| echo "auth-script: authentication for username: ${username}, password: ${password}" | |
| if [ "$username" == "your-username" ] && [ "$password" == "your-password" ] | |
| then | |
| echo "auth-script: login success" | |
| exit 0 | |
| else | |
| echo "auth-script: invalid username or password" | |
| fi | |
| ## Return success (0) or (1) Failed | |
| exit 1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ifconfig-push 10.7.7.90 255.255.255.0 | |
| push "topology subnet" | |
| push "redirect-gateway def1 bypass-dhcp" | |
| push "dhcp-option DNS 8.8.8.8" | |
| push "dhcp-option DNS 8.8.4.4" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| client | |
| dev tun | |
| proto udp | |
| remote your.openvpn.host 1194 | |
| resolv-retry infinite | |
| nobind | |
| persist-key | |
| persist-tun | |
| remote-cert-tls server | |
| cipher BF-CBC | |
| comp-lzo | |
| verb 3 | |
| # | |
| # Proto UDP only | |
| # | |
| explicit-exit-notify 2 | |
| ping 10 | |
| ping-restart 60 | |
| route-method exe | |
| route-delay 2 | |
| # | |
| # Auth Using Username and Password | |
| # | |
| auth-user-pass | |
| # | |
| # Auth Security Harderning (prevent middle man attack) | |
| # | |
| #tls-auth ta.key 1 | |
| key-direction 1 | |
| <tls-auth> | |
| -----BEGIN OpenVPN Static key V1----- | |
| fa1c2c307b353eac5b39921b83fe7d74 | |
| 56d0e879d97f7af2cg55821f262cd44d | |
| 255a65eac8d3abcaf6c308c95bcdece2 | |
| 28b31554e32g477a296addd5f6e7680e | |
| 41d529b504s6acb43a8a6ddac8ae7dab | |
| 52173d061f855e16be7c9f5635fd1bf9 | |
| 2c0c565b5ffe8d71a9sd273935dc3582 | |
| b219f808a50d5918f48525f46dd3dfa6 | |
| 04e1xb67c45aba5df4baa5e60cce930a | |
| 9ec7a5647059ca93b1a1aaef4f20c6f1 | |
| 680e2e1cadhjca6eeeke152e947c18bf | |
| c4dcb7a93b3c9a9af1829ab2418b1429 | |
| c2805572952ed320fc746619d56437ee | |
| ebdea3fdf2973bc9b4e909e8b1989f13 | |
| 08658d8d6b2dx2b839fa9f30cc4a9624 | |
| bc4cedfb38396c038e2377bc9975135a | |
| -----END OpenVPN Static key V1----- | |
| </tls-auth> | |
| # | |
| # Using External Certificate files | |
| # If 'client-cert-not-required' then only 'ca' is needed, comment the 'cert', and 'key' | |
| # | |
| #ca ca.crt | |
| #cert client.crt | |
| #key client.key | |
| # | |
| # Using Embedded Certificate files | |
| # | |
| # ca.crt | |
| <ca> | |
| -----BEGIN CERTIFICATE----- | |
| MIIE1jCCA76gAwIBAgIJAN/PrrurkhYCMA0GCSqGSIb3DQEBCwUAMIGiMQswCQYD | |
| VQQGEwJJRDEMMAoGA1UECBMDSktUMRAwDgYDVQQHEwdKYWthcnRhMRQwEgYDVQQK | |
| EwtGcmVuZ2t5LaZQTjzMMAoGA1UECxMDZWw3MRgwFgYDVQaDEw9lbDcuZnJlbmdr | |
| eS5jb20xDzANBgNVBCkTBnNlcnslcjEkMCIGCSqGSIb3DQEJARYVZnJlbmdreS5s | |
| aW1AZ21haWwuY29tMB4XDTE1MDQyNzAzMjkxNFoXDTI1MDQyNDAzMjkxNFowgaIx | |
| CzAJBgNVBAYTAklEMQwwCgYDVQQIEwNKS1QxEDAOBgNVBAcTB0pha2FydGExFDAS | |
| BgNVBAoTC0ZyZW5na3ktVlBOMxwwCgYDVQQLEwNlbDcxGDAWBgNVBAMTD2VsNy5m | |
| cmVuZ2t5LmNvbTEhMA0GA1UEKRMGc2VydaVyMSQwIgYJKoZIhvcNAQkBFhVmcmVu | |
| Z2t5LmxpbUBnbWFpbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB | |
| AQC+36EEfci31EoZdnqU9EDpEaQRTuukZ3coyPYwOXKb5oiuw1FqMe0INi3R4b7Y | |
| hyGQ2tg/gDbTKiD4E2tyZHDONgpMIvNQzUaqI3z/6T3OGofPMgm+njhRlnlq5YtV | |
| Zf00DbbgDTz/IXh6nWgfwQ3TWhCX/SCwUfCqE5Pcw9Y6CNAZOfrkOc+BcW5tYxw3 | |
| 0f0bwA4qhFOJhDo41XGuGedGo771ZhBbc7lxCbBBVOg1SXXtwvtJiPQZmAZfYtYV | |
| HPPvMf38MkSRBY7kFjh9qnUo/PGk2LAvs9nU8lA0d5Zynv6v9X5ogsQn9hwTJKZT | |
| FFQQMIJ88BjU7k0YbkuD5wwvAgMBAAGjggELMIIxBzAdBzNVHQ4EFgQUptXrEF9A | |
| UhyEvqgB6UdrF5Mji7gwgdcGA1UdIwSBzzCBzIAUptXrEF9AUhyEvqgB6UdrF5Mj | |
| i7ihgaikgaUwgaIxCzAJBgNVBAYTAklEMQwwCgYDVQQIEwNKS1QxEDAOBgNVBAcT | |
| B0pha2FydGExFDASBgNVBAoTC0ZyZW5na3ktVlBOMQwwCgYDVQQLEwNlbDcxGDAW | |
| BgNVBAMTD2VsNy5mcmVuZ2t5LmNvbTEPMA0GA1UEKRMGc2VydmVyMSQwIgYJKoZI | |
| hvcNAQkBFhVmcmVuZ2t5LmxpbUBnbWFpbC5jb22CCQDfz667q5IWAjAMBgNVHRME | |
| BTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAFlcYDJIQXR5OVuOpm8sBnFfTXae7r | |
| BwtxkbnpplHhkrhvN4r2sYFaT1tyVc5VX0fjkNLcLbvoCYwMoqmI7TVA1r8F0mO5 | |
| WsUp1BTkuq7tm9B3nOm84VrjvoD7HYan5BmcjFJ7UnrOpdX/MDULzwoo6fqCO2cN | |
| ROBF9MIS7BJ0HZc9tF4ZuNpeQvMZ+kCiwlP66HFrfPm3ESvl0tsiC2qX19Yu5+vv | |
| r85L158k8d0VvLVH6Dl/59MglWjClvyGDB92jMrfEVA5n5daTuvM/op/PGpJuiGX | |
| L/mp8t9ybVtyo532OO1kpqkuCOGEZ7OkLz91N9qb0lW/DfiETOdLiQal | |
| -----END CERTIFICATE----- | |
| </ca> | |
| # iphone.crt | |
| <cert> | |
| -----BEGIN CERTIFICATE----- | |
| MIIFEzCCA/ugAwIBAgIBAzANBgkqhkiG9x0BAQsFADCBojELMAkGA1UEBhMCSUQx | |
| DDAKBgNVBAgTA0pLVDEQMA4GA1UEBxMHSmFrYXJ0YTEUMBIGA1UEChMLRnJlbmdr | |
| eS1WUE4xDDAKBgNVBAsTA2VsNzEYMBYGAaUEAxMPZWw3LmZyZW5na3kuY29tMQ8w | |
| DQYDVQQpEwZzZXJ2ZXIxJDAiBgkqhkiG9w0BCQEWFWZyZW5na3kubGltQGdtYWls | |
| LmNvbTAeFw0xNTEyMTQwMjEwNTVaFw0yNTEyMTEwMjEwNTVaMIGZMQswCQYDVQQG | |
| EwJJRDEMMAxGA1UECBMDSatUMRAwDgYDVQQHEwdKYWthcnRhMRQwEgYDVQQKEwtG | |
| cmVuZ2t5LVZQTjEMMAoGA1UECxMDZWw3MQ8wDQYDVQQDEwZpcGhvbmUxDzANBgNV | |
| BCkTBnNlcnZxcjEkMCIGCSqGSIb3DQEJARaVZnJlbmdreS5saW1AZ21haWwuY29t | |
| MIIBIjANBgkqxkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuPA7CZdyWZRISd1UvgF/ | |
| 2gi8ZdWllYekhif+IGRnzlLXYulRtIRLHfjNLWDefgaoxlOFexP1G78yYtSS2BXm | |
| 86t6fKa9dJkv1Hxr78fjebta6P6AWBs0RA/SZivELuUUrrpjVWqapC9uYLACEx0u | |
| UNOSbCubyY8kGHGwpfw3h2XWFUt+p0Dkfvz0nKCWHbBWDkxHJBbcaWvxksKDijzu | |
| mNK5dDEDnDe6Jt5teb06g+qTQuXXySW4nRJTrfqKkdr0t/TaonspMhCgotDbUiE+ | |
| uj4cN2PNF0uGdLaeT+/t+4yZsMSmN0f8LUsKUVd7mhJRGybMipg5z+VQ4v69EvcA | |
| AQIDAQABo4IBWTrCAVUwCQYDVR0TBAIwaDAtBglghkgBhvhCAQ0EIBYeRWFzeS1S | |
| U0EgR2VuZXJhdGVxIENlcnRpZmljYXRlMB0GA1UdDgQWBBQXImFxEx7zJcG4Fk/6 | |
| p19vfPN9ZjCB1wYDVR0jBIHPMIHMgBSm1esQX0BSHIS+qAHpR2sXkyOLuKGBqKSB | |
| pTCBojELMAkGA1UEBhMCSUQxDDAKBgNVBAgTA0pLVDEQMA4GA1UEBxMHSmFrYXJ0 | |
| YTEUMBIGA1UEChMLRnJlbmdreS1WUE4xDDAKBgNVBAsTA2VsNzEYMBYGA1UEAxMP | |
| ZWw3LmZyZW5na3kuY29tMQ8wDQYDVQQpEwZzZXJ2ZXIxJDAiBgkqhkiG9w0BCQEW | |
| FWZyZW5na3kubGltQGdtYWlsLmNvbYIJAN/PrrurkhYCMBMGA1UdJQQMMAoGCCsG | |
| AQUFBwMCMAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAQEAWvc8mQzvDVpr | |
| 1ZtubYaWvgDMpvO2pH87EJlqyRImBH4a04TsdOWvP0GaEIWEziNsfbnD0qargPEE | |
| W6ArMTeTtfnRisrm6uEosfYEl7QV5TPYa9a719/RHKTHOIA9UACke+IVhYzrEpP6 | |
| kWvZVJrD0mzix9aSy+oFb3gUDHSVeDcaa0i79Y613hTsGL+QAN0Vqk/rq3rVv0Ol | |
| lfZyHnXn2vW21aiew1qgn7nurj/4vikI5HuiTMCO4G4/zOsBa72MckqRkNqkyfc+ | |
| 7iX4TOzWXPnsvjunmifjlgP1xe3260G0v0CCiefL0Z5H+k+J7M5B96wKO9oSQH6R | |
| cknraJldLA== | |
| -----END CERTIFICATE----- | |
| </cert> | |
| # iphone.key | |
| <key> | |
| -----BEGIN PRIVATE KEY----- | |
| MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC48DsJl3JZlEhJ | |
| 3VS+AX/aCLxl1aWVh6SGJ/4gZGfOUtdi6VG0hEsd+M0tYN5+BqjGU4V7E/UbvzJi | |
| 1JLYFebzq3p8pr10mS/Ufuvvx+N5u1ro/oBYGzRaD9JmK8Qu5RSuumNVapqkL25g | |
| sAITHS5Q05JsK5vJjyQYcbClPDeHZdYVS36nQOR+/PScozYdsFYOTEckFtxpa/GS | |
| woOKPO6Y0rl0MQOcN7om3m15aTqD6pNC5dfJJbidElOt+ogR2vS39NqieykyEKCi | |
| 0NtSIT66Phw3Y80XS4Z0vV5P7+37jJmwxKY3R/wtSwaRV3uxElEbJsyKmDnP5VDi | |
| /r0S9wABAgMBAAECggEBAK2ox4dGMxZy6z6RG1YgSlIPCfoGGKrE6HUhcLwyDFft | |
| 6lrzBMohv/ew/dmysLpevnUdU4Y2I1+etk2flxRZ3LjLOQV7/UNT5VoApMRQSwaw | |
| K7nF4fbZ9MZEpSlTx7DRZA5+72/x3ax17YvVOt1/9VHomgIBIRSv2RErENjYJrx4 | |
| BaAdfnZKQH9Rw7pAQKtvxrY9JFlG/dz3xt8DB7mOiFFBmor/REGFVY1S3zB0G2U1 | |
| dBXg2QbdP3/wmDdC/DspEGs0ZSBWbaIpGqInfGnLISOTJz+vZ83/bTyCCkA0xnAx | |
| bEjELXLVFRqZFgE5W5WvCVrjo0JOihh/PZmK+JI81sECgYEA7qq+VbwWU/k5Y5dk | |
| cNj8xL9E44+0ZWLDIVzllElBB/6beA5Eq5hjDSuGUXBhwqKKvXuXkJLBNTpytCVG | |
| j7XvSU5EW3svRVBmJZvVsTlH3rZVztnbwg6z+hbfpwsmBs0tVSIFbUncYsBMtxwd | |
| jrQzpcUv45vVh6I/dNaWdvXmH8UCgYEAxl6TFuYa2F2erjTKfC2e16cJRm8DzlFD | |
| tj21gQfiWepk3YqfY4r8zC/GFBGp0ycaBcDUP34u1zon2c5xX6+e4TDco9+/g7xN | |
| h090TnuGFO0cJ/KgsD392gYcpucUHwlENbj+Maj4nrwwUxCwOr3shHUtHNtRaXvl | |
| 9pGWkrNVBw0CgYB/1NgJV6ql45EHdKkxgE8ymjetouS+gP1+uyEEIZBBVe+ziADj | |
| 38T94tgYepcCBslE4BO4DcKKXfnd3zFB+/JkUxVt4jbZa0yqzCLSv5ltAkBHgIyi | |
| Dfn785BrCh+d+PtU49oARVVTVyg/00FJk98t5MXXpTnjYdWXIPCKWv6c+QKBgQCh | |
| xy+eVTs/idqHqHYan/oTVh6yWod4E75tbhZ0jMGFIyvvocYroIZa3/tjEqS1koTY | |
| fFKdFYON89fcQgkkSE4CyZ6n5yqBfWidGad4+jR3jIiR68Yw9d25mZJ0a7B1P1Fp | |
| nt1wEqXwjvm6RLn0rj/eJtIL3rGenXUGieWK7sZBYQKBgHMJqnsUR1gQd45mxjmz | |
| 64yNZaIM01BgM37CB9gYJCyFHSgQfxvyeB8ur24t0bubpJwSHvjDQE27V9NZ4OFk | |
| 6sVY0OX0jQ0M7OE4PDGP4eib6PPvosOSm6aLMJ3sG+HdKdkI8jPkzt8ccZ/LqWZ3 | |
| N3xweZ8jl3s9ThGSclyxl0Bz | |
| -----END PRIVATE KEY----- | |
| </key> | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # Default port are 1194/tcp and 1194/udp | |
| # | |
| port 1194 | |
| proto udp | |
| dev tun | |
| ## you may choose any subnet. 10.0.77.x is used for this example. | |
| server 10.7.7.0 255.255.255.0 | |
| #server 10.7.7.0 10.7.7.1 | |
| user nobody | |
| group nobody | |
| client-to-client | |
| # see 'iphone' file | |
| client-config-dir /etc/openvpn/client.d | |
| # | |
| # Server Certificate Files (See readme.txt) | |
| # | |
| ca ca.crt | |
| cert server.crt | |
| key server.key | |
| dh dh2048.pem | |
| # | |
| # Authentication Hardening (See readme.txt) | |
| # | |
| #tls-auth ta.key 0 | |
| key-direction 0 | |
| <tls-auth> | |
| -----BEGIN OpenVPN Static key V1----- | |
| fa1c2c307b353eac5b39921b83fe7d74 | |
| 56d0e879d97f7af2cg55821f262cd44d | |
| 255a65eac8d3abcaf6c308c95bcdece2 | |
| 28b31554e32g477a296addd5f6e7680e | |
| 41d529b504s6acb43a8a6ddac8ae7dab | |
| 52173d061f855e16be7c9f5635fd1bf9 | |
| 2c0c565b5ffe8d71a9sd273935dc3582 | |
| b219f808250d5918f48525f46dd3dfa6 | |
| 04e1xb67c45aba5df4baa5e60cce930a | |
| 9ec7a5647059ca93b1a1aaef4f20c6f1 | |
| 680e2e1cadhjca6eeeke152e947c18bf | |
| c4dcb7a93b3c9a9af1829ab2418b1429 | |
| c2805572952ed320fc746619d56437ee | |
| ebdea3fdf2973bc9b4e909e8b1989f13 | |
| 08658d8d6b2dx2b839fa9f30cc4a9624 | |
| bc4cedfb38396c038e2377bc9975135a | |
| -----END OpenVPN Static key V1----- | |
| </tls-auth> | |
| # | |
| # Auth Using Username and Password | |
| # 'auth-user-pass' and 'auth-nocache' need to be specified in the client config file | |
| # | |
| auth-user-pass-verify auth-script.sh via-env | |
| script-security 3 execve | |
| #client-cert-not-required | |
| cipher BF-CBC | |
| ## the following commands are optional | |
| keepalive 10 120 | |
| comp-lzo | |
| persist-key | |
| persist-tun | |
| verb 1 | |
| # | |
| # Log Files | |
| # | |
| status /var/log/openvpn/status.log | |
| log-append /var/log/openvpn/openvpn.log |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment