How to Install and Use OpenVPN for Secure Connections

OpenVPN is a robust and widely-used open-source VPN (Virtual Private Network) solution that provides secure and encrypted connections over the internet. This guide outlines the process of installing and configuring OpenVPN on a Linux server to establish secure connections.
Prerequisites
- Linux Server: A VPS or dedicated server running a Linux distribution such as Ubuntu, Debian, or CentOS.
- Root or Sudo Access: Administrative privileges to install and configure OpenVPN.
- Public IP Address: A public-facing IP for your server.
- Updated System: Run the following command to ensure your system is updated:
sudo apt update && sudo apt upgrade -y   # For Ubuntu/Debian
sudo yum update -y                       # For CentOS/RHEL
Step 1: Install OpenVPN and Easy-RSA
Ubuntu/Debian
- Install OpenVPN and Easy-RSA:
sudo apt install openvpn easy-rsa -y
- Verify the installation:
openvpn --version
CentOS/RHEL
- Enable the EPEL repository and install OpenVPN:
sudo yum install epel-release -y
sudo yum install openvpn easy-rsa -y
- Verify the installation:
openvpn --version
Step 2: Configure the OpenVPN Server
- Set Up the PKI (Public Key Infrastructure):
Create a CA working directory populated with the Easy-RSA scripts, then change into it:
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
- Edit the Variables File:
Open the vars file for editing:
nano vars
Update the following values as needed:
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "MyOrg"
set_var EASYRSA_REQ_EMAIL "[email protected]"
set_var EASYRSA_REQ_OU "IT"
- Build the CA and Server Certificates:
Initialize the PKI:
./easyrsa init-pki
Build the Certificate Authority (CA):
./easyrsa build-ca
Generate the server certificate and key:
./easyrsa gen-req server nopass
./easyrsa sign-req server server
- Generate Diffie-Hellman Parameters:
./easyrsa gen-dh
- Create the HMAC Signature for TLS Authentication:
openvpn --genkey --secret ta.key
- Move Certificates and Keys:
Copy the necessary files to the /etc/openvpn directory:
sudo cp pki/ca.crt pki/issued/server.crt pki/private/server.key pki/dh.pem ta.key /etc/openvpn/
Step 3: Configure the OpenVPN Service
- Create the Server Configuration File:
sudo nano /etc/openvpn/server.conf
Add the following configuration:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA256
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
cipher AES-256-CBC
# Drop privileges after startup. "nogroup" is the Debian/Ubuntu group name;
# on CentOS/RHEL the equivalent group is "nobody".
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
explicit-exit-notify 1
- Enable and Start the OpenVPN Service:
sudo systemctl enable openvpn@server
sudo systemctl start openvpn@server
- Verify the Service:
sudo systemctl status openvpn@server
Step 4: Configure Client Access
- Generate Client Certificates:
cd ~/openvpn-ca
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1
Copy the client certificates and keys:
sudo cp pki/issued/client1.crt pki/private/client1.key /etc/openvpn/client/
- Create a Client Configuration File:
nano client1.ovpn
Add the following:
client
dev tun
proto udp
remote YOUR_SERVER_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
verb 3
- Transfer the Configuration File:
Securely transfer the client1.ovpn file to the client device using scp or similar tools:
scp client1.ovpn user@client-ip:/path/to/save
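The client configuration above points at ca.crt, client1.crt, client1.key and ta.key as separate files, so copying only client1.ovpn leaves the client without them. The following added example (not part of the original guide) embeds them as OpenVPN inline blocks so that one file is enough; build_inline_ovpn and demo_inline_ovpn are hypothetical helper names, and the demo inputs are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example: bundle the CA certificate, client certificate/key and
# tls-auth key into a single .ovpn file as inline blocks.
# Usage: build_inline_ovpn BASE_CONF CA_CRT CLIENT_CRT CLIENT_KEY TA_KEY OUT
build_inline_ovpn() (
    base=$1 ca=$2 cert=$3 key=$4 ta=$5 out=$6
    for f in "$base" "$ca" "$cert" "$key" "$ta"; do
        [ -r "$f" ] || { echo "missing input: $f" >&2; exit 1; }
    done
    umask 077    # the result embeds the client's private key
    {
        # Drop the file-based directives; the inline blocks below replace them.
        sed -E '/^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]/d' "$base"
        echo 'key-direction 1'    # inline equivalent of the "1" in "tls-auth ta.key 1"
        echo '<ca>'; cat "$ca"; echo '</ca>'
        # Easy-RSA writes a text dump above the PEM block; keep only the PEM.
        echo '<cert>'
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$cert"
        echo '</cert>'
        echo '<key>'; cat "$key"; echo '</key>'
        echo '<tls-auth>'; cat "$ta"; echo '</tls-auth>'
    } > "$out" && chmod 600 "$out"
)

# Constructed sample inputs (placeholders, not real key material) so the
# function can be exercised offline; prints the path of the generated file.
demo_inline_ovpn() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'client' 'remote YOUR_SERVER_IP 1194' 'ca ca.crt' \
        'cert client1.crt' 'key client1.key' 'tls-auth ta.key 1' \
        'cipher AES-256-CBC' > "$d/base.conf"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CA' \
        '-----END CERTIFICATE-----' > "$d/ca.crt"
    printf '%s\n' 'Certificate:' '    Data: text dump' \
        '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CLIENT' \
        '-----END CERTIFICATE-----' > "$d/client1.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-KEY' \
        '-----END PRIVATE KEY-----' > "$d/client1.key"
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' 'CONSTRUCTED-TA' \
        '-----END OpenVPN Static key V1-----' > "$d/ta.key"
    build_inline_ovpn "$d/base.conf" "$d/ca.crt" "$d/client1.crt" \
        "$d/client1.key" "$d/ta.key" "$d/client1.ovpn" && echo "$d/client1.ovpn"
}
```

With the files from this guide, the inputs would be client1.ovpn, pki/ca.crt, pki/issued/client1.crt, pki/private/client1.key and ta.key in ~/openvpn-ca, written to an output name of your choosing. The resulting file contains the client's private key, so it needs the same protection in transit and at rest as the key itself.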
Step 5: Connect to the VPN
- Install the OpenVPN Client:
On the client device, install the OpenVPN client application:
sudo apt install openvpn -y # For Linux clients
- Start the VPN Connection:
sudo openvpn --config client1.ovpn
- Verify Connectivity:
Test the VPN connection by accessing internal resources or checking your public IP address.
Conclusion
By following this guide, you’ve successfully installed and configured OpenVPN on a Linux server for secure connections. Regular updates, monitoring, and backups will ensure a reliable and secure VPN environment for your needs.