OpenVPN is software for creating your own VPN server. A VPN server is useful for encrypting communications, bypassing geographical restrictions and facilitating teleworking by allowing direct connection to the remote network.
Install the packages:

apt install openvpn easy-rsa

Create a working directory such as /etc/openvpn/server_name and copy /usr/share/easy-rsa to the working directory. Then edit the vars file of your copy (/usr/share/easy-rsa/vars in the original tree):

# Encryption key size
export KEY_SIZE=<2048|4096>
# Certificate settings
export KEY_COUNTRY="EN"
export KEY_PROVINCE="EN"
export KEY_CITY="Laval"
export KEY_ORG="Whitecyber.corp"
export KEY_EMAIL="*********************************"
export KEY_OU="VPN"
The certificate parameters are entered here.

Run the source vars command: it loads the information entered above so that it can be used to create the certificates.

source vars

Run ./build-ca to generate the certificate authority, then check the keys directory to see if the certificate is present.

./build-ca

Run ./build-key-server <server-name> to generate the server certificate, then check the keys directory to see if the certificates exist.

./build-key-server <server-name>

Generate the TLS authentication key (the ta.key referenced by the tls-auth directive):

openvpn --genkey --secret /etc/openvpn/vldvpn/keys/ta.key

Generate the Diffie-Hellman parameters:

openssl dhparam 4096 > /path/keys/dh-4096.pem
Copy a sample server configuration from /usr/share/doc/openvpn/examples/sample-config-files and adapt it:

port <port number> # 1194 by default
proto <udp/tcp>
dev tun/tap
# "dev tun" will create an IP tunnel, "dev tap" will create an ethernet tunnel
# Configuration of keys and certificates
ca /path/to/ca.crt
cert /path/to/vpn.crt
key /path/to/vpn.key # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh2048.pem 2048
dh /path/to/dh2048.pem
tls-auth /path/to/ta.key 0 # This file is secret
Good practice: create a dedicated user to run OpenVPN. This avoids giving access to the root account in case of an intrusion via the OpenVPN protocol.

adduser --system --shell /usr/sbin/nologin --no-create-home openvpn

Then add to the server configuration:

user openvpn
group nogroup
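To check that a server configuration actually carries the hardening set up above (privilege drop to a dedicated user, tls-auth, Diffie-Hellman parameters, and secret files that nobody but the owner can read), here is an added shell audit. It is an example written for this page, not part of the original tutorial or of OpenVPN: the directive names are real OpenVPN ones, but the audit functions, the constructed weak and hardened demo configs, and the choice to resolve relative paths against the config file's directory are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit an OpenVPN server
# configuration for the hardening points this page sets up: privilege drop
# (user/group), tls-auth, Diffie-Hellman parameters, and secret files that
# are not readable by group/other. Directive names are real OpenVPN ones;
# the audit functions and the constructed demo configs are this example's own.

# Print the value of a directive: first active line whose first word is $2.
# Everything after "#" or ";" is a comment (so ";dev tap" style disabled lines are ignored).
conf_get() {
    sed -e 's/[#;].*$//' "$1" | awk -v d="$2" '$1 == d { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Return 0 when a file has no group/other permission bits (0600, 0400, ...).
is_private_file() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Audit one server config. Prints each finding; the return value is the number
# of findings (0 = pass).
audit_openvpn_server() {
    conf="$1"
    confdir=$(dirname "$conf")
    findings=0

    # Directives the tutorial adds: all of them must be present.
    for directive in ca cert key dh tls-auth user group; do
        if [ -z "$(conf_get "$conf" "$directive")" ]; then
            echo "MISSING: '$directive' directive"
            findings=$((findings + 1))
        fi
    done

    # Dropping privileges to root would be no drop at all.
    if [ "$(conf_get "$conf" user)" = "root" ]; then
        echo "WEAK: 'user root' keeps the daemon running as root"
        findings=$((findings + 1))
    fi

    # Secret material: the private key and the tls-auth key must exist and be private.
    # Assumption of this example: relative paths are resolved against the config's directory.
    for directive in key tls-auth; do
        secret=$(conf_get "$conf" "$directive" | awk '{ print $1 }')   # tls-auth has a trailing 0/1
        if [ -z "$secret" ]; then
            continue
        fi
        case "$secret" in /*) ;; *) secret="$confdir/$secret" ;; esac
        if [ ! -f "$secret" ]; then
            echo "MISSING FILE: $directive -> $secret"
            findings=$((findings + 1))
        elif ! is_private_file "$secret"; then
            echo "EXPOSED: $directive -> $secret is readable by group/other"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Build two constructed configs in a temp directory (empty placeholder key files,
# no real key material) and print the directory path.
make_demo_configs() {
    demo=$(mktemp -d)
    mkdir -p "$demo/keys"
    for name in ca.crt server.crt server.key weak.key ta.key dh2048.pem; do
        : > "$demo/keys/$name"
    done
    chmod 600 "$demo/keys/server.key" "$demo/keys/ta.key"
    chmod 644 "$demo/keys/weak.key"              # the mistake the audit should catch
    cat > "$demo/weak.conf" <<EOF
port 1194
proto udp
dev tun
ca $demo/keys/ca.crt
cert $demo/keys/server.crt
key $demo/keys/weak.key
dh $demo/keys/dh2048.pem
EOF
    cat > "$demo/hardened.conf" <<EOF
port 1194
proto udp
dev tun
ca $demo/keys/ca.crt
cert $demo/keys/server.crt
key $demo/keys/server.key # This file should be kept secret
dh $demo/keys/dh2048.pem
tls-auth $demo/keys/ta.key 0 # This file is secret
user openvpn
group nogroup
EOF
    echo "$demo"
}

# Usage: audit the two constructed configs (weak.conf yields 4 findings, hardened.conf 0).
demo_dir=$(make_demo_configs)
audit_openvpn_server "$demo_dir/weak.conf" || echo "weak.conf: $? finding(s)"
audit_openvpn_server "$demo_dir/hardened.conf" && echo "hardened.conf: passes"
```

On a real server, run audit_openvpn_server against /etc/openvpn/<server_name>.conf after the edits above; a non-zero return lists exactly which of the tutorial's directives or file permissions is still missing.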
On the client side, load the variables again and generate a client certificate:

source vars
./build-key <client_name>

Copy the sample client configuration named client.conf from /usr/share/doc/openvpn/examples/sample-config-files and adapt it:

client
# Choose the same parameter as for the server
;dev tap
dev tun
#Likewise
;proto tcp
proto udp
#VPN server address
remote <ip> <port>
# You have to create the user on the client if needed
user openvpn
group nogroup
#Ensure that the links are appropriate for the client
ca /path/to/authority_certificate/ca.crt
cert /path/to/certificate/client.crt
key /path/to/key/client.key
tls-auth /path/to/key/tls/ta.key 1