There are three big things that need to be done to set up an OpenVPN server.

  1. Generate keys and certificates for the server and clients
  2. Create the server config file
  3. Create client config files

Setting up an OpenVPN server has become a little easier since the last time I did it, back in 2014. Easy-rsa is the tool that helps us create the keys and certificates; it has had a major update and its version number has been bumped to three. You can fetch the repository from https://github.com/OpenVPN/easy-rsa.git. Easy-rsa now uses better defaults, such as RSA key lengths of 2048 bits instead of 1024 bits, and it automatically encrypts private keys with AES-256. If you want to change some of the defaults, copy vars.example to a file called just vars and make the changes you need there.

Keys and Certificates

To start off we need to initialise our public key infrastructure. This is done with two simple commands: the first creates the pki folder and the second generates the CA root certificate together with its private key. The CA key must be kept secret and preferably not on the same machine that OpenVPN will run on, so that a compromise of the VPN server does not also hand over the ability to issue new certificates. I therefore recommend running easy-rsa on a separate, preferably air-gapped computer.

  ./easyrsa init-pki
  ./easyrsa build-ca

Now that the root certificate is generated we can start generating the server and client keys. build-server-full generates the server's private key and certificate, and build-client-full does the same for a client. Both will ask you for a PEM passphrase to encrypt the new private key, and for the CA key's passphrase to sign the certificate.

  ./easyrsa build-server-full ServerName
  ./easyrsa build-client-full ClientName

Generate the Diffie-Hellman parameters with ./easyrsa gen-dh. This should be done on the server, as the parameters do not need to be signed by the CA (easy-rsa 3 writes them to pki/dh.pem). Then generate a ta.key for tls-auth; with it the server can drop packets that lack a valid HMAC before doing any TLS work, which protects against UDP port flooding and DoS attacks:

  ./easyrsa gen-dh
  openvpn --genkey --secret ta.key

The keys and certificates should be distributed as per the following table. Duplicate the client rows for however many clients you need.

| Filename | Needed by | Purpose | Secret |
| ------------- | ------------- | ------ | ------ |
| ca.crt | server + all clients | Root CA certificate | NO |
| ca.key | key signing machine only | Root CA key | YES |
| dh{n}.pem | server only | Diffie-Hellman parameters | NO |
| ServerName.crt | server only | Server certificate | NO |
| ServerName.key | server only | Server key | YES |
| ClientName.crt | ClientName only | Client certificate | NO |
| ClientName.key | ClientName only | Client key | YES |
| ta.key | server + all clients | OpenVPN HMAC key (tls-auth) | YES |
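As an added example (not part of the original post), the following script packages the easy-rsa 3 output into per-host bundles that follow the "Needed by" column of the table and rejects any bundle that contains ca.key or a group/world-readable key. It assumes the easy-rsa 3 layout (pki/ca.crt, pki/private/ca.key, pki/issued/<name>.crt, pki/private/<name>.key, pki/dh.pem) and that ta.key was copied into pki/ after generating it; make_fake_pki creates placeholder files so the script can be tried offline.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: package easy-rsa 3 output into
# per-host bundles according to the "Needed by" column of the table, and check
# that nothing which must stay on the signing machine leaves it.
# Assumed layout (easy-rsa 3): pki/ca.crt, pki/private/ca.key,
# pki/issued/<name>.crt, pki/private/<name>.key, pki/dh.pem, and ta.key copied
# into pki/ after "openvpn --genkey --secret ta.key".

SHARED_FILES="ca.crt ta.key"   # server + all clients
NEVER_SHIP="ca.key"            # root CA key: key signing machine only

# is_private <file>: 0 if the file is readable by its owner only (mode 600/400).
is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# bundle_for <pki_dir> <out_dir> <server|client> <name>
# Copies exactly the files the table assigns to that host and prints the
# bundle directory. <name> is the common name given to build-*-full.
bundle_for() {
    pki=$1; out=$2; role=$3; name=$4
    dest="$out/$role-$name"
    mkdir -p "$dest"
    for f in $SHARED_FILES; do
        cp "$pki/$f" "$dest/$f"
    done
    cp "$pki/issued/$name.crt"  "$dest/$name.crt"
    cp "$pki/private/$name.key" "$dest/$name.key"
    # Diffie-Hellman parameters are only used on the server side
    if [ "$role" = server ]; then
        cp "$pki/dh.pem" "$dest/dh.pem"
    fi
    chmod 600 "$dest"/*.key
    echo "$dest"
}

# check_bundle <dir>: print violations and return their count (0 = clean).
check_bundle() {
    dir=$1; bad=0
    for f in $NEVER_SHIP; do
        if [ -e "$dir/$f" ]; then
            echo "VIOLATION: $f must never leave the key signing machine ($dir)"
            bad=$((bad + 1))
        fi
    done
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue
        if ! is_private "$f"; then
            echo "VIOLATION: $f is readable by group or world"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# make_fake_pki <dir>: constructed stand-in for a pki/ tree with placeholder
# contents (NOT real keys or certificates), so the script runs offline.
make_fake_pki() {
    d=$1
    mkdir -p "$d/private" "$d/issued"
    echo "placeholder CA certificate" > "$d/ca.crt"
    echo "placeholder CA key"         > "$d/private/ca.key"
    echo "placeholder DH parameters"  > "$d/dh.pem"
    echo "placeholder tls-auth key"   > "$d/ta.key"
    for n in ServerName ClientName; do
        echo "placeholder certificate $n" > "$d/issued/$n.crt"
        echo "placeholder key $n"         > "$d/private/$n.key"
    done
    chmod 600 "$d/private"/*.key "$d/ta.key"
}

# Usage: bash bundle.sh --demo   (builds a placeholder PKI under a temp dir)
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_fake_pki "$work/pki"
    for target in "server ServerName" "client ClientName"; do
        set -- $target
        b=$(bundle_for "$work/pki" "$work/out" "$1" "$2")
        check_bundle "$b" && echo "OK: $b"
    done
    rm -rf "$work"
fi
```

Point bundle_for at the real pki/ directory on the signing machine, then copy each bundle to its host; check_bundle is the gate to run before anything is copied, since the only file it refuses outright is the one the table marks "key signing machine only".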

Create the server config file

You can find examples of both configuration files over at openvpn.net; use them as templates. Below is a concise version with the comments removed. Remember to decrypt the server key after you have copied it over, so that the daemon can start without a passphrase prompt; you can do this with openssl rsa -in pki/private/server.key -out server.key (without -out the decrypted key is printed to stdout). The decrypted key should be readable by root only.

local a.b.c.d
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem   # easy-rsa 3 gen-dh writes pki/dh.pem; rename it or adjust this path
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher BF-CBC        # Blowfish (default); 64-bit block cipher, deprecated since OpenVPN 2.4, prefer AES-256-GCM
comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 1
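Several directives in these configs were the defaults in 2014 but are deprecated on OpenVPN 2.4 and later: BF-CBC (Blowfish) has a 64-bit block, comp-lzo enables compression that can leak plaintext through a compression-oracle attack, and ns-cert-type (used in the client config) has been replaced by remote-cert-tls. The following script is an added example, not from the original post: it lints a config for those directives and rewrites them to the modern equivalents. The sample_conf function is a constructed excerpt of the configs in this post; the replacements assume both ends run OpenVPN 2.4 or later, because the cipher must match on the server and all clients.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: lint an OpenVPN config for
# directives that are deprecated or weak on OpenVPN 2.4+ and rewrite them.
# POSIX sh plus sed; the config is read from stdin.

# lint_openvpn_conf < config
# Prints one finding per line and returns the number of findings (0 = clean).
# Comments (#...) and leading whitespace are ignored.
lint_openvpn_conf() {
    findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                          # drop comments
        line=${line#"${line%%[![:space:]]*}"}     # trim leading whitespace
        [ -n "$line" ] || continue
        directive=${line%%[[:space:]]*}           # first word
        rest=${line#"$directive"}
        rest=${rest#"${rest%%[![:space:]]*}"}
        arg=${rest%%[[:space:]]*}                 # second word (may be empty)
        case "$directive" in
            cipher)
                if [ "$arg" = "BF-CBC" ]; then
                    echo "cipher BF-CBC: Blowfish has a 64-bit block and is deprecated since OpenVPN 2.4; use AES-256-GCM"
                    findings=$((findings + 1))
                fi ;;
            comp-lzo)
                echo "comp-lzo: compression can leak plaintext through a compression-oracle attack; disable it"
                findings=$((findings + 1)) ;;
            ns-cert-type)
                echo "ns-cert-type: deprecated; use 'remote-cert-tls server' on clients"
                findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# harden_conf < config > new_config
# Rewrites the three directives above to their modern equivalents. Both ends
# must run OpenVPN 2.4+, and the cipher must match on server and clients.
harden_conf() {
    sed -e 's/^\([[:space:]]*\)cipher[[:space:]][[:space:]]*BF-CBC.*$/\1cipher AES-256-GCM/' \
        -e 's/^\([[:space:]]*\)ns-cert-type[[:space:]][[:space:]]*server.*$/\1remote-cert-tls server/' \
        -e '/^[[:space:]]*comp-lzo$/d' \
        -e '/^[[:space:]]*comp-lzo[[:space:]]/d'
}

# sample_conf: constructed excerpt of the server and client configs in this post.
sample_conf() {
    cat <<'EOF'
dev tun
proto udp
ns-cert-type server
tls-auth ta.key 1
cipher BF-CBC        # Blowfish (default)
comp-lzo
verb 1
EOF
}

# Usage: bash lint.sh --demo, or: lint_openvpn_conf < server.conf
if [ "${1:-}" = "--demo" ]; then
    sample_conf | lint_openvpn_conf
    echo "--- hardened ---"
    sample_conf | harden_conf
fi
```

Run lint_openvpn_conf over both the server and the client config; the return code is the number of findings, so it drops straight into a deployment check. harden_conf only rewrites what the lint flags, so review its output before replacing the files, and change server and clients together.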

Create the client config file

Setting up the client config file is similar:

client
dev tun
proto udp
remote my-server-1 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert client.crt
key client.key
ns-cert-type server  # deprecated; newer OpenVPN versions use remote-cert-tls server
tls-auth ta.key 1
cipher BF-CBC        # must match the server's cipher
comp-lzo
verb 1
mute 20
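Handing each client four loose files is error-prone, so as an added example (not from the original post) the script below builds one self-contained client profile (.ovpn) from the files a client receives, embedding ca.crt, ClientName.crt, ClientName.key and ta.key inline. The directives mirror the client config above, except that ns-cert-type is replaced by remote-cert-tls, comp-lzo is dropped, and the cipher is AES-256-GCM; it assumes the server has been configured to match, and the bundle directory, client name and server host are illustrative arguments.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: build one self-contained client
# profile (.ovpn) from the files a client receives, embedding ca.crt,
# <name>.crt, <name>.key and ta.key inline. Directives mirror the client
# config in the post, with ns-cert-type replaced by remote-cert-tls, comp-lzo
# dropped, and cipher AES-256-GCM (assumes the server is configured to match).

# make_client_profile <bundle_dir> <client_name> <server_host> [port]
# Prints the profile on stdout; returns 1 (nothing printed) if a file is missing.
make_client_profile() {
    dir=$1; name=$2; host=$3; port=${4:-1194}
    for f in ca.crt "$name.crt" "$name.key" ta.key; do
        if [ ! -r "$dir/$f" ]; then
            echo "make_client_profile: missing $dir/$f" >&2
            return 1
        fi
    done
    cat <<EOF
client
dev tun
proto udp
remote $host $port
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
mute-replay-warnings
remote-cert-tls server
cipher AES-256-GCM
verb 1
mute 20
# "tls-auth ta.key 1" becomes an inline <tls-auth> block plus key-direction 1
key-direction 1
EOF
    # Each file is wrapped in the <tag>...</tag> form OpenVPN accepts in place
    # of the "ca", "cert", "key" and "tls-auth" file directives.
    for pair in "ca:ca.crt" "cert:$name.crt" "key:$name.key" "tls-auth:ta.key"; do
        tag=${pair%%:*}
        file=${pair#*:}
        printf '<%s>\n' "$tag"
        awk '1' "$dir/$file"      # print the file, guaranteeing a trailing newline
        printf '</%s>\n' "$tag"
    done
}

# Usage (illustrative paths):
#   umask 077
#   make_client_profile ./client-ClientName ClientName vpn.example.net > ClientName.ovpn
```

The profile contains the client's private key, so generate it with a restrictive umask and deliver it over a channel you trust. A key that is still encrypted with the PEM passphrase from build-client-full can be inlined as-is; OpenVPN will prompt for the passphrase when the profile is used.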