Setting up a OpenVPN server
This article describes how to set up an OpenVPN server with the Alpine Linux. This is an ideal solution for allowing single users or devices to remotely connect to your network. To establish connectivity with a Remote Office or site, Racoon/Opennhrp would provide better functionality.
It is recommended that you have a publicly routable static IP address in order for this to work. This means that your IP address cannot be in the private IP address ranges described here: WikiPedia
If your Internet-connected machine doesn't have a static IP address, DynDNS can be used for resolving DNS names to IP addresses.
Follow Installing_Alpine to setup Alpine Linux.
Prepare autostart of OpenVPN
One of the first things that needs to be done is to make sure that you have secure keys to work with. Alpine makes this easy by having a web interface to manage the certificates. Documentation for it can be found here: Generating_SSL_certs_with_ACF. It is a best practice not to have your certificate server be on the same machine as the router being used for remote connectivity.
You will need to create a server (ssl_server_cert) certificate for the server and one client (ssl_client_cert) for each client. To use the certificates, you should download the .pfx file and extract it.
To extract the three parts of each .pfx file, use the following commands:
To get the ca cert out...
To get the cert file out...
To get the private key file out. Make sure this stays private.
On the VPN server, you can also install the acf-openvpn package, which contains a web page to automatically upload and extract the server certificate. There is also a button to automatically generate the Diffie Hellman parameters.
If you would prefer to generate your certificates using OpenVPN utilities, see #Alternative Certificate Method
Configure OpenVPN server
Example configuration file for server. Place the following content in /etc/openvpn/openvpn.conf:
local "Public Ip address" port 1194 proto udp dev tun ca openvpn_certs/server-ca.pem cert openvpn_certs/server-cert.pem dh openvpn_certs/dh1024.pem #to generate by hand #openssl dhparam -out dh1024.pem 1024 server 10.0.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "route 10.0.0.0 255.0.0.0" push "dhcp-option DNS 10.0.0.1" keepalive 10 120 comp-lzo user nobody group nobody persist-key persist-tun status /var/log/openvpn-status.log log-append /var/log/openvpn.log verb 3
(Instructions are based on openvpn.net/howto.html#server)
Test your configuration
Test configuration and certificates
Configure OpenVPN client
client dev tun proto udp remote "public IP" 1194 resolv-retry infinite nobind ns-cert-type server # This means that the certificate on the openvpn server needs to have this field. Prevents MitM attacks persist-key persist-tun ca client-ca.pem cert client-cert.pem key client-key.pem comp-lzo verb 3
(Instructions are based on openvpn.net/howto.html#client)
Don't forget to save all your settings if you are running a RAM-based system.
Alternative Certificate Method
Manual Certificate Commands
(Instructions are based on openvpn.net/howto.html#pki)
Initial setup for administrating certificates
The following instructions assume that you want to save your configs, certs and keys in /etc/openvpn/keys.
Start by moving to the /usr/share/openvpn/easy-rsa folder to execute commands
If not already done then create a folder where you will save your certificates and save a copy of your /usr/share/openvpn/easy-rsa/vars for later use.
(All files in /usr/share/openvpn/easy-rsa are overwritten when the computer is restarted)
If not already done then edit /etc/openvpn/keys/vars
(This file is used for defining paths and other standard settings)
- Change KEY_DIR= from "$EASY_RSA/keys" to "/etc/openvpn/keys"
- Change KEY_SIZE, CA_EXPIRE, KEY_EXPIRE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL to match your system.
source the vars to set properties
Set up a 'Certificate Authority' (CA)
Clean up the keys folder.
Generate Diffie Hellman parameters
Now lets make the CA certificates and keys
Set up a 'OpenVPN Server'
Create server certificates
Set up a 'OpenVPN Client'
Create client certificates
Revoke a certificate
To revoke a certificate
The revoke-full script will generate a CRL (certificate revocation list) file called crl.pem in the keys subdirectory.
The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration: