Setup Alpine

This article will describe how to set up a OpenVPN server with the Alpine distro. This article applies to persons trying to get remote persons to connect to their network securely over the Internet. Mostly for a single computer to connect. Racoon/Opennhrp would be better for a remote site or office.

You will need to have a Publicly routable IP address for this to work. That means you connection to the Internet would not be with one of these IP addresses: [1]

Initial Setup

Follow [2] on how to setup Alpine

Install programs

Install openvpn

apk_add openvpn

Prepare autostart of OpenVPN

rc_add -s 40 -k openvpn

Certificates

One of the first things that needs to be done is making sure you have secure keys to work with. Alpine makes this easy by having a web interface to manage the certificates. Documentation for it can be found here: Generating_SSL_certs_with_ACF. It is a best practice to not have your certificate server be on the same machine as the router being used for remote connectivity.

Configure OpenVPN-server

Example configuration file for server:

local "Public Ip address"
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
dh dh1024.pem
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.0.0.0"
push "dhcp-option DNS 10.0.0.1"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log         openvpn.log
log-append  openvpn.log
verb 3

(Instructions is based on openvpn.net/howto.html#server)

Test your configuration

Test configuration and certificates

 openvpn --config /etc/openvpn/openvpn.conf

Configure OpenVPN-client

Example client.conf:

client
dev tun
proto udp
 remote "public IP" 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3

(Instructions is based on openvpn.net/howto.html#client)

Save settings

Don't forget to save all your settings

lbu commit -v sdb1

Manual Certificate Commands

(Instructions is based on openvpn.net/howto.html#pki)

Initial setup for administrating certificates

The following instructions assume that you want to save your configs, certcs and keys in /etc/openvpn/keys.
Start by moving to the /usr/share/openvpn/easy-rsa folder to execute commands

cd /usr/share/openvpn/easy-rsa

If not already done then create a folder where you will save your certificates and
save a copy of your /usr/share/openvpn/easy-rsa/vars for later use.
(All files in /usr/share/openvpn/easy-rsa is overwritten when the computer is restarted)

mkdir /etc/openvpn/keys
cp ./vars /etc/openvpn/keys

If not already done then edit /etc/openvpn/keys/vars
(This file is used for defining paths and other standard settings)

vim /etc/openvpn/keys/vars
* Change KEY_DIR= from "$EASY_RSA/keys" to "/etc/openvpn/keys"
* Change KEY_SIZE, CA_EXPIRE, KEY_EXPIRE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL to match your system.

source the vars to set properties

source /etc/openvpn/keys/vars

Set up a 'Certificate Authority' (CA)

• Start by doing the steps in #Initial_setup_for_administrating_certificates

Clean up the keys folder.

./clean-all

Generate Diffie Hellman parameters

./build-dh

Now lets make the CA certificates and keys

./build-ca

Set up a 'OpenVPN Server'

• Start by doing the steps in #Initial_setup_for_administrating_certificates

Create server certificates

./build-key-server {commonname}

Set up a 'OpenVPN Client'

• Start by doing the steps in #Initial_setup_for_administrating_certificates

Create client certificates

./build-key {commonname}

Revoke a certificate

• Start by doing the steps in #Initial_setup_for_administrating_certificates

To revoke a certificate...

./revoke-full {commonname}

The revoke-full script will generate a CRL (certificate revocation list) file called crl.pem in the keys subdirectory.
The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:
crl-verify crl.pem