Setting up a OpenVPN server
This article will describe how to set up a OpenVPN server with the Alpine distro. This article applies to persons trying to get remote persons to connect to their network securely over the Internet. Mostly for a single computer to connect. Racoon/Opennhrp would be better for a remote site or office.
You will need to have a Publicly routable IP address for this to work. That means you connection to the Internet would not be with one of these IP addresses: [1]
Setup Alpine
Initial Setup
Follow [2] on how to setup Alpine
Install programs
Install openvpn
apk_add openvpn
Prepare autostart of OpenVPN
rc_add -s 40 -k openvpn
Certificates
One of the first things that needs to be done is making sure you have secure keys to work with. Alpine makes this easy by having a web interface to manage the certificates. Documentation for it can be found here: Generating_SSL_certs_with_ACF. It is a best practice to not have your certificate server be on the same machine as the router being used for remote connectivity.
Configure OpenVPN-server
Example configuration file for server:
local "Public Ip address" port 1194 proto udp dev tun ca ca.crt cert server.crt dh dh1024.pem server 10.252.252.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "route 10.0.0.0 255.0.0.0" push "dhcp-option DNS 10.252.253.9" keepalive 10 120 comp-lzo user nobody group nobody persist-key persist-tun status openvpn-status.log log openvpn.log log-append openvpn.log verb 3
(Instructions is based on openvpn.net/howto.html#server)
Test your configuration
Test configuration and certificates
openvpn --config /etc/openvpn/openvpn.conf
Configure OpenVPN-client
(Instructions is based on openvpn.net/howto.html#client)
Save settings
Don't forget to save all your settings
lbu ci floppy
Manual Certificate Commands
(Instructions is based on openvpn.net/howto.html#pki)
Initial setup for administrating certificates
The following instructions assume that you want to save your configs, certcs and keys in /etc/openvpn/keys.
Start by moving to the /usr/share/openvpn/easy-rsa folder to execute commands
cd /usr/share/openvpn/easy-rsa
If not already done then create a folder where you will save your certificates and
save a copy of your /usr/share/openvpn/easy-rsa/vars for later use.
(All files in /usr/share/openvpn/easy-rsa is overwritten when the computer is restarted)
mkdir /etc/openvpn/keys cp ./vars /etc/openvpn/keys
If not already done then edit /etc/openvpn/keys/vars
(This file is used for defining paths and other standard settings)
vim /etc/openvpn/keys/vars * Change KEY_DIR= from "$EASY_RSA/keys" to "/etc/openvpn/keys" * Change KEY_SIZE, CA_EXPIRE, KEY_EXPIRE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL to match your system.
source the vars to set properties
source /etc/openvpn/keys/vars
Set up a 'Certificate Authority' (CA)
- Start by doing the steps in #Initial_setup_for_administrating_certificates
Clean up the keys folder.
./clean-all
Generate Diffie Hellman parameters
./build-dh
Now lets make the CA certificates and keys
./build-ca
Set up a 'OpenVPN Server'
- Start by doing the steps in #Initial_setup_for_administrating_certificates
Create server certificates
./build-key-server {commonname}
Set up a 'OpenVPN Client'
- Start by doing the steps in #Initial_setup_for_administrating_certificates
Create client certificates
./build-key {commonname}
Revoke a certificate
- Start by doing the steps in #Initial_setup_for_administrating_certificates
To revoke a certificate...
./revoke-full {commonname}
The revoke-full script will generate a CRL (certificate revocation list) file called crl.pem in the keys subdirectory.
The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:
crl-verify crl.pem