Setting up a OpenVPN server
Setup Alpine
This article describes how to set up an OpenVPN server with the Alpine distro. This is an ideal solution for allowing single users or devices to remotely connect to your network. To establish connectivity with a Remote Office or site, Racoon/Opennhrp would provide better functionality.
It is recommended that you have a publicly routable static IP address in order for this to work. This means that your IP address cannot be in the private IP address ranges described here:[1]
In the case that your Internet-connected machine doesn't have a static IP address, DynDNS can be used for resolving DNS names to IP addresses.
Initial Setup
Follow [2] to setup Alpine Linux.
Install programs
Install openvpn
apk_add openvpn
Prepare autostart of OpenVPN
rc_add -s 40 -k openvpn
Certificates
One of the first things that needs to be done is making sure you have secure keys to work with. Alpine makes this easy by having a web interface to manage the certificates. Documentation for it can be found here: Generating_SSL_certs_with_ACF. It is a best practice to not have your certificate server be on the same machine as the router being used for remote connectivity.
Configure OpenVPN-server
Example configuration file for server:
local "Public Ip address" port 1194 proto udp dev tun ca ca.crt cert server.crt dh dh1024.pem #to generate by hand #openssl dhparam -out dh1024.pem 1024 server 10.0.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "route 10.0.0.0 255.0.0.0" push "dhcp-option DNS 10.0.0.1" keepalive 10 120 comp-lzo user nobody group nobody persist-key persist-tun status openvpn-status.log log openvpn.log log-append openvpn.log verb 3
(Instructions is based on openvpn.net/howto.html#server)
Test your configuration
Test configuration and certificates
openvpn --config /etc/openvpn/openvpn.conf
Configure OpenVPN-client
Example client.conf:
client dev tun proto udp remote "public IP" 1194 resolv-retry infinite nobind ns-cert-type server # This means that the certificate on the openvpn server needs to have this field. Prevents MitM attacks persist-key persist-tun ca ca.crt cert client.crt key client.key comp-lzo verb 3
(Instructions is based on openvpn.net/howto.html#client)
Save settings
Don't forget to save all your settings
lbu commit -v sdb1
Manual Certificate Commands
(Instructions is based on openvpn.net/howto.html#pki)
Initial setup for administrating certificates
The following instructions assume that you want to save your configs, certcs and keys in /etc/openvpn/keys.
Start by moving to the /usr/share/openvpn/easy-rsa folder to execute commands
cd /usr/share/openvpn/easy-rsa
If not already done then create a folder where you will save your certificates and
save a copy of your /usr/share/openvpn/easy-rsa/vars for later use.
(All files in /usr/share/openvpn/easy-rsa is overwritten when the computer is restarted)
mkdir /etc/openvpn/keys cp ./vars /etc/openvpn/keys
If not already done then edit /etc/openvpn/keys/vars
(This file is used for defining paths and other standard settings)
vim /etc/openvpn/keys/vars * Change KEY_DIR= from "$EASY_RSA/keys" to "/etc/openvpn/keys" * Change KEY_SIZE, CA_EXPIRE, KEY_EXPIRE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL to match your system.
source the vars to set properties
source /etc/openvpn/keys/vars
Set up a 'Certificate Authority' (CA)
- Start by doing the steps in #Initial_setup_for_administrating_certificates
Clean up the keys folder.
./clean-all
Generate Diffie Hellman parameters
./build-dh
Now lets make the CA certificates and keys
./build-ca
Set up a 'OpenVPN Server'
- Start by doing the steps in #Initial_setup_for_administrating_certificates
Create server certificates
./build-key-server {commonname}
Set up a 'OpenVPN Client'
- Start by doing the steps in #Initial_setup_for_administrating_certificates
Create client certificates
./build-key {commonname}
Revoke a certificate
- Start by doing the steps in #Initial_setup_for_administrating_certificates
To revoke a certificate...
./revoke-full {commonname}
The revoke-full script will generate a CRL (certificate revocation list) file called crl.pem in the keys subdirectory.
The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:
crl-verify crl.pem