Setting up an OpenVPN server

From Alpine Linux
Revision as of 20:32, 1 June 2009 by Ms13sp (talk | contribs) (Manage Certificates)

This article describes how to set up an OpenVPN server with the Alpine distro.

Documentation based on alpine-1.6

Setup Alpine

Initial Setup

Follow [1] on how to set up Alpine

Install programs

Install openvpn

apk_add openvpn

Prepare autostart of OpenVPN
(The number is the start-order. Choose between 1-99)

rc_add -vks 95 openvpn

Configure OpenVPN-server

(Instructions is based on

Test your configuration

Test configuration and certificates

 openvpn --config /etc/openvpn/openvpn.conf

Configure OpenVPN-client

(Instructions is based on

Manage Certificates

See Generating_SSL_certs_with_ACF for a web-interface way to manage certificates.

(Instructions is based on

Initial setup for administrating certificates

The following instructions assume that you want to save your configs, certs and keys in /etc/openvpn/keys.
Start by moving to the /usr/share/openvpn/easy-rsa folder to execute commands.

cd /usr/share/openvpn/easy-rsa

If not already done, create a folder where you will save your certificates and
save a copy of your /usr/share/openvpn/easy-rsa/vars for later use.
(All files in /usr/share/openvpn/easy-rsa are overwritten when the computer is restarted.)

mkdir /etc/openvpn/keys
cp ./vars /etc/openvpn/keys

If not already done, edit /etc/openvpn/keys/vars
(This file is used for defining paths and other standard settings.)

vim /etc/openvpn/keys/vars
* Change KEY_DIR= from "$EASY_RSA/keys" to "/etc/openvpn/keys"

Source the vars to set properties

source /etc/openvpn/keys/vars

Set up a 'Certificate Authority' (CA)

Clean up the keys folder.


Generate Diffie Hellman parameters


Now let's make the CA certificates and keys


Set up a 'OpenVPN Server'

Create server certificates

./build-key-server {commonname}

Set up a 'OpenVPN Client'

Create client certificates

./build-key {commonname}

Revoke a certificate

To revoke a certificate...

./revoke-full {commonname}

The revoke-full script will generate a CRL (certificate revocation list) file called crl.pem in the keys subdirectory.
The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:

crl-verify crl.pem
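
As an added example (not part of the original wiki page), this POSIX sh script checks two things the steps above depend on: that KEY_DIR in the copied vars file points outside the easy-rsa folder, and that the server configuration has an active crl-verify directive naming a readable PEM CRL. The function names and sample files are constructed for illustration; resolving a relative crl-verify path against the configuration file's directory is an assumption.

```shell
#!/bin/sh
# Added example, not from the wiki: audit two settings this page relies on.

# Print the last KEY_DIR value assigned in an easy-rsa vars file.
key_dir_of() {
    sed -n 's/^[[:space:]]*\(export[[:space:]][[:space:]]*\)*KEY_DIR=//p' "$1" |
        tail -n 1 | tr -d "\"'"
}

# Pass only if KEY_DIR is an absolute path outside the easy-rsa folder,
# which the page says is overwritten on restart.
check_key_dir() {
    dir=$(key_dir_of "$1")
    case "$dir" in
        '') echo "FAIL: no KEY_DIR in $1"; return 1 ;;
        *EASY_RSA*|/usr/share/openvpn/easy-rsa*)
            echo "FAIL: KEY_DIR=$dir is lost on restart"; return 1 ;;
        /*) echo "OK: KEY_DIR=$dir" ;;
        *)  echo "FAIL: KEY_DIR=$dir is not an absolute path"; return 1 ;;
    esac
}

# Print the file named by an active (uncommented) crl-verify directive.
crl_path_of() {
    awk '$1 == "crl-verify" { print $2; exit }' "$1"
}

# Pass only if crl-verify is set and names a readable PEM CRL.
# Assumption: a relative path is resolved against the config's directory.
check_crl() {
    crl=$(crl_path_of "$1")
    [ -n "$crl" ] || { echo "FAIL: crl-verify not set in $1"; return 1; }
    case "$crl" in /*) ;; *) crl=$(dirname "$1")/$crl ;; esac
    [ -r "$crl" ] || { echo "FAIL: $crl missing or unreadable"; return 1; }
    grep -q -e '-----BEGIN X509 CRL-----' "$crl" ||
        { echo "FAIL: $crl is not a PEM CRL"; return 1; }
    echo "OK: crl-verify uses $crl"
}

# Constructed sample input: the stock vars line and a config with CRL off.
d=$(mktemp -d)
echo 'export KEY_DIR="$EASY_RSA/keys"' > "$d/vars"
printf 'port 1194\n;crl-verify crl.pem\n' > "$d/openvpn.conf"
check_key_dir "$d/vars" || true          # FAIL: still the easy-rsa default
check_crl "$d/openvpn.conf" || true      # FAIL: directive is commented out
rm -rf "$d"
```

On a real server, call check_key_dir /etc/openvpn/keys/vars and check_crl /etc/openvpn/openvpn.conf, the two paths this page uses.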

Save settings

Don't forget to save all your settings

lbu ci floppy