Setting up a OpenVPN server

From Alpine Linux
Revision as of 12:09, 2 June 2009 by Ms13sp (talk | contribs)
Jump to: navigation, search

This article will describe how to set up a OpenVPN server with the Alpine distro. This article applies to persons trying to get remote persons to connect to their network securely over the Internet. Mostly for a single computer to connect. Racoon/Opennhrp would be better for a remote site or office.

Setup Alpine

Initial Setup

Follow [1] on how to setup Alpine

Install programs

Install openvpn

apk_add openvpn

Prepare autostart of OpenVPN

rc_add -s 40 -k openvpn

Configure OpenVPN-server

Example configuration file for server [2]

(Instructions is based on

Test your configuration

Test configuration and certificates

 openvpn --config /etc/openvpn/openvpn.conf

Configure OpenVPN-client

(Instructions is based on

Manage Certificates

See Generating_SSL_certs_with_ACF for a web interface way to manage Certificates.

Save settings

Don't forget to save all your settings

lbu ci floppy

Manual Certificate Commands

(Instructions is based on

Initial setup for administrating certificates

The following instructions assume that you want to save your configs, certcs and keys in /etc/openvpn/keys.
Start by moving to the /usr/share/openvpn/easy-rsa folder to execute commands

cd /usr/share/openvpn/easy-rsa

If not already done then create a folder where you will save your certificates and
save a copy of your /usr/share/openvpn/easy-rsa/vars for later use.
(All files in /usr/share/openvpn/easy-rsa is overwritten when the computer is restarted)

mkdir /etc/openvpn/keys
cp ./vars /etc/openvpn/keys

If not already done then edit /etc/openvpn/keys/vars
(This file is used for defining paths and other standard settings)

vim /etc/openvpn/keys/vars
* Change KEY_DIR= from "$EASY_RSA/keys" to "/etc/openvpn/keys"

source the vars to set properties

source /etc/openvpn/keys/vars
Set up a 'Certificate Authority' (CA)

Clean up the keys folder.


Generate Diffie Hellman parameters


Now lets make the CA certificates and keys

Set up a 'OpenVPN Server'

Create server certificates

./build-key-server {commonname}
Set up a 'OpenVPN Client'

Create client certificates

./build-key {commonname}
Revoke a certificate

To revoke a certificate...

./revoke-full {commonname}

The revoke-full script will generate a CRL (certificate revocation list) file called crl.pem in the keys subdirectory.
The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:
crl-verify crl.pem