1. Install OpenVPN and Easy-RSA:
--------------------------------

@ Server:
~~~~~~~~~
Linux:
# apt install openvpn easy-rsa -y

@ Client:
~~~~~~~~~
Linux:
# apt install openvpn -y
OR
Windows:
Download Windows Binary (OpenVPN 2.6.13): https://swupdate.openvpn.org/community/releases/OpenVPN-2.6.13-I002-amd64.msi

2. Set Up the PKI (CA, Server and Client Certificates, DH Parameters, TLS-Auth Key):
------------------------------------------------------------------------------------
Use either Easy-RSA or plain OpenSSL, not both. Whichever you use, the server
certificate must carry extendedKeyUsage serverAuth and the client certificates
extendedKeyUsage clientAuth: the client config in section 4 uses
"remote-cert-tls server", which rejects a peer whose certificate lacks
serverAuth, so a stolen client certificate cannot be used to impersonate the
server.

USING EASY-RSA:
===============

Prereqs:
~~~~~~~~
make-cadir ~/openvpn-ca
cd ~/openvpn-ca

Initialize the PKI:
~~~~~~~~~~~~~~~~~~~
./easyrsa init-pki

Build Root CA:
~~~~~~~~~~~~~~
# Prompts for a CA passphrase. Keep the CA key (pki/private/ca.key) off the
# VPN server if at all possible; it is only needed to sign or revoke certs.
./easyrsa build-ca

Server Certificate:
~~~~~~~~~~~~~~~~~~~
./easyrsa gen-req server nopass
# The "server" type adds extendedKeyUsage serverAuth
./easyrsa sign-req server server

Client Certificate:
~~~~~~~~~~~~~~~~~~~
# Drop "nopass" to protect the client key with a passphrase
./easyrsa gen-req client1 nopass
# The "client" type adds extendedKeyUsage clientAuth
./easyrsa sign-req client client1

Diffie-Hellman & HMAC key:
~~~~~~~~~~~~~~~~~~~~~~~~~~
./easyrsa gen-dh
openvpn --genkey secret ta.key

Easy-RSA writes its output under pki/: pki/ca.crt, pki/issued/server.crt,
pki/private/server.key, pki/issued/client1.crt, pki/private/client1.key and
pki/dh.pem. Use those paths (plus ta.key) in the configs below instead of the
tls/ paths, which belong to the OpenSSL variant.

USING OPENSSL:
==============
mkdir tls
cd tls

# RootCA CRT (self-signed, 20 years; the distribution's default openssl.cnf
# section v3_ca adds basicConstraints CA:TRUE):
openssl genrsa -out RootCA.key 4096
openssl req -new -x509 -key RootCA.key -days 7305 -out RootCA.crt

# A Server CSR:
openssl genrsa -out server.key 3072
openssl req -new -key server.key -out server.csr

# A Client CSR - Client #1:
openssl genrsa -out client1.key 2048
openssl req -new -key client1.key -out client1.csr

# A Client CSR - Client #2:
openssl genrsa -out client2.key 2048
openssl req -new -key client2.key -out client2.csr

# A Client CSR - Client #3:
openssl genrsa -out client3.key 2048
openssl req -new -key client3.key -out client3.csr

# Signing the Server CSR with CA.
# /etc/ssl/myssl.conf (not shown here) must define a [serverauth] section
# with extendedKeyUsage = serverAuth and a [clientauth] section with
# extendedKeyUsage = clientAuth. Every certificate issued by this CA needs its
# own -set_serial value; a reused serial makes later CRL revocation ambiguous.
openssl x509 -req -days 1826 -in server.csr -CA RootCA.crt -CAkey RootCA.key -set_serial 01 -extfile /etc/ssl/myssl.conf -extensions serverauth -out server.crt

# Signing the Client CSRs with CA:
openssl x509 -req -days 1826 -in client1.csr -CA RootCA.crt -CAkey RootCA.key -set_serial 11 -extfile /etc/ssl/myssl.conf -extensions clientauth -out client1.crt
openssl x509 -req -days 1826 -in client2.csr -CA RootCA.crt -CAkey RootCA.key -set_serial 12 -extfile /etc/ssl/myssl.conf -extensions clientauth -out client2.crt
openssl x509 -req -days 1826 -in client3.csr -CA RootCA.crt -CAkey RootCA.key -set_serial 13 -extfile /etc/ssl/myssl.conf -extensions clientauth -out client3.crt

# P12 (optional; only for clients that import one PKCS#12 bundle instead of
# separate .crt/.key files):
#openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12

# DH Params (4096-bit generation can take many minutes; 2048 is still acceptable):
openssl dhparam -out dh.key 4096

# OpenVPN Auth Static Key (shared HMAC key for tls-auth; every client needs a
# copy, delivered over a secure channel):
openvpn --genkey --secret vpntlsauth.key

3. Server Config:
-----------------

1. Server Config File: /etc/openvpn/server.conf:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
port 1194
proto udp
dev tun
# Paths below are the OpenSSL-variant files; with Easy-RSA use pki/ca.crt,
# pki/issued/server.crt, pki/private/server.key, pki/dh.pem and ta.key
ca /root/openvpn-ca/tls/RootCA.crt
cert /root/openvpn-ca/tls/server.crt
key /root/openvpn-ca/tls/server.key
dh /root/openvpn-ca/tls/dh.key
# key-direction 0 on the server, 1 on every client
tls-auth /root/openvpn-ca/tls/vpntlsauth.key 0
server 192.168.169.0 255.255.255.240
topology subnet
# Clients get a route to the tunnel subnet automatically; push routes here
# for networks behind the server that clients should reach
push "route 192.168.169.0 255.255.255.240"
keepalive 10 120
# Fallback for clients without cipher negotiation (pre-2.4); 2.4+ clients
# negotiate AES-256-GCM from the default data-ciphers list
cipher AES-256-CBC
# HMAC digest for tls-auth and CBC modes; must match the client.
# SHA1 is deprecated, use SHA256 on both sides.
auth SHA256
persist-key
persist-tun
status vpn.log
verb 3

2. Enable & Start Service:
~~~~~~~~~~~~~~~~~~~~~~~~~~
systemctl start openvpn@server
systemctl enable openvpn@server

4. Client Config:
-----------------

1. Client Config File: client.ovpn:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
client
proto udp
dev tun
remote 193.226.19.42 1194
nobind
persist-key
persist-tun
ca keys/RootCA.crt
cert keys/client1.crt
key keys/client1.key
# key-direction 1 on clients (the server uses 0)
tls-auth keys/vpntlsauth.key 1
# Require extendedKeyUsage serverAuth in the server's certificate, so a leaked
# client certificate cannot be used to stand up a fake server
remote-cert-tls server
keepalive 10 120
# Modern cipher negotiation
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
# Optional fallback if negotiation fails
data-ciphers-fallback AES-256-CBC
# Must match the server's auth setting
auth SHA256
# link-mtu must be identical on both ends: add the same value to server.conf
# or remove this line
link-mtu 1490
# Linux only: drop privileges once the tunnel is up (ignored on Windows)
user nobody
group nogroup

2. Copy the required files to the client:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
RootCA.crt, client1.crt, client1.key and vpntlsauth.key (with Easy-RSA:
ca.crt, client1.crt, client1.key, ta.key; adjust the ca/cert/key/tls-auth
lines accordingly) go into a keys/ directory next to client.ovpn, matching
the paths above. client1.key and the tls-auth key are secrets: move them
over a secure channel (scp, or a passphrase-protected PKCS#12 bundle), never
by plain e-mail.

5. Client Connect to Server:
----------------------------
@ Linux: Use Network Manager OpenVPN Plugin
@ Windows: Use Windows OpenVPN GUI
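The OpenSSL variant in section 2 signs with -extfile /etc/ssl/myssl.conf -extensions serverauth / clientauth but never shows that file. The script below is an added example, not part of the original page: it writes a stand-in for that file (named ext.cnf here; its section contents are an assumption about what such a file must contain), builds a CA, a server and a client certificate the same way the page does, and then uses openssl verify -purpose to confirm that the server certificate is accepted for sslserver while the client certificate is not, which is the distinction the client's remote-cert-tls server directive enforces. Key sizes are cut to 2048 bits and DH/tls-auth key generation is left out so it runs in seconds without OpenVPN installed.

```shell
#!/bin/sh
# Added example, not part of the original page: build the OpenVPN PKI with
# plain OpenSSL, supplying the extensions file the page references as
# /etc/ssl/myssl.conf (here: ext.cnf, contents are an assumption), then check
# the extended key usage that the client's "remote-cert-tls server" relies on.
# Key sizes are 2048 bits and DH parameters are skipped so this runs quickly.
set -eu

# Stand-in for /etc/ssl/myssl.conf. [serverauth] and [clientauth] are the
# sections the page's "openssl x509 -req -extensions ..." commands expect.
write_ext_conf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
[dn]
[v3_ca]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[serverauth]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[clientauth]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# Build RootCA, server and client1 into directory $1, mirroring section 2
# (USING OPENSSL) of the page, with distinct serials as the page uses.
build_pki() {
    dir=$1
    mkdir -p "$dir"
    write_ext_conf "$dir/ext.cnf"
    openssl genrsa -out "$dir/RootCA.key" 2048
    openssl req -new -x509 -config "$dir/ext.cnf" -key "$dir/RootCA.key" \
        -days 7305 -subj "/CN=VPN Root CA" -out "$dir/RootCA.crt"
    openssl genrsa -out "$dir/server.key" 2048
    openssl req -new -config "$dir/ext.cnf" -key "$dir/server.key" \
        -subj "/CN=vpn-server" -out "$dir/server.csr"
    openssl x509 -req -days 1826 -in "$dir/server.csr" -CA "$dir/RootCA.crt" \
        -CAkey "$dir/RootCA.key" -set_serial 01 -extfile "$dir/ext.cnf" \
        -extensions serverauth -out "$dir/server.crt"
    openssl genrsa -out "$dir/client1.key" 2048
    openssl req -new -config "$dir/ext.cnf" -key "$dir/client1.key" \
        -subj "/CN=client1" -out "$dir/client1.csr"
    openssl x509 -req -days 1826 -in "$dir/client1.csr" -CA "$dir/RootCA.crt" \
        -CAkey "$dir/RootCA.key" -set_serial 11 -extfile "$dir/ext.cnf" \
        -extensions clientauth -out "$dir/client1.crt"
}

# Return 0 if cert $2 chains to CA $1 and is usable for purpose $3
# (sslserver or sslclient). "remote-cert-tls server" makes the same demand
# of the OpenVPN server's certificate as "-purpose sslserver" does here.
cert_ok_for() {
    openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}

# Return 0 if cert $1 lists EKU $2 (e.g. "TLS Web Server Authentication").
has_eku() {
    openssl x509 -noout -in "$1" -ext extendedKeyUsage 2>/dev/null | grep -q "$2"
}

# Demo run: the checks worth doing before copying any file to a client.
PKI=$(mktemp -d)
build_pki "$PKI" 2>/dev/null
cert_ok_for "$PKI/RootCA.crt" "$PKI/server.crt" sslserver \
    && echo "server.crt: accepted for sslserver (remote-cert-tls server will pass)"
cert_ok_for "$PKI/RootCA.crt" "$PKI/client1.crt" sslclient \
    && echo "client1.crt: accepted for sslclient"
cert_ok_for "$PKI/RootCA.crt" "$PKI/client1.crt" sslserver \
    || echo "client1.crt: rejected for sslserver (cannot impersonate the server)"
```

Run it with sh and read the three result lines; the same two openssl verify calls, pointed at the real RootCA.crt and server.crt, are a quick way to find out why remote-cert-tls server is refusing a server certificate that was issued from a hand-written extensions file. For production keep the page's key sizes and keep RootCA.key off the VPN host.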
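Several settings in server.conf and client.ovpn have to agree or the tunnel fails silently: a tls-auth HMAC mismatch, for instance, makes the server drop the client's packets before any TLS error is reported. The checker below is added here and is not part of the original page; its helper names (conf_get, tls_auth_dir, check_pair) are this example's own. It parses a server/client pair and reports the mismatches practitioners most often hit: proto, the auth digest, the tls-auth key direction (0 on the server, 1 on the client, skipped when both sides use tls-crypt, which has no direction), link-mtu present on one side only, and a client without remote-cert-tls server. The sample configs inside are constructed after the page's own and reproduce its link-mtu asymmetry.

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check a server.conf /
# client.ovpn pair for the settings that must agree on both ends. Helper
# names are this example's own; sample configs are constructed inline.
set -eu

# Print the value of directive $2 (rest of its line) from config file $1.
conf_get() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Key direction is the last field of a tls-auth line (0 = server, 1 = client).
tls_auth_dir() {
    awk '$1 == "tls-auth" { print $NF; exit }' "$1"
}

# Compare server config $1 with client config $2. Print every finding and
# return 1 if there was at least one, 0 if the pair is consistent.
check_pair() {
    srv=$1; cli=$2; rc=0
    [ "$(conf_get "$srv" proto)" = "$(conf_get "$cli" proto)" ] \
        || { echo "proto differs between server and client"; rc=1; }
    [ "$(conf_get "$srv" auth)" = "$(conf_get "$cli" auth)" ] \
        || { echo "auth (HMAC digest) differs; tls-auth packets will be dropped"; rc=1; }
    if grep -q '^tls-crypt ' "$srv" && grep -q '^tls-crypt ' "$cli"; then
        :   # tls-crypt keys carry no direction, nothing to compare
    else
        s_dir=$(tls_auth_dir "$srv"); c_dir=$(tls_auth_dir "$cli")
        [ "$s_dir" = 0 ] && [ "$c_dir" = 1 ] \
            || { echo "tls-auth key-direction must be 0 on server, 1 on client (got '$s_dir'/'$c_dir')"; rc=1; }
    fi
    [ "$(conf_get "$srv" link-mtu)" = "$(conf_get "$cli" link-mtu)" ] \
        || { echo "link-mtu is set on one side only or differs"; rc=1; }
    grep -q '^remote-cert-tls server' "$cli" \
        || { echo "client lacks 'remote-cert-tls server'"; rc=1; }
    return $rc
}

# Constructed sample pair after the page's configs (link-mtu on the client only).
DIR=$(mktemp -d)
cat > "$DIR/server.conf" <<'EOF'
port 1194
proto udp
dev tun
tls-auth /root/openvpn-ca/tls/vpntlsauth.key 0
auth SHA256
EOF
cat > "$DIR/client.ovpn" <<'EOF'
client
proto udp
dev tun
remote 193.226.19.42 1194
tls-auth keys/vpntlsauth.key 1
remote-cert-tls server
auth SHA256
link-mtu 1490
EOF

check_pair "$DIR/server.conf" "$DIR/client.ovpn" \
    || echo "-> fix the findings above before deploying this pair"
```

Run it against the real files (check_pair /etc/openvpn/server.conf client.ovpn) before handing a profile to a user; on the page's own pair it reports the link-mtu line that exists only on the client.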