Configuring OpenVPN: Difference between revisions

Let the server be foo, client bar.

• Setup easy-rsa v.3:

# cd
# git clone http://github.com/OpenVPN/easy-rsa
# cd easy-rsa/easyrsa3

• To customise defaulr settings,

cp vars.example vars

and edit vars (in particular, the variables EASYRSA_CA_EXPIRE, EASYRSA_CERT_EXPIRE, and EASYRSA_CRL_DAYS)

• Now run (skip nopass if you want to protect the server with a password):

# ./easyrsa init-pki
# ./easyrsa build-ca

# ./easyrsa gen-req foo nopass
# ./easyrsa sign-req server foo

# cd /etc/openvpn/certs/
# openssl dhparam -out dh2048.pem 2048
# cd /etc/openvpn/keys/
# /usr/sbin/openvpn --genkey --secret ta.key

# cp /root/easy-rsa/easyrsa3/pki/ca.crt /etc/openvpn/certs/
# cp /root/easy-rsa/easyrsa3/pki/issued/foo.crt /etc/openvpn/certs/
# cp /root/easy-rsa/easyrsa3/pki/private/foo.key /etc/openvpn/keys/

• The server is ready. On the client, first setup easy-rsa v.3 and customize vars as above.
• Then run:

# ./easyrsa init-pki
# ./easyrsa gen-req bar nopass

• Copy pki/reqs/bar.req to the server.
• On the server run:

# ./easyrsa import-req /root/bar.req bar
# ./easyrsa sign-req client bar

• Copy pki/issued/bar.crt to the client.