====== Set up OpenVPN ======

===== Setup using a certificate authority (CA) =====

Notice: Make sure you have openssl available.

==== Server configuration ====

Build the CA, the server certificate and a client certificate:

<code bash>
cp -a /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn/
cd /etc/openvpn/easy-rsa/
vim vars              # adjust as needed (KEY_SIZE sets the RSA and DH key length)
source vars
mkdir keys
touch keys/index.txt
echo "01" > keys/serial
./build-ca
./build-key-server server
./build-key client1   # set the common name to a useful value!
./build-dh            # produces dh<KEY_SIZE>.pem; 1024 bits is weak, prefer KEY_SIZE=2048 or more
cd /etc/openvpn/easy-rsa/keys/ && openvpn --genkey --secret ta.key
mkdir /etc/openvpn/keys/
cp /etc/openvpn/easy-rsa/keys/dh1024.pem /etc/openvpn/keys/
cd /etc/openvpn/easy-rsa/keys/ && cp ta.key ca.crt server.crt server.key /etc/openvpn/keys/
</code>

==== Adjust server configuration ====

<code bash>
zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/openvpn.conf
vim /etc/openvpn/openvpn.conf
</code>

Reference: ''/etc/openvpn/openvpn.conf'' on the server:

<code>
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/something.crt
key keys/something.key
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth keys/ta.key 0
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
crl-verify crl.pem
# management 127.0.0.1 1234
</code>

==== Provide keys to the client ====

<code bash>
cd /etc/openvpn/easy-rsa/keys && cp ta.key ca.crt client1.crt client1.key $USBSTICK/
</code>

==== Start openvpn server ====

<code bash>
# Start openvpn
</code>

==== Client configuration ====

<code bash>
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/openvpn.conf
vim /etc/openvpn/openvpn.conf
</code>

Then set ''remote $IP 1194'', enable ''tls-auth ta.key 1'' and ''ns-cert-type server'', and point ''ca'', ''cert'' and ''key'' at the files copied from the server.

Reference: ''/etc/openvpn/openvpn.conf'' on the client:

<code>
client
dev tun
proto udp
remote 10.12.240.44 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca keys/ca.crt
cert keys/somethingclient2.crt
key keys/somethingclient2.key
ns-cert-type server   # deprecated in newer OpenVPN releases; use 'remote-cert-tls server' there
tls-auth keys/ta.key 1
comp-lzo
verb 3
# mssfix 1200
# fragment 1200
</code>

===== Setup with static key =====

==== Server configuration ====

<code bash>
cd /etc/openvpn
openvpn --genkey --secret secret.key
</code>

Reference: ''/etc/openvpn/openvpn.conf'' on the server:

<code>
dev tun
proto udp
remote 10.12.240.44 1194   # only needed on the peer that initiates; the listening peer must not use 'nobind'
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
secret secret.key 0        # key direction: 0 on one side, 1 on the other (or omitted on both)
</code>

==== Client configuration ====

Reference: ''/etc/openvpn/openvpn.conf'' on the client:

<code>
dev tun
proto udp
remote 10.12.240.44 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
secret secret.key 1        # must be the opposite direction of the server's 'secret' line
# mssfix 1200
# fragment 1200
</code>

===== Tips =====

  * Do not forget to ''source vars'' before running the easy-rsa scripts.
  * Revoke a dummy client right away so that ''crl.pem'' exists and you do not have to restart openvpn later when the first real revocation happens.
  * Use the management interface: ''management 127.0.0.1 1234''
  * Use ''push "route 192.168.10.0 255.255.255.0"'' to push routes to the clients.
  * Example of how to revoke a client:

<code bash>
cd /etc/openvpn/easy-rsa && ./revoke-full client2
cp keys/crl.pem /etc/openvpn/
</code>

===== Resources =====

  * [[http://openvpn.net/|OpenVPN.net]]
  * [[http://openvpn.net/howto.html|OpenVPN Howto]]
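As an added example (not part of this page or of OpenVPN itself), a small Python checker for the pitfalls behind the reference configs and tips above: it parses a server and a client ''openvpn.conf'' and reports a key-direction mismatch on ''tls-auth''/''secret'', a CA-based server without ''crl-verify'', a 1024-bit ''dh'' file, the deprecated ''ns-cert-type'' directive and a port mismatch between ''port'' and ''remote''. The sample configs embedded in it are constructed from the reference configs on this page.

```python
import re

def parse_conf(text):
    """Map each directive to its argument list (last one wins); '#'/';' comments dropped."""
    conf = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            conf[name] = args
    return conf

def _direction(conf, directive):
    """Key-direction argument of tls-auth/secret, or None when omitted."""
    args = conf.get(directive, [])
    return args[1] if len(args) > 1 else None

def check_pair(server_text, client_text):
    """Return findings for a server/client pair; an empty list means consistent."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    out = []
    for d in ("tls-auth", "secret"):  # shared-key directives must match on both sides
        if (d in s) != (d in c):
            out.append(f"{d}: present on one side only")
        elif d in s and {_direction(s, d), _direction(c, d)} not in ({"0", "1"}, {None}):
            out.append(f"{d}: key direction must be 0 on one side and 1 on the other")
    if "ca" in s and "crl-verify" not in s:
        out.append("crl-verify: missing on server, revoked client certs stay valid")
    dh = s.get("dh", [""])[0]
    if "1024" in dh:
        out.append(f"dh: {dh} is 1024-bit, generate 2048 bits or more")
    if "ns-cert-type" in c:
        out.append("ns-cert-type: deprecated, use 'remote-cert-tls server'")
    remote = c.get("remote", [])
    cport = remote[1] if len(remote) > 1 else "1194"   # OpenVPN's default port
    sport = s.get("port", ["1194"])[0]
    if sport != cport:
        out.append(f"port: server listens on {sport}, client connects to {cport}")
    return out

# Constructed samples, derived from the reference configs on this page.
CA_SERVER = ("port 1194\nproto udp\ndev tun\nca keys/ca.crt\ncert keys/server.crt\n"
             "key keys/server.key\ndh keys/dh1024.pem\nserver 10.8.0.0 255.255.255.0\n"
             "tls-auth keys/ta.key 0\ncrl-verify crl.pem\n")
CA_CLIENT = ("client\ndev tun\nproto udp\nremote 10.12.240.44 1194\nca keys/ca.crt\n"
             "cert keys/client1.crt\nkey keys/client1.key\nns-cert-type server\n"
             "tls-auth keys/ta.key 1\n")
STATIC_SERVER = "dev tun\nproto udp\nsecret secret.key 1\n"   # same direction on both sides: wrong
STATIC_CLIENT = "dev tun\nproto udp\nremote 10.12.240.44 1194\nsecret secret.key 1\n"
```

Run ''check_pair'' on the two static-key samples to see the direction mismatch reported, and on the CA samples to see the weak DH file and the deprecated directive flagged.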