<\/div>\n
Step 2: Set Up the CA Directory<\/h2>\n
OpenVPN is an TLS\/SSL VPN. This means that it utilizes certificates in order to encrypt traffic between the server and clients. In order to issue trusted certificates, we will need to set up our own simple certificate authority (CA).<\/p>\n
To begin, we can copy the\u00a0easy-rsa<\/code>\u00a0template directory into our home directory with the\u00a0make-cadir<\/code>command:<\/p>\n<\/code><\/pre>\n\n- make-cadir ~\/openvpn-ca<\/li>\n<\/ul>\n
<\/code><\/pre>\nMove into the newly created directory to begin configuring the CA:<\/p>\n
<\/code><\/pre>\n\n- cd ~\/openvpn-ca<\/li>\n<\/ul>\n
<\/code><\/pre>\n<\/div>\n
To configure the values our CA will use, we need to edit the\u00a0vars<\/code>\u00a0file within the directory. Open that file now in your text editor:<\/p>\n<\/code><\/pre>\n\n- nano vars<\/li>\n<\/ul>\n
<\/code><\/pre>\nInside, you will find some variables that can be adjusted to determine how your certificates will be created. We only need to worry about a few of these.<\/p>\n
Towards the bottom of the file, find the settings that set field defaults for new certificates. It should look something like this:<\/p>\n
~\/openvpn-ca\/vars<\/div>\n
. . .\n\nexport KEY_COUNTRY=\"US\"\nexport KEY_PROVINCE=\"CA\"\nexport KEY_CITY=\"SanFrancisco\"\nexport KEY_ORG=\"Fort-Funston\"\nexport KEY_EMAIL=\"me@myhost.mydomain\"\nexport KEY_OU=\"MyOrganizationalUnit\"\n\n. . .\n<\/code><\/pre>\nEdit the values in red to whatever you’d prefer, but do not leave them blank:<\/p>\n
~\/openvpn-ca\/vars<\/div>\n
. . .\n\nexport KEY_COUNTRY=\"US<\/span>\"\nexport KEY_PROVINCE=\"NY<\/span>\"\nexport KEY_CITY=\"New York City<\/span>\"\nexport KEY_ORG=\"DigitalOcean<\/span>\"\nexport KEY_EMAIL=\"admin@example.com<\/span>\"\nexport KEY_OU=\"Community<\/span>\"\n\n. . .\n<\/code><\/pre>\nWhile we are here, we will also edit the\u00a0KEY_NAME<\/code>\u00a0value just below this section, which populates the subject field. To keep this simple, we’ll call it\u00a0server<\/code>\u00a0in this guide:<\/p>\n~\/openvpn-ca\/vars<\/div>\n
export KEY_NAME=\"server<\/span>\"\n<\/code><\/pre>\nWhen you are finished, save and close the file.<\/p>\n
<\/div>\n
Step 4: Build the Certificate Authority<\/h2>\n
Now, we can use the variables we set and the\u00a0easy-rsa<\/code>\u00a0utilities to build our certificate authority.<\/p>\nEnsure you are in your CA directory, and then source the\u00a0vars<\/code>\u00a0file you just edited:<\/p>\n<\/code><\/pre>\n\n- cd ~\/openvpn-ca<\/li>\n
- source vars<\/li>\n<\/ul>\n
<\/code><\/pre>\nYou should see the following if it was sourced correctly:<\/p>\n
<\/code><\/pre>\nOutput<\/div>\n
NOTE: If you run .\/clean-all, I will be doing a rm -rf on \/home\/sammy\/openvpn-ca\/keys\n<\/code><\/pre>\nMake sure we’re operating in a clean environment by typing:<\/p>\n
<\/code><\/pre>\n\n- .\/clean-all<\/li>\n<\/ul>\n
<\/code><\/pre>\nNow, we can build our root CA by typing:<\/p>\n
<\/code><\/pre>\n\n- .\/build-ca<\/li>\n<\/ul>\n
<\/code><\/pre>\nThis will initiate the process of creating the root certificate authority key and certificate. Since we filled out the\u00a0vars<\/code>\u00a0file, all of the values should be populated automatically. Just press\u00a0ENTER<\/strong>\u00a0through the prompts to confirm the selections:<\/p>\n<\/code><\/pre>\nOutput<\/div>\n
Generating a 2048 bit RSA private key\n..........................................................................................+++\n...............................+++\nwriting new private key to 'ca.key'\n-----\nYou are about to be asked to enter information that will be incorporated\ninto your certificate request.\nWhat you are about to enter is what is called a Distinguished Name or a DN.\nThere are quite a few fields but you can leave some blank\nFor some fields there will be a default value,\nIf you enter '.', the field will be left blank.\n-----\nCountry Name (2 letter code) [US]:\nState or Province Name (full name) [NY]:\nLocality Name (eg, city) [New York City]:\nOrganization Name (eg, company) [DigitalOcean]:\nOrganizational Unit Name (eg, section) [Community]:\nCommon Name (eg, your name or your server's hostname) [DigitalOcean CA]:\nName [server]:\nEmail Address [admin@email.com]:\n<\/code><\/pre>\nWe now have a CA that can be used to create the rest of the files we need.<\/p>\n
<\/div>\n
Step 5: Create the Server Certificate, Key, and Encryption Files<\/h2>\n
Next, we will generate our server certificate and key pair, as well as some additional files used during the encryption process.<\/p>\n
Start by generating the OpenVPN server certificate and key pair. We can do this by typing:<\/p>\n
Note<\/strong>: If you choose a name other than\u00a0server<\/code>\u00a0here, you will have to adjust some of the instructions below. For instance, when copying the generated files to the\u00a0\/etc\/openvpn<\/code>\u00a0directroy, you will have to substitute the correct names. You will also have to modify the\u00a0\/etc\/openvpn\/server.conf<\/code>\u00a0file later to point to the correct\u00a0.crt<\/code>\u00a0and\u00a0.key<\/code>\u00a0files.
\n<\/span><\/p>\n<\/code><\/pre>\n\n- .\/build-key-server server<\/li>\n<\/ul>\n
<\/code><\/pre>\nOnce again, the prompts will have default values based on the argument we just passed in (server<\/code>) and the contents of our\u00a0vars<\/code>\u00a0file we sourced.<\/p>\nFeel free to accept the default values by pressing\u00a0ENTER<\/strong>. Do\u00a0not<\/em>\u00a0enter a challenge password for this setup. Towards the end, you will have to enter\u00a0y<\/strong>\u00a0to two questions to sign and commit the certificate:<\/p>\n<\/code><\/pre>\nOutput<\/div>\n
. . .\n\nCertificate is to be certified until May 1 17:51:16 2026 GMT (3650 days)\nSign the certificate? [y\/n]:y<\/span>\n\n\n1 out of 1 certificate requests certified, commit? [y\/n]y<\/span>\nWrite out database with 1 new entries\nData Base Updated\n<\/code><\/pre>\nNext, we’ll generate a few other items. We can generate a strong Diffie-Hellman keys to use during key exchange by typing:<\/p>\n
<\/code><\/pre>\n\n- .\/build-dh<\/li>\n<\/ul>\n
<\/code><\/pre>\nThis might take a few minutes to complete.<\/p>\n
Afterwards, we can generate an HMAC signature to strengthen the server’s TLS integrity verification capabilities:<\/p>\n
<\/code><\/pre>\n\n- openvpn –genkey –secret keys\/ta.key<\/li>\n<\/ul>\n
<\/code><\/pre>\n<\/div>\n
Step 6: Generate a Client Certificate and Key Pair<\/h2>\n
Next, we can generate a client certificate and key pair. Although this can be done on the client machine and then signed by the server\/CA for security purposes, for this guide we will generate the signed key on the server for the sake of simplicity.<\/p>\n
We will generate a single client key\/certificate for this guide, but if you have more than one client, you can repeat this process as many times as you’d like. Pass in a unique value to the script for each client.<\/p>\n
Because you may come back to this step at a later time, we’ll re-source the\u00a0vars<\/code>\u00a0file. We will use\u00a0client1<\/code>\u00a0as the value for our first certificate\/key pair for this guide.<\/p>\nTo produce credentials without a password, to aid in automated connections, use the\u00a0build-key<\/code>command like this:<\/p>\n<\/code><\/pre>\n\n- cd ~\/openvpn-ca<\/li>\n
- source vars<\/li>\n
- .\/build-key client1<\/span><\/li>\n<\/ul>\n
<\/code><\/pre>\nIf instead, you wish to create a password-protected set of credentials, use the\u00a0build-key-pass<\/code>command:<\/p>\n<\/code><\/pre>\n\n- cd ~\/openvpn-ca<\/li>\n
- source vars<\/li>\n
- .\/build-key-pass client1<\/span><\/li>\n<\/ul>\n
<\/code><\/pre>\nAgain, the defaults should be populated, so you can just hit\u00a0ENTER<\/strong>\u00a0to continue. Leave the challenge password blank and make sure to enter\u00a0y<\/strong>\u00a0for the prompts that ask whether to sign and commit the certificate.<\/p>\n<\/div>\n
Next, we can begin configuring the OpenVPN service using the credentials and files we’ve generated.<\/p>\n
Copy the Files to the OpenVPN Directory<\/h3>\n
To begin, we need to copy the files we need to the\u00a0\/etc\/openvpn<\/code>\u00a0configuration directory.<\/p>\nWe can start with all of the files that we just generated. These were placed within the\u00a0~\/openvpn-ca\/keys<\/code>\u00a0directory as they were created. We need to move our CA cert and key, our server cert and key, the HMAC signature, and the Diffie-Hellman file:<\/p>\n<\/code><\/pre>\n\n- cd ~\/openvpn-ca\/keys<\/li>\n
- sudo cp ca.crt ca.key server.crt server.key ta.key dh2048.pem \/etc\/openvpn<\/li>\n<\/ul>\n
<\/code><\/pre>\nNext, we need to copy and unzip a sample OpenVPN configuration file into configuration directory so that we can use it as a basis for our setup:<\/p>\n
<\/code><\/pre>\n\n- gunzip -c \/usr\/share\/doc\/openvpn\/examples\/sample-config-files\/server.conf.gz | sudo tee \/etc\/openvpn\/server.conf<\/li>\n<\/ul>\n
<\/code><\/pre>\nAdjust the OpenVPN Configuration<\/h3>\n
Now that our files are in place, we can modify the server configuration file:<\/p>\n
<\/code><\/pre>\n\n- sudo nano \/etc\/openvpn\/server.conf<\/li>\n<\/ul>\n
<\/code><\/pre>\nBasic Configuration<\/h4>\n
First, find the HMAC section by looking for the\u00a0tls-auth<\/code>\u00a0directive. Remove the “;<\/strong>” to uncomment the\u00a0tls-auth<\/code>\u00a0line. Below this, add the\u00a0key-direction<\/code>\u00a0parameter set to “0”:<\/p>\n\/etc\/openvpn\/server.conf<\/div>\n
tls-auth ta.key 0 # This file is secret\nkey-direction 0<\/span>\n<\/code><\/pre>\nNext, find the section on cryptographic ciphers by looking for the commented out\u00a0cipher<\/code>\u00a0lines. The\u00a0AES-128-CBC<\/code>\u00a0cipher offers a good level of encryption and is well supported. Remove the “;<\/strong>” to uncomment the\u00a0cipher AES-128-CBC<\/code>\u00a0line:<\/p>\n\/etc\/openvpn\/server.conf<\/div>\n
cipher AES-128-CBC\n<\/code><\/pre>\nBelow this, add an\u00a0auth<\/code>\u00a0line to select the HMAC message digest algorithm. For this,\u00a0SHA256<\/code>\u00a0is a good choice:<\/p>\n\/etc\/openvpn\/server.conf<\/div>\n
auth SHA256\n<\/code><\/pre>\nFinally, find the\u00a0user<\/code>\u00a0and\u00a0group<\/code>\u00a0settings and remove the “;<\/strong>” at the beginning of to uncomment those lines:<\/p>\n\/etc\/openvpn\/server.conf<\/div>\n
user nobody\ngroup nogroup\n<\/code><\/pre>\n(Optional) Push DNS Changes to Redirect All Traffic Through the VPN<\/h4>\n
The settings above will create the VPN connection between the two machines, but will not force any connections to use the tunnel. If you wish to use the VPN to route all of your traffic, you will likely want to push the DNS settings to the client computers.<\/p>\n
You can do this, uncomment a few directives that will configure client machines to redirect all web traffic through the VPN. Find the\u00a0redirect-gateway<\/code>\u00a0section and remove the semicolon “;<\/strong>” from the beginning of the\u00a0redirect-gateway<\/code>\u00a0line to uncomment it:<\/p>\n\/etc\/openvpn\/server.conf<\/div>\n
push \"redirect-gateway def1 bypass-dhcp\"\n<\/code><\/pre>\nJust below this, find the\u00a0dhcp-option<\/code>\u00a0section. Again, remove the “;<\/strong>” from in front of both of the lines to uncomment them:<\/p>\n\/etc\/openvpn\/server.conf<\/div>\n
push \"dhcp-option DNS 208.67.222.222\"\npush \"dhcp-option DNS 208.67.220.220\"\n<\/code><\/pre>\nThis should assist clients in reconfiguring their DNS settings to use the VPN tunnel for as the default gateway.<\/p>\n
(Optional) Adjust the Port and Protocol<\/h4>\n
By default, the OpenVPN server uses port 1194 and the UDP protocol to accept client connections. If you need to use a different port because of restrictive network environments that your clients might be in, you can change the\u00a0port<\/code>\u00a0option. If you are not hosting web content your OpenVPN server, port 443 is a popular choice since this is usually allowed through firewall rules.<\/p>\n\/etc\/openvpn\/server.conf<\/div>\n
# Optional!\nport 443<\/span>\n<\/code><\/pre>\nOften if the protocol will be restricted to that port as well. If so, change\u00a0proto<\/code>\u00a0from UDP to TCP:<\/p>\n\/etc\/openvpn\/server.conf<\/div>\n
# Optional!\nproto tcp<\/span>\n<\/code><\/pre>\nIf you have no need to use a different port, it is best to leave these two settings as their default.<\/p>\n
(Optional) Point to Non-Default Credentials<\/h4>\n
If you selected a different name during the\u00a0.\/build-key-server<\/code>\u00a0command earlier, modify the\u00a0cert<\/code>and\u00a0key<\/code>\u00a0lines that you see to point to the appropriate\u00a0.crt<\/code>\u00a0and\u00a0.key<\/code>\u00a0files. If you used the default\u00a0server<\/code>, this should already be set correctly:<\/p>\n