Step-by-step: install and configure OpenVPN and Easy-RSA
This guide walks through installing OpenVPN on an Amazon Linux instance, standing up a small certificate authority with Easy-RSA, and producing a working client profile, from the first package update to the first connected device.
Installation and Configuration of OpenVPN and Easy-RSA
Step 1: Update Your System
sudo yum update -y
Step 2: Install OpenVPN
sudo yum install -y openvpn
On Amazon Linux 2 the `openvpn` package comes from EPEL, not the base repositories. If `yum` reports that no package is available, enable EPEL first with `sudo amazon-linux-extras install epel -y` and run the install again.
Step 3: Download and Extract Easy-RSA
cd /tmp
wget https://github.com/OpenVPN/easy-rsa/archive/v3.0.7.tar.gz
tar -xzvf v3.0.7.tar.gz
Step 4: Move Easy-RSA to the Appropriate Location
sudo mv easy-rsa-3.0.7/easyrsa3 /etc/openvpn/easy-rsa
The GitHub source archive nests the scripts under `easyrsa3/`, so the archive root itself is not what you want. Moving that subdirectory puts `easyrsa`, `openssl-easyrsa.cnf`, `vars.example` and `x509-types/` directly in `/etc/openvpn/easy-rsa`, which every later step assumes.
Step 5: Create a Configuration File for Easy-RSA (vars)
sudo cp /etc/openvpn/easy-rsa/vars.example /etc/openvpn/easy-rsa/vars
Edit the `vars` file:
sudo nano /etc/openvpn/easy-rsa/vars
Update the variables in the `vars` file as needed. Easy-RSA 3 reads this file with `set_var NAME value` lines (the `export NAME=value` form from Easy-RSA 2 is not the documented syntax). For example:
set_var EASYRSA_REQ_COUNTRY  "US"
set_var EASYRSA_REQ_PROVINCE "CA"
set_var EASYRSA_REQ_CITY     "SanFrancisco"
set_var EASYRSA_REQ_ORG      "MyCompany"
set_var EASYRSA_REQ_EMAIL    "admin@mycompany.com"
set_var EASYRSA_REQ_OU       "IT"
set_var EASYRSA_KEY_SIZE     2048
set_var EASYRSA_CA_EXPIRE    3650
set_var EASYRSA_CERT_EXPIRE  3650
set_var EASYRSA_CRL_DAYS     3650
The expiry values are in days. Ten-year client certificates (3650) mean that a key copied off a lost or retired laptop remains valid for a decade unless you revoke it, so for client certificates prefer a shorter `EASYRSA_CERT_EXPIRE` and keep a CRL published with `./easyrsa gen-crl`.
Save and close the file.
Step 6: Initialize the PKI and Build the Certificate Authority
cd /etc/openvpn/easy-rsa
sudo ./easyrsa init-pki
sudo ./easyrsa build-ca nopass
`nopass` leaves the CA private key (`pki/private/ca.key`) unencrypted on the VPN server itself; anyone who can read that file can issue certificates the server will trust. For anything beyond a lab, drop `nopass` so the key is passphrase-protected, or better, run the CA on a separate machine and copy only `ca.crt` (and the signed server certificate) to the VPN server.
Step 7: Generate the Server Key and Certificate
sudo ./easyrsa gen-req server nopass
sudo ./easyrsa sign-req server server
Easy-RSA 3 has no `sign` command; signing is `sign-req <type> <name>`, and it asks you to type `yes` to confirm the request details. `nopass` is appropriate for the server key because the daemon has to read it unattended at boot. Signing with type `server` adds the server extended key usage that clients later verify with `remote-cert-tls server`.
Step 8: Generate the Diffie-Hellman Parameters
sudo ./easyrsa gen-dh
Step 9: Create the Server Configuration File
Create a server configuration file in `/etc/openvpn/server.conf` and add the following basic configuration:
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
verb 3
log-append /var/log/openvpn.log
`comp-lzo`, which older guides include here, is deliberately left out: compressing a tunnel that carries secrets alongside attacker-influenced data enables VORACLE-style plaintext recovery, and OpenVPN has deprecated compression. Both ends must agree, so leave it out of the client configuration too. `redirect-gateway def1` routes all client traffic through the instance, so the pushed DNS servers are the ones every client will use.
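Before starting the service it is worth linting the file for what this basic configuration leaves out. The script below is an added example written for this guide, not part of OpenVPN or Easy-RSA. It writes two constructed files, a trimmed copy of the tutorial-style configuration (still carrying `comp-lzo`) and a hardened variant, and reports the differences that matter: compression, a `tls-crypt` pre-shared key, privilege drop with `user`/`group`, and `crl-verify`. The hardened variant assumes `/etc/openvpn/ta.key` was generated with `openvpn --genkey --secret /etc/openvpn/ta.key` and `pki/crl.pem` with `./easyrsa gen-crl`; both are assumptions of this example, not steps from the page.

```shell
#!/bin/sh
# Lint an OpenVPN server.conf for settings a hardened deployment should not
# ship without. Added example for this guide; not part of OpenVPN or Easy-RSA.

# write_sample_confs DIR: writes DIR/weak.conf (constructed: a trimmed
# tutorial-style configuration, with comp-lzo) and DIR/hardened.conf.
write_sample_confs() {
    mkdir -p "$1"
    cat > "$1/weak.conf" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3
EOF
    # Assumes ta.key from "openvpn --genkey --secret /etc/openvpn/ta.key" and
    # crl.pem from "./easyrsa gen-crl"; both must be readable by user "nobody",
    # because the CRL is re-read per connection after privileges are dropped.
    cat > "$1/hardened.conf" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
crl-verify /etc/openvpn/easy-rsa/pki/crl.pem
tls-crypt /etc/openvpn/ta.key
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
verb 3
EOF
}

# audit_server_conf FILE: prints one finding per line; nothing for a clean file.
audit_server_conf() {
    if grep -Eq '^[[:space:]]*(comp-lzo|compress)' "$1"; then
        echo "compression enabled: remove comp-lzo/compress (VORACLE-style plaintext recovery)"
    fi
    if ! grep -Eq '^[[:space:]]*(tls-crypt|tls-auth)[[:space:]]' "$1"; then
        echo "no tls-crypt/tls-auth: anyone reaching the port can start a TLS handshake"
    fi
    if ! grep -Eq '^[[:space:]]*user[[:space:]]' "$1" || ! grep -Eq '^[[:space:]]*group[[:space:]]' "$1"; then
        echo "no user/group: the daemon keeps root for its whole lifetime"
    fi
    if ! grep -Eq '^[[:space:]]*crl-verify[[:space:]]' "$1"; then
        echo "no crl-verify: revoked client certificates are still accepted"
    fi
}

# audit_count FILE: number of findings, as a bare integer.
audit_count() {
    audit_server_conf "$1" | wc -l | tr -d ' '
}

# Stand-alone run: lint both constructed samples.
tmp=$(mktemp -d)
write_sample_confs "$tmp"
for f in weak hardened; do
    echo "== $f.conf: $(audit_count "$tmp/$f.conf") finding(s)"
    audit_server_conf "$tmp/$f.conf"
done
rm -rf "$tmp"
```

To lint the real file, call `audit_server_conf /etc/openvpn/server.conf` after sourcing the script. The checks are deliberately string-level and conservative: they flag only directives whose presence or absence is a clear-cut problem, so a clean result is a floor, not a certificate of hardening.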
Step 10: Start and Enable OpenVPN
sudo systemctl enable openvpn@server
sudo systemctl start openvpn@server
The `openvpn@server` instance reads `/etc/openvpn/server.conf`. Newer OpenVPN packages ship `openvpn-server@.service` instead, which expects `/etc/openvpn/server/server.conf`; check which unit you have with `systemctl list-unit-files 'openvpn*'`, and read `sudo journalctl -u openvpn@server` if the service fails to start.
Step 11: Enable IP Forwarding
Edit the sysctl configuration:
sudo nano /etc/sysctl.conf
Uncomment or add the following line to enable IP forwarding:
net.ipv4.ip_forward=1
Save and close the file, then apply the changes:
sudo sysctl -p
Step 12: Configure iptables (NAT)
Add a NAT rule so traffic from the VPN subnet leaves through the instance's network interface with the instance's own address:
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Replace `eth0` with the instance's default interface if it differs (`ip route show default` prints it; Nitro-based instances often use `ens5`). The rule is lost at reboot unless it is saved: on Amazon Linux install `iptables-services`, run `sudo service iptables save`, and enable the `iptables` service. `iptables-persistent` is the Debian/Ubuntu equivalent and is not available here.
Step 13: Adjust Security Groups
Allow inbound UDP 1194 in the instance's security group, limited to the source ranges your clients connect from rather than 0.0.0.0/0 where that is practical, and make sure outbound traffic is permitted so forwarded client traffic can leave. The subnet's network ACLs must allow the same traffic.
Step 14: Generate Client Certificates
Every connecting device needs its own certificate, signed by the same CA and carrying a unique Common Name; the server identifies clients by that CN, so never share one certificate between devices. The client section below walks through the `gen-req`/`sign-req` pair; `./easyrsa build-client-full <client_name> nopass` does both in one step. When a device is lost or retired, revoke its certificate with `./easyrsa revoke <client_name>`, regenerate the CRL with `./easyrsa gen-crl`, and point the server at it with `crl-verify /etc/openvpn/easy-rsa/pki/crl.pem` in `server.conf`; without a CRL, a revoked certificate keeps working until it expires.
That’s it. OpenVPN and Easy-RSA are now installed and configured on your Amazon Linux instance; what remains is creating client profiles, distributing certificates, and connecting devices.
OpenVPN Client Configuration Steps:
To configure the client side of OpenVPN, you’ll need to generate client configuration files and certificates using Easy-RSA and configure the OpenVPN client software on the client device. Here are the steps for setting up the client side:
1. Generate a Client Certificate and Key:
On the OpenVPN server, navigate to the Easy-RSA directory:
cd /etc/openvpn/easy-rsa
Generate a certificate request (replace `<client_name>` with a unique client identifier):
sudo ./easyrsa gen-req <client_name> nopass
Sign the client certificate:
sudo ./easyrsa sign-req client <client_name>
As with the server, the command is `sign-req` (there is no `sign` command in Easy-RSA 3) and it asks for a `yes` confirmation. Signing with type `client` produces a certificate without the server extended key usage, so it cannot be used to impersonate the server to other clients.
2. Transfer Client Certificate and Key:
After generating the client certificate and key, transfer them to the client device over an authenticated channel such as `scp` or `rsync` over SSH. The `.key` file is the client's private key: do not send it by e-mail or chat, and once the client has it, consider removing the copy under `pki/private/` on the server, which never needs it.
Copy the following files to the client device:
`/etc/openvpn/easy-rsa/pki/issued/<client_name>.crt`
`/etc/openvpn/easy-rsa/pki/private/<client_name>.key`
`/etc/openvpn/easy-rsa/pki/ca.crt`
3. Client Configuration File:
Create a client configuration file (e.g., `client.ovpn`) on the client device and include the following content:
client
dev tun
proto udp
remote <server_ip> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
ca ca.crt
cert <client_name>.crt
key <client_name>.key
verb 3
Replace `<server_ip>` with the IP address or hostname of your OpenVPN server and `<client_name>` with the name used when the certificate was generated. The `ca`, `cert` and `key` paths are relative to the directory `openvpn` is started from. `remote-cert-tls server` makes the client refuse any peer whose certificate lacks the server extended key usage, which stops a client certificate issued by the same CA from being used to impersonate the server. `comp-lzo` is left out: compression is deprecated and unsafe, and whichever choice you make must match the server configuration exactly.
Save the `client.ovpn` configuration file.
4. Install OpenVPN Client Software:
Install the OpenVPN client software on the client device. You can use the appropriate client software for your operating system.
On Linux, you can use the `openvpn` package.
5. Connect to the OpenVPN Server:
Use the OpenVPN client software to connect to the server using the `client.ovpn` configuration file.
For the command-line client, you can use the following command:
sudo openvpn --config client.ovpn
If you are using a graphical client, import the `client.ovpn` configuration file into the client software.
After these steps, the client device should be able to establish a VPN connection to the OpenVPN server. Make sure that the client configuration file (`client.ovpn`) and the necessary certificates and keys are correctly set up on the client device.
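Steps 2 and 3 above move three separate files plus a hand-written profile to each device. The script below is an added example written for this guide, not OpenVPN's or Easy-RSA's own tooling: it builds one self-contained `.ovpn` with the CA certificate, client certificate, client key and, when present, a `tls-crypt` key inlined, which is the form most graphical clients import directly and which `scp` then carries as a single file. It assumes the PKI under `EASYRSA_PKI` (default `/etc/openvpn/easy-rsa/pki`) and an optional key at `TA_KEY` (default `/etc/openvpn/ta.key`); `make_demo_pki` writes placeholder files so the script runs offline, and `vpn.example.com` is a placeholder hostname.

```shell
#!/bin/sh
# Build one self-contained OpenVPN client profile with the CA certificate, the
# client certificate and key, and (if present) the tls-crypt key inlined.
# Added example for this guide; not part of OpenVPN or Easy-RSA.
# Assumptions: PKI under $EASYRSA_PKI (default /etc/openvpn/easy-rsa/pki),
# optional tls-crypt key at $TA_KEY (default /etc/openvpn/ta.key), UDP 1194.

# make_client_profile NAME SERVER_HOST OUTFILE
# Returns 1 without writing anything if a required PEM file is missing.
make_client_profile() {
    name=$1; server=$2; out=$3
    pki=${EASYRSA_PKI:-/etc/openvpn/easy-rsa/pki}
    ta=${TA_KEY:-/etc/openvpn/ta.key}
    for f in "$pki/ca.crt" "$pki/issued/$name.crt" "$pki/private/$name.key"; do
        if [ ! -r "$f" ]; then
            echo "make_client_profile: missing $f" >&2
            return 1
        fi
    done
    {
        cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth-nocache
verb 3
EOF
        echo '<ca>';  cat "$pki/ca.crt";            echo '</ca>'
        echo '<cert>'
        # Easy-RSA prefixes issued certificates with a text dump; ship only the PEM block.
        sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$pki/issued/$name.crt"
        echo '</cert>'
        echo '<key>'; cat "$pki/private/$name.key"; echo '</key>'
        if [ -r "$ta" ]; then
            echo '<tls-crypt>'; cat "$ta"; echo '</tls-crypt>'
        fi
    } > "$out"
    chmod 600 "$out"   # the profile now embeds the private key
}

# make_demo_pki DIR: constructed stand-in for an Easy-RSA pki tree so the
# script runs offline. The contents are placeholders, not real certificates or keys.
make_demo_pki() {
    mkdir -p "$1/issued" "$1/private"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'DEMO-CA-PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$1/ca.crt"
    printf '%s\n' 'Certificate:' '    Data:' '        Subject: CN=alice' \
        '-----BEGIN CERTIFICATE-----' 'DEMO-CLIENT-CERT-PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$1/issued/alice.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'DEMO-CLIENT-KEY-PLACEHOLDER' \
        '-----END PRIVATE KEY-----' > "$1/private/alice.key"
}

# Stand-alone run against the placeholder tree.
tmp=$(mktemp -d)
make_demo_pki "$tmp/pki"
EASYRSA_PKI=$tmp/pki
TA_KEY=$tmp/absent
make_client_profile alice vpn.example.com "$tmp/alice.ovpn"
cat "$tmp/alice.ovpn"
rm -rf "$tmp"
```

To use it for real, delete the stand-alone run at the end and, as root on the server, call `make_client_profile <client_name> <server_ip> <client_name>.ovpn` after Step 1; the resulting file is the only thing that needs to reach the device, and `sudo openvpn --config <client_name>.ovpn` uses it as-is. Because the profile embeds the private key, treat it with the same care as the `.key` file itself.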