Step-by-Step: Install and Configure OpenVPN and EasyRSA

This guide walks through installing and configuring OpenVPN and EasyRSA on an Amazon Linux instance, from the package installation on the server to the first client connection.

Installation and Configuration of OpenVPN and Easy-RSA

Step 1: Update Your System

sudo yum update -y

Step 2: Install OpenVPN

sudo yum install -y openvpn

On Amazon Linux 2 the `openvpn` package comes from the EPEL repository; if yum reports that no package is available, enable EPEL first with `sudo amazon-linux-extras install epel -y` and rerun the install.

Step 3: Download and Extract Easy-RSA

cd /tmp

wget https://github.com/OpenVPN/easy-rsa/archive/v3.0.7.tar.gz

tar -xzvf v3.0.7.tar.gz

Step 4: Move Easy-RSA to the Appropriate Location

sudo mv easy-rsa-3.0.7 /etc/openvpn/easy-rsa

Step 5: Create a Configuration File for Easy-RSA (vars)

sudo cp /etc/openvpn/easy-rsa/vars.example /etc/openvpn/easy-rsa/vars

Edit the `vars` file:

sudo nano /etc/openvpn/easy-rsa/vars

Update the variables in the `vars` file as needed. Easy-RSA 3 reads this file itself, so settings use its `set_var` form (the `export KEY_...` style belongs to Easy-RSA 2). For example:

set_var EASYRSA_REQ_COUNTRY   "US"
set_var EASYRSA_REQ_PROVINCE  "CA"
set_var EASYRSA_REQ_CITY      "SanFrancisco"
set_var EASYRSA_REQ_ORG       "MyCompany"
set_var EASYRSA_REQ_EMAIL     "admin@mycompany.com"
set_var EASYRSA_REQ_OU        "IT"
set_var EASYRSA_KEY_SIZE      2048
set_var EASYRSA_CA_EXPIRE     3650
set_var EASYRSA_CERT_EXPIRE   3650
set_var EASYRSA_CRL_DAYS      3650

Ten-year (3650-day) lifetimes keep a lab setup simple; for production, a shorter `EASYRSA_CERT_EXPIRE` limits how long a lost or stolen client key remains usable, and `EASYRSA_CRL_DAYS` controls how long a generated revocation list stays valid.

Save and close the file.

Step 6: Initialize the PKI and Build the Certificate Authority

cd /etc/openvpn/easy-rsa

sudo ./easyrsa init-pki

sudo ./easyrsa build-ca nopass

`nopass` leaves the CA private key (`pki/private/ca.key`) unencrypted on disk so that later signing steps need no passphrase. For a CA you intend to keep, omit `nopass` so the key is passphrase-protected; anyone who obtains `ca.key` can issue certificates that your server will accept.

Step 7: Generate the Server Key and Certificate

sudo ./easyrsa gen-req server nopass

sudo ./easyrsa sign-req server server

Step 8: Generate the Diffie-Hellman Parameters

sudo ./easyrsa gen-dh

Step 9: Create the Server Configuration File

Create a server configuration file in `/etc/openvpn/server.conf` and add the following basic configuration. Note that `comp-lzo` enables compression, which has been deprecated since OpenVPN 2.4 because it exposes tunnelled traffic to compression-oracle attacks (VORACLE); leave it out of both the server and the client configuration unless a legacy peer requires it. The `status` path is relative to the directory the service starts in (`/etc/openvpn` for the systemd unit used below).

port 1194

proto udp

dev tun

ca /etc/openvpn/easy-rsa/pki/ca.crt

cert /etc/openvpn/easy-rsa/pki/issued/server.crt

key /etc/openvpn/easy-rsa/pki/private/server.key

dh /etc/openvpn/easy-rsa/pki/dh.pem

server 10.8.0.0 255.255.255.0

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 8.8.8.8"

push "dhcp-option DNS 8.8.4.4"

keepalive 10 120

comp-lzo

persist-key

persist-tun

status openvpn-status.log

verb 3

log-append /var/log/openvpn.log

Step 10: Start and Enable OpenVPN

sudo systemctl enable openvpn@server

sudo systemctl start openvpn@server

Step 11: Enable IP Forwarding

Edit the sysctl configuration:

sudo nano /etc/sysctl.conf

Uncomment or add the following line to enable IP forwarding:

net.ipv4.ip_forward=1

Save and close the file, then apply the changes:

sudo sysctl -p

Step 12: Configure iptables (NAT)

Configure iptables to masquerade traffic from the VPN subnet as it leaves the instance's network interface:

sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Replace `eth0` with the name of your instance's network interface if it differs (check with `ip link`). This rule is lost on reboot; on Amazon Linux the `iptables-services` package provides `sudo service iptables save` to persist it (Debian-based systems use `iptables-persistent` for the same purpose).

Step 13: Adjust Security Groups

Make sure that your AWS security groups and network ACLs allow inbound UDP on port 1194 (the port and protocol set in `server.conf`) from the networks your clients connect from, and allow the return traffic.

Step 14: Generate Client Certificates (Optional)

If you want to create client certificates for connecting devices, repeat the request-and-sign steps used for the server certificate with a unique Common Name (CN) for each client, but sign them with `sign-req client` rather than `sign-req server`; the client type omits the server extensions, so a client certificate cannot be used to impersonate the server to other clients.

That’s it! You have now installed and configured OpenVPN and EasyRSA on your Amazon Linux instance. You can create client profiles, distribute certificates, and connect devices to your OpenVPN server.


OpenVPN Client Configuration Steps:

To configure the client side of OpenVPN, you’ll need to generate client configuration files and certificates using Easy-RSA and configure the OpenVPN client software on the client device. Here are the steps for setting up the client side:

1. Generate a Client Certificate and Key:

   On the OpenVPN server, navigate to the Easy-RSA directory:

     cd /etc/openvpn/easy-rsa

   Generate a certificate request (replace `<client_name>` with a unique client identifier):

     sudo ./easyrsa gen-req <client_name> nopass

   Sign the client certificate:

     sudo ./easyrsa sign-req client <client_name>

2. Transfer Client Certificate and Key:

   After generating the client certificate and key, transfer them securely to the client device, for example with `scp` or `rsync` over SSH. The `.key` file is the client's private key and must never be sent over an unauthenticated or unencrypted channel.

   Copy the following files to the client device:

     `/etc/openvpn/easy-rsa/pki/issued/<client_name>.crt`
     `/etc/openvpn/easy-rsa/pki/private/<client_name>.key`
     `/etc/openvpn/easy-rsa/pki/ca.crt`

3. Client Configuration File:

   Create a client configuration file (e.g., `client.ovpn`) on the client device and include the following content, replacing `<server_ip>` with the IP address or hostname of your OpenVPN server and `<client_name>` with the name used when the client certificate was generated:

     client
     dev tun
     proto udp
     remote <server_ip> 1194
     resolv-retry infinite
     nobind
     persist-key
     persist-tun
     remote-cert-tls server
     ca ca.crt
     cert <client_name>.crt
     key <client_name>.key
     comp-lzo
     verb 3

   Save the `client.ovpn` configuration file. The `ca`, `cert` and `key` paths are relative to the directory OpenVPN is started from, so keep the three files next to `client.ovpn` or use absolute paths. `remote-cert-tls server` makes the client reject any peer whose certificate was not signed with the server type from Step 7, so a leaked client certificate cannot be used to impersonate the server. Compression settings must agree on both ends: if you dropped `comp-lzo` from the server configuration, drop it here as well.

4. Install OpenVPN Client Software:

   Install the OpenVPN client software on the client device. You can use the appropriate client software for your operating system.

   On Linux, you can use the `openvpn` package.

5. Connect to the OpenVPN Server:

   Use the OpenVPN client software to connect to the server using the `client.ovpn` configuration file.

   For the command-line client, you can use the following command:

     sudo openvpn --config client.ovpn

   If you are using a graphical client, import the `client.ovpn` configuration file into the client software.

After these steps, the client device should be able to establish a VPN connection to the OpenVPN server. Make sure that the client configuration file (`client.ovpn`) and the necessary certificates and keys are correctly set up on the client device.
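As an added example (not code from the original post), this POSIX shell helper folds steps 2 and 3 together: it embeds `ca.crt`, the client certificate and the client key inline, so a single `.ovpn` file replaces the three separate transfers. `make_client_profile`, `emit_block` and the PKI directory argument are assumptions of this example; it follows the Easy-RSA 3 layout used in this guide and omits `comp-lzo`.

```shell
#!/bin/sh
# make_client_profile: build a single-file OpenVPN client profile that
# embeds ca.crt, the client certificate and the client key inline, so only
# one file has to be transferred to the client device.
# Hypothetical helper written for this guide; not part of OpenVPN or Easy-RSA.
# Assumes the Easy-RSA 3 PKI layout used above:
#   <pki_dir>/ca.crt  <pki_dir>/issued/<name>.crt  <pki_dir>/private/<name>.key
# Usage: make_client_profile <pki_dir> <client_name> <server_host> [port] > client.ovpn

# Print a file as an inline <tag>...</tag> block. The read loop copies the
# file line by line and guarantees a final newline even if the PEM lacks one.
emit_block() {
    printf '<%s>\n' "$1"
    while IFS= read -r line || [ -n "$line" ]; do
        printf '%s\n' "$line"
    done < "$2"
    printf '</%s>\n' "$1"
}

make_client_profile() {
    pki="$1"; name="$2"; server="$3"; port="${4:-1194}"
    ca="$pki/ca.crt"; crt="$pki/issued/$name.crt"; key="$pki/private/$name.key"
    # Fail early: a profile missing the CA or key would only break at connect time.
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "make_client_profile: cannot read $f" >&2; return 1; }
    done
    # Same directives as the client.ovpn above, minus comp-lzo (deprecated since
    # OpenVPN 2.4; compression exposes the tunnel to VORACLE-style attacks).
    cat <<EOF
client
dev tun
proto udp
remote $server $port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verb 3
EOF
    # OpenVPN reads these blocks exactly as if ca/cert/key pointed at files.
    emit_block ca   "$ca"
    emit_block cert "$crt"
    emit_block key  "$key"
}
```

Run it on the server as root (the key directory is root-only) and redirect the output to `<client_name>.ovpn`; the resulting file contains the client's private key and must be handled with the same care as the `.key` file itself.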
