How to create an OpenVPN tunnel

Create a Certification Authority

Set up an OCSP responder

Install OpenVPN

# Install OpenVPN from the distribution package repository (Debian/Ubuntu apt).
sudo apt-get install openvpn

Create a certificate for each gateway

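#!/usr/bin/env bash
# Create the OpenVPN server and client certificates under the CA that lives in
# /etc/pki/CA (set up in "Create a Certification Authority", not shown here).
#
# Outputs (relative to /etc/pki/CA):
#   openvpn/dh2048.pem                 DH parameters, used by the server
#   private/ta.key                     tls-auth HMAC key, shared by both sides
#   private/tun0-{client,server}.key   passphrase-protected private keys
#   openvpn/tun0-{client,server}.csr   signing requests
#   certs/tun0-{client,server}.crt     certificates signed by the CA
#
# Passphrases come from the environment (`-passin env:...`) instead of
# `-passin pass:example-password` on the command line, where they would be
# visible in `ps` output and in the shell history:
#   KEY_PASS  passphrase for the two new private keys
#   CA_PASS   passphrase of private/ca.key
# (the original used the same example value for both).
#
# The original used sudo only for `openvpn --genkey`; everything here writes
# into /etc/pki/CA, so run the whole snippet with enough privileges.
set -euo pipefail

readonly ca_dir=/etc/pki/CA
readonly subj_prefix=/C=PT/ST=Coimbra/L=Coimbra/O=MyOrg/OU=MyOrgDep

: "${KEY_PASS:?set KEY_PASS to the passphrase for the new private keys}"
: "${CA_PASS:?set CA_PASS to the passphrase of private/ca.key}"
export KEY_PASS CA_PASS

cd -- "$ca_dir"
mkdir -p openvpn

# DH parameters (2048 bits can take a few minutes) and the tls-auth key.
openssl dhparam -out openvpn/dh2048.pem 2048
sudo openvpn --genkey secret private/ta.key

#######################################
# Generate a key, a CSR and a CA-signed certificate for one tunnel endpoint.
# Globals:   subj_prefix (read), KEY_PASS / CA_PASS (read via env:)
# Arguments: $1 - role, "client" or "server" (used in the file names)
#            $2 - CN for the certificate subject
# Outputs:   private/tun0-$1.key, openvpn/tun0-$1.csr, certs/tun0-$1.crt
#######################################
issue_cert() {
  local role=$1 cn=$2
  local key="private/tun0-${role}.key"
  local csr="openvpn/tun0-${role}.csr"
  local crt="certs/tun0-${role}.crt"

  # -passout sets the key passphrase non-interactively; the original relied on
  # the value typed at the genrsa prompt matching the later -passin value.
  openssl genrsa -des3 -passout env:KEY_PASS -out "$key"
  chmod 600 -- "$key"
  openssl req -new -key "$key" -passin env:KEY_PASS \
    -subj "${subj_prefix}/CN=${cn}" -out "$csr"
  # Certificate extensions (e.g. serverAuth/clientAuth EKU) come from the CA's
  # openssl.cnf, which is not part of this snippet — check it if the client is
  # ever to verify the server's role (remote-cert-tls).
  openssl ca -in "$csr" -cert certs/ca.crt -keyfile private/ca.key \
    -passin env:CA_PASS -out "$crt"
}

issue_cert client TUN0-Client
issue_cert server TUN0-Server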

Set up the OCSP_check script

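#!/usr/bin/env bash
# Install the contrib OCSP_check.sh hook that server.conf runs through
# `tls-verify` (enabled by `script-security 2`) on every client handshake.
set -euo pipefail

# Unpinned: this fetches whatever is on the master branch at the time. For a
# reproducible setup pin a release tag or commit and compare the downloaded
# file against a known-good copy before installing it.
readonly ocsp_check_url=https://raw.githubusercontent.com/OpenVPN/openvpn/master/contrib/OCSP_check/OCSP_check.sh
readonly hook=/etc/pki/OCSP_check.sh

cd -- /etc/pki/
sudo wget -O "$hook" -- "$ocsp_check_url"

# The hook is executed by the OpenVPN daemon with the daemon's privileges
# (server.conf sets no user/group, so that is root) and its exit status decides
# whether the peer certificate is accepted. It must be executable, but NOT
# writable by anyone else: the original `chmod 777` would let any local user
# replace the script. root-owned with mode 0755 is sufficient.
sudo chown root:root -- "$hook"
sudo chmod 0755 -- "$hook"

# Edit the settings at the top of the script (ocsp_url, issuer, nonce, verify).
sudo nano -- "$hook"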
...
# Settings at the top of OCSP_check.sh (excerpt). The script reads these
# names, so only the values should be changed.
# OCSP responder from "Set up an OCSP responder"; plain HTTP is the norm for
# OCSP because responses are signed, not because the channel is trusted.
ocsp_url="http://127.0.0.1:81/"
# CA certificate that issued the client certificates being checked.
issuer="/etc/pki/CA/certs/ca.crt"
# Presumably passed through to `openssl ocsp`; the nonce ties a response to
# this request so a cached/replayed response is not accepted — verify in the script.
nonce="-nonce"
# Certificate used to verify the responder's signature; here the CA itself,
# so the responder is expected to sign with the CA key or a certificate it issued.
verify="/etc/pki/CA/certs/ca.crt"
...

Configure the Server

# Open the server configuration for editing; the directives follow below.
# openvpn@server (started later) reads this file as /etc/openvpn/server.conf.
cd /etc/openvpn/
nano server.conf
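# /etc/openvpn/server.conf — server side of the tunnel
local       192.168.172.70
port 1195
proto udp
dev tun
# PKI material from "Create a certificate for each gateway"
ca /etc/pki/CA/certs/ca.crt
cert /etc/pki/CA/certs/tun0-server.crt
key /etc/pki/CA/private/tun0-server.key
dh /etc/pki/CA/openvpn/dh2048.pem
server 10.7.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
# Route pushed to clients; 10.8.0.0/24 is presumably a network behind the
# server (the tunnel itself is 10.7.0.0/24 above) — confirm.
# The quotes must be plain: the backslash-escaped quotes in the original
# (`push \"route ...\"`) are a rendering artifact, not valid config syntax.
push "route 10.8.0.0 255.255.255.0"
keepalive 10 120
# HMAC key from `openvpn --genkey secret`; direction 0 here, 1 on the client
tls-auth /etc/pki/CA/private/ta.key 0
# Legacy CBC cipher. Recent OpenVPN (2.4+) negotiates the data cipher with the
# client (AES-256-GCM by default) and uses this line only as a fallback —
# check the behaviour of the installed version.
cipher AES-256-CBC
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
# script-security 2 allows external scripts; tls-verify runs OCSP_check.sh for
# every handshake with the daemon's privileges. No user/group directive is set,
# so that is root: consider e.g. `user nobody` / `group nogroup` (persist-key
# and persist-tun above are what make the privilege drop work), and keep the
# hook root-owned and not world-writable.
script-security 2
tls-verify /etc/pki/OCSP_check.sh
verb 3
explicit-exit-notify 1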

Configure the Client

# Open the client configuration for editing; the directives follow below.
# openvpn@client (started later) reads this file as /etc/openvpn/client.conf.
cd /etc/openvpn/
nano client.conf
# /etc/openvpn/client.conf — client side of the tunnel
client
dev tun
proto udp
# The server's `local` address and `port` from server.conf
remote 192.168.172.70 1195
resolv-retry infinite
nobind
persist-key
persist-tun
# PKI material from "Create a certificate for each gateway"
ca /etc/pki/CA/certs/ca.crt
cert /etc/pki/CA/certs/tun0-client.crt
key /etc/pki/CA/private/tun0-client.key
# Same ta.key as the server; direction 1 here, 0 on the server
tls-auth /etc/pki/CA/private/ta.key 1
# Must match the server's cipher line (legacy CBC; newer versions negotiate
# AES-256-GCM — check the installed version)
cipher AES-256-CBC
verb 3
# NOTE(review): nothing here checks that the peer is the server. Any
# certificate issued by this CA — another client's included — is accepted as
# the server. `remote-cert-tls server` closes that gap, but only if the CA
# issues server certificates with the serverAuth EKU / nsCertType extension;
# check the CA's openssl.cnf before adding it.

Start the services on both sides

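#!/usr/bin/env bash
# Start and enable the OpenVPN instance on each side of the tunnel.
# Run `start_instance server` on the server host and `start_instance client`
# on the client host; openvpn@<name> reads /etc/openvpn/<name>.conf.
#
# Changes from the original sequence:
#  - `systemctl daemon-reload` runs before enable/start; reloading after the
#    unit has already been started does nothing for it.
#  - each side's commands appear once instead of twice.
#  - the generic `openvpn.service` is no longer started/enabled next to the
#    instance; on Debian/Ubuntu it presumably only pulls in the openvpn@<conf>
#    instances selected in /etc/default/openvpn, so this is redundant with
#    the explicit instance — confirm on the target distribution.
set -euo pipefail

#######################################
# Enable and start openvpn@<name>, answering the key passphrase prompt.
# Arguments: $1 - instance name ("server" or "client")
# Returns:   exit status of `systemctl start`
#######################################
start_instance() {
  local name=${1:?instance name (server|client) required}
  local start_pid

  sudo systemctl daemon-reload
  sudo systemctl enable openvpn@"$name"

  # The private keys are passphrase-protected (genrsa -des3), so the daemon
  # has to obtain the passphrase through systemd's password-agent mechanism
  # when it starts non-interactively. `systemctl start` blocks until the unit
  # is up, so the query agent is run while the start is pending — in the
  # original order (query first, start afterwards) there is no pending
  # request for the agent to answer yet.
  sudo systemctl start openvpn@"$name" &
  start_pid=$!
  sudo systemd-tty-ask-password-agent --query
  wait "$start_pid"
}

start_instance "${1:?usage: ${0##*/} server|client}"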
