How to create an OpenVPN tunnel

Create a Certification Authority

First of all, you need a Certification Authority (CA). You can see here how to create your own CA.

Set up an OCSP responder

Secondly, you need an Online Certificate Status Protocol (OCSP) service. You can see here how to create your OCSP server.

Install OpenVPN

You can install OpenVPN on your client and server with the following command.

sudo apt-get install openvpn

Create a certificate for each gateway

Just as for the CA and OCSP servers, we need a certificate for each gateway of the OpenVPN tunnel, signed by our own CA. The commands below also generate the Diffie-Hellman parameters and the tls-auth key used by both sides.

cd /etc/pki/CA/
mkdir openvpn
openssl dhparam -out openvpn/dh2048.pem 2048
sudo openvpn --genkey secret private/ta.key
openssl genrsa -des3 -out private/tun0-client.key
openssl genrsa -des3 -out private/tun0-server.key
openssl req -new -key private/tun0-client.key -out openvpn/tun0-client.csr -subj /C=PT/ST=Coimbra/L=Coimbra/O=MyOrg/OU=MyOrgDep/CN=TUN0-Client -passin pass:example-password
openssl req -new -key private/tun0-server.key -out openvpn/tun0-server.csr -subj /C=PT/ST=Coimbra/L=Coimbra/O=MyOrg/OU=MyOrgDep/CN=TUN0-Server -passin pass:example-password
openssl ca -in openvpn/tun0-client.csr -cert certs/ca.crt -keyfile private/ca.key -out certs/tun0-client.crt -passin pass:example-password
openssl ca -in openvpn/tun0-server.csr -cert certs/ca.crt -keyfile private/ca.key -out certs/tun0-server.crt -passin pass:example-password

Set up the OCSP_check script

Go to the PKI directory, download the OCSP_check.sh script from OpenVPN's GitHub repository, make it executable, and edit the variables at the top of the script so they point at your OCSP responder and your CA certificate.

cd /etc/pki/
wget https://raw.githubusercontent.com/OpenVPN/openvpn/master/contrib/OCSP_check/OCSP_check.sh
sudo chmod 755 OCSP_check.sh
nano OCSP_check.sh
...
ocsp_url="http://127.0.0.1:81/"
issuer="/etc/pki/CA/certs/ca.crt"
nonce="-nonce"
verify="/etc/pki/CA/certs/ca.crt"
...
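OpenVPN runs the tls-verify script for every certificate in the peer's chain and admits the peer only if the script exits 0. As an added example (not the page's or OpenVPN's own OCSP_check.sh), the POSIX shell below shows that decision logic applied to constructed openssl ocsp output; the function names ocsp_verdict and tls_verify_hook are assumptions.

```shell
#!/bin/sh
# Added example, not the page's or OpenVPN's OCSP_check.sh: the decision logic
# a tls-verify hook applies once it has the OCSP responder's answer.
# OpenVPN runs the hook as "script <depth> <subject>"; exit 0 admits the peer,
# any other exit code aborts the TLS handshake. Function names are assumed.

# Turn the text "openssl ocsp" prints into a tls-verify exit status.
# $1 = responder output, e.g. "Response verify OK" followed by "<cert>: good".
ocsp_verdict() {
    out="$1"
    # The responder's signature must check out before the status means anything.
    case "$out" in
        *"Response verify OK"*) ;;
        *) echo "OCSP: response did not verify" >&2; return 1 ;;
    esac
    case "$out" in
        *": good"*)    return 0 ;;
        *": revoked"*) echo "OCSP: certificate revoked" >&2; return 1 ;;
        *)             echo "OCSP: status unknown, refusing" >&2; return 1 ;;
    esac
}

# Same argument shape OpenVPN uses, plus the responder output as $3 so the
# logic can be exercised offline. A live hook would obtain $3 with something like
#   openssl ocsp -issuer "$issuer" -serial "$tls_serial_0" -url "$ocsp_url" \
#       $nonce -CAfile "$verify"
# using the variables set in OCSP_check.sh (OpenVPN exports the peer's serial
# number as tls_serial_<depth>).
tls_verify_hook() {
    depth="$1"; subject="$2"; ocsp_output="$3"
    # Only the leaf certificate (depth 0) is checked against the responder;
    # the CA itself (depth > 0) is already trusted through the "ca" directive.
    if [ "$depth" -gt 0 ]; then
        return 0
    fi
    echo "checking $subject against OCSP" >&2
    ocsp_verdict "$ocsp_output"
}

# Constructed sample responses (not captured from a real responder).
SAMPLE_GOOD="Response verify OK
/etc/pki/CA/certs/tun0-client.crt: good"
SAMPLE_REVOKED="Response verify OK
/etc/pki/CA/certs/tun0-client.crt: revoked"

tls_verify_hook 0 "/CN=TUN0-Client" "$SAMPLE_GOOD"    && echo "allow"
tls_verify_hook 0 "/CN=TUN0-Client" "$SAMPLE_REVOKED" || echo "deny"
```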

Configure the Server

Create the OpenVPN server configuration.

cd /etc/openvpn/
nano server.conf
local 192.168.172.70
port 1195
proto udp
dev tun
ca /etc/pki/CA/certs/ca.crt
cert /etc/pki/CA/certs/tun0-server.crt
key /etc/pki/CA/private/tun0-server.key
dh /etc/pki/CA/openvpn/dh2048.pem
server 10.7.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "route 10.8.0.0 255.255.255.0"
keepalive 10 120
tls-auth /etc/pki/CA/private/ta.key 0
cipher AES-256-CBC
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
script-security 2
tls-verify /etc/pki/OCSP_check.sh
verb 3
explicit-exit-notify 1

Configure the Client

Create the OpenVPN client configuration. (On the client device!)

cd /etc/openvpn/
nano client.conf
client
dev tun
proto udp
remote 192.168.172.70 1195
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/pki/CA/certs/ca.crt
cert /etc/pki/CA/certs/tun0-client.crt
key /etc/pki/CA/private/tun0-client.key
tls-auth /etc/pki/CA/private/ta.key 1
cipher AES-256-CBC
verb 3

Start the services on both sides

After you start the services below, systemd on both the server and the client prompts for the passphrase of the encrypted private key. Answer the prompt with the following command and enter the password.

sudo systemd-tty-ask-password-agent --query

On the server:

sudo systemctl start openvpn
sudo systemctl enable openvpn
sudo systemctl daemon-reload
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server

On the client:

sudo systemctl start openvpn
sudo systemctl enable openvpn
sudo systemctl daemon-reload
sudo systemctl start openvpn@client
sudo systemctl enable openvpn@client
