2025-09-27 16:06:32 +00:00
# OpenVPN Deployment Plan with Easy-RSA
This plan describes how to set up a secure OpenVPN server with Easy-RSA for certificate management. It includes PKI initialization, server configuration, client certificate generation, and network routing considerations.
---
## Step 1: Install Dependencies
On the Ubuntu server:
```bash
sudo apt update
sudo apt install openvpn easy-rsa
```
---
## Step 2: Prepare Easy-RSA Environment
```bash
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
```
The `make-cadir` command creates a working directory containing Easy-RSA scripts, including `easyrsa`.
Initialize the PKI:
```bash
./easyrsa init-pki
```
---
## Step 3: Build the Certificate Authority (CA)
```bash
./easyrsa build-ca
```
This creates the CA private key and certificate, which are required to sign server and client certificates.
---
## Step 4: Generate Server Certificate and Key
```bash
./easyrsa gen-req server nopass
./easyrsa sign-req server server
```
The server certificate will be placed in `pki/issued/`.
Also generate Diffie-Hellman parameters and TLS key:
```bash
./easyrsa gen-dh
openvpn --genkey --secret ta.key
```
---
## Step 5: Create Client Certificates (Per User/Device)
Each client **must have a unique certificate**.
For example, for client `alice`:
```bash
./easyrsa gen-req alice nopass
./easyrsa sign-req client alice
```
Repeat this for every user/device. Example for `bob`:
```bash
./easyrsa gen-req bob nopass
./easyrsa sign-req client bob
```
> 🔹 Do **not** reuse client certificates. One certificate = one user/device.
---
## Step 6: Configure OpenVPN Server
Create `/etc/openvpn/server.conf`. The certificate and key paths below are relative to `/etc/openvpn`, so first copy `pki/ca.crt`, `pki/issued/server.crt`, `pki/private/server.key`, `pki/dh.pem` and `ta.key` from `~/openvpn-ca` into that directory:
```conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
server 172.16.20.0 255.255.255.0
push "route 192.168.100.0 255.255.255.0" # NAS subnet
push "route 172.16.14.0 255.255.255.0" # Server subnet
keepalive 10 120
cipher AES-256-GCM
persist-key
persist-tun
user nobody
group nogroup
status /var/log/openvpn-status.log
verb 3
```
Enable IP forwarding:
```bash
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
```
---
## Step 7: Start OpenVPN Service
```bash
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
```
Check logs:
```bash
journalctl -u openvpn@server -f
```
---
## Step 8: Prepare Client Configuration
Each client profile needs the following files:
- ca.crt — The certificate authority file, used to verify the server certificate.
- [client_name].crt — The client certificate created in Step 5 (`/home/arthur/openvpn-ca/pki/issued/[client_name].crt`).
- [client_name].key — The client private key, located at `/home/arthur/openvpn-ca/pki/private/[client_name].key`.
- ta.key — The TLS authentication key generated during server setup.
Example client config (`client.ovpn`):
```conf
client
dev tun
proto udp
remote 113.22.221.198 1194 # use FTP IP address
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
# push mac address info
push-peer-info
verb 3
<ca>
# paste contents of ca.crt
</ca>
<cert>
# paste clientname.crt
</cert>
<key>
# paste clientname.key
</key>
<tls-auth>
# paste ta.key
</tls-auth>
key-direction 1
```
Each client receives a customized `.ovpn` file with its unique certificate and key.
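A small helper that assembles the per-client profile described above, added here as an example and not part of the original plan. It assumes the Easy-RSA layout used in this plan (`pki/ca.crt`, `pki/issued/NAME.crt`, `pki/private/NAME.key`) and takes the path to `ta.key` as an argument; it extracts only the PEM body of each file, because Easy-RSA prefixes issued certificates with a text dump that does not belong inside the inline blocks.

```shell
#!/bin/sh
# Assemble one client's .ovpn profile with the certificates inlined.
# Added example; assumes the Easy-RSA layout from this plan:
#   PKI_DIR/ca.crt, PKI_DIR/issued/NAME.crt, PKI_DIR/private/NAME.key
# and takes the path to ta.key as an argument (its location is an assumption).
set -eu

# inline_pem TAG FILE: wrap only the PEM body of FILE in <TAG>...</TAG>.
# Easy-RSA prefixes issued .crt files with a human-readable text dump, and
# ta.key starts with comment lines; neither belongs in the inline block.
inline_pem() {
  printf '<%s>\n' "$1"
  sed -n '/^-----BEGIN /,/^-----END /p' "$2"
  printf '</%s>\n' "$1"
}

# build_ovpn PKI_DIR TA_KEY CLIENT_NAME REMOTE_HOST [REMOTE_PORT]
# Writes the profile to stdout; fails (status 1) if any input file is missing,
# so a typo in the client name cannot silently produce a profile without a key.
build_ovpn() {
  pki=$1; ta=$2; name=$3; host=$4; port=${5:-1194}
  ca="$pki/ca.crt"; crt="$pki/issued/$name.crt"; key="$pki/private/$name.key"
  for f in "$ca" "$crt" "$key" "$ta"; do
    [ -r "$f" ] || { echo "build_ovpn: missing or unreadable $f" >&2; return 1; }
  done
  cat <<EOF
client
dev tun
proto udp
remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
push-peer-info
verb 3
key-direction 1
EOF
  inline_pem ca "$ca"
  inline_pem cert "$crt"
  inline_pem key "$key"
  inline_pem tls-auth "$ta"
}

# Usage as a script: ./build-ovpn.sh ~/openvpn-ca/pki ~/openvpn-ca/ta.key alice 113.22.221.198 > alice.ovpn
if [ "$#" -ge 4 ]; then build_ovpn "$@"; fi
```

The resulting file contains the client's private key, so hand it to the user over an authenticated channel and delete local copies once delivered.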
---
## Step 9: Verify Connectivity
On the client:
```bash
openvpn --config client.ovpn
```
Check connectivity to NAS:
```bash
ping 192.168.100.10
```
Check connectivity to server subnet:
```bash
ping 172.16.14.240
```
---
## Notes
- Each client certificate is bound to **one user/device**.
- Revoke a certificate if it is compromised, then regenerate the CRL:
```bash
./easyrsa revoke <clientname>
./easyrsa gen-crl
```
  The server only enforces the CRL if `server.conf` references it (`crl-verify crl.pem`, with the regenerated `pki/crl.pem` copied to `/etc/openvpn` after each `gen-crl`); without that directive a revoked client can still connect.
- Consider enabling `client-config-dir` for assigning static IPs per user.
- Use firewall rules to restrict client access if needed.
---
✅ This completes the OpenVPN setup with Easy-RSA, per-user certificates, and subnet routing.