# OpenVPN Deployment Plan with Easy-RSA

This plan describes how to set up a secure OpenVPN server with Easy-RSA for certificate management. It includes PKI initialization, server configuration, client certificate generation, and network routing considerations.

---

## Step 1: Install Dependencies

On the Ubuntu server:

```bash
sudo apt update
sudo apt install openvpn easy-rsa
```

---

## Step 2: Prepare Easy-RSA Environment

```bash
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
```

The `make-cadir` command creates a working directory containing the Easy-RSA scripts, including `easyrsa`.

Initialize the PKI:

```bash
./easyrsa init-pki
```

---

## Step 3: Build the Certificate Authority (CA)

```bash
./easyrsa build-ca
```

This creates the CA private key and certificate, which are required to sign server and client certificates.

---

## Step 4: Generate Server Certificate and Key

```bash
./easyrsa gen-req server nopass
./easyrsa sign-req server server
```

The server certificate will be placed in `pki/issued/`.

Also generate the Diffie-Hellman parameters and the TLS auth key (`ta.key`):

```bash
./easyrsa gen-dh
openvpn --genkey --secret ta.key
```

---

## Step 5: Create Client Certificates (Per User/Device)

Each client **must have a unique certificate**. For example, for client `alice`:

```bash
./easyrsa gen-req alice nopass
./easyrsa sign-req client alice
```

Repeat this for every user/device. Example for `bob`:

```bash
./easyrsa gen-req bob nopass
./easyrsa sign-req client bob
```

> 🔹 Do **not** reuse client certificates. One certificate = one user/device.
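Steps 2 to 5 leave the CA certificate, each client's certificate and key, and `ta.key` in separate files; the client needs all four inside one `.ovpn`. The script below is an added example, not part of the original plan, that assembles such a bundle for one client by inlining those files into `<ca>`, `<cert>`, `<key>` and `<tls-auth>` blocks. It assumes the Easy-RSA 3 layout (`pki/ca.crt`, `pki/issued/NAME.crt`, `pki/private/NAME.key`) and the `ta.key` from Step 4; `SERVER_PUBLIC_IP` is a placeholder, and the files it creates for the demo run are constructed placeholders rather than real key material.

```bash
#!/usr/bin/env bash
# Added example (not part of the original plan): assemble one client's .ovpn
# bundle from the Easy-RSA output of Steps 2-5, inlining the CA certificate,
# the client's certificate and key, and ta.key, so the user gets a single file.
# Assumed layout: pki/ca.crt, pki/issued/NAME.crt, pki/private/NAME.key under
# the PKI dir, and ta.key from Step 4. The server host is a placeholder.
set -eu

# Print only the PEM body of a file (Easy-RSA issued certs start with a text dump).
pem() { sed -n '/-----BEGIN/,/-----END/p' "$1"; }

# build_ovpn <pki-dir> <ta.key> <client-name> <server-host> <output-file>
build_ovpn() {
  local pki="$1" ta="$2" name="$3" host="$4" out="$5"
  local ca="$pki/ca.crt" cert="$pki/issued/$name.crt" key="$pki/private/$name.key"
  local f
  for f in "$ca" "$cert" "$key" "$ta"; do
    [ -r "$f" ] || { echo "missing input: $f" >&2; return 1; }
  done
  {
    cat <<EOF
client
dev tun
proto udp
remote $host 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
verb 3
key-direction 1
EOF
    echo '<ca>';       pem "$ca";   echo '</ca>'
    echo '<cert>';     pem "$cert"; echo '</cert>'
    echo '<key>';      pem "$key";  echo '</key>'
    echo '<tls-auth>'; pem "$ta";   echo '</tls-auth>'
  } > "$out"
  chmod 600 "$out"   # the bundle carries the client's private key
}

# Real use, from ~/openvpn-ca:  build_ovpn pki ta.key alice SERVER_PUBLIC_IP alice.ovpn
# Below, the function runs on constructed placeholder files (not real key
# material) so this script can be executed anywhere.
demo=$(mktemp -d)
mkdir -p "$demo/pki/issued" "$demo/pki/private"
cat > "$demo/pki/ca.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
EOF
cat > "$demo/pki/issued/alice.crt" <<'EOF'
Certificate:
    Subject: CN=alice
-----BEGIN CERTIFICATE-----
PLACEHOLDER-ALICE-CERT
-----END CERTIFICATE-----
EOF
cat > "$demo/pki/private/alice.key" <<'EOF'
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-ALICE-KEY
-----END PRIVATE KEY-----
EOF
cat > "$demo/ta.key" <<'EOF'
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-TA
-----END OpenVPN Static key V1-----
EOF
build_ovpn "$demo/pki" "$demo/ta.key" alice SERVER_PUBLIC_IP "$demo/alice.ovpn"
echo "wrote $demo/alice.ovpn"
```

Run it once per client name and hand each user only their own file; because the output contains the private key, it is written mode 600 and should travel over an authenticated channel, never a shared drop folder.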
---

## Step 6: Configure OpenVPN Server

Create `/etc/openvpn/server.conf`:

```conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
server 172.16.20.0 255.255.255.0
# NAS subnet
push "route 192.168.100.0 255.255.255.0"
# Server subnet
push "route 172.16.14.0 255.255.255.0"
keepalive 10 120
cipher AES-256-GCM
persist-key
persist-tun
user nobody
group nogroup
status /var/log/openvpn-status.log
verb 3
```

The file paths are relative to `/etc/openvpn`, the working directory of the `openvpn@server` unit, so the CA certificate, server certificate and key, `dh.pem` and `ta.key` produced in `~/openvpn-ca` must be present there.

Enable IP forwarding:

```bash
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
```

---

## Step 7: Start OpenVPN Service

```bash
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
```

Check logs:

```bash
journalctl -u openvpn@server -f
```

---

## Step 8: Prepare Client Configuration

Example client config (`client.ovpn`):

```conf
client
dev tun
proto udp
# replace with the server's public IP address or hostname
remote SERVER_PUBLIC_IP_OR_HOSTNAME 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
verb 3
key-direction 1
<ca>
# paste contents of ca.crt
</ca>
<cert>
# paste contents of clientname.crt
</cert>
<key>
# paste contents of clientname.key
</key>
<tls-auth>
# paste contents of ta.key
</tls-auth>
```

Each client receives a customized `.ovpn` file with its unique certificate and key.

---

## Step 9: Verify Connectivity

On the client:

```bash
sudo openvpn --config client.ovpn
```

Check connectivity to the NAS:

```bash
ping 192.168.100.10
```

Check connectivity to the server subnet:

```bash
ping 172.16.14.240
```

---

## Notes

- Each client certificate is bound to **one user/device**.
- Revoke a certificate if it is compromised and regenerate the CRL (example for `alice`):

  ```bash
  ./easyrsa revoke alice
  ./easyrsa gen-crl
  ```

- Consider enabling `client-config-dir` for assigning static IPs per user.
- Use firewall rules to restrict client access if needed.

---

✅ This completes the OpenVPN setup with Easy-RSA, per-user certificates, and subnet routing.
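Two things in Step 6 and the revocation note are easy to get silently wrong: a `server.conf` whose relative `ca`/`cert`/`key`/`dh`/`tls-auth` paths do not resolve under `/etc/openvpn`, and a CRL generated with `easyrsa gen-crl` that the server never loads because there is no `crl-verify` directive. The script below is an added example, not part of the original plan: `check_server_conf` resolves every referenced file relative to the config directory and reports a missing file or a missing `crl-verify`, and `install_crl` copies a CRL in and adds the directive if absent. The config directory, the `pki/crl.pem` source path and the placeholder files it creates for the demo run are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not part of the original plan): server-side sanity check for
# the Step 6 config plus CRL installation for the revocation note.
# Assumptions: the openvpn@server unit runs with /etc/openvpn as its working
# directory, and "easyrsa gen-crl" writes pki/crl.pem.
set -eu

# check_server_conf <config-dir> <config-file>  -> 0 if every referenced file
# exists and crl-verify is configured, 1 otherwise (details on stderr)
check_server_conf() {
  local dir="$1" conf="$2" rc=0 directive path
  for directive in ca cert key dh tls-auth crl-verify; do
    # first argument of the directive, e.g. "ta.key" from "tls-auth ta.key 0"
    path=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
    if [ -z "$path" ]; then
      if [ "$directive" = crl-verify ]; then
        echo "WARN: no crl-verify in $conf; revoked certificates would still be accepted" >&2
      else
        echo "ERROR: no '$directive' directive in $conf" >&2
      fi
      rc=1
      continue
    fi
    case "$path" in /*) ;; *) path="$dir/$path" ;; esac   # relative to the config dir
    if [ ! -r "$path" ]; then
      echo "ERROR: '$directive' points to missing file $path" >&2
      rc=1
    fi
  done
  return $rc
}

# install_crl <crl.pem from easyrsa gen-crl> <config-dir> <config-file>
install_crl() {
  local src="$1" dir="$2" conf="$3"
  cp "$src" "$dir/crl.pem"
  # The CRL is re-read on every client connection, after the daemon has dropped
  # to user nobody, so it has to stay readable by that user.
  chmod 644 "$dir/crl.pem"
  grep -q '^crl-verify ' "$conf" || echo "crl-verify crl.pem" >> "$conf"
}

# Real use (as root), after "./easyrsa revoke alice && ./easyrsa gen-crl":
#   install_crl ~/openvpn-ca/pki/crl.pem /etc/openvpn /etc/openvpn/server.conf
#   check_server_conf /etc/openvpn /etc/openvpn/server.conf && systemctl restart openvpn@server
# Below, both run on a constructed copy of the Step 6 config with placeholder
# files (not real key material) so the script can be executed anywhere.
demo=$(mktemp -d)
cat > "$demo/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
server 172.16.20.0 255.255.255.0
EOF
for f in ca.crt server.crt server.key dh.pem ta.key; do
  echo "placeholder $f" > "$demo/$f"
done
echo "placeholder CRL" > "$demo/pki-crl.pem"

before=0; check_server_conf "$demo" "$demo/server.conf" || before=$?
install_crl "$demo/pki-crl.pem" "$demo" "$demo/server.conf"
after=0;  check_server_conf "$demo" "$demo/server.conf" || after=$?
echo "check before CRL install: rc=$before; after: rc=$after"
```

The check is deliberately strict about `crl-verify`: a PKI with per-user certificates only delivers on its promise (one revoked user locked out, everyone else unaffected) if the server actually consults the CRL, and each fresh `gen-crl` output has to be copied into place again because the server reads the installed file, not the one in `~/openvpn-ca`.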