VPN/vpn-plan.md
2025-09-27 23:06:32 +07:00

OpenVPN Deployment Plan with Easy-RSA

This plan describes how to set up a secure OpenVPN server with Easy-RSA for certificate management. It includes PKI initialization, server configuration, client certificate generation, and network routing considerations.


Step 1: Install Dependencies

On the Ubuntu server:

sudo apt update
sudo apt install openvpn easy-rsa

Step 2: Prepare Easy-RSA Environment

make-cadir ~/openvpn-ca
cd ~/openvpn-ca

make-cadir creates a working directory with the Easy-RSA scripts (including easyrsa) and a vars file you can edit to set defaults such as key size and certificate lifetime. Run every easyrsa command from this directory; the CA and all keys it issues are kept under pki/.
Initialize the PKI:

./easyrsa init-pki

Step 3: Build the Certificate Authority (CA)

./easyrsa build-ca

You are prompted for a CA passphrase and a Common Name. This creates the CA private key (pki/private/ca.key, encrypted with that passphrase) and the CA certificate (pki/ca.crt). Every server and client certificate is signed with this key, and the passphrase is asked for on each sign-req. Whoever holds ca.key can mint certificates the server trusts, so do not leave it on the VPN server itself.


Step 4: Generate Server Certificate and Key

./easyrsa gen-req server nopass
./easyrsa sign-req server server

nopass leaves the server key unencrypted, which an unattended systemd start needs; protect the file with filesystem permissions instead. The signed certificate lands in pki/issued/server.crt and the key in pki/private/server.key. Signing with the server type adds the serverAuth extended key usage that clients later check with remote-cert-tls server, so do not sign the server request with the client type.

Also generate Diffie-Hellman parameters and the TLS-auth key:

./easyrsa gen-dh
openvpn --genkey --secret ta.key

gen-dh can take several minutes and writes pki/dh.pem. ta.key is written to the current directory (~/openvpn-ca); it is a shared secret held by the server and every client, so treat it like a private key. On OpenVPN 2.5 and later the same command is spelled openvpn --genkey secret ta.key; the older form is still accepted.

Step 5: Create Client Certificates (Per User/Device)

Each client must have its own certificate. The name passed to gen-req becomes the certificate's Common Name, which is what the server logs and what client-config-dir matches on, so use the user or device name. Omit nopass if the user should have to type a passphrase when the tunnel starts.
For example, for client alice:

./easyrsa gen-req alice nopass
./easyrsa sign-req client alice

Repeat this for every user/device. Example for bob:

./easyrsa gen-req bob nopass
./easyrsa sign-req client bob

🔹 Do not reuse client certificates. One certificate = one user/device: a shared certificate cannot be revoked for one user without locking out everyone else, and unless duplicate-cn is set the server drops the older session when a second client connects with the same CN.
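A quick check of what Steps 3 to 5 produced, before anything is copied to the server. This is an added example, not part of the original plan: it uses the openssl command-line tool to confirm that each issued certificate chains to pki/ca.crt and carries the extended key usage the configuration relies on (serverAuth for server.crt, which remote-cert-tls server verifies on the client side; clientAuth for everyone else). The pki/ layout is the one Easy-RSA creates; the script name and the eku / check_cert / check_all function names are assumptions.

```shell
#!/bin/sh
# check_pki.sh (added example, not from the original plan): verify Easy-RSA
# output before deploying it.  Usage: sh check_pki.sh ~/openvpn-ca/pki
# Assumes the pki/ layout created by ./easyrsa init-pki: pki/ca.crt and
# pki/issued/<name>.crt. Requires the openssl command-line tool.
set -eu

PKI="${PKI:-pki}"

# eku FILE: print the extendedKeyUsage line of a certificate, empty if it has none.
eku() {
    openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null | sed -n '2s/^ *//p'
}

# check_cert FILE WANTED_EKU: 0 if FILE chains to $PKI/ca.crt and lists WANTED_EKU.
check_cert() {
    f="$1"; want="$2"
    if ! openssl verify -CAfile "$PKI/ca.crt" "$f" >/dev/null 2>&1; then
        echo "FAIL: $f does not chain to $PKI/ca.crt" >&2
        return 1
    fi
    case "$(eku "$f")" in
        *"$want"*) ;;
        *) echo "FAIL: $f lacks '$want' (signed with the wrong Easy-RSA type?)" >&2
           return 1 ;;
    esac
    echo "ok: $f ($want)"
}

# check_all: server.crt must be a server certificate, everything else a client
# one. Reports every failure instead of stopping at the first; returns 1 if any.
check_all() {
    rc=0
    check_cert "$PKI/issued/server.crt" "TLS Web Server Authentication" || rc=1
    for c in "$PKI"/issued/*.crt; do
        case "$c" in */server.crt) continue ;; esac
        check_cert "$c" "TLS Web Client Authentication" || rc=1
    done
    return $rc
}

if [ $# -ge 1 ]; then
    PKI="$1"
    check_all
fi
```

A certificate that fails the EKU check was signed with the wrong type (for example sign-req client server); reissue it rather than relaxing remote-cert-tls on the clients.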


Step 6: Configure OpenVPN Server

The paths in the config below are relative to /etc/openvpn (the working directory of the openvpn@server unit), so first copy the server material out of the CA directory into /etc/openvpn: pki/ca.crt, pki/issued/server.crt, pki/private/server.key, pki/dh.pem and ta.key. server.key and ta.key should be readable by root only. Also generate an initial (empty) CRL with ./easyrsa gen-crl and copy pki/crl.pem to /etc/openvpn/crl.pem: OpenVPN refuses to start if the file named in crl-verify is missing, and the file must stay world-readable because it is re-read for new connections after the daemon has dropped to the nobody user.

Create /etc/openvpn/server.conf:

port 1194
proto udp
dev tun
topology subnet

ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
crl-verify crl.pem

server 172.16.20.0 255.255.255.0

push "route 192.168.100.0 255.255.255.0"   # NAS subnet
push "route 172.16.14.0 255.255.255.0"     # Server subnet

keepalive 10 120
tls-version-min 1.2
cipher AES-256-GCM
data-ciphers AES-256-GCM     # OpenVPN 2.5+; drop this line on 2.4
persist-key
persist-tun
user nobody
group nogroup
status /var/log/openvpn-status.log
verb 3

topology subnet gives each client a single address from 172.16.20.0/24 instead of a /30 pair, which is also the form ifconfig-push expects if you later assign static addresses. crl-verify is what makes a revocation (see Notes) take effect; without it the server keeps accepting revoked certificates.

Enable IP forwarding so the server will route between tun0 and the LAN:

echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Forwarding alone is not enough for the pushed routes to work: hosts on 192.168.100.0/24 and 172.16.14.0/24 also need a way to send replies back to 172.16.20.0/24. Either add a static route for 172.16.20.0/24 via the VPN server's LAN address on the router serving those subnets (and on the NAS itself if it uses a different gateway), or have the server NAT client traffic to its own LAN address. NAT is simpler, but the NAS then sees every client as the VPN server's IP, which is worse for per-user auditing. Whichever you choose, open UDP 1194 in the host firewall and make sure the FORWARD chain permits traffic between tun0 and the LAN interface.
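The return-path and firewall requirements above, as an added example that is not part of the original plan: a small script that prints, or applies, the iptables rules a server of this shape needs. It accepts the tunnel port, forwards client traffic only to the two pushed subnets, lets replies back in, drops everything else from the tunnel, and masquerades so the NAS and server subnets can answer without a static route. The interface names eth0 and tun0, the use of iptables, and the print/apply arguments are assumptions; the addresses are those from server.conf.

```shell
#!/bin/sh
# vpn-firewall.sh (added example, not from the original plan): firewall and NAT
# rules that make the pushed routes usable.  With no argument the script only
# prints the rules; "apply" feeds them to sh and must be run as root.
# Assumptions: LAN-facing interface eth0, tunnel interface tun0, VPN subnet
# 172.16.20.0/24 as in server.conf, iptables in use.
set -eu

LAN_IF="${LAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-172.16.20.0/24}"
VPN_PORT="${VPN_PORT:-1194}"
# Subnets the plan pushes to clients; everything else on the LAN stays unreachable.
ALLOWED_NETS="${ALLOWED_NETS:-192.168.100.0/24 172.16.14.0/24}"

# vpn_fw_rules: print the rule set, one iptables command per line.
vpn_fw_rules() {
    # Accept the tunnel itself on the outside/LAN interface.
    echo "iptables -A INPUT -i $LAN_IF -p udp --dport $VPN_PORT -j ACCEPT"
    # Replies to connections that VPN clients opened.
    echo "iptables -A FORWARD -i $LAN_IF -o $VPN_IF -d $VPN_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # New connections from clients, restricted to the pushed subnets.
    for net in $ALLOWED_NETS; do
        echo "iptables -A FORWARD -i $VPN_IF -o $LAN_IF -s $VPN_NET -d $net -j ACCEPT"
    done
    # Anything else a client tries to reach through the server is dropped.
    echo "iptables -A FORWARD -i $VPN_IF -j DROP"
    # NAT client traffic to the server's LAN address so the NAS and the server
    # subnet can answer without a static route for $VPN_NET. Omit this line if
    # you add that route on the LAN router instead; clients then keep their
    # tunnel addresses in the NAS logs.
    echo "iptables -t nat -A POSTROUTING -s $VPN_NET -o $LAN_IF -j MASQUERADE"
}

case "${1:-print}" in
    print) vpn_fw_rules ;;
    apply) vpn_fw_rules | sh -e ;;
    *)     echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

Rules added this way do not survive a reboot; on Ubuntu, install iptables-persistent (or write the equivalent nftables ruleset to /etc/nftables.conf) once the rules are confirmed to work. Review the printed output before using apply, since the DROP rule cuts off any LAN destination you forgot to list in ALLOWED_NETS.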

Step 7: Start OpenVPN Service

The openvpn@server unit reads /etc/openvpn/server.conf (the part after @ is the config file name without .conf):

sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server

Check logs:

journalctl -u openvpn@server -f

Step 8: Prepare Client Configuration

Example client config (client.ovpn):

client
dev tun
proto udp
remote <SERVER_PUBLIC_IP> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
verb 3

<ca>
# paste the -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- block from pki/ca.crt
</ca>

<cert>
# paste the same kind of block from pki/issued/clientname.crt
# (the human-readable dump above it is not needed)
</cert>

<key>
# paste pki/private/clientname.key
</key>

<tls-auth>
# paste ta.key
</tls-auth>
key-direction 1

key-direction 1 is the counterpart of tls-auth ta.key 0 on the server; the two sides must use opposite directions. remote-cert-tls server makes the client refuse a peer whose certificate lacks the server extended key usage, which is what stops a stolen client certificate from being used to impersonate the server. Each client receives its own .ovpn file with its unique certificate and key. Because of nopass the file holds an unencrypted private key, so hand it over through a secure channel and delete the copy on the CA host afterwards.
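How the customized .ovpn files are produced in practice, as an added example that is not part of the original plan. It reads the Easy-RSA layout used in Steps 2 to 5 (pki/ca.crt, pki/issued/<name>.crt, pki/private/<name>.key, and ta.key in the CA directory), embeds only the PEM blocks, refuses to build a bundle for a name that has no issued certificate (which is also the state after ./easyrsa revoke moves it out of pki/issued/), and writes the file with mode 0600 since it contains a private key. CA_DIR, the server address vpn.example.com and the make_ovpn / pem_cert names are assumptions, not values from the plan.

```shell
#!/bin/sh
# make_ovpn.sh (added example, not from the original plan): build one client
# bundle with certificate, key, CA and tls-auth key inlined.
# Usage: sh make_ovpn.sh alice alice.ovpn
# Assumptions: CA_DIR is the make-cadir directory from Step 2 and SERVER is the
# public address clients connect to; both are placeholders here.
set -eu

CA_DIR="${CA_DIR:-${HOME:-/root}/openvpn-ca}"
SERVER="${SERVER:-vpn.example.com}"

# pem_cert FILE: print only the PEM block. Easy-RSA writes a human-readable dump
# of the certificate above the PEM in pki/issued/*.crt; that text is not needed.
pem_cert() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"
}

# make_ovpn NAME OUTFILE: write the bundle, or fail without creating OUTFILE
# when any piece is missing (for example after ./easyrsa revoke NAME).
make_ovpn() {
    name="$1"; out="$2"
    ca="$CA_DIR/pki/ca.crt"
    crt="$CA_DIR/pki/issued/$name.crt"
    key="$CA_DIR/pki/private/$name.key"
    ta="$CA_DIR/ta.key"
    for f in "$ca" "$crt" "$key" "$ta"; do
        [ -r "$f" ] || { echo "make_ovpn: missing or unreadable: $f" >&2; return 1; }
    done
    # Subshell so the restrictive umask does not leak into the caller.
    (
        umask 077
        {
            # Same base settings as client.ovpn above; only remote differs per site.
            cat <<EOF
client
dev tun
proto udp
remote $SERVER 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
verb 3
key-direction 1
EOF
            echo "<ca>";       pem_cert "$ca";  echo "</ca>"
            echo "<cert>";     pem_cert "$crt"; echo "</cert>"
            echo "<key>";      cat "$key";      echo "</key>"
            echo "<tls-auth>"; cat "$ta";       echo "</tls-auth>"
        } > "$out"
    )
}

if [ $# -eq 2 ]; then
    make_ovpn "$1" "$2"
fi
```

Run it once per client (sh make_ovpn.sh alice alice.ovpn, sh make_ovpn.sh bob bob.ovpn) from the machine that holds the CA directory; the resulting file is the only thing the user needs.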


Step 9: Verify Connectivity

On the client (root is needed to create the tun interface):

sudo openvpn --config client.ovpn

The log should end with "Initialization Sequence Completed", and tun0 should hold an address in 172.16.20.0/24 with routes to the two pushed subnets.

Check connectivity to NAS:

ping 192.168.100.10

Check connectivity to server subnet:

ping 172.16.14.240

If the tunnel is up but neither ping answers, the usual causes are a missing return route or NAT on the server (Step 6) or a FORWARD rule dropping the traffic; if only the NAS fails, check the NAS's own firewall.

Notes

  • Each client certificate is bound to one user/device. The CN is what shows up in the status log and in client-config-dir, so name certificates after the person or device rather than "client1".
  • Revoke a certificate as soon as it is lost or the user leaves, then regenerate the CRL:
./easyrsa revoke <clientname>
./easyrsa gen-crl
    Copy pki/crl.pem over /etc/openvpn/crl.pem. The server only enforces it if server.conf contains crl-verify crl.pem, and an already connected client is only checked again at its next TLS renegotiation (hourly by default), so restart openvpn@server if the client is connected at that moment.
  • To give a user a fixed address, add client-config-dir ccd to server.conf and create /etc/openvpn/ccd/<clientname> containing an ifconfig-push line; the directory must be readable by the nobody user.
  • Use firewall rules on the server's FORWARD chain to limit what each client may reach; by default every client can reach everything the pushed routes cover.
  • The CA private key (pki/private/ca.key) signs every certificate the server trusts. Keep it passphrase-protected and, ideally, keep the whole ~/openvpn-ca directory on a separate machine rather than on the VPN server.

This completes the OpenVPN setup with Easy-RSA, per-user certificates, subnet routing, and certificate revocation.