IDS-Viet/VPN
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
ebb6fde04d
VPN/vpn-plan.md
arthur ebb6fde04d initialize project
2025-09-27 23:06:32 +07:00

214 lines
3.4 KiB
Markdown
Raw Blame History

# OpenVPN Deployment Plan with Easy-RSA
This plan describes how to set up a secure OpenVPN server with Easy-RSA for certificate management. It includes PKI initialization, server configuration, client certificate generation, and network routing considerations.
---
## Step 1: Install Dependencies
On the Ubuntu server:
```bash
sudo apt update
sudo apt install openvpn easy-rsa
```
---
## Step 2: Prepare Easy-RSA Environment
```bash
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
```
The `make-cadir` command creates a working directory containing Easy-RSA scripts, including `easyrsa`.
Initialize the PKI:
```bash
./easyrsa init-pki
```
---
## Step 3: Build the Certificate Authority (CA)
```bash
./easyrsa build-ca
```
This creates the CA private key and certificate, which are required to sign server and client certificates.
---
## Step 4: Generate Server Certificate and Key
```bash
./easyrsa gen-req server nopass
./easyrsa sign-req server server
```
The server certificate will be placed in `pki/issued/`.
Also generate Diffie-Hellman parameters and TLS key:
```bash
./easyrsa gen-dh
openvpn --genkey --secret ta.key
```
---
## Step 5: Create Client Certificates (Per User/Device)
Each client **must have a unique certificate**.
For example, for client `alice`:
```bash
./easyrsa gen-req alice nopass
./easyrsa sign-req client alice
```
Repeat this for every user/device. Example for `bob`:
```bash
./easyrsa gen-req bob nopass
./easyrsa sign-req client bob
```
> 🔹 Do **not** reuse client certificates. One certificate = one user/device.
---
## Step 6: Configure OpenVPN Server
Create `/etc/openvpn/server.conf`:
```conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
server 172.16.20.0 255.255.255.0
push "route 192.168.100.0 255.255.255.0" # NAS subnet
push "route 172.16.14.0 255.255.255.0" # Server subnet
keepalive 10 120
cipher AES-256-GCM
persist-key
persist-tun
user nobody
group nogroup
status /var/log/openvpn-status.log
verb 3
```
Enable IP forwarding:
```bash
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
```
---
## Step 7: Start OpenVPN Service
```bash
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
```
Check logs:
```bash
journalctl -u openvpn@server -f
```
---
## Step 8: Prepare Client Configuration
Example client config (`client.ovpn`):
```conf
client
dev tun
proto udp
remote <SERVER_PUBLIC_IP> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
verb 3
<ca>
# paste contents of ca.crt
</ca>
<cert>
# paste clientname.crt
</cert>
<key>
# paste clientname.key
</key>
<tls-auth>
# paste ta.key
</tls-auth>
key-direction 1
```
Each client receives a customized `.ovpn` file with its unique certificate and key.
---
## Step 9: Verify Connectivity
On the client:
```bash
openvpn --config client.ovpn
```
Check connectivity to NAS:
```bash
ping 192.168.100.10
```
Check connectivity to server subnet:
```bash
ping 172.16.14.240
```
---
## Notes
- Each client certificate is bound to **one user/device**.
- Use `revocation` if a certificate is compromised:
```bash
./easyrsa revoke <clientname>
./easyrsa gen-crl
```
- Consider enabling `client-config-dir` for assigning static IPs per user.
- Use firewall rules to restrict client access if needed.
---
✅ This completes the OpenVPN setup with Easy-RSA, per-user certificates, and subnet routing.
Reference in New Issue View Git Blame Copy Permalink