OpenVPN

From philcrump.co.uk

Issue New Client Key

cd /etc/openvpn/easy-rsa/
source vars
./build-key client1

This creates the files 'client1.crt' and 'client1.key' in '/etc/openvpn/easy-rsa/keys/'.

These two files along with 'ca.crt' should be copied into a new directory in '/root/vpnkeys/'. You can then generate a tarball of the new directory for distribution to the client machine.

Client Config Template

### VPN Client config for CLIENTNAME ###
client
dev tun
proto udp
 
remote <hostname> 1194
remote <IP> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
 
ca "ca.crt"
cert "CLIENTNAME.crt"
key "CLIENTNAME.key"
 
tls-auth "hmac.key" 1
cipher AES-128-CBC
 
remote-cert-tls server
comp-lzo
verb 1

Script

#!/bin/bash
# Issue a client certificate with easy-rsa and package it with the CA cert,
# the tls-auth key and a rendered client.conf for distribution.
clientname=$1

if [ -z "$clientname" ]; then
  echo "Usage: ./client-generate-cert.sh <client-name>"
  exit 1
fi

# easy-rsa will not reuse a common name; fail early with a clear message.
if [ -e "/etc/openvpn/easy-rsa/keys/${clientname}.crt" ]; then
  echo "ERROR: Certificate for this client name already exists!"
  exit 1
fi

echo "Generating cert for ${clientname}, you'll need to answer the following questions:"

cd /etc/openvpn/easy-rsa || exit 1
. ./vars
./build-key "${clientname}" || exit 1

echo "Thanks, wrapping up!"

mkdir -p "/root/vpnkeys/${clientname}/"

cp /etc/openvpn/ca.crt "/root/vpnkeys/${clientname}/"
cp /etc/openvpn/hmac.key "/root/vpnkeys/${clientname}/"
cp "/etc/openvpn/easy-rsa/keys/${clientname}.crt" "/root/vpnkeys/${clientname}/"
cp "/etc/openvpn/easy-rsa/keys/${clientname}.key" "/root/vpnkeys/${clientname}/"

# Render the template: every CLIENTNAME placeholder becomes the client's name.
cp /root/vpnkeys/client-template.conf "/root/vpnkeys/${clientname}/client.conf"
sed -i "s/CLIENTNAME/${clientname}/g" "/root/vpnkeys/${clientname}/client.conf"

cd "/root/vpnkeys/${clientname}/" || exit 1
tar -cf "${clientname}.tar" *.*

echo "Done!"
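The key-issuing steps and the script above both end with a per-client directory that is tarred up and handed out. Before that tarball leaves the server it is worth checking that the rendering worked and that nothing from the CA side was swept into it. The following check is an added example and is not part of the original page or its script; it assumes the bundle layout used here (ca.crt, hmac.key, <client>.crt, <client>.key and a rendered client.conf in one directory). The sample bundle it builds uses constructed placeholder file contents, not real certificates or keys, and the hostname vpn.example.invalid is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original page or its script: a pre-distribution
# check for the per-client bundle directory created under /root/vpnkeys/<client>/.
# Assumes the page's bundle layout: ca.crt, hmac.key, <client>.crt, <client>.key
# and a rendered client.conf in one directory.

# check_vpn_bundle DIR CLIENT: exit status 0 when the bundle is safe to ship.
check_vpn_bundle() {
  dir="$1"; name="$2"; rc=0
  conf="$dir/client.conf"

  # 1. Everything the template references must be present.
  for f in ca.crt hmac.key "$name.crt" "$name.key" client.conf; do
    [ -f "$dir/$f" ] || { echo "MISSING: $f" >&2; rc=1; }
  done
  [ "$rc" -eq 0 ] || return 1

  # 2. CA-side material must never travel with a client bundle.
  for f in ca.key index.txt serial "$name.csr"; do
    [ -e "$dir/$f" ] && { echo "LEAK: $f must not be distributed" >&2; rc=1; }
  done
  for k in "$dir"/*.key; do
    case "$(basename "$k")" in
      hmac.key|"$name.key") ;;
      *) echo "LEAK: unexpected private key $(basename "$k")" >&2; rc=1 ;;
    esac
  done

  # 3. The sed rendering must have replaced every CLIENTNAME placeholder, and
  #    each file directive must point at a file that is actually in the bundle.
  grep -q CLIENTNAME "$conf" && { echo "TEMPLATE: CLIENTNAME left in client.conf" >&2; rc=1; }
  for d in ca cert key tls-auth; do
    ref=$(awk -v d="$d" '$1 == d { gsub(/"/, "", $2); print $2; exit }' "$conf")
    if [ -z "$ref" ]; then
      echo "CONFIG: no '$d' directive in client.conf" >&2; rc=1
    elif [ ! -f "$dir/$ref" ]; then
      echo "CONFIG: '$d $ref' names a file missing from the bundle" >&2; rc=1
    fi
  done

  # 4. The client must check the server certificate's role; without this any
  #    certificate signed by the CA (another client's, say) would be accepted
  #    as the server.
  grep -Eq '^(remote-cert-tls|ns-cert-type)[[:space:]]+server' "$conf" \
    || { echo "CONFIG: server certificate role is not verified" >&2; rc=1; }

  # 5. Keys are for the client only; drop group/world permissions.
  chmod 600 "$dir/$name.key" "$dir/hmac.key"
  return "$rc"
}

# make_sample_bundle DIR CLIENT: a constructed bundle with placeholder contents
# (not real certificates or keys) whose client.conf follows the page's template.
make_sample_bundle() {
  dir="$1"; name="$2"
  mkdir -p "$dir"
  echo "PLACEHOLDER CA CERTIFICATE" > "$dir/ca.crt"
  echo "PLACEHOLDER TLS-AUTH KEY"   > "$dir/hmac.key"
  echo "PLACEHOLDER CLIENT CERT"    > "$dir/$name.crt"
  echo "PLACEHOLDER CLIENT KEY"     > "$dir/$name.key"
  cat > "$dir/client.conf" <<EOF
### VPN Client config for $name ###
client
dev tun
proto udp
remote vpn.example.invalid 1194
ca "ca.crt"
cert "$name.crt"
key "$name.key"
tls-auth "hmac.key" 1
cipher AES-128-CBC
remote-cert-tls server
EOF
}

# Usage from the command line: ./check-bundle.sh /root/vpnkeys/client1 client1
if [ "$#" -eq 2 ]; then check_vpn_bundle "$1" "$2" && echo "bundle OK"; fi
```

Run it against the directory the script produces before creating the tarball; a non-zero exit with a LEAK or TEMPLATE line means the bundle should not be shipped.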

Client Guide

Reference: Official 12.04 OpenVPN Guide

Do not use NetworkManager-OpenVPN; it appears to mess with the routing in a way that I can't work out how to fix.

sudo apt-get install openvpn

Unpack your key bundle into /etc/openvpn/

Then copy the file below to /etc/openvpn/client.conf and edit the cert and key entries to match the filenames from your key bundle. (You can also use 85.159.212.19 as the remote for clients that may not have working DNS.)

client
dev tun
proto udp
remote philcrump.co.uk 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
# Put your filenames here:
cert client.crt
key client.key
# ^^^^
ns-cert-type server
comp-lzo
cipher AES-128-CBC
verb 3

Start the client with the first command below and you'll quickly be connected; the second command stops it.

sudo service openvpn start
...
sudo service openvpn stop