
Tuesday, 21 June 2016

OpenVPN Server on Debian Jessie

It was time to set up a way of getting secure access to my network while away, and also a secure connection to the Internet when away from home; it also means I can watch BBC iPlayer as if I'm at home.

I'm installing this on an old machine running Debian Jessie; it should work on a Raspberry Pi too. The only things I installed during the initial setup were the standard Debian utilities and the SSH server, so I can do everything remotely.

I've found lots of instructions out there, but the one from this website was the easiest to follow. I've modified it slightly to make it easier to get at the keys.

First thing is to make sure we are up to date; let's switch to root for the install:

su

then

apt-get update
apt-get upgrade


Time to start installing stuff

apt-get install openvpn easy-rsa

Then copy the easy-rsa scripts into /etc/openvpn and make a directory for the keys:

cp -r /usr/share/easy-rsa/ /etc/openvpn
mkdir /etc/openvpn/easy-rsa/keys


Now we edit the certificate variables

nano /etc/openvpn/easy-rsa/vars


# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="changeme"
export KEY_PROVINCE="changeme"
export KEY_CITY="changeme"
export KEY_ORG="example"
export KEY_EMAIL="changeme@example.com"
export KEY_OU="changeme"

# X509 Subject Field
export KEY_NAME="server"

Time to generate the Diffie-Hellman parameters and go and have a coffee; on a Pi this can take a long time:

openssl dhparam -out /etc/openvpn/dh2048.pem 2048


Now we make the CA and the server certificate and key (clean-all empties the keys directory, so only run it this once, when starting the CA from scratch):

cd /etc/openvpn/easy-rsa
. ./vars
./clean-all
./build-ca
./build-key-server server

Let's copy them to where they belong. The CA's private key (keys/ca.key) stays behind in the easy-rsa directory: it is only needed when signing new client certificates, and anyone holding it can mint certificates your server will accept, so keep it readable by root only.

cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn

Now time to make some changes to the network settings:

echo 1 > /proc/sys/net/ipv4/ip_forward

And let's make the changes permanent with:

nano /etc/sysctl.conf

Look for the following bit:

# Uncomment the next line to enable packet forwarding for IPv4
# net.ipv4.ip_forward=1

Then remove the # from the second line so it looks like this:

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

Now we make the server config file:

nano /etc/openvpn/server.conf

Paste this lot into the empty file. This runs the VPN server on UDP port 1194, hands clients addresses from 10.90.10.0/24 and routes all of their traffic through the tunnel (the redirect-gateway line). duplicate-cn lets several connections share one certificate; since every device gets its own certificate below, you can leave it out.


port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key 
dh dh2048.pem
server 10.90.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
client-to-client
duplicate-cn
keepalive 10 120
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status logs/status.log
log-append logs/openvpn.log
verb 3


Now we make the log files:

mkdir -p /etc/openvpn/logs
touch /etc/openvpn/logs/{openvpn,status}.log


And let's do some firewall configuration, so that traffic from the VPN subnet is NATed out through eth0:

iptables -t nat -A POSTROUTING -s 10.90.10.0/24 -o eth0 -j MASQUERADE

Note that iptables-save on its own only prints the running rules to the terminal; it does not store them anywhere, so the rule above would be gone after the next reboot. Install iptables-persistent, which loads /etc/iptables/rules.v4 at boot, and save the rules into that file:

apt-get install iptables-persistent
iptables-save > /etc/iptables/rules.v4

Now let's restart the server to put the changes into place:

systemctl restart openvpn@server.service
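Once ip_forward is on, the box will forward packets between any interfaces unless you tell it not to, and the single MASQUERADE rule above leaves the FORWARD chain wide open. The script below is an added example, not part of the original post: it builds a complete default-deny ruleset in iptables-restore format (NAT for the VPN subnet, forwarding only for packets that arrived through the tunnel and their replies, inbound access only for SSH and the OpenVPN port) and writes it root-only to the file iptables-persistent loads. The interface names eth0 and tun0, the subnet 10.90.10.0/24, UDP 1194 and the function names are my assumptions; adjust them to your box.

```sh
#!/bin/sh
# Added example (not from the original post): build a complete iptables ruleset
# for the VPN box in iptables-restore format and write it where
# iptables-persistent loads it at boot. Assumptions, all adjustable: the WAN/LAN
# side is eth0, OpenVPN's tunnel device is tun0, clients get 10.90.10.0/24,
# OpenVPN listens on UDP 1194 and SSH on TCP 22.
set -e

# vpn_ruleset SUBNET WAN_IF TUN_IF UDP_PORT
# Prints the ruleset. INPUT and FORWARD default to DROP, so the box only
# forwards packets that came in through the tunnel (plus the replies to them)
# instead of forwarding anything from anywhere once ip_forward is enabled.
# "-A INPUT -i $tun" lets VPN clients reach services on the box itself (e.g.
# the Samba share); narrow it down if that is not wanted.
vpn_ruleset() {
    subnet=$1 wan=$2 tun=$3 port=$4
    case "$subnet" in
        */*) ;;
        *) echo "subnet must be in CIDR form, e.g. 10.90.10.0/24" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -i $wan -p udp --dport $port -j ACCEPT
-A INPUT -i $tun -j ACCEPT
-A FORWARD -i $tun -o $wan -s $subnet -j ACCEPT
-A FORWARD -i $wan -o $tun -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $subnet -o $wan -j MASQUERADE
COMMIT
EOF
}

# write_ruleset FILE SUBNET WAN_IF TUN_IF UDP_PORT
# Writes the ruleset atomically and root-only to FILE (iptables-persistent
# reads /etc/iptables/rules.v4). Loading it is left to the caller.
write_ruleset() {
    file=$1; shift
    tmp=$(mktemp "${file}.XXXXXX")
    vpn_ruleset "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0600 "$tmp"
    mv "$tmp" "$file"
}

# Run as root with --install to write the file and load it straight away.
if [ "${1:-}" = "--install" ]; then
    write_ruleset /etc/iptables/rules.v4 10.90.10.0/24 eth0 tun0 1194
    iptables-restore < /etc/iptables/rules.v4
fi
```

Check the file with iptables-restore --test before loading it for the first time, and keep an SSH session open while you do: the INPUT chain drops everything not listed, so a typo in the SSH rule locks you out.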

The original instructions came with a script that creates a key for each user or device and wraps it, with the CA certificate and a template, into a single .ovpn file; there's no point rewriting it from scratch.

nano /etc/openvpn/gen-client.sh

Paste this lot in:

#!/bin/bash
# Create a certificate and key for one user or device and wrap them, with the
# CA certificate and the template, into a single .ovpn file.
set -eo pipefail

username=${1:-}
if [[ -z "$username" || "$username" == */* ]]; then
    echo "usage: $0 <username>" >&2
    exit 1
fi

clients=/etc/openvpn/clients
keys=/etc/openvpn/easy-rsa/keys
out=${clients}/.tmp/${username}.ovpn

# pem_body FILE: print just the PEM block. Certificates signed by easy-rsa carry
# a human-readable dump in front of the PEM, which must not end up inline.
pem_body() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# Generating key
echo "Generating key for user ${username}"
cd /etc/openvpn/easy-rsa/
source vars && ./pkitool "${username}"
cp "${clients}/.tmp/.tmp.ovpn" "$out"
echo "Done"

# Adding ca certificate to ovpn client configuration file
echo "Adding ca certificate to ovpn client configuration file"
{ echo "<ca>"; pem_body "${keys}/ca.crt"; echo "</ca>"; } >> "$out"
echo "Done"

# Adding user certificate to ovpn client configuration file
echo "Adding user certificate to ovpn client configuration file"
{ echo "<cert>"; pem_body "${keys}/${username}.crt"; echo "</cert>"; } >> "$out"
echo "Done"

# Adding user key to ovpn client configuration file
echo "Adding user key to ovpn client configuration file"
{ echo "<key>"; pem_body "${keys}/${username}.key"; echo "</key>"; } >> "$out"

mkdir -p "${clients}/${username}"
mv "$out" "${clients}/${username}/${username}.ovpn"
cp "${keys}/${username}".{crt,key} "${clients}/${username}"
cp "${keys}/ca.crt" "${clients}/${username}"

# -z (gzip) to match the .tar.gz name; the original used -j, which is bzip2
cd "$clients"; tar -zcf "${username}.tar.gz" "${username}/"

# The bundle holds a private key. The read-only Samba share below only needs
# read access, so don't make it world-writable (the original used 0777).
chmod -R u=rwX,go=rX "$clients"

echo "Done"

echo "
=========================================================================================

            Configurations are located in ${clients}/${username}

    ---------------------------------------------------------------------------------

                        Download friendly version with:

         'scp root@`hostname -f`:${clients}/${username}.tar.gz .'

=========================================================================================
"

exit 0


Save it and then make it executable with:

chmod +x /etc/openvpn/gen-client.sh

Next we have to create the template file for this to use:

mkdir -p /etc/openvpn/clients/.tmp/

nano /etc/openvpn/clients/.tmp/.tmp.ovpn


Paste this in, replacing example.com with your external IP address or hostname (this is where the clients will connect to):

client
verb 1
dev tun
proto udp
port 1194
remote example.com 1194 udp
remote-cert-tls server
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
cipher AES-128-CBC

Now, let's make some keys:

cd /etc/openvpn/


Replace username with a name for the user and device (one certificate per device, so a lost phone can be dealt with on its own); I'm going to install this onto an S5, so it will be freds5 or something. If a device is later lost, revoke its certificate with ./revoke-full freds5 from the easy-rsa directory, copy the resulting keys/crl.pem to /etc/openvpn and add crl-verify crl.pem to server.conf; otherwise the bundle keeps working for whoever has the phone.

./gen-client.sh username
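Before a bundle leaves the box it is worth checking that it actually fits together: that the three inline blocks are present, that the embedded CA is the one the server uses, that the client certificate verifies against it and that the key belongs to that certificate, and that the client insists on a server certificate from the other end. The script below is an added example, not part of the original post or of easy-rsa; it assumes the .ovpn carries inline <ca>, <cert> and <key> blocks as gen-client.sh writes them, that the easy-rsa CA certificate is passed as the second argument, and that the openssl command-line tool is installed (the PEM and directive checks work without it). Function names are mine.

```sh
#!/bin/sh
# Added example, not part of the original post or of easy-rsa: sanity-check a
# client bundle produced by gen-client.sh before it is handed to a device.
# Assumes inline <ca>, <cert> and <key> blocks in the .ovpn and the easy-rsa
# keys/ca.crt as the second argument.

# inline_block TAG FILE: print the contents of <TAG>...</TAG> from an .ovpn.
inline_block() {
    sed -n "/^<$1>\$/,/^<\/$1>\$/p" "$2" | sed '1d;$d'
}

# has_directive FILE WORD...: true if the exact line "WORD..." is in FILE.
has_directive() {
    f=$1; shift
    grep -qxF -- "$*" "$f"
}

# check_bundle OVPN CA_CRT: returns 0 when the bundle is consistent, 1
# otherwise, naming every failed check on stdout.
check_bundle() {
    ovpn=$1; ca=$2; rc=0; missing=0
    work=$(mktemp -d)
    for tag in ca cert key; do
        inline_block "$tag" "$ovpn" > "$work/$tag.pem"
        [ -s "$work/$tag.pem" ] || { echo "missing inline <$tag> block"; missing=1; }
    done
    [ "$missing" = 0 ] || rc=1
    # Without this the client would accept any certificate signed by the CA as
    # the server, so a stolen client bundle could impersonate the VPN server.
    has_directive "$ovpn" remote-cert-tls server \
        || { echo "remote-cert-tls server missing"; rc=1; }
    if [ "$missing" = 0 ] && command -v openssl >/dev/null 2>&1; then
        # the embedded CA must be the one the server trusts
        [ "$(openssl x509 -in "$work/ca.pem" -noout -fingerprint -sha256)" = \
          "$(openssl x509 -in "$ca" -noout -fingerprint -sha256)" ] \
            || { echo "embedded <ca> is not $ca"; rc=1; }
        # the client certificate must chain to the CA and be within its validity period
        openssl verify -CAfile "$ca" "$work/cert.pem" >/dev/null 2>&1 \
            || { echo "client certificate does not verify against $ca"; rc=1; }
        # the private key must belong to the certificate
        [ "$(openssl x509 -in "$work/cert.pem" -noout -pubkey)" = \
          "$(openssl pkey -in "$work/key.pem" -pubout 2>/dev/null)" ] \
            || { echo "private key does not match certificate"; rc=1; }
    fi
    rm -rf "$work"
    return $rc
}

# Usage: ./check-bundle.sh /etc/openvpn/clients/freds5/freds5.ovpn /etc/openvpn/easy-rsa/keys/ca.crt
if [ "$#" -eq 2 ]; then
    check_bundle "$1" "$2"
fi
```

The key-matches-certificate check compares the public key derived from the private key with the one in the certificate, which catches the easy mistake of pasting one device's key into another device's bundle; the verify step also catches a certificate issued before a clean-all wiped out the CA that signed it.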


To make it easy to get the files off the server and onto my device, I've installed Samba and set up the client keys folder as a Windows share; this is how it's done. Be aware that the share below allows guest access, so anyone on the LAN can read every bundle and the private key inside it. scp, as the script's banner suggests, is the safer route; either way, delete the bundle from the share once it is on the device.

apt-get install samba samba-common

Once it's finished we edit the Samba config file:

nano /etc/samba/smb.conf

Change the workgroup name at the top of the file; you can also add netbios name = servername under it if you want.

At the bottom add the following:


[VPNKeys]
        path = /etc/openvpn/clients/
        browseable = yes
        public = yes
        writeable = no

Restart the server with:

service smbd restart

Just need to make sure Samba's guest account can read the files. Read access is all the share needs, so don't make them world-writable:

chmod -R u=rwX,go=rX /etc/openvpn/clients

Onto my phone now. I've installed OpenVPN Connect from the Play Store, copied the files from the Windows share into Dropbox, then saved them into a folder on the phone called VPN; you could just install a file browser and do the same. Remember that the .ovpn contains the device's private key, so delete the copy from Dropbox (and from the share) once it is on the phone.

Then import the .ovpn file into OpenVPN Connect and tap Connect.

One last thing: give the server a static IP address on your LAN and forward UDP port 1194 on the router to it.



Thursday, 12 November 2015

SabNZB setup on Ubuntu

To be honest, this is really very easy. We start by opening a terminal on the machine we are going to install the package onto and type:

sudo apt-get install sabnzbdplus


Now we edit the defaults file that the init script reads:

sudo nano /etc/default/sabnzbdplus


USER=root
# The Host one can be 0.0.0.0 if you only have one IP address
HOST=0.0.0.0
# Change this to another port if 8080 is already in use.
PORT=8082


USER=root means SABnzbd, its post-processing scripts and anything that exploits a bug in it all run as root; a dedicated unprivileged account (useradd -r -m sabnzbd, then USER=sabnzbd) is the safer choice. HOST=0.0.0.0 listens on every interface, and the web interface has no login until you set one under Config > General, so either bind to your LAN address only or set a username and password there. Then we make sure the init script is executable:

sudo chmod +x /etc/init.d/sabnzbdplus


Then we restart the service

sudo service sabnzbdplus restart

Once this has finished, point your browser at http://ipaddress:8082 and finish setting it up. You will need a Usenet provider; I use Newsdemon myself.

Friday, 19 July 2013

Clementine and High CPU Usage

I've used Clementine as my music manager for quite a while now, but for some reason it's been causing high CPU utilisation lately, with the cooling fan sounding like a hovercraft. A bit of research indicates it's a bug between Clementine and my Nvidia drivers.

This is the article that pointed out the problem to me:

http://askubuntu.com/questions/65099/clementine-has-high-cpu-usage-even-after-shutting-it-down

Effectively you start Clementine with the __GL_NO_DSO_FINALIZER environment variable set, which in its .desktop entry looks like this:

Exec=env __GL_NO_DSO_FINALIZER=1 clementine %U

Now we don't want to type this in every time we start the app. In KDE it's quite simple: right-click on the start button, select Edit Applications, find Clementine and replace the Command field (clementine %U) with env __GL_NO_DSO_FINALIZER=1 clementine %U (without the Exec= prefix, which belongs only in the .desktop file itself; %U is what passes opened files on to the player).

Simples





Sunday, 23 September 2012

MS Office Removal Tool

Having trouble removing or uninstalling Microsoft Office? There is a removal tool which can be found here.

Word 2007 and 2010 losing spaces in a document

Apparently there are incompatibilities between Word 2007 and 2010 which result in spaces being randomly dropped in a document.

There's an article here, which tells you how to sort it.

Fix an unmountable boot volume

How to troubleshoot "unmountable boot volume" in XP.

If you are unable to start Windows and get an error message saying you have an "unmountable boot volume," this can be caused by a corrupt boot.ini file or by a defective hard drive.

To troubleshoot the problem, do the following:

Boot into the recovery console at startup, using your Windows XP CD.

In the recovery console, type chkdsk /p. If disk errors are discovered, you may need to replace the hard drive.
If no disk errors are discovered, reboot the computer and go back into the recovery console.
Type the following command at the command prompt:

bootcfg /rebuild

The bootcfg utility will scan the drive and display the results.

When the prompt asks if you want to add installation to the boot list (Yes/No/All), type Y and press ENTER.

When asked to "Enter Load Identifier," type the name of the operating system (for example, Windows XP Professional) and press ENTER.

When the prompt says "Enter OS Load options," type /fastdetect and press ENTER.

Remove the Windows XP installation CD from the drive and type Exit.

Reboot the computer. Windows XP should start normally.

Windows 7 password expiry time

Had a Windows 7 machine which forced the customer to change the password every 90 days, and unlike older versions of Windows there was no option to change this in Administrative Tools (the Home editions have no Local Security Policy; on Professional and above it is under secpol.msc, Account Policies > Password Policy).
So it's back to the command line; run this as administrator:

net accounts /MaxPWAge:Unlimited

That sets the local account policy so you won't need to change it again. On a domain-joined machine the domain's password policy takes precedence over this setting.