Module 5 of 16 · 📖 4 min read · ⏱ 60 min total

FUTO 05 OpenVPN Server (EN)

Table of contents (6 sections)
  1. Concepts and Background
  2. Architecture Diagram
  3. Practical Steps
  4. Common Pitfalls
  5. Further Resources
  6. Knowledge Check

In this module, you will set up a secure VPN server with OpenVPN. You will learn to configure both access from external devices (Client-to-Site) and the connection between two sites (Site-to-Site). The focus is on a robust, production-ready setup with TLS authentication and Easy-RSA for certificate management.

Concepts and Background

OpenVPN
An open-source VPN protocol that uses SSL/TLS for secure data transmission. It supports both TCP and UDP connections and offers high compatibility with various operating systems.
TLS (Transport Layer Security)
A security protocol used for authenticating servers and clients as well as encrypting data channels. OpenVPN uses TLS to establish a secure connection between client and server.
Site-to-Site
A VPN configuration that connects two or more networks. All devices in the connected networks can reach each other as if they were in a single local network.
Client-to-Site
A VPN configuration where individual devices (clients) from the internet connect to the corporate network. Each client gets access to the network resources defined in the VPN.
Easy-RSA
A command-line tool for managing PKI (Public Key Infrastructure). It simplifies the creation and management of certificates for OpenVPN servers and clients.

Architecture Diagram

flowchart LR
  A[Internet] --> B[OpenVPN Server]
  B --> C[LAN]
  B --> D[DMZ]
  E[Client] --> B

Practical Steps

  1. Install OpenVPN on your server with the command
       apt update && apt install openvpn easy-rsa
     This installs the necessary packages for the VPN service and for certificate management.
  2. Create the Easy-RSA working directory with
       make-cadir ~/easy-rsa && cd ~/easy-rsa
     This creates a structured environment for certificate management (the easyrsa script, its OpenSSL configuration and a vars file).
  3. Adjust the configuration file vars by setting at least the following lines (Easy-RSA 3 syntax, which matches the ./easyrsa commands used in the following steps):
       set_var EASYRSA              "$PWD"
       set_var EASYRSA_REQ_COUNTRY  "DE"
       set_var EASYRSA_REQ_PROVINCE "BY"
       set_var EASYRSA_REQ_CITY     "Muenchen"
       set_var EASYRSA_REQ_ORG      "MeinUnternehmen"
       set_var EASYRSA_REQ_EMAIL    "[email protected]"
       # the certificate name ("server") is not set here; it is passed on the command line in step 5
     These values become the subject fields of the certificates you create.
  4. Initialize the PKI and create the certificate authority (CA) with
       ./easyrsa init-pki && ./easyrsa build-ca nopass
     This creates the root CA for your VPN infrastructure; nopass stores the CA key without a passphrase.
  5. Generate the server certificate and key with
       ./easyrsa build-server-full server nopass
     This creates a key pair and a certificate signed by your CA, which is used to authenticate the VPN server to its clients.
  6. Create Diffie-Hellman parameters with
       ./easyrsa gen-dh
     These parameters are used for the key exchange between client and server.
  7. Copy the CA certificate, server certificate, server key and DH parameters to the OpenVPN directory with
       cp pki/ca.crt pki/issued/server.crt pki/private/server.key pki/dh.pem /etc/openvpn/
     These files are required for operating the server. server.key is the server's private key and must stay readable by root only.
  8. Configure the OpenVPN server by creating the file /etc/openvpn/server.conf with these basic settings (file paths are relative to /etc/openvpn):
       port 1194
       proto udp
       dev tun
       # certificates and keys copied in step 7
       ca ca.crt
       cert server.crt
       key server.key
       dh dh.pem
       # VPN subnet handed out to clients
       server 10.8.0.0 255.255.255.0
       ifconfig-pool-persist ipp.txt
       # route all client traffic through the VPN and set the DNS server
       push "redirect-gateway def1"
       push "dhcp-option DNS 8.8.8.8"
       keepalive 10 120
       # comp-lzo is deprecated since OpenVPN 2.4; compression is not recommended for new setups
       comp-lzo
       # drop root privileges after startup
       user nobody
       group nogroup
       persist-key
       persist-tun
       status openvpn-status.log
       verb 3
  9. Start the OpenVPN service with
       systemctl start openvpn@server
     and enable it for autostart with
       systemctl enable openvpn@server
     The server is now operational and waiting for connections.
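Before starting the service in step 9, it is worth checking that the files from step 7 and the settings from step 8 fit together. The following POSIX shell script is an added example for this module, not part of the module or of OpenVPN itself; the function names (check_openvpn_conf, make_sample_dir), the placeholder PEM contents and the sample server.conf it builds are this example's own constructions. It verifies that every ca/cert/key/dh directive points at an existing file relative to the config directory, that the private key is not group- or world-readable, that the user/group privilege drop from step 8 is present, and it warns if compression (comp-lzo/compress) is enabled.

```shell
#!/bin/sh
# Pre-flight check for an OpenVPN server.conf, run before "systemctl start openvpn@server".
# Added example for the module; function names and checks are this script's own choices.

# check_openvpn_conf CONF -> returns 0 if the config looks deployable, 1 otherwise.
check_openvpn_conf() {
    conf=$1
    dir=$(dirname "$conf")
    rc=0
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 1; }

    # 1. ca/cert/key/dh must each name an existing file; relative paths resolve
    #    against the config directory (/etc/openvpn for the openvpn@server unit).
    for directive in ca cert key dh; do
        file=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$file" ]; then
            echo "ERROR: directive '$directive' missing"; rc=1; continue
        fi
        case $file in /*) path=$file ;; *) path=$dir/$file ;; esac
        if [ ! -f "$path" ]; then
            echo "ERROR: $directive -> $path does not exist"; rc=1
        elif [ "$directive" = key ]; then
            # 2. The private key must not be readable by group or others (mode 0600).
            #    Characters 5-10 of "ls -l" output are the group/other permission bits.
            mode=$(ls -ld "$path" | cut -c5-10)
            if [ "$mode" != "------" ]; then
                echo "ERROR: $path is group/other readable (fix: chmod 600 $path)"; rc=1
            fi
        fi
    done

    # 3. The daemon must drop root after startup: both directives need a value.
    for directive in user group; do
        if ! grep -Eq "^[[:space:]]*$directive[[:space:]]+[^[:space:]]" "$conf"; then
            echo "ERROR: no '$directive' directive; the daemon would keep running as root"; rc=1
        fi
    done

    # 4. Compression is deprecated by OpenVPN and weakens confidentiality; warn only.
    if grep -Eq '^[[:space:]]*(comp-lzo|compress)' "$conf"; then
        echo "WARN: compression enabled (comp-lzo/compress); consider removing it"
    fi

    return $rc
}

# make_sample_dir -> prints a throw-away directory that mirrors steps 7 and 8:
# placeholder PEM files (constructed, not real certificates) and a minimal server.conf.
make_sample_dir() {
    sdir=$(mktemp -d)
    for f in ca.crt server.crt server.key dh.pem; do
        printf '%s\n' '-----BEGIN PLACEHOLDER-----' > "$sdir/$f"   # constructed dummy content
    done
    chmod 600 "$sdir/server.key"
    cat > "$sdir/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
verb 3
EOF
    echo "$sdir"
}

# Usage on a real host:  sh openvpn-preflight.sh /etc/openvpn/server.conf
if [ "$#" -gt 0 ]; then
    check_openvpn_conf "$1"
fi
```

A non-zero exit means the service would either fail to start (missing files) or start in a weaker state than intended (key readable by other users, no privilege drop); the compression warning does not change the exit status because the module's configuration still uses comp-lzo.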

Common Pitfalls

Further Resources

Knowledge Check

Four questions for self-assessment.

1. What is the main characteristic that distinguishes Client-to-Site from Site-to-Site VPN configurations?
  • A) The encryption method used
  • B) The number of networks involved
  • C) The protocol used (TCP vs UDP)
  • D) The type of authentication

Correct Answer: B. In Client-to-Site, a single device connects to a network, while Site-to-Site connects two or more networks with each other. The other options are common to both types of VPN configurations.

2. What is the primary purpose of Easy-RSA in OpenVPN configuration?
  • A) Creating network configuration files
  • B) Managing PKI and certificates
  • C) Optimizing VPN connection speed
  • D) Authenticating users via LDAP

Correct Answer: B. Easy-RSA is specifically designed for managing PKI (Public Key Infrastructure) and certificates. The other options describe different functions that are not part of the core of Easy-RSA.

3. Which security feature makes OpenVPN particularly secure?
  • A) The use of static IP addresses