OpenVPN Server Configuration

Pei-Hq-OpenVPN01

# Static table lookup for hostnames.
# See hosts(5) for details.
127.0.0.1 localhost
::1 localhost
127.0.1.1 Pei-Hq-OpenVPN01.localdomain Pei-Hq-OpenVPN01

[root@changeme ~]# netctl disable ethernet-dhcp
removed ‘/etc/systemd/system/multi-user.target.wants/[email protected]’
removed ‘/etc/systemd/system/[email protected]/profile.conf’
removed directory ‘/etc/systemd/system/[email protected]’

Description=’Main Interface’
Interface=ens192
Connection=ethernet
IP=static
Address=(‘192.168.222.100/24′)
Gateway=’192.168.222.1’
DNS=(‘8.8.8.8’)

[root@Pei-Hq-OpenVPN01 ~]# netctl enable ethernet-static
‘/etc/systemd/system/multi-user.target.wants/[email protected]’ -> ‘/usr/lib/systemd/system/[email protected]’
generated ‘/etc/systemd/system/[email protected]/profile.conf’

[root@Pei-Hq-OpenVPN01 ~]# pacman -S openvpn
resolving dependencies…
looking for conflicting packages…Packages (5) lzo-2.10-2 nspr-4.21-1 nss-3.43-1 pkcs11-helper-1.25.1-1
openvpn-2.4.7-1

Total Download Size: 2.06 MiB
Total Installed Size: 7.47 MiB

:: Proceed with installation? [Y/n] Y
:: Retrieving packages…
lzo-2.10-2-x86_64 81.7 KiB 229K/s 00:00 [######################] 100%
nspr-4.21-1-x86_64 189.2 KiB 1051K/s 00:00 [######################] 100%
nss-3.43-1-x86_64 1356.9 KiB 2.47M/s 00:01 [######################] 100%
pkcs11-helper-1.25…. 65.4 KiB 0.00B/s 00:00 [######################] 100%
openvpn-2.4.7-1-x86_64 415.1 KiB 135M/s 00:00 [######################] 100%
(5/5) checking keys in keyring [######################] 100%
(5/5) checking package integrity [######################] 100%
(5/5) loading package files [######################] 100%
(5/5) checking for file conflicts [######################] 100%
(5/5) checking available disk space [######################] 100%
:: Processing package changes…
(1/5) installing lzo [######################] 100%
(2/5) installing nspr [######################] 100%
(3/5) installing nss [######################] 100%
(4/5) installing pkcs11-helper [######################] 100%
(5/5) installing openvpn [######################] 100%
Optional dependencies for openvpn
easy-rsa: easy CA and certificate handling
pam: authenticate via PAM [installed]
:: Running post-transaction hooks…
(1/3) Reloading system manager configuration…
(2/3) Creating temporary files…
(3/3) Arming ConditionNeedsUpdate…
[root@Pei-Hq-OpenVPN01 ~]#

[root@Pei-Hq-OpenVPN01 ~]# pacman -S easy-rsa
resolving dependencies…
looking for conflicting packages…Packages (1) easy-rsa-3.0.6-1

Total Download Size: 0.03 MiB
Total Installed Size: 0.09 MiB

:: Proceed with installation? [Y/n] Y
:: Retrieving packages…
easy-rsa-3.0.6-1-any 31.4 KiB 175K/s 00:00 [######################] 100%
(1/1) checking keys in keyring [######################] 100%
(1/1) checking package integrity [######################] 100%
(1/1) loading package files [######################] 100%
(1/1) checking for file conflicts [######################] 100%
(1/1) checking available disk space [######################] 100%
:: Processing package changes…
(1/1) installing easy-rsa [######################] 100%
:: Running post-transaction hooks…
(1/1) Arming ConditionNeedsUpdate…
[root@Pei-Hq-OpenVPN01 ~]#

[root@Pei-Hq-OpenVPN01 ~]# cd /etc/easy-rsa/
[root@Pei-Hq-OpenVPN01 easy-rsa]# export EASYRSA=$(pwd)
[root@Pei-Hq-OpenVPN01 easy-rsa]# easyrsa init-pki

Note: using Easy-RSA configuration from: /etc/easy-rsa/vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/easy-rsa/pki

[root@Pei-Hq-OpenVPN01 easy-rsa]# easyrsa build-ca

Note: using Easy-RSA configuration from: /etc/easy-rsa/vars

Using SSL: openssl OpenSSL 1.1.1b 26 Feb 2019Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus (2 primes)
………………………………………………………………………………………..+++++
….+++++
e is 65537 (0x010001)
Can’t load /etc/easy-rsa/pki/.rnd into RNG
140348830196224:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:98:Filename=/etc/easy-rsa/pki/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
–—
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:Pei-Hq-OpenVPN01

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/easy-rsa/pki/ca.crt

[root@Pei-Hq-OpenVPN01 ~]# cp /etc/easy-rsa/pki/ca.crt /etc/openvpn/server
[root@Pei-Hq-OpenVPN01 ~]# chown root:root /etc/openvpn/server/ca.crt

[root@Pei-Hq-OpenVPN01 easy-rsa]# easyrsa gen-req Pei-Hq-OpenVPN01 nopass

Note: using Easy-RSA configuration from: /etc/easy-rsa/vars

Using SSL: openssl OpenSSL 1.1.1b 26 Feb 2019
Generating a RSA private key
…………….+++++
………….+++++
writing new private key to ‘/etc/easy-rsa/pki/private/Pei-Hq-OpenVPN01.key.x69qZvOmH6’
–—
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
–—
Common Name (eg: your user, host, or server name) [Pei-Hq-OpenVPN01]:

Keypair and certificate request completed. Your files are:
req: /etc/easy-rsa/pki/reqs/Pei-Hq-OpenVPN01.req
key: /etc/easy-rsa/pki/private/Pei-Hq-OpenVPN01.key

[root@Pei-Hq-OpenVPN01 easy-rsa]# cp /etc/easy-rsa/pki/private/Pei-Hq-OpenVPN01.key /etc/openvpn/server/

[root@Pei-Hq-OpenVPN01 ~]# openssl dhparam -out /etc/openvpn/server/dh.pem 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
………..+……………………………+……..+…………………………………………………………………………………………..+…………………………………………………………………………………………………………………………..+………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………..+………………………………………………………+…………………………………………….+…………………………………………………………………………………………………………………………………………………………..+………..+…………………………………………………………………………………………….+………………………………………………………………………………………………………………………………………………………………………………………………………………….+..+.+………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………+……………………+…………………………………………………………………..+……………………………………………………………..+…………………………………………………………………………………………………..+..+……………………………………………………………………………….+……………..+…+……………………………………+……………………………………………………………………………………………………………………………..+.+………………………………………………………………………………………………………………………………………………………………………………..++*++*++*++*
[root@Pei-Hq-OpenVPN01 ~]#

[root@Pei-Hq-OpenVPN01 ~]# openvpn –genkey –secret /etc/openvpn/server/ta.key
[root@Pei-Hq-OpenVPN01 ~]#

[root@Pei-Hq-OpenVPN01 easy-rsa]# easyrsa sign-req server Pei-Hq-OpenVPN01

Using SSL: openssl OpenSSL 1.1.1b 26 Feb 2019

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 1080 days:

subject=
commonName = Pei-Hq-OpenVPN01
Type the word ‘yes’ to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/easy-rsa/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
commonName :ASN.1 12:’Pei-Hq-OpenVPN01′
Certificate is to be certified until Mar 12 22:47:19 2022 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/easy-rsa/pki/issued/Pei-Hq-OpenVPN01.crt

[root@Pei-Hq-OpenVPN01 ~]# cp /etc/easy-rsa/pki/issued/Pei-Hq-OpenVPN01.crt /etc/openvpn/server/

[root@Pei-Hq-OpenVPN01 ~]# mkdir /usr/local/scripts

local 192.168.222.100
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/Pei-Hq-OpenVPN01.crt
key /etc/openvpn/server/Pei-Hq-OpenVPN01.key # This file should be kept secret
dh /etc/openvpn/server/dh.pem
topology subnet
server 172.25.66.0 255.255.255.0
ifconfig-pool-persist ip-leases
push “route 10.222.2.0 255.255.255.0”
keepalive 10 120
tls-auth /etc/openvpn/server/ta.key 0
cipher AES-256-CBC
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 4
mute 20
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

[root@Pei-Hq-OpenVPN01 server]# openvpn –config /etc/openvpn/server/server.conf
Thu Mar 28 17:04:41 2019 us=349434 Current Parameter Settings:
Thu Mar 28 17:04:41 2019 us=349480 config = ‘/etc/openvpn/server/server.conf’
Thu Mar 28 17:04:41 2019 us=349492 mode = 1
Thu Mar 28 17:04:41 2019 us=349500 persist_config = DISABLED
Thu Mar 28 17:04:41 2019 us=349508 persist_mode = 1
Thu Mar 28 17:04:41 2019 us=349516 show_ciphers = DISABLED
Thu Mar 28 17:04:41 2019 us=349523 show_digests = DISABLED
Thu Mar 28 17:04:41 2019 us=349532 show_engines = DISABLED
Thu Mar 28 17:04:41 2019 us=349539 genkey = DISABLED
Thu Mar 28 17:04:41 2019 us=349546 key_pass_file = ‘[UNDEF]’
Thu Mar 28 17:04:41 2019 us=349594 show_tls_ciphers = DISABLED
Thu Mar 28 17:04:41 2019 us=349605 connect_retry_max = 0
Thu Mar 28 17:04:41 2019 us=349613 Connection profiles [0]:
Thu Mar 28 17:04:41 2019 us=349632 proto = udp
Thu Mar 28 17:04:41 2019 us=349653 local = ‘192.168.222.100’
Thu Mar 28 17:04:41 2019 us=349663 local_port = ‘1194’
Thu Mar 28 17:04:41 2019 us=349671 remote = ‘[UNDEF]’
Thu Mar 28 17:04:41 2019 us=349689 remote_port = ‘1194’
Thu Mar 28 17:04:41 2019 us=349710 remote_float = DISABLED
Thu Mar 28 17:04:41 2019 us=349732 bind_defined = DISABLED
Thu Mar 28 17:04:41 2019 us=349739 NOTE: –mute triggered…
Thu Mar 28 17:04:41 2019 us=349761 267 variation(s) on previous 20 message(s) suppressed by –mute
Thu Mar 28 17:04:41 2019 us=349788 OpenVPN 2.4.7 [git:makepkg/2b8aec62d5db2c17+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 19 2019
Thu Mar 28 17:04:41 2019 us=349830 library versions: OpenSSL 1.1.1b 26 Feb 2019, LZO 2.10
Thu Mar 28 17:04:41 2019 us=350162 Diffie-Hellman initialized with 2048 bit key
Thu Mar 28 17:04:41 2019 us=350439 Outgoing Control Channel Authentication: Using 512 bit message hash ‘SHA512’ for HMAC authentication
Thu Mar 28 17:04:41 2019 us=350464 Incoming Control Channel Authentication: Using 512 bit message hash ‘SHA512’ for HMAC authentication
Thu Mar 28 17:04:41 2019 us=350477 TLS-Auth MTU parms [ L:1621 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Thu Mar 28 17:04:41 2019 us=350691 TUN/TAP device tun0 opened
Thu Mar 28 17:04:41 2019 us=350724 TUN/TAP TX queue length set to 100
Thu Mar 28 17:04:41 2019 us=350741 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Mar 28 17:04:41 2019 us=350802 /usr/bin/ip link set dev tun0 up mtu 1500
Thu Mar 28 17:04:41 2019 us=352537 /usr/bin/ip addr add dev tun0 172.25.66.1/24 broadcast 172.25.66.255
Thu Mar 28 17:04:41 2019 us=354008 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Thu Mar 28 17:04:41 2019 us=354282 Could not determine IPv4/IPv6 protocol. Using AF_INET
Thu Mar 28 17:04:41 2019 us=354315 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Mar 28 17:04:41 2019 us=354335 UDPv4 link local (bound): [AF_INET]192.168.222.100:1194
Thu Mar 28 17:04:41 2019 us=354372 UDPv4 link remote: [AF_UNSPEC]
Thu Mar 28 17:04:41 2019 us=354410 GID set to nobody
Thu Mar 28 17:04:41 2019 us=354430 UID set to nobody
Thu Mar 28 17:04:41 2019 us=354449 MULTI: multi_init called, r=256 v=256
Thu Mar 28 17:04:41 2019 us=354487 IFCONFIG POOL: base=172.25.66.2 size=252, ipv6=0
Thu Mar 28 17:04:41 2019 us=354518 IFCONFIG POOL LIST
Thu Mar 28 17:04:41 2019 us=354553 Initialization Sequence Completed

[root@Pei-Hq-OpenVPN01 server]# systemctl enable [email protected]
Created symlink /etc/systemd/system/multi-user.target.wants/[email protected] → /usr/lib/systemd/system/[email protected].[root@Pei-Hq-OpenVPN01 ~]# systemctl start [email protected][root@Pei-Hq-OpenVPN01 ~]# ps -ef|grep openvpn
nobody 1209 1 0 17:10 ? 00:00:00 /usr/bin/openvpn –status /run/openvpn-server/status-server.log –status-version 2 –suppress-timestamps –config server.conf

[root@Pei-Hq-OpenVPN01]# cd /etc/easy-rsa
[root@Pei-Hq-OpenVPN01 easy-rsa]# echo "n" | easyrsa gen-req client1 nopass

Using SSL: openssl OpenSSL 1.1.1b 26 Feb 2019
Generating a RSA private key
......+++++
..................+++++
writing new private key to '/etc/easy-rsa/pki/private/client1.key.CIlCoYEmpv'
--—
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
--—
Common Name (eg: your user, host, or server name) [client1]:
Keypair and certificate request completed. Your files are:
req: /etc/easy-rsa/pki/reqs/client1.req
key: /etc/easy-rsa/pki/private/client1.key

client
dev tun
proto udp
remote 192.168.222.100 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/client/client1.crt
key /etc/openvpn/client/client1.key
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
tls-auth /etc/openvpn/client/ta.key 1
verb 4
mute 20