1.Installing OpenVPN and EasyRSA
$ sudo -i
$ sudo apt update
$ sudo apt install openvpn
$ wget -P ~/ https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz
$ tar xvf EasyRSA-3.0.4.tgz
2.Configuring the EasyRSA Variables and Building the CA
$ cd ~/EasyRSA-3.0.4/
$ cp vars.example vars
$ nano vars
นำ # ของบรรทัดที่มี set_var ออก
set_var EASYRSA_REQ_COUNTRY "TH"
set_var EASYRSA_REQ_PROVINCE "BKK"
set_var EASYRSA_REQ_CITY "BANGKOK"
set_var EASYRSA_REQ_ORG "INFRA"
set_var EASYRSA_REQ_EMAIL "<your-email-address>"
set_var EASYRSA_REQ_OU "Nipa Technology"
$ ./easyrsa init-pki
$ ./easyrsa build-ca nopass
(nopass leaves the CA private key pki/private/ca.key unencrypted on disk; restrict access to it accordingly)
output:
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
3. Creating the Server Certificate, Key, and Encryption Files
$ cd EasyRSA-3.0.4/
$ ./easyrsa init-pki
(note: init-pki re-creates the pki/ directory; on a host that already built its CA in step 2 this erases that CA, so skip this command here unless the server uses a separate PKI)
$ ./easyrsa gen-req server nopass
$ sudo cp ~/EasyRSA-3.0.4/pki/private/server.key /etc/openvpn/
$ ./easyrsa import-req pki/reqs/server.req server
(import-req is only needed when the request was generated on a different machine; gen-req above already placed it at pki/reqs/server.req of this PKI, in which case go straight to sign-req)
$ ./easyrsa sign-req server server
พิมพ์ yes จากนั้นกด Enter
Type the word ‘yes’ to continue, or any other input to abort.
Confirm request details: yes
ย้าย server.crt และ ca.crt ไปที่ /etc/openvpn/
$ cp pki/issued/server.crt /etc/openvpn/
$ cp pki/ca.crt /etc/openvpn/
gen-dh จะได้ file dh.pem ใน Directory pki
$ cd EasyRSA-3.0.4/
$ ./easyrsa gen-dh
genkey ta.key
$ openvpn --genkey --secret ta.key
ย้าย file ที่เรา gen ไปไว้ที่ /etc/openvpn
$ sudo cp ~/EasyRSA-3.0.4/ta.key /etc/openvpn/
$ sudo cp ~/EasyRSA-3.0.4/pki/dh.pem /etc/openvpn/
4.Generating a Client Certificate and Key Pair
$ mkdir -p ~/client-configs/keys
$ chmod -R 700 ~/client-configs
$ cd ~/EasyRSA-3.0.4/
ถ้าไม่ใส่ nopass จะให้ตั้งรหัส
$ ./easyrsa gen-req client1 nopass
ย้าย file client1.key ไปที่ ~/client-configs/keys
$ cp pki/private/client1.key ~/client-configs/keys/
$ ./easyrsa sign-req client client1
Type the word 'yes' to continue, or any other input to abort. Confirm request details: yes
ย้าย file client1.crt, ta.key, ca.crt ไปที่ ~/client-configs/keys
$ cp pki/issued/client1.crt ~/client-configs/keys/
$ cp ~/EasyRSA-3.0.4/ta.key ~/client-configs/keys/
$ sudo cp /etc/openvpn/ca.crt ~/client-configs/keys/
5.Configuring the OpenVPN Service
$ sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
$ sudo gzip -d /etc/openvpn/server.conf.gz
$ sudo vim /etc/openvpn/server.conf
นำ ; ออก
port 443
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
(the sample config lists cert and key as separate directives; server.key was copied to /etc/openvpn/ in step 3)
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "route 10.16.0.0 255.255.0.0"
push "route 10.17.0.0 255.255.0.0"
push "route 172.17.31.0 255.255.255.0"
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
(compression is deprecated in OpenVPN 2.4 and later; omit it on both server and client unless it is required)
user nobody
group nogroup
persist-key
persist-tun
verb 3
explicit-exit-notify 0
6.Adjusting the Server Networking Configuration
$ sudo vim /etc/sysctl.conf
ลบ # ของ net.ipv4.ip_forward=1
$ sudo sysctl -p
output:net.ipv4.ip_forward = 1
$ ip route | grep default
output:default via 203.0.113.1 dev <interface name> proto static
เพิ่มข้อความต่อไปนี้
$ sudo vim /etc/ufw/before.rules
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN clients to ens19/ens20/ens21 (change to the interface you discovered with `ip route` above!)
# note: the VPN pool in server.conf is 10.8.0.0/24, so a /8 source here masquerades the whole 10.0.0.0/8 range; prefer a mask that matches the pool
-A POSTROUTING -s 10.8.0.0/8 -o ens19 -j MASQUERADE
-A POSTROUTING -s 10.16.0.0/16 -o ens19 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/8 -o ens20 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/8 -o ens21 -j MASQUERADE
COMMIT
# END OPENVPN RULES
แก้ไขเป็น Accept
$ sudo nano /etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"
$ sudo ufw allow 1194/udp
(note: server.conf above uses `port 443` and `proto tcp`, so the rule must be `sudo ufw allow 443/tcp` for the service to be reachable; 1194/udp is the sample default)
$ sudo ufw allow OpenSSH
$ sudo ufw disable
$ sudo ufw enable
7.Starting and Enabling the OpenVPN Service
$ sudo systemctl start openvpn@server
$ sudo systemctl status openvpn@server
Active: active (running)
$ sudo systemctl enable openvpn@server
8.Creating the Client Configuration Infrastructure
$ mkdir -p ~/client-configs/files
$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
$ vim ~/client-configs/base.conf
client
dev tun
proto tcp
;tls-auth ta.key 1
(commented out: make_config.sh embeds ta.key inline and key-direction 1 below sets the client side; the client direction must be 1 because the server uses 0)
remote <my server> 443
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
key-direction 1
comp-lzo
verb 3
$ vim ~/client-configs/make_config.sh
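#!/bin/bash
# Assemble a single-file OpenVPN client profile (<client>.ovpn) by embedding
# the CA certificate, the client certificate and key, and the tls-auth key
# into a copy of base.conf.
#
# Usage:   ./make_config.sh <client-identifier>
# Inputs:  ${BASE_CONFIG}, ${KEY_DIR}/ca.crt, ${KEY_DIR}/<client>.crt,
#          ${KEY_DIR}/<client>.key, ${KEY_DIR}/ta.key
# Output:  ${OUTPUT_DIR}/<client>.ovpn (contains private key material)
set -u

KEY_DIR=~/client-configs/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

# Print a diagnostic to stderr.
err() { printf 'make_config: %s\n' "$*" >&2; }

#######################################
# Concatenate the base config and the inline key blocks into one profile.
# Arguments: $1 base config path, $2 key directory, $3 client id, $4 output path
# Returns:   0 on success, 1 if an input file is unreadable or the write fails
#######################################
build_profile() {
  local base=$1 keys=$2 client=$3 out=$4
  local f
  for f in "$base" "$keys/ca.crt" "$keys/$client.crt" "$keys/$client.key" "$keys/ta.key"; do
    if [[ ! -r "$f" ]]; then
      err "cannot read $f"
      return 1
    fi
  done
  # The profile embeds the client's private key and the tls-auth key:
  # create it readable by the owner only.
  umask 077
  {
    cat -- "$base"
    printf '<ca>\n'
    cat -- "$keys/ca.crt"
    printf '</ca>\n<cert>\n'
    cat -- "$keys/$client.crt"
    printf '</cert>\n<key>\n'
    cat -- "$keys/$client.key"
    printf '</key>\n<tls-auth>\n'
    cat -- "$keys/ta.key"
    printf '</tls-auth>\n'
  } > "$out" || return 1
}

#######################################
# Entry point: validate the client identifier and build its profile.
# Arguments: $1 client identifier (a plain name, no path separators)
# Returns:   2 on usage error, otherwise build_profile's status
#######################################
main() {
  local client=${1-}
  # Reject empty names and anything that could escape KEY_DIR.
  if [[ -z "$client" || "$client" == */* ]]; then
    err "usage: ${0##*/} <client-identifier>"
    return 2
  fi
  build_profile "$BASE_CONFIG" "$KEY_DIR" "$client" "$OUTPUT_DIR/$client.ovpn"
}

main "$@"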
$ chmod 700 ~/client-configs/make_config.sh
9.Generating Client Configurations
$ cd ~/client-configs
$ sudo ./make_config.sh client1
(run this as the user who owns ~/client-configs; under sudo, `~` may resolve to root's home on some systems and the script would then not find its input files)
ต้องนำ file client1.key และ client1.crt ไปไว้ใน ~/client-configs/keys ก่อน
$ ls ~/client-configs/files
output:
client1.ovpn