Create Certificates
Type the following commands (exactly as shown) to generate your certs and then move them where they need to be.
cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key
cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/
source vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key
cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/
Finally we need to generate one client certificate to test with so do the following:
cd /etc/openvpn/easy-rsa
./pkitool client1
./pkitool client1
Okay… so all of the keys have been created and moved around. Here is what you should end up with
In /etc/openvpn you should see these files:
- ca.crt
- dh2048.pem
- server.crt
- server.key
- ta.key
and in /etc/openvpn/easy-rsa/keys you will see all of the above and:
- client1.key
- client1.crt
Shew….
Next we are going to do server configuration!
Just an FYI, one of the commands after the second to last reboot prevents any connection to the Linux server
That’s interesting, do you know which command or configuration item is killing the connection? I am wondering if I fat-fingered something somewhere in the write-up. It has been a while since I worked on this. I know when I was testing that VPN connectivity still worked and that the final result was “no split-tunneling” i.e. proxy client machines had all traffic forced through the VPN tunnel. What I am not sure is if I somehow broke SSH connectivity but didn’t realize it because I was working on the machine directly (i.e. not remotely via SSH).
If you can shed some light on this so I can fix the write-up that would be awesome. Hate to have anyone breaking things on there end 🙂
Thanks for the heads up!
Yeah so basically for some reason, doesn’t make sense to me, adding that entry into the iptables and setting the file to load upon restart locks out any connection in, the system i implemented this in is in azure so remote access is the only option, it’s most probably a requirement to add an accept for SSH?
adding the entry without setting the file to load upon restart doesn’t cause any issues (as far as i can tell haven’t checked thoroughly enough)
great post, really love it!
greets, Wilfried
I did it but start openvpn is failed .
openvpn-auth-ldap plugin is 2.03 and download using “yum instal openvpn_auth-ldap.x86_84” on Centos 6
Thanks for this guide. I suggest copy and past attributes from AD directly into “/etc/openvpn/auth/auth-ldap.conf” . This was my issue. Good luck
This saved me a ton of time. Thanks for taking the time to post it.
Just wonder is there a way to secure client certificate from being compromised and used from another PC ?
cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/
here should dh1024 should be changed to dh2048 i believe
Great article! Helped me a lot! Little supplement: Add the following to your server.config:
push “dhcp-option DOMAIN fqdn.yourADDomain.com”
Otherwise a had to use the fullname e.g. servername.fqdn.mydomain.ch to contact my internal infrastructur.
Thanks! Appreciate the tip as well 🙂 – Sure it will help others. OpenVPN Community Edition is honestly a bit of a bear. I finally gave up and just moved to the paid version (which is relatively cheap vs. other similar solutions) which is like a completely different product from an administrative perspective. The thing I really needed was two-factor authentication and the community edition (at the time) was very hard to get setup with this.