Installing and configuring an OpenVPN server on Linux Debian 10 Buster


Preparation


Enable IPv4 and IPv6 forwarding:
sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g;s/#net.ipv6.conf.all.forwarding=1/net.ipv6.conf.all.forwarding=1/g' /etc/sysctl.conf
sysctl -p
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
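The sed above only uncomments the two keys. It leaves a line that is already uncommented but set to 0 untouched and does nothing when a key is absent from the file, so sysctl -p can still report forwarding as disabled. The following POSIX sh script is an added example and not part of the original tutorial: it sets both keys idempotently in a sysctl.conf-style file (commented, set to 0, duplicated or missing) and verifies the effective value the way sysctl reads it, last uncommented line wins. The function names and the constructed sample file are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the tutorial: idempotent enabling and verification
# of the two forwarding keys in a sysctl.conf-style file ("key = value" lines).
# Assumed: the file to edit is passed as $1; awk is POSIX awk (gawk/mawk).
set -u

# Keys the tutorial enables.
FORWARD_KEYS="net.ipv4.ip_forward net.ipv6.conf.all.forwarding"

# ensure_key_enabled FILE KEY
# Rewrites FILE so that KEY occurs exactly once, uncommented and set to 1.
# The first line naming KEY (commented or not) becomes that line; later
# duplicates are dropped; if KEY is absent it is appended.
ensure_key_enabled() {
    file=$1
    key=$2
    tmp="$file.tmp.$$"
    awk -v key="$key" '
        {
            line = $0
            sub(/^[ \t]*[#]?[ \t]*/, "", line)     # strip blanks and one comment marker
            split(line, kv, /[ \t]*=[ \t]*/)       # kv[1] = key name
            if (kv[1] == key) {
                if (!done) { print key " = 1"; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " = 1" }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# key_value FILE KEY -> prints the effective value of KEY (last uncommented
# occurrence, as sysctl -p applies it) or nothing if it is not set.
key_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/^[ \t]*/, "", line)
            n = split(line, kv, /[ \t]*=[ \t]*/)
            if (n >= 2 && kv[1] == key) { val = kv[2]; sub(/[ \t]+$/, "", val) }
        }
        END { if (val != "") print val }
    ' "$1"
}

# enable_forwarding_conf FILE -> set every key in FORWARD_KEYS to 1
enable_forwarding_conf() {
    for k in $FORWARD_KEYS; do
        ensure_key_enabled "$1" "$k"
    done
}

# check_forwarding_conf FILE -> 0 only if every key in FORWARD_KEYS is 1
check_forwarding_conf() {
    rc=0
    for k in $FORWARD_KEYS; do
        v=$(key_value "$1" "$k")
        if [ "$v" != "1" ]; then
            echo "not enabled: $k (value: '${v:-unset}')" >&2
            rc=1
        fi
    done
    return $rc
}

# Demo on a constructed sample file (not a real host's sysctl.conf): one key
# commented out, the other present but set to 0.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding = 0
EOF
enable_forwarding_conf "$demo"
check_forwarding_conf "$demo" && echo "both forwarding keys enabled in $demo"
rm -f "$demo"
```

On the real host the same functions apply to /etc/sysctl.conf, followed by sysctl -p as in the tutorial; check_forwarding_conf is also useful afterwards to confirm that nothing in a later sysctl.d drop-in needs attention, since only the file given is inspected.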

apt update
apt -y upgrade


Installation


apt install openvpn


Certificates


cp -r /usr/share/easy-rsa /etc/openvpn/
cd /etc/openvpn/easy-rsa
mv vars.example vars
nano vars
# Easy-RSA 3 (as shipped with Debian 10) reads its settings as
# "set_var EASYRSA_REQ_*"; the Easy-RSA 2 form "export KEY_*" is ignored.
# With the default EASYRSA_DN "cn_only" only the Common Name is prompted
# for and used; these fields appear in the DN only if EASYRSA_DN is "org".
set_var EASYRSA_REQ_COUNTRY "DE"
set_var EASYRSA_REQ_PROVINCE "BW"
set_var EASYRSA_REQ_CITY "Zimmern ob Rottweil"
set_var EASYRSA_REQ_ORG "4B42"
set_var EASYRSA_REQ_EMAIL "info@4b42.com"
set_var EASYRSA_REQ_OU "OpenVPN"
./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
./easyrsa build-ca nopass
Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1d 10 Sep 2019
Generating RSA private key, 2048 bit long modulus (2 primes)
..........................+++++
..........................+++++
e is 65537 (0x010001)
Can't load /etc/openvpn/easy-rsa/pki/.rnd into RNG
139867612611712:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:98:Filename=/etc/openvpn/easy-rsa/pki/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:4B42 OpenVPN CA

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt


./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1d 10 Sep 2019
Generating a RSA private key
...............................+++++
........................+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/server.key.MIaKNUCSqn'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:vpro05

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key


Now sign the server certificate with the certificate authority (CA):
./easyrsa sign-req server server
Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1d 10 Sep 2019


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 1080 days:

subject=
commonName = vpro05


Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'vpro05'
Certificate is to be certified until Mar 28 11:08:07 2023 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt


./easyrsa gen-dh
Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1d 10 Sep 2019
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...........+...........+.........................+..............+.........................+...++*++*++*++*

DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem


Now create the HMAC key for tls-auth with the following command:
openvpn --genkey --secret ta.key

Finally, copy all certificates and private keys into the OpenVPN directory:
cp ta.key /etc/openvpn/
cp pki/ca.crt /etc/openvpn/
cp pki/private/server.key /etc/openvpn/
cp pki/issued/server.crt /etc/openvpn/
cp pki/dh.pem /etc/openvpn/
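Before the files are copied it is worth confirming that they are what the steps above produced: that server.crt was signed by ca.crt and is usable as a TLS server certificate, that it belongs to server.key, that dh.pem passes OpenSSL's parameter check, that ta.key is an OpenVPN static key, and that neither private key is readable by group or others. The following POSIX sh script is an added example and not part of the tutorial or of Easy-RSA. It assumes the layout shown above (ta.key in the easy-rsa directory, everything else under pki/), requires openssl for the cryptographic checks, and its function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the tutorial: consistency checks on the PKI
# artefacts built with Easy-RSA 3 before they go into /etc/openvpn.
# Assumed layout: DIR/ta.key, DIR/pki/ca.crt, DIR/pki/private/server.key,
# DIR/pki/issued/server.crt, DIR/pki/dh.pem (as the tutorial produces).
set -u

# private_key_unexposed FILE -> 0 unless group or others can read FILE
private_key_unexposed() {
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# static_key_ok FILE -> 0 if FILE carries the OpenVPN static key header/footer
# that "openvpn --genkey --secret" writes
static_key_ok() {
    grep -q '^-----BEGIN OpenVPN Static key V1-----' "$1" &&
    grep -q '^-----END OpenVPN Static key V1-----' "$1"
}

# cert_matches_key CRT KEY -> 0 if both contain the same public key
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$c" = "$k" ]
}

# cert_is_server CRT -> 0 if OpenSSL considers CRT usable as a TLS server
# certificate (what a client checking "remote-cert-tls server" expects)
cert_is_server() {
    openssl x509 -in "$1" -noout -purpose | grep -q '^SSL server : Yes'
}

# verify_openvpn_pki DIR -> 0 only if every artefact exists and is consistent;
# each problem found is reported on stderr
verify_openvpn_pki() {
    d=$1
    rc=0
    for f in ta.key pki/ca.crt pki/private/server.key pki/issued/server.crt pki/dh.pem; do
        [ -f "$d/$f" ] || { echo "missing: $d/$f" >&2; rc=1; }
    done
    [ $rc -eq 0 ] || return 1     # no point running openssl on missing files

    static_key_ok "$d/ta.key" \
        || { echo "ta.key is not an OpenVPN static key" >&2; rc=1; }
    for f in ta.key pki/private/server.key; do
        private_key_unexposed "$d/$f" \
            || { echo "$f is readable by group or others" >&2; rc=1; }
    done
    openssl verify -CAfile "$d/pki/ca.crt" "$d/pki/issued/server.crt" >/dev/null 2>&1 \
        || { echo "server.crt does not verify against ca.crt" >&2; rc=1; }
    cert_is_server "$d/pki/issued/server.crt" \
        || { echo "server.crt lacks the TLS server purpose" >&2; rc=1; }
    cert_matches_key "$d/pki/issued/server.crt" "$d/pki/private/server.key" \
        || { echo "server.crt and server.key do not match" >&2; rc=1; }
    openssl dhparam -in "$d/pki/dh.pem" -check -noout >/dev/null 2>&1 \
        || { echo "dh.pem fails openssl dhparam -check" >&2; rc=1; }
    return $rc
}

# Usage on the tutorial's host (run from /etc/openvpn/easy-rsa), e.g.:
#   verify_openvpn_pki . && cp ta.key pki/ca.crt pki/private/server.key \
#       pki/issued/server.crt pki/dh.pem /etc/openvpn/
```

The permission check matters because the cp above preserves the source mode: Easy-RSA creates server.key with mode 0600, but ta.key is written by openvpn with the process umask, so a permissive umask leaves the tls-auth key readable by every local user after copying.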



Configuration