search

    OpenVPN

    The First Tutorial

    This is how to check the client’s service status on the rig when you upload config and it’s not working:

    
    systemctl status [email protected]
    journalctl -u [email protected] -e --no-pager -n 100
    

    Just to give you a valid example of the working config: /etc/openvpn/server.conf

    
    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert myservername.crt
    key myservername.key
    dh dh2048.pem
    topology subnet
    server 10.4.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    client-config-dir ccd
    client-to-client
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    log            openvpn.log
    verb 3
    

    And the most important - client.conf. It should go with certificate files.

    
    client
    dev tun
    proto udp
    remote mysupermegaserver.com 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client.crt
    key client.key
    remote-cert-tls server
    comp-lzo
    verb 3
    

    Please note that in config certificates should be named as in the example:

    ca ca.crt

    cert client.crt

    key client.key

    You can upload files with any names, but then they will be renamed to ca.crt, client.crt, client.key. In this way you will have one config for all rigs.

    Also you can embed your certificates into one file to client.conf, so your file will look like this:

    
    client
    dev tun
    proto udp
    remote mysupermegaserver.com 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    remote-cert-tls server
    comp-lzo
    verb 3
    
    #No need for file names, comment or delete them
    #ca ca.crt
    #cert client.crt
    #key client.key
    
    -----BEGIN CERTIFICATE-----
    ***Paste CA Cert Text Here***
    
    -----END CERTIFICATE-----
    
    
    -----BEGIN CERTIFICATE-----
    ***Paste Your Cert Text Here***
    
    -----END CERTIFICATE-----
    
    
    -----BEGIN PRIVATE KEY-----
    ***Paste Your Cert Private Key Here***
    
    -----END PRIVATE KEY-----
    
    

    Also if you want TLS Auth, you can embed that key in this way:

    
    key-direction 1
    
    -----BEGIN OpenVPN Static key V1-----
    ...tls key...
    -----END OpenVPN Static key V1-----
    

    auth-user-pass is now supported also. So just put this option in client config and upload it with giving login and password in upload dialog.

    The Second Tutorial

    First of all you need to have a PC or a Server that needs to have a fixed IP on the internal network (the network where you host the VPN Server). Please remember that all VPN traffic will go to the VPN Server machine, coming from each VPN client (each of your rigs and yourself at your personal computer).

    We're assuming you already have installed your VPN Server software at your Windows or Linux. Please note that OpenVPN 2.4 installers will not work on Windows XP.

    If you use, for example, Debian, to install OpenVPN just type: apt-get install openvpn. With this you get the Debian OpenVPN package that you will use to set up your OpenVPN server and generate server and client keys.

    Links to download OpenVPN and install it manually at the time this tutorial was written:

    Linux: https://swupdate.openvpn.org/community/releases/openvpn-2.4.5.tar.gz

    Windows: https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.5-I601.exe

    Configuring

    First we need to create the CA certificate. To do this use the following commands:

    If you are using Linux, BSD, or a Unix-like OS, open a shell and use the cd command to go to the easy-rsa subdirectory. If you installed OpenVPN from an RPM or DEB file, the easy-rsa subdirectory can usually be found in /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn (it’s best to copy this directory to another location such as /etc/openvpn, before any edits, so that future OpenVPN package upgrades won’t overwrite your modifications). If you installed from a .tar.gz file, the easy-rsa subdirectory will be in the top level directory of the expanded source tree.

    At Debian, if you did apt-get install openvpn, execute the following commands:

    
    1:	make-cadir my_ca
    2:	cd my_ca
    3:	pico vars
    

    If you are using Windows, open up a Command Prompt window and use cd to get to \Program Files\OpenVPN\easy-rsa. Run the following batch file to copy configuration files into place (this will overwrite any preexisting vars.bat and openssl.cnf files): init-config.

    Now edit the vars file (called vars.bat on Windows / at Linux use the pico vars command) and set the KEYCOUNTRY, KEYPROVINCE, KEYCITY, KEYORG, and KEY_EMAIL parameters. Don’t leave any of these parameters blank:

    Set KEY_SIZE to “4096”

    Exit and save the vars file.

    At Debian, if you did apt-get install openvpn, run this command: cp openssl-1.0.0.cnf openssl.cnf.

    Next, initialize the PKI.

    On Linux/BSD/Unix:

    
    source ./vars
    ./clean-all
    ./build-ca
    

    On Windows:

    
    vars
    clean-all
    build-ca
    

    Next, we will generate a certificate and private key for the server.

    On Linux/BSD/Unix: ./build-key-server server.

    On Windows: build-key-server server.

    As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter “server”. Two other queries require positive responses, “Sign the certificate? [y/n]” and “1 out of 1 certificate requests certified, commit? [y/n]”.

    Generate certificates & keys for 3 clients. Generating client certificates is very similar to the previous step.

    On Linux/BSD/Unix:

    
    ./build-key client1
    ./build-key client2
    ./build-key client3
    

    On Windows:

    
    build-key client1
    build-key client2
    build-key client3
    

    Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. “client1”, “client2”, or “client3”. Always use a unique common name for each client.

    Generate Diffie Hellman parameters

    Diffie Hellman parameters must be generated for the OpenVPN server.

    On Linux/BSD/Unix: ./build-dh

    On Windows: build-dh

    Key Files

    Now we will find our newly-generated keys and certificates in the keys subdirectory (my_ca/keys). Here is an explanation of the relevant files:

    openvpn image

    The final step in the key generation process is to copy all files to the machines which need them, taking care to copy secret files over a secure channel.

    Execute the su command to get root access.

    Execute the following command when you are at my_ca/keys directory: cp ca.crt server.key server.crt dh4096.pem /etc/openvpn/server/.

    Your server.conf file will be placed at Linux here: /etc/openvpn/server.conf. And it will look something like this:

    
    port 1194
    proto udp
    dev tun
    ca server/ca.crt
    cert server/server.crt
    key server/server.key
    dh server/dh4096.pem
    topology subnet
    server 10.200.200.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    client-config-dir ccd
    client-to-client
    keepalive 10 120
    comp-lzo
    persist-key
    persist-tun
    status openvpn-status.log
    log openvpn.log
    verb 3
    

    Create the server.conf file at /etc/openvpn/ using this command: cat > server.conf.

    Then copy all the configuration above, at the end of the file press “CTRL-C” and the “server.conf” will be created. Create the following directory: mkdir /etc/openvpn/ccd.

    Run OpenVPN server like this at /etc/openvpn/: openvpn server.conf

    Your OpenVPN server should be running with no errors.

    OpenVPN server should be working after booting and running if you used Debian package install. If not or manually installed, you need to get openvpn server.conf at the initscript.

    For the client.conf file you need to upload to Hive OS website:

    
    client
    dev tun
    proto udp
    remote dyndns.name.here.org 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    remote-cert-tls server
    comp-lzo
    verb 3
    
    -----BEGIN CERTIFICATE-----
    ***Paste CA Cert Text Here***
    
    -----END CERTIFICATE-----
    
    
    -----BEGIN CERTIFICATE-----
    ***Paste Your Cert Text Here***
    
    -----END CERTIFICATE-----
    
    
    -----BEGIN PRIVATE KEY-----
    ***Paste Your Cert Private Key Here***
    
    -----END PRIVATE KEY-----
    

    Where ca it’s your “ca.crt” , cert it’s your “client.crt” and key it’s your “client.key” content. You need to copy and paste each of these files content into those 3 fields.

    Here at remote dyndns.name.here.org 1994 line, if you have a dynamic IP Address (it’s better if you get some DynDns Service), get a dynamic dns like dyndns.name.here.org, and set it at your local router at DynDns settings so the router update your dynamic IP Address automatically.

    Edit the remote directive to point to the hostname/IP address and port number of the OpenVPN server. If your OpenVPN server will be running on a single-NIC machine behind a firewall/NAT-gateway, use the public IP address of the gateway, and a port number which you have configured for the gateway to forward to the OpenVPN server.

    To check client’s service status on the rig when you upload config and it’s not working:

    
    systemctl status [email protected]
    journalctl -u [email protected] -e --no-pager -n 100
    

    Finally, you can now setup and configure our OpenVPN client at our PC or laptop. Just install OpenVPN Client and use the same “client.conf” file, but rename it to hiveosvpn.ovpn if you are using Microsoft Windows. Copy it to your OpenVPN install dir under the sub dir called \config\ and get it there. Launch OpenVPN Client for your Windows and your done. Connect to the OpenVPN Server and you are at the same network as your remote rig is.

    Quick Nav