OpenVPN on Slackware

First things first… Thanks to DigitalOcean for their excellent howtos, which have helped me countless times. Thanks also to Rudi Drusian for the complementary information here.

I used the first part of Rudi's guide with a few changes: I changed some parts and removed others to make it simpler. I expect you to already know how to protect a VPN server, so the dumb stuff won't be here.

In my case, openvpn was already installed. In case you need it:

# Slackware
slackpkg install openvpn

Now this is the most important part for me. Even with DigitalOcean's howtos, I never remember where to get easy-rsa:

cd /mnt/usb
git clone https://github.com/OpenVPN/easy-rsa

Also valuable info here: setting up easyrsa

cd easy-rsa/easyrsa3/
cp vars.example vars
vi vars

# Organizational fields
set_var EASYRSA_REQ_COUNTRY  "US" # Country
set_var EASYRSA_REQ_PROVINCE "California" # State
set_var EASYRSA_REQ_CITY     "Los Angeles" # City
set_var EASYRSA_REQ_ORG      "My Company" # Organization name
set_var EASYRSA_REQ_EMAIL    "contact@mycompany.com.br" # Email
set_var EASYRSA_REQ_OU       "IT Department" # Organizational Unit

# Expiration (in days)
set_var EASYRSA_CA_EXPIRE   7300 # CA validity
set_var EASYRSA_CERT_EXPIRE 3650 # Validity of issued certificates

Initializing the PKI

# Access the EasyRSA directory (/mnt/usb in my case)
cd /<PATH TO WHERE YOU GIT CLONE>/easy-rsa/easyrsa3/

# Initialize the PKI
./easyrsa init-pki

# Create the CA
./easyrsa build-ca

# Generate the TLS key
./easyrsa gen-tls-crypt-key

# Generate the Diffie-Hellman (DH) parameters
./easyrsa gen-dh

I don't know why Rudi didn't run this, but please do. Note that the example config below points tls-auth at the easyrsa-tls.key generated by gen-tls-crypt-key; if you want to use this ta.key instead, change that line accordingly:

# Use this against DoS and port flooding
cd /etc/openvpn/keys
openvpn --genkey tls-auth ta.key
cd -

Create the server auth stuff

Remember to answer yes to whatever is asked here:

./easyrsa gen-req office nopass
./easyrsa sign-req server office

Copy the files from easy-rsa to the OpenVPN config directories:

cp /<PATH TO WHERE YOU GIT CLONE>/easy-rsa/easyrsa3/pki/ca.crt /etc/openvpn/certs/
cp /<PATH TO WHERE YOU GIT CLONE>/easy-rsa/easyrsa3/pki/issued/office.crt /etc/openvpn/certs/
cp /<PATH TO WHERE YOU GIT CLONE>/easy-rsa/easyrsa3/pki/dh.pem /etc/openvpn/certs/
cp /<PATH TO WHERE YOU GIT CLONE>/easy-rsa/easyrsa3/pki/private/office.key /etc/openvpn/keys/
cp /<PATH TO WHERE YOU GIT CLONE>/easy-rsa/easyrsa3/pki/private/easyrsa-tls.key /etc/openvpn/keys/

Grab a sample config file to set up the server:

cd /etc/openvpn/
cp sample-config-files/server.conf office.conf

Change the file to match your needs; use the links I provided at the beginning or google it. Here's an example:

##############################################
#   Example configuration for an OpenVPN     #
#  server with support for multiple clients. #
##############################################

local x.x.x.x  # Local IP address on which OpenVPN should listen
port  1194     # TCP/UDP port used by OpenVPN
proto udp      # Transport protocol (TCP or UDP)
dev   tun      # Tunnel type: routed (tun) or Ethernet (tap)

ca       /etc/openvpn/certs/ca.crt           # CA certificate
dh       /etc/openvpn/certs/dh.pem           # Diffie-Hellman (DH) parameters
cert     /etc/openvpn/certs/office.crt       # Server certificate
key      /etc/openvpn/keys/office.key        # Server private key
tls-auth /etc/openvpn/keys/easyrsa-tls.key 0 # TLS key (0 on server and 1 on client)

;crl-verify  /etc/openvpn/crl.pem # Certificate Revocation List

topology subnet                # Subnet /24 (255.255.255.0)
server 10.8.0.0 255.255.255.0  # Set the VPN network, server will be 10.8.0.1
ifconfig-pool-persist ipp.txt  # Keeps a record of IPs assigned to clients

# Sends a route to clients,
# allowing access to internal networks
push "route 192.168.10.0 255.255.255.0"

# Set a folder for client-specific
# configurations. Allows assigning
# fixed IPs and routes.
client-config-dir ccd

# Uncomment to allow clients to
# communicate with each other
;client-to-client

# Sends a ping every 10 seconds and considers
# the client offline after 120 seconds
keepalive 10 120

cipher AES-256-GCM # Default encryption algorithm
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC # Supported algorithms
;data-ciphers-fallback AES-256-CBC # Support for older versions

# Disables compression for security reasons
allow-compression no

# Maximum number of simultaneous clients
max-clients 100

# Reduces privileges after initialization
user nobody
group nobody

# Improves connection stability
persist-key # Prevents reloading keys after a reconnection
persist-tun # Keeps the VPN interface active during a reconnection

# Path to log files
status      /var/log/openvpn-status.log
log-append  /var/log/openvpn.log

verb 3   # Log detail level
mute 20  # Silences repeated log messages after 20 displays

# Notifies clients when the server is
# restarted so they can reconnect
explicit-exit-notify 1
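Before starting the daemon, it is worth checking that the config actually carries the hardening settings used above (tls-auth with direction 0, compression off, privilege drop, a revocation list, exit notification on UDP). The POSIX shell audit below is an added example, not from the original post or from OpenVPN itself; it embeds a constructed config that mirrors office.conf, and the file paths in it are the ones used above.

```shell
#!/bin/sh
# Added example (not from the original post): audit an OpenVPN server config
# for the hardening points used in office.conf above.

# Print the first active (uncommented) value of a directive, without its trailing comment.
ovpn_get() {
    # $1 = config file, $2 = directive name
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); sub(/ *#.*$/, ""); print; exit }' "$1"
}

# Print one finding per line; the return value is the number of findings.
audit_ovpn() {
    f=$1; n=0
    [ "$(ovpn_get "$f" tls-auth | awk '{print $2}')" = 0 ] ||
        { echo "tls-auth missing, or key direction is not 0 on the server"; n=$((n+1)); }
    [ "$(ovpn_get "$f" allow-compression)" = no ] ||
        { echo "compression not disabled (allow-compression no)"; n=$((n+1)); }
    [ "$(ovpn_get "$f" user)" = nobody ] && [ "$(ovpn_get "$f" group)" = nobody ] ||
        { echo "daemon keeps root: set user nobody / group nobody"; n=$((n+1)); }
    [ -n "$(ovpn_get "$f" crl-verify)" ] ||
        { echo "crl-verify is commented out: revoked client certs still connect"; n=$((n+1)); }
    [ "$(ovpn_get "$f" proto)" != udp ] || [ -n "$(ovpn_get "$f" explicit-exit-notify)" ] ||
        { echo "udp without explicit-exit-notify"; n=$((n+1)); }
    return $n
}

# Constructed sample mirroring the example config above (crl-verify left commented out).
write_sample_conf() {
    cat > "$1" <<'EOF'
local 192.0.2.10  # constructed listen address
port  1194
proto udp
tls-auth /etc/openvpn/keys/easyrsa-tls.key 0 # TLS key (0 on server and 1 on client)
;crl-verify  /etc/openvpn/crl.pem
allow-compression no
user nobody
group nobody
explicit-exit-notify 1
EOF
}

tmp=${TMPDIR:-/tmp}/office.conf.$$
write_sample_conf "$tmp"
findings=0
audit_ovpn "$tmp" || findings=$?
echo "findings: $findings"   # the sample above yields 1 (crl-verify)
rm -f "$tmp"
```

Run it against /etc/openvpn/office.conf once you have edited the real file; a non-zero exit status means at least one of the settings above is missing.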

Allow OpenVPN to start at boot:

chmod +x /etc/rc.d/rc.openvpn

From now on, please follow the DigitalOcean HOWTO for the client setup. It doesn't make sense to use anything else…
