The first step is to install the VPN daemon. My choice is OpenVPN: it is an open-source, well-known VPN solution with a large community. To install OpenVPN, issue the following command:
# apt-get install openvpn
And that's it. The VPN server software is installed.
To configure the OpenVPN server you have to set up the following files: the CA certificate, the server certificate, the server's private key, the Diffie-Hellman parameters, and the server configuration file.
The first four are generated cryptographic material. How to build them is described on the certificates page.
OpenVPN configuration files can be stored anywhere, but the usual practice is to keep them under the /etc/openvpn directory. I like to create separate directories for the CA material, the keys and the configuration files (both server and client, if necessary):
# mkdir /etc/openvpn/ca_certificates /etc/openvpn/certs /etc/openvpn/server
From the easy-rsa directory, copy the CA certificate, the DH parameters, the server certificate and the server key to the VPN server:
easy-rsa/easyrsa3$ scp pki/ca.crt pki/dh.pem root@<server IP>:/etc/openvpn/ca_certificates
easy-rsa/easyrsa3$ scp pki/issued/<server-cert.crt> pki/private/<server-cert.key> root@<server IP>:/etc/openvpn/certs
Adjust the following value:
<server IP> - the actual IP address of your server.
On the server, make sure the private key (<server-cert.key>) is readable only by root (mode 0600); the CA certificate and the DH parameters are not secret and can stay world-readable.
Now create the configuration file /etc/openvpn/server/central-broker.conf with the following content:
port 1194
proto tcp
dev tun
ca <cafile>
cert <crtfile>
key <keyfile>
dh <dhfile>
server <network ip address> <network mask>
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 4
Adjust the configuration options based on your needs:
ca - Path to your CA certificate file. For example: /etc/openvpn/ca_certificates/ca.crt
cert - Path to your server certificate file (the issued certificate, not the certificate request). For example: /etc/openvpn/certs/<server-cert.crt>
key - Path to your server private key file. For example: /etc/openvpn/certs/<server-cert.key>
dh - Path to your Diffie-Hellman parameters file. For example: /etc/openvpn/ca_certificates/dh.pem
server - Address and mask of your virtual network. Pick a private range that does not collide with the LAN on either side of the tunnel; for example, OpenVPN's own sample server.conf uses 10.8.0.0 255.255.255.0.
Two caveats on the options above. comp-lzo is deprecated since OpenVPN 2.4, and compressing traffic before encrypting it lets an attacker who can inject chosen plaintext into the tunnel learn secrets from ciphertext sizes (the VORACLE attack on OpenVPN compression), so leave it out unless you have a specific reason to compress. persist-key and persist-tun exist so that the daemon can drop root after startup and still survive tunnel restarts; add user nobody and group nogroup (the Debian names) next to them so the process does not keep root for its whole lifetime.
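The review in the list above can be automated. The following script is an added example for this page, not code from the OpenVPN project or from the original author: it parses a server config like central-broker.conf into directives, reports the settings a reviewer would flag (compression enabled, no privilege drop, no tls-auth/tls-crypt on the control channel, no TLS version floor) and renders a hardened copy. The file paths, the 10.8.0.0/24 range, the ta.key location and the Debian group name nogroup are assumptions used for illustration.

```python
"""Audit an OpenVPN server config for weak settings and emit a hardened copy.

Added example for this page, not OpenVPN project code. Assumptions: the
paths, the 10.8.0.0/24 range, the ta.key location and the group name
'nogroup' are illustrative. Inline <ca>...</ca> blocks are not handled.
"""

# Constructed sample: the page's central-broker.conf with assumed example
# paths filled in (not copied from a real deployment).
SAMPLE_CONFIG = """\
port 1194
proto tcp
dev tun
ca /etc/openvpn/ca_certificates/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/ca_certificates/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 4
"""

# "compress stub"/"stub-v2" only negotiate framing and do not compress.
COMPRESS_STUBS = {"stub", "stub-v2"}


def parse_config(text):
    """Split config text into (directive, args) pairs.

    OpenVPN treats '#' and ';' as comment starters; blank lines are skipped.
    """
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        directives.append((name, args))
    return directives


def audit(directives):
    """Return a list of findings; an empty list means nothing to report."""
    names = {name for name, _ in directives}
    findings = []
    for name, args in directives:
        # Compress-then-encrypt leaks plaintext through ciphertext sizes
        # (VORACLE); comp-lzo is also deprecated since OpenVPN 2.4.
        if name == "comp-lzo" and args != ["no"]:
            findings.append("comp-lzo: compression enabled; remove it")
        if name == "compress" and args and args[0] not in COMPRESS_STUBS:
            findings.append(f"compress {args[0]}: compression enabled; remove it")
    if not {"user", "group"} <= names:
        # persist-key/persist-tun keep the key and tun device across restarts
        # once the process can no longer reopen them as an unprivileged user.
        hint = "" if {"persist-key", "persist-tun"} <= names else \
            " (also add persist-key and persist-tun)"
        findings.append("no user/group: process keeps root for its whole "
                        "lifetime; add user nobody, group nogroup" + hint)
    if not names & {"tls-auth", "tls-crypt"}:
        findings.append("no tls-auth/tls-crypt: any host can start a TLS "
                        "handshake with the server; add tls-crypt <keyfile>")
    if "tls-version-min" not in names:
        findings.append("no tls-version-min: add tls-version-min 1.2")
    return findings


def harden(directives, tls_crypt_key="/etc/openvpn/certs/ta.key"):
    """Render a hardened copy: no compression, privileges dropped,
    control channel wrapped with tls-crypt, TLS 1.2 as the floor."""
    kept = [(n, a) for n, a in directives if n not in ("comp-lzo", "compress")]
    names = {n for n, _ in kept}
    wanted = [
        ("persist-key", []),
        ("persist-tun", []),
        ("user", ["nobody"]),
        ("group", ["nogroup"]),  # Debian name; Fedora/RHEL use 'nobody'
        ("tls-crypt", [tls_crypt_key]),  # assumed path, generated separately
        ("tls-version-min", ["1.2"]),
    ]
    for n, a in wanted:
        if n == "tls-crypt" and names & {"tls-auth", "tls-crypt"}:
            continue  # an existing control-channel key is kept as is
        if n not in names:
            kept.append((n, a))
    return "\n".join(" ".join([n, *a]) for n, a in kept) + "\n"


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    for finding in audit(parsed):
        print("-", finding)
    print("\n# hardened config\n" + harden(parsed))
```

To use it on your own server, replace SAMPLE_CONFIG with the contents of your configuration file. The tls-crypt key the hardened output references must be generated once (openvpn --genkey --secret ta.key), kept as secret as the server key, and shipped to every client, and tls-crypt requires OpenVPN 2.4 or later on both ends; on older clients use tls-auth with the same key instead.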
To test that OpenVPN is correctly configured, run it in the foreground from a console (stop it with Ctrl-C before handing it over to systemd); with verb 4 the log printed to the console tells you why a certificate, key or DH file was rejected:
# openvpn --cd /etc/openvpn/server --config central-broker.conf
Now you need to configure OpenVPN to start automatically when the machine boots. Let's create a systemd unit for this task.
Create the template unit file /etc/systemd/system/openvpn-server@.service with the following content (if your openvpn package already ships a unit of the same name, the copy in /etc/systemd/system takes precedence over the packaged one):
[Unit]
Description=OpenVPN service for %I
After=network.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=simple
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/server --config %i.conf
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
This is a generic description of how to start an OpenVPN server process. Template units use the %i placeholder for the instance name (the part between the @ and the .service suffix; %I is the same name with systemd's escaping undone, which is why it is used in the description), and supplying that name creates a unit instance. To initiate the unit, issue the following commands:
# systemctl daemon-reload
# systemctl enable openvpn-server\@central-broker.service
# systemctl start openvpn-server\@central-broker.service
If you have just created the unit file, don't forget to run daemon-reload so that systemd loads it. Then enable the central-broker instance of the template unit to instruct systemd to start it at boot. Finally, start OpenVPN manually with the start command above.
central-broker is not only the name of the instance; it is also used as the name of the configuration file (%i.conf in ExecStart). If your configuration file has a different name, change the unit instance name accordingly.