Openvpn on raspberry pi: Difference between revisions

From lippmann wiki
Latest revision as of 21:25, 23 April 2018

This page is largely copied from https://www.aaflalo.me/2015/01/openvpn-tap-bridge-mode/.

That page is probably kept more up to date, and has active comments. This is a copy I made in case I need access and that site is down or unavailable for other reasons. I also added some steps for my own needs.

prepwork

change language so the keyboard works

sudo vi /etc/default/keyboard

set a better password

passwd

edit sshd and add ssh to startup

sudo vi /etc/ssh/sshd_config
sudo systemctl enable ssh.service

Tutorial for OpenVPN TAP Bridge Mode

I’m using my Raspberry Pi as a NAS with a Samba server to provide the content through my home network. I wanted to have that content directly accessible from the rest of the world, but without the traffic being visible to anyone other than me. I then decided to use OpenVPN TAP in bridged mode.

OpenVPN Tap: Setup

  • TL-841 as router
  • Raspberry Pi as NAS
  • Internal IP : 192.168.42.0/24
  • Range IP router: 192.168.42.10 – 192.168.42.120
  • Range IP OpenVPN: 192.168.42.128 – 192.168.42.254
  • OpenVPN version: 2.4

Preparation

First, an important point: if you have a DHCP server on your router, be sure to configure it not to assign IP addresses from the whole subnet, but only from a part of it (as I’ve done in the setup). If you don’t, you could end up with two devices sharing the same IP, and trust me, you don’t want that.

Download scripts/conf

You need to download and extract my scripts and configuration. I’ll walk you through each of those. The following command will download the files and extract them into /tmp/openvpn-scripts:

wget -O /tmp/master.zip https://gist.github.com/Belphemur/3b03eaad96172b2159fc/archive/master.zip && mkdir /tmp/openvpn-scripts && unzip /tmp/master.zip -d /tmp/openvpn-scripts/


Installing OpenVPN

sudo aptitude install openvpn

Enable TLS

We need easy-rsa to easily create our root certificate, the server certificate and one certificate for each client. Using those certificates, the clients authenticate themselves to the server; no login/password is needed.

sudo aptitude install easy-rsa
sudo mkdir /etc/openvpn/easy-rsa
sudo cp -R /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
sudo ln -s /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf

Configuring TLS

Edit the bottom of /etc/openvpn/easy-rsa/vars according to your organization.

Look for those in the file and change them for your needs.

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="mail@domain"
export KEY_EMAIL=mail@domain
export KEY_SIZE=4096

Now execute these commands to prepare for the generation of the certificates and keys:

cd /etc/openvpn/easy-rsa/
sudo -s #because of the sourcing of the ./vars file you need to be root to do this
mkdir keys
touch keys/index.txt
echo 01 > keys/serial
. ./vars # set environment variables
./clean-all


From Debian wiki on OpenVPN:

   Remember:
   
       only .key files should be kept confidential.
       .crt and .csr files can be sent over insecure channels such as plaintext email.
       you do not need to copy a .key file between computers.
       each computer will have its own certificate/key pair.

Generating the certs and keys

These commands will generate the root certificate, the server certificate and the DH parameters. I give two choices for generating the DH parameters: either you use your own machine or the DHTool free service.

cd /etc/openvpn/easy-rsa/
./build-ca
./build-key-server server
./build-dh #takes time

Disabling Current Systemd Service

By default, when you install the OpenVPN server, the installer takes care of setting OpenVPN to start with your system.

We don’t want that, since we’re installing another service configuration that takes care of the bridge.

sudo systemctl disable openvpn
sudo systemctl stop openvpn

Disabling Current dhcpcd Service

The Raspberry Pi sets IP addresses using the dhcpcd service. We are setting them by hand with the bridge start/stop scripts, so the commands below stop that service from interfering.

sudo systemctl disable dhcpcd.service
sudo systemctl stop dhcpcd.service

Packet Forwarding

Because we’re going to create a bridge, we need to set the kernel to let the IP packet transit through it. To do this, we’ll use sysctl.

You’ll need to edit the file /etc/sysctl.conf to add or uncomment the following line: net.ipv4.ip_forward = 1

Then you reload the configuration: sysctl -p /etc/sysctl.conf

Packet forwarding is now set in your kernel and will stay enabled after a reboot.

Bridge Scripts

Following the OpenVPN tutorial on how to create a bridge and make it work with OpenVPN, I created my own scripts to do this. First, you need to install bridge-utils (the tools used to create network bridges), then create a directory to put my scripts in.

sudo aptitude install bridge-utils

My bridge scripts are in 3 parts:

   Bridge-conf: to configure the scripts
   Bridge-start: to start the bridge
   Bridge-stop: to destroy the bridge

My scripts are made to restore the system to its previous state after destroying the bridge. I tested them and they work on Debian Jessie on a raspberry pi.

You’ll find all the following files in /tmp/openvpn-scripts/ if you used the command to download the gist.

Bridge-conf

You NEED to modify this file with your own configuration.

sudo ip addr

or

sudo ifconfig

should give you the information you need to put here. The idea is to make your bridge act like your normal Ethernet interface, with the same properties.

#!/bin/bash

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.42.2"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.42.255"
eth_gateway="192.168.42.1"
eth_mac="XX:XX:XX:XX:XX:XX"

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged together
tap="tap0"

Bridge-start

If you’re using VMware for your OpenVPN server, you have some extra steps to do (thanks Per Mejdal Rasmussen):

   When using VMware, you need to set the port group in promiscuous mode and add “brctl setageing $br 0” to bridge-start.
   Source: StackOverflow
#!/bin/bash

. /etc/openvpn/bridge/bridge-conf 
#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

for t in $tap; do
    openvpn --mktun --dev $t
done

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
    iptables -A INPUT -i $t -j ACCEPT
done

iptables -A INPUT -i $br -j ACCEPT
iptables -A FORWARD -i $br -j ACCEPT

ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
ip link set $br address $eth_mac
route add default gw $eth_gateway $br

Bridge-stop

#!/bin/bash

. /etc/openvpn/bridge/bridge-conf
####################################
# Tear Down Ethernet bridge on Linux
####################################


iptables -D INPUT -i $br -j ACCEPT
iptables -D FORWARD -i $br -j ACCEPT

ifconfig $br down
brctl delbr $br

for t in $tap; do
    openvpn --rmtun --dev $t
    iptables -D INPUT -i $t -j ACCEPT
done

ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast
route add default gw $eth_gateway $eth

Server Configuration

In the same folder, you find the server.conf. The file contains the configuration for OpenVPN in server mode.

You should update the port, the protocol (proto) and the server-bridge line with your network settings.

insert my own example here.

You’ll find also this:

#set the dns servers
push "dhcp-option DNS 192.168.42.1"
#set the WINS server (SAMBA)
push "dhcp-option WINS 192.168.42.2"

These need to be changed too: the first one to point at your router (which surely acts as a DNS server) and the second one to your Samba server (NAS). In my case, it’s the same IP as the server, because I’m hosting the Samba server and the OpenVPN server on the same device.
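As an added example (not one of the page's own files, and not the gist's server.conf), the script below first checks the addressing plan and then renders a server.conf for this bridge. server-bridge takes the server's own LAN address, the netmask, and the first and last address of the pool handed to VPN clients; the check enforces the rule from the Preparation section that this pool must not overlap the router's DHCP range. The function and variable names are this example's own; the addresses are the ones from the setup above.

```shell
#!/bin/bash
# Added example: validate the bridged addressing plan, then render a matching
# server.conf. Function and variable names are this example's own (hypothetical);
# the addresses are the page's setup (router DHCP .10-.120, OpenVPN pool .128-.254).
ROUTER_DHCP_START="192.168.42.10"
ROUTER_DHCP_END="192.168.42.120"
SERVER_IP="192.168.42.2"       # eth_ip from bridge-conf: the Pi's LAN address
NETMASK="255.255.255.0"
POOL_START="192.168.42.128"    # addresses handed out to VPN clients
POOL_END="192.168.42.254"
DNS_SERVER="192.168.42.1"      # the router
WINS_SERVER="192.168.42.2"     # the Samba server (same box as OpenVPN here)

# ip2int A.B.C.D -> the address as a 32-bit integer, so ranges can be compared
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# same_subnet IP1 IP2 NETMASK -> succeeds when both addresses share the network part
same_subnet() {
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}

# ranges_overlap S1 E1 S2 E2 -> succeeds when the two inclusive ranges share an address
ranges_overlap() {
    [ "$(ip2int "$1")" -le "$(ip2int "$4")" ] && [ "$(ip2int "$3")" -le "$(ip2int "$2")" ]
}

# check_plan DHCP_START DHCP_END SERVER_IP NETMASK POOL_START POOL_END
# Fails when the client pool leaves the server's subnet or collides with the
# router's DHCP range (the duplicate-address problem the Preparation section warns about).
check_plan() {
    same_subnet "$3" "$5" "$4" || { echo "pool start $5 is outside the subnet" >&2; return 1; }
    same_subnet "$3" "$6" "$4" || { echo "pool end $6 is outside the subnet" >&2; return 1; }
    if ranges_overlap "$1" "$2" "$5" "$6"; then
        echo "pool $5-$6 overlaps the router DHCP range $1-$2" >&2
        return 1
    fi
}

# render_server_conf -> OpenVPN server-mode configuration for the TAP bridge above
render_server_conf() {
    cat <<SERVER_CONF
dev tap0
proto udp
port 5555
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh4096.pem
# Bridge mode: the server's LAN address, its netmask, first and last pool address
server-bridge $SERVER_IP $NETMASK $POOL_START $POOL_END
push "dhcp-option DNS $DNS_SERVER"
push "dhcp-option WINS $WINS_SERVER"
# Must match the cipher/auth lines build-client writes into the client .ovpn
cipher AES-256-CBC
auth SHA512
# Matches build-client's default "compress" (OpenVPN >= 2.4); use comp-lzo on older versions
compress lz4-v2
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
status /var/log/openvpn-status.log
verb 3
SERVER_CONF
}

# Only emit a configuration when the plan is consistent
if check_plan "$ROUTER_DHCP_START" "$ROUTER_DHCP_END" "$SERVER_IP" "$NETMASK" "$POOL_START" "$POOL_END"; then
    render_server_conf
fi
```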

Client Configuration Script

The last file that needs to be changed for your needs is build-client. The script generates an OpenVPN client configuration file in the folder you launch it from. Either edit the variables in the script, or set them through environment variables (see Generate a client configuration).

You’ll find a section VARIABLES with:

   PROTO: the protocol used on the server (it needs to be the same as you set on the server)
   REMOTE: the IP address or hostname of your server. It needs to be your external IP address or a hostname (like example.com) that points to your external IP. (I’m using no-ip as a DDNS service.) If you leave it empty, the script will retrieve your external IP for you.
   PORT: the port used by the server
   COMPRESS: the compression algorithm used. If you’re using OpenVPN >= 2.4, replace the default argument with compress. This will make the client ask the server for the compression algorithm.
   OPENVPN_CLIENT_DIRECTIVE: if you need to add another directive to the client configuration
#!/bin/bash
#This script generates the key for the wanted client and its configuration file
#to be used with OpenVPN. If the key has already been generated, it will only
#generate the configuration file for OpenVPN

#VARIABLES
#If you don't set a remote (the external IP of the server or the hostname)
#the script will try to gather it using dig
#You need to change the port to the one set in your server
#if you want to add new directive to client configuration use $OPENVPN_CLIENT_DIRECTIVE

PROTO="${PROTO:-udp}"
REMOTE="${REMOTE:-}"
PORT="${PORT:-5555}"
OPENVPN_EASY_RSA_PATH="/etc/openvpn/easy-rsa/"
OPENVPN_CLIENT_DIRECTIVE="${OPENVPN_CLIENT_DIRECTIVE:-}"
DEV_TYPE=${DEV_TYPE:-tap0}
COMPRESS=${COMPRESS:-compress}

#DO NOT MODIFY BELOW
function usage {
	echo "Usage: $0 clientName"
	echo "ENV Variables:"
	echo "PROTO:				protocol used"
	echo "REMOTE:				host or IP address of the server"
	echo "PORT:				port on the server"
	echo "DEV_TYPE:			device type (tun+/tap+)"
	echo "COMPRESS:			The compression algorithm used (comp-lzo, compress (if pushed by the server), compress snappy)"
	exit 1
}

function getIp {
	# Ask OpenDNS for the public address this host appears from
	dig +short myip.opendns.com @resolver1.opendns.com
}

function clientConfig {
cat <<CLIENT_CONF
client
dev $DEV_TYPE
proto $PROTO
remote $REMOTE $PORT
resolv-retry infinite
nobind	
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
$COMPRESS
verb 3
pull
$OPENVPN_CLIENT_DIRECTIVE
<ca>
$CA
</ca>
<cert>
$CERT
</cert>
<key>
$KEY
</key>
CLIENT_CONF
}
if [ $# -eq 0 ]; then
	echo "No arguments supplied"
	usage	
fi
if [ -z "$1" ]; then
	echo "Client name not supplied"
	usage
fi

if [ -z "$REMOTE" ]; then
	REMOTE=$(getIp)
fi
CLIENT=$1
# Only build a new key/cert pair if this client has none yet
if [ ! -f "$OPENVPN_EASY_RSA_PATH/keys/${CLIENT}.crt" ]; then
	pushd "$OPENVPN_EASY_RSA_PATH"
	source ./vars
	./build-key "$CLIENT"
	popd
fi


# Keep only the PEM blocks (the signed .crt may also contain a text dump of the certificate)
CA=$(sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$OPENVPN_EASY_RSA_PATH/keys/ca.crt")

CERT=$(sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$OPENVPN_EASY_RSA_PATH/keys/${CLIENT}.crt")

KEY=$(sed -n '/BEGIN PRIVATE KEY/,/END PRIVATE KEY/p' "$OPENVPN_EASY_RSA_PATH/keys/${CLIENT}.key")

clientConfig > $CLIENT.ovpn
exit 0

Installing the configuration and scripts

Now that the preparation is done, let’s put all the scripts and configuration files where they should be.

OpenVPN configuration

Move the server.conf into /etc/openvpn/

sudo mv /tmp/openvpn-scripts/server.conf /etc/openvpn/

Bridge scripts

sudo mkdir /etc/openvpn/bridge
sudo mv /tmp/openvpn-scripts/bridge-* /etc/openvpn/bridge/
sudo chmod +x /etc/openvpn/bridge/bridge-*

Client Generator Script

sudo mv /tmp/openvpn-scripts/build-client /etc/openvpn/easy-rsa/
sudo chmod +x /etc/openvpn/easy-rsa/build-client

Service Script for systemd

If you are using Debian Jessie, or your distribution uses systemd as its init, do this to add a service unit for bridged OpenVPN.

sudo mv /tmp/openvpn-scripts/openvpn@.service /etc/systemd/system/
sudo systemctl daemon-reload

To make systemd start the service at boot time:

sudo systemctl enable openvpn@server

Generate a client configuration

Now we will generate a client configuration that will be used on your computer to connect to the OpenVPN server. Here we build for the client OnMyWay.

cd /etc/openvpn/easy-rsa/
sudo ./build-client OnMyWay

or

cd /etc/openvpn/easy-rsa/
sudo PROTO=udp REMOTE=example.com PORT=1255 COMPRESS=comp-lzo ./build-client OnMyWay


Using the environment variable is another way to generate a client configuration.

You need to say yes to the signing of the cert and the commit.

You should see something like this:

/etc/openvpn/easy-rsa /home/pi
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
Generating a 2048 bit RSA private key
..................................................................................+++
...................................+++
writing new private key to 'OnMyWay.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [NY]:
Locality Name (eg, city) [New-York]:
Organization Name (eg, company) [Raspy]:
Organizational Unit Name (eg, section) [RaspberryPiOrg]:
Common Name (eg, your name or your server's hostname) [OnMyWay]:
Name [RaspyKey]:
Email Address [raspy@raspy.net]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName                                             :PRINTABLE:'US'
stateOrProvinceName                                     :PRINTABLE:'NY'
localityName                                            :PRINTABLE:'New-York'
organizationName                                        :PRINTABLE:'Raspy'
organizationalUnitName                                  :PRINTABLE:'RaspberryPiOrg'
commonName                                              :PRINTABLE:'OnMyWay'
name                                                    :PRINTABLE:'RaspyKey'
emailAddress                                            :IA5STRING:'raspy@raspy.net'
Certificate is to be certified until Jan 18 17:49:16 2025 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

You’ll find an OnMyWay.ovpn in the same folder you are. It’s the configuration with the certificate embedded into it.

Revoke a user

sudo -s
cd /etc/openvpn/easy-rsa
. ./vars
./revoke-full OnMyWay
exit
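As an added example (not from the page or the gist), the script below reads easy-rsa's CA database, keys/index.txt, to confirm that the client's entry is now marked revoked, and checks server.conf for a crl-verify directive: revoke-full regenerates keys/crl.pem, but OpenVPN only rejects a revoked certificate when server.conf points crl-verify at that file. The function names and the sample index lines are this example's own and constructed.

```shell
#!/bin/bash
# Added example: verify that a revocation took effect. Function names are this
# example's own (hypothetical); the index.txt lines below are constructed data.
KEYS_DIR="${KEYS_DIR:-/etc/openvpn/easy-rsa/keys}"

# Constructed sample of keys/index.txt (the OpenSSL CA database). Tab-separated:
# status (V valid / R revoked / E expired), expiry, revocation time (empty unless
# revoked), serial, certificate file name, subject DN.
SAMPLE_INDEX="$(printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
    V 250118174916Z ''            01 unknown '/C=US/ST=NY/O=Raspy/CN=server/name=RaspyKey' \
    R 250118174916Z 180423212500Z 02 unknown '/C=US/ST=NY/O=Raspy/CN=OnMyWay/name=RaspyKey' \
    V 250118174916Z ''            03 unknown '/C=US/ST=NY/O=Raspy/CN=Laptop/name=RaspyKey')"

# cert_status INDEX_FILE NAME -> prints V, R or E for the certificate whose CN is NAME,
# or "missing". If the same CN was issued more than once, the most recent entry wins.
cert_status() {
    awk -F'\t' -v cn="$2" '
        { n = split($6, part, "/"); for (i = 1; i <= n; i++) if (part[i] == "CN=" cn) found = $1 }
        END { print (found == "" ? "missing" : found) }
    ' "$1"
}

# revoked_clients INDEX_FILE -> one CN per line for every revoked certificate
revoked_clients() {
    awk -F'\t' '$1 == "R" { n = split($6, part, "/"); for (i = 1; i <= n; i++) if (part[i] ~ /^CN=/) print substr(part[i], 4) }' "$1"
}

# crl_enforced SERVER_CONF -> succeeds when an uncommented crl-verify directive is present
crl_enforced() {
    grep -Eq '^[[:space:]]*crl-verify[[:space:]]+' "$1"
}

# verify_revocation INDEX_FILE SERVER_CONF NAME -> succeeds only when NAME is marked
# revoked in the database AND the server enforces the CRL; otherwise says what is missing.
verify_revocation() {
    local status
    status="$(cert_status "$1" "$3")"
    [ "$status" = R ] || { echo "$3: status '$status', not revoked in $1" >&2; return 1; }
    crl_enforced "$2" || { echo "$2 has no crl-verify line: the revocation is not enforced" >&2; return 1; }
    echo "$3 is revoked and the server enforces the CRL"
}

# Demo on the constructed data; point the functions at the real
# $KEYS_DIR/index.txt and /etc/openvpn/server.conf to check a live server.
demo() {
    local idx conf
    idx="$(mktemp)"; conf="$(mktemp)"
    printf '%s\n' "$SAMPLE_INDEX" > "$idx"
    printf 'dev tap0\ncrl-verify %s/crl.pem\n' "$KEYS_DIR" > "$conf"
    echo "revoked clients: $(revoked_clients "$idx" | tr '\n' ' ')"
    verify_revocation "$idx" "$conf" OnMyWay
    rm -f "$idx" "$conf"
}
demo
```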

Start the server

If you used my service unit for systemd:

sudo service openvpn@server start

else

sudo /etc/openvpn/bridge/bridge-start
sudo service openvpn start

Stop the server

If you used my service unit for systemd:

sudo service openvpn@server stop

else

sudo service openvpn stop
sudo /etc/openvpn/bridge/bridge-stop