How to install and setup OpenVPN in ArchLinux

In this tutorial we will show you how to install and setup OpenVPN in ArchLinux.

While OpenVPN supports user/password, pre-shared key (PSK) and SSL certificate authentication for users/clients, I’m rolling with SSL certificates as they are superior to the other authentication methods.

As always, make sure you also consult the official OpenVPN Wiki page. So let’s start!


1. MAKE SURE THE ARCHLINUX SYSTEM IS UP TO DATE

First log in to your VPS as root via SSH. Once you are in, the first thing you need to do is download the package lists from the repositories and update them, so pacman knows the newest versions of the packages and their dependencies. To do that type:

pacman -Syyu

2. VERIFY THAT TUN SUPPORT IS ENABLED ON THE SYSTEM

You can use the following one-liner to check whether TUN support is enabled on the ArchLinux system. If you are using a VPS (Virtual Private Server), some virtualization layers such as vServers and OpenVZ require TUN to be enabled from the host machine, so please contact your hosting provider to enable it before you continue. If you are one of our clients, you can do that yourself from the VPS control panel.

If you are on a dedicated server or use a KVM, ESXi or Xen virtual server, make sure that the CONFIG_TUN module is enabled in the kernel. So, let’s continue and see if TUN is enabled by typing:

test ! -c /dev/net/tun && echo openvpn requires tun support || echo tun is available

3. INSTALL OPENVPN

To install the OpenVPN service just type:

pacman -S openvpn

4. SET-UP EASY-RSA

Next we will install the easy-rsa package from the extra repository using pacman and set it up in /root/easy-rsa:

pacman -S easy-rsa
cp -prv /usr/share/easy-rsa /root/easy-rsa
cd /root/easy-rsa
cp vars{,.orig}

5. SET-UP DEFAULT VALUES IN EASY-RSA

Now set up the default values used by the easy-rsa scripts. To do that edit:

nano ./vars

and add:

KEY_SIZE=2048
KEY_COUNTRY="NL"
KEY_PROVINCE="NL"
KEY_CITY="Amsterdam"
KEY_ORG="The Streets"
KEY_EMAIL="[email protected]_domain_name.com"

Save and close the file, then export the values into your shell:

source ./vars

Once the export is done, delete any previously created certificates and keys:

./clean-all

6. GENERATE THE CA CERTIFICATE

Generate the CA certificate using the build-ca script:

./build-ca

7. GENERATE THE SERVER CERTIFICATE

Generate the VPN server certificate using the build-key-server script:

./build-key-server pulsar

• Sign the certificate? [y/n]:y
• 1 out of 1 certificate requests certified, commit? [y/n]y


8. GENERATE THE DIFFIE-HELLMAN PARAMETERS

Generate the Diffie-Hellman parameters file (dh2048.pem) using the build-dh script:

./build-dh

9. GENERATE THE CLIENT CERTIFICATE

Generate the client certificate using the build-key script:

./build-key nexus4

• Sign the certificate? [y/n]:y
• 1 out of 1 certificate requests certified, commit? [y/n]y


10. GENERATE THE HMAC KEY (ta.key)

Generate the secret Hash-based Message Authentication Code (HMAC) key used by tls-auth, which lets the server discard packets without a valid HMAC before any TLS processing takes place:

openvpn --genkey --secret /root/easy-rsa/keys/ta.key

11. DEPLOY THE CERTIFICATES

Copy the required certificates to the particular machine/device (server or client):
• The public ca.crt certificate is needed on all servers and clients
• The private ca.key key is secret and only needed on the key generating machine
• A server needs server.crt, dh2048.pem (public), server.key and ta.key (private)
• A client needs client.crt (public), client.key and ta.key (private)


12. SET-UP CERTIFICATES AND KEYS ON THE SERVER

Place the certificates and keys on the server in the /etc/openvpn/certs directory. As listed above, ca.key stays on the key generating machine and is not copied to the server:

mkdir -p /etc/openvpn/certs
cp -pv /root/easy-rsa/keys/{ca.crt,pulsar.{crt,key},ta.key,dh2048.pem} /etc/openvpn/certs/

13. CONFIGURE THE OPENVPN SERVER

Create the OpenVPN server configuration file /etc/openvpn/pulsar-vpn.conf by editing it:

nano /etc/openvpn/pulsar-vpn.conf

and put:

port 1194
proto udp
dev tun

ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/pulsar.crt
key /etc/openvpn/certs/pulsar.key
dh /etc/openvpn/certs/dh2048.pem
tls-auth /etc/openvpn/certs/ta.key 0

server 192.168.88.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

client-to-client
keepalive 1800 4000

cipher DES-EDE3-CBC # Triple-DES
comp-lzo

max-clients 10

user nobody
group nobody

persist-key
persist-tun

#log /var/log/openvpn.log
#status /var/log/openvpn-status.log
verb 5
mute 20

#client-config-dir ccd

Save and close the file. Note that DES-EDE3-CBC (3DES) is a 64-bit block cipher and current OpenVPN releases default to AES-GCM, so prefer an AES cipher unless a client can only do 3DES; likewise comp-lzo compresses the tunnel traffic, which has been shown to leak information about encrypted content (VORACLE) and is deprecated in newer OpenVPN versions.


14. TEST AND START THE OPENVPN SERVER

Test the OpenVPN server set-up using something like:

openvpn /etc/openvpn/pulsar-vpn.conf

…and if everything is OK, start the OpenVPN server, enable it to run at system start-up and check its status using:

systemctl start openvpn@pulsar-vpn.service
systemctl enable openvpn@pulsar-vpn.service
systemctl status openvpn@pulsar-vpn.service

15. ENABLE FORWARDING AND SET-UP IPTABLES

Enable IP forwarding by uncommenting or adding net.ipv4.ip_forward = 1 in /etc/sysctl.d/99-sysctl.conf. Edit:

nano /etc/sysctl.d/99-sysctl.conf

and replace:

net.ipv4.ip_forward = 0

with:

net.ipv4.ip_forward = 1

Save and close the file, then load the setting with the command below (sysctl --system reads every file under /etc/sysctl.d, whereas a plain sysctl -p only reads /etc/sysctl.conf, which Arch no longer ships):

sysctl --system

Next, set up the following iptables rules by typing:

iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -s 192.168.88.0/24 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -t nat -A POSTROUTING -s 192.168.88.0/24 -j SNAT --to-source 
iptables -t nat -A POSTROUTING -s 192.168.88.0/24 -o eth0 -j MASQUERADE

and save them with:

iptables-save > /etc/iptables/iptables.rules

Restart iptables for the changes to take effect:

systemctl restart iptables
systemctl enable iptables

16. SET-UP THE OPENVPN CLIENT

• Deploy the generated certificates and keys to the VPN client/device
• Install the OpenVPN client on the machine/device

Then create the client.conf configuration file:

touch /etc/openvpn/client.conf

edit the file:

nano /etc/openvpn/client.conf

and put:

client
remote 
ca /home/d/confs/certs/vpn/ca.crt
cert /home/d/confs/certs/vpn/blackhole.crt
key /home/d/confs/certs/vpn/blackhole.key
cipher DES-EDE3-CBC
comp-lzo yes
dev tun
proto udp
tls-auth /home/d/confs/certs/vpn/ta.key 1
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user nobody
group nogroup

Save and close the file. That’s it.
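As an added example (not part of the original tutorial), a small POSIX shell check that confirms a server config and a client config agree on proto, dev, cipher and the tls-auth key direction, and flags the 64-bit-block cipher the tutorial uses. The two configs it writes are constructed samples mirroring pulsar-vpn.conf and client.conf.

```sh
#!/bin/sh
# Added example, not from the original tutorial: cross-check a server config
# against a client config before handing out the client profile. The two
# configs written below are constructed samples mirroring the tutorial's ones.

# opt FILE DIRECTIVE: print the directive's arguments (comments stripped), first match only
opt() {
    sed -e 's/[#;].*$//' "$1" |
        awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# check_pair SERVER_CONF CLIENT_CONF: print one line per finding, "OK" if none;
# exit status is 1 when anything was found, so it can gate a deploy script
check_pair() {
    srv=$1; cli=$2; n=0
    # transport and data-channel settings must agree on both ends
    for d in proto dev cipher; do
        sv=$(opt "$srv" "$d"); cv=$(opt "$cli" "$d")
        [ "$sv" = "$cv" ] || { echo "MISMATCH $d: server='$sv' client='$cv'"; n=$((n + 1)); }
    done
    # tls-auth key direction: 0 on the server, 1 on the client, as in the tutorial
    sdir=$(opt "$srv" tls-auth | awk '{ print $2 }')
    cdir=$(opt "$cli" tls-auth | awk '{ print $2 }')
    [ "$sdir" = 0 ] && [ "$cdir" = 1 ] ||
        { echo "BAD tls-auth direction: server='$sdir' client='$cdir'"; n=$((n + 1)); }
    # 3DES and Blowfish have a 64-bit block (Sweet32); flag them for replacement
    case "$(opt "$srv" cipher)" in
        DES-EDE3-CBC|BF-CBC) echo "WEAK cipher: $(opt "$srv" cipher)"; n=$((n + 1)) ;;
    esac
    [ "$n" -eq 0 ] && echo OK
    return $((n > 0))
}

tmp=$(mktemp -d)
cat > "$tmp/server.conf" <<'EOF'
proto udp
dev tun
tls-auth /etc/openvpn/certs/ta.key 0
cipher DES-EDE3-CBC # Triple-DES
user nobody
EOF
cat > "$tmp/client.conf" <<'EOF'
client
dev tun
proto udp
cipher DES-EDE3-CBC
tls-auth /home/d/confs/certs/vpn/ta.key 1
EOF
check_pair "$tmp/server.conf" "$tmp/client.conf" || echo "fix the findings before deploying"
```

Run it against the real /etc/openvpn/pulsar-vpn.conf and client.conf by passing both paths to check_pair; a non-zero exit means something needs attention.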


If you’re one of our Linux VPS Hosting customers we can install and setup OpenVPN on your virtual server for you free of charge. Just contact us and some of our experts will complete your request immediately.
