In this guide we will set up a “Debian 9 (stretch)” virtual machine on our Microsoft Azure account and configure an OpenVPN server on it.
Let’s begin by navigating to our AWS Management Console home page.
We now continue by configuring the instance.
With the instance created, we can use the SSH key pair we downloaded during its creation to connect to it over SSH.
wget https://git.io/vpn -O openvpn-configuration.sh
chmod +x openvpn-configuration.sh
When run, the script first asks for the IP address of the machine. We select the number corresponding to the public IP address of the machine.
Next we choose to use TCP as the base connection type for our VPN.
Now we set the port for which we added an inbound rule, so that the OpenVPN server listens for incoming connections on that port.
The DNS option can be set as preferred.
Finally we give a name for the client certificate that a user will present in order to connect. The script then creates the files that the user needs to connect to the server.
Welcome to this OpenVPN road warrior installer!
I need to ask you a few questions before starting setup.
You can use the default options and just press enter if you are ok with them.
This server is behind NAT. What is the public IPv4 address or hostname?
Public IPv4 address / hostname [126.96.36.199]:
Which protocol do you want for OpenVPN connections?
1) UDP (recommended)
2) TCP
Protocol : 2
What port do you want OpenVPN listening to?
Port :
Which DNS do you want to use with the VPN?
1) Current system resolvers
2) 188.8.131.52
3) Google
4) OpenDNS
5) Verisign
DNS :
Finally, tell me a name for the client certificate.
Client name [client]: 1234
Okay, that was all I needed. We are ready to set up your OpenVPN server now.
Press any key to continue...
With the server up and running, we can run the script again to create new client certificates or to revoke existing ones.
Rerunning the script we downloaded to install OpenVPN, it now asks whether we want to add or remove a user.
Entering the number corresponding to “Add a new user” and then providing a name for the user when prompted creates the certificate file that the user needs to connect to the VPN server.
Looks like OpenVPN is already installed.
What do you want to do?
1) Add a new user
2) Revoke an existing user
3) Remove OpenVPN
4) Exit
Select an option: 1
Tell me a name for the client certificate.
Client name: test2
Using SSL: openssl OpenSSL 1.1.0l 10 Sep 2019
Generating a RSA private key
.......................................................................+++++
...........+++++
writing new private key to '/etc/openvpn/server/easy-rsa/pki/private/test2.key.DVI9WyFmtZ'
-----
Using configuration from ./safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'test2'
Certificate is to be certified until Mar 21 16:49:44 2030 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Client test2 added, configuration is available at: /root/test2.ovpn
If instead we enter the number corresponding to “Revoke an existing user”, we are presented with a list of the existing clients. Entering the number of the user we intend to remove revokes the certificate generated for that user, so they can no longer connect to the VPN.
Looks like OpenVPN is already installed.
What do you want to do?
1) Add a new user
2) Revoke an existing user
3) Remove OpenVPN
4) Exit
Select an option: 2
Select the existing client certificate you want to revoke:
1) client
2) test2
Select one client: 2
Do you really want to revoke access for client test2? [y/N]: y
Using configuration from ./safessl-easyrsa.cnf
Revoking Certificate 12B01D572096F0E4512D3DE9E0480C88.
Data Base Updated
Using SSL: openssl OpenSSL 1.1.0l 10 Sep 2019
Using configuration from ./safessl-easyrsa.cnf
An updated CRL has been created.
CRL file: /etc/openvpn/server/easy-rsa/pki/crl.pem
Certificate for client test2 revoked!
Since the machine accepts only SSH connections apart from the VPN itself, we can use any SFTP client to connect to the server and download the user certificate files.
Users can then connect to the VPN server using their .ovpn profile files.
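Before handing a downloaded .ovpn profile to a user, it is worth checking that it points at the port and protocol chosen during setup and carries its inline certificate material and control-channel protection. The following audit is an added example, not part of the original guide or of the installer script; the sample profile, the 203.0.113.10 address and port 443 are constructed assumptions, since the guide does not show the profile contents or the chosen port.

```python
"""Audit an OpenVPN client profile (.ovpn) before handing it to a user."""
import re

# Constructed sample profile shaped like the road-warrior installer's output;
# the inline blocks hold placeholders, not real certificate or key material.
SAMPLE_PROFILE = "\n".join([
    "client", "dev tun", "proto tcp", "remote 203.0.113.10 443",
    "remote-cert-tls server", "verb 3",
    "<ca>", "PLACEHOLDER-CA", "</ca>", "<cert>", "PLACEHOLDER-CERT", "</cert>",
    "<key>", "PLACEHOLDER-KEY", "</key>", "<tls-crypt>", "PLACEHOLDER-TC", "</tls-crypt>",
])

def parse_profile(text):
    """Return (top-level directives name -> list of arg lists, set of inline block names)."""
    directives, blocks, current = {}, set(), None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        tag = re.fullmatch(r"<(/?)([a-z-]+)>", line)
        if tag:  # entering or leaving an inline <ca>/<cert>/<key>/<tls-crypt> block
            current = None if tag.group(1) else tag.group(2)
            if current:
                blocks.add(current)
        elif current is None:  # skip the PEM/key lines inside a block
            parts = line.split()
            directives.setdefault(parts[0], []).append(parts[1:])
    return directives, blocks

def audit_profile(text, expected_port, expected_proto):
    """Return a list of findings; an empty list means the profile matches expectations."""
    d, blocks = parse_profile(text)
    findings = [f"missing inline <{b}> block" for b in ("ca", "cert", "key") if b not in blocks]
    if not blocks & {"tls-crypt", "tls-auth"}:
        findings.append("control channel not protected by tls-crypt/tls-auth")
    if "remote-cert-tls" not in d:
        findings.append("remote-cert-tls server missing: server certificate role is not checked")
    remotes = d.get("remote", [])
    if not remotes:
        findings.append("no remote directive")
    for args in remotes:
        port = args[1] if len(args) > 1 else "1194"          # OpenVPN default port
        proto = args[2] if len(args) > 2 else d.get("proto", [["udp"]])[0][0]
        if port != str(expected_port) or not proto.startswith(expected_proto):
            findings.append(f"remote {' '.join(args)} does not match expected {expected_proto}/{expected_port}")
    return findings

if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE, 443, "tcp") or "profile OK")
```

Run it against each generated /root/<client>.ovpn with the port and protocol you actually entered in the installer; any finding means the profile should be regenerated rather than distributed.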