Recommended OpenVPN Server Setup Tutorial

Is there a recommended Tutorial for setting up an OpenVPN server? I have not done this before so suggestions appreciated.

There are a lot of different VPN server options, so it's hard for us to know which one to pick and do a click-by-click tutorial for. No matter which one we pick, someone will want a different one <grin>

I take it you have reviewed pages 64 and 67 of the groov EPIC user's guide and are looking for something a bit more blow-by-blow?

Also some VPN servers are free, the good ones are like free for 3 clients and paid for more.

Which specific server did you have in mind? Is your PC or laptop already connected to it?

Do you have an IT department that has one that you are looking to connect to? If so, can you work with them to get your EPIC connected?

Sounds like you are looking to self host? Will it be on Windows or Linux?
Do you have a domain name for the host? Do you have an SSL certificate for the domain name/host or is that part of what you are looking for help in setting up?

I have no preference so thought I would pick one. Just wanted to see if anyone else had done it. We want to self-host to avoid depending on outside support if possible. I will probably end up using an Ubuntu server. Nothing done yet, simply exploring a bit.

I've set up an OpenVPN server on a Debian-based system that I use for EPIC controllers to connect to so I can access them as needed. It is not simple and it takes a lot of reading to get things correct and secure. Security is hard. You can use what I have below as a guideline/template to get started; it may be 90%+ of what you need, but I strongly recommend looking into each option and figuring out why it is there. It may take a while, but it would be good to read down the entire man page and note any options that you think you may need.

The best source of info on OpenVPN setup and options is here; scroll down to the man page for the version you are using.
https://community.openvpn.net/openvpn/wiki
Look in the above documentation for explanations of each option I have listed below to learn what they mean and see if you need them. What I have below may no longer be the recommended way to do things - this is from my notes from a couple of years ago, so I am sure some things are out of date.

Online Guides
I found most guides on the internet to be either for using a VPN so your ISP can't spy on you or to get Netflix from a different market. The guides that were for setting up a client/server VPN had setups that would be considered insecure today. Keep that in mind when using what I have presented below; it may no longer be the recommended way to do things.

I am currently running version 2.5. If I was setting up a fresh install, I would probably start with 2.6, since that is what is current. OpenVPN has many options and a lot of them you don’t want to use. I have noticed in 2.5 and 2.6 they are starting to deprecate more of the insecure options which is good, but can make connecting older 2.3 and 2.4 clients more difficult.

PKI
I use public key infrastructure. This is a pain, but necessary if you are going to have more than a few clients. The OpenVPN project comes with something called EasyRSA which really does make this easier, but it is still a pain. The EasyRSA tool has short commands that will generate the certificate authority (CA), server certificate and client certificates needed for OpenVPN. Your CA should be created on an offline machine, which is a pain. EasyRSA uses openssl to generate the certificates. The openssl configuration defaults to creating certificates that expire in one year; you probably won't like that, so be sure to change it to what you think is reasonable. When the CA expires, you will be setting everything up again (including all clients), so plan accordingly.

Here are some commands I documented when I set up the CA (it will ask you other questions).

#Only do these one time to setup the CA
./easyrsa init-pki
./easyrsa build-ca
#create server certificate
./easyrsa build-server-full <MyServerName.domain.com> nopass
#create client certificate
./easyrsa build-client-full <devicename> nopass

For the server, I use a FQDN and tell the clients to verify it in their configuration. This is to prevent man-in-the-middle attacks. So the server's public IP will need to be on a public DNS server.

Certificates are placed in the pki/issued and pki/private directories. You will need a way to transfer these to where they are needed. The private ones need to stay private. The proper way to do this is to generate the keys on the client and then create a signing request for the CA to sign, so the private key never traverses a network or leaves the originating device. This is what is done for web site certificates. I'm not doing that here, and I don't think there is a way to do that through groov Manage anyway. Just keep the CA private key with the CA; it isn't needed anywhere else and is the key to the whole kingdom.

OpenVPN install
This part is easy:

apt-get update
apt-get install openvpn

Server Configuration
You will need to build a server configuration file and also place the CA certificate and the server's public and private certificates on your server - I put them in the /etc/openvpn/server folder.

The server.conf file options will depend on your situation. This is where you want to hit the man pages. Something as simple as turning on compression can compromise security. Here is an example config:

proto udp
port 1194
tls-server
key server.key
cert server.crt
ca ca.crt
dh dh.pem
tls-auth tls.auth 0
remote-cert-eku "TLS Web Client Authentication"
data-ciphers-fallback AES-256-CBC
dev tun
topology subnet
server 10.30.1.0 255.255.254.0
user nobody
group nogroup
client-config-dir client-config #client config files will go here
ccd-exclusive #Only allow clients with a config to connect
allow-compression no
keepalive 60 180
verb 3

To generate the Diffie-Hellman file:
openssl dhparam -out dh.pem 2048
To generate a tls.auth file:
openvpn --genkey secret tls.auth

You can test the configuration by temporarily running the server at the shell with your configuration file as a parameter:
openvpn --config server.conf

To have it run as a daemon:

systemctl start openvpn-server@server
systemctl enable openvpn-server@server
#To check status
service openvpn-server@server status

I use the server firewall to control client-to-client traffic. For this to work I need to tell the server to allow IP forwarding (make it a router) and then set up the firewall.

#Turn on forwarding now
sysctl -w net.ipv4.ip_forward=1

Edit /etc/sysctl.conf so the setting survives a reboot:
net.ipv4.ip_forward = 1

Server Firewall

apt-get install ufw
ufw allow ssh
ufw allow 1194/udp #This is the OpenVPN port
ufw default deny incoming #Don’t allow anything else in (make sure you allowed anything else you need above)
ufw default allow outgoing
ufw enable
#To view all the rules setup
ufw status verbose

Add a rule for 10.30.1.2 to talk to any client:
ufw route allow in on tun0 from 10.30.1.2 to 10.30.1.0/23

Client configuration
Server entries
The above config uses the ccd-exclusive option, which means if the server doesn't have a config file matching the client's common name in their certificate, they will be disconnected. I use this to assign VPN IPs statically to clients so I know how to reach them and so the firewall rules work using IP addresses. These config files go in the directory named after the client-config-dir option.
A typical client config file will be in the above directory and have a file name that matches the client common name, with contents like this:
ifconfig-push 10.30.1.2 255.255.254.0

Example client configuration setup - the file I upload to the EPIC. I keep it all inline - easy to distribute this way. Yes, there is a private key for the client in this file; it should be treated securely. Anyone that has access to this file can pretend to be the client.

client
#dev tun #not used on Opto
remote <server FQDN here> 1194 udp
nobind
#persist-key #not used on Opto
#persist-tun #not used on Opto
tls-client
key-direction 1
mute-replay-warnings
resolv-retry infinite
explicit-exit-notify
remote-cert-eku "TLS Web Server Authentication"
verify-x509-name <server FQDN here> name
cipher AES-256-CBC #deprecated, probably unnecessary
<key>
-----BEGIN PRIVATE KEY-----
*Clients private key here*
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
*Clients certificate here*
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
*CA certificate here, same on every client*
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
*tls.auth file contents here, same on every client*
-----END OpenVPN Static key V1-----
</tls-auth>

The key is the private key generated for this client on the CA using the EasyRSA utility. The cert is the client's public key. The ca section will be the same for all clients and is the public key of the CA that was generated when the PKI was initialized. The tls-auth contents come from the tls.auth file generated on the server; it will be the same for all clients.

Hopefully that will get you started. It is a lot more than what I had to start with.

2 Likes
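Added example (my own code, not philip's and not part of OpenVPN or EasyRSA): a small Python lint that parses a server.conf and an inline client profile in the layout the post above uses and checks the consistency points philip raises: tls-auth directions 0 on the server and 1 on the client, remote-cert-eku on both sides, verify-x509-name pinned to the FQDN in the remote line, compression refused, and with ccd-exclusive a file per client common name. The server config, the two client profiles, the hostname vpn.example.invalid, the common names epic-01/epic-02 and the key placeholders are all constructed for the example.

```python
"""Added example: lint an OpenVPN server.conf against a client profile for
the consistency points made in the post above. All configs, hostnames, CNs
and keys below are constructed for the example."""
import re
import shlex

# Constructed server config, modelled on the one in the post.
SERVER_CONF = """\
tls-server
tls-auth tls.auth 0
remote-cert-eku "TLS Web Client Authentication"
client-config-dir client-config
ccd-exclusive
allow-compression no
"""

# Constructed hardened client profile in the inline layout the post uses.
CLIENT_GOOD = """\
client
remote vpn.example.invalid 1194 udp
key-direction 1
remote-cert-eku "TLS Web Server Authentication"
verify-x509-name vpn.example.invalid name
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
placeholder-not-a-real-key
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# Constructed weak profile: wrong direction, no static key, compression, no name pin, no EKU.
CLIENT_WEAK = """\
client
remote vpn.example.invalid 1194 udp
key-direction 0
comp-lzo
"""


def parse_openvpn(text):
    """Return (options, inline): option -> list of argument lists, <tag> -> verbatim body."""
    options, inline = {}, {}
    lines, i = text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line[0] in "#;":  # comment lines
            continue
        tag = re.fullmatch(r"<([\w-]+)>", line)
        if tag:  # inline key/cert section, kept as-is up to the closing tag
            name, body = tag.group(1), []
            while i < len(lines) and lines[i].strip() != f"</{name}>":
                body.append(lines[i])
                i += 1
            i += 1  # skip the closing tag
            inline[name] = "\n".join(body)
            continue
        parts = shlex.split(line)  # keeps the quoted EKU string as one argument
        options.setdefault(parts[0], []).append(parts[1:])
    return options, inline


def first_arg(opts, name, index=0):
    """Argument `index` of the first occurrence of option `name`, or None."""
    args = opts.get(name)
    return args[0][index] if args and len(args[0]) > index else None


def check_pair(server_text, client_text, client_cn, ccd_names):
    """Return a list of findings; an empty list means the pair is consistent."""
    s, _ = parse_openvpn(server_text)
    c, c_inline = parse_openvpn(client_text)
    findings = []
    # tls-auth: server direction 0 needs client direction 1, plus the shared static key.
    server_dir = first_arg(s, "tls-auth", 1)
    client_dir = first_arg(c, "key-direction") or first_arg(c, "tls-auth", 1)
    expected = {"0": "1", "1": "0"}.get(server_dir)
    if expected and client_dir != expected:
        findings.append(f"tls-auth: server direction {server_dir}, client {client_dir}, expected {expected}")
    if "tls-auth" in s and "tls-auth" not in c and "tls-auth" not in c_inline:
        findings.append("tls-auth: server requires a static key but the client carries none")
    # compression: the server should refuse it and the client should not ask for it.
    if first_arg(s, "allow-compression") != "no":
        findings.append("compression: server does not set 'allow-compression no'")
    findings += [f"compression: client enables '{o}'" for o in ("comp-lzo", "compress") if o in c]
    # server identity: pin the name the client dials, not just any CA-signed certificate.
    remote_host, pinned = first_arg(c, "remote"), first_arg(c, "verify-x509-name")
    if pinned is None:
        findings.append("verify-x509-name: client does not check the server certificate name")
    elif pinned != remote_host:
        findings.append(f"verify-x509-name: pins {pinned!r} but remote is {remote_host!r}")
    # extended key usage: each side insists the peer holds the right kind of certificate.
    if first_arg(s, "remote-cert-eku") != "TLS Web Client Authentication":
        findings.append("remote-cert-eku: server does not require client-auth certificates")
    if first_arg(c, "remote-cert-eku") != "TLS Web Server Authentication":
        findings.append("remote-cert-eku: client does not require a server-auth certificate")
    # ccd-exclusive: a common name with no file under client-config-dir is refused.
    if "ccd-exclusive" in s and client_cn not in ccd_names:
        findings.append(f"ccd-exclusive: no {first_arg(s, 'client-config-dir')}/{client_cn} file, client would be refused")
    return findings


if __name__ == "__main__":
    ccd = {"epic-01"}  # constructed: names of the files present in client-config/
    for label, text, cn in (("good", CLIENT_GOOD, "epic-01"), ("weak", CLIENT_WEAK, "epic-02")):
        print(label, check_pair(SERVER_CONF, text, cn, ccd) or ["ok"])
```

Run it as-is to see the hardened profile pass and the weak one collect six findings; to use it on real files, read server.conf and the .ovpn into the two text arguments and pass the set of file names in your client-config directory as ccd_names. The parser deliberately keeps the inline sections verbatim so the check can see whether a static key travels with the profile without ever interpreting the key material.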

Thanks so much for that very comprehensive brain/note dump @philip

I think now @JerryD can see why the VPN server setup is outside the scope of Opto22 products.
We have made setting up the client very smooth and easy.
I think you can also see why it might be worth re-thinking the hosted server stance. I know it takes about 10 to 15 minutes to make an account at https://openvpn.net/ and have your PC/laptop and EPIC/RIO connected. With 3 free concurrent sessions, if you don't need the EPIC/RIO to be connected 24/7 (or get clever and have the VPN turn on and off via an API call from an MQTT topic via Node-RED, for example), then three free sessions might be exactly what is needed for a good long time.

Double thanks @philip. I realized it is not straightforward. This will greatly help me move forward. We have a fairly large number of EPIC installations in the design phase and this resolves one of the issues of most import.

Thanks