A while ago, we published a guide describing the easiest way to install and configure OpenVPN using a script called openvpn-install. Using this script, anyone, even a beginner, can implement a working OpenVPN setup within a few minutes on DEB-based and RPM-based systems. The other day, one of our readers suggested another similar script called "PiVPN", which is used to set up OpenVPN on a Raspberry Pi. It is primarily designed for the Raspberry Pi; however, it will also work on Debian and Ubuntu. Currently, it supports only Ubuntu 14.04 LTS.
How secure is PiVPN?
Before going to the installation part, let us discuss some of its security features. Even though the installation is trivial, that doesn't mean PiVPN is not secure enough to use in production. Everything has been upgraded right out of the box beyond the default settings to harden the security of the server and client. It gives you the ability to enable unattended-upgrades, which will automatically patch your server with security updates. Also, the server configuration will only use the latest TLS 1.2 protocol. Both the data and control channels use upgraded AES and SHA256 encryption and hash algorithms.
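The TLS, cipher and hash settings described above can be checked once the installer has finished. The following is an added example, not part of PiVPN or the original guide: it reads the standard OpenVPN directives tls-version-min, cipher and auth from a config file. The sample configs are constructed, and the exact values PiVPN writes are an assumption to confirm on your own server.

```shell
#!/usr/bin/env bash
# Added example (not PiVPN code): check an OpenVPN server config for the
# hardening the guide describes: TLS 1.2 minimum, AES cipher, SHA-2 HMAC.

# Print the first argument of a directive; commented-out lines never match.
directive() {  # usage: directive <name> <conf-file>
    awk -v d="$1" '$1 == d { print $2; exit }' "$2"
}

# Print one PASS/FAIL line per check; return 0 only if every check passes.
audit_openvpn_conf() {  # usage: audit_openvpn_conf <conf-file>
    local conf=$1 rc=0 v
    v=$(directive tls-version-min "$conf")
    case "$v" in
        1.2|1.3) echo "PASS tls-version-min $v" ;;
        *) echo "FAIL tls-version-min ${v:-unset}, want 1.2 or later"; rc=1 ;;
    esac
    v=$(directive cipher "$conf")
    case "$v" in
        AES-*) echo "PASS cipher $v" ;;
        *) echo "FAIL cipher ${v:-unset}, want an AES cipher"; rc=1 ;;
    esac
    v=$(directive auth "$conf")
    case "$v" in
        SHA256|SHA384|SHA512) echo "PASS auth $v" ;;
        *) echo "FAIL auth ${v:-unset}, want SHA256 or stronger"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample configs so the example runs without a real server.
sample_dir=$(mktemp -d)
printf '%s\n' 'port 1194' 'tls-version-min 1.2' 'cipher AES-256-CBC' \
    'auth SHA256' > "$sample_dir/hardened.conf"
printf '%s\n' 'port 1194' '#tls-version-min 1.2' 'cipher BF-CBC' \
    > "$sample_dir/weak.conf"

audit_openvpn_conf "$sample_dir/hardened.conf"
audit_openvpn_conf "$sample_dir/weak.conf" || echo "weak.conf needs attention"
# On the server from this guide, point it at the running config instead:
#   audit_openvpn_conf /etc/openvpn/server.conf   (may need sudo to read)
```

A directive that is missing or commented out is reported as a failure, because OpenVPN then falls back to its built-in default rather than the hardened value.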
I'd like to give it a try and see how it works in my Ubuntu 14.04 LTS server edition. So here we go.
PiVPN - Simplest OpenVPN Setup And Configuration
Installation is extremely simple. Open Terminal and run the following command:
curl -L https://install.pivpn.io | bash
Yes, it is that simple. After a few seconds, enter the sudo user password. The above command will download and install the latest OpenVPN along with all required dependencies on your system. PiVPN will ask you a series of questions along the way. Just go with the defaults, as they are enough to set up a working OpenVPN server.
Click OK to continue.
PiVPN needs a STATIC IP ADDRESS to function properly.
If you have more than one network interface, choose one to configure.
PiVPN will not configure a static IP address if you're not using a Raspberry Pi device. For the purpose of this guide, I use Ubuntu 14.04, so it doesn't configure the static IP.
Next, choose a local user that will hold your ovpn configurations.
It is recommended to enable unattended-upgrades so that security updates are installed automatically. Choose Yes to enable unattended-upgrades.
Choose a protocol.
Choose the OpenVPN port. The default value is enough for most cases.
Choose your desired level of encryption. I go with the default value.
Click OK to generate the Diffie-Hellman key:
Next, choose whether the clients use a public IP or a DNS name to connect to the server.
Choose the DNS Provider for your VPN Clients. To use your own, select Custom.
Congratulations! OpenVPN has been installed on your server.
Finally, click Yes to reboot your system.
To check if the OpenVPN service is running, enter the following command:
$ sudo service openvpn status
 * VPN 'server' is running
Check that the OpenVPN process is running on the server:
$ ps auxww | grep openvpn
nobody 936 0.0 0.3 28624 2428 ? Ss 16:15 0:00 /usr/sbin/openvpn --writepid /run/openvpn/server.pid --daemon ovpn-server --cd /etc/openvpn --config /etc/openvpn/server.conf --script-security 2
sk 1206 0.0 0.1 11740 940 pts/1 S+ 16:15 0:00 grep --color=auto openvpn
As you can see, the OpenVPN server is up and running! Let us go ahead and configure the clients.
Create a client ovpn profile
After rebooting the server, run the following command to create a client ovpn profile.
Enter a name for your client system and a strong password.
Enter a Name for the Client: client ##ENTER client certificate name
Enter the password for the client: ##ENTER password
Enter the password again to verify: ##ENTER password again
spawn ./easyrsa build-client-full client
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
..................................................+++
.....................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/client.key.YlVMZrBWgj'
Enter PEM pass phrase:ubuntu
Verifying - Enter PEM pass phrase:ubuntu
-----
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'client'
Certificate is to be certified until Jul 9 09:47:17 2027 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Client's cert found: client.crt
Client's Private Key found: client.key
CA public Key found: ca.crt
tls-auth Private Key found: ta.key
========================================================
Done! client.ovpn successfully created!
client.ovpn was copied to: /home/sk/ovpns for easy transfer.
========================================================
If you don't want a password for the client certificates, you can skip the password option using the command:
pivpn add nopass
The client profiles will be stored under /home/username/ovpns. To verify it, run:
$ ls /home/sk/ovpns/
client.ovpn
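Before copying profiles off the server, it helps to know which ones carry a private key without a passphrase (as created with nopass) and whether the files are accessible to other local users. This is an added example, not PiVPN code; it assumes the profile embeds the key in an inline <key> block, and the sample profiles are constructed with placeholder key bodies.

```shell
#!/usr/bin/env bash
# Added example (not PiVPN code): flag client profiles whose embedded private
# key has no passphrase, or whose file is accessible to group/others.

# Classify the key inside the inline <key> block of an .ovpn profile.
key_state() {  # usage: key_state <profile.ovpn>
    awk '
        /^<key>/   { inkey = 1; next }
        /^<\/key>/ { inkey = 0 }
        inkey && /BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED/ { enc = 1 }
        inkey && /BEGIN .*PRIVATE KEY/ { seen = 1 }
        END { print (!seen ? "no-key" : (enc ? "encrypted" : "plaintext")) }
    ' "$1"
}

# True when the permission string shows no access for group and others.
mode_ok() {  # usage: mode_ok <file>
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print one line per profile; return 1 if any profile needs review.
audit_profiles() {  # usage: audit_profiles <dir>
    local f state perms rc=0
    for f in "$1"/*.ovpn; do
        [ -e "$f" ] || continue
        state=$(key_state "$f")
        if mode_ok "$f"; then perms=private; else perms=open; fi
        echo "$(basename "$f"): key=$state file=$perms"
        if [ "$state" != encrypted ] || [ "$perms" != private ]; then rc=1; fi
    done
    return "$rc"
}

# Constructed sample profiles; the key bodies are placeholders, not real keys.
demo=$(mktemp -d)
printf '%s\n' 'client' '<key>' '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
    'CONSTRUCTED-PLACEHOLDER' '-----END ENCRYPTED PRIVATE KEY-----' '</key>' \
    > "$demo/client.ovpn"
printf '%s\n' 'client' '<key>' '-----BEGIN PRIVATE KEY-----' \
    'CONSTRUCTED-PLACEHOLDER' '-----END PRIVATE KEY-----' '</key>' \
    > "$demo/laptop.ovpn"
chmod 600 "$demo/client.ovpn"; chmod 644 "$demo/laptop.ovpn"

audit_profiles "$demo" || echo "review the flagged profiles before copying them"
```

On the server in this guide the directory to pass is /home/sk/ovpns. A profile reported as key=plaintext works for anyone who obtains the file, so it deserves tighter file permissions and a protected transfer path.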
You need to copy the profiles to your client systems in order to connect to the OpenVPN server.
For example, you can copy the client profiles using the scp command as shown below.
scp client.ovpn [email protected]:/etc/openvpn/
Here, 192.168.43.150 is my openvpn client's IP address.
List all certificates
To list all valid and revoked certificates, run:
: NOTE : The first entry should always be your valid server!
::: Certificate Status List :::
:: Status || Name ::
Valid :: server
Valid :: client
Revoke a client ovpn profile
To revoke a client ovpn profile, run:
Don't like PiVPN? You can uninstall it by running the following command:
And, that's all for now. In the next guide, I will explain how to authenticate OpenVPN clients. Hope this helps.