I deployed an OpenVPN server on Ubuntu to provide encrypted remote access. I created a private Certificate Authority with Easy RSA, issued server and client certificates, and configured Network Address Translation so clients could reach the internal network. (How to Configure & Manage a VPN)
Build an OpenVPN server with a private Certificate Authority.
Generate client profiles and verify connectivity.
Enforce least privilege on keys and files.
Ubuntu with sudo rights and a static IP address or domain name.
Basic command line skills.
OpenVPN, Easy-RSA, Ubuntu Linux, Uncomplicated Firewall, Systemd, Public Key Infrastructure
Update the system
sudo apt update
sudo apt upgrade -y
Install OpenVPN and Easy-RSA
sudo apt install -y openvpn easy-rsa
Initialize the Certificate Authority
make-cadir ~/openvpn-ca and cd ~/openvpn-ca
Edit vars with organization details
./easyrsa build-ca and set a strong passphrase
Create server keys and parameters
./easyrsa gen-req server nopass
./easyrsa sign-req server server
./easyrsa gen-dh for Diffie-Hellman parameters
openvpn --genkey --secret ta.key for the static key used by tls-auth
Place files and set permissions
Copy ca.crt, server.crt, server.key, dh.pem, ta.key to /etc/openvpn
chmod 600 on private keys and 644 on public material
Server configuration
/etc/openvpn/server.conf minimal config:
port 1194, proto udp, dev tun
ca, cert, key, dh, tls-auth ta.key 0
cipher AES-256-CBC, auth SHA256
user nobody, group nogroup, persist-key, persist-tun
status and log files with moderate verbosity
Enable Internet Protocol forwarding and Network Address Translation
Edit /etc/sysctl.conf to set net.ipv4.ip_forward=1 and apply with sudo sysctl -p
In the Uncomplicated Firewall before.rules, add a POSTROUTING masquerade rule from the VPN subnet to the primary interface
Allow 1194/udp and OpenSSH in Uncomplicated Firewall
Start and enable the service
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
Create a client and package a profile
./easyrsa gen-req client1 nopass and ./easyrsa sign-req client client1
Copy the client keys and ca.crt to a client-configs folder
Build the client .ovpn file that references ca, cert, key, and tls-auth, with remote <server ip> 1194
Test and document
Import the profile on a client, connect, verify the external IP with curl ifconfig.me, and ping internal resources
Record exact versions and checksums for reproducibility
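As an added example that is not part of the original write-up: a small shell helper that assembles the client .ovpn profile from the "Create a client" step with ca, cert, key and ta.key embedded inline, and that applies the least-privilege check from the permissions step by refusing to bundle private material that is not mode 600. The directory layout, the hostname vpn.example.com and the placeholder PEM contents are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original write-up. Builds an inline client .ovpn
# from ca.crt, NAME.crt, NAME.key and ta.key in DIR, refusing to bundle private
# material that is not mode 600. Paths and the remote name are assumptions.
set -eu

# Succeeds only when FILE is mode 600 (owner read/write, nothing for others).
key_mode_ok() {
  [ "$(stat -c '%a' "$1")" = "600" ]
}

# build_profile DIR NAME REMOTE OUT
# Writes OUT as a single-file profile. The server uses "tls-auth ta.key 0",
# so the client side declares key-direction 1 for the embedded ta.key.
build_profile() {
  local dir=$1 name=$2 remote=$3 out=$4 f
  for f in "$dir/$name.key" "$dir/ta.key"; do
    key_mode_ok "$f" || { echo "refusing to bundle $f: not mode 600" >&2; return 1; }
  done
  {
    printf 'client\ndev tun\nproto udp\nremote %s 1194\n' "$remote"
    printf 'resolv-retry infinite\nnobind\npersist-key\npersist-tun\n'
    printf 'remote-cert-tls server\ncipher AES-256-CBC\nauth SHA256\nverb 3\n'
    printf 'key-direction 1\n'
    printf '<ca>\n';       cat "$dir/ca.crt";     printf '</ca>\n'
    printf '<cert>\n';     cat "$dir/$name.crt";  printf '</cert>\n'
    printf '<key>\n';      cat "$dir/$name.key";  printf '</key>\n'
    printf '<tls-auth>\n'; cat "$dir/ta.key";     printf '</tls-auth>\n'
  } > "$out"
  chmod 600 "$out"   # the profile now carries the private key: it is a secret too
}

# make_demo_material DIR: constructed placeholder PEM files (NOT real keys) so the
# helper can be exercised offline; a real deployment uses the Easy-RSA output.
make_demo_material() {
  local dir=$1
  mkdir -p "$dir"
  printf -- '-----BEGIN CERTIFICATE-----\nDEMO-CA\n-----END CERTIFICATE-----\n' > "$dir/ca.crt"
  printf -- '-----BEGIN CERTIFICATE-----\nDEMO-CLIENT\n-----END CERTIFICATE-----\n' > "$dir/client1.crt"
  printf -- '-----BEGIN PRIVATE KEY-----\nDEMO-KEY\n-----END PRIVATE KEY-----\n' > "$dir/client1.key"
  printf -- '-----BEGIN OpenVPN Static key V1-----\nDEMO-TA\n-----END OpenVPN Static key V1-----\n' > "$dir/ta.key"
  chmod 644 "$dir/ca.crt" "$dir/client1.crt"   # public material
  chmod 600 "$dir/client1.key" "$dir/ta.key"   # private material
}
```

Run `make_demo_material /tmp/demo && build_profile /tmp/demo client1 vpn.example.com /tmp/demo/client1.ovpn` to see the assembled profile; loosening client1.key to 644 makes the same call fail before anything is written.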
A working virtual private network with certificate-based authentication.
A repeatable process for adding clients with consistent security controls.
Public key infrastructure fundamentals, key lifecycle, least privilege on secrets.
Linux service management and firewall routing.
Client support and connectivity testing.