[howto] Openvpn server, using easy-rsa3 to create keys and certs

# Using SD card with "2014-01-07-wheezy-raspbian armhf"
# Remember you gotta do port forwarding, not covered in this post
# TIP: When using Windows Client, must run Openvpn Client as administrator
# otherwise it connects but TUN/TAP will not start due to permissions
# and you will not have web browsing etc. This is a common mistake.

# Now install openvpn
sudo apt-get install openvpn -y

# Now we create keys and certs using the new easyrsa3
# You need to make a passphrase during this process
mkdir $HOME/clientside
cd $HOME/clientside
git clone git://github.com/OpenVPN/easy-rsa
cd easy-rsa/easyrsa3
./easyrsa init-pki
./easyrsa gen-req client1 nopass

mkdir $HOME/serverside
cd $HOME/serverside
git clone git://github.com/OpenVPN/easy-rsa
cd easy-rsa/easyrsa3
./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-req server nopass
./easyrsa sign-req server server
openssl dhparam -out dh2048.pem 2048
/usr/sbin/openvpn --genkey --secret ta.key
./easyrsa import-req $HOME/clientside/easy-rsa/easyrsa3/pki/reqs/client1.req client1
./easyrsa sign-req client client1
# Copy certs and keys to correct directory
sudo cp $HOME/serverside/easy-rsa/easyrsa3/pki/ca.crt /etc/openvpn/
sudo cp $HOME/serverside/easy-rsa/easyrsa3/pki/issued/server.crt /etc/openvpn/
sudo cp $HOME/serverside/easy-rsa/easyrsa3/dh2048.pem /etc/openvpn/
sudo cp $HOME/serverside/easy-rsa/easyrsa3/pki/private/server.key /etc/openvpn/
sudo cp $HOME/serverside/easy-rsa/easyrsa3/ta.key /etc/openvpn/
cp $HOME/serverside/easy-rsa/easyrsa3/pki/issued/client1.crt $HOME/clientside/
cp $HOME/serverside/easy-rsa/easyrsa3/ta.key $HOME/clientside/
cp $HOME/serverside/easy-rsa/easyrsa3/pki/ca.crt $HOME/clientside/
cp $HOME/clientside/easy-rsa/easyrsa3/pki/private/client1.key $HOME/clientside/
# Client Script
nano $HOME/clientside/raspberrypi.ovpn

dev tun
proto udp
remote change_this_to_server_address 34557
resolv-retry infinite
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
verb 3

# Now merge certs and keys into client script, so we only have one file to handle
cd $HOME/clientside/
wget --no-check-cert https://www.dropbox.com/s/v228zvccef9d10c/merge.sh -O merge.sh
sudo chmod +x merge.sh
sudo ./merge.sh
sudo chown $USER $HOME/clientside/raspberrypi.ovpn

# Now transfer client script raspberrypi.ovpn
# in $HOME/clientside/ to your client PC
# Due to permissions, I had to transfer it to C:\
# Then in windows, copy the file
# to C:\Program Files (x86)\OpenVPN\config

# Back to Raspberry PI, Now we create file for server config
# Below is my OpenVPN server configuration saved as /etc/openvpn/server.conf
sudo nano /etc/openvpn/server.conf

port 34557
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
tls-auth ta.key 0
dh dh2048.pem
cipher AES-256-CBC
user nobody
group nogroup
status openvpn-status.log
verb 3
push "redirect-gateway def1"
push "dhcp-option DNS"
push "dhcp-option DNS"
keepalive 5 30

# uncomment to allow data redirect
sudo nano /etc/sysctl.conf


# Make file for firewall setting
sudo nano /usr/local/bin/firewall.sh

iptables -t filter -F
iptables -t nat -F
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s "" -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s "" -j MASQUERADE

# Make firewall script executable, run it and check
sudo chmod +x /usr/local/bin/firewall.sh
sudo /usr/local/bin/firewall.sh
sudo iptables --list

# add new text line into file /etc/rc.local
# before ‘exit 0′ to ensure the firewall rules are run at reboot or power up.
sudo nano /etc/rc.local


# reboot the pi
sudo reboot

# Connect VPN client from remote location
# does not work when client and server are connected
# to same router and you try external IP address.
# If you want to do a local test at home
# connect to local IP address of server e.g.
# when you go to your remote location, connect to no-ip address or external static IP


5 thoughts on “[howto] Openvpn server, using easy-rsa3 to create keys and certs

  1. Great guide, thanks a lot! Only problem i had was some weird spaces in the .ovpn file i had to fix manually. After that it just worked 😀
    What’s the easiest way to make more client files?

  2. hi, your script above “/usr/local/bin/firewall.sh” hoses my connection to the centos 6 server, it locks me out and I’ve got to dance around with iptables to get back in. Are you sure the script is right?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s