Road Warrior OpenVPN Part 3
In our previous articles in this series, we’ve looked at configuring OpenVPN on your VPS in order to provide a method to protect your internet connection when using wifi hotspots for internet access. Last time we got the OpenVPN server up and running, and this time we’ll look at getting the configuration done for client certificates so you can connect your devices to your VPN.
How to Configure Client Certificates to Connect Devices to VPN
You will need to create a key and certificate for each of the devices that you wish to connect to the VPN. While you can use one key and certificate pair for all devices, by default OpenVPN will only allow one device to be connected at a time using them: the server identifies each client by the Common Name in its certificate, and a second connection with the same name drops the first. Using a separate key and certificate pair for each device also allows you to revoke just that pair should a device be lost or stolen (easy-rsa provides a revoke-full script for this, and the server then needs a crl-verify line pointing at the generated crl.pem), preventing it from connecting through your VPN without affecting your other devices.
As each client device needs its own key and certificate, you'll need to give each one a unique name. One way is to name them after the device itself so it's easy to tell later which certificate belongs to which device: "laptop", "iphone", "tablet1" and so on. In this example we'll be creating a certificate for "laptop"; wherever you see "laptop" in these instructions, substitute the name of the device you are creating the next key and certificate pair for.
When using these commands to create a client key and certificate pair you'll need to be in the /etc/openvpn/easy-rsa directory, with the easy-rsa vars file sourced in that shell just as when you built the server's key. If build-key stops with a message asking you to source the vars script first, run "source ./vars" and then the build-key command again; sudo does not pass sourced variables through by default, so it is simplest to do both from a root shell (sudo -s). Assuming you are already in that directory, we'll start with building the new key:
sudo ./build-key laptop
Just as when running the command for the server's key, you'll be prompted with several questions. You can hit enter for all of them to accept the defaults (the Common Name defaults to the name you gave, "laptop" here; this is what the server uses to identify the client, so it must be different for every device), then answer "y" to the final two questions, which sign the certificate and commit it to the CA's database.
You will then have three files created in the keys directory: in my example they are laptop.crt, laptop.csr and laptop.key, as the filename matches the name provided to the build-key command. The .csr file is the signing request and is only needed by the CA; the client itself only needs the .crt and .key files.
Now we need to provide the configuration for the client, and again we can get this from the sample config files:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/myvpn.ovpn
Note that this file will be used for all client devices, so it doesn’t need to be named to match the key and certificate pairs. When connecting with the client device you will see OpenVPN identify the connection using the filename you chose here. Next we need to tweak the settings for the client device:
sudo nano /etc/openvpn/easy-rsa/keys/myvpn.ovpn
The first line we want to edit is one that looks like this:
remote my-server-1 1194
In this case you need to replace my-server-1 with the public IP address of your server (a DNS name that resolves to it also works). 1194 is OpenVPN's default port; if you changed the port or proto lines in the server configuration, change the matching lines here too, otherwise the client will try to connect to the wrong place.
The next thing to change is further down in the file, below the line "# Downgrade privileges after initialization". This is similar to the server configuration: remove the semicolons at the start of the user and group lines so the client drops to an unprivileged user once the tunnel is up (these two lines only take effect on Linux and other Unix-like clients and are ignored elsewhere). Also check the ca, cert and key lines, which name the certificate files the client will load: the sample file expects ca.crt, client.crt and client.key. To keep one myvpn.ovpn that works for every device, leave those lines as they are and rename each device's certificate and key to client.crt and client.key when you copy them over; alternatively, edit the cert and key lines to laptop.crt and laptop.key, in which case you will need a separate copy of the config for each device. With that done you can then save and exit the file.
Now the configuration is ready, you need to download it to the device that will be connecting. I recommend using an FTP client that supports SFTP, as the private key must only ever travel over an encrypted connection (never by email or a plain FTP transfer). Which tool you use and how you connect will depend on the device you are configuring, but in all cases you will be using SFTP with the same username and password you use to manage the server over SSH. Note that easy-rsa creates the keys directory readable by root only, so if your SFTP user cannot see the files, copy them with sudo to a directory that user can read, download them from there, and then delete that copy. Once you have connected, there are 4 files you need to copy to the client device: the certificate and key files you created for it, the .ovpn configuration file, and the server's ca.crt file. So in our example of the laptop we'd be downloading:
/etc/openvpn/easy-rsa/keys/laptop.crt
/etc/openvpn/easy-rsa/keys/laptop.key
/etc/openvpn/easy-rsa/keys/myvpn.ovpn
/etc/openvpn/ca.crt
At this stage, with the files copied to the device you then need to refer to your client device’s OpenVPN client documentation for how to import the files and configure the VPN on the device, as this is outside of the scope of this tutorial.
For any subsequent devices you only need to repeat the process of creating a key and certificate pair for the new device. You can reuse the .ovpn file from before (its cert and key lines must match the filenames on the device, so either rename the new device's files to those names or edit the two lines), and then copy the 4 files over to the new device for configuring OpenVPN.
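As an added example that is not from the original article (nor part of OpenVPN or easy-rsa), here is a small POSIX shell script that automates the whole procedure above for one device and goes one step further: instead of four separate files, it writes a single .ovpn with the CA certificate, client certificate and client key embedded as inline <ca>, <cert> and <key> blocks, which most OpenVPN clients can import directly. It assumes the article's paths (/etc/openvpn/easy-rsa with its keys directory, /etc/openvpn/ca.crt, and the myvpn.ovpn copy of the sample client.conf); the function and variable names are my own. It calls pkitool, the non-interactive script that build-key wraps, so the certificate is issued with the defaults from vars without prompting.

```shell
#!/bin/sh
# Added example, not from the original article: issue a client certificate
# with easy-rsa 2 and bundle it, its key and the CA certificate into one
# inline .ovpn, so only a single file has to be copied to each device.
# Run as root on the server. Paths follow the article's layout (assumed);
# change them if yours differs.
set -e
umask 077                                # anything we create holds key material: owner-only

EASYRSA_DIR=/etc/openvpn/easy-rsa        # easy-rsa 2 directory used in the series
KEYS_DIR=$EASYRSA_DIR/keys               # where build-key/pkitool writes NAME.crt and NAME.key
CA_CRT=/etc/openvpn/ca.crt               # the CA certificate, where the article copied it
BASE_CONF=$KEYS_DIR/myvpn.ovpn           # the edited copy of the sample client.conf

# append_pem TAG FILE: print FILE's PEM body wrapped in <TAG>...</TAG>.
# easy-rsa 2 .crt files start with a human-readable dump of the certificate;
# only the -----BEGIN/-----END block belongs inside the inline section.
append_pem() {
    printf '<%s>\n' "$1"
    sed -n '/^-----BEGIN/,/^-----END/p' "$2"
    printf '</%s>\n' "$1"
}

# write_inline_ovpn BASE CA CERT KEY OUT: copy BASE to OUT, dropping the
# file-based "ca", "cert" and "key" directives (active or ;-commented),
# then append the three PEM files as inline blocks. Inline blocks make the
# per-device filenames irrelevant, which is what lets one base config
# serve every device. Fails (returns 1) if any input is missing/unreadable.
write_inline_ovpn() {
    base=$1; ca=$2; cert=$3; key=$4; out=$5
    for f in "$base" "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    grep -Ev '^;?(ca|cert|key)[[:space:]]' "$base" > "$out"
    {
        append_pem ca   "$ca"
        append_pem cert "$cert"
        append_pem key  "$key"
    } >> "$out"
}

# make_client NAME: non-interactive equivalent of "./build-key NAME"
# (pkitool is the batch script that build-key wraps), then bundle the result.
make_client() {
    name=$1
    if [ -e "$KEYS_DIR/$name.crt" ]; then
        echo "$name already has a certificate; pick a new name or revoke the old one first" >&2
        return 1
    fi
    ( cd "$EASYRSA_DIR" && . ./vars && ./pkitool "$name" )
    write_inline_ovpn "$BASE_CONF" "$CA_CRT" \
        "$KEYS_DIR/$name.crt" "$KEYS_DIR/$name.key" "$KEYS_DIR/$name.ovpn"
    echo "wrote $KEYS_DIR/$name.ovpn: copy it to the device over SFTP, then delete it from the server"
}

# Usage: sh make-client.sh laptop   (as root, on the server)
if [ "$#" -eq 1 ]; then
    make_client "$1"
fi
```

Run it as root with "sh make-client.sh laptop"; it refuses to overwrite an existing certificate, since reissuing under the same Common Name would silently replace the one already in use. The inline form is understood by OpenVPN 2.1 and later and by the usual desktop and mobile clients. Because the resulting file contains the private key it still has to travel over SFTP, and it is worth deleting the server's copy of NAME.ovpn once the device has imported it, as the keys directory already holds the certificate and key separately.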
We now have the OpenVPN server configured and ready on the server, and client devices configured. We have one last thing to do, and that is configure the server’s firewall to allow the VPN connections and allow forwarding traffic to the internet on behalf of the connected user. We’ll look at how to do this next time.