====== OpenVPN Server ======
Similar documentation for installing and configuring OpenVPN can be found almost everywhere.
This guide covers the connection between my Icinga server and my QNAP, which I wanted to monitor.
I don't configure this VPN for browsing the web or anything else.
===== Installation =====
apt-get install openvpn easy-rsa
===== Configuration =====
Create your configuration
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
Edit the following in "/etc/openvpn/server.conf"
#from
dh dh1024.pem
#to
dh dh2048.pem
Edit and uncomment
user nobody
group nogroup
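A check for the three edits above, as an added example that is not part of the original guide: it reads only the active directives (lines not commented out with # or ;) and reports a 1024-bit dh file name or a missing user/group directive. The function name audit_server_conf is hypothetical, and the dh check goes by file name only.

```shell
#!/bin/sh
# Added example, not from the original guide.
# audit_server_conf FILE
#   prints one line per finding and returns the number of findings (0 = clean)
audit_server_conf() {
    conf=$1 findings=0
    # Keep active directives only: strip # and ; comments, drop empty lines.
    active=$(sed -E 's/[#;].*$//; s/[[:space:]]+$//; /^[[:space:]]*$/d' "$conf")

    # Diffie-Hellman parameters: the guide replaces dh1024.pem with dh2048.pem.
    dh=$(printf '%s\n' "$active" | awk '$1=="dh"{print $2}' | tail -n 1)
    case $dh in
        '')     echo "dh: no active dh directive"; findings=$((findings+1)) ;;
        *1024*) echo "dh: $dh is 1024-bit, use dh2048.pem"; findings=$((findings+1)) ;;
    esac

    # Privilege drop: without user/group the daemon keeps running as root.
    for d in user group; do
        printf '%s\n' "$active" | awk -v d="$d" '$1==d{f=1} END{exit !f}' || {
            echo "$d: not active, daemon stays root after start"
            findings=$((findings+1)); }
    done
    return "$findings"
}

# Usage: audit_server_conf /etc/openvpn/server.conf
```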
==== Create the Certificate Authority ====
cp -r /usr/share/easy-rsa/ /etc/openvpn
mkdir /etc/openvpn/easy-rsa/keys
Edit the default vars in "/etc/openvpn/easy-rsa/vars"
export KEY_COUNTRY="YOUR COUNTRY eg. DE"
export KEY_PROVINCE="YOUR PROVINCE eg. BW"
export KEY_CITY="YOUR CITY eg. Karlsruhe"
export KEY_ORG="YOUR ORG eg. Lunetikk"
export KEY_EMAIL="YOUR MAILADDRESS"
export KEY_OU="YOUR OU eg. lunetikk"
export KEY_NAME="ANY IDENTIFIER eg. openvpn"
Execute the following; if asked, answer "y" and press Enter
openssl dhparam -out /etc/openvpn/dh2048.pem 2048
cd /etc/openvpn/easy-rsa
. ./vars
./clean-all
./build-ca
Build the server cert; if asked, answer "y" and press Enter
./build-key-server openvpn
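Copy your cert and keys (build-key-server wrote them as openvpn.crt and openvpn.key, while the sample server.conf expects server.crt and server.key)
cp /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn
for f in crt key; do cp /etc/openvpn/easy-rsa/keys/openvpn.$f /etc/openvpn/server.$f; done
Start the service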
service openvpn start
==== Create client certificate ====
Execute the following; if asked, answer "y" and press Enter
./build-key qnap
Copy the client sample config
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/qnap.ovpn
Edit "/etc/openvpn/easy-rsa/keys/qnap.ovpn" and change the following
remote YOUROPENVPNSERVER 1194
#use these on qnap, make sure they exist
user nobody
group everyone
#comment the 3 lines
#ca ca.crt
#cert client.crt
#key client.key
#at the end of the file, add your ca, client-cert and client-key as inline blocks
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
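The manual edit above as one shell function, added here as an example that is not part of the original guide: it comments out the ca/cert/key directives, appends the three files as OpenVPN inline `<ca>`, `<cert>` and `<key>` blocks, and creates the profile owner-only because it embeds the client's private key. The function names and the argument order are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names are hypothetical.

# Print only the PEM block(s) of a file, dropping the human-readable
# "Certificate:" dump that easy-rsa writes in front of the certificate.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# build_inline_ovpn TEMPLATE CA CERT KEY OUT
build_inline_ovpn() {
    template=$1 ca=$2 cert=$3 key=$4 out=$5
    for f in "$template" "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing input: $f" >&2; return 1; }
    done
    # Catch swapped arguments before a certificate lands in the <key> block.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" || {
        echo "$key is not a PEM private key" >&2; return 1; }
    (
        umask 077        # profile embeds the private key: owner-only (0600)
        rm -f "$out"     # recreate so an older, looser mode is not kept
        {
            # Comment out the file-based directives of the sample client.conf.
            sed -E 's/^[[:space:]]*(ca|cert|key)[[:space:]]/#&/' "$template"
            printf '<ca>\n';   pem_only "$ca";   printf '</ca>\n'
            printf '<cert>\n'; pem_only "$cert"; printf '</cert>\n'
            printf '<key>\n';  pem_only "$key";  printf '</key>\n'
        } > "$out"
    )
}

# Usage on the server, with the paths used in this guide:
#   cd /etc/openvpn/easy-rsa/keys
#   build_inline_ovpn /usr/share/doc/openvpn/examples/sample-config-files/client.conf \
#       ca.crt qnap.crt qnap.key qnap.ovpn
```

The "remote" line and the user/group settings still have to be edited in the result as described above.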
===== Commands =====
^ Command ^ Function ^
| nmap -sL 10.8.0.* | shows all connected clients in the given IP range |
===== Connecting a QNAP as client =====
Edit the file "/etc/config/vpn.conf" and add the following
[OPENVPN_CLIENT1]
Enable = TRUE
Status = 1
Index = 1
Gateway = 0
Allow Connect = 0
Reconnect = 1
Server Address = lunetikk.de
Profile File = OpenVPN4
VPN Proto Type = udp
VPN Port = 1194
Compress = 1
Re-direct gateway = 1
Encryption = 1
AccessCode = AAA
Time Stamp = 0
Start your client (parameter 1 is the index in your config)
/etc/init.d/vpn_openvpn_client.sh start 1 &
Check if your connection is up with ifconfig and ping your gateway (OpenVPN server)
# ifconfig
tun0 Link encap:UNSPEC Hardware Adresse 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet Adresse:10.8.0.6 P-z-P:10.8.0.2 Maske:255.255.255.255
# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=38.6 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=37.9 ms
===== Connecting an Ubuntu 16 as client =====
Install the client
apt-get update
apt-get install openvpn
Copy the .ovpn file from your server to your client into /etc/openvpn/ \\
Rename it to .conf, for example client.conf
mv client.ovpn client.conf
If you run OpenVPN with systemd, you need to list your config files in "/etc/default/openvpn"
Add your filename (client) if you only want that single file to be loaded, or "all" if you want every .conf file to be loaded
AUTOSTART="client"
#or
AUTOSTART="all"
Reload the "/etc/default/" configs
systemctl daemon-reload
Restart OpenVPN
systemctl restart openvpn
Check if your connection is up with ifconfig and ping your gateway (OpenVPN server)
# ifconfig
tun0 Link encap:UNSPEC Hardware Adresse 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet Adresse:10.8.0.6 P-z-P:10.8.0.2 Maske:255.255.255.255
# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=38.6 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=37.9 ms
===== Connecting a Raspbian 9 as client =====
Install the client
apt-get update
apt-get install openvpn
Copy the .ovpn file from your server to your client into /etc/openvpn/ \\
Rename it to .conf, for example client.conf
mv client.ovpn client.conf
If you run OpenVPN with systemd, you need to list your config files in "/etc/default/openvpn"
Add your filename (client) if you only want that single file to be loaded, or "all" if you want every .conf file to be loaded
AUTOSTART="client"
#or
AUTOSTART="all"
Reload the "/etc/default/" configs
systemctl daemon-reload
Restart OpenVPN
systemctl restart openvpn
Check if your connection is up with ifconfig and ping your gateway (OpenVPN server)
# ifconfig
tun0 Link encap:UNSPEC Hardware Adresse 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet Adresse:10.8.0.6 P-z-P:10.8.0.2 Maske:255.255.255.255
# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=38.6 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=37.9 ms
and with systemctl
# systemctl status openvpn@client.service
● openvpn@client.service - OpenVPN connection to client
Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; vendor preset: enabled)
Active: active (running) since Mon 2019-01-21 12:56:38 CET; 3min 6s ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Process: 1684 ExecStart=/usr/sbin/openvpn --daemon ovpn-client --status /run/openvpn/client.status 10 --cd /etc/openvpn --config /etc/openvpn/client.conf --writepid /run/openvpn/client.pid (code=exited, status=0/SUCCESS)
Main PID: 1686 (openvpn)
CGroup: /system.slice/system-openvpn.slice/openvpn@client.service
└─1686 /usr/sbin/openvpn --daemon ovpn-client --status /run/openvpn/client.status 10 --cd /etc/openvpn --config /etc/openvpn/client.conf --writepid /run/openvpn/client.pid
Jan 21 12:56:40 raspbian ovpn-client[1686]: ROUTE_GATEWAY 192.168.178.1/255.255.255.0 IFACE=wlan0 HWADDR=xx:xx:xx:xx:xx:xx
Jan 21 12:56:40 raspbian ovpn-client[1686]: TUN/TAP device tun0 opened
Jan 21 12:56:40 raspbian ovpn-client[1686]: TUN/TAP TX queue length set to 100
Jan 21 12:56:40 raspbian ovpn-client[1686]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Jan 21 12:56:40 raspbian ovpn-client[1686]: /sbin/ip link set dev tun0 up mtu 1500
Jan 21 12:56:40 raspbian ovpn-client[1686]: /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.1
Jan 21 12:56:40 raspbian ovpn-client[1686]: /sbin/ip route add 10.8.0.1/32 via 10.8.0.1
Jan 21 12:56:40 raspbian ovpn-client[1686]: GID set to nogroup
Jan 21 12:56:40 raspbian ovpn-client[1686]: UID set to nobody
Jan 21 12:56:40 raspbian ovpn-client[1686]: Initialization Sequence Completed