In today’s connected world, the need for secure communication between remote offices and networks is paramount. A Site-to-Site Virtual Private Network (VPN) allows you to create a secure tunnel between two or more networks over the Internet. This blog post will guide you through the process of configuring a Site-to-Site VPN using OpenVPN on Linux servers.
Prerequisites
Before we begin, ensure you have the following:
- Two Linux servers: One will act as the VPN server and the other as the client. We’ll assume both servers are running Ubuntu.
- Root access: You’ll need administrative privileges to install packages and modify system configurations.
- Basic knowledge of Linux command line: Familiarity with terminal commands will help you through this guide.
Step 1: Install OpenVPN
First, log in to both servers and install OpenVPN along with the required utilities.
sudo apt update
sudo apt install openvpn easy-rsa -y
Step 2: Configure the Certificate Authority (CA)
After installation, you need to set up the Certificate Authority (CA) on the server that will act as your VPN server.
- Create a directory for the Easy-RSA files:
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
- Edit the vars file to set up the variables for your CA. Look for the lines containing export KEY_COUNTRY, export KEY_PROVINCE, and the other details, and adjust them according to your location:
nano vars
- Generate the CA:
source vars
./clean-all
./build-ca
Step 3: Create Server and Client Certificates
Generate Server Certificate
- Generate the server certificate and private key:
./build-key-server server
- Generate Diffie-Hellman parameters:
./build-dh
- Generate the HMAC key used for tls-auth:
openvpn --genkey --secret keys/ta.key
Generate Client Certificate
On the server, generate a certificate for the client:
./build-key client
Step 4: Configure OpenVPN on the Server
- Copy the example configuration file to the OpenVPN directory:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz
- Edit the OpenVPN configuration file:
sudo nano /etc/openvpn/server.conf
Modify the following lines (press Ctrl + W to search):
- Uncomment and set the ca, cert, key, and dh lines to point to the correct certificate paths:
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
- Uncomment user nobody and group nogroup so that OpenVPN drops root privileges and runs as an unprivileged user.
- Set push "route <your_client_network> <subnet_mask>" to direct traffic to the client network.
- Start and enable the OpenVPN server:
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
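The edits in this step are easy to half-finish: a directive that keeps its leading ";" is still a comment, so OpenVPN ignores it, and a commented-out user nobody / group nogroup means the daemon keeps running as root. The script below, added here as an example and not part of the original post, audits a server.conf for every directive the step asks you to set and reports anything absent or still commented out. The sample config it writes is constructed; the paths are the ones this guide uses, and "tls-auth ta.key 0" is the server-side counterpart of the client's "tls-auth ta.key 1".

```shell
#!/bin/sh
# Added example (not from the original post): audit an OpenVPN server.conf for
# the directives Step 4 tells you to set, before the service is started.

# Constructed sample config: everything set except group, which is still commented.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/ta.key 0
server 10.8.0.0 255.255.255.0
push "route 192.168.20.0 255.255.255.0"
user nobody
;group nogroup
verb 3
EOF

# check_server_conf FILE
# Prints "MISSING: <directive>" for each required directive that is absent or
# still commented out (a leading ';' or '#' keeps the line from matching);
# returns 0 only when nothing is missing.
check_server_conf() {
  _conf=$1
  _missing=0
  # _require LABEL REGEX: REGEX (extended) must match an uncommented line.
  _require() {
    if ! grep -Eq "^[[:space:]]*$2" "$_conf"; then
      echo "MISSING: $1"
      _missing=$((_missing + 1))
    fi
  }
  _require 'ca <path>'          'ca[[:space:]]+[^[:space:]]'
  _require 'cert <path>'        'cert[[:space:]]+[^[:space:]]'
  _require 'key <path>'         'key[[:space:]]+[^[:space:]]'
  _require 'dh <path>'          'dh[[:space:]]+[^[:space:]]'
  _require 'tls-auth ta.key 0'  'tls-auth[[:space:]]+[^[:space:]]+[[:space:]]+0'
  _require 'user nobody'        'user[[:space:]]+nobody'
  _require 'group nogroup'      'group[[:space:]]+nogroup'
  _require 'push "route ..."'   'push[[:space:]]+"route[[:space:]]+[0-9]'
  [ "$_missing" -eq 0 ]
}

# uncomment_directive FILE DIRECTIVE: strip the leading ';' or '#' from a line
# the sample config ships commented out (the edit the guide asks you to make).
uncomment_directive() {
  sed -i "s/^[;#][[:space:]]*\($2\)/\1/" "$1"
}

# Demo run: the first pass reports the commented group line, the second is clean.
check_server_conf "$SAMPLE_CONF" || echo "server.conf needs attention"
uncomment_directive "$SAMPLE_CONF" 'group nogroup'
check_server_conf "$SAMPLE_CONF" && echo "server.conf OK"
# On the real server: check_server_conf /etc/openvpn/server.conf
```

The check is deliberately strict about tls-auth direction 0 and about the push route carrying a real network, because those are the two lines that a copy of the sample file leaves in a state that starts without error but does not give you a working site-to-site tunnel.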
Step 5: Configure OpenVPN on the Client
- Create a client configuration file:
sudo nano /etc/openvpn/client.ovpn
Paste the following configuration:
client
dev tun
proto udp
remote [SERVER_IP] 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
Replace [SERVER_IP] with the public IP address of your server.
- Copy the necessary certificates: make sure the required .crt and .key files, together with ta.key, are transferred to the client from the server.
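Three things commonly go wrong at this point: the [SERVER_IP] placeholder is left in place, one of the files the .ovpn references was never copied over, or client.key arrives with the permissions it picked up in transit and is readable by every local user. The pre-flight script below, added here as an example and not part of the original post, catches all three before the client is started. It assumes GNU coreutils (stat -c), as on Ubuntu; the directory layout and the server address 203.0.113.10 are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the client
# side of Step 5. Verifies that every file the .ovpn references exists next to
# it, that the client key and ta.key are readable by the owner only, and that
# the [SERVER_IP] placeholder has been replaced.

# Constructed demo layout: config still has the placeholder, key is mode 644.
DEMO=$(mktemp -d)
cat > "$DEMO/client.ovpn" <<'EOF'
client
dev tun
proto udp
remote [SERVER_IP] 1194
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
EOF
# Stand-ins for the files copied over from the server (contents irrelevant here).
for f in ca.crt client.crt client.key ta.key; do echo "placeholder" > "$DEMO/$f"; done
chmod 600 "$DEMO/ta.key"
chmod 644 "$DEMO/client.key"   # deliberately too permissive for the demo

# check_client_config OVPN
# Prints one finding per line; returns 0 only when there is nothing to report.
check_client_config() {
  _ovpn=$1
  _dir=$(dirname "$_ovpn")
  _problems=0
  _report() { echo "$1"; _problems=$((_problems + 1)); }

  if grep -q '\[SERVER_IP\]' "$_ovpn"; then
    _report "PLACEHOLDER: 'remote' still contains [SERVER_IP]"
  fi

  # Walk every directive:file pair the config points at.
  for _pair in $(awk '$1=="ca"||$1=="cert"||$1=="key"||$1=="tls-auth" {print $1":"$2}' "$_ovpn"); do
    _directive=${_pair%%:*}
    _file=${_pair#*:}
    # Relative paths are resolved against the directory holding the .ovpn.
    case $_file in /*) _path=$_file ;; *) _path=$_dir/$_file ;; esac
    if [ ! -f "$_path" ]; then
      _report "MISSING: $_directive $_file (expected at $_path)"
      continue
    fi
    # Secrets (the client private key and the tls-auth shared key) must not be
    # group- or world-readable: any bit in 077 is a finding.
    if [ "$_directive" = key ] || [ "$_directive" = tls-auth ]; then
      _mode=$(stat -c '%a' "$_path")
      if [ $((0$_mode & 077)) -ne 0 ]; then
        _report "PERMS: $_file is mode $_mode, expected 600"
      fi
    fi
  done
  [ "$_problems" -eq 0 ]
}

# Demo: the first run reports the placeholder and the key mode; then fix both.
check_client_config "$DEMO/client.ovpn" || echo "client config not ready"
sed -i 's/\[SERVER_IP\]/203.0.113.10/' "$DEMO/client.ovpn"   # constructed server address
chmod 600 "$DEMO/client.key"
check_client_config "$DEMO/client.ovpn" && echo "client config OK"
# On the real client: check_client_config /etc/openvpn/client.ovpn
```

Run it as the user that will start OpenVPN, so the permission check reflects what that process will actually be able to read.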
Step 6: Start the Client VPN
- Start the OpenVPN client:
sudo openvpn --config /etc/openvpn/client.ovpn
When successfully connected, you should see connection logs on both the server and client sides.
Step 7: Verify the Connection
To verify that the VPN is working:
- Check the IP address on the client to ensure it's part of the VPN subnet:
curl ifconfig.me
- Ping the VPN server from the client:
ping [SERVER_VPN_IP]
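curl ifconfig.me reports the address the Internet sees for the client, and that only changes if the server pushes a default route through the tunnel; for a site-to-site setup the direct check is that the client's tun0 interface holds an address inside the VPN subnet. The script below, added here as an example and not part of the original post, parses the output of ip -o -4 addr show and tests the tun0 address against the subnet. It assumes the subnet from the sample server.conf, "server 10.8.0.0 255.255.255.0", was kept; the ip output it runs on is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the tunnel is up by
# checking that tun0 carries an address inside the VPN subnet. Handles both
# address forms `ip` prints for a tun device ("10.8.0.6/24" with topology
# subnet, "10.8.0.6 peer 10.8.0.5/32" with the net30 default).

# Assumption: the sample server.conf default "server 10.8.0.0 255.255.255.0".
VPN_NET=10.8.0.0
VPN_MASK=255.255.255.0

# Constructed output of: ip -o -4 addr show
SAMPLE_IP_OUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.25/24 brd 192.168.1.255 scope global eth0\       valid_lft forever preferred_lft forever
3: tun0    inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0\       valid_lft forever preferred_lft forever'

# tun_address IFACE: print the IPv4 address of IFACE from `ip -o -4 addr show`
# output read on stdin, with any /prefix stripped; prints nothing if absent.
tun_address() {
  awk -v ifc="$1" '$2 == ifc {
    for (i = 1; i <= NF; i++) if ($i == "inet") { sub(/\/.*/, "", $(i+1)); print $(i+1); exit }
  }'
}

# ip_to_int A.B.C.D: dotted quad to a 32-bit integer for mask arithmetic.
ip_to_int() {
  _old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$_old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP NET MASK: 0 if IP & MASK equals NET & MASK.
in_subnet() {
  [ $(( $(ip_to_int "$1") & $(ip_to_int "$3") )) -eq $(( $(ip_to_int "$2") & $(ip_to_int "$3") )) ]
}

# verify_tunnel IP_OUTPUT: 0 if tun0 is up with an address inside VPN_NET/VPN_MASK.
verify_tunnel() {
  _addr=$(printf '%s\n' "$1" | tun_address tun0)
  if [ -z "$_addr" ]; then
    echo "tun0 has no IPv4 address: tunnel is down"
    return 1
  fi
  if in_subnet "$_addr" "$VPN_NET" "$VPN_MASK"; then
    echo "tun0 is $_addr, inside $VPN_NET/$VPN_MASK"
  else
    echo "tun0 is $_addr, NOT inside $VPN_NET/$VPN_MASK"
    return 1
  fi
}

verify_tunnel "$SAMPLE_IP_OUT"
# On a real client: verify_tunnel "$(ip -o -4 addr show)"
```

Once tun0 checks out, the ping to the server's tunnel address in the step above confirms that traffic actually crosses the tunnel rather than merely that the interface exists.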
Conclusion
You have now successfully set up a Site-to-Site VPN using OpenVPN on Linux servers! This configuration allows secure communication between your networks, ensuring that your data remains private and secure.
Resources
- OpenVPN Documentation
- Easy-RSA Documentation
This article aims to provide a comprehensive yet straightforward guide for setting up your Site-to-Site VPN on Linux. For further customization and advanced configurations, be sure to refer to the OpenVPN documentation. Happy tunneling!