Today, we're going to learn how to configure two of the most widely used open-source VPN solutions: OpenVPN and WireGuard!
As we will need at least two Linux systems (one for the VPN server, another for the client – for OpenVPN, at least), you will need to work in pairs!
1. Install the openvpn
and wireguard-tools
packages from the APT repository.
2. We'll use EasyRSA to generate a PKI with CA & leaf certificates for server + clients:
git clone https://github.com/OpenVPN/easy-rsa.git cd easy-rsa/easyrsa3 cp vars.example vars vim vars # or nano, uncomment & edit COUNTRY, CITY, ORG etc. ./easyrsa init-pki ./easyrsa build-ca # and enter a min. 4 char password + remember it! # verify CA details: ./easyrsa show-ca
3. Now use the official instructions here to request & sign both a “Server” and a “Client” certificate (use whatever Common Names you want, but make them at least descriptive). Note: you must supply a password, though you can disable this by editing the vars
file and uncommenting the EASYRSA_NO_PASS 1
line ;) .
Make sure to set the proper client
or server
certificate type for sign-req
's argument!
Also note the generated certificates path! You must transfer the CA + Client certificate + private key to the client machine (VM) – you can do it now, or a bit later when told!
We will use EasyRSA to generate a CA:
Now choose your role (and help your colleague!):
Note: Must do all these steps logged in as root
!
1. First, copy the server private key + certificate and the CA certificate to the OpenVPN's server configuration directory:
root in /etc/openvpn/server … ➜ ls -l total 16K -rw------- 1 root root 1.2K 2024-12-08 19:56 ca.crt -rw------- 1 root root 4.5K 2024-12-08 19:56 Server.crt -rw------- 1 root root 1.7K 2024-12-08 19:56 Server.key
2. Copy the OpenVPN example server.conf
:
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/server/server.conf
Open the config with your favorite editor, then:
ca
, cert
and key
point to the ones copied from EasyRSA (note: Linux is CaSe SeNsItiVe!);ta.key
;dh2048.pem
);3. Start/restart the service:
systemctl restart openvpn-server@server.service
If it didn't complain, the congratulations! You're done with the server!
Use journalctl -u openvpn-server@server -n 100 -f
to display the log flow of the OpenVPN server (also check it in case of any service startup error).
1. Transfer the Server CA (ca.crt
), Client.key
and Client.crt
from the Server (check easyrsa's pki/
directory).
2. Copy the example client configuration from /usr/share/doc/openvpn/examples/sample-config-files/client.conf
somewhere you want (e.g., in your home, or inside /etc/openvpn/client
, it doesn't really matter).
3. Edit the config and enter the server's external IP address (the VLAN9 network IP address if on OpenStack) specified using the remote
variable, then also check (and modify) the ca
, cert
and key
variables to point to where you have these files (which you've transfered earlier, RIGHT?).
4. Try to run your client using openvpn <path-to-client.conf>
. Inspect the error… Something about ta.key
– yep, that's right, bring it from the server :(
5. Finally, connect to the VPN and (from another terminal, unless you spawned OpenVPN in daemon mode), ping it:
ping 10.8.0.1
Wireguard is one of the latest open-source VPN technology, increasingly popular for its low complexity, straight-forward , security and performance due to its use of some modern cryptographic primitives (ChaCha20+Poly1305 for symmetric encryption, Curve25519 for ECDH, BLAKE2s for hashing).
Authentication is done by simply exchanging public keys. Let's go!
1. Both pairs should generate a private and public key pair and share the public counterpart. This is best done using the wg
CLI utility:
wg genkey | tee wg-priv.key | wg pubkey | tee wg-pub.key # Q: what does `tee` do? (`man` it!)
Only the public key is displayed on console (both are stored as files for backup!). Share it with your colleague!
2. Time to create our configuration file. Create a .conf
file inside /etc/wireguard/
(your choice of naming, though wg-isc
sounds quite okay).
Use the following code template and fill the variables (also remove/replace the <..>
placeholders!):
[Interface] PrivateKey = <paste-your-private-key> ListenPort = 55820 [Peer] PublicKey = <paste-your-colleagues's-pub-key> Endpoint = <colleague-VM-IP>:55820 AllowedIPs = <your-tunnel-subnet>/<mask>
Use a private space as the tunnel subnet address, e.g., 10.12.34.252/30
.
3. We'll create the wireguard interfaces the iproute2
way (i.e., using the ip
Linux utility):
ip link add wg-isc type wireguard wg setconf wg-isc /etc/wireguard/wg-isc.conf # or whatever you named your config ip address add <your-address>/<mask> dev wg-isc
4. Connectivity test!
ping <colleague-private-tunnel-ip> sudo wg # show wireguard statistics