Today, we're going to learn how to configure two of the most widely used open-source VPN solutions: OpenVPN and WireGuard!
As we will need at least two Linux systems (one for the VPN server, another for the client – for OpenVPN, at least), you will need to work in pairs!
1. Install the openvpn and wireguard-tools packages from the APT repository.
2. We'll use EasyRSA to generate a PKI with CA & leaf certificates for server + clients:
git clone https://github.com/OpenVPN/easy-rsa.git
cd easy-rsa/easyrsa3
cp vars.example vars
vim vars        # or nano; uncomment & edit COUNTRY, CITY, ORG etc.
./easyrsa init-pki
./easyrsa build-ca   # enter a min. 4 char password + remember it!
# verify CA details:
./easyrsa show-ca
3. Now use the official EasyRSA instructions to request & sign both a “Server” and a “Client” certificate (use whatever Common Names you want, but make them at least descriptive). Note: you must supply a password, though you can disable this by editing the vars file and uncommenting the EASYRSA_NO_PASS 1 line ;) .
Make sure to pass the proper certificate type (client or server) as sign-req's argument!
Also note the generated certificates' path! You must transfer the CA + Client certificate + private key to the client machine (VM) – you can do it now, or a bit later when told!
Now choose your role (and help your colleague!):
Server role:
Note: you must do all these steps logged in as root!
1. First, copy the server private key + certificate and the CA certificate to OpenVPN's server configuration directory:
root in /etc/openvpn/server … ➜ ls -l
total 16K
-rw------- 1 root root 1.2K 2024-12-08 19:56 ca.crt
-rw------- 1 root root 4.5K 2024-12-08 19:56 Server.crt
-rw------- 1 root root 1.7K 2024-12-08 19:56 Server.key
2. Copy the OpenVPN example server.conf:
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/server/server.conf
Open the config with your favorite editor, then:
- make ca, cert and key point to the ones copied from EasyRSA (note: Linux is CaSe SeNsItiVe!);
- ta.key (the file named by the tls-auth directive);
- dh2048.pem (the file named by the dh directive).
3. Start/restart the service:
systemctl restart openvpn-server@server.service
If it didn't complain, then congratulations! You're done with the server!
Use journalctl -u openvpn-server@server -n 100 -f to display the log flow of the OpenVPN server (also check it in case of any service startup error).
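The server steps above (copy the PKI files, produce the two extra files the sample config names, point the directives at them, restart), scripted as an added example. This is not code from the page or from the OpenVPN/EasyRSA projects. It assumes the EasyRSA checkout lives in ~/easy-rsa/easyrsa3 (override with EASYRSA_PKI), a server certificate whose Common Name is Server, /etc/openvpn/server as the config directory, and OpenVPN 2.5 or newer for the openvpn --genkey secret syntax; the helper names set_directive, get_directive, install_server_files, configure_server and check_server_conf are my own. Run it as root with --apply to perform the steps, or with --check to confirm that every file the config refers to actually exists, a common reason for the service to complain at startup.

```shell
#!/usr/bin/env bash
# Added example (not from the page or from OpenVPN/EasyRSA): scripted version of
# the server steps. Assumptions: EasyRSA checkout in ~/easy-rsa/easyrsa3, a leaf
# certificate with Common Name "Server", config directory /etc/openvpn/server,
# OpenVPN >= 2.5 (for "openvpn --genkey secret"). Run as root with --apply.
set -u

EASYRSA_PKI="${EASYRSA_PKI:-${HOME:-/root}/easy-rsa/easyrsa3/pki}"  # assumed path
OVPN_DIR="${OVPN_DIR:-/etc/openvpn/server}"
SERVER_CN="${SERVER_CN:-Server}"            # the Common Name given at sign-req time

# set_directive FILE NAME VALUE: make "NAME VALUE" the active line for NAME.
# Only an uncommented line is replaced; the sample config's ';'-commented
# documentation lines stay in place, and a missing directive is appended.
set_directive() {
  local file="$1" name="$2" value="$3"
  if grep -q "^${name}\( .*\)*\$" "$file"; then
    sed -i "s|^${name}\( .*\)*\$|${name} ${value}|" "$file"
  else
    printf '%s %s\n' "$name" "$value" >> "$file"
  fi
}

# get_directive FILE NAME: print the active value of NAME (empty if unset).
get_directive() {
  awk -v n="$2" '$1 == n { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# install_server_files: the page's step 1 plus the two files the sample
# server.conf refers to with "tls-auth ta.key 0" and "dh dh2048.pem".
install_server_files() {
  install -m 600 "$EASYRSA_PKI/ca.crt"                 "$OVPN_DIR/ca.crt"
  install -m 600 "$EASYRSA_PKI/issued/$SERVER_CN.crt"  "$OVPN_DIR/$SERVER_CN.crt"
  install -m 600 "$EASYRSA_PKI/private/$SERVER_CN.key" "$OVPN_DIR/$SERVER_CN.key"
  openvpn --genkey secret "$OVPN_DIR/ta.key"     # shared TLS-auth key; clients need a copy
  openssl dhparam -out "$OVPN_DIR/dh2048.pem" 2048
}

# configure_server: steps 2 and 3. The openvpn-server@ unit runs with its
# working directory in /etc/openvpn/server, so bare file names are enough.
configure_server() {
  local conf="$OVPN_DIR/server.conf"
  cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf "$conf"
  set_directive "$conf" ca       ca.crt
  set_directive "$conf" cert     "$SERVER_CN.crt"
  set_directive "$conf" key      "$SERVER_CN.key"
  set_directive "$conf" dh       dh2048.pem
  set_directive "$conf" tls-auth "ta.key 0"
  systemctl restart openvpn-server@server.service
}

# check_server_conf FILE: report every file-valued directive whose file does
# not exist next to the config; returns 1 if anything is missing.
check_server_conf() {
  local conf="$1" dir name value missing=0
  dir=$(dirname "$conf")
  for name in ca cert key dh tls-auth; do
    value=$(get_directive "$conf" "$name" | cut -d' ' -f1)  # drop tls-auth's key-direction
    [ -n "$value" ] || continue
    if [ ! -e "$dir/$value" ] && [ ! -e "$value" ]; then
      echo "missing: $name -> $value" >&2
      missing=1
    fi
  done
  return "$missing"
}

case "${1:-}" in
  --apply) install_server_files && configure_server ;;
  --check) check_server_conf "$OVPN_DIR/server.conf" ;;
esac
```

set_directive deliberately touches only the active line, so the ';tls-auth' style comments that document the sample config survive the edit; check_server_conf is the thing to run before looking at journalctl, because a wrong-case file name (Server.crt vs server.crt) shows up there as a plain "missing" line.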
Client role:
1. Transfer the Server CA (ca.crt), Client.key and Client.crt from the Server (check easyrsa's pki/ directory).
2. Copy the example client configuration from /usr/share/doc/openvpn/examples/sample-config-files/client.conf somewhere you want (e.g., in your home, or inside /etc/openvpn/client, it doesn't really matter).
3. Edit the config and enter the server's external IP address (the VLAN9 network IP address if on OpenStack) in the remote variable, then also check (and modify) the ca, cert and key variables to point to where you have these files (which you've transferred earlier, RIGHT?).
4. Try to run your client using openvpn <path-to-client.conf>. Inspect the error… Something about ta.key – yep, that's right, bring it from the server :(
5. Finally, connect to the VPN and (from another terminal, unless you spawned OpenVPN in daemon mode), ping it:
ping 10.8.0.1
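Two checks worth doing on the client before step 4, plus step 5 done without guessing how long the handshake takes, as an added example that is not code from the page or from the OpenVPN/EasyRSA projects. It verifies that Client.crt is issued by the ca.crt you copied, that Client.key belongs to that certificate, and that the request was signed as type client (EasyRSA then adds the clientAuth extended key usage; the sample client.conf's remote-cert-tls server line performs the mirror-image check on the server's certificate). It then starts OpenVPN in daemon mode and polls the page's ping until the server's tunnel address answers. Assumed: the files live in ~/vpn-client under the names from the steps above (override with CLIENT_DIR), 10.8.0.1 is the sample server.conf's default tunnel address as used on the page, and the helper names check_client_identity and wait_for_tunnel are mine.

```shell
#!/usr/bin/env bash
# Added example (not from the page or from OpenVPN/EasyRSA): sanity-check the
# client's certificate material, then bring the tunnel up and wait for it.
# Assumptions: ca.crt, Client.crt, Client.key and client.conf in ~/vpn-client.
set -u

CLIENT_DIR="${CLIENT_DIR:-${HOME:-/root}/vpn-client}"   # assumed location

# check_client_identity CA CERT KEY
# 1) CERT must chain to CA, 2) KEY must be the private half of CERT's public
# key, 3) CERT must carry the clientAuth EKU that EasyRSA sets for requests
# signed with type "client". Each check is inside an "if" so a failure yields
# a message and return 1 instead of aborting a "set -e" caller.
check_client_identity() {
  local ca="$1" cert="$2" key="$3" cert_pub key_pub eku
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert is not signed by $ca" >&2; return 1
  fi
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $key does not match $cert" >&2; return 1
  fi
  # the EKU value is printed on the line after the "Extended Key Usage" header
  eku=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | awk '/Extended Key Usage/ { getline; print; exit }')
  case "$eku" in
    *"TLS Web Client Authentication"*) ;;
    *) echo "FAIL: $cert lacks the clientAuth EKU (signed as type server?)" >&2; return 1 ;;
  esac
  return 0
}

# wait_for_tunnel [HOST] [TRIES]: ping the server's tunnel address once per
# second until it answers; returns 1 if it never does within TRIES seconds.
wait_for_tunnel() {
  local host="${1:-10.8.0.1}" tries="${2:-15}" i
  for i in $(seq 1 "$tries"); do
    if ping -c 1 -W 1 "$host" >/dev/null 2>&1; then
      echo "tunnel up: $host answers"; return 0
    fi
    sleep 1
  done
  echo "tunnel down: no reply from $host after $tries s" >&2; return 1
}

case "${1:-}" in
  --check)
    check_client_identity "$CLIENT_DIR/ca.crt" "$CLIENT_DIR/Client.crt" "$CLIENT_DIR/Client.key" ;;
  --connect)
    check_client_identity "$CLIENT_DIR/ca.crt" "$CLIENT_DIR/Client.crt" "$CLIENT_DIR/Client.key" || exit 1
    # --cd resolves the relative ca/cert/key/tls-auth paths in client.conf;
    # --daemon backgrounds OpenVPN so the ping can run from this same shell
    sudo openvpn --cd "$CLIENT_DIR" --config client.conf --daemon --log /tmp/openvpn-client.log
    wait_for_tunnel 10.8.0.1 ;;
esac
```

Run it with --check after step 3 and the "wrong certificate type" and "wrong key file" mistakes are caught before OpenVPN logs a TLS error; --connect replaces steps 4 and 5 once ta.key is in place.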
TODO