Now that we have configured the openvpn server, we will continue on to configuring the clients. If you haven’t configured the openvpn server yet, please refer to my previous blog: https://nivleshc.wordpress.com/2017/08/31/building-a-vpn-solution-using-openvpn-server-on-a-raspberry-pi-part1-configuring-the-server/
To connect to the openvpn server, the client needs an .ovpn file. This file contains the required certificates and the openvpn server's address. The article at https://readwrite.com/2014/04/11/building-a-raspberry-pi-vpn-part-two-creating-an-encrypted-client-side/#awesm=~oB89WBfWrt21bV provides the steps required. However, I have deviated a bit from the steps listed in that article, for the following reasons:
- I am not using comp-lzo, which is used for backwards compatibility
- I am using AES-256-CBC
- I am using a more verbose level (verb 3)
Now that the above is out of the way, use the steps below to generate the client configuration file:
1. On the Raspberry Pi, using terminal, elevate your session to root and then change to the easy-rsa keys folder using the following commands
sudo su
cd /etc/openvpn/easy-rsa/keys
2. Create a new file with the following lines and save it as Default.txt (do not forget to replace <your public domain name to openvpn server> with your openvpn public hostname)
client
dev tun
proto udp
remote <your public domain name to openvpn server> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-256-CBC
verb 3
mute 20
3. Download the script MakeOpenVPN.sh from Github using the following command (the actual Github url is https://gist.github.com/laurenorsini/10013430. The command below is using the raw version of the file)
wget https://gist.githubusercontent.com/laurenorsini/10013430/raw/df70eae7b573aaa16c417bc54c2e0c03303501e6/MakeOpenVPN.sh
4. The MakeOpenVPN.sh script needs some modification to match our openvpn server configuration. Modify the script based on the following
change line 7 from KEY=".3des.key" to KEY=".aes256.key"
change line 21 from echo "Client’s cert found: $NAME$CR" to echo "Client’s cert found: $NAME$CRT"
change line 72 by adding a # in front of the line (so you are commenting out the line)
5. The script will be owned by root. Grant it execute permissions by running the following
chmod u+rwx MakeOpenVPN.sh
6. Now execute the script using the following command. You will be asked for the name of an existing client for whom you generated the keys and certificates when configuring the openvpn server (for instance client1)
./MakeOpenVPN.sh
The script checks to ensure the following files exist in the folder /etc/openvpn/easy-rsa/keys:
{client1}.crt
{client1}.aes256.key
ca.crt
ta.key
If any of the above files are missing, an error is displayed and the script stops.
However, if everything goes well, the following is displayed:
“Done! {client1}.ovpn Successfully Created.”
and the file {client1}.ovpn is placed in the /etc/openvpn/easy-rsa/keys folder
7. That's it folks! The client config file is now ready. Import it into your openvpn client to connect to your openvpn server. Don’t forget the password you had configured for the client when you generated the key, because it will be requested every time you try connecting to the openvpn server.
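Before importing the profile, it is worth confirming that it matches the settings chosen above. The script below is an added example, not part of the original post or of MakeOpenVPN.sh. It assumes the generated file is Default.txt followed by inline <ca>, <cert>, <key> and <tls-auth> blocks, and the function name check_ovpn is hypothetical.

```shell
#!/bin/bash
# Added example: sanity-check a generated .ovpn profile before distributing it.
# Assumption: the profile is Default.txt plus inline <ca>/<cert>/<key>/<tls-auth>.
check_ovpn() {
    local f="$1" problems=0 d b
    [ -r "$f" ] || { echo "cannot read: $f"; return 2; }

    # Settings from Default.txt that must be present verbatim.
    for d in "client" "ns-cert-type server" "key-direction 1" "cipher AES-256-CBC"; do
        grep -qxF "$d" "$f" || { echo "missing directive: $d"; problems=$((problems + 1)); }
    done

    # The <...> placeholder in the remote line must have been replaced.
    if ! grep -qE '^remote[[:space:]]+[^<[:space:]]' "$f"; then
        echo "remote line missing or still a <placeholder>"; problems=$((problems + 1))
    fi

    # comp-lzo was deliberately left out of this setup.
    if grep -qE '^[[:space:]]*comp-lzo' "$f"; then
        echo "unexpected directive: comp-lzo"; problems=$((problems + 1))
    fi

    # Every inline block needs both its opening and closing tag.
    for b in ca cert key tls-auth; do
        if ! grep -qxF "<$b>" "$f" || ! grep -qxF "</$b>" "$f"; then
            echo "incomplete inline block: <$b>"; problems=$((problems + 1))
        fi
    done

    # The embedded key should be the passphrase-protected one (PKCS#8 or
    # traditional PEM encryption header), not a plaintext private key.
    if ! grep -qE 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$f"; then
        echo "private key does not look passphrase-protected"; problems=$((problems + 1))
    fi

    # The profile carries key material: no group/other permission bits.
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "file is accessible to group/other (chmod 600 it)"; problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Usage: ./check_ovpn.sh /etc/openvpn/easy-rsa/keys/client1.ovpn
if [ "$#" -gt 0 ]; then check_ovpn "$1"; fi
```

The function prints one line per problem and returns non-zero if any were found, so it can gate the step where the profile is copied off the Pi.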
A good macOS OpenVPN client is https://tunnelblick.net. On iOS, you can download the free OpenVPN Connect app.
Let me know what you think of my blog and enjoy the privacy and benefits of the vpn server 🙂