Building a VPN Solution using OpenVPN Server on a Raspberry Pi – Part 2 Configuring the clients

Now that we have configured the openvpn server, we will continue on to configuring the clients. If you haven’t configured the openvpn server yet, please refer to my previous blog https://nivleshc.wordpress.com/2017/08/31/building-a-vpn-solution-using-openvpn-server-on-a-raspberry-pi-part1-configuring-the-server/

To connect to the openvpn server, the client needs a ovpn file. This file contains the required certificates and the openvpn servers address. The article at https://readwrite.com/2014/04/11/building-a-raspberry-pi-vpn-part-two-creating-an-encrypted-client-side/#awesm=~oB89WBfWrt21bV provides the steps required. However I have deviated from the steps listed in that article abit, for the following reasons

  • I am not using comp-lzo, which is used for backwards compatibility
  • I am using AES-256-CBC
  • I am using a more verbose level (verb 3)

Now that the above is out of the way, use the steps below to generate the client configuration file

  1. On the Raspberry Pi, using terminal, elevate your session to root and then change to the easy-rsa keys folder using the following command
   sudo su
   cd /etc/openvpn/easy-rsa/keys

2.     Create a new file with the following lines and save it as Default.txt ( do not forget to replace <your public domain name to openvpn server> with your openvpn public hostname)

   client
   dev tun
   proto udp
   remote <your public domain name to openvpn server> 1194
   resolv-retry infinite
   nobind
   persist-key
   persist-tun
   mute-replay-warnings
   ns-cert-type server
   key-direction 1
   cipher AES-256-CBC
   verb 3
   mute 20

3.   Download the script MakeOpenVPN.sh from Github using the following command (the actual Github url is https://gist.github.com/laurenorsini/10013430. The command below is using the raw version of the file)

  wget https://gist.githubusercontent.com/laurenorsini/10013430/raw/df70eae7b573aaa16c417bc54c2e0c03303501e6/MakeOpenVPN.sh

4.   The MakeOpenVPN.sh script needs some modification to match our openvpn server configuration. Modify the script based on the following

change line 7 from KEY=".3des.key" to KEY=".aes256.key"
change line 21 from echo "Client’s cert found: $NAME$CR" to 
echo "Client’s cert found: $NAME$CRT" 
change line 72 by adding a # in front of the line (so you are commenting out the line)

5. The script will be owned by root. Grant it execute permissions by running the following

  chmod u+rwx MakeOpenVPN.sh

6.  Now execute the script using the following command. You will be asked for the name of an existing client for whom you had generated the keys and certificates for when configuring the openvpn server (for instance client1)

 ./MakeOpenVPN.sh

The script checks to ensure the following files exist in the folder /etc/openvpn/easy-rsa/keys

{client1}.crt
{client1}.aes256.key
ca.crt
ta.key

If any of the above files are missing, an error is displayed and the script stops.

However, if everything goes well, the following is displayed

Done! {client1}.ovpn Successfully Created.

and the file {client1}.ovpn is placed in the /etc/openvpn/easy-rsa/keys folder

7.   Thats it folks! The client config file is now ready. Import it into your openvpn client to connect to your openvpn server. Don’t forget the password you had configured for the client when you generated the key because it will be requested everytime you try connecting to the openvpn server.

A good MacOS OpenVPN client is https://tunnelblick.net. On IOS, you can download the  free OpenVPN Connect app.

Let me know what you think of my blog and enjoy the privacy and benefits of the vpn server 🙂

Advertisements