OpenVPN/Server
We're using OpenVPN with a TLS infrastructure. Clients can only connect with a certificate that has been signed by the servers CA. The server needs the following files, in order to properly serve clients:
- ca.crt (generated by easy-rsa)
- ca.key (generated by easy-rsa)
- dh4096.pem (generated by openssl)
- server.conf (written by you from template)
- server.key (generated by openvpn)
Contents
Setting up the Server
Our Docker image comes with all necessary binaries, to run the server. To seed the configuration you should switch into a shell in the image with a command like docker exec -it zombi/openvpn
. The following steps assume that you are within the OpenVPN container.
Generate Static Key
Within /etc/openvpn, execute openvpn --genkey --secret server.key
to generate the OpenVPN static key.
Build CA
Run /usr/share/easy-rsa/easyrsa init-pki
and /usr/share/easy-rsa/easyrsa build-ca nopass
to build the CA (depending on your usecase, you might want to set a passphrase and remove the "nopass") and copy the files ca.crt and private/ca.key to /etc/openvpn.
Generate Diffie Hellman Parameters
Within /etc/openvpn, run openssl dhparam -out dh4096.pem 4096
. This takes a long time, a smaller prime is probably enough and generates way faster, so if you want to be slightly less secure, but way faster, you might want to consider using 1024 or 2048 instead of 4096.