Do you need your servers to communicate securely through the WAN or an unsecured LAN? Having some services communicating insecurely that you want to encapsulate in a VPN tunnel? Let’s see how we can have a setup using 2 servers. We could have more but… let’s keep it simple for now.

General configuration

Before we start, let’s name those 2 linux servers (here Ubuntu 14.04) which will be inter-connected via a VPN:

Server1 will play the role of the VPN server. If we would have a setup involving more than 2 servers, all of them would connect to Server1 to establish the VPN tunnel.

Server2 = the Client server (the server which will connect to Server1)

First we must install on Server1 the OpenVPN and a tool to ease the PKI configuration (we’ll create a Public Key Infrastructure Using the easy-rsa scripts):

We create a sample VPN server configuration:

Once extracted, open server.conf in a text editor. We have many things to change out there.

At first we need to change the Diffie hellman parameters to get a better security level.
Change this:

to this:

This will double the RSA key length used when generating server and client keys.
Then uncomment those lines:

By default, openVPN runs as root. We don’t need that. Better to confine openVPN in a non privilege user.
A good thing to do also is to avoid DNS requests leaking outside the VPN connexion. For this we need to declare DNS servers into our conf file (usually the ones provided by a secure DNS provider like opendns.com). If you will use the VPN for internal services, you don’t need to do that. Rely on what’s declared into /etc/hosts.
The addresses below refers to the public DNS servers provided by opendns.com:

This is not our goal here but if we were about to create a VPN gateway, we would need those extra steps:

  • setup the VPN server to pass the traffic thru
  • enable the IP forwarding
  • setup a firewall like ufw (Uncomplicated Firewall) to protect the VPN server

To pass thru the VPN connexion, uncomment the below line.
N.B.: we don’t need that for our 2 servers to communicate.

Again, the following is only needed in case you setup a VPN gateway. In that case you need the VPN server to forward internet requests from clients to the internet with enabling packet forwarding at the kernel level. If we don’t do that, the traffic will stop at the server.

We just enabled it. But it will return to default (disabled) after reboot. To make it permanent, edit /etc/sysctl.conf and uncomment the next line to enable packet forwarding for IPv4

To setup the Firewall you will find a good article on ufw here.

Voila. We finished with the first part of the configuration.

Creating a Certificate Authority and Server-Side Certificate & Key

Our OpenVPN configuration will use certificates to encrypt traffic. More practical and secure than using passwords.

Configure and Build the Certificate Authority

First we need to copy the RSA generation scripts:

We make a key storage place:

Now edit /etc/openvpn/easy-rsa/vars and adapt it to your business. This is what you should change:

Change also the key name:

After that, we need to generate the Diffie-Hellman parameters. Beware, this can take several minutes…

Now, let’s initialise the PKI (beware of the double . in front of /vars).
This last command builds the certificate authority (CA) by invoking an interactive OpenSSL command. The output will prompt you to confirm the DN (Distinguished Name) variables that were entered earlier into the Easy-RSA’s variable file (country name, organisation, etc.). When building the CA, simply press ENTER to pass through each prompt:

cd /etc/openvpn/easy-rsa
. ./vars
./clean-all
./build-ca

Generate a Certificate and Key for the Server

Press ENTER the whole way. Unless it asks for y/n. Answer y.

The output should finish with:

OpenVPN expects to see the server’s CA, certificate and key in /etc/openvpn. Let’s copy them into the proper location:

Voila! OpenVPN server is ready to go. Start it and check the status:

The status command should return: “VPN ‘server’ is running”.

Generate Certificates and Keys for client server

As stated before, our client server name is server2 (we’ll need to repeat this procedure for each client server):

Again press ENTER the whole way. Unless it asks for y/n. Answer y.

The example client configuration file should be copied to the Easy-RSA key directory. We’ll use it as a template which will be downloaded to client servers for editing. We need to change the name of the example file from client.conf to client.ovpn because the .ovpn file extension is what the clients will expect to have.

Creating the unified profile

Our client server will need those files transfered to him:

/etc/openvpn/easy-rsa/keys/server2.crt
/etc/openvpn/easy-rsa/keys/server2.key
/etc/openvpn/easy-rsa/keys/client.ovpn (the same for all clients)
/etc/openvpn/ca.crt (the same for all clients)

Some files are specific to each client, some others are the same for all.
The easiest way to transfer all what the server client needs, is to create a unified profile. It’s a file (we’ll named it  client.ovpn) containing all the infos available in all the above mentioned files.

First, let’s edit this file: /etc/openvpn/easy-rsa/keys/client.ovpn.
Change here the IP and name to match your VPN server (server1):

As for the server uncomment this:

As we’ll include all the client’s files in the client.ovpn file, we need to comment those lines:

To include the client’s files into this one unified profile, the contents of the ca.crt, server2.crt, and server2.key files are pasted directly into it using a basic XML-like syntax.
First create this structure at the end of the client.ovpn file and insert the mentioned files in between tags:

On the client server side

First, you need to SCP the client.ovpn file from server1 to the client server server2.
Then on server2 we install OpenVPN:

Now, move the file client.ovpn to /etc/openvpn and rename it into .conf :

Renaming into .conf will make the VPN connection to server1 to start at boot time automatically.

You can start it manually running:

Voila. You should now see on server2 a new interface used for the VPN:

Same on server1:

Reboot server2. The connection should go up again without your intervention.

Bravo! You have now 2 servers connected to each other via a VPN tunnel 🙂