OpenVPN on Raspberry Pi 2

-rwxr-xr-x 1 root root   119 Mar 27  2016 build-ca
-rwxr-xr-x 1 root root   352 Mar 27  2016 build-dh
-rwxr-xr-x 1 root root   188 Mar 27  2016 build-inter
-rwxr-xr-x 1 root root   163 Mar 27  2016 build-key
-rwxr-xr-x 1 root root   157 Mar 27  2016 build-key-pass
-rwxr-xr-x 1 root root   249 Mar 27  2016 build-key-pkcs12
-rwxr-xr-x 1 root root   268 Mar 27  2016 build-key-server
-rwxr-xr-x 1 root root   213 Mar 27  2016 build-req
-rwxr-xr-x 1 root root   158 Mar 27  2016 build-req-pass
-rwxr-xr-x 1 root root   449 Mar 27  2016 clean-all
-rwxr-xr-x 1 root root  1471 Mar 27  2016 inherit-inter
drwx------ 2 pi   pi    4096 Feb 17 20:46 keys
-rwxr-xr-x 1 root root   302 Mar 27  2016 list-crl
-rw-r--r-- 1 root root  7859 Mar 27  2016 openssl-0.9.6.cnf
-rw-r--r-- 1 root root  8416 Mar 27  2016 openssl-0.9.8.cnf
-rw-r--r-- 1 root root  8313 Mar 27  2016 openssl-1.0.0.cnf
-rwxr-xr-x 1 root root 13246 Mar 27  2016 pkitool
-rwxr-xr-x 1 root root  1035 Mar 27  2016 revoke-full
-rwxr-xr-x 1 root root   178 Mar 27  2016 sign-req
-rw-r--r-- 1 root root  2076 Mar 27  2016 vars
-rwxr-xr-x 1 root root   740 Mar 27  2016 whichopensslcnf

Writing up now, I'm confused about why I'd set the keys directory to "pi" owner/group; it isn't like that by the time I finish. Anyway: it looks like I set this instance up not that long ago, in March 2016, but I've already lost the notes. 🙁 (Losing notes is a major contributing factor to creating this blog; it helps combat those existential crises where I feel rather like the falling tree that nobody hears.)

This dedicated Pi runs on a UPS battery set-up I taped together, and the first thing I had to deal with was a full disk, so I set up a low-disk-space alert.

  • A VPN is desirable because it lets me reduce the Internet-facing attack surface of private services, e.g. remote control, APIs, sensitive IoT MQTT, etc.
  • A VPN is desirable for times when I have no 3G/4G signal on my phone and need to use public WiFi
  • A VPN is desirable if I want to access services I pay for, e.g. Netflix, from abroad
  • I'll be using a VPN built into pfSense for full network access, with easier-to-set, highly granular control
  • The Pi is for off-loading streaming (including for friends) and safe browsing from public WiFi
  • I can partition it from the sensitive areas of my network
  • It uses very little electricity … e.g. usually less than 2W including battery electronics

A service I used for free DDNS (Dynamic DNS) was no-ip. My router had client updater software built in, and no-ip offered a free service that just needed a touch every 30 days. My ISP contract actually provides me with 5 usable IPv4 addresses, but I'm not sure of the technicalities of VPNs, or how I'd reach my internal networks if I gave the Pi one of the external static IP addresses. I imagine I'd have to manually push routes to the internal networks, which seemed like more hard work, as my networking and Linux knowledge is too basic. So it seemed easier to follow tutorials that use a NAT'd internal IP which the gateway router forwards to, usually from a dynamic public IP.

Unfortunately something strange occurred with my no-ip account where the hostname I used no longer appeared in my account. Trying to reestablish it just raised error messages saying it was already in use. I suspect an error on no-ip’s side of things, but as it was a free service I felt too ashamed to challenge them on it. That left me looking at the Pi, without notes, trying to remember how making new .ovpn files (with a new DDNS domain) worked. Hmmm.

Before I continued, I decided to purchase an enhanced package with no-ip (about £25 I think it was) for the year, and chose a new host/domain. But then I made a CNAME on dyndns where I manage my xarta domains (pointed to by 1and1) as I have a lifetime free account on there (long story) so that vpn.xarta.co.uk can be set to whatever DDNS I’m using. (dyndns looked more expensive and complicated for Dynamic DNS ironically and didn’t permit PayPal payments which is why I stuck with no-ip). So at least I don’t have to remake VPN .ovpn files if my DDNS changes in the future.

Next I considered my options:

I figured I'll go the repair route, which might help me understand the pre-scripted route when I inevitably switch at some point in the future (or set up an Ubuntu Server VM as a backup VPN server, maybe in the nearer future). OpenVPN is of course already installed on the Pi, but I updated/upgraded everything first. Then I just followed the instructions from Mel Grubb:

...

pi@raspVPN:/etc/openvpn/easy-rsa $ sudo nano /etc/openvpn/easy-rsa/vars



# easy-rsa parameter settings

# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.

# This variable should point to
# the top level of the easy-rsa
# tree.
export EASY_RSA="/etc/openvpn/easy-rsa"

#
# This variable should point to
# the requested executables
#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"


# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR="$EASY_RSA/keys"

# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

# PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"

# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=2048

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
export KEY_EXPIRE=3650

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="UK"
export KEY_PROVINCE="CHESHIRE"
export KEY_CITY="STOCKPORT"
export KEY_ORG="XARTA"
export KEY_EMAIL="admin@xarta.co.uk"
export KEY_OU="security"

# X509 Subject Field
export KEY_NAME="EasyRSAkeyFile"


pi@raspVPN:/etc/openvpn/easy-rsa $ sudo su
root@raspVPN:/etc/openvpn/easy-rsa#   source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
root@raspVPN:/etc/openvpn/easy-rsa#   ./clean-all
root@raspVPN:/etc/openvpn/easy-rsa#   ./build-ca
Generating a 2048 bit RSA private key
.....+++
..+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [UK]:
State or Province Name (full name) [CHESHIRE]:
Locality Name (eg, city) [STOCKPORT]:
Organization Name (eg, company) [XARTA]:
Organizational Unit Name (eg, section) [security]:VPN
Common Name (eg, your name or your server's hostname) [XARTA CA]:vpn.xarta.co.uk
Name [EasyRSAkeyFile]:EasyRSAkeyFileCA
Email Address [admin@xarta.co.uk]:


root@raspVPN:/etc/openvpn/easy-rsa#   ./build-key-server vpn.xarta.co.uk
Generating a 2048 bit RSA private key
....................................................................+++
.........................................+++
writing new private key to 'vpn.xarta.co.uk.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [UK]:
State or Province Name (full name) [CHESHIRE]:
Locality Name (eg, city) [STOCKPORT]:
Organization Name (eg, company) [XARTA]:
Organizational Unit Name (eg, section) [security]:VPN
Common Name (eg, your name or your server's hostname) [vpn.xarta.co.uk]:
Name [EasyRSAkeyFile]:EasyRSAKeyFileServer
Email Address [admin@xarta.co.uk]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'UK'
stateOrProvinceName   :PRINTABLE:'CHESHIRE'
localityName          :PRINTABLE:'STOCKPORT'
organizationName      :PRINTABLE:'XARTA'
organizationalUnitName:PRINTABLE:'VPN'
commonName            :PRINTABLE:'vpn.xarta.co.uk'
name                  :PRINTABLE:'EasyRSAKeyFileServer'
emailAddress          :IA5STRING:'admin@xarta.co.uk'
Certificate is to be certified until Feb 16 20:36:10 2027 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

root@raspVPN:/etc/openvpn/easy-rsa#   ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..... BLAH BLAH BLAH ^10

root@raspVPN:/etc/openvpn/easy-rsa#   openvpn --genkey --secret keys/ta.key
root@raspVPN:/etc/openvpn/easy-rsa#   nano /etc/openvpn/server.conf


#local 192.168.1.120 # RASPBERRY PI IP ### commented out: binding to it causes an error at boot, even with a late OpenVPN start-up ###
dev tun
proto udp
port 1194

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/vpn.xarta.co.uk.crt # SERVER NAME
key /etc/openvpn/easy-rsa/keys/vpn.xarta.co.uk.key  # SERVER NAME

dh /etc/openvpn/easy-rsa/keys/dh2048.pem # AS SET PREV WHEN GENERATING

server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2

# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"

# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"

# your local subnet
push "route 192.168.1.0 255.255.255.0" # RASPBERRY PI SUBNET

# Set primary domain name server address to the SOHO Router
# If your router does not do DNS, you can use Google DNS 8.8.8.8
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 8.8.8.8"

# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
# push "redirect-gateway def1"
push "redirect-gateway def1 bypass-dhcp"

client-to-client

duplicate-cn

keepalive 10 120

tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0

cipher AES-128-CBC

comp-lzo

user nobody

group nogroup

persist-key

persist-tun

status /var/log/openvpn-status.log 20

log /var/log/openvpn.log

verb 4

root@raspVPN:/etc/openvpn/easy-rsa/#  nano /etc/sysctl.conf

#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3

##############################################################3
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1


###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#


root@raspVPN:/etc/openvpn/easy-rsa#  sysctl -p
net.ipv4.ip_forward = 1

root@raspVPN:/etc/openvpn/easy-rsa#  nano /etc/firewall-openvpn-rules.sh

#!/bin/sh
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.1.120

root@raspVPN:/etc/openvpn/easy-rsa#  chmod 700 /etc/firewall-openvpn-rules.sh
root@raspVPN:/etc/openvpn/easy-rsa#  chown root /etc/firewall-openvpn-rules.sh
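The script above only adds the SNAT rule, so the FORWARD chain keeps its default ACCEPT policy and VPN clients can reach everything the Pi can reach. The following is an added example, not the post's script and not Mel Grubb's: it keeps the page's SNAT rule and adds FORWARD rules so clients get out via eth0 but cannot reach one subnet, which is the "partition it from the sensitive areas of my network" point in the bullet list. The interface name `tun0` is an assumption (OpenVPN's default for `dev tun`), `SENSITIVE_NET` is a placeholder, and `--apply` needs root.

```shell
#!/bin/sh
# Added example (not the post's own /etc/firewall-openvpn-rules.sh): same SNAT
# rule as the page, plus FORWARD rules so VPN clients cannot reach one subnet.
# Assumptions: OpenVPN's interface is tun0; SENSITIVE_NET is a placeholder.

VPN_NET="10.8.0.0/24"            # server.conf on the page: server 10.8.0.0 255.255.255.0
LAN_IF="eth0"                    # from the page's SNAT rule
LAN_IP="192.168.1.120"           # the Pi's address, from the page
SENSITIVE_NET="192.168.50.0/24"  # ASSUMED placeholder: what clients must not reach
VPN_IF="tun0"                    # ASSUMED: OpenVPN's default name for 'dev tun'

# Emit the rules as text. Flushing first keeps the pre-up hook idempotent:
# ifup re-runs it, and -A alone would append duplicate rules each time.
# Order matters: the DROP for the sensitive subnet must precede the ACCEPT.
render_rules() {
    cat <<EOF
iptables -t nat -F POSTROUTING
iptables -F FORWARD
iptables -t nat -A POSTROUTING -s $VPN_NET -o $LAN_IF -j SNAT --to-source $LAN_IP
iptables -A FORWARD -i $VPN_IF -s $VPN_NET -d $SENSITIVE_NET -j DROP
iptables -A FORWARD -i $VPN_IF -s $VPN_NET -o $LAN_IF -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# Number of rules emitted (used by the checks below).
count_rules() { render_rules | wc -l | tr -d ' '; }

# Run the rules in a shell that stops at the first failure (needs root).
apply_rules() { render_rules | sh -e; }

# Default is a dry run that just prints the rules; pre-up should pass --apply.
case "${1:-}" in
    --apply) apply_rules ;;
    *)       render_rules ;;
esac
```

To use it in place of the page's script, the interfaces line becomes `pre-up /etc/firewall-openvpn-rules.sh --apply`; running it without arguments just prints what would be applied. Note that `client-to-client` traffic is switched inside OpenVPN and never hits the FORWARD chain, so these rules do not isolate VPN clients from each other.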

root@raspVPN:/etc/openvpn/easy-rsa#  nano /etc/network/interfaces

# interfaces(5) file used by ifup(8) and ifdown(8)

# Please note that this file is written to be used with dhcpcd
# For static IP, consult /etc/dhcpcd.conf and 'man dhcpcd.conf'

# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual
        pre-up /etc/firewall-openvpn-rules.sh

allow-hotplug wlan0
iface wlan0 inet manual
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

allow-hotplug wlan1
iface wlan1 inet manual
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

root@raspVPN:/etc/openvpn/easy-rsa#  ###ADDED LINE FEB 2017: After=multi-user.target####
root@raspVPN:/etc/openvpn/easy-rsa#  nano /lib/systemd/system/openvpn@.service

[Unit]
Description=OpenVPN connection to %i
PartOf=openvpn.service
ReloadPropagatedFrom=openvpn.service
After=multi-user.target

[Service]
Type=forking
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/op$
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn

[Install]
WantedBy=multi-user.target

login as: pi
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
Verification code:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Feb 18 23:46:47 2017
pi@raspVPN:~ $ sudo su
root@raspVPN:/home/pi# cd /etc/openvpn/easy-rsa
root@raspVPN:/etc/openvpn/easy-rsa#   source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
root@raspVPN:/etc/openvpn/easy-rsa#   ./build-key-pass note4
Generating a 2048 bit RSA private key
...................................+++
...........+++
writing new private key to 'note4.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [UK]:
State or Province Name (full name) [CHESHIRE]:
Locality Name (eg, city) [STOCKPORT]:
Organization Name (eg, company) [XARTA]:
Organizational Unit Name (eg, section) [security]:VPN
Common Name (eg, your name or your server's hostname) [note4]:
Name [EasyRSAkeyFile]:
Email Address [admin@xarta.co.uk]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'UK'
stateOrProvinceName   :PRINTABLE:'CHESHIRE'
localityName          :PRINTABLE:'STOCKPORT'
organizationName      :PRINTABLE:'XARTA'
organizationalUnitName:PRINTABLE:'VPN'
commonName            :PRINTABLE:'note4'
name                  :PRINTABLE:'EasyRSAkeyFile'
emailAddress          :IA5STRING:'admin@xarta.co.uk'
Certificate is to be certified until Feb 16 23:54:25 2027 GMT (3650 days)
Sign the certificate? [y/n]:Y


1 out of 1 certificate requests certified, commit? [y/n]Y
Write out database with 1 new entries
Data Base Updated
root@raspVPN:/etc/openvpn/easy-rsa#   cd keys
root@raspVPN:/etc/openvpn/easy-rsa/keys#  openssl rsa -in note4.key -des3 -out note4.3des.key
Enter pass phrase for note4.key:
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:


root@raspVPN:/etc/openvpn/easy-rsa/keys# nano /etc/openvpn/easy-rsa/keys/MakeOVPN.sh


#!/bin/bash

### BLANK: PASTE FROM melgrubb.com/2016/12/11/rphs-v2-openvpn/
### ./clean-all will get rid of this file too!!!

# The .ovpn bundles a private key, so make sure it is created owner-only
umask 077

# Default Variable Declarations
DEFAULT="Default.txt"
FILEEXT=".ovpn"
CRT=".crt"
KEY=".3des.key"
CA="ca.crt"
TA="ta.key"

#Ask for a Client name
echo "Please enter an existing Client Name:"
read -r NAME

#1st Verify that client's Public Key Exists
if [ ! -f "$NAME$CRT" ]; then
echo "[ERROR]: Client Public Key Certificate not found: $NAME$CRT"
exit 1
fi
echo "Client's cert found: $NAME$CRT"

#Then, verify that there is a private key for that client
if [ ! -f "$NAME$KEY" ]; then
echo "[ERROR]: Client 3des Private Key not found: $NAME$KEY"
exit 1
fi
echo "Client's Private Key found: $NAME$KEY"

#Confirm the CA public key exists
if [ ! -f "$CA" ]; then
echo "[ERROR]: CA Public Key not found: $CA"
exit 1
fi
echo "CA public Key found: $CA"

#Confirm the tls-auth ta key file exists
if [ ! -f "$TA" ]; then
echo "[ERROR]: tls-auth Key not found: $TA"
exit 1
fi
echo "tls-auth Private Key found: $TA"

#Confirm the template of client directives exists
if [ ! -f "$DEFAULT" ]; then
echo "[ERROR]: Default client config not found: $DEFAULT"
exit 1
fi

#Ready to make a new .ovpn file - Start by populating with the default file
cat "$DEFAULT" > "$NAME$FILEEXT"

#Now, append the CA Public Cert
echo "<ca>" >> "$NAME$FILEEXT"
cat "$CA" >> "$NAME$FILEEXT"
echo "</ca>" >> "$NAME$FILEEXT"

#Next append the client Public Cert (only the PEM block, not the text dump above it)
echo "<cert>" >> "$NAME$FILEEXT"
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$NAME$CRT" >> "$NAME$FILEEXT"
echo "</cert>" >> "$NAME$FILEEXT"

#Then, append the client Private Key
echo "<key>" >> "$NAME$FILEEXT"
cat "$NAME$KEY" >> "$NAME$FILEEXT"
echo "</key>" >> "$NAME$FILEEXT"

#Finally, append the TA Private Key
echo "<tls-auth>" >> "$NAME$FILEEXT"
cat "$TA" >> "$NAME$FILEEXT"
echo "</tls-auth>" >> "$NAME$FILEEXT"

echo "Done! $NAME$FILEEXT Successfully Created."


root@raspVPN:/etc/openvpn/easy-rsa/keys# chmod 700 /etc/openvpn/easy-rsa/keys/MakeOVPN.sh

root@raspVPN:/etc/openvpn/easy-rsa/keys# nano /etc/openvpn/easy-rsa/keys/Default.txt

client
dev tun
proto udp
remote vpn.xarta.co.uk 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1 
cipher AES-128-CBC
comp-lzo
verb 1
mute 20

root@raspVPN:/etc/openvpn/easy-rsa/keys#  ./MakeOVPN.sh
Please enter an existing Client Name:
note4
Client's cert found: note4
Client's Private Key found: note4.3des.key
CA public Key found: ca.crt
tls-auth Private Key found: ta.key
Done! note4.ovpn Successfully Created.
root@raspVPN:/etc/openvpn/easy-rsa/keys#
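A check I would run over both the server.conf above and every .ovpn that MakeOVPN.sh produces, as an added example that is not the post's code or Mel Grubb's: it flags the directives used on this page that have known weaknesses (`ns-cert-type` is deprecated in favour of `remote-cert-tls server`, `comp-lzo` exposes the tunnel to compression side channels such as VORACLE, `cipher AES-128-CBC` is not an AEAD cipher, `duplicate-cn` removes per-device revocation, and a server without `crl-verify` never consults the CRL that `./revoke-full` writes), then checks a client bundle for exactly one of each inline block and for an encrypted `<key>`. It needs only a POSIX shell, grep and sed; the two sample files are constructed from the page's Default.txt and server.conf with fake PEM contents.

```shell
#!/bin/sh
# Added example, not the post's code or Mel Grubb's: read-only audit of an
# OpenVPN config (server.conf or a client .ovpn from MakeOVPN.sh). Needs only
# a POSIX shell, grep and sed. Sample inputs below are constructed, not real.

# Print one finding per line for FILE; always exits 0 so it can be captured.
audit_ovpn() {
    f="$1"
    # Directive checks (facts about OpenVPN, independent of this setup).
    grep -q '^ns-cert-type' "$f" && echo "ns-cert-type is deprecated: use 'remote-cert-tls server'"
    grep -q '^comp-lzo' "$f" && echo "comp-lzo: compression can leak secrets (VORACLE); leave compression off"
    grep -q '^cipher AES-128-CBC' "$f" && echo "cipher AES-128-CBC: prefer an AEAD cipher such as AES-256-GCM"
    grep -q '^duplicate-cn' "$f" && echo "duplicate-cn: devices may share one cert, so revoking it hits all of them"
    grep -q '^tls-version-min' "$f" || echo "no tls-version-min: add 'tls-version-min 1.2'"
    # Server-only: ./revoke-full is pointless unless the server loads the CRL.
    if grep -q '^server ' "$f" && ! grep -q '^crl-verify' "$f"; then
        echo "server has no crl-verify: revoked client certs would still be accepted"
    fi
    # Client bundle checks: each inline block once, and the key must be encrypted.
    if grep -q '^<ca>' "$f"; then
        for tag in ca cert key tls-auth; do
            opens=$(grep -c "^<$tag>" "$f" || true)
            closes=$(grep -c "^</$tag>" "$f" || true)
            [ "$opens" -eq 1 ] && [ "$closes" -eq 1 ] || echo "inline <$tag>: expected one open/close pair, got $opens/$closes"
        done
        keyblk=$(sed -n '/^<key>/,/^<\/key>/p' "$f")
        if ! printf '%s\n' "$keyblk" | grep -q '^Proc-Type: 4,ENCRYPTED'; then
            echo "<key> is unencrypted: whoever gets the .ovpn can connect"
        elif printf '%s\n' "$keyblk" | grep -q 'DEK-Info: DES-EDE3-CBC'; then
            echo "<key> is 3DES-wrapped (openssl rsa -des3): re-wrap with -aes256"
        fi
    fi
    return 0
}

# Number of findings for FILE.
count_findings() { audit_ovpn "$1" | wc -l | tr -d ' '; }

# Constructed client bundle: the page's Default.txt plus fake inline blocks.
write_sample_bundle() {
    cat >"$1" <<'EOF'
client
remote vpn.xarta.co.uk 1194
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
FAKE-CA-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
FAKE-CLIENT-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

FAKE-KEY-NOT-A-REAL-KEY
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
FAKE-TA-NOT-A-REAL-KEY
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
}

# Constructed server config: the relevant lines of the page's server.conf.
write_sample_server() {
    cat >"$1" <<'EOF'
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
client-to-client
duplicate-cn
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
EOF
}

# Stand-alone demo over the two constructed samples.
tmp=$(mktemp)
write_sample_bundle "$tmp"; echo "== client bundle =="; audit_ovpn "$tmp"
write_sample_server "$tmp"; echo "== server.conf =="; audit_ovpn "$tmp"
rm -f "$tmp"
```

Run it against a real file with `audit_ovpn /etc/openvpn/server.conf` or `audit_ovpn note4.ovpn` (after sourcing the script); it never modifies anything. The `crl-verify` finding is the one I would fix first on this setup: a phone that goes missing can have its certificate revoked with `./revoke-full`, but the server only refuses it once `crl-verify /etc/openvpn/easy-rsa/keys/crl.pem` is in server.conf.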

The OpenSSL version (built for Raspbian Jessie in Jan 2017) seems a little old … from May last year. From a quick investigation I couldn't see any major severe issues to worry about right now, but I'll probably look at building it myself or sourcing it from another repository to obtain a more up-to-date copy, after which I might have to redo all of the above.

Meanwhile, I'll isolate here, for my convenience, just the steps required to set up a new client .ovpn.

...

login as: pi
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
Verification code:

Last login: Sun Feb 19 09:43:09 2017 from 192.168.1.105
pi@raspVPN:~ $ sudo su
root@raspVPN:/home/pi# cd /etc/openvpn/easy-rsa
root@raspVPN:/etc/openvpn/easy-rsa# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
root@raspVPN:/etc/openvpn/easy-rsa# ./build-key-pass dell1515
Generating a 2048 bit RSA private key
........................+++
...........................+++
writing new private key to 'dell1515.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [UK]:
State or Province Name (full name) [CHESHIRE]:
Locality Name (eg, city) [STOCKPORT]:
Organization Name (eg, company) [XARTA]:
Organizational Unit Name (eg, section) [security]:VPN
Common Name (eg, your name or your server's hostname) [dell1515]:
Name [EasyRSAkeyFile]:
Email Address [admin@xarta.co.uk]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'UK'
stateOrProvinceName   :PRINTABLE:'CHESHIRE'
localityName          :PRINTABLE:'STOCKPORT'
organizationName      :PRINTABLE:'XARTA'
organizationalUnitName:PRINTABLE:'VPN'
commonName            :PRINTABLE:'dell1515'
name                  :PRINTABLE:'EasyRSAkeyFile'
emailAddress          :IA5STRING:'admin@xarta.co.uk'
Certificate is to be certified until Feb 17 12:16:07 2027 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root@raspVPN:/etc/openvpn/easy-rsa# cd keys
root@raspVPN:/etc/openvpn/easy-rsa/keys# openssl rsa -in dell1515.key -des3 -out dell1515.3des.key
Enter pass phrase for dell1515.key:
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
root@raspVPN:/etc/openvpn/easy-rsa/keys# ./MakeOVPN.sh
Please enter an existing Client Name:
dell1515
Client's cert found: dell1515
Client's Private Key found: dell1515.3des.key
CA public Key found: ca.crt
tls-auth Private Key found: ta.key
Done! dell1515.ovpn Successfully Created.
root@raspVPN:/etc/openvpn/easy-rsa/keys#

Then I just copy the .ovpn file temporarily to my Pi desktop so that I can scp it to my Windows machine to put in LastPass, and to deploy to the intended client device / person (sharing it temporarily on Google Drive if necessary).

NB: for normal use I set this Pi to be headless with raspi-config, though I can always use a virtual server with VNC of course, or just switch the setting back to Desktop for VNC Server as required.

TODO: Look at using Dnsmasq and forwarding DNS requests over the VPN.
TODO: Investigate using the Google Authenticator pam_google_authenticator.so etc. with OpenVPN?
TODO: unattended update/upgrade
TODO: better monitoring/alert instrumentation. I want to do my own of course, but in a chicken & egg situation it’s better to have something rather than nothing/pending. I hate “wasting” my time on IT that might just become obsolete or which I only need rarely but in this case I might look at something like Nagios for monitoring/reporting/alerting on my servers including this OpenVPN server. e.g.