From Netsoc Wiki

There is an instance of OpenVPN running on the LDAP VM on cube. Its purpose is to encrypt traffic from the other Netsoc machines to the LDAP server, so that LDAP binds and queries do not cross the network in the clear.

It can be reached (from a connected machine) on vpn.ldap.netsoc.tcd.ie

Key setup

There are two separate CAs (certificates are what gets signed; the .key files are the corresponding private keys):

ca.crt is a self-signed CA certificate (private key ca.key)
server.crt, the certificate of the OpenVPN server on the LDAP VM, is signed by ca.key

clientca.crt is a second, separate self-signed CA (private key clientca.key)
all client certificates are signed with clientca.key

To add a new server (a Netsoc machine that will connect to the VPN as a client)

Create a new private key

openssl genrsa -out newserver.key 4096

Create a certificate signing request

openssl req -new -key newserver.key -out newserver.csr

Use the following values when it prompts you: C=IE, ST=DUB, L=Dublin, O=DUIS, CN=newserver, emailAddress=ops@netsoc.tcd.ie (use the machine's name as the CN)

Sign the request with the client CA

openssl x509 -req -days 3650 -in newserver.csr -CA clientca.crt -CAkey clientca.key -set_serial 01 -out newserver.crt

Note that -set_serial 01 gives every certificate issued this way the same serial number. Certificates issued by one CA must have distinct serials (a CRL cannot tell duplicates apart and some TLS stacks reject them), so either increment the serial by hand for each new machine or replace -set_serial 01 with -CAcreateserial, which keeps a counter in clientca.srl next to the CA files.

clientca.key is on spoon in /root/ldap-openvpn-keys

Copy the files to newserver:/etc/openvpn/keys

Needed files:

  • newserver.key (keep it mode 0600, owned by root; it is read before OpenVPN drops privileges)
  • newserver.crt
  • ta.key from ldap.netsoc.tcd.ie:/etc/openvpn/keys
  • bothcas.pem from ldap.netsoc.tcd.ie:/etc/openvpn/keys
    • Contains the certificates of both CAs (ca.crt and clientca.crt concatenated)
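The key, CSR, signing and bundling steps above as one non-interactive script, together with the checks worth running before the files are copied to newserver:/etc/openvpn/keys. This is an added example, not a script from the Netsoc wiki or the LDAP VM: the directory arguments, the make_test_ca helper (which stands in for the real ca.key/clientca.key on spoon) and the use of -CAcreateserial instead of -set_serial 01 are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the Netsoc wiki): the "add a new server" key steps
# as a script, plus pre-deployment checks. Directory arguments and the
# make_test_ca helper are assumptions so that the script runs stand-alone.
set -eu

SUBJ_PREFIX="/C=IE/ST=DUB/L=Dublin/O=DUIS"

# Self-signed test CA. Only here so the example can run without the real
# ca.key/clientca.key (which live on spoon in /root/ldap-openvpn-keys).
make_test_ca() {
    dir=$1 name=$2
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/$name.key" -days 3650 \
        -subj "$SUBJ_PREFIX/CN=$name" -out "$dir/$name.crt" 2>/dev/null
}

# The wiki's three steps for HOST: private key, CSR with the prescribed
# subject, certificate signed by clientca. -CAcreateserial keeps a counter
# in clientca.srl so every certificate gets a distinct serial number,
# unlike a fixed -set_serial 01. BITS defaults to the wiki's 4096.
issue_client_cert() {
    ca_dir=$1 out_dir=$2 host=$3 bits=${4:-4096}
    openssl genrsa -out "$out_dir/$host.key" "$bits" 2>/dev/null
    openssl req -new -key "$out_dir/$host.key" \
        -subj "$SUBJ_PREFIX/CN=$host/emailAddress=ops@netsoc.tcd.ie" \
        -out "$out_dir/$host.csr" 2>/dev/null
    openssl x509 -req -days 3650 -in "$out_dir/$host.csr" \
        -CA "$ca_dir/clientca.crt" -CAkey "$ca_dir/clientca.key" \
        -CAserial "$ca_dir/clientca.srl" -CAcreateserial \
        -out "$out_dir/$host.crt" 2>/dev/null
}

# bothcas.pem is the two CA certificates concatenated; it is the file the
# client config's "ca" line points at.
make_bothcas() {
    ca_dir=$1 out_dir=$2
    cat "$ca_dir/ca.crt" "$ca_dir/clientca.crt" > "$out_dir/bothcas.pem"
}

cert_serial() {
    openssl x509 -noout -serial -in "$1"
}

# Pre-deployment checks: the certificate chains to one of the trusted CAs,
# it matches the private key it will be installed beside, and its CN is the
# host that was asked for. Returns non-zero on the first failure.
verify_client_cert() {
    out_dir=$1 host=$2
    openssl verify -CAfile "$out_dir/bothcas.pem" "$out_dir/$host.crt" >/dev/null 2>&1 || return 1
    crt_mod=$(openssl x509 -noout -modulus -in "$out_dir/$host.crt")
    key_mod=$(openssl rsa -noout -modulus -in "$out_dir/$host.key" 2>/dev/null)
    [ "$crt_mod" = "$key_mod" ] || return 1
    openssl x509 -noout -subject -in "$out_dir/$host.crt" | grep -q "CN *= *$host" || return 1
}

# Usage with the test CAs (commented out so the file can be sourced):
# WORK=$(mktemp -d); make_test_ca "$WORK" ca; make_test_ca "$WORK" clientca
# issue_client_cert "$WORK" "$WORK" newserver; make_bothcas "$WORK" "$WORK"
# verify_client_cert "$WORK" newserver && echo "newserver: OK"
```

On the real system, point ca_dir at the directory holding clientca.crt/clientca.key and skip make_test_ca; the verify_client_cert checks are the ones to run before copying newserver.key and newserver.crt over, since a certificate that does not chain to bothcas.pem or does not match its key will only fail later, in the OpenVPN log on the LDAP VM.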

Config file

This is the OpenVPN client config on the new server; the cert and key names match the files created above.

# TLS client mode: ca, cert and key are only accepted in TLS mode
client
dev tun
port 1194
proto udp

remote ldap.netsoc.tcd.ie 1194

# contains both ca.crt and clientca.crt
ca              /etc/openvpn/keys/bothcas.pem

cert            /etc/openvpn/keys/newserver.crt
key             /etc/openvpn/keys/newserver.key
# the client end of ta.key uses direction 1, the server end direction 0
tls-auth        /etc/openvpn/keys/ta.key 1

cipher AES-256-CBC

user nobody
group nobody

# keep the key and tun device open across reconnects: once openvpn has
# dropped to nobody and entered the chroot it cannot reopen them
persist-key
persist-tun

# create this dir if it doesn't exist
chroot /etc/openvpn/jail

You may need to create the group nobody.

Because bothcas.pem makes the client trust certificates from clientca as well as from ca, a certificate issued to any client would also pass the client's check of the server's certificate. If server.crt was issued with the server extendedKeyUsage or nsCertType extension, add "remote-cert-tls server" to the config so that only a certificate marked as a server is accepted for ldap.netsoc.tcd.ie.

Restart openvpn

/etc/init.d/openvpn restart


Sometimes, if the OpenVPN server goes down for a while, the client needs a kick when it comes back up.
Save the following as /etc/cron.hourly/vpn-keepalive and make it executable (run-parts only runs executable files whose names contain no dots):

#!/bin/sh
# restart the client if the LDAP server's VPN address does not answer a ping
if ! ping -c 1 vpn.ldap.netsoc.tcd.ie > /dev/null 2>&1; then
  /etc/init.d/openvpn restart
fi