OpenVPN Installation#
last update 2025/10/19
Summary#
Documents#
environment#
| OS | apache |
|---|---|
| AlmaLinux 9 | 2.4.62 |
Installation#
install#
# set up IP forwarding
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p
# raise the default certificate and CRL lifetimes in openssl.cnf to 3650 days
sed -i -e 's/default_days = 365/default_days = 3650/' /etc/pki/tls/openssl.cnf
sed -i -e 's/default_crl_days= 30/default_crl_days= 3650/' /etc/pki/tls/openssl.cnf
# openvpn install
dnf -y install openvpn easy-rsa
export EASYRSA_CA_EXPIRE=7300
wget https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod 700 ./openvpn-install.sh
./openvpn-install.sh
# answers entered at the installer's prompts:
IP address: <server IP address>
Do you want to enable IPv6 support (NAT)? [y/n]: n
Port choice [1-3]: 1
Protocol [1-2]: 1
DNS [1-12]: 3
Enable compression? [y/n]: n
Customize encryption settings? [y/n]: n
Press any key to continue... return
Client name: cli_<client name>
Select an option [1-2]: 1
# copy key pair
cp -p /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/server/
cp -p /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/server/
cp -p /etc/openvpn/easy-rsa/pki/private/ca.key /etc/openvpn/server/
cp -p /etc/openvpn/tls-crypt.key /etc/openvpn/server/
cp -p /etc/openvpn/ipp.txt /etc/openvpn/server/
cp -p /etc/openvpn/easy-rsa/pki/private/server_*.key /etc/openvpn/server/
cp -p /etc/openvpn/easy-rsa/pki/issued/server_*.crt /etc/openvpn/server/
cp -p /etc/openvpn/easy-rsa/pki/issued/cli_*.crt /etc/openvpn/client/
cp -p /etc/openvpn/easy-rsa/pki/private/cli_*.key /etc/openvpn/client/
cp -p /etc/openvpn/crl.pem /etc/openvpn/client/
echo 'log /var/log/openvpn/openvpn.log' >> /etc/openvpn/server.conf
echo 'log-append /var/log/openvpn/openvpn-append.log' >> /etc/openvpn/server.conf
# optional: allow concurrent connections that use the same client certificate (duplicate-cn)
echo '' >> /etc/openvpn/server.conf
echo 'duplicate-cn' >> /etc/openvpn/server.conf
reboot#
# start openvpn
systemctl restart openvpn-server@server.service
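The install steps above copy ca.key into /etc/openvpn/server/ and optionally turn on duplicate-cn. The following shell audit flags both conditions, plus a missing crl-verify and over-permissive key files. It is an added example, not part of the original page or of the openvpn-install project; the function names audit_openvpn and demo, the finding texts and the fixture files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Prints one finding per line
# and returns 1 if anything was flagged, 0 otherwise.
audit_openvpn() {
    conf=$1 dir=$2 found=0
    report() { printf '%s\n' "$1"; found=1; }

    # duplicate-cn lets a copied client certificate stay connected alongside
    # its legitimate owner instead of displacing that session.
    if grep -Eq '^[[:space:]]*duplicate-cn([[:space:]]|$)' "$conf"; then
        report "duplicate-cn: one client certificate may hold several sessions"
    fi

    # Without crl-verify the server never consults crl.pem.
    if ! grep -Eq '^[[:space:]]*crl-verify[[:space:]]' "$conf"; then
        report "crl-verify missing: revoked certificates are still accepted"
    fi

    # The CA private key can sign new certificates; the server does not use it.
    if [ -e "$dir/ca.key" ]; then
        report "ca.key present: CA signing key is stored with the server keys"
    fi

    # Private keys must not be readable by group or other.
    for f in "$dir"/*.key; do
        [ -f "$f" ] || continue
        if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \))" ]; then
            report "$(basename "$f"): readable by group or other"
        fi
    done
    return "$found"
}

# Constructed fixture mirroring the files copied into /etc/openvpn/server.
demo() {
    d=$(mktemp -d)
    printf 'port 1194\ncrl-verify crl.pem\n\nduplicate-cn\n' > "$d/server.conf"
    : > "$d/ca.key" && chmod 600 "$d/ca.key"
    : > "$d/server_demo.key" && chmod 644 "$d/server_demo.key"
    audit_openvpn "$d/server.conf" "$d" && rc=0 || rc=1
    rm -rf "$d"
    return "$rc"
}

# Audit real paths when given CONF and DIR, otherwise run the demo.
if [ "$#" -eq 2 ]; then audit_openvpn "$1" "$2"; else demo || true; fi
```

On the server built by this page it would be run as `sh audit.sh /etc/openvpn/server.conf /etc/openvpn/server`, where audit.sh is whatever name the script was saved under.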
log rotation#
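# rotate the OpenVPN logs; postrotate restarts the unit started above so it reopens its log files
cat << __EOT__ > /etc/logrotate.d/openvpn
/var/log/openvpn/*.log {
    missingok
    notifempty
    sharedscripts
    delaycompress
    compress
    postrotate
        /bin/systemctl restart openvpn-server@server.service > /dev/null 2>&1 || true
    endscript
}
__EOT__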
.ovpn file modification#
Incidentally
Adjusting the client's MSS value can help stabilize communication.
Depending on the network that carries the OpenVPN tunnel, communication over the VPN may become unstable if packets are too large. In such cases you can avoid the issue with the mssfix directive, which tells TCP sessions running through the tunnel to limit their segment size so that the encapsulated UDP packets OpenVPN sends do not exceed the given number of bytes.
Check the MTU and MSS values#
Access the following URL#
Apply the obtained MTU and MSS values to the WireGuard configuration#
sed -i -e 's/verb 3/mssfix 1300\nverb 3/' cli_<client name>.ovpn