===== OpenVPN Access Server =====

{{tag>linux openvpn routing aws}}

==== Auto install with SSL Cert. ====

Launch an Amazon Linux 2 instance with the following user data. The Security Group will need to allow:

  * SSH (TCP:22)
  * HTTP (TCP:80)
  * HTTPS (TCP:443)
  * Admin (TCP:943)
  * OpenVPN (UDP:1194)

<code bash>
#!/bin/bash
# Install OpenVPN Access Server from the vendor repo, then certbot from EPEL.
yum -y install ncurses-compat-libs
yum -y install https://as-repository.openvpn.net/as-repo-centos7.rpm
yum -y install openvpn-as
yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum -y install certbot
# Obtain the certificate with the standalone challenge (needs TCP:80 reachable).
sudo certbot certonly -n -d VPN.DOMAIN.TLD --email hostmaster@DOMAIN.TLD --no-eff-email --agree-tos --standalone
# Replace the self-signed web certificate with symlinks into the Let's Encrypt live directory.
sudo systemctl stop openvpnas
sudo rm /usr/local/openvpn_as/etc/web-ssl/server.key
sudo rm /usr/local/openvpn_as/etc/web-ssl/server.crt
sudo rm /usr/local/openvpn_as/etc/web-ssl/ca.crt
sudo ln -s /etc/letsencrypt/live/VPN.DOMAIN.TLD/privkey.pem /usr/local/openvpn_as/etc/web-ssl/server.key
sudo ln -s /etc/letsencrypt/live/VPN.DOMAIN.TLD/cert.pem /usr/local/openvpn_as/etc/web-ssl/server.crt
sudo ln -s /etc/letsencrypt/live/VPN.DOMAIN.TLD/chain.pem /usr/local/openvpn_as/etc/web-ssl/ca.crt
sudo systemctl start openvpnas
# Import the files from web-ssl into the config database and apply.
sudo /usr/local/openvpn_as/scripts/sacli --import GetActiveWebCerts
sudo /usr/local/openvpn_as/scripts/sacli start
</code>

After install, SSH to the instance and set a password for the ''openvpn'' user:

<code bash>
sudo passwd openvpn
</code>

==== Configure auto renewal of SSL Cert ====

Create the script ''/home/ec2-user/cert_loader.sh'':

<code bash>
#!/bin/bash
# Load the renewed key, certificate and chain into the OpenVPN AS config database.
# server.key, server.crt and ca.crt are the symlinks created at install time, pointing
# at privkey.pem, cert.pem and chain.pem under /etc/letsencrypt/live/VPN.DOMAIN.TLD/.
/usr/local/openvpn_as/scripts/sacli --key "cs.priv_key" --value_file "/usr/local/openvpn_as/etc/web-ssl/server.key" ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "cs.cert" --value_file "/usr/local/openvpn_as/etc/web-ssl/server.crt" ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "cs.ca_bundle" --value_file "/usr/local/openvpn_as/etc/web-ssl/ca.crt" ConfigPut
/usr/local/openvpn_as/scripts/sacli start
</code>

Edit the crontab for the root user to call renewal with the cert loader as a post-hook:

<code>
1 1 * * 2 certbot renew --standalone --preferred-challenges http --pre-hook '' --post-hook '/home/ec2-user/cert_loader.sh' > /var/log/cert_loader.log
</code>

----

==== Old ====

Backup the default self-signed certificates:

<code bash>
$ mkdir old-ss-cert
$ sudo cp /usr/local/openvpn_as/etc/web-ssl/* ./old-ss-cert/
</code>

Install the LetsEncrypt SSL certificate:

<code bash>
$ sudo systemctl stop openvpnas
$ sudo apt-get install letsencrypt
$ sudo letsencrypt certonly
$ sudo cp /etc/letsencrypt/live/CERTNAME/cert.pem /usr/local/openvpn_as/etc/web-ssl/server.crt
$ sudo cp /etc/letsencrypt/live/CERTNAME/privkey.pem /usr/local/openvpn_as/etc/web-ssl/server.key
$ sudo cp /etc/letsencrypt/live/CERTNAME/chain.pem /usr/local/openvpn_as/etc/web-ssl/ca.crt
$ sudo systemctl start openvpnas
$ sudo systemctl status openvpnas
</code>

Renew the LetsEncrypt SSL certificate:

<code bash>
$ sudo systemctl stop openvpnas
$ sudo letsencrypt renew
$ sudo cp /etc/letsencrypt/live/CERTNAME/cert.pem /usr/local/openvpn_as/etc/web-ssl/server.crt
$ sudo cp /etc/letsencrypt/live/CERTNAME/privkey.pem /usr/local/openvpn_as/etc/web-ssl/server.key
$ sudo cp /etc/letsencrypt/live/CERTNAME/chain.pem /usr/local/openvpn_as/etc/web-ssl/ca.crt
$ sudo systemctl start openvpnas
</code>
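A pre-flight check for the cert_loader.sh post-hook in the auto-renewal section, added here as an example and not part of the original page or of OpenVPN AS: it verifies that the web-ssl symlinks still resolve, that the key and certificate are a matching pair, and that the certificate is not about to expire, so that a failed or partial renewal is never loaded with sacli. The WEB_SSL variable and the function names are my own.

```bash
#!/bin/bash
# Pre-flight checks for cert_loader.sh (added example, not part of the page or of
# OpenVPN AS). WEB_SSL defaults to the OpenVPN AS web-ssl directory; the three
# file names are the symlinks created by the install user data.
WEB_SSL="${WEB_SSL:-/usr/local/openvpn_as/etc/web-ssl}"

# 0 if server.key, server.crt and ca.crt all resolve to readable regular files
# ([ -f ] follows symlinks, so a dangling link after a failed renew fails here).
check_web_ssl_files() {
  local dir="${1:-$WEB_SSL}" f
  for f in server.key server.crt ca.crt; do
    if [ ! -f "$dir/$f" ] || [ ! -r "$dir/$f" ]; then
      echo "missing or unreadable: $dir/$f" >&2
      return 1
    fi
  done
  return 0
}

# 0 if the private key and certificate carry the same public key, so a key from
# one renewal is never loaded together with a certificate from another.
check_key_matches_cert() {
  local dir="${1:-$WEB_SSL}" key_pub cert_pub
  key_pub=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$dir/server.crt" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# 0 if the certificate stays valid for at least $2 seconds (default 7 days).
check_cert_not_expiring() {
  local dir="${1:-$WEB_SSL}" secs="${2:-604800}"
  openssl x509 -in "$dir/server.crt" -noout -checkend "$secs" >/dev/null 2>&1
}

# Run all checks; call this before the sacli ConfigPut lines and abort on failure.
preflight() {
  local dir="${1:-$WEB_SSL}"
  check_web_ssl_files "$dir" && check_key_matches_cert "$dir" && check_cert_not_expiring "$dir"
}
```

Source it at the top of cert_loader.sh and exit before the ConfigPut lines when preflight fails; the previous, still-valid certificate then stays in place.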