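# Everything after the ssh line runs on the server.
ssh username@my.server.addy
sudo apt update && sudo apt upgrade -y
sudo apt install openvpn ufw
# Work in ~/VPN regardless of the current directory: the original mixed a relative
# 'VPN/' with '~/VPN', which only agree when started from the home directory.
mkdir -p ~/VPN
# EasyRSA release tarball. Nothing here verifies a checksum or signature, so compare
# the download against the release page before trusting the CA it will build.
wget -P ~/VPN https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz
cd ~/VPN
tar xvf EasyRSA-3.0.8.tgz
cd EasyRSA-3.0.8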
Let's get started!
# vars holds the subject fields and key size used for every certificate this CA issues;
# edit it before 'init-pki'.
cp vars.example vars
nano vars
-- change the info and uncomment it: remove the leading "#" from each set_var line below and change the quoted values to fit your needs --
# set_var EASYRSA_REQ_COUNTRY "US "
# set_var EASYRSA_REQ_PROVINCE "California "
# set_var EASYRSA_REQ_CITY "San Francisco "
# set_var EASYRSA_REQ_ORG "Copyleft Certificate Co "
# set_var EASYRSA_REQ_EMAIL "me@example.net "
# set_var EASYRSA_REQ_OU "My Organizational Unit"
and uncomment this one too... it's right below.
# set_var EASYRSA_KEY_SIZE 2048
save and exit.
./easyrsa init-pki
# 'nopass' leaves the CA private key unencrypted on disk: anyone who can read
# pki/private/ca.key can then issue VPN credentials without a prompt. Drop 'nopass'
# (and enter the passphrase when signing) if the CA stays on this same server.
./easyrsa build-ca nopass
./easyrsa gen-req server nopass
# The first argument is the certificate type ('server'); that is the role the
# clients' 'remote-cert-tls server' line checks for.
./easyrsa sign-req server server
sudo cp pki/private/server.key /etc/openvpn/
sudo cp pki/ca.crt /etc/openvpn
sudo cp pki/issued/server.crt /etc/openvpn
# Diffie-Hellman parameters; this is the slow step.
./easyrsa gen-dh
-- ugh... if this is a PC, it will take a few minutes at most --
openvpn --genkey secret ta.key
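sudo cp ta.key /etc/openvpn/
sudo cp pki/dh.pem /etc/openvpn/
# Staging area for per-client material; 700 keeps other local users away from
# the unencrypted client keys and the shared ta.key.
mkdir -p ../client-configs/keys
chmod -R 700 ../client-configs
# 'nopass' leaves the client key unencrypted, so the finished .ovpn is a bearer
# credential: anyone holding the file can connect as client1.
./easyrsa gen-req client1 nopass
cp pki/private/client1.key ../client-configs/keys/
# First argument is the certificate type ('client'), distinct from the server role.
./easyrsa sign-req client client1
cp pki/issued/client1.crt ../client-configs/keys/
# ta.key is embedded in every client profile; hand profiles out over a trusted channel.
cp ta.key ../client-configs/keys/
# Copy the CA certificate from the user-owned pki/ tree (the same file copied to
# /etc/openvpn above) instead of 'sudo cp' out of /etc/openvpn, which left a
# root-owned file in the staging directory.
cp pki/ca.crt ../client-configs/keys/
# Start from the packaged sample. NOTE(review): on some Debian/Ubuntu releases the
# sample ships as server.conf.gz — list the directory first and zcat it if so.
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/
sudo nano /etc/openvpn/server.conf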
port 1194
# TCP or UDP server?
# This guide uses TCP; the client base.conf below must use the same proto.
proto tcp
;proto udp
;dev tap
dev tun
;dev-node MyTap
# Relative paths resolve under /etc/openvpn, where the files were copied above.
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
# dh dh2048.pem
# easy-rsa 3 writes pki/dh.pem, so the sample's dh2048.pem name is replaced.
dh dh.pem
# VPN subnet handed to clients (a /24). The MASQUERADE rule in
# /etc/ufw/before.rules should cover exactly this range.
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
# Route all client traffic through the tunnel and push these resolvers to clients.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
# HMAC protection of the control channel; direction 0 here pairs with
# 'key-direction 1' in the client profile.
tls-auth ta.key 0 # This file is secret
# Must match the client profile. NOTE(review): OpenVPN 2.5+ negotiates the data
# channel cipher via data-ciphers (AES-GCM by default) and treats this as the
# fallback only — confirm the installed version on both ends.
cipher AES-256-CBC
auth SHA256
# Drop root privileges once the tunnel is up; persist-key/persist-tun keep the key
# and tun device across restarts, which would otherwise fail without root.
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
# Keep this commented: explicit-exit-notify is only valid with 'proto udp'.
; explicit-exit-notify 1
If the service exits with an error when you start it later, check this setting:
sudo nano /etc/sysctl.conf
-- uncomment the IPv4 forwarding line (net.ipv4.ip_forward=1), then reload with --
sudo sysctl -p
# The interface named after 'dev' in the default route is the one to NAT through below.
ip route | grep default
Take note of your network adapter (the interface name shown after "dev" in the default route).
sudo nano /etc/ufw/before.rules
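# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN clients out through enp2s0 (change to the interface
# you discovered with 'ip route | grep default'). The source range is the VPN
# subnet from 'server 10.8.0.0 255.255.255.0' in server.conf, i.e. a /24; the
# original /8 would masquerade every 10.x.x.x address, far wider than the tunnel
# ever hands out.
-A POSTROUTING -s 10.8.0.0/24 -o enp2s0 -j MASQUERADE
COMMIT
# END OPENVPN RULES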
# ufw's default forward policy decides whether packets routed between the tunnel
# and the outbound interface are allowed at all.
sudo nano /etc/default/ufw
change DEFAULT_FORWARD_POLICY from "DROP" to "ACCEPT"
sudo ufw allow 1194/tcp
# Allow SSH before enabling the firewall so the current session is not locked out.
sudo ufw allow OpenSSH
# disable/enable re-reads before.rules and /etc/default/ufw ('sudo ufw reload' does the same).
sudo ufw disable
sudo ufw enable
# 5900/tcp is VNC and is not part of OpenVPN: this exposes a remote-desktop port to the
# whole internet. Remove the line unless VNC runs here; if it does, allow it only from the
# VPN subnet instead, e.g. 'sudo ufw allow from 10.8.0.0/24 to any port 5900 proto tcp'.
sudo ufw allow 5900/tcp
# openvpn@server reads /etc/openvpn/server.conf. NOTE(review): releases that ship the
# openvpn-server@ unit read from /etc/openvpn/server/ instead — confirm which applies.
sudo systemctl start openvpn@server
sudo systemctl status openvpn@server
sudo systemctl enable openvpn@server
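mkdir -p ../client-configs/files
# Start the client template from the packaged sample instead of downloading one over
# plain HTTP from a third-party site: that transfer had no TLS and no checksum, and a
# tampered template would be copied into every client profile. After editing, the
# file should match the listing that follows.
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ../client-configs/base.conf
nano ../client-configs/base.conf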
client
;dev tap
dev tun
;dev-node MyTap
;proto tcp
# Must match the server's 'proto tcp'.
proto tcp
# Replace with the server's public hostname or IP; 1194 matches the server's
# 'port 1194' and the 'ufw allow 1194/tcp' rule.
remote my.url.or.ip 1194
;remote my-server-2 1194
resolv-retry infinite
nobind
# Do not keep passphrases or user/pass credentials in memory between connections.
auth-nocache
# Send all traffic through the tunnel (the server pushes this as well).
redirect-gateway def1
# Drop privileges after connecting. NOTE(review): not implemented on Windows clients,
# where these are ignored with a warning — confirm per client platform.
user nobody
group nogroup
persist-key
persist-tun
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# ca/cert/key stay commented out: make_config.sh inlines them into the .ovpn.
# ca ca.crt
# cert client.crt
# key client.key
# Only accept a peer whose certificate was issued for the server role ('sign-req
# server'), so a stolen client certificate cannot be used to impersonate the server.
remote-cert-tls server
# ta.key is inlined too; 'key-direction 1' below pairs with the server's 'tls-auth ta.key 0'.
# tls-auth ta.key 1
# Must match the server. NOTE(review): on OpenVPN 2.5+ both ends negotiate AES-GCM
# via data-ciphers and this is only the fallback — confirm the installed version.
cipher AES-256-CBC
auth SHA256
key-direction 1
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
# Leaving it off is also the safer choice: OpenVPN deprecated compression because
# it weakens the confidentiality of tunnelled traffic.
#comp-lzo
verb 3
;mute 20
# The script body to write here is the listing that follows.
nano ../client-configs/make_config.sh
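#!/bin/bash
# Assemble a single-file OpenVPN profile for one client by appending the CA
# certificate, the client's certificate and private key, and the shared
# tls-auth key to base.conf as inline <ca>/<cert>/<key>/<tls-auth> blocks.
#
# First argument: Client identifier (the name given to 'easyrsa gen-req').
# Reads:   base.conf, keys/ca.crt, keys/<client>.crt, keys/<client>.key, keys/ta.key
# Writes:  files/<client>.ovpn, owner-only — it contains the client's private key
# Returns: 0 on success, 1 on a missing argument or an unreadable input file
set -euo pipefail

# Paths are relative to the script's own directory so it can be run from anywhere.
cd "$(dirname -- "$0")"

KEY_DIR=keys
OUTPUT_DIR=files
BASE_CONFIG=base.conf

client=${1:?usage: $0 <client-identifier>}

# Check every input up front rather than leaving a half-built profile behind.
inputs=(
  "${BASE_CONFIG}"
  "${KEY_DIR}/ca.crt"
  "${KEY_DIR}/${client}.crt"
  "${KEY_DIR}/${client}.key"
  "${KEY_DIR}/ta.key"
)
for f in "${inputs[@]}"; do
  [[ -r "$f" ]] || { printf 'make_config: cannot read %s\n' "$f" >&2; exit 1; }
done

# The profile embeds a private key and the shared HMAC secret: create it owner-only.
umask 077
{
  cat -- "${BASE_CONFIG}"
  printf '<ca>\n'
  cat -- "${KEY_DIR}/ca.crt"
  printf '</ca>\n<cert>\n'
  cat -- "${KEY_DIR}/${client}.crt"
  printf '</cert>\n<key>\n'
  cat -- "${KEY_DIR}/${client}.key"
  printf '</key>\n<tls-auth>\n'
  cat -- "${KEY_DIR}/ta.key"
  printf '</tls-auth>\n'
} > "${OUTPUT_DIR}/${client}.ovpn"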
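chmod 700 ../client-configs/make_config.sh
cd ../client-configs
# sudo is only needed while keys/ contains root-owned files (e.g. one copied in with sudo).
sudo ./make_config.sh client1
# Hand the profile back to the invoking user; quote $USER and pass '--' so an odd
# value cannot be parsed as an option.
sudo chown -- "$USER" files/*.ovpn
# The .ovpn holds the client's private key and ta.key: treat it like a password when
# moving it off the server.
cp -- files/*.ovpn ~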