How I Install My OpenVPN Server

on Ubuntu and Pi


First things first, log in to your soon-to-be server, update your system... and then install OpenVPN (you might also install a firewall, but that's up to you; I included it in the instructions). I hope things go smoothly, sometimes they do... sometimes not. Just beware. This will, okay should, work perfectly on a freshly installed system, but in the end... computers do whatever the hell they want.

or... you can be a lazy admin and use a bash script: https://github.com/Nyr/openvpn-install

ssh username@my.server.addy
sudo apt update && sudo apt upgrade -y
sudo apt install openvpn ufw

I went to https://github.com/OpenVPN/easy-rsa/releases/ to see what the latest release is. At this time it is 3.0.8; change it to fit your needs.
From your home directory:
mkdir VPN/
wget -P ~/VPN https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz
cd VPN/
tar xvf EasyRSA-3.0.8.tgz
cd EasyRSA-3.0.8
Let's get started!
cp vars.example vars
nano vars
-- change the info and uncomment it... remove the leading # from each of these lines and change the values to fit your needs --
#set_var EASYRSA_REQ_COUNTRY "US"
#set_var EASYRSA_REQ_PROVINCE "California"
#set_var EASYRSA_REQ_CITY "San Francisco"
#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL "me@example.net"
#set_var EASYRSA_REQ_OU "My Organizational Unit"
and uncomment this one too... it's right below:
#set_var EASYRSA_KEY_SIZE 2048
save and exit

Let's make some keys, shall we?
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-req server nopass
./easyrsa sign-req server server

copy the newly created files to the server directory:
sudo cp pki/private/server.key /etc/openvpn/
sudo cp pki/ca.crt /etc/openvpn
sudo cp pki/issued/server.crt /etc/openvpn

./easyrsa gen-dh
-- ugh... if this is a PC, it will take a few minutes at most...
if it's a Pi, go find something to do. On my RPi2 it took almost 60 minutes.
My RPi4 with 8GB did it in about 60 seconds.
My desktop did it in about 30 seconds... --

openvpn --genkey secret ta.key
sudo cp ta.key /etc/openvpn/
sudo cp pki/dh.pem /etc/openvpn/

mkdir -p ../client-configs/keys
chmod -R 700 ../client-configs


-- CREATE USERS --
I have several VPNs on different machines and in different places,
so I named mine after the machine or place...
change client1 to meet your needs.
Might have a look at this for adding/removing people... https://github.com/davethepear/openvpn
./easyrsa gen-req client1 nopass
cp pki/private/client1.key ../client-configs/keys/
./easyrsa sign-req client client1

copy the newly created keys to the keys directory:
cp pki/issued/client1.crt ../client-configs/keys/
cp ta.key ../client-configs/keys/
sudo cp /etc/openvpn/ca.crt ../client-configs/keys/

You can copy the sample config file as shown below and then edit it to match the information I give below.
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/
Edit the server configuration:
sudo nano /etc/openvpn/server.conf
This is all I have in my server.conf file:
port 1194
# TCP or UDP server?
proto tcp
;proto udp
;dev tap
dev tun
;dev-node MyTap
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
# dh dh2048.pem
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
; explicit-exit-notify 1
If you get an error when trying to start, check that you've commented out explicit-exit-notify 1.
idk why, but on some systems it makes things no worky.
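As an added check (example code, not from this page), this POSIX sh snippet reads a server.conf and flags the start-up error above: OpenVPN only accepts explicit-exit-notify together with proto udp, so with proto tcp the active line has to be commented out. It also confirms the server's tls-auth direction is 0. The sample config it writes is constructed for the demo.

```shell
# Added sanity check for a server.conf like the one above (example code, not from the page).
# explicit-exit-notify is only valid with proto udp (with proto tcp OpenVPN exits at start-up),
# and the server's tls-auth must use direction 0 (clients use key-direction 1). One line per
# finding; returns 1 if any were found, 0 if the config looks consistent. POSIX sh.

# Last uncommented value of a directive: $1 config file, $2 directive name, $3 field number.
conf_value() {
    sed -e 's/[#;].*$//' "$1" | awk -v k="$2" -v f="$3" '$1 == k { v = $f } END { print v }'
}

check_server_conf() {
    rc=0
    proto=$(conf_value "$1" proto 2)
    exit_notify=$(conf_value "$1" explicit-exit-notify 1)   # non-empty if the directive is active
    tls_dir=$(conf_value "$1" tls-auth 3)
    case "$proto" in
        tcp*) if [ -n "$exit_notify" ]; then
                  echo "explicit-exit-notify needs proto udp: comment it out with ';' or switch to udp"
                  rc=1
              fi ;;
        udp*) ;;
        *) echo "no proto line found (expected 'proto tcp' or 'proto udp')"; rc=1 ;;
    esac
    if [ -n "$tls_dir" ] && [ "$tls_dir" != 0 ]; then
        echo "server tls-auth direction must be 0 (found '$tls_dir'); the client side uses 1"
        rc=1
    fi
    return $rc
}

# Constructed sample: this page's server.conf with explicit-exit-notify left active, i.e.
# exactly the start-up failure the page warns about.
write_sample_conf() {
    cat > "$1" <<'EOF'
port 1194
proto tcp
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh.pem
server 10.8.0.0 255.255.255.0
tls-auth ta.key 0 # This file is secret
explicit-exit-notify 1
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
if check_server_conf "$sample"; then echo "server.conf looks consistent"; fi
rm -f "$sample"
```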
sudo nano /etc/sysctl.conf
-- uncomment #net.ipv4.ip_forward=1 --

sudo sysctl -p
If you have installed ufw (or already have a firewall), find your network adapter:
ip route | grep default
Take note of your network adapter.
sudo nano /etc/ufw/before.rules
-- add this near the top of the file; don't delete or change anything else but the interface name,
and be sure the network thingy is correct, like enp2s0 or eno1 or eth0 or wlp2s0 --
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN clients out through enp2s0 (change to the interface you discovered!)
# The /24 matches the "server 10.8.0.0 255.255.255.0" line in server.conf, so only VPN clients get NATed
-A POSTROUTING -s 10.8.0.0/24 -o enp2s0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
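To keep the NAT rule as narrow as the VPN itself, this added example (not from the page) derives the MASQUERADE subnet from the server 10.8.0.0 255.255.255.0 line and checks an existing before.rules against it; the interface name enp2s0 is an assumption, substitute the one from ip route | grep default.

```shell
# Added example (not from the original page): build the before.rules NAT block from the
# "server 10.8.0.0 255.255.255.0" line so the MASQUERADE source range is exactly the VPN
# subnet. Many copies of this tutorial write 10.8.0.0/8, which iptables treats as all of
# 10.0.0.0/8 and so also masquerades any other 10.x traffic the box forwards. POSIX sh;
# the interface name (enp2s0) is an assumption, use the one from "ip route | grep default".

# Dotted netmask -> prefix length (255.255.255.0 -> 24). Returns 1 for a non-contiguous mask.
mask_to_prefix() {
    total=0; ended=0; old_ifs=$IFS; IFS=.
    for octet in $1; do
        case "$octet" in
            255) bits=8 ;; 254) bits=7 ;; 252) bits=6 ;; 248) bits=5 ;; 240) bits=4 ;;
            224) bits=3 ;; 192) bits=2 ;; 128) bits=1 ;; 0) bits=0 ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
        # once an octet is below 255, every later octet must be 0
        if [ "$ended" -eq 1 ] && [ "$octet" != 0 ]; then IFS=$old_ifs; return 1; fi
        if [ "$octet" != 255 ]; then ended=1; fi
        total=$((total + bits))
    done
    IFS=$old_ifs
    echo "$total"
}

# Print the NAT block for "server $1 $2" with egress interface $3.
openvpn_nat_rules() {
    prefix=$(mask_to_prefix "$2") || { echo "bad netmask: $2" >&2; return 1; }
    printf '%s\n' "# START OPENVPN RULES" "*nat" ":POSTROUTING ACCEPT [0:0]" \
        "-A POSTROUTING -s $1/$prefix -o $3 -j MASQUERADE" "COMMIT" "# END OPENVPN RULES"
}

# Return 0 if rules file $1 masquerades exactly the subnet "server $2 $3", 1 otherwise.
nat_rule_matches() {
    expected="$2/$(mask_to_prefix "$3")" || return 1
    grep -Eq -- "^-A POSTROUTING -s $expected -o [^ ]+ -j MASQUERADE" "$1"
}

openvpn_nat_rules 10.8.0.0 255.255.255.0 enp2s0
```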


Edit the firewall:
sudo nano /etc/default/ufw
-- change DEFAULT_FORWARD_POLICY from DROP to ACCEPT: DEFAULT_FORWARD_POLICY="ACCEPT" -- Save and exit.

Add the VPN to the firewall:
sudo ufw allow 1194/tcp
sudo ufw allow OpenSSH
sudo ufw disable
sudo ufw enable

if you have VNC, now is a good time to add this:
sudo ufw allow 5900/tcp
Fire up the server, check for errors in status, enable if all is good!
sudo systemctl start openvpn@server
sudo systemctl status openvpn@server
sudo systemctl enable openvpn@server

-- almost done! --
mkdir -p ../client-configs/files
wget -P ../client-configs/ http://www.linncountykansas.com/base.conf
nano ../client-configs/base.conf

This is what's in my base.conf file, except the remote line (my.url.or.ip), change that to yours...
client
;dev tap
dev tun
;dev-node MyTap
;proto tcp
proto tcp

remote my.url.or.ip 1194
;remote my-server-2 1194
resolv-retry infinite
nobind
auth-nocache
redirect-gateway def1
user nobody
group nogroup
persist-key
persist-tun

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# ca ca.crt
# cert client.crt
# key client.key

remote-cert-tls server

# tls-auth ta.key 1

cipher AES-256-CBC
auth SHA256
key-direction 1

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
#comp-lzo

verb 3

;mute 20

Don't forget to forward that port in your router...

-- Making OVPN files for your devices --
nano ../client-configs/make_config.sh
paste this into make_config.sh
#!/bin/bash

# First argument: Client identifier

KEY_DIR=keys
OUTPUT_DIR=files
BASE_CONFIG=base.conf

# Concatenate base.conf with the CA cert, client cert, client key and tls-auth key
# as inline <ca>/<cert>/<key>/<tls-auth> blocks, producing one self-contained .ovpn
cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${1}.ovpn

chmod 700 ../client-configs/make_config.sh
cd ../client-configs

Remember what you used above, client1:
sudo ./make_config.sh client1

change ~ to whatever destination you like, or leave them where they sit;
you'll send these to your phone, laptop, or whatever...
sudo chown $USER files/*.ovpn
cp files/*.ovpn ~

oh, and...

Do not forget to add a forwarding exception to your router!


-- Making it work on Ubuntu --
-- Making it work on Android --
-- Making it work on Windows --