Digital Ocean OpenVPN commands

Raw commands from:

With some tweaks so you don't have to open nano/vim. Also includes an OpenVZ tweak.

Step 1

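# Step 1: refresh the package index, apply pending upgrades, then install
# OpenVPN and the easy-rsa CA tooling. Run as root (later steps use sudo
# where a root-owned file is written). apt-get is the scripting-stable
# front end; the three commands are chained so a failed update does not go
# on to install from a stale index.
apt-get update \
  && apt-get upgrade -y \
  && apt-get install -y openvpn easy-rsa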

Step 2

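# Step 2: create the easy-rsa CA working directory and move into it.
# make-cadir populates the directory with the easy-rsa scripts and a default
# "vars" file; the cd is chained so it only runs when make-cadir succeeded
# (no "|| exit" here: these lines are meant to be pasted into a live shell).
make-cadir ~/openvpn-ca && cd ~/openvpn-ca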

Step 3

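# Step 3: change the KEY_NAME value easy-rsa uses when building certificates
# from the default "EasyRSA" to "server". Run inside ~/openvpn-ca.
# sed -i exits 0 even when nothing matched, so confirm the edit took effect
# instead of silently continuing with the default name.
sed -i 's/export KEY_NAME="EasyRSA"/export KEY_NAME="server"/' vars
grep -q '^export KEY_NAME="server"' vars \
  || printf 'WARNING: KEY_NAME was not updated in vars\n' >&2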

Step 4

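# Step 4: load the easy-rsa environment (KEY_DIR, KEY_NAME, ...) from vars.
# vars is sourced relative to the cwd, so it only runs after the cd succeeds.
# NOTE(review): sourcing vars does not prompt for anything. The "press ENTER
# through the prompts" note that follows, and the dh2048.pem copied in
# Step 7, correspond to easy-rsa's ./clean-all, ./build-ca and ./build-dh
# steps, which this page does not list - confirm against the upstream
# tutorial before continuing to Step 5.
# shellcheck disable=SC1091
cd ~/openvpn-ca && source vars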

Just press ENTER through the prompts

Step 5

# Step 5: build the server certificate and key. The name given here matches
# the KEY_NAME set in Step 3 and becomes the server.crt / server.key files
# that Step 7 copies into /etc/openvpn. Answer y at both prompts (sign, then
# commit).
./build-key-server server

Enter y at both questions.

# Generate the pre-shared tls-auth key that protects the TLS control channel.
# It is a secret shared by the server (key-direction 0, Step 7) and every
# client (key-direction 1, Step 10); it lives in keys/ next to the private
# keys. Newer OpenVPN releases spell this "--genkey secret keys/ta.key";
# the form below is the one the tutorial uses.
openvpn --genkey --secret keys/ta.key

Step 6: Generate a Client Certificate and Key Pair

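# Step 6: issue a client certificate/key pair. vars is re-sourced because a
# new shell session does not carry it over. Issue one certificate per
# client/person - replace client1 with the account name - since a
# certificate shared by several people cannot be revoked for one of them
# without cutting off the rest. Press ENTER through the fields, y at the
# prompts.
# shellcheck disable=SC1091
cd ~/openvpn-ca && source vars && ./build-key client1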

Press ENTER and then y at the prompts.

Step 7: Configure the OpenVPN Service

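# Step 7: install the CA, server and tls-auth material into /etc/openvpn and
# derive server.conf from the packaged sample. Everything under /etc is
# root-owned, so sudo is used on every write (the original ran the sed -i
# edits without it, which fails for a non-root user). The copy and the
# sample extraction are chained so the edits below are not attempted when
# /etc/openvpn/server.conf was never created.
cd ~/openvpn-ca/keys \
  && sudo cp ca.crt server.crt server.key ta.key dh2048.pem /etc/openvpn \
  && gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz \
     | sudo tee /etc/openvpn/server.conf >/dev/null
# cp without -p gives the copies umask permissions; the private key and the
# tls-auth secret should be readable by root only (OpenVPN reads them before
# dropping to nobody/nogroup below).
sudo chmod 600 /etc/openvpn/server.key /etc/openvpn/ta.key

conf=/etc/openvpn/server.conf
# Server side of tls-auth; clients use key-direction 1 (Step 10).
sudo sed -i 's/;tls-auth ta.key 0 # This file is secret/tls-auth ta.key 0 # This file is secret\nkey-direction 0/g' "$conf"
# Data-channel cipher and HMAC as in the tutorial; base.conf in Step 10 must
# use the same values.
sudo sed -i 's/;cipher AES-128-CBC/cipher AES-128-CBC\nauth SHA256/g' "$conf"
# Drop root privileges after start-up.
sudo sed -i 's/;user nobody/user nobody/g' "$conf"
sudo sed -i 's/;group nogroup/group nogroup/g' "$conf"
# Route all client traffic through the tunnel and push the sample DNS servers.
sudo sed -i 's/;push "redirect-gateway def1 bypass-dhcp"/push "redirect-gateway def1 bypass-dhcp"/g' "$conf"
sudo sed -i 's/;push "dhcp-option DNS/push "dhcp-option DNS/g' "$conf"
# Listen on 443/tcp instead of the sample's 1194/udp.
sudo sed -i 's/port 1194/port 443/g' "$conf"
sudo sed -i 's/;proto tcp/proto tcp/g' "$conf"
sudo sed -i 's/proto udp/;proto udp/g' "$conf"
# sed -i stays silent when a pattern is absent (sample files differ between
# releases); confirm the lines the client config depends on are present.
for expect in 'key-direction 0' 'auth SHA256' 'port 443' 'proto tcp'; do
  grep -qx "$expect" "$conf" \
    || printf 'WARNING: %s: expected line "%s" not found\n' "$conf" "$expect" >&2
done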

Step 8: Adjust the Server Networking Configuration

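# Step 8: enable IP forwarding, NAT client traffic out of the public
# interface, open the firewall, and apply the OpenVZ systemd tweak. All files
# touched here are root-owned, so sudo is used consistently.

# Forwarding: uncomment the sysctl and load it. sed -i stays silent when the
# pattern is absent, so check that the line is really active.
sudo sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
grep -qx 'net.ipv4.ip_forward=1' /etc/sysctl.conf \
  || printf 'WARNING: net.ipv4.ip_forward=1 not set in /etc/sysctl.conf\n' >&2
sudo sysctl -p

sudo apt-get install -y ufw

# Public interface to masquerade behind: venet0 on OpenVZ. Check the device
# on the default route and change wan_if if it differs.
ip route | grep default
wan_if=venet0
# Address range handed to clients; must match the "server" directive in
# server.conf (the packaged sample uses 10.8.0.0 255.255.255.0).
vpn_subnet=10.8.0.0/24

# NAT rules for ufw. The original rule read "-s -o venet0": the subnet after
# -s was missing, so "-o" would be parsed as the source address and ufw would
# fail to load before.rules. The block is inserted once, before the *filter
# table, rather than at a fixed line number that shifts between ufw versions.
before_rules=/etc/ufw/before.rules
if sudo grep -q 'START OPENVPN RULES' "$before_rules"; then
  printf 'OpenVPN NAT rules already present in %s\n' "$before_rules" >&2
else
  sudo sed -i "/^\*filter/i # START OPENVPN RULES\n# NAT table rules\n*nat\n:POSTROUTING ACCEPT [0:0]\n# Allow traffic from OpenVPN clients out of ${wan_if}\n-A POSTROUTING -s ${vpn_subnet} -o ${wan_if} -j MASQUERADE\nCOMMIT\n# END OPENVPN RULES\n" "$before_rules"
fi
# NOTE(review): forwarded packets are also subject to ufw's forward policy
# (DEFAULT_FORWARD_POLICY in /etc/default/ufw), which this page does not
# touch; check it if clients connect but cannot reach anything beyond the
# server.

# 443/tcp is the VPN port chosen in Step 7; SSH must stay allowed before the
# firewall is enabled or the session is cut off.
sudo ufw allow https
sudo ufw allow OpenSSH
sudo ufw enable

# OpenVZ tweak: remove the unit's NPROC limit. Editing the packaged unit is
# undone by the next openvpn package upgrade; a drop-in created with
# "sudo systemctl edit openvpn@.service" is the durable form of this change.
sudo sed -i 's/LimitNPROC=10/#LimitNPROC=10/g' /lib/systemd/system/openvpn@.service
sudo systemctl daemon-reload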

Step 9: Start and Enable the OpenVPN Service

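# Step 9: start the "server" instance (it reads /etc/openvpn/server.conf)
# and enable it so it comes back after a reboot - the heading says "start
# and enable" but the original only started it. status runs without the
# pager so it returns immediately when pasted.
sudo systemctl start openvpn@server \
  && sudo systemctl enable openvpn@server
sudo systemctl status openvpn@server --no-pager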

Step 10: Create Client Configuration Infrastructure

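# Step 10: build the shared client base config and fetch the helper script
# that merges it with each client's certificate, key and ta.key into one
# .ovpn (the script body is shown under Step 11). Two values are required up
# front: the page left the address as a placeholder and the script URL is
# not recorded, so both come from the environment and fail fast when unset.
server_ip="${SERVER_IP:?export SERVER_IP=<public IP or hostname of the VPN server>}"
script_url="${CLIENT_SCRIPT_URL:?export CLIENT_SCRIPT_URL=<URL of the .ovpn generator script>}"
# Local file name for the downloaded generator script (name chosen here).
client_script=~/client-configs/"${CLIENT_SCRIPT:-make_config.sh}"

# Generated .ovpn files embed client private keys: owner-only directory.
mkdir -p ~/client-configs/files \
  && chmod 700 ~/client-configs/files
base=~/client-configs/base.conf
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf "$base"
# Point clients at this server on 443/tcp (Step 7). server_ip is spliced into
# a sed replacement, so it must not contain "/" or "&".
sed -i "s/remote my-server-1 1194/remote ${server_ip} 443/g" "$base"
sed -i 's/;proto tcp/proto tcp/g' "$base"
sed -i 's/proto udp/;proto udp/g' "$base"
sed -i 's/;user nobody/user nobody/g' "$base"
sed -i 's/;group nogroup/group nogroup/g' "$base"
# Certificates and keys are embedded inline by the generator script, so the
# file-based references are commented out.
sed -i 's/ca ca.crt/#ca ca.crt/g' "$base"
sed -i 's/cert client.crt/#cert client.crt/g' "$base"
sed -i 's/key client.key/#key client.key/g' "$base"
# Must match the server's cipher/auth (Step 7); key-direction 1 is the client
# side of tls-auth. The resolv-conf hooks stay commented out as in the
# original.
sed -i 's/;cipher x/cipher AES-128-CBC/g' "$base"
printf '%s\n' \
  'auth SHA256' \
  'key-direction 1' \
  '# script-security 2' \
  '# up /etc/openvpn/update-resolv-conf' \
  '# down /etc/openvpn/update-resolv-conf' >> "$base"
# Fetch the generator script. Read it before making it executable: it runs
# with access to every client private key under KEY_DIR.
wget -O "$client_script" "$script_url" \
  && chmod 700 "$client_script"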

Step 11: Generate Client Configurations

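# Step 11: produce one .ovpn per client. Replace client1 with the username;
# it must be the name given to ./build-key in Step 6, because the generator
# reads <name>.crt and <name>.key from KEY_DIR. CLIENT_SCRIPT is the
# generator saved in Step 10 (the script name is missing from this page).
cd ~/client-configs \
  && ./"${CLIENT_SCRIPT:-make_config.sh}" client1 \
  && ls ~/client-configs/files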
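# First argument: Client identifier
# Body of the .ovpn generator script. Its preamble - the shebang and the
# assignments of BASE_CONFIG, KEY_DIR and OUTPUT_DIR - is not shown on this
# page. Concatenates the base config with the CA certificate, the client
# certificate and key, and the tls-auth key as inline <ca>/<cert>/<key>/
# <tls-auth> blocks, writing OUTPUT_DIR/<client>.ovpn.
client=${1:?usage: <client-name> (the name given to ./build-key)}
: "${BASE_CONFIG:?}" "${KEY_DIR:?}" "${OUTPUT_DIR:?}"
# Check every input up front so a missing file cannot leave a half-written,
# unusable .ovpn behind.
for f in "${BASE_CONFIG}" "${KEY_DIR}/ca.crt" "${KEY_DIR}/${client}.crt" \
         "${KEY_DIR}/${client}.key" "${KEY_DIR}/ta.key"; do
  [[ -r "$f" ]] || { printf 'missing or unreadable: %s\n' "$f" >&2; exit 1; }
done
# The output embeds the client's private key and the tls-auth secret:
# create it owner-readable only.
umask 077
cat "${BASE_CONFIG}" \
  <(printf '<ca>\n') \
  "${KEY_DIR}/ca.crt" \
  <(printf '</ca>\n<cert>\n') \
  "${KEY_DIR}/${client}.crt" \
  <(printf '</cert>\n<key>\n') \
  "${KEY_DIR}/${client}.key" \
  <(printf '</key>\n<tls-auth>\n') \
  "${KEY_DIR}/ta.key" \
  <(printf '</tls-auth>\n') \
  > "${OUTPUT_DIR}/${client}.ovpn"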