Skip to content

Instantly share code, notes, and snippets.

@miketweaver

miketweaver/digitalocean-openvpn-guide.md

Last active February 12, 2018 13:50
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save miketweaver/b358e09ac688036491f28ae4d561f31f to your computer and use it in GitHub Desktop.
Save miketweaver/b358e09ac688036491f28ae4d561f31f to your computer and use it in GitHub Desktop.
Download ZIP
Digital Ocean OpenVPN commands
Raw
digitalocean-openvpn-guide.md

Raw commands from: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04

With some tweaks so you don't have to open nano/vim Also includes an OpenVZ tweak

Step 1

apt update
apt upgrade -y
apt install -y openvpn easy-rsa

Step 2

make-cadir ~/openvpn-ca
cd ~/openvpn-ca

Step 3

sed -i 's/export KEY_NAME="EasyRSA"/export KEY_NAME="server"/g' vars

Step 4

cd ~/openvpn-ca
source vars
./clean-all
./build-ca

Just press ENTER through the prompts

Step 5

./build-key-server server

enter y to two questions

./build-dh
openvpn --genkey --secret keys/ta.key

Step 6: Generate a Client Certificate and Key Pair

cd ~/openvpn-ca
source vars

# Change client1 to account name
./build-key client1

enter and y for the prompts

Step 7: Configure the OpenVPN Service

cd ~/openvpn-ca/keys
sudo cp ca.crt server.crt server.key ta.key dh2048.pem /etc/openvpn
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf

sed -i 's/;tls-auth ta.key 0 # This file is secret/tls-auth ta.key 0 # This file is secret\nkey-direction 0/g' /etc/openvpn/server.conf
sed -i 's/;cipher AES-128-CBC/cipher AES-128-CBC\nauth SHA256/g' /etc/openvpn/server.conf

sed -i 's/;user nobody/user nobody/g' /etc/openvpn/server.conf
sed -i 's/;group nogroup/group nogroup/g' /etc/openvpn/server.conf
sed -i 's/;push "redirect-gateway def1 bypass-dhcp"/push "redirect-gateway def1 bypass-dhcp"/g' /etc/openvpn/server.conf
sed -i 's/;push "dhcp-option DNS/push "dhcp-option DNS/g' /etc/openvpn/server.conf
sed -i 's/port 1194/port 443/g' /etc/openvpn/server.conf
sed -i 's/;proto tcp/proto tcp/g' /etc/openvpn/server.conf
sed -i 's/proto udp/;proto udp/g' /etc/openvpn/server.conf

Step 8: Adjust the Server Networking Configuration

sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
sudo sysctl -p

apt install -y ufw
ip route | grep default    #for openvz venet0

sed -i '10i\\n# START OPENVPN RULES\n# NAT table rules\n*nat\n:POSTROUTING ACCEPT [0:0] \n# Allow traffic from OpenVPN client to wlp11s0 (change to the interface you discovered)\n-A POSTROUTING -s 10.8.0.0/8 -o venet0 -j MASQUERADE\nCOMMIT\n# END OPENVPN RULES' /etc/ufw/before.rules
sed -i 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/g' /etc/default/ufw

sudo ufw allow https
sudo ufw allow OpenSSH

sudo ufw enable

sed -i 's/LimitNPROC=10/#LimitNPROC=10/g' /lib/systemd/system/openvpn@.service
systemctl daemon-reload

Step 9: Start and Enable the OpenVPN Service

sudo systemctl start openvpn@server
sudo systemctl status openvpn@server

Step 10: Create Client Configuration Infrastructure

mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf

# Replace server_IP_address
sed -i 's/remote my-server-1 1194/remote server_IP_address 443/g' ~/client-configs/base.conf

sed -i 's/;proto tcp/proto tcp/g' ~/client-configs/base.conf
sed -i 's/proto udp/;proto udp/g' ~/client-configs/base.conf
sed -i 's/;user nobody/user nobody/g' ~/client-configs/base.conf
sed -i 's/;group nogroup/group nogroup/g' ~/client-configs/base.conf
sed -i 's/ca ca.crt/#ca ca.crt/g' ~/client-configs/base.conf
sed -i 's/cert client.crt/#cert client.crt/g' ~/client-configs/base.conf
sed -i 's/key client.key/#key client.key/g' ~/client-configs/base.conf
sed -i 's/;cipher x/cipher AES-128-CBC/g' ~/client-configs/base.conf
echo "auth SHA256" >> ~/client-configs/base.conf
echo "key-direction 1" >> ~/client-configs/base.conf
echo "# script-security 2" >> ~/client-configs/base.conf
echo "# up /etc/openvpn/update-resolv-conf" >> ~/client-configs/base.conf
echo "# down /etc/openvpn/update-resolv-conf" >> ~/client-configs/base.conf
wget https://gist.githubusercontent.com/miketweaver/b358e09ac688036491f28ae4d561f31f/raw/make_config.sh -O ~/client-configs/make_config.sh
chmod 700 ~/client-configs/make_config.sh

Step 11: Generate Client Configurations

cd ~/client-configs

# Replace client1 with username.
./make_config.sh client1

ls ~/client-configs/files
Raw
make_config.sh
#!/bin/bash
# First argument: Client identifier
KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf
cat ${BASE_CONFIG} \
<(echo -e '<ca>') \
${KEY_DIR}/ca.crt \
<(echo -e '</ca>\n<cert>') \
${KEY_DIR}/${1}.crt \
<(echo -e '</cert>\n<key>') \
${KEY_DIR}/${1}.key \
<(echo -e '</key>\n<tls-auth>') \
${KEY_DIR}/ta.key \
<(echo -e '</tls-auth>') \
> ${OUTPUT_DIR}/${1}.ovpn
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment