OpenVPN on Ubuntu 12.10 at DigitalOcean
Install OpenVPN
sudo apt-get install openvpn
Generate Server Certificates
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa2
cd /etc/openvpn/easy-rsa2
edit variables
sudo vim vars
export KEY_COUNTRY="XX"
export KEY_PROVINCE="YY"
export KEY_CITY="City"
export KEY_ORG="My VPN Service"
export KEY_EMAIL="mail@example.com"
now generate certificates
sudo mkdir keys
source ./vars
sudo -E ./clean-all
sudo -E ./build-ca
sudo -E ./build-key-server server
sudo -E ./build-dh
sudo cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /etc/openvpn
sudo cp /etc/openvpn/easy-rsa/2.0/keys/ca.key /etc/openvpn
sudo cp /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem /etc/openvpn
sudo cp /etc/openvpn/easy-rsa/2.0/keys/server.crt /etc/openvpn
sudo cp /etc/openvpn/easy-rsa/2.0/keys/server.key /etc/openvpn
restart OpenVPN
sudo service openvpn restart
Generate Client Certificates
cd /etc/openvpn/easy-rsa2
source ./vars
sudo -E ./build-key user1
Copy these files to your client over asecure channel (SSH, USB Stick):
ca.crt
user1.crt
user1.key
Configure OpenVPN
sudo adduser --system --no-create-home --disabled-login openvpn
sudo addgroup --system --no-create-home --disabled-login openvpn
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gunzip /etc/openvpn/server.conf.gz
cd /etc/openvpn
edit configuration
sudo vim server.conf
change user and group:
user openvpn
group openvpn
restart OpenVPN
sudo service openvpn restart
check if running
ifconfig tun0
Enable Routing Web Traffic Through VPN
cd /etc/openvpn
sudo vim server.conf
uncomment this line:
push "redirect-gateway def1 bypass-dhcp"
restart OpenVPN
sudo service openvpn restart
enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
add SNAT rule
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to $(curl whatismyip.akamai.com)
make iptables rules permanent so they are still there after a reboot
sudo apt-get install iptables-persistent
Accept all the defaults and you're done!
Thanks so much for this. The 3rd command from the last
was
for me and client config was a bit tricky (especially on a mac) But now Im writing from Amsterdam. Cheers.
Edit: Also as a side note, I've seen people using MASQUERADE but youre using SNAT, what are the differences between them? Why did you choose to use SNAT?