OpenVPN on Ubuntu 12.10 at DigitalOcean

openvpn.md

OpenVPN on Ubuntu 12.10 at DigitalOcean

Install OpenVPN

sudo apt-get install openvpn

Generate Server Certificates

sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa2
cd /etc/openvpn/easy-rsa2

edit variables

sudo vim vars

export KEY_COUNTRY="XX"
export KEY_PROVINCE="YY"
export KEY_CITY="City"
export KEY_ORG="My VPN Service"
export KEY_EMAIL="mail@example.com"

now generate certificates

sudo mkdir keys

source ./vars
sudo -E ./clean-all
sudo -E ./build-ca
sudo -E ./build-key-server server
sudo -E ./build-dh

sudo cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /etc/openvpn
sudo cp /etc/openvpn/easy-rsa/2.0/keys/ca.key /etc/openvpn
sudo cp /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem /etc/openvpn
sudo cp /etc/openvpn/easy-rsa/2.0/keys/server.crt /etc/openvpn
sudo cp /etc/openvpn/easy-rsa/2.0/keys/server.key /etc/openvpn

restart OpenVPN

sudo service openvpn restart

Generate Client Certificates

cd /etc/openvpn/easy-rsa2
source ./vars
sudo -E ./build-key user1

Copy these files to your client over asecure channel (SSH, USB Stick):

ca.crt
user1.crt
user1.key

Configure OpenVPN

sudo adduser --system --no-create-home --disabled-login openvpn
sudo addgroup --system --no-create-home --disabled-login openvpn

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gunzip /etc/openvpn/server.conf.gz
cd /etc/openvpn

edit configuration

sudo vim server.conf

change user and group:

user openvpn
group openvpn

restart OpenVPN

sudo service openvpn restart

check if running

ifconfig tun0

Enable Routing Web Traffic Through VPN

cd /etc/openvpn
sudo vim server.conf

uncomment this line:

push "redirect-gateway def1 bypass-dhcp"

restart OpenVPN

sudo service openvpn restart

enable IP forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward

add SNAT rule

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to $(curl whatismyip.akamai.com)

make iptables rules permanent so they are still there after a reboot

sudo apt-get install iptables-persistent

Accept all the defaults and you're done!

Thanks so much for this. The 3rd command from the last

echo 1 > /proc/sys/net/ipv4/ip_forward

was

echo 1 > sudo /proc/sys/net/ipv4/ip_forward

for me and client config was a bit tricky (especially on a mac) But now Im writing from Amsterdam. Cheers.

Edit: Also as a side note, I've seen people using MASQUERADE but youre using SNAT, what are the differences between them? Why did you choose to use SNAT?