Skip to content

Instantly share code, notes, and snippets.

@padde
Last active April 30, 2018 17:11
Show Gist options
  • Save padde/5689930 to your computer and use it in GitHub Desktop.
Save padde/5689930 to your computer and use it in GitHub Desktop.
OpenVPN on Ubuntu 12.10 at DigitalOcean

OpenVPN on Ubuntu 12.10 at DigitalOcean

Install OpenVPN

sudo apt-get install openvpn

Generate Server Certificates

sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa2
cd /etc/openvpn/easy-rsa2

edit variables

sudo vim vars

export KEY_COUNTRY="XX"
export KEY_PROVINCE="YY"
export KEY_CITY="City"
export KEY_ORG="My VPN Service"
export KEY_EMAIL="mail@example.com"

now generate certificates

sudo mkdir keys

source ./vars
sudo -E ./clean-all
sudo -E ./build-ca
sudo -E ./build-key-server server
sudo -E ./build-dh

sudo cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /etc/openvpn
sudo cp /etc/openvpn/easy-rsa/2.0/keys/ca.key /etc/openvpn
sudo cp /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem /etc/openvpn
sudo cp /etc/openvpn/easy-rsa/2.0/keys/server.crt /etc/openvpn
sudo cp /etc/openvpn/easy-rsa/2.0/keys/server.key /etc/openvpn

restart OpenVPN

sudo service openvpn restart

Generate Client Certificates

cd /etc/openvpn/easy-rsa2
source ./vars
sudo -E ./build-key user1

Copy these files to your client over asecure channel (SSH, USB Stick):

ca.crt
user1.crt
user1.key

Configure OpenVPN

sudo adduser --system --no-create-home --disabled-login openvpn
sudo addgroup --system --no-create-home --disabled-login openvpn

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gunzip /etc/openvpn/server.conf.gz
cd /etc/openvpn

edit configuration

sudo vim server.conf

change user and group:

user openvpn
group openvpn

restart OpenVPN

sudo service openvpn restart

check if running

ifconfig tun0

Enable Routing Web Traffic Through VPN

cd /etc/openvpn
sudo vim server.conf

uncomment this line:

push "redirect-gateway def1 bypass-dhcp"

restart OpenVPN

sudo service openvpn restart

enable IP forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward

add SNAT rule

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to $(curl whatismyip.akamai.com)

make iptables rules permanent so they are still there after a reboot

sudo apt-get install iptables-persistent

Accept all the defaults and you're done!

@sinanm89
Copy link

Thanks so much for this. The 3rd command from the last

echo 1 > /proc/sys/net/ipv4/ip_forward

was

echo 1 > sudo /proc/sys/net/ipv4/ip_forward

for me and client config was a bit tricky (especially on a mac) But now Im writing from Amsterdam. Cheers.

Edit: Also as a side note, I've seen people using MASQUERADE but youre using SNAT, what are the differences between them? Why did you choose to use SNAT?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment