OpenVPN on Ubuntu 12.10 at DigitalOcean
Install OpenVPN
sudo apt-get install openvpn
Generate Server Certificates
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa2
cd /etc/openvpn/easy-rsa2
edit variables
sudo vim vars
export KEY_COUNTRY="XX"
export KEY_PROVINCE="YY"
export KEY_CITY="City"
export KEY_ORG="My VPN Service"
export KEY_EMAIL="mail@example.com"
(KEY_SIZE defaults to 1024 in easy-rsa 2.0 and sets both the RSA key size and the DH parameter size, hence the dh1024.pem file name below; 2048 is the current minimum recommendation, in which case the file is dh2048.pem)
now generate certificates
sudo mkdir keys
source ./vars
sudo -E ./clean-all
sudo -E ./build-ca
sudo -E ./build-key-server server
sudo -E ./build-dh
sudo cp /etc/openvpn/easy-rsa2/keys/ca.crt /etc/openvpn
sudo cp /etc/openvpn/easy-rsa2/keys/ca.key /etc/openvpn
(the server itself never reads ca.key; it is only used by build-key below, so it can also stay in easy-rsa2/keys with mode 600)
sudo cp /etc/openvpn/easy-rsa2/keys/dh1024.pem /etc/openvpn
sudo cp /etc/openvpn/easy-rsa2/keys/server.crt /etc/openvpn
sudo cp /etc/openvpn/easy-rsa2/keys/server.key /etc/openvpn
restart OpenVPN
sudo service openvpn restart
Generate Client Certificates
cd /etc/openvpn/easy-rsa2
source ./vars
sudo -E ./build-key user1
Copy these files to your client over a secure channel (SSH, USB stick):
ca.crt
user1.crt
user1.key
Configure OpenVPN
sudo adduser --system --no-create-home --disabled-login openvpn
sudo addgroup --system openvpn
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gunzip /etc/openvpn/server.conf.gz
cd /etc/openvpn
edit configuration
sudo vim server.conf
change user and group:
user openvpn
group openvpn
restart OpenVPN
sudo service openvpn restart
check if running
ifconfig tun0
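A check worth running after these edits, as an added example that is not part of the original gist: dropping root with user/group only survives a restart or SIGUSR1 if persist-key and persist-tun are also set (the sample server.conf ships with both enabled, but they are easy to lose while editing), and once redirect-gateway is pushed a client's usual LAN resolver is often unreachable, so a DNS server should be pushed as well. The script reads /etc/openvpn/server.conf by default; the sample config at the bottom is constructed so it runs stand-alone.

```shell
#!/bin/sh
# Added example, not part of the original gist: sanity-check server.conf
# after the edits above. Dropping root with "user"/"group" only survives a
# restart or SIGUSR1 if persist-key and persist-tun are also set, because
# the unprivileged process can no longer reread the keys or reopen tun.
# The config path defaults to /etc/openvpn/server.conf; the sample config
# at the bottom is constructed for a stand-alone run.

# True if an uncommented directive whose first word is $2 exists in $1.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# Print the argument of a one-argument directive $2 in $1 (empty if absent).
directive_value() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]+([^[:space:]#]+).*/\1/p" "$1" | head -n 1
}

# Print one finding per line: OK, MISSING, WEAK or WARN.
check_server_conf() {
    conf="${1:-/etc/openvpn/server.conf}"
    for want in user group; do
        val=$(directive_value "$conf" "$want")
        if [ -z "$val" ]; then
            echo "MISSING: $want (daemon keeps running as root)"
        elif [ "$val" = "root" ]; then
            echo "WEAK: $want root"
        else
            echo "OK: $want $val"
        fi
    done
    for want in persist-key persist-tun; do
        if has_directive "$conf" "$want"; then
            echo "OK: $want"
        else
            echo "MISSING: $want (required once privileges are dropped)"
        fi
    done
    # With redirect-gateway pushed, a client's usual LAN resolver is often
    # unreachable through the tunnel, so a DNS server should be pushed too.
    if grep -Eq '^[[:space:]]*push[[:space:]]+"redirect-gateway' "$conf" &&
       ! grep -Eq '^[[:space:]]*push[[:space:]]+"dhcp-option DNS' "$conf"; then
        echo "WARN: redirect-gateway is pushed without a dhcp-option DNS push"
    fi
}

# Number of non-OK findings for the config in $1.
problem_count() {
    n=$(check_server_conf "$1" | grep -E '^(MISSING|WEAK|WARN)' | wc -l)
    echo $((n))
}

# Constructed sample config (mirrors the edits made above).
sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
;user nobody
user openvpn
group openvpn
persist-key
persist-tun
push "redirect-gateway def1 bypass-dhcp"
EOF
    echo "$f"
}

f=$(sample_conf)
check_server_conf "$f"
echo "problems: $(problem_count "$f")"
rm -f "$f"
```

On the real server run `check_server_conf /etc/openvpn/server.conf` (or with no argument); the sample above produces one WARN, because the gist's redirect-gateway step does not push a DNS server.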
Enable Routing Web Traffic Through VPN
cd /etc/openvpn
sudo vim server.conf
uncomment this line:
push "redirect-gateway def1 bypass-dhcp"
restart OpenVPN
sudo service openvpn restart
enable IP forwarding (the redirection is done by your own shell, so the write needs tee under sudo)
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
this setting is lost on reboot; to keep it, also add net.ipv4.ip_forward=1 to /etc/sysctl.conf
add SNAT rule
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to $(curl whatismyip.akamai.com)
make iptables rules permanent so they are still there after a reboot
sudo apt-get install iptables-persistent
Accept all the defaults and you're done!
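The forwarding and NAT steps above, as an added example that is not part of the original gist: it takes the server's address from its own interface (what `ip -4 -o addr show dev eth0` reports) rather than from a third-party web service, builds either the SNAT rule used above or the MASQUERADE alternative, and checks ip_forward. Nothing here calls iptables; the commands are printed for review. The interface name, the VPN subnet and the sample `ip` output are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original gist: build the POSTROUTING rule
# for the VPN subnet from the server's own interface address, choose SNAT
# or MASQUERADE, and check/persist ip_forward. The commands are printed,
# not executed. eth0, 10.8.0.0/24 and SAMPLE_IP_OUTPUT are constructed.

# Extract the first IPv4 address from "ip -4 -o addr show dev IFACE" text
# on stdin, so it can be tested without a real interface.
first_ipv4_from_ip_output() {
    # Lines look like: "2: eth0    inet 203.0.113.10/24 brd ... scope global eth0"
    sed -n -E 's|.*inet ([0-9]+(\.[0-9]+){3})/[0-9]+.*|\1|p' | head -n 1
}

# Print the iptables command for the chosen mode.
#   snat:       rewrite the source to one fixed address; right for a droplet
#               with a static public IP, and the kernel does not have to look
#               the address up per packet.
#   masquerade: use whatever address the outgoing interface has at the time
#               and drop tracked connections when the interface goes down;
#               right for dynamic addresses (DHCP, PPP).
nat_rule() {
    mode="$1"; subnet="$2"; iface="$3"; addr="$4"
    case "$mode" in
        snat)
            [ -n "$addr" ] || { echo "snat needs an address" >&2; return 1; }
            echo "iptables -t nat -A POSTROUTING -s $subnet -o $iface -j SNAT --to-source $addr" ;;
        masquerade)
            echo "iptables -t nat -A POSTROUTING -s $subnet -o $iface -j MASQUERADE" ;;
        *)
            echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# True if forwarding is on, reading the given file (default: the live /proc value).
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ "$(cat "$f" 2>/dev/null)" = "1" ]
}

# Commands that turn forwarding on now and keep it across reboots
# (the /proc write alone is lost at the next boot).
persist_ip_forward_cmds() {
    echo "echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward"
    echo "echo net.ipv4.ip_forward=1 | sudo tee -a /etc/sysctl.conf"
}

# Constructed sample of "ip -4 -o addr show dev eth0" (TEST-NET-3 address).
SAMPLE_IP_OUTPUT='2: eth0    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0\       valid_lft forever preferred_lft forever'

main_demo() {
    addr=$(printf '%s\n' "$SAMPLE_IP_OUTPUT" | first_ipv4_from_ip_output)
    # On the real server: addr=$(ip -4 -o addr show dev eth0 | first_ipv4_from_ip_output)
    echo "# SNAT (what the gist uses, with the address read locally):"
    nat_rule snat 10.8.0.0/24 eth0 "$addr"
    echo "# MASQUERADE alternative:"
    nat_rule masquerade 10.8.0.0/24 eth0
    if ip_forward_enabled; then
        echo "# ip_forward is already on"
    else
        echo "# ip_forward is off; run:"
        persist_ip_forward_cmds
    fi
}
main_demo
```

Pick the rule by running the printed command with sudo; iptables-persistent then saves it as in the step above. The choice between the two targets is the one the comment below asks about: with a fixed public address SNAT is the cheaper and more predictable option, and MASQUERADE only earns its extra per-packet lookup when the address can change.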
Thanks so much for this. The 3rd command from the last
was
for me and client config was a bit tricky (especially on a Mac). But now I'm writing from Amsterdam. Cheers.
Edit: Also as a side note, I've seen people using MASQUERADE but you're using SNAT, what are the differences between them? Why did you choose to use SNAT?