# Install OpenVPN and the easy-rsa PKI helper scripts.
sudo apt-get install openvpn easy-rsa
# Create a private working copy of the easy-rsa scripts for our own CA.
# NOTE(review): make-cadir and the ./build-* helpers used below belong to the
# easy-rsa 2.x layout; confirm the installed package still provides them
# (easy-rsa 3 replaces them with a single `easyrsa` command).
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
# Edit the CA variables; the values to set are listed next.
nano vars
Now edit the `vars` file and set the certificate identity variables to your own values:
# Identity fields used by easy-rsa when it generates certificates. Replace the
# placeholders with your own values; they are not secrets, but presumably end
# up in the subject of every certificate this CA issues, so keep them sane.
export KEY_COUNTRY='CZ'               # two-letter country code
export KEY_PROVINCE='CA'              # state / province
export KEY_CITY='town'                # locality
export KEY_ORG='home'                 # organisation
export KEY_EMAIL='me@myhost.mydomain' # contact address
export KEY_OU='home'                  # organisational unit
# NOTE(review): presumably the X.509 "name" field rather than the CN (the
# server CN is given on the build-key-server line) — confirm in your vars file.
export KEY_NAME='server'
# Load the CA variables into this shell; the easy-rsa helpers read them.
source vars
# Re-initialise the keys/ directory. NOTE(review): this presumably deletes any
# existing CA and certificates there — only run it for a fresh setup.
./clean-all
# Create the CA certificate and its private key (ca.crt / ca.key). ca.key is
# what signs every client certificate, so it must never leave this directory.
./build-ca
# Server certificate and key named "server". The client profile's
# `remote-cert-tls server` relies on the server-type certificate extensions
# that this helper (unlike plain build-key) is expected to set.
./build-key-server server
# Diffie-Hellman parameters (dh2048.pem) for the TLS key exchange; this is slow.
./build-dh
# Pre-shared HMAC key for tls-auth. Control packets without a valid HMAC are
# discarded before any TLS processing, which keeps unauthenticated peers away
# from the handshake code; the same ta.key goes to the server and every client.
# NOTE(review): OpenVPN 2.5+ spells this `openvpn --genkey secret keys/ta.key`;
# the form below still works there but prints a deprecation warning.
openvpn --genkey --secret keys/ta.key
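cd ~/openvpn-ca/keys
# Install only the files server.conf actually references. ca.key is
# deliberately NOT copied: the running server never needs the CA private key,
# and leaving it on the internet-facing host means a compromise of the VPN
# server lets the attacker mint new client certificates. It stays in
# ~/openvpn-ca/keys, where make_config.sh uses it to sign client certs.
sudo cp ca.crt server.crt server.key ta.key dh2048.pem /etc/openvpn
# Private material must be readable by root only. OpenVPN reads the keys
# before it drops privileges to nobody/nogroup (and keeps them thanks to
# persist-key), so root-owned 0600 is sufficient.
sudo chmod 600 /etc/openvpn/server.key /etc/openvpn/ta.key
# Now write the server configuration shown next.
sudo nano /etc/openvpn/server.conf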
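# /etc/openvpn/server.conf
port 1194
proto udp
dev tun
# File paths are relative to the daemon's working directory, presumably
# /etc/openvpn for the openvpn@server unit.
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# VPN subnet; the server takes 10.8.0.1 and hands the rest out to clients.
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Route ALL client traffic through the tunnel. This only works once IPv4
# forwarding is on and the server NATs 10.8.0.0/24 out of its uplink.
push "redirect-gateway def1 bypass-dhcp"
# Resolvers handed to clients (OpenDNS here); replace with your own if you
# prefer. Linux clients only apply these with the update-resolv-conf hook
# enabled in base.conf.
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
# HMAC-authenticate every control-channel packet with the pre-shared ta.key.
# Server uses direction 0, clients direction 1; key-direction restates the
# same value and is harmless here.
tls-auth ta.key 0
key-direction 0
# Refuse TLS versions below 1.2 for the control channel.
tls-version-min 1.2
# Data-channel cipher and HMAC; both must match the client profile.
# AES-128-CBC + SHA256 is still sound. Once every client runs OpenVPN >= 2.4,
# prefer an AEAD cipher (e.g. AES-256-GCM), which 2.4+ peers can negotiate.
cipher AES-128-CBC
auth SHA256
keepalive 60 120
# WARNING: compressing traffic before encryption enables compression-oracle
# attacks (VORACLE) against secrets such as session cookies. Remove this line
# from BOTH server.conf and base.conf at the same time — removing it on one
# side only breaks the tunnel.
comp-lzo
# Lets VPN clients reach each other directly. Drop this if clients should only
# talk to the server and the internet.
client-to-client
# Drop root after start-up. persist-key/persist-tun keep the key material and
# the tun device open across restarts, which the unprivileged user could not
# reopen on its own.
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
# Recommended next step: generate a CRL with easy-rsa and add
# `crl-verify crl.pem` so a lost or stolen client certificate can be revoked
# instead of staying valid until it expires.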
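# Enable IPv4 forwarding so the server can route client traffic out of the
# tunnel (required by the pushed redirect-gateway).
sudo nano /etc/sysctl.conf
net.ipv4.ip_forward=1 # find this line and remove the leading # character to enable it
# Apply the setting now. Editing sysctl.conf alone only takes effect after a
# reboot, and until forwarding is on redirect-gateway clients have no
# connectivity at all.
sudo sysctl -p
sudo systemctl enable openvpn@server
sudo systemctl start openvpn@server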
Don't forget to open UDP port 1194 on the server's firewall. Because the server pushes `redirect-gateway`, you will also need a NAT/masquerade rule for 10.8.0.0/24 on the server's outbound interface (and to allow forwarding from the tun interface); otherwise client traffic is forwarded but nothing is ever routed back to it.
# Directory for the generated client profiles. Every .ovpn written here embeds
# that client's private key, so keep the directory readable by this user only.
mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files
# Settings shared by every client profile; the script below appends the keys.
nano ~/client-configs/base.conf
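# ~/client-configs/base.conf — shared part of every client profile.
# make_config.sh appends the CA cert, client cert/key and ta.key inline.
client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1194 # change IP address to IP of your server
# WARNING: compression enables compression-oracle attacks (VORACLE). Remove
# this line together with the one in server.conf — never on one side only,
# or the tunnel breaks.
comp-lzo
resolv-retry infinite
auth-retry none
nobind
persist-key
persist-tun
mute-replay-warnings
# Only accept a peer whose certificate carries server-type extensions (what
# build-key-server is expected to set). Without this, any certificate signed
# by the same CA — i.e. another client's — could pose as the server.
remote-cert-tls server
# Refuse TLS versions below 1.2 for the control channel.
tls-version-min 1.2
# Must match server.conf.
cipher AES-128-CBC
auth SHA256
# Direction 1 for the inline <tls-auth> key (the server uses 0).
key-direction 1
verb 3
mute 20
# uncomment following on Linux only. These hooks apply the DNS servers the
# server pushes; without them Linux keeps using the local resolver, so DNS
# lookups bypass the tunnel (DNS leak). script-security 2 is what allows
# OpenVPN to run the two scripts.
# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf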
# Create the profile generator script with the content that follows.
nano ~/client-configs/make_config.sh
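#!/bin/bash
# make_config.sh — issue a client certificate and bundle it into one .ovpn
# profile (base.conf followed by inline <ca>, <cert>, <key> and <tls-auth>).
#
# Usage:   make_config.sh <client_name>
# Output:  ~/client-configs/files/<client_name>.ovpn, mode 0600
#
# The profile contains the client's PRIVATE key and the shared tls-auth key:
# hand it over through a secure channel and delete copies you no longer need.
set -eo pipefail

# First argument: client identifier (also the certificate name). Abort with a
# usage message instead of running build-key with an empty name.
client=${1:?usage: ${0##*/} <client_name>}

KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf
OUTPUT_FILE="${OUTPUT_DIR}/${client}.ovpn"

# The profile embeds a private key, so create it readable by the owner only.
umask 077

# Sign the client certificate with the CA in ~/openvpn-ca (build-key may prompt
# interactively). Under set -e any failure aborts before a profile is written.
cd ~/openvpn-ca || exit 1
# shellcheck disable=SC1091 -- easy-rsa 2.x vars file, not visible to the linter
# NOTE(review): vars may itself export KEY_DIR; it presumably resolves to the
# same keys/ directory as above.
source vars
./build-key "${client}"

# Refuse to assemble a profile with missing pieces (e.g. the signing prompt was
# declined); the original cat would have produced a silently broken .ovpn.
for part in "${BASE_CONFIG}" "${KEY_DIR}/ca.crt" "${KEY_DIR}/${client}.crt" \
            "${KEY_DIR}/${client}.key" "${KEY_DIR}/ta.key"; do
  [[ -r "${part}" ]] || { printf 'make_config: missing %s\n' "${part}" >&2; exit 1; }
done

# Concatenate base.conf and the inline key blocks in one redirection so the
# output file is created (with the restricted umask) only once everything exists.
{
  cat "${BASE_CONFIG}"
  printf '<ca>\n'
  cat "${KEY_DIR}/ca.crt"
  printf '</ca>\n<cert>\n'
  cat "${KEY_DIR}/${client}.crt"
  printf '</cert>\n<key>\n'
  cat "${KEY_DIR}/${client}.key"
  printf '</key>\n<tls-auth>\n'
  cat "${KEY_DIR}/ta.key"
  printf '</tls-auth>\n'
} > "${OUTPUT_FILE}"

printf 'Wrote %s\n' "${OUTPUT_FILE}"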
# Make the script executable by the owner only, then generate one profile per
# device. Use a distinct name for every device: if several share one
# certificate, you cannot revoke a single lost device without cutting off the
# others.
chmod 700 ~/client-configs/make_config.sh
~/client-configs/make_config.sh client_name