@samqi
Created May 4, 2018 14:45
OpenVPN setup
# become root, add the OpenVPN apt repository signing key and the repository, then install
sudo su -
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" > /etc/apt/sources.list.d/openvpn-aptrepo.list
apt-get update && apt-get install openvpn
# Based on Linode's hardened OpenVPN guide: https://www.linode.com/docs/networking/vpn/set-up-a-hardened-openvpn-server/
# Generate the static HMAC key (ta.key) used by tls-crypt below; control-channel packets not keyed with it are dropped
openvpn --genkey --secret /etc/openvpn/server/ta.key
openssl genpkey -genparam -algorithm DH -out /etc/openvpn/server/dhp4096.pem -pkeyopt dh_paramgen_prime_len:4096
#exit root
############################################## VPN Certificate Authority on another machine
# Use EasyRSA for the VPN CA
sudo apt install make-cadir
make-cadir ~/ca && cd ~/ca
ln -s openssl-1.0.0.cnf openssl.cnf
#set defaults here:
vim ~/ca/vars
######################################## Start of vars file
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
######################################## End of vars file
source ./vars # loads the vars file's values as the defaults for the certificate prompts below
# sourcing it prints: "NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/user/ca/keys"
./clean-all
#Use EasyRSA for VPN Server CA
#Use your VPN server’s hostname or some other identifier as the Common Name
./build-ca
# and leave the challenge password blank.
# create the server’s private key, add or edit the information prompts as needed:
./build-key-server server
# When you’ve completed the question section for the private key,
# confirm the signing of the certificate and the certificate requests certified by answering yes to those two questions.
# Upload the server credentials to your Linode, using scp from your local computer:
scp ./keys/{ca.crt,server.crt,server.key} root@<your_linode's_IP>:/etc/openvpn/server
# Copy the HMAC key you created earlier back to the CA machine, to distribute to each client device:
scp root@<your_linode's_IP>:/etc/openvpn/server/ta.key ./keys
###########################################
# VPN client credentials CREATION
# build-key writes an unencrypted key; build-key-pass prompts for a passphrase to protect it.
# Both write keys/<name>.key and keys/<name>.crt, so use one form per client name.
cd ~/ca && source ./vars && ./build-key client1
cd ~/ca && source ./vars && ./build-key-pass client1
cd ~/ca && source ./vars && ./build-key-pass client2
############################################## END of VPN Certificate Authority on another machine
# OpenVPN Configuration Files
# server config with Cipher
sudo vim /etc/openvpn/server.conf
######################################## start of server.conf
dev tun
persist-key
persist-tun
topology subnet
port 1194
proto udp
keepalive 10 120
# Location of certificate authority's cert.
ca /etc/openvpn/server/ca.crt
# Location of VPN server's TLS cert.
cert /etc/openvpn/server/server.crt
# Location of server's TLS key
key /etc/openvpn/server/server.key
# Location of DH parameter file.
dh /etc/openvpn/server/dhp4096.pem
# The VPN's address block starts here.
server 10.89.0.0 255.255.255.0
explicit-exit-notify 1
# Drop root privileges and switch to the `ovpn` user after startup.
# The ovpn user and group must already exist on the server before the service is started.
user ovpn
# OpenVPN process is exclusive member of ovpn group.
group ovpn
# Cryptography options. We force these onto clients by
# setting them here and not in client.ovpn. See
# `openvpn --show-tls`, `openvpn --show-ciphers` and
#`openvpn --show-digests` for all supported options.
tls-crypt /etc/openvpn/server/ta.key
auth SHA512 # This needs to be in client.ovpn too though.
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
ncp-ciphers AES-256-GCM:AES-256-CBC
# Logging options.
ifconfig-pool-persist ipp.txt
status openvpn-status.log
log /var/log/openvpn.log
verb 3
######################################## End of server.conf
# OpenVPN Client config
sudo vim client.ovpn
######################################## Start of client.ovpn
# No cryptography options are specified here because we want
# the VPN server to push those settings to clients rather than
# allow clients to dictate their crypto.
client
dev tun
persist-key
persist-tun
proto udp
nobind
user ovpn
group ovpn
remote-cert-tls server
auth SHA512
verb 3
# Remote server's IP address and port. IP is
# preferable over hostname so as not to rely
# on DNS lookups.
remote <your_linode's IP address> 1194
# To successfully import this profile, you
# want the client device's CA certificate copy,
# client certificate and key, and HMAC signature
# all in the same location as this .ovpn file.
ca ca.crt
cert client1.crt
key client1.key
tls-crypt ta.key
######################################## End of client.ovpn
########################################
# DISTRIBUTE TO EACH USER (file names match the directives in client.ovpn above):
# client1.key # Exclusive to this device.
# client1.crt # Exclusive to this device.
# ca.crt # Is shared among server and client devices.
# ta.key # Is shared among server and client devices.
# client.ovpn # Is shared among client devices.
#############################################################################
# TURN ON THE SYSTEMCTL SERVICE
sudo systemctl enable openvpn@server
sudo systemctl start openvpn@server
sudo systemctl status openvpn@server
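As an added example (not part of this gist), a small POSIX sh audit that reads a server.conf and a client.ovpn and checks them for the directives the configs above rely on: tls-crypt, tls-version-min 1.2, auth SHA512, an ncp-ciphers list without legacy ciphers, the user/group privilege drop, the dh file, and remote-cert-tls server on the client. The names directive_value, check_server_conf and check_client_conf are my own.

```shell
# Constructed example (not part of the gist): audit an OpenVPN
# server.conf and client.ovpn for the hardening directives used above.
# Usage: check_server_conf /etc/openvpn/server.conf; check_client_conf client.ovpn

# Print the first value of DIRECTIVE in FILE, ignoring # and ; comments.
# Prints nothing when the directive is absent.
directive_value() {
    sed -e 's/[#;].*$//' "$1" | awk -v d="$2" '$1 == d { print $2; exit }'
}

# Record a failed check; rc is reset at the start of each check_* function.
fail() { echo "FAIL: $*" >&2; rc=1; }

# Exit 0 when server.conf carries every hardening directive, 1 otherwise.
check_server_conf() {
    conf=$1; rc=0
    # control channel must be wrapped with the pre-shared ta.key
    [ -n "$(directive_value "$conf" tls-crypt)" ] \
        || fail "tls-crypt missing: control channel is not keyed with ta.key"
    # TLS 1.2 or newer only
    case "$(directive_value "$conf" tls-version-min)" in
        1.2|1.3) ;;
        *) fail "tls-version-min must be 1.2 or higher" ;;
    esac
    # data-channel HMAC, which client.ovpn must mirror
    [ "$(directive_value "$conf" auth)" = "SHA512" ] || fail "auth is not SHA512"
    # no legacy ciphers offered for negotiation
    ncp=$(directive_value "$conf" ncp-ciphers)
    case "$ncp" in
        "") fail "ncp-ciphers unset" ;;
        *BF*|*DES*|*RC2*|*CAST*) fail "ncp-ciphers offers a legacy cipher: $ncp" ;;
    esac
    # daemon must drop root after start-up (the named user must exist on the host)
    [ -n "$(directive_value "$conf" user)" ]  || fail "user directive missing"
    [ -n "$(directive_value "$conf" group)" ] || fail "group directive missing"
    [ -n "$(directive_value "$conf" dh)" ]    || fail "dh parameter file not set"
    return $rc
}

# Exit 0 when client.ovpn only accepts server certificates and uses ta.key.
check_client_conf() {
    conf=$1; rc=0
    # without this, any certificate the CA signed (another client's) is accepted as the server
    [ "$(directive_value "$conf" remote-cert-tls)" = "server" ] \
        || fail "remote-cert-tls server missing"
    [ -n "$(directive_value "$conf" tls-crypt)" ] || fail "tls-crypt missing"
    [ "$(directive_value "$conf" auth)" = "SHA512" ] || fail "auth must match the server (SHA512)"
    return $rc
}
```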
samqi commented Feb 5, 2019

Generating CRT based out of CSR && Private Key:

openssl req \
       -key client.key \
       -in client.csr \
       -x509 -days 365 -out client.crt

samqi commented Sep 13, 2019