http://www.bask.se/index.php?action=history&feed=atom&title=Howto%2FOpenVPN
Howto/OpenVPN - Revision history
2026-04-19T14:28:58Z
Revision history for this page on the wiki
MediaWiki 1.41.0
http://www.bask.se/index.php?title=Howto/OpenVPN&diff=5403&oldid=prev
Pf: Created page with "This is how to install [https://openvpn.net/ OpenVPN] 2.4.7 server including a local CA on [https://releases.ubuntu.com/20.04/ Ubuntu 20.04.1 LTS (Focal Fossa)]. We will also..."
2021-01-02T16:37:11Z
<p>Created page with "This is how to install [https://openvpn.net/ OpenVPN] 2.4.7 server including a local CA on [https://releases.ubuntu.com/20.04/ Ubuntu 20.04.1 LTS (Focal Fossa)]. We will also..."</p>
<p><b>New page</b></p><div>This is how to install [https://openvpn.net/ OpenVPN] 2.4.7 server including a local CA on [https://releases.ubuntu.com/20.04/ Ubuntu 20.04.1 LTS (Focal Fossa)].<br />
<br />
We will also create client configurations for OpenVPN and OpenWRT.<br />
<br />
Assumptions:<br />
Login username is "ubuntu".<br />
Working material saved under that users home directory<br />
Editor used is "vi"<br />
OpenVPN Server’s CommonName will be ov-server<br />
Use OpenVPNs "tls-crypt" functionality<br />
The default route interface is "eth0"<br />
Use Layer 3 routing (tun interface and separate IP addresses)<br />
IP address range for client is 10.88.0.0/16<br />
Use NAT<br />
<br />
Good references:<br />
https://openvpn.net/<br />
https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-an-openvpn-server-on-ubuntu-20-04<br />
https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-a-certificate-authority-ca-on-ubuntu-20-04<br />
<br />
<br />
Install needed packages:<br />
<code>sudo apt update<br />
sudo apt install openvpn easy-rsa</code><br />
<br />
<br />
Bootstrat Easy-RSA<br />
<br />
mkdir ~/easy-rsa<br />
<br />
cp -a /usr/share/easy-rsa/* ~/easy-rsa/<br />
<br />
Creating PKI structure including local CA<br />
<br />
sudo chown ubuntu ~/easy-rsa<br />
chmod 700 ~/easy-rsa<br />
cd ~/easy-rsa<br />
./easyrsa init-pki<br />
<br />
vi vars<br />
<br />
set_var EASYRSA_REQ_COUNTRY "SE"<br />
set_var EASYRSA_REQ_PROVINCE "VG"<br />
set_var EASYRSA_REQ_CITY "Trollhattan"<br />
set_var EASYRSA_REQ_ORG "Bask"<br />
set_var EASYRSA_REQ_EMAIL "admin@bask.se"<br />
set_var EASYRSA_REQ_OU "OPS"<br />
set_var EASYRSA_ALGO "ec"<br />
set_var EASYRSA_DIGEST "sha512"<br />
<br />
Create the CA certificate without password. Remove "nopass" if you would like to enter a password for each use.<br />
./easyrsa build-ca nopass<br />
<br />
<br />
sudo cp pki/ca.crt /usr/local/share/ca-certificates/<br />
sudo update-ca-certificates<br />
<br />
Creating OpenVPN Server Certificate and Private Key<br />
<br />
./easyrsa gen-req ov-server nopass<br />
<br />
./easyrsa sign-req server ov-server<br />
<br />
sudo cp pki/private/ov-server.key /etc/openvpn/server/<br />
sudo cp pki/issued/ov-server.crt /etc/openvpn/server/<br />
sudo cp pki/ca.crt /etc/openvpn/server/<br />
<br />
openvpn --genkey --secret ta.key<br />
sudo cp ta.key /etc/openvpn/server<br />
<br />
mkdir -p ~/client-configs/keys<br />
chmod -R 700 ~/client-configs<br />
cp ~/easy-rsa/ta.key ~/client-configs/keys/<br />
<br />
./easyrsa gen-req client1 nopass<br />
./easyrsa sign-req client client1<br />
<br />
cp pki/private/client1.key ~/client-configs/keys/<br />
cp pki/issued/client1.crt ~/client-configs/keys/<br />
sudo cp /etc/openvpn/server/ca.crt ~/client-configs/keys/<br />
sudo chown ubuntu ~/client-configs/keys/*<br />
<br />
Configure OpenVPN<br />
<br />
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/server/<br />
sudo gunzip /etc/openvpn/server/server.conf.gz<br />
<br />
sudo vi /etc/openvpn/server/server.conf<br />
<br />
Add the following:<br />
tls-crypt ta.key<br />
cipher AES-256-GCM<br />
auth SHA256<br />
dh none<br />
user nobody<br />
group nogroup<br />
push "redirect-gateway def1 bypass-dhcp"<br />
push "dhcp-option DNS 8.8.8.8"<br />
push "dhcp-option DNS 8.8.4.4"<br />
cert ov-server.crt<br />
key ov-server.key<br />
<br />
sudo nano /etc/sysctl.conf<br />
net.ipv4.ip_forward = 1<br />
sudo sysctl -p<br />
<br />
sudo nano /etc/ufw/before.rules<br />
<br />
# START OPENVPN RULES<br />
# NAT table rules<br />
*nat<br />
:POSTROUTING ACCEPT [0:0]<br />
# Allow traffic from OpenVPN client to eth0 (change to the interface you discovered!)<br />
-A POSTROUTING -s 10.88.0.0/16 -o eth0 -j MASQUERADE<br />
COMMIT<br />
# END OPENVPN RULES<br />
<br />
sudo nano /etc/default/ufw<br />
DEFAULT_FORWARD_POLICY="ACCEPT" (cahnge from DROP)<br />
<br />
Update firewall to allow UDP port 1194<br />
sudo ufw allow 1194/udp<br />
<br />
sudo ufw disable<br />
sudo ufw enable<br />
<br />
sudo systemctl -f enable openvpn-server@server.service<br />
sudo systemctl start openvpn-server@server.service<br />
sudo systemctl status openvpn-server@server.service<br />
<br />
mkdir -p ~/client-configs/files<br />
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf<br />
<br />
nano ~/client-configs/base.conf<br />
user nobody<br />
group nogroup<br />
<br />
;ca ca.crt<br />
;cert client.crt<br />
;key client.key<br />
<br />
;tls-auth ta.key 1<br />
<br />
cipher AES-256-GCM<br />
auth SHA256<br />
<br />
key-direction 1<br />
<br />
; script-security 2<br />
; up /etc/openvpn/update-resolv-conf<br />
; down /etc/openvpn/update-resolv-conf<br />
<br />
; script-security 2<br />
; up /etc/openvpn/update-systemd-resolved<br />
; down /etc/openvpn/update-systemd-resolved<br />
; down-pre<br />
; dhcp-option DOMAIN-ROUTE .<br />
<br />
nano ~/client-configs/make_config.sh<br />
<br />
#!/bin/bash<br />
<br />
# First argument: Client identifier<br />
<br />
KEY_DIR=~/client-configs/keys<br />
OUTPUT_DIR=~/client-configs/files<br />
BASE_CONFIG=~/client-configs/base.conf<br />
<br />
cat ${BASE_CONFIG} \<br />
<(echo -e '<ca>') \<br />
${KEY_DIR}/ca.crt \<br />
<(echo -e '</ca>\n<cert>') \<br />
${KEY_DIR}/${1}.crt \<br />
<(echo -e '</cert>\n<key>') \<br />
${KEY_DIR}/${1}.key \<br />
<(echo -e '</key>\n<tls-crypt>') \<br />
${KEY_DIR}/ta.key \<br />
<(echo -e '</tls-crypt>') \<br />
> ${OUTPUT_DIR}/${1}.ovpn<br />
<br />
chmod 700 ~/client-configs/make_config.sh<br />
<br />
cd ~/client-configs<br />
./make_config.sh client1</div>
Pf