Recently I had to comb through 15 different websites to figure out what I was doing. Here are my notes; I hope they are helpful to you.
Install Common Packages
sudo apt-get update
sudo apt-get -y install vim openvpn easy-rsa
Create CA Directory
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
Create VARS File
rm vars
vim vars
Content
# Easy-RSA 3 "vars" file, sourced by ./easyrsa each time it runs.
# EASYRSA is taken from $PWD, so ./easyrsa must be invoked from
# ~/openvpn-ca (as the steps above do) for the paths below to resolve.
set_var EASYRSA "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
# cn_only: certificate subjects carry only the Common Name. The REQ_*
# fields below are presumably unused unless this mode is changed - verify.
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "Springfield"
set_var EASYRSA_REQ_CITY "Springfield"
set_var EASYRSA_REQ_ORG "PLUMSOS CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL "openvpn@plumsos.lan"
set_var EASYRSA_REQ_OU "PLUMSOS EASY CA"
# 4096-bit RSA keys.
set_var EASYRSA_KEY_SIZE 4096
set_var EASYRSA_ALGO rsa
# Lifetimes in days: CA ~20 years, issued server/client certs 10 years.
# NOTE(review): with 10-year client certs, a compromised client01.key stays
# valid until revoked - plan on a CRL rather than relying on expiry.
set_var EASYRSA_CA_EXPIRE 7500
set_var EASYRSA_CERT_EXPIRE 3650
# Legacy Netscape extensions are not emitted; the comment is kept for completeness.
set_var EASYRSA_NS_SUPPORT "no"
set_var EASYRSA_NS_COMMENT "PLUMSOS CERTIFICATE AUTHORITY"
# Extension templates (x509-types) and OpenSSL config shipped in the CA dir.
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf"
# SHA-256 signatures.
set_var EASYRSA_DIGEST "sha256"
# Batch mode: gen-req / sign-req run without interactive confirmation prompts.
set_var EASYRSA_BATCH 1
:wq
Init the pki
./easyrsa init-pki
Build the CA (nopass leaves the CA private key unencrypted on disk, so keep ~/openvpn-ca/pki/private/ tightly protected)
./easyrsa build-ca nopass
Build Server Key
./easyrsa gen-req server-server nopass
Sign the Server Key
./easyrsa sign-req server server-server
Build the Client Key
./easyrsa gen-req client01 nopass
Sign the Client Key
./easyrsa sign-req client client01
Build the Diffie-Hellman Key
./easyrsa gen-dh
Copy Server Key and Certificate
sudo cp ~/openvpn-ca/pki/ca.crt /etc/openvpn/server/
sudo cp ~/openvpn-ca/pki/issued/server-server.crt /etc/openvpn/server/
sudo cp ~/openvpn-ca/pki/private/server-server.key /etc/openvpn/server/
Copy Client Key and Certificate
sudo cp ~/openvpn-ca/pki/ca.crt /etc/openvpn/client/
sudo cp ~/openvpn-ca/pki/issued/client01.crt /etc/openvpn/client/
sudo cp ~/openvpn-ca/pki/private/client01.key /etc/openvpn/client/
Copy Diffie-Hellman Key
sudo cp ~/openvpn-ca/pki/dh.pem /etc/openvpn/server/
Create Server Config
sudo vim /etc/openvpn/server.conf
Content:
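# /etc/openvpn/server.conf - server instance started as openvpn@server.
# Listen on UDP/1194 with a routed (tun) interface.
port 1194
proto udp
dev tun

# CA, server certificate/key and DH parameters copied from ~/openvpn-ca/pki.
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server-server.crt
key /etc/openvpn/server/server-server.key
dh /etc/openvpn/server/dh.pem

# VPN subnet handed out to clients (10.8.0.0/24). The MASQUERADE rule in
# /etc/ufw/before.rules should cover this same range.
server 10.8.0.0 255.255.255.0
# Route all client traffic through the VPN. The flag is "def1" (digit one),
# not "defl": def1 adds two /1 routes rather than replacing the default route.
push "redirect-gateway def1"
# Allow several simultaneous connections with the same client certificate.
# NOTE(review): this removes per-device accountability and makes revocation
# all-or-nothing; prefer one certificate per device and drop this option.
duplicate-cn

# Crypto settings - the client profile must use the same values.
cipher AES-256-CBC
tls-version-min 1.2
# tls-cipher is a single colon-separated line (it was wrapped in the notes).
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
# NOTE(review): no tls-auth/tls-crypt key is configured, so the TLS handshake
# is not gated by a pre-shared HMAC key; consider adding one on both ends.

keepalive 20 60
# Keep keys and the tun device across restarts; required once privileges
# are dropped to nobody/nogroup below, since the key can no longer be re-read.
persist-key
persist-tun
# NOTE(review): compression of VPN traffic is discouraged by the OpenVPN
# project; remove it here and in the client profile unless it is required.
compress lz4

# Daemonize and drop privileges after initialization.
daemon
user nobody
group nogroup
log-append /var/log/openvpn.log
verb 3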
:wq
Create the Client Config
sudo vim /etc/openvpn/client/client01.ovpn
Content:
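# client01.ovpn - client profile for the server configured above.
client
dev tun
proto udp
# XXX is a placeholder from the original notes: replace with the server's address.
remote 172.16.200.XXX 1194

# Relative paths: ca.crt, client01.crt and client01.key must be resolvable
# from OpenVPN's working directory (they are copied to /etc/openvpn/client/ above).
ca ca.crt
cert client01.crt
key client01.key
# Only accept a server certificate issued with the "server" type
# (./easyrsa sign-req server ...). Without this, any client certificate
# signed by the same CA would be accepted as the server.
remote-cert-tls server

# Crypto settings - must match server.conf.
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
# tls-cipher is a single colon-separated line (it was wrapped in the notes).
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

resolv-retry infinite
# NOTE(review): keep in step with the server; compression is discouraged and
# can be dropped on both sides.
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3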
:wq
Enable OpenVPN Server
systemctl enable openvpn@server
systemctl start openvpn@server
Configure IP Forwarding
sudo vim /etc/sysctl.conf
Uncomment net.ipv4.ip_forward=1
:wq
Add UFW before.rules content
sudo vim /etc/ufw/before.rules
Content:
Note: change the ethernet interface name (eth0) as needed! The -s source range should match the VPN subnet given by the server directive in server.conf.
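# NAT table rules - a complete *nat section placed ahead of the existing
# *filter section in /etc/ufw/before.rules. Replace eth0 with the
# interface that carries traffic out to the network.
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade only the VPN subnet from server.conf (server 10.8.0.0 255.255.255.0).
# A /8 here would also NAT any other 10.x.x.x source that reaches this host.
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT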
:wq
Customize UFW forwarding policy
sudo vim /etc/default/ufw
Content:
DEFAULT_FORWARD_POLICY="ACCEPT"
:wq
Open UFW ports for OpenVPN
sudo ufw allow openvpn
Enable UFW
sudo ufw --force enable