User Tools

Site Tools



Quick setup

Long Setup

This was my starting point:

Here is my steps

Step 1 — Installing OpenVPN and EasyRSA

sudo apt install openvpn
aunpack ./EasyRSA-3.0.8.tgz

Step 2 — Configuring the EasyRSA Variables and Building the CA

cd ./EasyRSA-3.0.8/
cp vars.example vars
vim ./vars

Uncomment these lines and update the highlighted values to whatever you’d prefer, but do not leave them blank:
. . .
set_var EASYRSA_REQ_PROVINCE   "NewYork"
set_var EASYRSA_REQ_CITY       "New York City"
set_var EASYRSA_REQ_ORG        "DigitalOcean"
set_var EASYRSA_REQ_EMAIL      ""
set_var EASYRSA_REQ_OU         "Community"

Step 3 — Creating the Server Certificate, Key, and Encryption Files

./easyrsa init-pki
"... Your newly created PKI dir is: /home/vissie/EasyRSA-3.0.8/pki"
./easyrsa build-ca
"Pick a password"
"name the server"
"... Your new CA certificate file for publishing is at:
cp ./pki/ca.crt /etc/openvpn/
./easyrsa gen-req server nopass
sudo cp ./pki/private/server.key /etc/openvpn/
./easyrsa sign-req server server
sudo cp ./pki/issued/server.crt /etc/openvpn/
sudo cp ./pki/ca.crt /etc/openvpn/
./easyrsa gen-dh
sudo openvpn --genkey --secret ta.key
sudo cp ./ta.key /etc/openvpn/
sudo cp ./pki/dh.pem /etc/openvpn/

Step 4 — Generating a Client Certificate and Key Pair

cd ~
mkdir -p ~/client-configs/keys
chmod -R 700 ~/client-configs
cd ~/EasyRSA-3.0.8/
./easyrsa gen-req vissie nopass
cp ./pki/private/vissie.key ~/client-configs/keys/
./easyrsa sign-req client vissie
cp ./pki/issued/vissie.crt ~/client-configs/keys/
sudo cp ~/EasyRSA-3.0.8/ta.key ~/client-configs/keys/
sudo cp /etc/openvpn/ca.crt ~/client-configs/keys/

Step 5 — Configuring the OpenVPN Service

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz
sudo vim /etc/openvpn/server.conf
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
# Below this, add an auth directive
auth SHA256
#If necessary, change the file name by removing the 2048 so it aligns with the key you generated in the previous step:
dh dh.pem
user nobody
group nogroup
#Find the redirect-gateway
push "redirect-gateway def1 bypass-dhcp"
#Just below this, find the dhcp-option section. Again, remove the “;” from in front of both of the lines to uncomment them:
push "dhcp-option DNS"
push "dhcp-option DNS"
# Optional!
port 11
# Optional!
proto tcp
#If you do switch the protocol to TCP, you will need to change the explicit-exit-notify directive’s value from 1 to 0
explicit-exit-notify 0

Step 6 — Adjusting the Server Networking Configuration

sudo vim /etc/sysctl.conf
sudo sysctl -p
ip route | grep default
#Your public interface is the string found within this command’s output that follows the word “dev”. For example, this result shows the interface named eth0:
#default via dev eth0 proto static

sudo apt install ufw
sudo vim /etc/ufw/before.rules

# UFW rules are typically added using the ufw command. Rules listed in the before.rules file, though, are read and put into place before the conventional UFW rules are loaded. 
# Towards the top of the file, add the highlighted lines below. This will set the default policy for the POSTROUTING chain in the nat table and masquerade any traffic coming 
# from the VPN. Remember to replace eth0 in the -A POSTROUTING line below with the interface you found in the above command:

# rules.before
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward

# NAT table rules
# Allow traffic from OpenVPN client to eth0 (change to the interface you discovered!)

# Don't delete these required lines, otherwise there will be errors
. . .

sudo vim /etc/default/ufw

sudo ufw allow 1194/udp
sudo ufw allow OpenSSH

Step 7 — Starting and Enabling the OpenVPN Service

sudo systemctl start openvpn@server
sudo systemctl status openvpn@server
sudo systemctl enable openvpn@server

Step 8 — Creating the Client Configuration Infrastructure

mkdir -p ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
vim ~/client-configs/base.conf
remote 1194
proto udp
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup
#ca ca.crt
#cert client.crt
#key client.key
#tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
key-direction 1
# Finally, add a few commented out lines. Although you can include these directives in every client configuration file, you only need to enable them for Linux clients 
# that ship with an /etc/openvpn/update-resolv-conf file. This script uses the resolvconf utility to update DNS information for Linux clients.
# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
vim ~/client-configs/


# First argument: Client identifier


cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${1}.ovpn

chmod 700 ~/client-configs/

Step 9 — Generating Client Configurations

cd ~/client-configs
sudo ./ vissie
ls ~/client-configs/files

Step 10 — Installing the Client Configuration

sudo apt install openvpn
# Check to see if your distribution includes an /etc/openvpn/update-resolv-conf script:
ls /etc/openvpn
#Next, edit the OpenVPN client configuration file you transfered:
vim client1.ovpn

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Here is my notes:

Use dig command for determining my public IP address:

sudo apt-get install dnsutils
dig +short

On step 3, I got an permision denied error onL

echo 1 > /proc/sys/net/ipv4/ip_forward

So rather I did:

In a nutshell, to enable IP forwarding, you can just put the following in /etc/sysctl.conf:

net.ipv4.ip_forward = 1
sudo sysctl -p

Plus I did both ipv4 and ipv6. Not knowing if that was correct. But it made sense to me that it would be.

For step 4 I had to use my actual network interface in the before,rule, not eth0.

For Step 5, sudo did NOT work. I had to BE root.

You might have the following issue : No /etc/openvpn/easy-rsa/openssl.cnf file could be found Further invocations will fail In this case, just create a symbolic link :

ln -s openssl-1.0.0.cnf openssl.cnf

And then clean everything :

I just did a install on Debian Jessie. I had the same issues. Seemingly the service started, no visual errors, but openvpn was not running. a

sudo netstat -uapn | grep openvpn

came up blank. After hours of trouble shooting I eventually came upon this way of starting the service

systemctl start openvpn@server.service.

This failed! Now I had a error.

journalctl -xn

showed me a error on TUN/TAP.

I had a issue with a ta-key. I just disabled that: If you do not have a ta.key, of course tls-auth will fail. You may:

drop the tls-auth instruction altogether. This is not a major dent in your security: the Manual in fact states: This feature by itself does not improve the TLS auth in any way, although it offers a 2nd line of defense if a future flaw is discovered in a particular TLS cipher-suite or implementation (such as CVE-2014-0160, Heartbleed, where the tls-auth key provided protection against attackers who did not have a copy). However, it offers no protection at all in the event of a complete cryptographic break that can allow decryption of a cipher-suite's traffic. or you may now generate the ta-key:

openvpn –genkey –secret /etc/openvpn/easy-rsa/keys/ta.key it is not too late for this.

Some more hours later I realised, that due to the fact that I was on a VPS, I had no TUN/TAP access from my provider as a default! I had to enable it via a console option.

I did that, the server rebooted. And now I have my openVPN.

So, 10 points to the author on a great setup guide! Thx dude.

I hope this little bit of info helps someone.


View connected users

sudo cat /etc/openvpn/openvpn-status.log


If you’re customizing rules for your own installation and breaking things on your server and clients to catch errors to match, you probably want to change your logging method in /etc/openvpn/server.conf from log /var/log/openvpn.log to log-append /var/log/openvpn.log and restart OpenVPN to keep your logs from being blown away when you stop and start. Then switch it back to log after you’re done.

Connection issues

Please remember, if your VPN is up, but there is no traffic going to the internet, make sure that UFW is running and that the rules is setup correctly.

New notes for Debian 9 (Stretch)

apt-get install openvpn easy-rsa
openvpn.txt · Last modified: 2021/11/10 03:39 by vissie