Enable IP forwarding so the server can route packets between the VPN clients and its uplink
# Edit as root; Debian ships the forwarding line commented out (#net.ipv4.ip_forward=1)
nano /etc/sysctl.conf
Uncomment (or add) the following line:
# Without this the kernel drops packets that arrive on tun0 but are destined for other hosts
net.ipv4.ip_forward=1
Apply the new settings
# Reload /etc/sysctl.conf so the setting takes effect without a reboot
sysctl -p
Install OpenVPN package
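# Install OpenVPN and easy-rsa in one step. The original mixed "apt-get ... -y"
# without sudo and "sudo apt ..." with it; run both with the same privileges.
sudo apt-get install -y openvpn easy-rsa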
Copy the EasyRSA directory to /etc/openvpn/
# Work on a private copy. Note that the CA private key created below will live
# on this same host, under /etc/openvpn/easy-rsa/pki/private/ca.key.
cp -r /usr/share/easy-rsa /etc/openvpn/
Change into the easy-rsa directory and rename vars.example to vars
# easy-rsa only picks up its settings from a file named exactly "vars" in its
# working directory, so every ./easyrsa command below is run from here
cd /etc/openvpn/easy-rsa
mv vars.example vars
Edit the vars file (certificate subject defaults):
# Only the EASYRSA_REQ_* subject defaults are changed for this setup
nano vars
...
# Default X.509 subject fields stamped into every request (CA, server, clients).
# They are cosmetic and have no security effect. Worth setting here as well:
# EASYRSA_CRL_DAYS -- the CRL generated later carries an expiry (180 days by
# default, as far as easy-rsa 3 goes); once it lapses the server rejects every
# client until a fresh CRL is generated and copied into place.
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "NewYork"
set_var EASYRSA_REQ_CITY "New York City"
set_var EASYRSA_REQ_ORG "DigitalOcean"
set_var EASYRSA_REQ_EMAIL "admin@example.com"
set_var EASYRSA_REQ_OU "Community"
...
Initialize PKI
# Creates the pki/ tree (private/, reqs/, issued/). Re-running this deletes the
# existing PKI, so do it only once.
./easyrsa init-pki
Build the CA (nopass: the CA private key is stored without a passphrase)
# "nopass" leaves the CA private key unencrypted on disk. Acceptable for a lab;
# for anything real keep the CA (pki/private/ca.key) on a separate, offline
# machine and give it a passphrase: whoever holds that key can mint client
# certificates this server trusts, and it is not needed at VPN run time.
./easyrsa build-ca nopass
Generate the server key and certificate request
# nopass is required here: the service starts unattended under systemd and
# cannot prompt for a key passphrase
./easyrsa gen-req server nopass
Sign the server certificate
# Sign as type "server": this sets the serverAuth EKU that the client profile's
# "remote-cert-tls server" line checks, so a client cert cannot impersonate the server
./easyrsa sign-req server server
Generate the Diffie-Hellman parameters
# DH parameters for the control-channel key exchange; this takes a while
# and is only needed because server.conf uses the "dh" directive
./easyrsa gen-dh
Generate the tls-auth HMAC key
# Static HMAC key for tls-auth: a SECRET shared by the server and every client
# (it ends up inside each .ovpn). Anyone who obtains it can probe the port.
# tls-crypt uses the same kind of key and additionally encrypts the control
# channel; OpenVPN 2.5+ spells this command "openvpn --genkey secret ta.key".
openvpn --genkey --secret ta.key
Finally, copy the server certificates and keys to the /etc/openvpn directory:
# Server-side material. ta.key and server.key are secrets -- check with
# "ls -l /etc/openvpn" that they stay root-owned and mode 0600 after the copy.
# ca.crt, server.crt and dh.pem are public.
sudo cp ta.key /etc/openvpn/
sudo cp pki/ca.crt /etc/openvpn/
sudo cp pki/private/server.key /etc/openvpn/
sudo cp pki/issued/server.crt /etc/openvpn/
sudo cp pki/dh.pem /etc/openvpn/
Create the (initially empty) certificate revocation list crl.pem
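# Initial (empty) CRL for the "crl-verify" line in server.conf. OpenVPN re-reads
# this file for each new connection, after it has dropped to user nobody, so it
# must be world-readable -- easy-rsa may create it 0600, which makes every
# connection fail with a "cannot read CRL" error. The CRL also expires
# (EASYRSA_CRL_DAYS); regenerate and re-copy it before then.
sudo ./easyrsa gen-crl # Generate crl.pem
sudo cp pki/crl.pem /etc/openvpn/crl.pem
sudo chmod 644 /etc/openvpn/crl.pem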
Generate a client certificate request
# One request (and one private key) per client device. nopass means the
# client key is unencrypted; a passphrase is an option for laptops.
./easyrsa gen-req client1 nopass
Sign the Client certificate
# Type "client" sets the clientAuth EKU (TLS Web Client Authentication) on the
# issued certificate
./easyrsa sign-req client client1
Copy the client certificate and key to the /etc/openvpn/client/ directory (staging only)
# Staging area for the files handed to the client. client1.key is that client's
# PRIVATE key: transfer it over a secure channel (scp, not e-mail) and delete it
# from the server afterwards -- the server never needs it.
cp pki/ca.crt /etc/openvpn/client/
cp pki/issued/client1.crt /etc/openvpn/client/
cp pki/private/client1.key /etc/openvpn/client/
# The openvpn@server unit started below reads exactly /etc/openvpn/server.conf
nano /etc/openvpn/server.conf
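# /etc/openvpn/server.conf -- routed (tun) OpenVPN server on UDP/1194.
# Open this port in the host firewall / cloud security group.
port 1194
proto udp
dev tun
# PKI material generated with easy-rsa and copied to /etc/openvpn above.
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
dh /etc/openvpn/dh.pem
# One /24 shared by server and clients (topology subnet).
topology subnet
server 10.11.0.0 255.255.255.0
# Remember client -> address assignments across restarts.
ifconfig-pool-persist ipp.txt
# Send all client traffic through the tunnel and hand out resolvers.
# Google DNS is a choice, not a requirement: client DNS queries will go to
# 8.8.8.8/8.8.4.4 through the VPN.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
# "server" already implies these two; kept for readability.
mode server
tls-server
# Control-channel HMAC key: 0 = server side, clients use key-direction 1.
# If you generate a fresh key anyway, tls-crypt is the stronger choice
# (same key file, and the control channel is encrypted as well).
tls-auth /etc/openvpn/ta.key 0 # This file is secret
# Only accept client certificates that carry the clientAuth EKU, which
# "easyrsa sign-req client" sets; a leaked server certificate can then not
# be used to connect as a client.
remote-cert-tls client
# Refuse TLS versions below 1.2 on the control channel.
tls-version-min 1.2
# Data-channel cipher/HMAC; must match the client profile. OpenVPN 2.4+
# clients negotiate AES-GCM automatically (NCP); AES-256-CBC is the fallback.
cipher AES-256-CBC
auth SHA256
# WARNING: compression lets an attacker who can inject traffic into the
# tunnel recover secrets (VORACLE). Remove this line together with the
# matching "comp-lzo" in every client profile -- both sides must agree.
comp-lzo
# Drop privileges once started; persist-key/persist-tun keep the tun device
# and key material usable after the drop (and across SIGUSR1 restarts).
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
# Append to the log instead of truncating it on every restart. The original
# listed both "log" and "log-append" for the same file; one is enough.
log-append /var/log/openvpn/openvpn.log
verb 3
mute 10
explicit-exit-notify 1
# Certificate revocation list. Regenerate (easyrsa gen-crl) and re-copy it
# after every revoke. It is re-read per connection after the privilege drop,
# so the file must be readable by "nobody" (chmod 644).
crl-verify /etc/openvpn/crl.pem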
Start OpenVPN service
# The instance name "server" selects /etc/openvpn/server.conf
sudo systemctl start openvpn@server
Verify the OpenVPN server
# Should report "active (running)"; details are in /var/log/openvpn/openvpn.log
sudo systemctl status openvpn@server
To start a service at boot
# Start the server automatically at boot
sudo systemctl enable openvpn@server
iptables rule: NAT the VPN subnet out of the uplink interface
# Masquerade client traffic behind the server's uplink address. Replace eth0
# with the real egress interface (check with: ip route get 1.1.1.1). If the
# FORWARD chain policy is DROP (Docker, for example, sets that), matching
# FORWARD rules for tun0 <-> eth0 are needed as well.
sudo iptables -t nat -A POSTROUTING -s 10.11.0.0/24 -o eth0 -j MASQUERADE
Persist the iptables rules across reboots
# Requires the iptables-persistent package, which the steps above did not
# install; without it the rule is lost at the next reboot
sudo netfilter-persistent save
List the NAT rules
# Show the NAT table with counters; the MASQUERADE rule's packet count should
# increase while a client is connected
sudo iptables -L -n -v -t nat --line-numbers
Logs
# Server log (log-append in server.conf); "Initialization Sequence Completed"
# means the server is up, TLS errors from clients show here too
less /var/log/openvpn/openvpn.log
Start / check the OpenVPN server (use `systemctl stop openvpn@server` to stop it)
# Start and verify; "restart" after editing server.conf
sudo systemctl start openvpn@server
sudo systemctl status openvpn@server
Files the client needs (the names match what was generated above):
ca.crt
client1.crt
client1.key
ta.key
Or build a single .ovpn profile with all four embedded. The <key> and <tls-auth> sections are secrets, so the profile must be delivered over a secure channel:
client
dev tun
# Replace with the server's public address; port and proto must match server.conf
remote 22.23.24.25 1194
# Require the server certificate to carry the serverAuth EKU (set by
# "easyrsa sign-req server"), so another client's certificate cannot pose as the server
remote-cert-tls server
# Data-channel cipher/HMAC; must match the server
cipher AES-256-CBC
auth SHA256
# Compression exposes the tunnel to VORACLE-style attacks. Remove this line
# together with "comp-lzo" in server.conf -- the two sides must agree.
comp-lzo
persist-key
persist-tun
nobind
# The server already pushes "redirect-gateway def1 bypass-dhcp", so this line
# only matters if "pull" is disabled; uncomment it to force all traffic through the VPN
#redirect-gateway def1
# Leave the following FOUR lines commented out when running on Linux from the CLI
#status openvpn-status.log
#log /var/log/openvpn.log
#verb 3
#mute 20
#==========================================================
# tls-auth key direction: 1 on clients, 0 on the server
key-direction 1
# CA certificate (public): used to verify the server's certificate
<ca>
-----BEGIN CERTIFICATE-----
MIIDSzCCAjOgAwIBAgIUbcLEuDrxc9KpdBNSW3KEIFFKbT8wDQYJKoZIhvcNAQEL
BQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMjEwNTI2MTAzNTE3WhcNMzEw
NTI0MTAzNTE3WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBALuFXLUxsC8qklCKW08Vn4XfXyxz7Q60ywrEv+3V
J+CbxDvudDxD7MeCd0bzkm0pBH0hWECSVOG+Rpese3Jk+L4DrRp4oWUh4U3bMovK
U8/8JsbfQGspOpXQTRnF9WEcWbBqpCM/vaKf3t311pfvhxujnWNQG1pauC/HdJwI
55oXh0L8NjOPONFgyJKjwKJawOB6ATidO/MsZ4xvp+wmP8TI0I31hc9SWOH0n4Xo
kKmsglxFWXplUeCxOvJEiaQ177/wfhzJueRtYos5fI1/VjsmuVCmmFmVgprPjJmx
pIxE+7j4yWEUxeZA++8fTG/ebh2j6YbdP0vDNpwZ9WyYJTUCAwEAAaOBkDCBjTAd
BgNVHQ4EFgQUdt1KmP9lnL4+6kf64haylCLEuoswUQYDVR0jBEowSIAUdt1KmP9l
nL4+6kf64haylCLEuouhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghRtwsS4
OvFz0ql0E1JbcoQgUUptPzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkq
hkiG9w0BAQsFAAOCAQEAa8BpjNmkjpQkni52bxHpBF5wsWyBAP+LP4AwGmmS/pX+
+oG/5dadQEc6qKTrGfyVu4EuwFCnibOIhB0JL1ItAKFxGiYexsO4Vexvp92Iwo0K
N42fDfN3NBdeQlyTC2b0jwb38zxpnlD8bCIl79NVbAuPLsEvLcfqLvKwwwMwi4/0
55gdwehk87mOPwJCIfCV7s7Gcs5vfwdL9ukd+VFriFX+Gv0YKNQnMFG2bEhSHIKc
AzS+E51XCWZ0KLmWDJ6ohtjIn3pPuSqnD+/FvGnWg61r+e5Kh/PWszsXVkvbJKFj
SuQBVULYMqXqMzM0wvFfYCZ8R6kqjZtZ5h+0Je5Mdg==
-----END CERTIFICATE-----
</ca>
# Client certificate. The openssl text dump ahead of the PEM block is what
# easy-rsa writes into issued certs; the PEM parser skips to the BEGIN line.
# The dump shows this particular cert (CN=akyrylenko) expired on May 10 2024 --
# issue a fresh one per device rather than reusing it.
<cert>
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
a9:82:f1:aa:5e:ff:59:2d:c1:d5:b9:cf:be:b0:5a:9a
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Easy-RSA CA
Validity
Not Before: May 26 13:29:09 2021 GMT
Not After : May 10 13:29:09 2024 GMT
Subject: CN=akyrylenko
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:c2:c2:99:38:ad:d7:26:a6:c9:29:2d:62:20:9f:
e4:3e:55:4b:42:e9:dc:d2:eb:60:8d:ab:bb:69:c6:
cc:7e:cd:bc:1d:c7:2a:38:f5:60:55:d4:ae:cd:20:
b7:dc:9c:e9:10:1d:5e:4b:be:04:87:6e:22:00:e7:
9c:d4:3e:76:d0:e9:1f:0e:b1:63:dc:5e:30:3c:37:
3e:f6:a9:71:4f:9f:a8:9f:f4:07:22:e6:3b:78:36:
fd:da:f5:19:bc:d4:be:b2:15:d8:dd:21:bb:6e:8d:
98:88:e5:4d:67:64:ad:bf:db:75:c3:84:80:64:bd:
d5:16:8f:07:80:f3:e3:63:6b:da:a1:63:e4:c1:fa:
ac:24:1c:6d:a3:ff:d4:92:fe:9a:ed:7f:a4:96:da:
35:5d:af:a5:10:ea:09:ce:d4:a8:f5:0b:e2:d7:42:
a2:23:54:5a:e0:d0:d4:4c:13:84:fa:ff:5f:52:4b:
72:fb:6e:97:c1:ad:aa:7a:58:1a:d9:e0:85:12:eb:
09:2c:5a:0c:b8:0b:b0:fe:a1:41:6d:79:69:06:74:
22:2b:e3:00:e8:18:b7:e4:7d:46:37:ec:9b:5c:24:
fb:83:40:b8:9d:80:3f:6e:81:26:13:e8:49:c3:cc:
11:85:84:4a:cd:7f:a4:29:c7:ad:d7:56:e8:38:96:
fb:57
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
16:CD:A2:F3:21:81:77:15:EC:1A:F8:14:81:95:3A:1E:9D:60:0A:B2
X509v3 Authority Key Identifier:
keyid:76:DD:4A:98:FF:65:9C:BE:3E:EA:47:FA:E2:16:B2:94:22:C4:BA:8B
DirName:/CN=Easy-RSA CA
serial:6D:C2:C4:B8:3A:F1:73:D2:A9:74:13:52:5B:72:84:20:51:4A:6D:3F
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: sha256WithRSAEncryption
9a:df:d0:b9:99:ae:41:6f:8a:67:59:62:7a:d1:1e:1d:5f:3d:
c3:1f:fd:6a:c5:0f:1e:bb:c2:1f:43:95:5c:3f:59:5d:96:8c:
e5:f4:91:62:a7:9d:bf:ee:f6:f3:8c:84:99:a1:fc:bb:52:3d:
f5:cd:aa:3a:2e:43:eb:be:a7:a8:9f:68:60:8b:72:4a:ba:e2:
b9:c2:74:dd:31:a3:12:3e:d3:39:45:66:9b:2a:61:02:37:f6:
db:d9:53:38:2b:f6:f7:23:43:84:f6:10:57:39:8d:27:6c:f9:
bb:7d:ed:8f:49:b0:29:05:d1:d3:43:04:1b:cf:51:77:27:a9:
fc:3e:8a:3d:b5:f3:5e:17:29:46:57:85:c3:03:5a:a2:b8:01:
07:61:b6:21:78:a7:10:bf:bc:20:89:50:41:49:10:f8:59:11:
53:d8:3a:f3:04:48:4f:39:22:e7:88:68:44:9b:46:9f:f6:0b:
d6:54:52:c7:f9:89:55:53:7b:d2:6d:47:21:ce:16:06:82:f1:
ee:13:1b:fe:73:91:9e:c9:79:35:18:6a:04:50:87:b3:b7:7c:
51:85:85:db:24:3d:f7:44:f3:12:3d:56:5c:cf:e0:db:cb:58:
2f:30:dd:61:3b:a6:fc:92:96:9e:fd:0b:40:42:16:b3:f9:65:
d6:84:d3:91
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</cert>
# The client's PRIVATE key. Anyone holding this section (plus the tls-auth key
# below) can connect as this client; treat the whole .ovpn file as a secret.
<key>
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
</key>
# tls-auth key: a SECRET shared by the server and every client. The key printed
# here has been published with these notes, so regenerate it on the server
# (openvpn --genkey) and reissue every profile before using this setup.
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
49600dc121af03e6c0561457eaedfabe
ab99713c3b50d075b6a4b2f26c8468d8
238fe92ad0744eb68e6901f341f63dd9
fa0327846fda3bf248217bfa3d4f966d
3ab813a0cc68d2ac50ad3554c6ec7502
f941c2e76216da2a52cb5b51e2831689
98e8ae325c73a0bd053a46503c074516
e9b5e47961cc054fed273bb2d6f20a7b
da776739c377190523d1e65683c86c74
f8304329c63ca52009010245dc754498
6fe2517dda3cd3bd3ffd61bdff26bb16
201c4d08d1b554db7be25c25d4c41aff
caefcfecd7a0431edbdc319403762bc0
e4a9cc9124e7adcd2647f420906c4168
5df911088f103f675192a965a9c44e3e
5337e6cf5561fc121db8842771a7cbde
-----END OpenVPN Static key V1-----
</tls-auth>
#==============================================================
# UNCOMMENT the following two lines when running on Linux from the CLI so that
# the pushed DNS servers are applied (the hooks need script-security 2), then:
#   sudo openvpn --script-security 2 --config /path/to/client1.ovpn
#
#up /etc/openvpn/update-resolv-conf
#down /etc/openvpn/update-resolv-conf
* Remember to change the line `remote 22.23.24.25 1194` to your server's public address and port.
* Remember to allow inbound UDP 1194 in the host firewall and in your cloud security group.
Make sure server.conf contains the following line (it already does in the configuration above):
...
# Already present in the server.conf above; repeated here because revocation
# has no effect unless the server checks a CRL. The file must be readable by
# the unprivileged "nobody" user the server drops to.
crl-verify /etc/openvpn/crl.pem
...
Create crl.pem (the same step as above; skip it if already done)
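# Generate the CRL and deploy it. OpenVPN re-reads crl.pem per connection after
# dropping to user nobody, so the copy must be world-readable (easy-rsa may
# create it 0600). The CRL expires after EASYRSA_CRL_DAYS; regenerate before then.
sudo ./easyrsa gen-crl # Generate crl.pem
sudo cp pki/crl.pem /etc/openvpn/crl.pem
sudo chmod 644 /etc/openvpn/crl.pem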
To revoke a client certificate (client1 in this example), run the following; the revocation only takes effect once the CRL has been regenerated and copied to /etc/openvpn:
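# Revoke the client issued above (the tutorial named it "client1", not "client"),
# then rebuild and redeploy the CRL -- the server only rejects the certificate
# once its serial appears in /etc/openvpn/crl.pem. The chmod keeps the file
# readable by the unprivileged user the server runs as.
sudo ./easyrsa revoke client1
sudo ./easyrsa gen-crl
sudo cp pki/crl.pem /etc/openvpn/crl.pem
sudo chmod 644 /etc/openvpn/crl.pem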
Links:
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-10
This package provides the GNOME integration of NetworkManager's OpenVPN plugin (install it on the client machine, not on the server):
# Client side only: lets NetworkManager import the .ovpn profile from the GUI
sudo apt install network-manager-openvpn-gnome