Skip to content

Instantly share code, notes, and snippets.

@IskenHuang
Forked from padde/openvpn.md
Created July 27, 2014 04:15
Show Gist options
  • Save IskenHuang/31b704ed9d59ee17de9d to your computer and use it in GitHub Desktop.
Save IskenHuang/31b704ed9d59ee17de9d to your computer and use it in GitHub Desktop.

OpenVPN on Ubuntu 12.10 at DigitalOcean

Install OpenVPN

sudo apt-get install openvpn

Generate Server Certificates

sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa2
cd /etc/openvpn/easy-rsa2

edit variables

sudo vim vars

export KEY_COUNTRY="XX"
export KEY_PROVINCE="YY"
export KEY_CITY="City"
export KEY_ORG="My VPN Service"
export KEY_EMAIL="[email protected]"

now generate certificates

sudo mkdir keys

source ./vars
sudo -E ./clean-all
sudo -E ./build-ca
sudo -E ./build-key-server server
sudo -E ./build-dh

sudo cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /etc/openvpn
sudo cp /etc/openvpn/easy-rsa/2.0/keys/ca.key /etc/openvpn
sudo cp /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem /etc/openvpn
sudo cp /etc/openvpn/easy-rsa/2.0/keys/server.crt /etc/openvpn
sudo cp /etc/openvpn/easy-rsa/2.0/keys/server.key /etc/openvpn

restart OpenVPN

sudo service openvpn restart

Generate Client Certificates

cd /etc/openvpn/easy-rsa2
source ./vars
sudo -E ./build-key user1

Copy these files to your client over asecure channel (SSH, USB Stick):

ca.crt
user1.crt
user1.key

Configure OpenVPN

sudo adduser --system --no-create-home --disabled-login openvpn
sudo addgroup --system --no-create-home --disabled-login openvpn

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gunzip /etc/openvpn/server.conf.gz
cd /etc/openvpn

edit configuration

sudo vim server.conf

change user and group:

user openvpn
group openvpn

restart OpenVPN

sudo service openvpn restart

check if running

ifconfig tun0

Enable Routing Web Traffic Through VPN

cd /etc/openvpn
sudo vim server.conf

uncomment this line:

push "redirect-gateway def1 bypass-dhcp"

restart OpenVPN

sudo service openvpn restart

enable IP forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward

add SNAT rule

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to $(curl whatismyip.akamai.com)

make iptables rules permanent so they are still there after a reboot

sudo apt-get install iptables-persistent

Accept all the defaults and you're done!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment