Guide for creating an OpenVPN server on Ubuntu Server 16.04.
# Install OpenVPN and the easy-rsa (v2) helper scripts used to run the CA.
apt-get install openvpn easy-rsa
# Copy the easy-rsa scripts into a private CA working directory.
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
Edit the vars file (e.g. with vim) and set the certificate subject defaults:
# Subject fields easy-rsa uses for every certificate it issues (CA, server, clients).
# The values below are placeholders — replace them with your own organisation's.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
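cd ~/openvpn-ca
# vars exports KEY_* and KEY_DIR (= ./keys) for the easy-rsa scripts below.
source vars
# WARNING: clean-all deletes the whole keys/ directory — run it only once, on first setup.
./clean-all
# CA cert + private key (keys/ca.crt, keys/ca.key).
./build-ca
# Server cert/key with CN "server" (keys/server.crt, keys/server.key).
./build-key-server server
# Diffie-Hellman parameters; with the default KEY_SIZE this is keys/dh2048.pem, as referenced in server.conf.
./build-dh
# One client cert/key per client; "macbook" is the client name (keys/macbook.crt, keys/macbook.key).
./build-key macbook
# Shared HMAC key for "tls-auth ... 0" in server.conf and "key-direction 1" in base.conf.
# server.conf references /etc/openvpn/keys/ta.key and make_config.sh embeds it, so it must exist.
openvpn --genkey --secret keys/ta.key
# Copies the whole keys/ tree, including the CA private key (ca.key) and every client key.
# Only ca.crt, server.crt, server.key, dh2048.pem, ta.key and the client certs are needed by the server.
cp -R /root/openvpn-ca/keys/ /etc/openvpn/
# Key material must not be readable by other users on the host.
chmod -R go-rwx /etc/openvpn/keys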
Server configuration, /etc/openvpn/server.conf:
# Placeholder: replace with the server address OpenVPN should bind to.
local !!SERVER IP!!
port 1194
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
# Produced by ./build-dh (file name depends on KEY_SIZE in vars).
dh /etc/openvpn/keys/dh2048.pem
# VPN subnet; the iptables MASQUERADE rule below must use the same range.
server 10.100.0.0 255.255.255.0
# Must match the "cipher" line in the client base.conf.
cipher AES-256-CBC
# Relative path: resolved against OpenVPN's working directory (/etc/openvpn when started by the service).
ifconfig-pool-persist ipp.txt
# Full-tunnel: all client traffic is routed through the VPN.
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
# Server side is direction 0; clients use "key-direction 1".
# ta.key is not created by build-ca/build-key — generate it with "openvpn --genkey --secret" and copy it here.
tls-auth /etc/openvpn/keys/ta.key 0
# NOTE(review): compression inside a TLS tunnel is discouraged by current OpenVPN guidance
# (traffic-analysis risk); if dropped here it must be dropped from base.conf as well.
comp-lzo
# After startup the process drops to nobody/nogroup and can no longer reread the
# root-owned key files or reopen the tun device, so both are kept across restarts.
persist-key
persist-tun
user nobody
group nogroup
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3
Enable IP forwarding in /etc/sysctl.conf, then apply it:
net.ipv4.ip_forward = 1
# Reload /etc/sysctl.conf so the change takes effect without a reboot.
sysctl -p
Firewall settings (NAT for the VPN subnet; replace eth1 with your server's external interface):
# NAT the VPN subnet (must match the "server" line in server.conf) out of the interface
# that carries the default route — eth1 here; check with "ip route".
iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth1 -j MASQUERADE
# Keeps the rule above across reboots; the install should offer to save the current rules — confirm.
apt-get install iptables-persistent
Automatically generate .ovpn client profiles:
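# -p also creates /root/client-configs itself.
mkdir -p /root/client-configs/files
# The generated .ovpn files embed client private keys: keep the directory owner-only.
chmod 700 /root/client-configs/files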
Add the following to /root/client-configs/base.conf:
client
dev tun
proto tcp
# Placeholder: replace with the server's public address; port must match server.conf.
remote !!SERVER IP!! 1194
# Must match the "cipher" line in server.conf.
cipher AES-256-CBC
resolv-retry infinite
nobind
persist-key
persist-tun
# Client side of the tls-auth key (server uses 0); the key itself is embedded
# by make_config.sh as a <tls-auth> block.
key-direction 1
# NOTE(review): ns-cert-type is deprecated and removed in newer OpenVPN releases;
# "remote-cert-tls server" is the current form of this check (it stops another
# client's certificate from being presented as the server's).
ns-cert-type server
# Uncomment on Linux clients to apply the pushed DNS setting on the client machine
# (requires the resolvconf package).
#script-security 2
#up /etc/openvpn/update-resolv-conf
#down /etc/openvpn/update-resolv-conf
# Must match server.conf; see the note there about compression.
comp-lzo
verb 3
View the list of revoked client certificates:
cd ~/openvpn-ca
# vars must be sourced first so list-crl finds KEY_DIR.
source vars
./list-crl
Revocation of the client certificate:
# Same as "source vars"; run from ~/openvpn-ca.
. ./vars
# Revokes the client's certificate and regenerates keys/crl.pem.
./revoke-full CLIENT_NAME
Copy crl.pem to the server (/etc/openvpn) and add the directive `crl-verify crl.pem` to the server configuration (openvpn.conf, i.e. server.conf above).
If the `crl-verify crl.pem` directive is present in openvpn.conf but the crl.pem file is missing, the server will refuse all clients!
Add the following to /root/client-configs/make_config.sh:
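#!/bin/bash
# Build a single-file client profile: base.conf followed by the CA cert, the
# client's cert and key, and the tls-auth key as inline <ca>/<cert>/<key>/
# <tls-auth> blocks (what "key-direction 1" in base.conf expects).
#
# First argument: client name (the NAME given to ./build-key NAME).
# Output: ${OUTPUT_DIR}/NAME.ovpn, readable only by the owner — it contains
# the client's private key.
# Exit status: 2 on bad usage, 1 if an input file is missing.
set -euo pipefail

KEY_DIR=/etc/openvpn/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

if [[ $# -ne 1 || -z "$1" ]]; then
  printf 'Usage: %s CLIENT_NAME\n' "${0##*/}" >&2
  exit 2
fi
client=$1

# The name is used as a file name under KEY_DIR: allow only a plain identifier
# so it cannot contain "/" or start with "." (no path traversal, no other
# client's files).
if [[ ! "$client" =~ ^[A-Za-z0-9_-][A-Za-z0-9_.-]*$ ]]; then
  printf 'invalid client name: %s\n' "$client" >&2
  exit 2
fi

# Fail before writing anything if any input is missing; the original pipeline
# would otherwise emit a truncated profile.
for f in "$BASE_CONFIG" "$KEY_DIR/ca.crt" "$KEY_DIR/$client.crt" \
         "$KEY_DIR/$client.key" "$KEY_DIR/ta.key"; do
  if [[ ! -r "$f" ]]; then
    printf 'missing or unreadable: %s\n' "$f" >&2
    exit 1
  fi
done

mkdir -p -- "$OUTPUT_DIR"
# The profile embeds a private key; create it owner-only.
umask 077
{
  cat -- "$BASE_CONFIG"
  printf '<ca>\n'
  cat -- "$KEY_DIR/ca.crt"
  printf '</ca>\n<cert>\n'
  cat -- "$KEY_DIR/$client.crt"
  printf '</cert>\n<key>\n'
  cat -- "$KEY_DIR/$client.key"
  printf '</key>\n<tls-auth>\n'
  cat -- "$KEY_DIR/ta.key"
  printf '</tls-auth>\n'
} > "$OUTPUT_DIR/$client.ovpn"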
Your .ovpn file is now in /root/client-configs/files.
Add-user script:
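#!/usr/bin/env bash
# Issue a certificate for a new VPN client and stage it for make_config.sh.
# Prompts for the client name, runs easy-rsa's ./build-key (interactive),
# then copies only that client's cert/key into the server's key directory.
# Run as root on the CA host. Exit status 1 on any refused input or failed step.
set -eo pipefail   # no -u: the sourced easy-rsa "vars" file is not ours

readonly CA_DIR=/root/openvpn-ca
readonly SERVER_KEY_DIR=/etc/openvpn/keys

# -r keeps backslashes in the typed name literal.
read -r -p 'Client name is: ' CLIENT_NAME
if [[ -z "${CLIENT_NAME}" ]]; then
  echo 'You must enter a client name!' >&2
  exit 1
fi

# The name becomes keys/NAME.crt, keys/NAME.key and the .ovpn file name:
# allow only a plain identifier so it cannot contain "/" or start with ".".
if [[ ! "${CLIENT_NAME}" =~ ^[A-Za-z0-9_-][A-Za-z0-9_.-]*$ ]]; then
  echo "Invalid client name '${CLIENT_NAME}': use letters, digits, '_', '-' or '.'" >&2
  exit 1
fi

cd "${CA_DIR}" || exit 1

# Refuse to reissue silently: build-key would either fail on the duplicate
# name or overwrite keys/NAME.key, orphaning the profile already handed out.
if [[ -e "keys/${CLIENT_NAME}.key" ]]; then
  echo "Client '${CLIENT_NAME}' already exists in ${CA_DIR}/keys; revoke it first (./revoke-full)." >&2
  exit 1
fi

# shellcheck disable=SC1091
source ./vars
./build-key "${CLIENT_NAME}"

# Only the new client's files are needed by make_config.sh; the CA private
# key (keys/ca.key) and other clients' keys stay in the CA directory.
cp -- "keys/${CLIENT_NAME}.crt" "keys/${CLIENT_NAME}.key" "${SERVER_KEY_DIR}/"
chmod 600 "${SERVER_KEY_DIR}/${CLIENT_NAME}.key"

echo "ok, client ${CLIENT_NAME} created!"
printf 'Run to get the .ovpn file:\n /root/client-configs/make_config.sh %s\n' "${CLIENT_NAME}"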