Published: 2019-02-28

Tested on: Ubuntu 16.04 amd64


01. install openvpn software
02. build server keys and certificate
03. configure openvpn service
04. enable ipv4 forwarding
05. create scripts for building user profiles
06. add vpnuser shell account
07. create a user profile
08. additional users


  1. Install OpenVPN software

    $ sudo -i
    # apt -y install openvpn easy-rsa

    Also install NTP: certificate validity periods are checked against the system clock, so a server with the wrong time will reject valid certificates (or keep accepting expired ones).

    # apt -y install ntp

  2. Build server keys and certificate

    # make-cadir openvpn-ca
    # cd openvpn-ca
    # vi vars

    (near bottom of file, edit)

    export KEY_SIZE=4096
    export KEY_COUNTRY="US"
    export KEY_PROVINCE="CA"
    export KEY_CITY="MyCity"
    export KEY_ORG="MyCompany"
    export KEY_EMAIL=""
    export KEY_OU="Dept"
    export KEY_NAME="server"

    (KEY_NAME fills the certificate's "name" attribute; the commonName of the server certificate comes from the argument you give "./build-key-server server" below. This guide uses "server" for both, so keep them the same.)

    # source vars
    # ./clean-all
    # ./build-ca

    (press Enter through all the prompts to accept the defaults from vars)

    # ./build-key-server server

    (press Enter through all the prompts; this makes the server commonName = server)

    At the question "Sign the certificate? [y/n]:" type y and press Enter.
    At the question "1 out of 1 certificate requests certified, commit? [y/n]" type y and press Enter.

    # ./build-dh

    (with KEY_SIZE=4096 this takes a long time; go for a break)

    # openvpn --genkey --secret keys/ta.key
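    A quick sanity check of what easy-rsa just produced, as an added example that is not part of the original guide or of easy-rsa itself. It assumes the layout above (a keys/ directory holding ca.crt, server.crt, server.key and ta.key) and needs only the openssl command line. The check that matters most is the server extended key usage: if the server certificate was built with ./build-key instead of ./build-key-server, clients configured with "remote-cert-tls server" will refuse to connect.

```shell
#!/bin/sh
# Added example, not from the page: sanity-check the PKI easy-rsa just built.
# Assumes the page's layout: keys/ under the easy-rsa directory, server cert
# named server.crt, CA named ca.crt, tls-auth key ta.key.
set -eu

# Return 0 if the certificate ($2) chains to the CA ($1).
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Return 0 if the certificate ($1) carries the TLS Web Server Authentication
# EKU, which is what ./build-key-server (pkitool --server) adds and what
# clients using "remote-cert-tls server" insist on.
server_eku_ok() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# Print the commonName of the certificate ($1); handles both the old
# "subject= /C=US/CN=server" and the newer "subject=C = US, CN = server" formats.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Run all checks against a keys directory ($1); non-zero exit on any problem.
check_pki() {
    d="$1"; rc=0
    for f in ca.crt server.crt server.key ta.key; do
        [ -r "$d/$f" ] || { echo "missing: $d/$f" >&2; rc=1; }
    done
    [ $rc -eq 0 ] || return $rc
    chain_ok "$d/ca.crt" "$d/server.crt" || { echo "server.crt does not chain to ca.crt" >&2; rc=1; }
    server_eku_ok "$d/server.crt" || { echo "server.crt lacks the server EKU: rebuild it with ./build-key-server" >&2; rc=1; }
    echo "server CN: $(cert_cn "$d/server.crt")"
    return $rc
}

# Usage: sh check_pki.sh [keys-dir]   (defaults to ./keys)
if [ $# -ge 1 ]; then
    check_pki "$1"
elif [ -d keys ]; then
    check_pki keys
fi
```

    Run it from ~/openvpn-ca after ./build-key-server and ./build-dh; it prints the server CN and exits non-zero if the chain or the server EKU is wrong.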

  3. Configure OpenVPN service

    # cd ~/openvpn-ca/keys
    # cp ca.crt server.crt server.key ta.key dh4096.pem /etc/openvpn/
    # wget

    Edit the downloaded server.conf to your liking. It must reference the five files copied above (ca.crt, server.crt, server.key, dh4096.pem, and ta.key as the tls-auth key with direction 0), and its "proto", "port" and "server" subnet are what the client profiles and the NAT rules below have to match.

    # cp server.conf /etc/openvpn/
    # systemctl enable openvpn@server
    # systemctl start openvpn@server

    Check that the service came up:

    # systemctl status openvpn@server.service

    (press q to leave the pager)

    If you named the file server-1234.conf instead of server.conf, the instance name after the @ changes accordingly:

    # systemctl enable openvpn@server-1234
    # systemctl start openvpn@server-1234
    # systemctl status openvpn@server-1234.service

    You can also check that the port is listening with:

    $ ss -natlu

    OpenVPN should show a UDP socket on port 1194 (or a TCP listener, if server.conf says "proto tcp").

    You can check the logs of your server with:

    # tail -f /var/log/syslog

  4. Enable IPv4 forwarding

    Edit /etc/sysctl.conf and make sure this line is present/uncommented:


    Enable IPv4 NAT

    # mkdir /scripts
    # cd /scripts
    # wget
    # chmod 0700

    Edit /etc/rc.local and make sure this line is present (before "exit 0")


    Reboot the machine (or, without rebooting, reload sysctl with sysctl -p and run /etc/rc.local by hand).
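    The forwarding and NAT setup as one script, added here as an example; it is not the script the guide downloads into /scripts. It assumes the OpenVPN sample defaults, which you must adjust to your server.conf and interfaces: VPN subnet 10.8.0.0/24, tunnel interface tun0, and eth0 as the interface that reaches the Internet. The point it makes beyond the page is that MASQUERADE and FORWARD should be scoped to the VPN subnet: turning on ip_forward makes the kernel route between all interfaces, so without a FORWARD policy the box becomes an open router for whatever else can reach it.

```shell
#!/bin/sh
# Added example (not the page's own NAT script, whose download URL is
# elided above): turn on IPv4 forwarding and NAT for OpenVPN clients,
# scoped to the VPN subnet instead of masquerading everything.
# Assumed names, adjust to your server.conf and interfaces:
#   VPN_NET  subnet from the "server" directive (10.8.0.0/24 is the sample default)
#   VPN_IF   tunnel interface (tun0 for the first "dev tun" instance)
#   OUT_IF   interface that reaches the Internet (eth0 here)
set -eu

VPN_NET="${VPN_NET:-10.8.0.0/24}"
VPN_IF="${VPN_IF:-tun0}"
OUT_IF="${OUT_IF:-eth0}"

# The line the page tells you to put in /etc/sysctl.conf.
forward_sysctl() {
    echo "net.ipv4.ip_forward=1"
}

# Print the iptables rules, one per line, in "-A" form.  MASQUERADE is
# limited to VPN_NET leaving via OUT_IF, and FORWARD only admits tunnel
# traffic outward plus the replies to it, so enabling ip_forward does not
# turn the box into an open router for anything else that reaches it.
# If the server forwards for something else too, put those rules before
# the final DROP or remove it.
nat_rules() {
    net="$1"; vpn_if="$2"; out_if="$3"
    cat <<EOF
iptables -t nat -A POSTROUTING -s $net -o $out_if -j MASQUERADE
iptables -A FORWARD -i $vpn_if -o $out_if -s $net -j ACCEPT
iptables -A FORWARD -i $out_if -o $vpn_if -d $net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP
EOF
}

# Apply the rules.  Each "-A" is first tried as "-C" (check), so running
# this again from /etc/rc.local does not append duplicate rules.
apply_rules() {
    sysctl -w "$(forward_sysctl)"
    nat_rules "$VPN_NET" "$VPN_IF" "$OUT_IF" | while IFS= read -r rule; do
        check=$(printf '%s' "$rule" | sed 's/ -A / -C /')
        $check >/dev/null 2>&1 || $rule
    done
}

# Usage: sh vpn-nat.sh            (dry run: print what --apply would do)
#        sudo sh vpn-nat.sh --apply
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "--apply needs root" >&2; exit 1; }
    apply_rules
else
    forward_sysctl
    nat_rules "$VPN_NET" "$VPN_IF" "$OUT_IF"
fi
```

    Call it with --apply from /etc/rc.local (before "exit 0"); the dry run without arguments lets you review the rules first.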

  5. Create scripts for building user profiles

    # cd
    # mkdir -p client-configs/files
    # chmod 0700 client-configs/files
    # cd client-configs
    # wget
    # wget
    # chmod 0700

    Edit base.conf to match the settings in your server.conf (particularly the "proto" line and the "remote" line, which must carry the server's public address and port).
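    What a profile-building script of this kind does, as an added example; it is not the make_config script the guide downloads, whose URL is elided above. It assumes the layout from the steps so far: keys in ~/openvpn-ca/keys (ca.crt, ta.key, and <user>.crt and <user>.key from ./build-key), base.conf in ~/client-configs, and output into the 0700 directory ~/client-configs/files. It embeds the CA certificate, the user's certificate and key, and the tls-auth key inline, refuses to write anything if an input is missing, creates the .ovpn with mode 0600, and warns if base.conf lacks "remote-cert-tls server" (without it a client accepts any CA-signed certificate, including another user's, as the server).

```shell
#!/bin/sh
# Added example, not the page's own make_config script.  Bundles base.conf
# plus the CA cert, the client's cert and key, and ta.key into a single
# inline .ovpn profile.  Assumed layout (matches the guide's steps):
#   KEY_DIR  ~/openvpn-ca/keys        (ca.crt, <client>.crt, <client>.key, ta.key)
#   BASE     ~/client-configs/base.conf
#   OUT_DIR  ~/client-configs/files   (mode 0700: profiles contain private keys)
set -eu

KEY_DIR="${KEY_DIR:-$HOME/openvpn-ca/keys}"
BASE="${BASE:-$HOME/client-configs/base.conf}"
OUT_DIR="${OUT_DIR:-$HOME/client-configs/files}"

# Emit the profile for client $1 on stdout.  Fails (non-zero, message on
# stderr) before printing anything if an input is missing, so a half-built
# profile is never produced.
build_profile() {
    client="$1"
    for f in "$BASE" "$KEY_DIR/ca.crt" "$KEY_DIR/$client.crt" "$KEY_DIR/$client.key" "$KEY_DIR/ta.key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    # base.conf should carry the "proto" and "remote" that match server.conf,
    # and "remote-cert-tls server" so the client only talks to a certificate
    # built with ./build-key-server, not to any CA-signed client cert.
    grep -q '^remote-cert-tls server' "$BASE" \
        || echo "warning: $BASE lacks 'remote-cert-tls server'" >&2
    cat "$BASE"
    printf '<ca>\n';   cat "$KEY_DIR/ca.crt";        printf '</ca>\n'
    printf '<cert>\n'; cat "$KEY_DIR/$client.crt";   printf '</cert>\n'
    printf '<key>\n';  cat "$KEY_DIR/$client.key";   printf '</key>\n'
    # ta.key is the shared tls-auth key; the server uses direction 0 and
    # clients direction 1.  base.conf must not also name ta.key as a file.
    printf 'key-direction 1\n'
    printf '<tls-auth>\n'; cat "$KEY_DIR/ta.key"; printf '</tls-auth>\n'
}

# Write OUT_DIR/<client>.ovpn with mode 0600 and print its path.
make_config() {
    client="$1"
    out="$OUT_DIR/$client.ovpn"
    mkdir -p "$OUT_DIR"
    chmod 0700 "$OUT_DIR"
    umask 077
    build_profile "$client" > "$out.tmp" && mv "$out.tmp" "$out"
    echo "$out"
}

# Usage: ./make_config.sh vpnuser1
if [ $# -eq 1 ]; then
    make_config "$1"
fi
```

    The resulting file is the complete secret needed to connect as that user, which is why the output directory is 0700 and the file 0600.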

  6. Add vpnuser shell account

    (This step isn't needed for minimum functionality: OpenVPN authenticates clients by certificate, so the Unix account is not used by the VPN. It might still be good to have.)

    # mkdir /home/openvpn
    # groupadd -g 2001 vpnuser1
    # useradd -g 2001 -u 2001 -s /bin/bash -d /home/openvpn/vpnuser1 -m vpnuser1
    # passwd vpnuser1

    (Set a random Unix password for vpnuser1; there is no need to write it down, since OpenVPN does not use it)

  7. Create user key in OpenVPN Server and create user profile

    create user key

    # cd ~/openvpn-ca
    # source vars
    # ./build-key vpnuser1

    (Press Enter through all the prompts. At "Sign the certificate? [y/n]:" type y and press Enter; at "1 out of 1 certificate requests certified, commit? [y/n]" type y and press Enter.)

    # cd ~/client-configs
    # ./make_config vpnuser1

    You now have an OpenVPN user profile here: ~/client-configs/files/vpnuser1.ovpn. It embeds the user's private key, so deliver it over a secure channel and delete copies you no longer need.

  8. Additional users

    Just repeat steps 6 and 7 with a new user name (each user gets their own key and certificate; never share one profile between users).