Follow the instructions in How To Set Up an OpenVPN Server on Ubuntu 16.04 to configure an OpenVPN server on a Linode server.
Run the following commands as user leo on the OpenVPN server host:
# Step 1: Install OpenVPN
sudo apt update
sudo apt install openvpn easy-rsa
# Step 2: Set Up the CA Directory
cd ~/docs
make-cadir ./openvpn-ca
cd openvpn-ca
# Step 3: Configure the CA Variables
vi vars # edit vars and set: export KEY_NAME="linserver"
# Step 4: Build the Certificate Authority
source vars
./clean-all # do NOT run this command when building the 2nd certificate
./build-ca
# Step 5: Create the Server Certificate, Key, and Encryption Files
./build-key-server linserver # match the name in step 3
./build-dh
sudo openvpn --genkey --secret keys/ta.key
# Step 6: Generate a Client Certificate and Key Pair
./build-key linclient
## second client certificate; back up all files in the *keys* folder first
./build-key e7450
# Step 7: Configure the OpenVPN Service
cd keys
sudo cp ca.crt linserver.crt linserver.key ta.key dh2048.pem /etc/openvpn
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/linserver.conf
cd /etc/openvpn
sudo vi linserver.conf # modify parameters
## uncomment *client-to-client* and *duplicate-cn*
# Step 8: Adjust the Server Networking Configuration
sudo vi /etc/sysctl.conf # uncomment net.ipv4.ip_forward=1
sudo sysctl -p
# Adjust the UFW Rules to Masquerade Client Connections
# add the following lines into /etc/ufw/before.rules:
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0 (change to the interface you discovered!)
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
sudo ufw allow 1194/udp
sudo ufw disable
sudo ufw enable
# Step 9: Start and Enable the OpenVPN Service
sudo systemctl start openvpn@linserver
sudo systemctl status openvpn@linserver
sudo systemctl enable openvpn@linserver
# Step 10: Create Client Configuration Infrastructure
mkdir -p ~/docs/openvpn-client-configs/files
chmod 700 ~/docs/openvpn-client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/docs/openvpn-client-configs/base.conf
vi ~/docs/openvpn-client-configs/base.conf
# quote EOF so the ${...} references below are written literally instead of being expanded by this shell
cat << 'EOF' > ~/docs/openvpn-client-configs/make_config.sh
#!/bin/bash
# First argument: Client identifier
KEY_DIR=~/docs/openvpn-ca/keys
OUTPUT_DIR=~/docs/openvpn-client-configs/files
BASE_CONFIG=~/docs/openvpn-client-configs/base.conf
cat ${BASE_CONFIG} \
<(echo -e '<ca>') \
${KEY_DIR}/ca.crt \
<(echo -e '</ca>\n<cert>') \
${KEY_DIR}/${1}.crt \
<(echo -e '</cert>\n<key>') \
${KEY_DIR}/${1}.key \
<(echo -e '</key>\n<tls-auth>') \
${KEY_DIR}/ta.key \
<(echo -e '</tls-auth>') \
> ${OUTPUT_DIR}/${1}.ovpn
EOF
chmod 700 ~/docs/openvpn-client-configs/make_config.sh
# Step 11: Generate Client Configurations
cd ~/docs/openvpn-client-configs
sudo chown leo:leo -R /home/leo/docs/openvpn-ca/keys
./make_config.sh linclient # must match the name used in Step 6
./make_config.sh e7450 # profile for the 2nd client certificate
# transfer file ~/docs/openvpn-client-configs/files/linclient.ovpn to the client
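Before transferring a profile, it is worth checking that make_config.sh actually embedded the four inline blocks and that the base config carries the directives the client needs. The checker below is an added example, not part of these notes or the tutorial; the sample profile, its hostname and the placeholder PEM bodies are constructed.

```python
import re

# Inline blocks that make_config.sh embeds into the .ovpn profile.
REQUIRED_BLOCKS = ("ca", "cert", "key", "tls-auth")
PEM_RE = re.compile(r"-----BEGIN ([A-Za-z0-9 ]+)-----.*?-----END \1-----", re.S)
BLOCK_RE = re.compile(r"<([a-z-]+)>\n(.*?)</\1>\n?", re.S)

def parse_ovpn(text):
    """Split an .ovpn into its directives and its inline <tag>...</tag> blocks."""
    blocks = {m.group(1): m.group(2).strip() for m in BLOCK_RE.finditer(text)}
    directives = {}
    for line in BLOCK_RE.sub("", text).splitlines():
        line = line.split("#", 1)[0].strip()          # strip comments
        if line and not line.startswith(";"):
            key, _, value = line.partition(" ")
            directives[key] = value.strip()
    return directives, blocks

def check_ovpn(text):
    """Return a list of problems; an empty list means the profile looks sane."""
    directives, blocks = parse_ovpn(text)
    problems = []
    for tag in REQUIRED_BLOCKS:
        if tag not in blocks:
            problems.append(f"missing <{tag}> block")
        elif not PEM_RE.search(blocks[tag]):
            # Empty blocks are what an unquoted-EOF heredoc in make_config.sh
            # produces: ${KEY_DIR} and ${1} expand to nothing when it is written.
            problems.append(f"<{tag}> block holds no PEM data")
    if "tls-auth" in blocks and directives.get("key-direction") != "1":
        # The server's sample config uses 'tls-auth ta.key 0', so clients need 1.
        problems.append("inline <tls-auth> needs 'key-direction 1'")
    for name in ("remote", "proto", "dev"):
        if name not in directives:
            problems.append(f"missing '{name}' directive")
    return problems

def pem(label, body="placeholder"):
    """Constructed PEM-shaped placeholder, not a real certificate or key."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----"

# Constructed sample profile in the layout make_config.sh writes.
SAMPLE_OVPN = "\n".join([
    "client", "dev tun", "proto udp", "remote vpn.example.invalid 1194",
    "key-direction 1",
    "<ca>", pem("CERTIFICATE"), "</ca>",
    "<cert>", pem("CERTIFICATE"), "</cert>",
    "<key>", pem("PRIVATE KEY"), "</key>",
    "<tls-auth>", pem("OpenVPN Static key V1"), "</tls-auth>", "",
])
```

Run check_ovpn(open("files/linclient.ovpn").read()) on a real profile; any non-empty result means the .ovpn should not be shipped to the client yet.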
Run the following commands on a VPN client. For Linux:
sudo apt-get update
sudo apt-get install openvpn
# If /etc/openvpn/update-resolv-conf exists on the client, enable the lines in linclient.ovpn that reference it
sudo openvpn --config linclient.ovpn
After the connection is verified, start OpenVPN as a daemon on the client with:
sudo openvpn --daemon --config linclient.ovpn
Note:
File /etc/openvpn/ipp.txt records the IP addresses assigned to clients that have connected to this server. OpenVPN creates it, and it is safe to delete it when rebuilding a new server certificate.
Do NOT build using Set up a Hardened OpenVPN Server on Debian 9. Its network configuration is unnecessarily complicated and will make you lose the connection to your host.