Ubuntu/Debian-based OpenVPN server configuration
- RaviKumar Uthirapathy
- Jun 20, 2020
- 3 min read
Requirements:
Any PC with 4 GB RAM, or a Raspberry Pi 3 with a 32 GB SD card
USB keyboard, USB mouse and HDMI monitor
Internet connection
A static IP address for the server
Knowledge required:
Installing Ubuntu on a PC, or Raspbian on a Raspberry Pi
Port forwarding on your router
The following steps install and configure OpenVPN from the terminal:
sudo apt update # Refresh the package lists
sudo apt install openvpn # Install the OpenVPN package
wget -P ~/ https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz # Download EasyRSA (the PKI / certificate tooling) from GitHub into the home directory
cd ~ # Change to the home directory
tar xvf EasyRSA-unix-v3.0.6.tgz # Extract the EasyRSA archive
cd ~/EasyRSA-v3.0.6/ # Change directory to EasyRSA
cp vars.example vars # Start from the example variables file
nano vars # Edit the CA/certificate defaults (the EASYRSA_REQ_* fields) in the editor
./easyrsa init-pki # Create the PKI directory structure
./easyrsa build-ca nopass # Build the CA; "nopass" leaves the CA key (pki/private/ca.key) without a passphrase, so keep it off the VPN server if possible
./easyrsa gen-req server nopass # Create the server private key (pki/private/server.key) and signing request (pki/reqs/server.req)
sudo cp ~/EasyRSA-v3.0.6/pki/private/server.key /etc/openvpn/ # Install the server private key into /etc/openvpn
scp ~/EasyRSA-v3.0.6/pki/reqs/server.req mypc@your_CA_ip:/tmp # Send server.req to the CA machine (when the CA runs on a separate host)
./easyrsa sign-req server server # On the CA: sign the server request, producing pki/issued/server.crt
scp pki/issued/server.crt mypc@your_server_ip:/tmp # Send the signed server.crt back to the VPN server's /tmp
sudo cp /tmp/{server.crt,ca.crt} /etc/openvpn/ # Install server.crt and ca.crt; NOTE: no step above transfers ca.crt - copy the CA's pki/ca.crt to /tmp as well before running this
./easyrsa gen-dh # Generate Diffie-Hellman parameters (pki/dh.pem); these are not secret
sudo openvpn --genkey --secret ta.key # Generate the tls-auth HMAC key; it is a shared secret and must stay private
sudo cp ~/EasyRSA-v3.0.6/ta.key /etc/openvpn/ # Install ta.key for the server
sudo cp ~/EasyRSA-v3.0.6/pki/dh.pem /etc/openvpn/ # Install dh.pem for the server
# Server key material is now in place under /etc/openvpn
cd ..
mkdir -p ~/client-configs/keys # Create client-configs/keys in the home directory
chmod -R 700 ~/client-configs # Restrict the tree to its owner; it will hold private keys
# Client key generation begins
cd ~/EasyRSA-v3.0.6/ # Change directory to EasyRSA
./easyrsa gen-req client1 nopass # Generate the client1 private key and signing request
cp pki/private/client1.key ~/client-configs/keys/ # Copy the client private key to client-configs/keys
./easyrsa sign-req client client1 # Sign the client request, producing pki/issued/client1.crt; NOTE: no step below copies it into ~/client-configs/keys/, which make_config.sh expects
sudo cp ~/EasyRSA-v3.0.6/ta.key ~/client-configs/keys/ # Copy ta.key to client-configs/keys/ (root-owned after sudo cp)
sudo cp /etc/openvpn/ca.crt ~/client-configs/keys/ # Copy ca.crt to client-configs/keys/
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/ # Copy the sample server config into /etc/openvpn
sudo gzip -d /etc/openvpn/server.conf.gz # Decompress it to /etc/openvpn/server.conf
# Server configuration
sudo nano /etc/openvpn/server.conf # Edit server.conf; set or uncomment the following directives.
tls-auth ta.key 0 # 0 = server side of the tls-auth key (clients use key-direction 1); ta.key is a shared secret
cipher AES-256-CBC # Data-channel cipher (OpenVPN 2.4+ can use the AEAD cipher AES-256-GCM instead)
auth SHA256 # HMAC digest used for packet authentication
dh dh.pem # Diffie-Hellman parameters generated above
user nobody # Drop root privileges after start-up...
group nogroup # ...and switch to an unprivileged group
# Enable IP forwarding and NAT so VPN clients can reach the network behind the server
sudo nano /etc/sysctl.conf # Edit the kernel parameters (sysctl, not systemctl) and set:
net.ipv4.ip_forward=1
sudo sysctl -p # Reload sysctl.conf so forwarding takes effect
ip route | grep default # Note the interface of the default route; it replaces eth0 in the NAT rule below
sudo nano /etc/ufw/before.rules # Add the block below near the top of the file, above the existing *filter rules
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0 (change to the interface you discovered in the "ip route | grep default" command!)
# NOTE: 10.8.0.0/8 masquerades the whole 10.0.0.0/8 range; the sample server.conf assigns clients from 10.8.0.0/24, so that is the tighter source match
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
sudo nano /etc/default/ufw # Set the forward policy so ufw passes forwarded VPN traffic
DEFAULT_FORWARD_POLICY="ACCEPT"
sudo ufw allow 1194/udp # Open the OpenVPN port (UDP 1194) in the firewall
sudo ufw disable # Disable ufw...
sudo ufw enable # ...and re-enable it so the new before.rules and default policy are loaded
sudo systemctl start openvpn@server # Start the server now (uses /etc/openvpn/server.conf)
sudo systemctl status openvpn@server # Check that the service is running
ip addr show tun0 # Check the VPN tunnel interface and its IP address
sudo systemctl enable openvpn@server # Start the server automatically on boot
mkdir -p ~/client-configs/files # Directory for the generated .ovpn profiles
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf # Use the sample client config as the template base.conf
nano ~/client-configs/base.conf # Edit base.conf; set the following:
remote your_server_ip 1194
proto udp
user nobody
group nogroup
# Keep these four commented out: make_config.sh embeds ca/cert/key/tls-auth inline instead of referencing files
#ca ca.crt
#cert client.crt
#key client.key
#tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
key-direction 1 # Client side of the tls-auth key (the server uses 0)
# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
nano ~/client-configs/make_config.sh # Script that bundles base.conf plus the client's certificate and keys into one .ovpn profile (contents below)
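#!/bin/bash
# make_config.sh - bundle a client's certificate and key, the CA certificate
# and the shared tls-auth key together with base.conf into a single
# <client>.ovpn profile that can be handed to the client.
#
# Usage: make_config.sh <client-name>
#   <client-name> is the name given to "easyrsa gen-req"; the script expects
#   keys/<client-name>.crt and keys/<client-name>.key to exist.
#
# Paths are resolved relative to the directory holding this script (expected
# to be ~/client-configs), so it works unchanged for any user and whether or
# not it is run under sudo. Each path can be overridden through an
# environment variable of the same name (KEY_DIR, OUTPUT_DIR, BASE_CONFIG).
#
# The output embeds the client's private key and the tls-auth secret, so it
# is created with owner-only permissions (mode 600).
#
# Exit status: 0 on success, 2 on a usage error, 1 if an input is missing or
# the profile could not be written.

# No "set -e": every failing step is checked explicitly so that a partial
# profile is never left behind.
set -u -o pipefail

script_dir=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd) || exit 1
KEY_DIR=${KEY_DIR:-${script_dir}/keys}
OUTPUT_DIR=${OUTPUT_DIR:-${script_dir}/files}
BASE_CONFIG=${BASE_CONFIG:-${script_dir}/base.conf}

# Print a diagnostic line to stderr.
warn() {
  printf 'make_config: %s\n' "$*" >&2
}

# Write one inline section, <tag> ... </tag>, wrapping the contents of a file.
# Arguments: $1 - tag name (ca, cert, key, tls-auth); $2 - file to embed
# Returns:   cat's status, so an unreadable file aborts the whole profile
emit_section() {
  printf '<%s>\n' "$1"
  cat -- "$2" || return
  printf '</%s>\n' "$1"
}

# Assemble the profile for client $1.
# Globals:  KEY_DIR, OUTPUT_DIR, BASE_CONFIG (read)
# Outputs:  ${OUTPUT_DIR}/$1.ovpn, mode 600
# Returns:  0 on success, 2 on bad arguments, 1 on a missing input or write failure
main() {
  if (( $# != 1 )) || [[ -z $1 || $1 == */* ]]; then
    warn "usage: ${0##*/} <client-name>   (a plain name, not a path)"
    return 2
  fi
  local client=$1
  local out=${OUTPUT_DIR}/${client}.ovpn

  # Fail before creating anything if any input is absent or unreadable; the
  # original one-liner silently produced a truncated profile instead.
  local inputs=(
    "$BASE_CONFIG"
    "${KEY_DIR}/ca.crt"
    "${KEY_DIR}/${client}.crt"
    "${KEY_DIR}/${client}.key"
    "${KEY_DIR}/ta.key"
  )
  local f
  for f in "${inputs[@]}"; do
    if [[ ! -r $f ]]; then
      warn "missing or unreadable input: $f"
      return 1
    fi
  done

  mkdir -p -- "$OUTPUT_DIR" || return 1

  # Subshell so the restrictive umask does not leak to the caller; the profile
  # holds private key material and must not be group- or world-readable.
  (
    umask 077
    {
      cat -- "$BASE_CONFIG" &&
        emit_section ca "${KEY_DIR}/ca.crt" &&
        emit_section cert "${KEY_DIR}/${client}.crt" &&
        emit_section key "${KEY_DIR}/${client}.key" &&
        emit_section tls-auth "${KEY_DIR}/ta.key"
    } > "$out"
  ) || {
    warn "failed to write $out"
    rm -f -- "$out"
    return 1
  }
  # umask only applies to newly created files; enforce the mode on overwrite too.
  chmod 600 "$out"
}

main "$@"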
chmod 700 ~/client-configs/make_config.sh # Make the script executable by its owner only
cd ~/client-configs # Change directory to client-configs
sudo ./make_config.sh client1 # Build client1.ovpn; sudo is needed only because ta.key/ca.crt were copied with sudo, and the output will be root-owned - chown it to your user before use
ls ~/client-configs/files # Show the generated .ovpn profile; it contains the client's private key, so transfer it over a secure channel and delete stray copies
Your server's IP address (either a static or a dynamic IP) is required for the `remote` line in base.conf.