Using the excellent Digital Ocean tutorial as my base, I decided to set up an OpenVPN server on a Linux Mint 18 computer running on my home network so that I have an extra layer of protection when connecting to those less-than-reputable WiFi hotspots at airports and hotels.
This post is not meant to be an in-depth guide (use the original for that); it is meant to let me look back at some point in the future and easily re-create my setup.
1. Install everything you need
sudo apt-get update
sudo apt-get install openvpn easy-rsa
2. Set up the Certificate Authority (CA)
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
nano vars
3. Update CA vars
Set these to something that makes sense:
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
Set the KEY_NAME to something that makes sense:
export KEY_NAME="server"
4. Build the CA
source vars
./clean-all
./build-ca
5. Build server certificate and key
./build-key-server server
./build-dh
openvpn --genkey --secret keys/ta.key
6. Generate client certificate
source vars
./build-key-pass clientname
7. Configure OpenVPN
cd ~/openvpn-ca/keys
sudo cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf
Edit config file:
sudo nano /etc/openvpn/server.conf
Uncomment the following:
tls-auth ta.key 0
cipher AES-128-CBC
user nobody
group nogroup
push "redirect-gateway def1 bypass-dhcp"
push "route 192.168.10.0 255.255.255.0"
push "route 192.168.20.0 255.255.255.0"
Add the following:
key-direction 0
auth SHA256
Edit config file:
sudo nano /etc/sysctl.conf
Uncomment the following:
net.ipv4.ip_forward=1
Run:
sudo sysctl -p
8. Set up UFW rules
Run:
ip route | grep default
This shows the name of the network adaptor (the value after dev). For example:
default via 192.168.x.x dev enp3s0  src 192.168.x.x  metric 202
Edit config file:
sudo nano /etc/ufw/before.rules
Add the following, replacing enp3s0 with your own network adaptor name, above the line that says # Don't delete these required lines...
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN clients out through the network adaptor (enp3s0 here)
-A POSTROUTING -s 10.8.0.0/8 -o enp3s0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
Edit config file:
sudo nano /etc/default/ufw
Change DEFAULT_FORWARD_POLICY to ACCEPT.
DEFAULT_FORWARD_POLICY="ACCEPT"
Allow the OpenVPN port and OpenSSH through ufw, then restart ufw so the new rules take effect:
sudo ufw allow 1194/udp
sudo ufw allow OpenSSH
sudo ufw disable
sudo ufw enable
9. Start the OpenVPN service and enable it at boot
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
10. Set up the client configuration
mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
Edit config file:
nano ~/client-configs/base.conf
Replace the line "remote server_IP_address port" with the external IP address and port you plan to use. The IP address can also be a hostname, such as a redirector.
Add the following:
cipher AES-128-CBC
auth SHA256
key-direction 1
Uncomment the following:
user nobody
group nogroup
Comment out the following:
#ca ca.crt
#cert client.crt
#key client.key
11. Make a client configuration generation script
Create the file:
nano ~/client-configs/make_config.sh
Add the following to it:
#!/bin/bash
# First argument: Client identifier
KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf
# Concatenate the base config with the CA cert, client cert, client key and
# tls-auth key, each wrapped in the inline tags OpenVPN expects
cat ${BASE_CONFIG} \
<(echo -e '<ca>') \
${KEY_DIR}/ca.crt \
<(echo -e '</ca>\n<cert>') \
${KEY_DIR}/${1}.crt \
<(echo -e '</cert>\n<key>') \
${KEY_DIR}/${1}.key \
<(echo -e '</key>\n<tls-auth>') \
${KEY_DIR}/ta.key \
<(echo -e '</tls-auth>') \
> ${OUTPUT_DIR}/${1}.ovpn
And mark it executable:
chmod 700 ~/client-configs/make_config.sh
12. Generate the client config file
cd ~/client-configs
./make_config.sh clientname
13. Transfer client configuration to device
You can now transfer the client configuration file found in ~/client-configs/files to your device.
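Before copying the file over, it is worth a quick sanity check that make_config.sh produced what steps 10 and 11 intended. The script below is an added example, not part of the original post or the Digital Ocean tutorial; the function names check_ovpn and write_sample_ovpn and the hostname vpn.example.com are my own, and the sample file it writes uses placeholder text in place of real certificates and keys.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a generated client
# .ovpn before transferring it. Checks the base.conf directives from step 10 and
# the inline blocks make_config.sh splices in. Returns 0 only if all pass.
check_ovpn() {
    f="$1"; rc=0
    [ -r "$f" ] || { echo "cannot read $f"; return 1; }
    # Directives the client must carry to match server.conf
    for d in '^remote ' '^cipher AES-128-CBC' '^auth SHA256' '^key-direction 1'; do
        grep -Eq "$d" "$f" || { echo "missing directive: $d"; rc=1; }
    done
    # Step 10 comments these out; an uncommented one means the file-based
    # reference was left in beside the inline block
    for d in '^ca ' '^cert ' '^key '; do
        ! grep -Eq "$d" "$f" || { echo "external file reference left in: $d"; rc=1; }
    done
    # Every inline block needs both its opening and closing tag
    for tag in ca cert key tls-auth; do
        { grep -q "^<$tag>" "$f" && grep -q "^</$tag>" "$f"; } \
            || { echo "inline block incomplete: <$tag>"; rc=1; }
    done
    return "$rc"
}
# Writes a constructed sample .ovpn (placeholder text, not real key material)
# to the given path so the check can be tried offline.
write_sample_ovpn() {
    cat > "$1" <<'EOF'
client
remote vpn.example.com 1194
cipher AES-128-CBC
auth SHA256
key-direction 1
#ca ca.crt
#cert client.crt
#key client.key
<ca>
PLACEHOLDER-CA-CERT
</ca>
<cert>
PLACEHOLDER-CLIENT-CERT
</cert>
<key>
PLACEHOLDER-CLIENT-KEY
</key>
<tls-auth>
PLACEHOLDER-TA-KEY
</tls-auth>
EOF
}
```

To check a real file, source the script and run check_ovpn ~/client-configs/files/clientname.ovpn; a non-zero exit with the printed reason means the file should not be transferred yet.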
I was with you, until step 7.
What is the stuff we are uncommenting and why?
Most of the uncommented lines have to do with configuring how the VPN networking and security will work. For a full explanation I would highly recommend taking a look at the Digital Ocean tutorial referenced above and copied here: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04