- Install packages
# Install OpenVPN and the easy-rsa PKI helper from the distribution repositories.
sudo apt install openvpn easy-rsa
- Create easy-rsa directory
# Create the easy-rsa working directory from the packaged template.
# Run via sudo, so the directory (and everything easyrsa writes under it) is root-owned.
sudo make-cadir /etc/openvpn/easy-rsa
- Change directory
# All following ./easyrsa invocations and pki/ paths are relative to this directory.
cd /etc/openvpn/easy-rsa
- Initialize PKI
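# Initialize an empty PKI tree (pki/) inside the easy-rsa directory.
# sudo is required for the same reason as make-cadir above: /etc/openvpn/easy-rsa was
# created by root, so an unprivileged user cannot write pki/ into it.
sudo ./easyrsa init-pki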
- Build CA
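# Build the CA certificate (pki/ca.crt) and CA private key (under pki/private/).
# nopass stores the CA key unencrypted so the sign-req steps below run non-interactively;
# the trade-off is that anyone who can read that key file can issue certificates this
# VPN will trust, so the root-only ownership from sudo matters here.
sudo ./easyrsa build-ca nopass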
- Generate key pair for the server
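# Generate the server private key (pki/private/server.key) and a signing request.
# nopass is the usual choice for a daemon that must start unattended; the key stays
# root-owned because the command runs under sudo.
sudo ./easyrsa gen-req server nopass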
- Generate Diffie-Hellman parameters
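# Generate Diffie-Hellman parameters (pki/dh.pem); this step can take a while.
# sudo: the pki/ tree is root-owned.
sudo ./easyrsa gen-dh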
- Sign server certificate
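# Sign the server request with the CA as a "server" type certificate,
# producing pki/issued/server.crt. First argument is the cert type, second the request name.
sudo ./easyrsa sign-req server server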
- Copy server certificates and keys to main configuration directory
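# Copy the server-side material into /etc/openvpn, where server.conf references it by
# relative name. sudo is needed both because pki/private/ is root-only and because the
# destination directory belongs to root. server.key is a private key: keep it root-owned
# and not world-readable after the copy.
sudo cp -v pki/{dh.pem,ca.crt,issued/server.crt,private/server.key} /etc/openvpn/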
- Copy or move dh file to match entry in OpenVPN configuration
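# The sample server.conf refers to "dh dh2048.pem", while easy-rsa writes dh.pem;
# provide the expected name. sudo: /etc/openvpn is root-owned.
sudo cp /etc/openvpn/dh.pem /etc/openvpn/dh2048.pem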
- Generate client certificate
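# Generate the client private key (pki/private/client.key) and signing request.
# nopass leaves the client key unencrypted, so the file itself is the credential:
# it must be transferred to the client over a secure channel and kept readable only by
# the user that runs the client.
sudo ./easyrsa gen-req client nopass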
- Sign client certificate
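# Sign the client request as a "client" type certificate, producing pki/issued/client.crt.
sudo ./easyrsa sign-req client client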
- Copy sample server configuration
# Start from the packaged sample server configuration; it ships gzip-compressed and is
# decompressed in the next step.
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/server.conf.gz
- Unzip server sample configuration
# Decompress in place, leaving /etc/openvpn/server.conf.
sudo gzip -d /etc/openvpn/server.conf.gz
- Generate secret key
# Generate the shared TLS-auth key referenced by "tls-auth ta.key 0" in server.conf.
# It is created directly in /etc/openvpn so the relative path in the config resolves;
# the same file is later copied to the client (which uses key direction 1).
# NOTE(review): confirm the resulting file mode is owner-only; it is a shared secret.
cd /etc/openvpn
sudo openvpn --genkey --secret ta.key
- Verify the following settings in server.conf
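# Listening port/protocol and tunnel device type.
port 1194
proto udp
dev tun
# PKI material copied into /etc/openvpn in the earlier steps (paths are relative to that directory).
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
# Address pool handed out to clients.
topology subnet
server 10.8.0.0 255.255.255.0
# Persist client->address assignments across restarts (file name as in the sample config).
ifconfig-pool-persist /var/log/openvpn/ipp.txt
# HMAC on control-channel packets; the server side uses key direction 0, clients use 1.
tls-auth ta.key 0 # This file is secret
# NOTE(review): on OpenVPN 2.5+ the negotiated data-channel cipher list is set with
# data-ciphers; a bare "cipher" line is the legacy/fallback setting — confirm against the installed version.
cipher AES-256-GCM
persist-key
persist-tun
# Status and log output.
status /var/log/openvpn/openvpn-status.log
# NOTE(review): "log" and "log-append" both name the same file; normally only one is used
# (log truncates at start, log-append appends) — confirm which behaviour is intended.
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
# user authentication
# Keep client-cert-not-required disabled: enabling it removes the client certificate check,
# leaving only whatever the authentication plugin below enforces.
;client-cert-not-required
# ldap/ad authentication
;plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/plugin/auth-ldap.conf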
- Start openvpn server
# Start the templated instance; the instance name "server" selects /etc/openvpn/server.conf.
sudo systemctl start openvpn@server
- Check status
# Confirm the instance is active; on failure, /var/log/openvpn/openvpn.log (see server.conf) has the detail.
sudo systemctl status openvpn@server
- Copy client certificate and keys
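# Collect the client-side material (CA cert, client cert and key, TLS-auth key) for transfer.
# client.key under pki/private/ and ta.key were created as root in the earlier steps, so the
# copies need sudo; afterwards hand them to the current user with owner-only permissions,
# since client.key (nopass) and ta.key are usable as-is by anyone who can read them.
mkdir -pv -m 700 ~/vpn
sudo cp /etc/openvpn/easy-rsa/pki/{ca.crt,issued/client.crt,private/client.key} ~/vpn
sudo cp /etc/openvpn/ta.key ~/vpn
sudo chown "$(id -u):$(id -g)" ~/vpn/ca.crt ~/vpn/client.crt ~/vpn/client.key ~/vpn/ta.key
chmod 600 ~/vpn/client.key ~/vpn/ta.key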
- Enable OpenVPN service and restart it
# Enable at boot and restart.
# NOTE(review): this enables the generic "openvpn" unit rather than the "openvpn@server"
# instance started above; whether that brings up server.conf at boot depends on the
# distribution's autostart handling — confirm, or enable openvpn@server explicitly.
sudo systemctl enable openvpn && sudo systemctl restart openvpn
- References
https://ubuntu.com/server/docs/service-openvpn
https://linuxconfig.org/how-to-setup-a-openvpn-server-on-ubuntu-20-04