
@lpaulmp
Forked from seuros/openvpn.md
Last active September 17, 2015 20:36

OpenVPN on Ubuntu

Install OpenVPN

sudo apt-get install openvpn

Generate Server Certificates

sudo cp -r /usr/share/doc/openvpn/examples/sample-keys/ /etc/openvpn/keys/
cd /etc/openvpn/keys/

edit variables

sudo vim vars

export KEY_COUNTRY="XX"
export KEY_PROVINCE="YY"
export KEY_CITY="City"
export KEY_ORG="My VPN Service"
export KEY_EMAIL="[email protected]"
export KEY_CONFIG=$EASY_RSA/openssl-1.0.0.cnf

now generate certificates

sudo mkdir keys

source ./vars
sudo -E ./clean-all
sudo -E ./build-ca
sudo -E ./build-key-server server
sudo -E ./build-dh

sudo cp /etc/openvpn/keys/ca.crt /etc/openvpn
sudo cp /etc/openvpn/keys/ca.key /etc/openvpn
sudo cp /etc/openvpn/keys/dh1024.pem /etc/openvpn
sudo cp /etc/openvpn/keys/server.crt /etc/openvpn
sudo cp /etc/openvpn/keys/server.key /etc/openvpn

restart OpenVPN

sudo service openvpn restart

Generate Client Certificates

cd /etc/openvpn/keys
source ./vars
sudo -E ./build-key user1

Copy these files to your client over a secure channel (SSH, USB stick):

ca.crt
user1.crt
user1.key
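Instead of shipping the three files separately, they can be inlined into a single OpenVPN client profile. The script below is an added example, not part of the original gist; the function names, the hostname vpn.example.com and port 1194 are assumptions, and it also pins the server's certificate role so that another client certificate signed by the same CA cannot be used to pose as the server.

```shell
#!/bin/sh
# Added example, not from the original gist: assemble one self-contained
# OpenVPN client profile (user1.ovpn) that inlines ca.crt, user1.crt and
# user1.key. Assumed: the function names, vpn.example.com, port 1194.
set -eu

# Keep only the PEM block; easy-rsa .crt files carry a text dump before it.
pem_block() {
    sed -n '/-----BEGIN/,/-----END/p' "$1"
}

# make_client_profile HOST CA_CRT CLIENT_CRT CLIENT_KEY > user1.ovpn
make_client_profile() {
    host=$1 ca=$2 crt=$3 key=$4
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $host 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Only accept a server certificate with the server role, so another client
# certificate signed by the same CA cannot impersonate the server.
remote-cert-tls server
verb 3
<ca>
$(pem_block "$ca")
</ca>
<cert>
$(pem_block "$crt")
</cert>
<key>
$(pem_block "$key")
</key>
EOF
}

# Number of PEM blocks a profile embeds; a complete one has exactly three.
count_pem_blocks() {
    grep -c -- '-----BEGIN' "$1"
}

# When run directly with four arguments, write the profile to stdout.
if [ "$#" -eq 4 ]; then
    make_client_profile "$@"
fi
```

The resulting user1.ovpn embeds the private key, so give it mode 600 and move it over the same secure channel as the separate files.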

Configure OpenVPN

sudo adduser --system --no-create-home --disabled-login openvpn
sudo addgroup --system openvpn

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gunzip /etc/openvpn/server.conf.gz
cd /etc/openvpn

edit configuration

sudo vim server.conf

change user and group:

user openvpn
group openvpn

restart OpenVPN

sudo service openvpn restart

check if running

ifconfig tun0

Enable Routing Web Traffic Through VPN

cd /etc/openvpn
sudo vim server.conf

uncomment this line:

push "redirect-gateway def1 bypass-dhcp"

restart OpenVPN

sudo service openvpn restart

enable IP forwarding (the redirection needs root, and this setting does not survive a reboot; set net.ipv4.ip_forward=1 in /etc/sysctl.conf to make it permanent)

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

add SNAT rule (the --to address must be eth0's own public address; `-j MASQUERADE` in place of `-j SNAT --to ...` lets iptables pick that address itself instead of trusting an external lookup service, and the rule is lost on reboot unless saved)

sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to $(curl ip.paddd.de)

Configuring The Client (Shimo on OS X)

tbd
