I was trying to create a openvpn server on my ubuntu vps today. Here is the instruction.
Make sure your package repositories and installed programs are up to date by issuing the following commands:
apt-get update apt-get upgrade --show-upgraded
Begin by installing the OpenVPN software and the udev dependency with the following command:
apt-get install openvpn udev
The OpenVPN package provides a set of encryption-related tools called “easy-rsa”. These scripts are located by default in the /usr/share/doc/openvpn/examples/easy-rsa/ directory. However, in order to function properly, these scripts should be located in the /etc/openvpn directory. Copy these files with the following command:
cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
Most of the relevant configuration for the OpenVPN public key infrastructure is contained in/etc/openvpn/easy-rsa/2.0/, and much of our configuration will be located in this directory.
Configure Public Key Infrastructure Variables
Before we can generate the public key infrastructure for OpenVPN we must configure a few variables that the easy-rsa scripts will use to generate the scripts. These variables are set near the end of the/etc/openvpn/easy-rsa/2.0/vars file. Here is an example of the relevant values.
File: /etc/openvpn/easy-rsa/2.0/vars :
export KEY_COUNTRY="US" export KEY_PROVINCE="OH" export KEY_CITY="Oxford" export KEY_ORG="Ducklington" export KEY_EMAIL="squire@ducklington.org"
Alter the examples to reflect your configuration. This information will be included in certificates you create and it is important that the information be accurate, particularly the KEY_ORG and KEY_EMAIL values.
Initialize the Public Key Infrastructure (PKI)
Issue the following three commands in sequence to initialize the certificate authority and the public key infrastructure:
cd /etc/openvpn/easy-rsa/2.0/ . /etc/openvpn/easy-rsa/2.0/vars . /etc/openvpn/easy-rsa/2.0/clean-all . /etc/openvpn/easy-rsa/2.0/build-ca
These scripts will prompt you to enter a number of values. By configuring the vars you can be sure that your PKI is configured properly. If you set the correct values in vars, you will be able to press return at each prompt.
Generate Certificates and Private Keys
With the certificate authority generated you can generate the private key for the server. To accomplish this, issue the following command:
. /etc/openvpn/easy-rsa/2.0/build-key-server server
This script will also prompt you for additional information. By default, the Common Name for this key will be “server”. You can change these values in cases where it makes sense to use alternate values. The challenge password and company names are optional and can be left blank. When you’ve completed the question section you can confirm the signing of the certificate and the “certificate requests certified” by answering “yes” to these questions.
With the private keys generated, we can create certificates for all of the VPN clients. Issue the following command:
. /etc/openvpn/easy-rsa/2.0/build-key client1
Replace the client1 parameter with a relevant identifier for each client. You will want to generate a unique key for every user of the VPN. Each key should have it’s own unique identifier. All other information can remain the same. If you need to add users to your OpenVPN at any time, repeat this step to create additional keys.
Generate Diffie Hellman Parameters
The “Diffie Hellman Parameters” govern the method of key exchange and authentication used by the OpenVPN server. Issue the following command to generate these parameters:
. /etc/openvpn/easy-rsa/2.0/build-dh
This should produce the following output:
Generating DH parameters, 1024 bit long safe prime, generator 2 This is going to take a long time
This will be followed by a quantity of seemingly random output. The task has succeeded.
Relocate Secure Keys
The /etc/openvpn/easy-rsa/2.0/keys/ directory contains all of the keys that you have generated using theeasy-rsa tools.
In order to authenticate to the VPN, you’ll need to copy a number of certificate and key files to the remote client machines. They are:
- ca.crt
- client1.crt
- client1.key
You can use the scp tool, or any other means of transferring. Be advised, these keys should transferred with the utmost attention to security. Anyone who has the key or is able to intercept an unencrypted copy of the key will be able to gain full access to your virtual private network.
Typically we recommend that you encrypt the keys for transfer, either by using a protocol like SSH, or by encrypting them with the PGP tool.
The keys and certificates for the server need to be relocated to the /etc/openvpn directory so the OpenVPN server process can access them. These files are:
- ca.crt
- ca.key
- dh1024.pem
- server.crt
- server.key
Issue the following commands:
cd /etc/openvpn/easy-rsa/2.0/keys cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn
These files need not leave your server. Maintaining integrity and control over these files is of the utmost importance to the integrity of your server. If you ever need to move or back up these keys, ensure that they’re encrypted and secured. If these files are compromised, they will need to be recreated along with all client keys.
Revoking Client Certificates 
If you need to remove a user’s access to the VPN server, issue the following command sequence.
. /etc/openvpn/easy-rsa/2.0/vars . /etc/openvpn/easy-rsa/2.0/revoke-full client1
This will revoke the ability of users who have the client1 certificate to access the VPN. For this reason, keeping track of which users are in possession of which certificates is crucial.
This is an instruction manual from linode library. After configuring my openvpn server, I tried to connect it from my windows 7 laptop. Luckily, There’s no problem to connect it with my client at all. But the matter confused me was that I couldn’t browse some sites banned in China. That make me uncomfortable. If some one can fix this problem. I’ll be very appreciated!
