On your Ubuntu server, while logged into the root account, execute the following commands:

apt update
apt install openvpn easy-rsa
make-cadir ~/easy-rsa
cd ~/easy-rsa
./easyrsa init-pki
./easyrsa build-ca nopass   [enter MyVPN-CA for common name]
./easyrsa gen-req server nopass   [enter to accept default]
./easyrsa sign-req server server
./easyrsa gen-dh
openvpn --genkey secret ta.key
./easyrsa gen-req kb nopass
./easyrsa sign-req client kb
cp pki/ca.crt pki/dh.pem ta.key /etc/openvpn/
cp pki/issued/server.crt pki/private/server.key /etc/openvpn/
nano /etc/openvpn/server.conf

Paste into the file:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA256
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
user nobody
group nogroup
status openvpn-status.log
verb 3
explicit-exit-notify 1
mssfix 1350

Save the file, then start OpenVPN and open /etc/sysctl.conf to enable IP forwarding:

systemctl enable --now openvpn@server
nano /etc/sysctl.conf

At the bottom of the file, paste:

net.ipv4.ip_forward=1

Save the file and apply the change:

sysctl -p

Add the following rules to iptables:

# Allow incoming OpenVPN connections (UDP 1194)
iptables -A INPUT -p udp --dport 1194 -j ACCEPT

# Allow related and established traffic
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow traffic from VPN subnet (10.8.0.0/24)
iptables -A INPUT -s 10.8.0.0/24 -j ACCEPT

# NAT for VPN clients (so they can access the internet); replace eth0 with your server's public interface if it is named differently
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

# Allow forwarding traffic
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT

Then create a working directory for client configs and a base client config:

mkdir -p ~/client-configs/files
cd ~/client-configs
nano base.conf

Paste the following text, replacing server.ip.or.fqdn with your server's actual IP or FQDN:

client
dev tun
proto udp
remote server.ip.or.fqdn 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA256
cipher AES-256-CBC
key-direction 1
verb 3

Make a script that can generate a client config file (.ovpn file to send to your clients):

nano makeovpn.sh

Paste:

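#!/bin/bash
# Usage: ./makeovpn.sh clientname
# Builds ~/client-configs/files/clientname.ovpn from base.conf plus the CA
# certificate, the client's certificate and key, and the tls-auth key.
set -euo pipefail

CLIENT=${1:?usage: $0 clientname}
umask 077   # the profile embeds the client's private key

cat ~/client-configs/base.conf \
    <(echo -e '<ca>') \
    ~/easy-rsa/pki/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ~/easy-rsa/pki/issued/"$CLIENT".crt \
    <(echo -e '</cert>\n<key>') \
    ~/easy-rsa/pki/private/"$CLIENT".key \
    <(echo -e '</key>\n<tls-auth>') \
    /etc/openvpn/ta.key \
    <(echo -e '</tls-auth>') \
    > ~/client-configs/files/"$CLIENT".ovpn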

Generate a config for your first client (replacing clientname with the name you gave gen-req and sign-req, kb in the commands above):

chmod +x makeovpn.sh
./makeovpn.sh clientname

This generates ~/client-configs/files/clientname.ovpn. You can open it on Windows or Linux with the OpenVPN application, or email it to yourself to get it onto your iPhone and then open it with the OpenVPN app. The file embeds the client's private key, so anyone who obtains it can connect as that client.

If you want to add a friend or other device to your setup, just run:

cd ~/easy-rsa
./easyrsa gen-req friend1 nopass
./easyrsa sign-req client friend1
cd ~/client-configs
./makeovpn.sh friend1

Then, send them the friend1.ovpn file.
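
A profile that is missing its certificate or key block (for example, one built for a client name that was never signed), or that still carries the server.ip.or.fqdn placeholder from base.conf, only fails once the client tries to connect. The check below is an added example, not part of the original guide; the function names block_has, check_ovpn and sample_incomplete are made up for it, and the sample profile is constructed.

```bash
# Added example: sanity-check a .ovpn profile before sending it to a client.
# block_has FILE TAG MARKER: true if <TAG>...</TAG> exists and contains MARKER.
block_has() {
    awk -v tag="$2" -v marker="$3" '
        $0 == ("<" tag ">")  { inside = 1; opened = 1; next }
        $0 == ("</" tag ">") { inside = 0; closed = 1; next }
        inside && index($0, marker) { found = 1 }
        END { exit !(opened && closed && found) }
    ' "$1"
}

# check_ovpn FILE: prints one line per problem; returns 0 only if none found.
check_ovpn() {
    f=$1; rc=0
    [ -r "$f" ] || { echo "cannot read $f"; return 2; }
    block_has "$f" ca "BEGIN CERTIFICATE" || { echo "<ca> missing or empty"; rc=1; }
    block_has "$f" cert "BEGIN CERTIFICATE" || { echo "<cert> missing or empty"; rc=1; }
    block_has "$f" key "PRIVATE KEY" || { echo "<key> missing or empty"; rc=1; }
    block_has "$f" tls-auth "OpenVPN Static key" || { echo "<tls-auth> missing or empty"; rc=1; }
    grep -q '^remote-cert-tls server' "$f" || { echo "remote-cert-tls server not set"; rc=1; }
    grep -q '^key-direction 1' "$f" || { echo "key-direction 1 not set"; rc=1; }
    grep -q '^remote server\.ip\.or\.fqdn ' "$f" && { echo "remote is still the placeholder"; rc=1; }
    return "$rc"
}

# Constructed sample: a profile whose client certificate and key were never
# embedded and whose remote line was not edited. PEM bodies are left out.
sample_incomplete() {
    cat <<'EOF'
remote server.ip.or.fqdn 1194
remote-cert-tls server
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
</cert>
<key>
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
}

tmp=$(mktemp); sample_incomplete > "$tmp"
check_ovpn "$tmp" || echo "profile is not ready to send"
rm -f "$tmp"
```

To check a real profile, call check_ovpn ~/client-configs/files/clientname.ovpn after running makeovpn.sh.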