OpenVPN/Checklist guide

Install the packages openvpn and easy-rsa.

• Copy /etc/easy-rsa to /etc/openvpn/easy-rsa and cd there
• Edit the vars file with the information you want. Read Create a Public Key Infrastructure Using the easy-rsa Scripts for details.
• Clean up any previous keys:

# easyrsa clean-all

• Create a seed for the CA creation

# dd if=/dev/urandom of=pki/.rnd bs=256 count=1

• Create the "certificate authority" key

# easyrsa build-ca nopass

• Create certificate and private key for the server

# easyrsa build-server-full ''<server-name>'' nopass

• Create the Diffie-Hellman pem file for the server.

# easyrsa gen-dh

• Create a certificate for each client.

All certificates are stored in directory. If you mess up, you can start all over by doing a easyrsa clean-all

Copy to each client the , and their respective crt and key files.

• Create with a content like this:

/etc/openvpn/server/myvpnserver.conf

port ''<port>''
proto tcp
dev tun0

ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/''<server-name>''.crt
key /etc/openvpn/easy-rsa/pki/private/''<server-name>''.key
dh /etc/openvpn/easy-rsa/pki/''<your pem file>''

server ''<desired base ip>'' 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3

log-append /var/log/openvpn
status /tmp/vpn.status 10

• Start and, optionally, enable for autostart on boot, the daemon. (In this example, is )

Read Daemon for more information.

• Create a .conf file for each client like this:

• Start the connection with

Optionally, enable for autostart on boot the daemon. (In this example, is )

Read Daemon for more information.

If the openvpn server can be started manually as root but not using systemd, you can try fixing the permissions:

# chown -R openvpn:network /etc/openvpn/*