# OpenVPN and CA install

### Sources

- https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-an-openvpn-server-on-ubuntu-20-04
- https://chatgpt.com/share/672b8e75-5a08-8009-9d13-f062d91bfac8

### Prereqs

Ubuntu 24 with ufw configured.

### Update/Upgrade

```
sudo apt update
sudo apt upgrade -y
```

### Install OpenVPN and Easy-RSA

`sudo apt install openvpn easy-rsa -y`

### Setup CA

```
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
```

Edit the Easy-RSA variables file:

```
vi vars
```

Set the certificate request fields:

```
set_var EASYRSA_REQ_COUNTRY "YourCountry"
set_var EASYRSA_REQ_PROVINCE "YourProvince"
set_var EASYRSA_REQ_CITY "YourCity"
set_var EASYRSA_REQ_ORG "YourOrganization"
set_var EASYRSA_REQ_EMAIL "email@example.com"
set_var EASYRSA_REQ_OU "YourOrganizationalUnit"
```

Initialise the PKI and build the CA:

```
./easyrsa init-pki
./easyrsa build-ca
```

Enter a passphrase for the CA key when prompted.

### Generate Certs and Keys

`./easyrsa gen-req server nopass`

`./easyrsa sign-req server server`

Type `yes` and enter the CA passphrase.

`./easyrsa gen-dh`

`openvpn --genkey secret ta.key`

The older form `openvpn --genkey --secret ta.key` is deprecated in OpenVPN 2.5 and later; the command above is the current syntax.

### Config OpenVPN Server

`sudo cp pki/ca.crt pki/private/server.key pki/issued/server.crt pki/dh.pem ta.key /etc/openvpn/`

`sudo vi /etc/openvpn/server.conf`

```
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh.pem
tls-auth ta.key 0 # This file should be kept secret
cipher AES-256-CBC
auth SHA256
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route {ip.addr.ess.0 last byte is masked} 255.255.255.0" # Replace with the LAN network address (last octet 0) clients should reach
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
status openvpn-status.log
verb 3
```

### Enable IP Forwarding

`sudo vi /etc/sysctl.conf`

```
net.ipv4.ip_forward=1
```

`sudo sysctl -p`

### Config Firewall

`sudo vi /etc/default/ufw`

Change:

`DEFAULT_FORWARD_POLICY="ACCEPT"`

`sudo vi /etc/ufw/before.rules`

Replace `{PUBLIC INTERFACE}` with the name of the server's public network interface (for example `eth0`); `-o` takes an interface name, not an IP address:

```
# START OPENVPN RULES
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/8 -o {PUBLIC INTERFACE} -j MASQUERADE
COMMIT
# END OPENVPN RULES
```

`sudo ufw allow 1194/udp`

`sudo ufw enable`

### Start OpenVPN

```
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
sudo systemctl status openvpn@server
```

### Client Config

```
mkdir -p ~/client-configs/keys
mkdir -p ~/client-configs/files
```

`vi ~/client-configs/base.conf`

Replace `{MY IP ADDRESS}` with the server's public IP address:

```
client
dev tun
proto udp
remote {MY IP ADDRESS} 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
key-direction 1
verb 3
```

### Client Certificates and Keys

`cd ~/openvpn-ca`

Replace `client1` with the client's name:

```
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1
```

`cp pki/ca.crt pki/issued/client1.crt pki/private/client1.key ta.key ~/client-configs/keys/`

`vi ~/client-configs/make_config.sh`

### Generate Client Keys

Replace `{client name}` with the client's name. The script concatenates base.conf with the CA certificate, client certificate, client key and TLS-auth key, each wrapped in the inline block tags OpenVPN expects (`<ca>`, `<cert>`, `<key>`, `<tls-auth>`), so the resulting .ovpn is a single self-contained file:

```
#!/bin/bash

CLIENT_NAME={client name}
KEY_DIR=~/client-configs/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

mkdir -p "${OUTPUT_DIR}"

# Each <(echo ...) inserts the opening/closing tag of the inline block that follows/precedes it.
cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${CLIENT_NAME}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${CLIENT_NAME}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${CLIENT_NAME}.ovpn
```

`chmod 700 ~/client-configs/make_config.sh`

`~/client-configs/make_config.sh`

### Distribute Client Config

`{client name}.ovpn` is now available in `~/client-configs/files/`.
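A check worth running on each generated profile before handing it out, added here as an example and not part of the original notes or the DigitalOcean tutorial: it confirms the directives the server config above expects (`remote ... 1194`, `remote-cert-tls server`, `key-direction 1` to pair with the server's `tls-auth ta.key 0`), that each inline block from make_config.sh is present exactly once and closed, and that every block starts with the expected PEM or static-key header. The function names and the constructed placeholder profile are assumptions.

```bash
#!/usr/bin/env bash
# check_ovpn.sh (added example, hypothetical name): sanity-check an inline client
# profile produced by make_config.sh before it leaves the server.

# Print the lines between <tag> and </tag> of a profile ($1 = file, $2 = tag).
ovpn_block() { awk -v t="$2" '$0=="<"t">"{p=1;next} $0=="</"t">"{p=0} p' "$1"; }

# Return 0 only if every check passes; print one FAIL line per problem.
check_ovpn() {
  f="$1"; rc=0
  [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }
  # 1. Directives base.conf must carry to match server.conf (port 1194; key-direction 1 <-> tls-auth ta.key 0).
  for d in '^client$' '^remote [^ ]+ 1194$' '^remote-cert-tls server$' '^key-direction 1$'; do
    grep -Eq "$d" "$f" || { echo "FAIL: missing directive matching $d"; rc=1; }
  done
  # 2. File-path directives must not coexist with the inline blocks (a stale base.conf leftover).
  if grep -Eq '^(ca|cert|key|tls-auth) ' "$f"; then
    echo "FAIL: file-path ca/cert/key/tls-auth directive alongside inline blocks"; rc=1
  fi
  # 3. Each inline block appears exactly once, is closed, and starts with the expected header.
  for t in ca cert key tls-auth; do
    n_open=$(grep -c "^<$t>\$" "$f" || true); n_close=$(grep -c "^</$t>\$" "$f" || true)
    if [ "$n_open" != 1 ] || [ "$n_close" != 1 ]; then
      echo "FAIL: <$t> opened $n_open time(s), closed $n_close time(s)"; rc=1; continue
    fi
    case "$t" in
      ca|cert)  pat='^-----BEGIN CERTIFICATE-----$' ;;
      key)      pat='^-----BEGIN (RSA |EC )?PRIVATE KEY-----$' ;;
      tls-auth) pat='^-----BEGIN OpenVPN Static key V1-----$' ;;
    esac
    ovpn_block "$f" "$t" | grep -Eq "$pat" || { echo "FAIL: <$t> lacks expected header"; rc=1; }
  done
  return "$rc"
}

# Constructed sample profile for a self-test: placeholder bodies, not real key material.
# $1 = output path, $2 = "good" or "unclosed-key" (drops the </key> line to show a failure).
write_sample_ovpn() {
  {
    printf '%s\n' client 'dev tun' 'proto udp' 'remote 203.0.113.10 1194' \
      'remote-cert-tls server' 'key-direction 1'
    printf '<ca>\n-----BEGIN CERTIFICATE-----\nMIIB...placeholder\n-----END CERTIFICATE-----\n</ca>\n'
    printf '<cert>\n-----BEGIN CERTIFICATE-----\nMIIB...placeholder\n-----END CERTIFICATE-----\n</cert>\n'
    printf '<key>\n-----BEGIN PRIVATE KEY-----\nMIIE...placeholder\n-----END PRIVATE KEY-----\n'
    [ "$2" = unclosed-key ] || printf '</key>\n'
    printf '<tls-auth>\n-----BEGIN OpenVPN Static key V1-----\n00ff...placeholder\n-----END OpenVPN Static key V1-----\n</tls-auth>\n'
  } > "$1"
}
```

Run it as `check_ovpn ~/client-configs/files/{client name}.ovpn` after make_config.sh; a non-zero exit with FAIL lines means the profile should not be distributed.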