
Server

Install the openvpn package:

apt-get update
apt-get install openvpn easy-rsa

Copy easy-rsa examples:

cp -r /usr/share/easy-rsa/ /etc/openvpn
mkdir /etc/openvpn/easy-rsa/keys

Edit certificate variables:

vim /etc/openvpn/easy-rsa/vars
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="changeme"
export KEY_PROVINCE="changeme"
export KEY_CITY="changeme"
export KEY_ORG="example"
export KEY_EMAIL="changeme@example.com"
export KEY_OU="changeme"

# X509 Subject Field
export KEY_NAME="server"

Generate 2048-bit Diffie-Hellman parameters:

openssl dhparam -out /etc/openvpn/dh2048.pem 2048

Generate server certificates/keys:

cd /etc/openvpn/easy-rsa
. ./vars
./clean-all
./build-ca
./build-key-server server

Copy generated keys/certificates:

cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn

Now we need to set up networking.

Enable IPv4 forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward

and make it permanent:

vim /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

Configure the firewall (iptables). The rule masquerades traffic from the VPN subnet out of the public interface; replace eth0 if your interface is named differently:

iptables -t nat -A POSTROUTING -s 10.90.10.0/24 -o eth0 -j MASQUERADE

iptables-save

Note that iptables-save only prints the running ruleset; redirect its output to a file that is restored at boot (for example /etc/iptables/rules.v4 from the iptables-persistent package) if the rule should survive a reboot.

In our server configuration we will use the default UDP port 1194.

TIP: If your client is behind a firewall or in a "secure" corporate network with closed ports,
you should try to use UDP port 53 or 443 (don't forget to make changes in both server/client
configurations).

Create server config file:

vim /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# VPN subnet: the server takes 10.90.10.1, clients get the rest
server 10.90.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Send all client traffic (and DNS lookups) through the tunnel
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
# Let clients reach each other through the server
client-to-client
# Allow several clients to connect at once with the same certificate CN
duplicate-cn
keepalive 10 120
cipher AES-128-CBC
comp-lzo
# Drop root privileges after start-up
user nobody
group nogroup
persist-key
persist-tun
# Paths are relative to /etc/openvpn
status logs/status.log
log-append logs/openvpn.log
verb 3

Create the logs destination:

mkdir -p /etc/openvpn/logs
touch /etc/openvpn/logs/{openvpn,status}.log

Restart the openvpn service:

systemctl restart openvpn@server.service

Generating client certificates is kind of "complicated" and involves multiple steps by default.
To make it more friendly, I've created a simple bash script.

vim /etc/openvpn/gen-client.sh
#!/bin/bash
# Usage: ./gen-client.sh <username>
# Issues a client certificate with easy-rsa and bundles it, the CA
# certificate and the private key into one inline .ovpn profile.
set -e

username="$1"
if [ -z "${username}" ]; then
    echo "Usage: $0 <username>" >&2
    exit 1
fi

keys="/etc/openvpn/easy-rsa/keys"
ovpn="/etc/openvpn/clients/.tmp/${username}.ovpn"

# Generating key
echo "Generating key for user ${username}"
cd /etc/openvpn/easy-rsa/
source vars && ./pkitool "${username}"
cp /etc/openvpn/clients/.tmp/.tmp.ovpn "${ovpn}"
echo "Done"

# Adding ca certificate to ovpn client configuration file
echo "Adding ca certificate to ovpn client configuration file"
echo "<ca>" >> "${ovpn}"
grep -A 100 "BEGIN CERTIFICATE" "${keys}/ca.crt" | grep -B 100 "END CERTIFICATE" >> "${ovpn}"
echo "</ca>" >> "${ovpn}"
echo "Done"

# Adding user certificate to ovpn client configuration file
echo "Adding user certificate to ovpn client configuration file"
echo "<cert>" >> "${ovpn}"
grep -A 100 "BEGIN CERTIFICATE" "${keys}/${username}.crt" | grep -B 100 "END CERTIFICATE" >> "${ovpn}"
echo "</cert>" >> "${ovpn}"
echo "Done"

# Adding user key to ovpn client configuration file
echo "Adding user key to ovpn client configuration file"
echo "<key>" >> "${ovpn}"
grep -A 100 "BEGIN PRIVATE KEY" "${keys}/${username}.key" | grep -B 100 "END PRIVATE KEY" >> "${ovpn}"
echo "</key>" >> "${ovpn}"

# Collect the profile, the raw certificate/key and the CA certificate in a
# per-user directory and pack it with gzip (-z, to match the .tar.gz name
# and the tar -xzvf used on the client)
mkdir -p "/etc/openvpn/clients/${username}"
mv "${ovpn}" "/etc/openvpn/clients/${username}/${username}.ovpn"
cp "${keys}/${username}".{crt,key} "/etc/openvpn/clients/${username}"
cp "${keys}/ca.crt" "/etc/openvpn/clients/${username}"

cd /etc/openvpn/clients && tar -zcf "${username}.tar.gz" "${username}/"

echo "Done"

echo "
=========================================================================================

Configurations are located in /etc/openvpn/clients/${username}

---------------------------------------------------------------------------------

Download friendly version with:

'scp root@`hostname -f`:/etc/openvpn/clients/${username}.tar.gz .'

=========================================================================================
"

exit 0

Make it executable:

chmod +x /etc/openvpn/gen-client.sh

Now we need to create the client config template that gen-client.sh copies for each user in the next step.

mkdir -p /etc/openvpn/clients/.tmp/
vim /etc/openvpn/clients/.tmp/.tmp.ovpn
client
verb 1
dev tun
proto udp
port 1194
remote example.com 1194 udp
remote-cert-tls server
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
cipher AES-128-CBC

And finally generate the client config:

cd /etc/openvpn/
./gen-client.sh username

Client configurations are located in /etc/openvpn/clients/username, with the friendly version in
/etc/openvpn/clients/username.tar.gz:

tree /etc/openvpn/clients/
/etc/openvpn/clients/
├── username
│   ├── ca.crt
│   ├── username.crt
│   ├── username.key
│   └── username.ovpn
└── username.tar.gz
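As an added example (not code from the original page), the two things gen-client.sh does with grep pipelines, embedding PEM files as inline <ca>/<cert>/<key> blocks and then checking the finished profile, written as reusable POSIX sh functions. The PEM contents and paths are constructed; check_profile also requires mode 600, since the profile carries a private key.

```shell
#!/bin/sh
# Added example (not from the original page): build an inline .ovpn profile
# from PEM files and sanity-check it before handing it out. Assumes POSIX
# sh, awk, sed, grep and stat; all paths and PEM contents are constructed.

# Append one <section>...</section> block to a profile. The awk range copies
# the whole BEGIN..END block whatever its length, so unlike grep -A/-B 100
# it cannot truncate a long key or certificate.
embed_pem() {  # embed_pem <section> <pem file> <profile>
    { printf '<%s>\n' "$1"
      awk '/^-----BEGIN /,/^-----END /' "$2"
      printf '</%s>\n' "$1"; } >> "$3"
}

# Return 0 only if the profile has exactly one <ca>, <cert> and <key> block,
# each wrapping exactly one PEM object, and is readable by its owner only.
check_profile() {  # check_profile <profile>
    profile=$1 rc=0
    for s in ca cert key; do
        opens=$(grep -c "^<$s>\$" "$profile" || true)
        closes=$(grep -c "^</$s>\$" "$profile" || true)
        pems=$(sed -n "/^<$s>\$/,/^<\/$s>\$/p" "$profile" | grep -c '^-----BEGIN ' || true)
        [ "$opens" = 1 ] && [ "$closes" = 1 ] && [ "$pems" = 1 ] ||
            { echo "bad or missing <$s> block in $profile" >&2; rc=1; }
    done
    mode=$(stat -c %a "$profile" 2>/dev/null || stat -f %Lp "$profile")
    [ "$mode" = 600 ] || { echo "mode $mode on $profile, expected 600" >&2; rc=1; }
    return $rc
}

# Demo: constructed (not real) PEM material in a temporary directory.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBfakeCA==' '-----END CERTIFICATE-----' > "$d/ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBfakeUser' '-----END CERTIFICATE-----' > "$d/user.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIEfakeKey=' '-----END PRIVATE KEY-----' > "$d/user.key"
    printf '%s\n' client 'dev tun' 'proto udp' 'remote example.com 1194 udp' \
        'remote-cert-tls server' > "$d/user.ovpn"
    chmod 600 "$d/user.ovpn"
    embed_pem ca   "$d/ca.crt"   "$d/user.ovpn"
    embed_pem cert "$d/user.crt" "$d/user.ovpn"
    embed_pem key  "$d/user.key" "$d/user.ovpn"
    check_profile "$d/user.ovpn"
}

demo && echo "profile OK"
```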

Client side

Install the openvpn package:

apt-get update
apt-get install openvpn

Copy the client VPN configuration from the VPN server and unpack it:

scp root@example.com:/etc/openvpn/clients/username.tar.gz .
tar -xzvf username.tar.gz

Connect to the VPN server:

openvpn --config username.ovpn

Try to ping the VPN server:

ping 10.90.10.1
