If you are looking for adding user (or yourself) to OpenVPN for support purposes, check out Setup Open VPN User 2018 Edition

• Quick instructions on making new client certificate configurations are towards the bottom

This article explains how to install Open VPN on Ubuntu 18.04. The steps followed came from this Tutorial:

• https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04

————————————-

• START THE AWS INSTANCE
• sudo apt update
• sudo apt install openvpn
• wget -P ~/ https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz
• cd ~
• tar xvf EasyRSA-3.0.4.tgz
• cd ~/EasyRSA-3.0.4/
• cp vars.example vars
• vi vars
• [EDIT EASYRSA_REQ_ properties accordingly]
• ./easyrsa init-pki
• ./easyrsa build-ca nopass

————————————-

• sudo apt update
• sudo apt install openvpn
• wget -P ~/ https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz
• cd ~/EasyRSA-3.0.4/
• ./easyrsa init-pki
• ./easyrsa gen-req server nopass
• sudo cp ~/EasyRSA-3.0.4/pki/private/server.key /etc/openvpn/
• scp -i ~/pge2.pem ~/EasyRSA-3.0.4/pki/reqs/server.req ubuntu@10.91.200.205:/tmp

————————————-

• cd ~/EasyRSA-3.0.4/
• ./easyrsa import-req /tmp/server.req server
• [TYPE yes WHEN PROMPTED]

————————————-

• scp -i ~/pge2.pem ubuntu@10.91.200.205:/home/ubuntu/EasyRSA-3.0.4/pki/issued/server.crt /tmp
• scp -i ~/pge2.pem ubuntu@10.91.200.205:/home/ubuntu/EasyRSA-3.0.4/pki/ca.crt /tmp
• sudo cp /tmp/{server.crt,ca.crt} /etc/openvpn/
• cd EasyRSA-3.0.4/
• ./easyrsa gen-dh
• openvpn –genkey –secret ta.key
• sudo cp ~/EasyRSA-3.0.4/ta.key /etc/openvpn/
• sudo cp ~/EasyRSA-3.0.4/pki/dh.pem /etc/openvpn/

————————————-

• mkdir -p ~/client-configs/keys
• chmod -R 700 ~/client-configs
• cd ~/EasyRSA-3.0.4/
• ./easyrsa gen-req client1 nopass
• cp pki/private/client1.key ~/client-configs/keys/
• scp -i ~/pge2.pem pki/reqs/client1.req ubuntu@10.91.200.205:/tmp

————————————-

• cd EasyRSA-3.0.4/
• ./easyrsa import-req /tmp/client1.req client1
• ./easyrsa sign-req client client1

————————————-

• scp -i ~/pge2.pem ubuntu@10.91.200.205:/home/ubuntu/EasyRSA-3.0.4/pki/issued/client1.crt /tmp
• cp /tmp/client1.crt ~/client-configs/keys/
• cp ~/EasyRSA-3.0.4/ta.key ~/client-configs/keys/
• sudo cp /etc/openvpn/ca.crt ~/client-configs/keys/

————————————-

• sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
• sudo gzip -d /etc/openvpn/server.conf.gz
• sudo vi /etc/openvpn/server.conf
• [Add “key-direction 0” below “tls-auth ta.key 0”]
• [Add “auth SHA256” below “cipher AES-256-CBC”]
• [Change “dh dh2048.pem” to “dh dh.pem”]
• [Uncomment “user nobody” and “group nogroup”]
• [NOTE: Could update to PUSH DNS to clients. Could upadte to use a different port/protocol like 443/tcp vs. default 1194/udp.]
• sudo vi /etc/sysctl.conf
• [Uncomment “net.ipv4.ip_forward=1”]
• [Uncomment “push “redirect-gateway def1 bypass-dhcp””]
• [Uncomment “push “dhcp-option DNS 208.67.222.222”” and “push “dhcp-option DNS 208.67.220.220””]
• ip router | grep default
• [Locate the interface name, i.e. enp7s0, and copy it]
• sudo vi /etc/ufw/before.rules
• [Add the following lines:

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to enp7s0 (change to the interface you discovered!)
-A POSTROUTING -s 10.8.0.0/8 -o enp7s0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

• sudo vi /etc/default/ufw
• [Change DEFAULT_FORWARD_POLICY value from “DROP” to “ACCEPT”]
• sudo ufw allow 1194/udp
• sudo ufw allow OpenSSH
• sudo ufw disable
• sudo ufw enable
• sudo systemctl start openvpn@server
• sudo systemctl status openvpn@server
• [Output should show 'active (running)']
• sudo systemctl enable openvpn@server
• mkdir -p ~/client-configs/files
• cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
• vi ~/client-configs/base.conf
• [Update line “remote my-server-1 1194” to use your server IP “remote cloud.errigal.com 1194”]
• [Make sure “proto udp” is uncommented and that “proto tcp” is commented witht he ';' character]
• [Comment with '#' “tls-auth ta.key 1”]
• [Comment with '#' “ca”, “cert” and “key” prop lines]
• [Under line “cipher AES-256-CBC” add line “auth SHA256”]
• [Add “key-direction 1” to the file]
• [Add the following commented out lines:

# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf

• vi ~/client-configs/make_config.sh
• Insert the following content:

#!/bin/bash

# First argument: Client identifier

KEY_DIR=~/client-configs/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${1}.ovpn

• chmod 700 ~/client-configs/make_config.sh

————————————-

• cd ~/client-configs
• sudo ./make_config.sh client1

————————————-

• sftp scotty@olympus.err:client-configs/files/client1.ovpn ~/
• INSTALL Tunnelblick: https://tunnelblick.net/release/Tunnelblick_3.7.8_build_5180.dmg
• [Say you have no configuration files]
• [When install is complete, open a Finder window and double-click ~/client1.ovpn]
• In Tunnelblick, click 'Settings' and Check box to 'Redirect all IPV4 traffic through the VPN'
• If prompted to 'Always User Plugin', click it so that you always use the connect/disconnect plugin. Do not click 'Do not use plugin' or the like.
• Manually update your System Prefences → Network → Settings to include OpenDNS and Errigal DNS:
  • 10.91.100.71
  • 208.67.222.222
  • 208.67.220.220

————————————-

Visit OpenVPN Server Machine (olympus.err)

• cd ~/EasyRSA-3.0.4/
• ./easyrsa gen-req CONFIG_NAME nopass
• cp pki/private/CONFIG_NAME.key ~/client-configs/keys/
• scp -i ~/pge2.pem pki/reqs/CONFIG_NAME.req ubuntu@10.91.200.205:/tmp

Visit CA Machine (AWS Northern California: Errigal CA - DO NOT DELETE)

• cd EasyRSA-3.0.4/
• ./easyrsa import-req /tmp/CONFIG_NAME.req CONFIG_NAME
• ./easyrsa sign-req client CONFIG_NAME

Visit OpenVPN Server Machine (olympus.err)

• scp -i ~/pge2.pem ubuntu@10.91.200.205:/home/ubuntu/EasyRSA-3.0.4/pki/issued/CONFIG_NAME.crt /tmp
• cp /tmp/CONFIG_NAME.crt ~/client-configs/keys/
• cd ~/client-configs
• sudo ./make_config.sh CONFIG_NAME
• [Config File is ~/client-configs/files/CONFIG_NAME.ovpn]

MAKE SURE YOU STOP THE AWS Nothern California: Errigal CA - DO NOT DELETE instance

Visit OpenVPN Server Machine (olympus.err)

• sudo systemctl stop openvpn@server
• sudo systemctl start openvpn@server
• sudo systemctl enable openvpn@server
• sudo systemctl status openvpn@server