Last Updated: February 25, 2016
OpenVPN Server for Local Network

Abbreviated steps to set up an OpenVPN server that acts as expected, including routing to and from your local network.

Server configuration

Become root:

sudo su

Update apt and install OpenVPN:

apt-get update
apt-get install openvpn

Change to OpenVPN directory and copy easy-rsa data:

cd /etc/openvpn
cp -r /usr/share/easy-rsa /etc/openvpn/easy-rsa/

Edit vars:

vim easy-rsa/vars

Change export EASY_RSA="`pwd`" to export EASY_RSA="/etc/openvpn/easy-rsa". You can also change the default settings at the bottom of the file so you don't have to enter them over and over again while creating certificates.

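Change to the easy-rsa directory, source the file and get building:

cd easy-rsa
source vars
ln -s openssl-1.0.0.cnf openssl.cnf
./clean-all    # initializes keys/ (index.txt, serial); deletes any existing keys
./build-ca OpenVPN
./build-key-server server
./build-key client1
./build-dh     # writes keys/dh<KEY_SIZE>.pem, which the dh line in server.conf must match
cd ..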

Create OpenVPN config:

vim server.conf

dev tun
proto udp
port 1194

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
# file name follows KEY_SIZE in easy-rsa/vars (dh2048.pem for KEY_SIZE=2048)
dh /etc/openvpn/easy-rsa/keys/dh1024.pem

user nobody
group nogroup

status /var/log/openvpn-status.log
verb 3

# send all client traffic through the VPN
push "redirect-gateway def1"

# set the DNS servers
push "dhcp-option DNS"
push "dhcp-option DNS"

log-append /var/log/openvpn


Make sure IPv4 forwarding and gateway routing are enabled:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s -o eth0 -j SNAT --to [IPADDRESS]
vim /etc/sysctl.conf

Uncomment net.ipv4.ip_forward=1.

vim /etc/rc.local

Add the following just above exit 0:

iptables -A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT

iptables -t nat -A POSTROUTING -s -o eth0 -j SNAT --to-source [IPADDRESS]
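
To confirm that the forwarding and firewall steps above took effect, this added script (not part of the original page) checks the runtime and persistent ip_forward settings and parses iptables-save output for the SNAT rule on eth0 and for a UDP 1194 ACCEPT in the filter table; an ACCEPT placed in the nat table does not open the port when the filter INPUT policy drops traffic. The function names and the sample addresses 10.8.0.0/24 and 203.0.113.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Addresses are constructed.

# check_rules PORT WAN_IF: reads `iptables-save` output on stdin.
check_rules() {
    awk -v port="$1" -v wan="$2" '
        /^\*/ { table = substr($0, 2); next }   # table header: *nat, *filter
        /^-A / {
            if (table == "nat" && $2 == "POSTROUTING" &&
                $0 ~ (" -o " wan "( |$)") && $0 ~ / -j (SNAT|MASQUERADE)/) {
                nat = 1
                if ($0 !~ / -s /) print "WARN: NAT rule is not limited to a source subnet"
            }
            if ($2 == "INPUT" && $0 ~ / -p udp / &&
                $0 ~ (" --dport " port "( |$)") && $0 ~ / -j ACCEPT/) {
                if (table == "filter") acc = 1
                else print "WARN: udp/" port " ACCEPT is in table " table ", not filter"
            }
        }
        END {
            if (!nat) print "FAIL: no SNAT/MASQUERADE rule leaving " wan
            if (!acc) print "FAIL: no filter-table INPUT ACCEPT for udp/" port
            exit !(nat && acc)
        }'
}

# check_forwarding [PROC_FILE] [SYSCTL_CONF]: defaults are the live files.
check_forwarding() {
    proc=${1:-/proc/sys/net/ipv4/ip_forward}
    conf=${2:-/etc/sysctl.conf}
    if [ "$(cat "$proc" 2>/dev/null)" != 1 ]; then
        echo "FAIL: IPv4 forwarding is off in the running kernel"; return 1
    fi
    if ! grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1' "$conf" 2>/dev/null; then
        echo "WARN: forwarding is on but not set in $conf (lost on reboot)"; return 2
    fi
    echo "OK: forwarding enabled and persistent"
}

# Constructed dump in which the ACCEPT rule sits in the nat table.
SAMPLE='*nat
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 203.0.113.10
COMMIT
*filter
:INPUT DROP [0:0]
COMMIT'
printf '%s\n' "$SAMPLE" | check_rules 1194 eth0 || echo "ruleset needs fixing"
```

On the server, pipe iptables-save into check_rules 1194 eth0 and call check_forwarding with no arguments, as root and after a reboot, to confirm the rc.local and sysctl.conf changes persisted.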

Start OpenVPN:

service openvpn start

Client configuration

vim client1.ovpn

dev tun
proto udp
remote [IPADDRESS] 1194
resolv-retry infinite

ca ca.crt
cert client1.crt
key client1.key

verb 3

Copy ca.crt, client1.crt and client1.key to the same directory as the config file.