Last Updated: February 25, 2016
·
338
· herrbischoff

OpenVPN Server for Local Network

Abbreviated steps to set up an OpenVPN server that acts as expected, incuding routing to and from your local network.

Server configuration

Become root:

sudo su

Update apt and install OpenVPN

apt-get update  
apt-get install openvpn

Change to OpenVPN directory and copy easy-rsa data:

cd /etc/openvpn
cp -r /usr/share/easy-rsa /etc/openvpn/easy-rsa/

Edit vars:

vim easy-rsa/vars

Change export EASY_RSA="`pwd`" to export EASY_RSA="/etc/openvpn/easy-rsa". You can also change the default settings at the bottom of the file so you don't have to enter them over and over again while creating certificates.

Change the easy-rsa directory, source the file and get building:

cd easy-rsa
source vars
ln -s openssl-1.0.0.cnf openssl.cnf
./clean-all
./build-ca OpenVPN
./build-key-server server
./build-key client1
./build-dh
cd ..

Create OpenVPN config:

vim server.conf

dev tun

proto udp

port 1194

ca /etc/openvpn/easy-rsa/keys/ca.crt

cert /etc/openvpn/easy-rsa/keys/server.crt

key /etc/openvpn/easy-rsa/keys/server.key

dh /etc/openvpn/easy-rsa/keys/dh1024.pem

user nobody

group nogroup

server 10.8.0.0 255.255.255.0

persist-key

persist-tun

status /var/log/openvpn-status.log

verb 3

client-to-client

push "redirect-gateway def1"

#set the dns servers

push "dhcp-option DNS 8.8.8.8"

push "dhcp-option DNS 8.8.4.4"

log-append /var/log/openvpn

comp-lzo

Make sure IP4 forwarding and gateway routing is enabled:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to [IPADDRESS]
vim /etc/sysctl.conf

Uncomment net.ipv4.ip_forward=1.

vim /etc/rc.local

Add the following just above exit 0:

iptables -t nat -A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source [IPADDRESS]

Start OpenVPN:

service openvpn start

Client configuration

vim client1.ovpn

dev tun

client

proto udp

remote [IPADDRESS] 1194

resolv-retry infinite

nobind

persist-key

persist-tun

ca ca.crt

cert client1.crt

key client1.key

comp-lzo

verb 3

Copy ca.crt, client1.crt and client1.key to the same directory as the config file.