Sunday, October 08, 2017

Installing OpenVPN

Based on OpenVPN 2.4.0. On a Raspberry Pi...

   sudo apt-get install openvpn openssl easy-rsa
   sudo cp -r /usr/share/easy-rsa /etc/openvpn

Update the file /etc/openvpn/easy-rsa/vars:

   export EASY_RSA="/etc/openvpn/easy-rsa"
   export KEY_SIZE=2048

Create Certificates

These should be built in the /etc/openvpn/easy-rsa/keys directory.

   cd /etc/openvpn/easy-rsa
   sudo su
   source vars
   ln -s openssl-1.0.0.cnf openssl.cnf   # the easy-rsa scripts look for openssl.cnf
   ./clean-all                           # empties the keys directory first

   # build CA cert
   ./build-ca OpenVPN

   # build server key files
   ./build-key-server server

   # build client key files
   ./build-key client1
   ./build-key client2

   # build Diffie-Hellman key exchange
   ./build-dh

   # static key for tls-auth (HMAC on the TLS control channel)
   openvpn --genkey --secret ta.key

Create Server Configuration File

A default version can be found in /usr/share/doc/openvpn/examples/sample-config-files. The server configuration should be saved as /etc/openvpn/openvpn.conf. However, this is all that is required:

   port 1194
   proto udp
   dev tun
   ca /etc/openvpn/easy-rsa/keys/ca.crt
   cert /etc/openvpn/easy-rsa/keys/server.crt
   key /etc/openvpn/easy-rsa/keys/server.key
   dh /etc/openvpn/easy-rsa/keys/dh2048.pem
   server 10.8.0.0 255.255.255.0
   ifconfig-pool-persist ipp.txt
   keepalive 10 120
   cipher AES-128-CBC
   tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
   comp-lzo
   persist-key
   persist-tun
   status /var/log/openvpn-status.log
   log /var/log/openvpn
   verb 3
   explicit-exit-notify 1

Create Client Configuration File

This is all that is required (replace <server-hostname-or-ip> with the server's public address; the inline <ca>, <cert>, <key> and <tls-auth> blocks hold the contents of ca.crt, client1.crt, client1.key and ta.key):

   client
   dev tun
   proto udp
   remote <server-hostname-or-ip> 1194
   resolv-retry infinite
   nobind
   persist-key
   persist-tun
   mute-replay-warnings
   ns-cert-type server   # deprecated in 2.4; remote-cert-tls server is the replacement
   key-direction 1
   cipher AES-128-CBC
   comp-lzo
   verb 1
   mute 20

   <ca>
   -----BEGIN CERTIFICATE-----
   ...
   -----END CERTIFICATE-----
   </ca>

   <cert>
   -----BEGIN CERTIFICATE-----
   ...
   -----END CERTIFICATE-----
   </cert>

   <key>
   -----BEGIN PRIVATE KEY-----
   ...
   -----END PRIVATE KEY-----
   </key>

   <tls-auth>
   #
   # 2048 bit OpenVPN static key
   #
   -----BEGIN OpenVPN Static key V1-----
   ...
   -----END OpenVPN Static key V1-----
   </tls-auth>
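As an added check (my script, not part of the original post or of OpenVPN), the following parses a server or client config as written above, resolves its file directives, confirms a client carries its material either as files or as inline <ca>/<cert>/<key>/<tls-auth> blocks, and verifies that the tls-auth key direction pairs 0 on the server with 1 on the client. The `exists` parameter is a hook so the file check can be exercised without touching the filesystem; base_dir assumes the Debian layout where the daemon runs from /etc/openvpn.

```python
import os
import re
FILE_DIRECTIVES = ("ca", "cert", "key", "dh", "tls-auth")
INLINE_RE = re.compile(r"<(ca|cert|key|tls-auth|dh)>.*?</\1>", re.S)

def parse_config(text):
    """Split a config into {directive: [arg lists]} plus the set of inline <tag> block names."""
    inline = {m.group(1) for m in INLINE_RE.finditer(text)}
    directives = {}
    for line in INLINE_RE.sub("", text).splitlines():
        line = line.strip()
        if not line or line[0] in "#;":  # blank lines and comments
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives, inline

def check_config(text, role, base_dir="/etc/openvpn", exists=os.path.exists):
    """Return a list of findings for a 'server' or 'client' config; empty means it passed."""
    directives, inline = parse_config(text)
    findings = []
    # 1. every referenced file must exist; relative paths resolve from base_dir (the daemon's cwd)
    for name in FILE_DIRECTIVES:
        for args in directives.get(name, []):
            path = args[0] if args[0].startswith("/") else os.path.join(base_dir, args[0])
            if not exists(path):
                findings.append(f"{name}: file not found: {path}")
    if role == "client":
        # 2. a client needs ca/cert/key/tls-auth as a file directive or as an inline <tag> block
        for name in ("ca", "cert", "key", "tls-auth"):
            if name not in directives and name not in inline:
                findings.append(f"{name}: missing (no file directive and no <{name}> block)")
        # 3. 'remote' takes the server host first; a bare port means the host was dropped
        remotes = directives.get("remote", [])
        if not remotes or not remotes[0] or remotes[0][0].isdigit():
            findings.append("remote: server host missing")
    # 4. tls-auth key direction: 0 on the server, 1 on the client (3rd argument or key-direction)
    want = "0" if role == "server" else "1"
    direction = next((a[1] for a in directives.get("tls-auth", []) if len(a) > 1), None)
    kd = directives.get("key-direction")
    if kd and kd[0]:
        direction = kd[0][0]
    if ("tls-auth" in directives or "tls-auth" in inline) and direction != want:
        findings.append(f"tls-auth: key direction should be {want}, got {direction}")
    # 5. options deprecated in OpenVPN 2.4
    if "ns-cert-type" in directives:
        findings.append("ns-cert-type: deprecated, use 'remote-cert-tls server'")
    if "comp-lzo" in directives:
        findings.append("comp-lzo: compression is deprecated in 2.4; drop it unless the peer needs it")
    return findings
```

Run `check_config(open("/etc/openvpn/openvpn.conf").read(), "server")` as root and clear every finding before starting the service; a missing slash in a keys path (keysca.crt instead of keys/ca.crt) shows up as a "file not found" line.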

Routing all Client Traffic Through VPN

To route all traffic through the VPN, the following is added to /etc/openvpn/openvpn.conf:

   push "redirect-gateway def1 bypass-dhcp"
   push "dhcp-option DNS 208.67.222.222"
   push "dhcp-option DNS 208.67.220.220"
   push "dhcp-option DNS 8.8.8.8"
   user nobody    # drop root privileges once the tunnel is up
   group nogroup

And the following firewall rule is required so that all traffic initiated from clients is masqueraded as traffic leaving wlan0 (change this to the appropriate interface!):

   iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j MASQUERADE

Installing iptables-persistent can make the firewall rules persistent:

   sudo apt-get install iptables-persistent

They are saved with (run as root: with sudo the redirection would be performed by the unprivileged shell):

   iptables-save >/etc/iptables/rules.v4

or better:

   dpkg-reconfigure iptables-persistent

To list the NAT tables:

   iptables -t nat -vL

It is also necessary to enable IP forwarding by un-commenting net.ipv4.ip_forward=1 in /etc/sysctl.conf and running sudo sysctl -p.