OpenVPN Server with easy-rsa on Ubuntu 14.04 easy setup

In case you want to run a simple OpenVPN server on your own host, but, like me, think most tutorials do not focus enough on the plain commands, feel free to follow this little instruction set:

# install openvpn and easy-rsa
sudo apt-get install openvpn easy-rsa
# copy sample config files
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
# unzip files in the designated folder
sudo gunzip /etc/openvpn/server.conf.gz
# copy easy-rsa scripts (required for easy key generation)
sudo cp -r /usr/share/easy-rsa /etc/openvpn/easy-rsa2
# sometimes the keys folder is missing, which is why we generate it to be sure
sudo mkdir /etc/openvpn/easy-rsa2/keys -p
# since 14.04 openvpn requires an additional variable in the vars file
sudo sh -c 'echo "export KEY_ALTNAMES=\"Irgendwas\"" >> /etc/openvpn/easy-rsa2/vars'
# copy the openssl config matching the installed openssl version, so the easy-rsa scripts find it as openssl.cnf
sudo cp /etc/openvpn/easy-rsa2/openssl-1.0.0.cnf /etc/openvpn/easy-rsa2/openssl.cnf
# customize the vars file with the best editor in the world (but you could use vi, nano, ... too)
sudo vim /etc/openvpn/easy-rsa2/vars

Set your /etc/openvpn/server.conf to:

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa2/keys/ca.crt
cert /etc/openvpn/easy-rsa2/keys/server.crt
key /etc/openvpn/easy-rsa2/keys/server.key
dh /etc/openvpn/easy-rsa2/keys/dh2048.pem
ifconfig-pool-persist ipp.txt
keepalive 10 120
status openvpn-status.log
verb 3

Back in the terminal we will now start the crypto-foo:

# get root to simplify following commands
sudo -i
# change dir to the easy-rsa scripts folder
cd /etc/openvpn/easy-rsa2/
# set variables into current bash session
source ./vars
# clean existing dir (attention! deletes everything in keys folder)
./clean-all
# generate certificate authority key
./build-ca
# generate server key
./build-key-server server
# generate diffie hellman parameter (can take some time)
./build-dh

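Before pointing server.conf at the keys folder it is worth checking what easy-rsa actually wrote there. The script below is an added example, not part of the original post: it verifies that every certificate chains to ca.crt, that each private key belongs to its certificate, that key files are not group/world readable, and that the DH parameters are at least 2048 bits. It assumes the openssl command-line tool is installed and the file layout of the keys folder described above (ca.crt, server.crt/.key, dh2048.pem, client*.crt/.key). The make_test_pki helper builds a throwaway CA with plain openssl (constructed test data) so the checker can be tried without easy-rsa.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the PKI that
# easy-rsa wrote to the keys folder before using it in server.conf.
# Assumes the openssl CLI is installed.

# Return 0 if every check on the key directory passes, 1 otherwise.
verify_openvpn_pki() {
    dir="$1"
    ok=0

    # 1. Every certificate must chain to the CA we intend to trust.
    for crt in "$dir"/server.crt "$dir"/client*.crt; do
        [ -f "$crt" ] || continue
        if ! openssl verify -CAfile "$dir/ca.crt" "$crt" >/dev/null 2>&1; then
            echo "FAIL: $crt is not signed by $dir/ca.crt"
            ok=1
        fi
    done

    # 2. Each private key must belong to its certificate (modulus comparison).
    for key in "$dir"/server.key "$dir"/client*.key; do
        [ -f "$key" ] || continue
        crt="${key%.key}.crt"
        cmod=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null || true)
        kmod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null || true)
        if [ -z "$cmod" ] || [ "$cmod" != "$kmod" ]; then
            echo "FAIL: $key does not match $crt"
            ok=1
        fi
    done

    # 3. Private keys must not be group/world readable.
    for key in "$dir"/*.key; do
        [ -f "$key" ] || continue
        mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
        case "$mode" in
            600|400) ;;
            *) echo "FAIL: $key has mode $mode, expected 600"; ok=1 ;;
        esac
    done

    # 4. The DH parameters referenced by server.conf must be at least 2048 bits.
    if [ -f "$dir/dh2048.pem" ]; then
        bits=$(openssl dhparam -in "$dir/dh2048.pem" -text -noout 2>/dev/null \
               | sed -n 's/.*(\([0-9]*\) bit).*/\1/p')
        if [ "${bits:-0}" -lt 2048 ]; then
            echo "FAIL: dh2048.pem is only ${bits:-0} bits"
            ok=1
        fi
    fi

    return $ok
}

# Constructed test data: a throwaway CA, one server and one client certificate
# made with plain openssl (no easy-rsa needed). Not a real deployment.
make_test_pki() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=TestCA \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    for name in server client1; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
        openssl x509 -req -days 1 -in "$dir/$name.csr" \
            -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
            -out "$dir/$name.crt" >/dev/null 2>&1
    done
    chmod 600 "$dir"/*.key
}

# Usage: sh verify_pki.sh /etc/openvpn/easy-rsa2/keys
# Without an argument, the constructed throwaway PKI in a temp dir is checked.
if [ -n "${1:-}" ]; then
    verify_openvpn_pki "$1" && echo "OK: $1"
else
    tmp=$(mktemp -d)
    make_test_pki "$tmp"
    verify_openvpn_pki "$tmp" && echo "OK: constructed PKI in $tmp"
    rm -rf "$tmp"
fi
```

Run it as root against the real keys folder after build-dh has finished; any FAIL line names the file to regenerate or chmod before the server is started.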
And now you are basically done. If a firewall sits in front of the server, remember to open the OpenVPN port (set in /etc/openvpn/server.conf; defaults to 1194).

To add clients, each with its own key pair, use distinct key names:

sudo -E ./build-key client1
sudo -E ./build-key client2
sudo -E ./build-key client3

or, in case you want the key password protected (which requires entering the password every time you connect):

sudo -E ./build-key-pass client1
sudo -E ./build-key-pass client2
sudo -E ./build-key-pass client3

Now safely(!) distribute the keys to your client machines, using PGP, secure USB sticks or printed paper 🙂, according to the following scheme:

[Diagram: key distribution scheme. Original by yed, licensed under CC BY-SA 4.0]

You might

Do not forget to start your server:

/etc/init.d/openvpn start server

If you want to use these files on the client with your Network-Manager, install the required plugin:

sudo apt-get install network-manager-openvpn

and set the following options:

[Screenshot: openVPN-NetworkManager settings]

It is also possible to generate a .conf or .ovpn file, which is required by some apps, e.g. on Android and iOS, but this will be handled in a separate post soon.