OpenVPN Quick How To

Alex, May 5, 2016 10:27
If you have been looking around the interwebs for a how-to-set-up-that-bloody-VPN-server-you-need-to-access-IP-blocked-content and could not find a working solution, this page is for you. Here is my script; use and modify it as you please. A link back is always appreciated.

Twitter question

From a question on twitter:
Okay, dear Linux/server people: I'd appreciate a guide to set up openvpn server. Not deep understanding, just get it up and running. @JaschMedia
I can do that: I use a simple script whenever I need a new OpenVPN server. Follow these steps and you have an OpenVPN tunnel up and running in minutes.


There are more secure ways of setting up a VPN: this one keeps the CA on the VPN host itself, uses no tls-auth key, and hands each client its private key inside the .ovpn file. Do not use this guide to protect your nuclear plant (and if you are Googling for that, resign from that job immediately). It is here for demonstration and educational purposes only.

Install all the things

I only run Debian Linux, so replace apt-get with your package manager if you are on a different flavor. Run all commands as root.
# apt-get install -y openvpn easy-rsa
# /etc/init.d/openvpn stop

#!/bin/bash
# (c) 2016 HackPending -
# Provided as-is.
# Run as root on Debian. The easy-rsa steps are interactive and prompt for
# every certificate; the defaults come from the vars file written below.

# Public address of eth0 (net-tools output; on newer Debian use: ip -4 addr show eth0)
HOSTIP=`ifconfig eth0 | grep "inet addr" | cut -f2 -d: | cut -f1 -d " "`
echo $HOSTIP
apt-get install -y openvpn easy-rsa
/etc/init.d/openvpn stop

# Per-client settings, looked up by the Common Name of the client certificate.
# push takes ONE argument, so multi-word options have to be quoted in the file.
# ifconfig-push takes the client's tunnel address and netmask, dhcp-option DNS
# the resolver to hand out.
mkdir -p /etc/openvpn/client-config-dir
echo "ifconfig-push
push \"redirect-gateway def1\"
push \"dhcp-option DNS\"
push remote-gateway
" > /etc/openvpn/client-config-dir/iphone
echo "ifconfig-push
push remote-gateway
" > /etc/openvpn/client-config-dir/router

# Server side. mode server only works together with tls-server. Give the
# server its own tunnel address with ifconfig (same subnet as the
# ifconfig-push addresses) so the kernel has a route back to the clients.
echo "proto tcp
port 443
verb 3
log-append /var/log/openvpn.log
dev tun0
cipher AES-256-CBC
mode server
tls-server
topology subnet
keepalive 30 500
client-config-dir /etc/openvpn/client-config-dir
ca /etc/openvpn/tun0/ca.crt
cert /etc/openvpn/tun0/server.crt
key /etc/openvpn/tun0/server.key
dh /etc/openvpn/tun0/dh4096.pem
" > /etc/openvpn/openvpn.conf

mkdir -p /etc/openvpn/tun0
cp -prv /usr/share/easy-rsa /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
# KEY_CN is the Common Name offered at every prompt. Type a different one for
# the CA, the server and each client: server mode identifies a client by its
# CN, and a second session with the same CN replaces the first.
echo "export EASY_RSA=\"/etc/openvpn/easy-rsa\"
export OPENSSL=\"openssl\"
export PKCS11TOOL=\"pkcs11-tool\"
export GREP=\"grep\"
export KEY_CONFIG=\`\$EASY_RSA/whichopensslcnf \$EASY_RSA\`
export KEY_DIR=\"\$EASY_RSA/keys\"
export PKCS11_MODULE_PATH=\"dummy\"
export PKCS11_PIN=\"dummy\"
export KEY_SIZE=4096
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY=\"US\"
export KEY_PROVINCE=\"NY\"
export KEY_CITY=\"City\"
export KEY_ORG=\"OrgName\"
export KEY_EMAIL=\"me@localhost\"
export KEY_CN=${HOSTIP}
export KEY_OU=
" > /etc/openvpn/easy-rsa/vars
. ./vars
# Start from an empty keys/ directory, then build the CA and the DH parameters
# the server config points at. build-dh with KEY_SIZE=4096 takes a long time.
./clean-all
./build-ca
./build-dh
cp keys/ca.crt /etc/openvpn/tun0/ca.crt
# keys/ca.key is the CA signing key. The server never reads it, so it is not
# copied next to the server key; move it off this host once the client
# certificates have been issued.
./build-key-server server
cp keys/server.key /etc/openvpn/tun0/server.key
cp keys/server.crt /etc/openvpn/tun0/server.crt
cp keys/dh4096.pem /etc/openvpn/tun0/dh4096.pem
chmod 600 /etc/openvpn/tun0/server.key
for CONFIG in iphone router; do
  echo "build-key: ${CONFIG}"
  if [ ! -r keys/${CONFIG}.crt ]; then
    ./build-key ${CONFIG}
    cp keys/${CONFIG}.crt /etc/openvpn/tun0/${CONFIG}.crt
    cp keys/${CONFIG}.key /etc/openvpn/tun0/${CONFIG}.key
  fi
  echo "Create ${CONFIG} client config"
  # ns-cert-type server checks the nsCertType extension that build-key-server
  # puts in the server certificate. OpenVPN 2.4 deprecated it and 2.5 removed
  # it; remote-cert-tls server is the replacement and the same certificate
  # satisfies it. Inline certificate and key material must sit between
  # <ca>, <cert> and <key> tags or the client will not find it.
  echo "client
dev tun
proto tcp
remote ${HOSTIP} 443
resolv-retry infinite
cipher AES-256-CBC
verb 3
ns-cert-type server
mute 20
link-mtu 1400
mssfix 1400
<ca>
`cat /etc/openvpn/tun0/ca.crt`
</ca>
<cert>
`cat /etc/openvpn/tun0/${CONFIG}.crt`
</cert>
<key>
`cat /etc/openvpn/tun0/${CONFIG}.key`
</key>
" > /etc/openvpn/tun0/${CONFIG}.ovpn
  chmod 600 /etc/openvpn/tun0/${CONFIG}.ovpn
done
echo "Enable forwarding"
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "OpenVPN forwarding"
# Let replies back into the tunnel, forward traffic from the VPN subnet out of
# eth0 and masquerade it behind the host address. -s takes the VPN subnet.
iptables -A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
# Make the same settings survive a reboot. Debian's rc.local ends in "exit 0";
# anything appended after that line never runs, so drop it and put it back last.
sed -i '/^exit 0$/d' /etc/rc.local
echo >> /etc/rc.local
echo "# VPN setup" >> /etc/rc.local
echo "echo 1 > /proc/sys/net/ipv4/ip_forward" >> /etc/rc.local
echo "# Routing" >> /etc/rc.local
echo "iptables -A FORWARD -i eth0 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT" >>  /etc/rc.local
echo "iptables -A FORWARD -s -o eth0 -j ACCEPT" >> /etc/rc.local
echo "iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE" >> /etc/rc.local
echo "exit 0" >> /etc/rc.local
echo "Restarting openvpn"
/etc/init.d/openvpn start

Copy the script above to a file called

# chmod 700
# ./
Answer all the questions and your VPN will be set up. When easy-rsa asks for the Common Name, give the CA, the server and each client a different one: the server identifies a client by its CN, and a second session with the same CN replaces the first. In the directory /etc/openvpn/tun0 you will find router.ovpn and iphone.ovpn. Download both from your server and then delete them there; each file embeds that client's private key. The difference between the two is that iphone.ovpn redirects all traffic through the VPN tunnel, while router.ovpn only sets up a route to the 192.168.44/24 network via the tunnel. You can replace by if you are running your own DNS.
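To see what the client's server check and the inline profile layout actually rest on, here is an added example (my code, not the HackPending script or easy-rsa): it builds a throwaway CA, a server certificate and client certificates with plain openssl, using the same extensions build-key-server sets, then verifies that only the server certificate passes the check behind ns-cert-type server / remote-cert-tls server, flags two client certificates that share a Common Name, and assembles an inline .ovpn. The address 203.0.113.10, the names and the scratch directory are made up for the demo; the only requirement is openssl on the PATH.

```shell
#!/bin/sh
# Added example, not the HackPending script: throwaway PKI with plain openssl
# to show (1) what the client's ns-cert-type/remote-cert-tls check relies on,
# (2) why each client needs its own Common Name, (3) the <ca>/<cert>/<key>
# layout an inline .ovpn needs. Assumes openssl on PATH; 203.0.113.10 is a
# made-up server address.
set -e

# mk_ca DIR: self-signed CA. ca.key signs everything and is never needed on
# the VPN server itself.
mk_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-ca" \
        -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

# mk_cert DIR NAME ROLE [CN]: issue NAME.crt signed by the CA. ROLE "server"
# adds the extensions easy-rsa's build-key-server sets (nsCertType=server,
# extendedKeyUsage=serverAuth); "client" gets the client variants instead.
mk_cert() {
    dir=$1; name=$2; role=$3; cn=${4:-$2}
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
    if [ "$role" = server ]; then
        printf 'nsCertType=server\nextendedKeyUsage=serverAuth\n' > "$dir/$name.ext"
    else
        printf 'nsCertType=client\nextendedKeyUsage=clientAuth\n' > "$dir/$name.ext"
    fi
    openssl x509 -req -days 1 -in "$dir/$name.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/$name.ext" \
        -out "$dir/$name.crt" >/dev/null 2>&1
}

# is_server_cert CERT CA: succeeds only if CERT chains to CA *and* carries the
# server marking. A client certificate from the same CA must fail here, or any
# client could pose as the server to the others.
is_server_cert() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# unique_cns DIR NAME...: fails if two listed certificates share a subject.
# OpenVPN's server mode keys sessions on the CN; a second client with the same
# CN replaces the first unless duplicate-cn is set.
unique_cns() {
    dir=$1; shift
    for n in "$@"; do
        openssl x509 -in "$dir/$n.crt" -noout -subject
    done | sort | uniq -d | grep -q . && return 1
    return 0
}

# inline_block TAG FILE: wrap the PEM body of FILE in <TAG>...</TAG>, dropping
# the human-readable dump easy-rsa prepends to .crt files.
inline_block() {
    printf '<%s>\n' "$1"
    sed -n '/-----BEGIN/,/-----END/p' "$2"
    printf '</%s>\n' "$1"
}

# build_profile HOST NAME DIR: print a self-contained client profile.
build_profile() {
    printf 'client\ndev tun\nproto tcp\nremote %s 443\nresolv-retry infinite\n' "$1"
    printf 'cipher AES-256-CBC\nremote-cert-tls server\nverb 3\n'
    inline_block ca   "$3/ca.crt"
    inline_block cert "$3/$2.crt"
    inline_block key  "$3/$2.key"
}

main() {
    d=$(mktemp -d)
    mk_ca "$d"
    mk_cert "$d" server server
    mk_cert "$d" iphone client
    mk_cert "$d" router client
    is_server_cert "$d/server.crt" "$d/ca.crt" && echo "server.crt: server cert, chains to CA"
    is_server_cert "$d/iphone.crt" "$d/ca.crt" || echo "iphone.crt: rejected as server (correct)"
    unique_cns "$d" iphone router && echo "client CNs are distinct"
    build_profile 203.0.113.10 iphone "$d" > "$d/iphone.ovpn"
    echo "wrote $d/iphone.ovpn"
}
main
```

Run it as `sh check-pki.sh`. Against real easy-rsa output, point is_server_cert at /etc/openvpn/tun0/server.crt and ca.crt, and unique_cns at the client certificates in keys/, before handing out any .ovpn file.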