apt-get install openvpn
https://openvpn.net/index.php/open-source/documentation/howto.html
https://www.howtoforge.com/tutorial/how-to-install-openvpn-server-and-client-with-easy-rsa-3-on-centos-8/
New Download version (14-10-2020) https://github.com/OpenVPN/easy-rsa.git
mkdir /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
unzip easy-rsa-master.zip
cd /etc/openvpn/easy-rsa/easy-rsa-master
#Clear MS Windows shit (90% of space)
rm -rf distro/windows
cd /etc/openvpn/easy-rsa/easy-rsa-master/easyrsa3
vi vars
if [ -z "$EASYRSA_CALLER" ]; then
echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
echo "This is no longer necessary and is disallowed. See the section called" >&2
echo "'How to use this file' near the top comments for more details." >&2
return 1
fi
set_var EASYRSA "${0%/*}"
set_var EASYRSA_OPENSSL "openssl"
set_var EASYRSA_PKI "$PWD/pki"
set_var EASYRSA_TEMP_DIR "$EASYRSA_PKI"
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "NL"
set_var EASYRSA_REQ_PROVINCE "<....>"
set_var EASYRSA_REQ_CITY "<Your City>"
set_var EASYRSA_REQ_ORG "<Your Organisation>"
set_var EASYRSA_REQ_EMAIL "<Info@Yourdomain>"
set_var EASYRSA_REQ_OU "Your Organisation>"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CURVE secp384r1
set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CERT_EXPIRE 3650
set_var EASYRSA_CRL_DAYS 180
set_var EASYRSA_CERT_RENEW 30
chmod 755 vars
./easyrsa init-pki
./easyrsa build-ca nopass
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: Unix4Life
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/easy-rsa-master/easyrsa3/pki/ca.crt
./easyrsa gen-req vpnserver nopass
Common Name (eg: your user, host, or server name) [vpnserver]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/easy-rsa-master/easyrsa3/pki/reqs/vpnserver.req
key: /etc/openvpn/easy-rsa/easy-rsa-master/easyrsa3/pki/private/vpnserver.key
./easyrsa sign-req server vpnserver
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/easy-rsa-master/easyrsa3/pki/easy-rsa-16485.Ej254q/tmp.AUmJ0y
Enter pass phrase for /etc/openvpn/easy-rsa/easy-rsa-master/easyrsa3/pki/private/ca.key:
Certificate created at: /etc/openvpn/easy-rsa/easy-rsa-master/easyrsa3/pki/issued/vpnserver.crt
openssl verify -CAfile pki/ca.crt pki/issued/vpnserver.crt
pki/issued/vpnserver.crt: OK
##Generating Diffie-Hellman (DH) params
./easyrsa gen-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time !!!!!!!!!!!!!!!!!!!
vi /etc/openvpn/server.conf
port <portnumber>
proto tcp
dev tun
ca ca.crt
cert vpnserver.crt
key vpnserver.key # This file should be kept secret
dh dh.pem
server <Your IP range you will choose for NAT> <SubnetMask>
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
duplicate-cn
keepalive 10 120
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 0
find /etc/openvpn/easy-rsa/easy-rsa-master/easyrsa3 -name '*.crt' -exec cp -p {} /etc/openvpn/ \;
find /etc/openvpn/easy-rsa/easy-rsa-master/easyrsa3 -name '*.key' -exec cp -p {} /etc/openvpn/ \;
find /etc/openvpn/easy-rsa/easy-rsa-master/easyrsa3 -name 'dh.pem' -exec cp -p {} /etc/openvpn/ \;
systemctl enable openvpn
systemctl start openvpn
# Build for all family members: client1/2/3/4
./easyrsa gen-req Client1
Enter PEM pass phrase: <Your passphrase>
Verifying - Enter PEM pass phrase: <Your passphrase>
Common Name (eg: your user, host, or server name) [Client1]: [Enter]
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/easy-rsa-master/easyrsa3/pki/reqs/Client1.req
key: /etc/openvpn/easy-rsa/easy-rsa-master/easyrsa3/pki/private/Client1.key
./easyrsa sign-req client Client1
Confirm request details: yes
Enter pass phrase for /etc/openvpn/easy-rsa/easy-rsa-master/easyrsa3/pki/private/ca.key: <Your passphrase>
Certificate created at: /etc/openvpn/easy-rsa/easy-rsa-master/easyrsa3/pki/issued/Client1.crt
find /etc/openvpn/easy-rsa/easy-rsa-master/easyrsa3 -name '*.crt' -exec cp -p {} /etc/openvpn/ \;
find /etc/openvpn/easy-rsa/easy-rsa-master/easyrsa3 -name '*.key' -exec cp -p {} /etc/openvpn/ \;
cat /etc/openvpn/easy-rsa/easy-rsa-master/easyrsa3/pki/index.txt