OpenVPN is open-source commercial software that implements virtual private network (VPN) techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).

OpenVPN allows peers to authenticate each other using pre-shared secret keys, certificates or username/password. When used in a multiclient-server configuration, it allows the server to release an authentication certificate for every client, using signatures and certificate authority. It uses the OpenSSL encryption library extensively, as well as the TLS protocol, and contains many security and control features.

OpenVPN has been ported and embedded to several systems. For example, DD-WRT has the OpenVPN server function. SoftEther VPN, a multi-protocol VPN server, also has an implementation of OpenVPN protocol.

Source: wikipedia.org

OpenVPN

Create the unprivileged group that the <code>group nogroup</code> line of server.conf (below) refers to:

sudo groupadd nogroup

 

DDClient-Dynamic DNS

sudo pacman -S ddclient --noconfirm && sudo nano /etc/ddclient/ddclient.conf

 

Input required:

Add the following lines and change the <code>login=</code> and <code>password=</code> values and the domain at the bottom.

For No-IP:

protocol=dyndns2
use=web, if=eth0
server=dynupdate.no-ip.com
login=your-@emailaddress.com
password='your-password'
your-dyndns_domain

Then open root's crontab:

sudo crontab -e

and add:

#######################DDClient
45 04 * * * /usr/sbin/ddclient --force
##################################

 

Easy-RSA

sudo pacman -S openvpn easy-rsa --noconfirm && sudo su
cd /etc/easy-rsa
export EASYRSA=$(pwd)
easyrsa init-pki
easyrsa build-ca nopass

 

Input required:

Change <code>your-dyndns_domain</code> to your domain. At the Common Name prompt enter your domain:
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:your-dyndns_domain
Your new CA certificate file for publishing is at:/etc/easy-rsa/pki/ca.crt
cp /etc/easy-rsa/pki/ca.crt /etc/openvpn/server/
easyrsa gen-req ArchServer nopass

At the Common Name prompt enter your-dyndns_domain and press Enter.

cp /etc/easy-rsa/pki/private/ArchServer.key /etc/openvpn/server/
openssl dhparam -out /etc/openvpn/server/dh.pem 2048
Generating the Diffie-Hellman parameters takes around 20 minutes.

 

Input required:

Replace <code>your-device</code> with a name for the client device (Smartphone, Laptop, etc.).
openvpn --genkey --secret /etc/openvpn/server/ta.key
easyrsa gen-req your-device

Enter a passphrase for the key when prompted. Do NOT type a Common Name: leave it empty and just press Enter (the default, your-device, is used).

easyrsa sign-req server ArchServer

Confirm by typing yes.

 

Input required:

Replace <code>your-device</code> with the name you chose for the client device (Smartphone, Laptop, etc.).
easyrsa sign-req client your-device

Confirm by typing yes.

mv /etc/easy-rsa/pki/issued/ArchServer.crt /etc/openvpn/server/
mkdir /etc/easy-rsa/pki/signed
mv /etc/easy-rsa/pki/issued/your-device.crt /etc/easy-rsa/pki/signed
exit
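Before the certificates and keys are used, it is worth verifying what Easy-RSA actually produced: the client side's <code>remote-cert-tls server</code> rejects any server certificate without the serverAuth Extended Key Usage, so a server certificate signed with the wrong <code>sign-req</code> type only shows up as a failed handshake later. The script below is an added example and not part of the original guide. It checks that ArchServer.crt chains to ca.crt and carries the server EKU, and that the server key and ta.key are readable by their owner only. The file names are the guide's; the function names are this example's own, and <code>check_cert_role</code> can equally be pointed at /etc/easy-rsa/pki/signed/your-device.crt with the role <code>client</code>.

```shell
#!/bin/sh
# Added example, not part of the guide: sanity-check the PKI files the
# Easy-RSA steps above leave in /etc/openvpn/server before OpenVPN is started.
# File names (ca.crt, ArchServer.crt, ArchServer.key, ta.key, dh.pem) are the
# guide's; the function names are this example's own.

# check_cert_role CERT server|client
# Succeeds if CERT carries the Extended Key Usage that the other side's
# "remote-cert-tls server" / "remote-cert-tls client" directive looks for.
# A server certificate signed with "easyrsa sign-req client" fails here, and
# every client configured with remote-cert-tls server would refuse it.
check_cert_role() {
    case $2 in
        server) want='TLS Web Server Authentication' ;;
        client) want='TLS Web Client Authentication' ;;
        *) echo "check_cert_role: role must be server or client" >&2; return 2 ;;
    esac
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Extended Key Usage' | grep -q "$want"
}

# check_chain CA CERT -> 0 if CERT was issued by CA and has not expired
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 &&
        openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1
}

# check_private FILE -> 0 if FILE exists and only its owner can read it
# (mode 600 or 400). The server key and ta.key must never be world-readable.
check_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null)
    case $mode in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# check_server_pki DIR
# Runs every check against the layout the guide produces; prints one line per
# finding and returns non-zero if anything is wrong.
check_server_pki() {
    dir=$1; rc=0
    check_chain "$dir/ca.crt" "$dir/ArchServer.crt" ||
        { echo "ArchServer.crt is not a valid, unexpired certificate signed by ca.crt"; rc=1; }
    check_cert_role "$dir/ArchServer.crt" server ||
        { echo "ArchServer.crt lacks the serverAuth EKU (signed as a client?)"; rc=1; }
    for f in ArchServer.key ta.key; do
        check_private "$dir/$f" ||
            { echo "$f is missing or readable by other users"; rc=1; }
    done
    [ -s "$dir/dh.pem" ] || { echo "dh.pem is missing or empty"; rc=1; }
    return $rc
}

# On the guide's host (as root, since the keys are root-only):
#   check_server_pki /etc/openvpn/server
#   check_cert_role /etc/easy-rsa/pki/signed/your-device.crt client
```

Run it as root after the <code>mv</code> commands above; a clean run prints nothing and exits 0, which is the state to be in before <code>systemctl start</code> in the server section.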

 

Client config & ovpngen AUR

cd && pikaur -S ovpngen --noconfirm

 

Input required:

Change <code>your-dyndns_domain</code> to your domain and replace <code>your-device</code> with the name you chose for the client device (Smartphone, Laptop, etc.).
sudo ovpngen your-dyndns_domain /etc/openvpn/server/ca.crt /etc/easy-rsa/pki/signed/your-device.crt /etc/easy-rsa/pki/private/your-device.key /etc/openvpn/server/ta.key > your-device.ovpn
sudo nano your-device.ovpn

 

Input required:

Change <code>your-dyndns_domain</code> to your domain in the <code>remote</code> line:

remote your-dyndns_domain 1194 udp

and add the following after the <code>verb 3</code> line:

cipher AES-256-CBC
auth SHA512
resolv-retry infinite
tls-version-min 1.2
auth-nocache
remote-cert-tls server
comp-lzo

Save with ctrl + x and confirm with yes.

 

Input required:

Copy the file to your phone and import it into the “OpenVPN for Android” application, or copy it to your computer:

scp your-device.ovpn your-user@192.168.1.xxx:/home/your-user/

 

Server config

sudo nano /etc/openvpn/server/server.conf

Input required:

Change the IP in the <code>push "route 192.168.1.0 255.255.255.0"</code> line to your home network if necessary, and set <code>max-clients</code> to the number of clients you need. Then enter the following:

port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/ArchServer.crt
key /etc/openvpn/server/ArchServer.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 192.168.1.0 255.255.255.0"
# Set your primary domain name server address for clients

########################Pi-hole
push "dhcp-option DNS 192.168.1.76"
###############################

###### https://dns.watch/
#push "dhcp-option DNS 84.200.69.80"
#push "dhcp-option DNS 84.200.70.40"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
#push "redirect-gateway def1"
push "redirect-gateway def1 bypass-dhcp"

client-to-client
duplicate-cn
keepalive 10 120
tls-version-min 1.2
tls-auth /etc/openvpn/server/ta.key 0
cipher AES-256-CBC
auth SHA512
#comp-lzo
compress lz4-v2
push "compress lz4-v2"
user nobody
group nogroup
persist-key
persist-tun
max-clients 2
remote-cert-tls client
#client-connect /etc/openvpn/vpn-connect.sh
#client-disconnect /etc/openvpn/vpn-disconnect.sh
#script-security 2
#crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
log /var/log/openvpn.log
verb 3
ifconfig-pool-persist ipp.txt
log-append /var/log/openvpn
status /tmp/vpn.status 10
ctrl + x
yes
sudo systemctl enable openvpn-server@server.service && sudo systemctl start openvpn-server@server.service

 

New clients

 

Input required:

Replace <code>your-device</code> with a name for the new client device (Smartphone, Laptop, etc.).
sudo su
cd /etc/easy-rsa
export EASYRSA=$(pwd)
easyrsa gen-req your-device

Enter a passphrase for the key when prompted. Do NOT type a Common Name: leave it empty and just press Enter (the default, your-device, is used).

 

Input required:

easyrsa sign-req client your-device

yes

 

Input required:

Change <code>your-dyndns_domain</code> to your domain and replace <code>your-device</code> with the name you chose for the client device (Smartphone, Laptop, etc.).

mv /etc/easy-rsa/pki/issued/your-device.crt /etc/easy-rsa/pki/signed
ovpngen your-dyndns_domain /etc/openvpn/server/ca.crt /etc/easy-rsa/pki/signed/your-device.crt /etc/easy-rsa/pki/private/your-device.key /etc/openvpn/server/ta.key > your-device.ovpn
nano your-device.ovpn

 

Input required:

Change <code>your-dyndns_domain</code> to your domain in the <code>remote</code> line:

remote your-dyndns_domain 1194 udp

and add the following after the <code>verb 3</code> line:

cipher AES-256-CBC
auth SHA512
resolv-retry infinite
tls-version-min 1.2
auth-nocache
remote-cert-tls server
comp-lzo

Save with ctrl + x and confirm with yes.

 

Input required:

Copy the file to your phone and import it into the “OpenVPN for Android” application, or copy it to your computer:

scp your-device.ovpn your-user@192.168.1.xxx:/home/your-user/

 

UFW

sudo pacman -S ufw --noconfirm && sudo nano /etc/default/ufw

Change:

DEFAULT_FORWARD_POLICY="DROP"

to

DEFAULT_FORWARD_POLICY="ACCEPT"
sudo nano /etc/ufw/before.rules

 

Input required:

Add the following block after the header comments (they end with <code>#   ufw-before-forward</code>) and before the line <code># Don't delete these required lines, otherwise there will be errors</code>, so that the NAT table comes before the <code>*filter</code> section. Change <code>your-interface</code> to the interface that carries your internet connection (for example <code>eth0</code>).

# NAT (Network Address Translation) table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Allow traffic from clients to the interface
-A POSTROUTING -s 10.8.0.0/24 -o your-interface -j MASQUERADE

# do not delete the "COMMIT" line or the NAT table rules above will not be processed
COMMIT
ctrl + x
yes
sudo ufw allow ssh && sudo ufw allow 1194/udp && sudo ufw allow 8001/tcp && sudo ufw allow 8080/tcp && sudo ufw allow 8082/tcp && sudo ufw allow 5232/tcp

y

sudo nano /etc/ufw/sysctl.conf

Uncomment:

#net/ipv4/ip_forward=1

to

net/ipv4/ip_forward=1

ctrl + x
yes

sudo ufw enable && sudo systemctl enable ufw.service && sudo systemctl start ufw.service
YES
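The before.rules edit in this section is the step most easily done wrong: the NAT table has to sit ahead of the <code>*filter</code> section, <code>your-interface</code> has to be the interface that actually carries the default route, and a second copy-and-paste leaves two <code>*nat</code> tables that ufw will not load. The script below is an added example and not part of the guide. It writes the guide's NAT block into a copy of before.rules at the right place, checks the result, and checks the <code>ip_forward</code> line of /etc/ufw/sysctl.conf. The function names are this example's own; <code>default_wan_iface</code> assumes iproute2's <code>ip</code> command is available, and the before.rules used in the test is a constructed excerpt of the real file's header.

```shell
#!/bin/sh
# Added example, not part of the guide: put the NAT block from the before.rules
# step into a copy of /etc/ufw/before.rules at the right place, with
# your-interface filled in, and check the result. Function names are this
# example's own; default_wan_iface assumes iproute2's "ip" command.

# default_wan_iface -> prints the interface that carries the default IPv4 route
default_wan_iface() {
    ip -o -4 route show default 2>/dev/null |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# nat_block IFACE -> prints the guide's *nat table for IFACE
# The name is validated because it lands in a root-owned firewall rule file.
nat_block() {
    case $1 in
        ''|*[!A-Za-z0-9_.-]*) echo "nat_block: bad interface name '$1'" >&2; return 1 ;;
    esac
    cat <<EOF
# NAT (Network Address Translation) table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Allow traffic from clients to the interface
-A POSTROUTING -s 10.8.0.0/24 -o $1 -j MASQUERADE

# do not delete the "COMMIT" line or the NAT table rules above will not be processed
COMMIT
EOF
}

# insert_nat_rules BEFORE_RULES IFACE OUT
# Writes OUT = BEFORE_RULES with the NAT block inserted directly before the
# "# Don't delete these required lines" marker, i.e. ahead of the *filter
# section. Refuses to add a second *nat table.
insert_nat_rules() {
    src=$1; iface=$2; out=$3
    if grep -q '^\*nat' "$src"; then
        echo "insert_nat_rules: $src already contains a *nat table" >&2; return 1
    fi
    grep -q "^# Don't delete these required lines" "$src" ||
        { echo "insert_nat_rules: marker line not found in $src" >&2; return 1; }
    block=$(nat_block "$iface") || return 1
    awk -v block="$block" '
        /^# Don.t delete these required lines/ && !done { print block; print ""; done = 1 }
        { print }' "$src" > "$out"
}

# nat_rules_ok FILE IFACE -> 0 if FILE masquerades the VPN subnet out of IFACE
# and its *nat table precedes the *filter table
nat_rules_ok() {
    grep -q "^-A POSTROUTING -s 10.8.0.0/24 -o $2 -j MASQUERADE\$" "$1" || return 1
    nat=$(grep -n '^\*nat' "$1" | head -1 | cut -d: -f1)
    filter=$(grep -n '^\*filter' "$1" | head -1 | cut -d: -f1)
    [ -n "$nat" ] && [ -n "$filter" ] && [ "$nat" -lt "$filter" ]
}

# ip_forward_enabled SYSCTL_CONF -> 0 if the forwarding line is uncommented
ip_forward_enabled() {
    grep -q '^net/ipv4/ip_forward=1' "$1"
}

# On the guide's host (as root):
#   iface=$(default_wan_iface)
#   insert_nat_rules /etc/ufw/before.rules "$iface" /tmp/before.rules.new
#   nat_rules_ok /tmp/before.rules.new "$iface" && cp /tmp/before.rules.new /etc/ufw/before.rules
#   ip_forward_enabled /etc/ufw/sysctl.conf
```

Writing to a copy first and only replacing /etc/ufw/before.rules once <code>nat_rules_ok</code> passes keeps a broken rule file from taking the firewall down on the next <code>ufw enable</code>.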