OpenVPN is open-source commercial[11] software that implements virtual private network (VPN) techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol[12] that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).[13]
OpenVPN allows peers to authenticate each other using pre-shared secret keys, certificates or username/password. When used in a multiclient-server configuration, it allows the server to release an authentication certificate for every client, using signatures and certificate authority. It uses the OpenSSL encryption library extensively, as well as the TLS protocol, and contains many security and control features.
OpenVPN has been ported to and embedded in several systems. For example, DD-WRT includes an OpenVPN server function. SoftEther VPN, a multi-protocol VPN server, also has an implementation of the OpenVPN protocol.
Source: wikipedia.org
sudo groupadd nogroup
sudo pacman -S ddclient --noconfirm && sudo nano /etc/ddclient/ddclient.conf
Add the following lines, changing login=, password= and the domain at the bottom.
For No-IP:
protocol=dyndns2
use=web, if=eth0
server=dynupdate.no-ip.com
login=your-@emailaddress.com
password='your-password'
your-dyndns_domain
sudo crontab -e
Add the following entry:
#######################DDClient
45 04 * * * /usr/sbin/ddclient --force
##################################
sudo pacman -S openvpn easy-rsa --noconfirm && sudo su
cd /etc/easy-rsa
export EASYRSA=$(pwd)
easyrsa init-pki
easyrsa build-ca nopass
At the Common Name prompt, enter your domain in place of your-dyndns_domain:
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:your-dyndns_domain
Your new CA certificate file for publishing is at: /etc/easy-rsa/pki/ca.crt
cp /etc/easy-rsa/pki/ca.crt /etc/openvpn/server/
easyrsa gen-req ArchServer nopass
At the Common Name prompt, enter your domain in place of your-dyndns_domain and press Enter.
cp /etc/easy-rsa/pki/private/ArchServer.key /etc/openvpn/server/
openssl dhparam -out /etc/openvpn/server/dh.pem 2048
openvpn --genkey --secret /etc/openvpn/server/ta.key
Replace your-device with a name for the device (e.g. Smartphone, Laptop):
easyrsa gen-req your-device
Enter your password and NO COMMON NAME!!
Hit Enter.
easyrsa sign-req server ArchServer
yes
Replace your-device with the device name you used above:
easyrsa sign-req client your-device
yes
mv /etc/easy-rsa/pki/issued/ArchServer.crt /etc/openvpn/server/
mkdir /etc/easy-rsa/pki/signed
mv /etc/easy-rsa/pki/issued/your-device.crt /etc/easy-rsa/pki/signed
exit
cd && pikaur -S ovpngen --noconfirm
Replace your-dyndns_domain with your domain and your-device with the device name:
sudo ovpngen your-dyndns_domain /etc/openvpn/server/ca.crt /etc/easy-rsa/pki/signed/your-device.crt /etc/easy-rsa/pki/private/your-device.key /etc/openvpn/server/ta.key > your-device.ovpn
sudo nano your-device.ovpn
Change the remote line to your domain:
remote your-dyndns_domain 1194 udp
and add the following after 'verb 3':
cipher AES-256-CBC
auth SHA512
resolv-retry infinite
tls-version-min 1.2
auth-nocache
remote-cert-tls server
comp-lzo
ctrl + x
Copy the file to your phone and import it into the “OpenVPN for Android” app, or copy it to your computer (your-user@192.168.1.xxx):
sudo scp your-device.ovpn your-user@192.168.1.xxx:/home/your-user/
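The profile that the ovpngen step and the manual edits above produce can also be built in one go. The script below is an added example, not part of this guide and not ovpngen's own code: it embeds ca.crt, the device certificate and key, and ta.key inline, and already contains the lines the guide has you add after 'verb 3'. The domain and the five file paths are arguments, so nothing about your layout is assumed; 'key-direction 1' is the client counterpart of the server's 'tls-auth ... 0'.

```shell
#!/bin/sh
# Added example, not part of the original guide and not ovpngen's code:
# builds a client profile with ca.crt, the client cert/key and ta.key embedded
# inline (what the guide runs ovpngen for), with the lines the guide adds by
# hand after 'verb 3' already included. The domain and the five file paths are
# caller-supplied arguments; no path below is assumed to exist.
# Usage: build_ovpn your-dyndns_domain ca.crt client.crt client.key ta.key > your-device.ovpn

# Emit one inline <tag>...</tag> block from a PEM file; fail if it is unreadable.
inline_block() {
    [ -r "$2" ] || { echo "build_ovpn: cannot read $2" >&2; return 1; }
    printf '<%s>\n' "$1"
    cat "$2"
    printf '</%s>\n' "$1"
}

build_ovpn() {
    # Refuse to write a half-finished profile: check all inputs first.
    for f in "$2" "$3" "$4" "$5"; do
        [ -r "$f" ] || { echo "build_ovpn: cannot read $f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $1 1194 udp
resolv-retry infinite
nobind
persist-key
persist-tun
# same TLS, cipher and HMAC settings as the guide's server.conf
tls-version-min 1.2
cipher AES-256-CBC
auth SHA512
auth-nocache
remote-cert-tls server
# the server uses 'tls-auth ta.key 0', so the client side of the key is direction 1
key-direction 1
# matches the guide's client profile; the server pushes 'compress lz4-v2'
comp-lzo
verb 3
EOF
    inline_block ca "$2"
    inline_block cert "$3"
    inline_block key "$4"
    inline_block tls-auth "$5"
}

# Run directly with five arguments to write a profile to stdout.
if [ $# -eq 5 ]; then build_ovpn "$@"; fi
```

Because all four files are checked before anything is printed, a typo in a path gives a clear error instead of a profile that is missing its <key> block.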
sudo nano /etc/openvpn/server/server.conf
Add the following. Change the local subnet in push "route 192.168.1.0 255.255.255.0" to yours, and set max-clients to the number of clients you need.
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/ArchServer.crt
key /etc/openvpn/server/ArchServer.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 192.168.1.0 255.255.255.0"
# Set your primary domain name server address for clients
########################Pi-hole
push "dhcp-option DNS 192.168.1.76"
###############################
###### https://dns.watch/
#push "dhcp-option DNS 84.200.69.80"
#push "dhcp-option DNS 84.200.70.40"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
#push "redirect-gateway def1"
push "redirect-gateway def1 bypass-dhcp"
client-to-client
duplicate-cn
keepalive 10 120
tls-version-min 1.2
tls-auth /etc/openvpn/server/ta.key 0
cipher AES-256-CBC
auth SHA512
#comp-lzo
compress lz4-v2
push "compress lz4-v2"
user nobody
group nogroup
persist-key
persist-tun
max-clients 2
remote-cert-tls client
#client-connect /etc/openvpn/vpn-connect.sh
#client-disconnect /etc/openvpn/vpn-disconnect.sh
#script-security 2
#crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
log /var/log/openvpn.log
verb 3
ifconfig-pool-persist ipp.txt
log-append /var/log/openvpn
status /tmp/vpn.status 10
ctrl + x
sudo systemctl enable openvpn-server@server.service && sudo systemctl start openvpn-server@server.service
To add another device, replace your-device with its name (e.g. Smartphone, Laptop):
sudo su
cd /etc/easy-rsa
export EASYRSA=$(pwd)
easyrsa gen-req your-device
Enter your password and NO COMMON NAME!!
Hit enter
easyrsa sign-req client your-device
yes
Replace your-dyndns_domain with your domain and your-device with the device name:
mv /etc/easy-rsa/pki/issued/your-device.crt /etc/easy-rsa/pki/signed
sudo ovpngen your-dyndns_domain /etc/openvpn/server/ca.crt /etc/easy-rsa/pki/signed/your-device.crt /etc/easy-rsa/pki/private/your-device.key /etc/openvpn/server/ta.key > your-device.ovpn
sudo nano your-device.ovpn
Change the remote line to your domain:
remote your-dyndns_domain 1194 udp
and add the following after 'verb 3':
cipher AES-256-CBC
auth SHA512
resolv-retry infinite
tls-version-min 1.2
auth-nocache
remote-cert-tls server
comp-lzo
ctrl + x
Copy the file to your phone and import it into the “OpenVPN for Android” app, or copy it to your computer (your-user@192.168.1.xxx):
sudo scp your-device.ovpn your-user@192.168.1.xxx:/home/your-user/
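Before handing a profile to a device, it is worth checking it against the server.conf above, since a cipher, auth, tls-version-min or tls-auth direction that differs between the two ends fails the handshake, and a missing remote-cert-tls line weakens it without any error. The script below is an added example, not part of this guide; it takes the two config paths as arguments and assumes nothing about where they live. It returns 0 when the pair agrees and otherwise prints each mismatch and returns the number found.

```shell
#!/bin/sh
# Added example, not part of the original guide: checks that a client .ovpn
# agrees with the server.conf it will connect to. Both paths are arguments.
# Usage: check_pair /etc/openvpn/server/server.conf your-device.ovpn

# First value of a directive; comment and 'push' lines never match on $1.
opt() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

check_pair() {
    server=$1; client=$2; errors=0
    # Settings that must be identical on both ends
    for k in cipher auth tls-version-min; do
        s=$(opt "$server" "$k"); c=$(opt "$client" "$k")
        if [ "$s" != "$c" ]; then
            echo "mismatch: $k server='$s' client='$c'"; errors=$((errors + 1))
        fi
    done
    # Each side should verify the other's certificate type
    grep -q '^remote-cert-tls server' "$client" || { echo "client lacks 'remote-cert-tls server'"; errors=$((errors + 1)); }
    grep -q '^remote-cert-tls client' "$server" || { echo "server lacks 'remote-cert-tls client'"; errors=$((errors + 1)); }
    # tls-auth key directions must be opposite: server 0, client 1
    # (an inline <tls-auth> block carries its direction in 'key-direction')
    sdir=$(awk '$1 == "tls-auth" { print $3; exit }' "$server")
    cdir=$(awk '$1 == "tls-auth" { print $3; exit } $1 == "key-direction" { print $2; exit }' "$client")
    if [ "$sdir" != "0" ] || [ "$cdir" != "1" ]; then
        echo "tls-auth direction: server='$sdir' client='$cdir' (expected 0 and 1)"; errors=$((errors + 1))
    fi
    # The client's remote line must use the server's port and protocol
    port=$(opt "$server" port); proto=$(opt "$server" proto)
    grep -q "^remote [^ ]* $port $proto" "$client" || { echo "client 'remote' line does not use $port/$proto"; errors=$((errors + 1)); }
    return $errors   # 0 when everything agrees
}

# Run directly with two arguments to check a real pair of files.
if [ $# -eq 2 ]; then check_pair "$1" "$2"; fi
```

Run it after every edit to either file; because it reads only the directives' first values it works on both a profile written by ovpngen and one edited by hand.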
sudo pacman -S ufw --noconfirm && sudo nano /etc/default/ufw
Change:
DEFAULT_FORWARD_POLICY="DROP"
to
DEFAULT_FORWARD_POLICY="ACCEPT"
sudo nano /etc/ufw/before.rules
Add the following block after the header comment block (the one ending in "# ufw-before-forward") and before the line "# Don't delete these required lines, otherwise there will be errors", and change your-interface to your network interface:
# NAT (Network Address Translation) table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from clients to the interface
-A POSTROUTING -s 10.8.0.0/24 -o your-interface -j MASQUERADE
# do not delete the "COMMIT" line or the NAT table rules above will not be processed
COMMIT
ctrl + x
sudo ufw allow ssh && sudo ufw allow 1194/udp && sudo ufw allow 8001/tcp && sudo ufw allow 8080/tcp && sudo ufw allow 8082/tcp && sudo ufw allow 5232/tcp
y
sudo nano /etc/ufw/sysctl.conf
Uncomment:
#net/ipv4/ip_forward=1
to
net/ipv4/ip_forward=1
ctrl + x
yes
sudo ufw enable && sudo systemctl enable ufw.service && sudo systemctl start ufw.service
YES