OpenVPN - create your own VPN server

apt-get install openvpn

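Download the current Easy-RSA archive (version of 14-10-2020) and unpack it into /etc/openvpn/easy-rsa, which is created below; the following commands assume it unpacks to a directory named easy-rsa-master. Check the archive against the project's published signature or checksum before you build a CA with it.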

mkdir /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa

cd /etc/openvpn/easy-rsa/easy-rsa-master
#Clear MS Windows shit (90% of space)
rm -rf distro/windows

cd /etc/openvpn/easy-rsa/easy-rsa-master/easyrsa3

vi vars
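# Contents of the Easy-RSA "vars" file. easyrsa loads this file itself and
# provides set_var; the guard below stops anyone from sourcing it by hand.
if [ -z "$EASYRSA_CALLER" ]; then
	echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
	echo "This is no longer necessary and is disallowed. See the section called" >&2
	echo "'How to use this file' near the top comments for more details." >&2
	return 1
fi

set_var EASYRSA "${0%/*}"
set_var EASYRSA_OPENSSL "openssl"
set_var EASYRSA_PKI "$PWD/pki"

# cn_only: certificates carry only a Common Name. The EASYRSA_REQ_* values
# below are used only when EASYRSA_DN is set to "org".
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_PROVINCE "<....>"
set_var EASYRSA_REQ_CITY "<Your City>"
set_var EASYRSA_REQ_ORG "<Your Organisation>"
set_var EASYRSA_REQ_EMAIL "<Info@Yourdomain>"
set_var EASYRSA_REQ_OU "<Your Organisation>"

# RSA keys of 2048 bits. EASYRSA_CURVE is only consulted when EASYRSA_ALGO
# is "ec", so it has no effect with the settings here.
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CURVE secp384r1

# CA certificate lifetime in days (about ten years).
set_var EASYRSA_CA_EXPIRE 3650
# Lifetime in days of a revocation list made with "./easyrsa gen-crl". A server
# that checks the CRL needs a fresh one before this period runs out.
set_var EASYRSA_CRL_DAYS 180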

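# easyrsa reads vars itself, so the file does not need the execute bit.
chmod 644 vars

./easyrsa init-pki
# No "nopass" for the CA: its private key signs every certificate this VPN
# trusts, so keep it encrypted. The sign-req steps further down prompt for
# this pass phrase.
./easyrsa build-ca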
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: Unix4Life

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:


./easyrsa gen-req vpnserver nopass

Common Name (eg: your user, host, or server name) [vpnserver]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/easy-rsa-master/easyrsa3/pki/reqs/vpnserver.req
key: /etc/openvpn/easy-rsa/easy-rsa-master/easyrsa3/pki/private/vpnserver.key

./easyrsa sign-req server vpnserver

Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/easy-rsa-master/easyrsa3/pki/easy-rsa-16485.Ej254q/tmp.AUmJ0y
Enter pass phrase for /etc/openvpn/easy-rsa/easy-rsa-master/easyrsa3/pki/private/ca.key:

Certificate created at: /etc/openvpn/easy-rsa/easy-rsa-master/easyrsa3/pki/issued/vpnserver.crt

openssl verify -CAfile pki/ca.crt pki/issued/vpnserver.crt
pki/issued/vpnserver.crt: OK

##Generating Diffie-Hellman (DH) params
./easyrsa gen-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time !!!!!!!!!!!!!!!!!!!

vi /etc/openvpn/server.conf
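port <portnumber>
proto tcp
dev tun
ca ca.crt
cert vpnserver.crt
key vpnserver.key # This file should be kept secret
dh dh.pem
# Optional hardening (OpenVPN 2.4+): with a shared tls-crypt key the server
# drops handshake packets from peers that do not hold the key. On 2.4 create it
# with "openvpn --genkey --secret ta.key" (newer versions: "openvpn --genkey
# secret ta.key"), give a copy to every client, then uncomment:
#tls-crypt ta.key
# To lock out a lost or stolen device: "./easyrsa revoke <name>", then
# "./easyrsa gen-crl", copy pki/crl.pem next to this file and uncomment the
# line below. crl.pem must stay readable by the unprivileged user set further
# down, and must be regenerated before it expires.
#crl-verify crl.pem
server <Your IP range you will choose for NAT> <SubnetMask>
push "redirect-gateway def1 bypass-dhcp"
# Each "dhcp-option DNS" needs a resolver address. With redirect-gateway in
# use, clients that receive no DNS server may keep using their local resolver.
push "dhcp-option DNS <first DNS server IP>"
push "dhcp-option DNS <second DNS server IP>"
keepalive 10 120
# OpenVPN 2.4+ peers negotiate an AEAD cipher (AES-256-GCM) when both sides
# support it; this setting is what older peers fall back to.
cipher AES-256-CBC
tls-version-min 1.2
auth SHA512
max-clients 10
user nobody
group nogroup
# Needed together with user/group: after privileges are dropped the daemon can
# no longer re-read the private key or reopen the tun device when keepalive
# triggers a restart.
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
# verb 0 logs fatal errors only. Raise it to 3 if you want connections and
# failed handshakes recorded.
verb 0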


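# Copy only the four files server.conf refers to. A wildcard copy of every
# *.key would also place the CA private key (pki/private/ca.key) in the live
# server directory, where the VPN daemon never needs it.
pki_dir=/etc/openvpn/easy-rsa/easy-rsa-master/easyrsa3/pki
cp -p "$pki_dir/ca.crt" "$pki_dir/issued/vpnserver.crt" "$pki_dir/dh.pem" /etc/openvpn/
# cp -p keeps the restrictive mode Easy-RSA gave the private key.
cp -p "$pki_dir/private/vpnserver.key" /etc/openvpn/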

systemctl enable openvpn
systemctl start openvpn

# Build for all family members: client1/2/3/4
./easyrsa gen-req Client1
Enter PEM pass phrase: <Your passphrase>
Verifying - Enter PEM pass phrase: <Your passphrase>
Common Name (eg: your user, host, or server name) [Client1]: [Enter]

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/easy-rsa-master/easyrsa3/pki/reqs/Client1.req
key: /etc/openvpn/easy-rsa/easy-rsa-master/easyrsa3/pki/private/Client1.key

./easyrsa sign-req client Client1
Confirm request details: yes
Enter pass phrase for /etc/openvpn/easy-rsa/easy-rsa-master/easyrsa3/pki/private/ca.key: <Your passphrase>

Certificate created at: /etc/openvpn/easy-rsa/easy-rsa-master/easyrsa3/pki/issued/Client1.crt

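# The server does not use client certificates or client keys, so they do not
# belong in /etc/openvpn/. Collect the three files Client1 needs in a directory
# only root can read, then move them to the device over a secure channel.
pki_dir=/etc/openvpn/easy-rsa/easy-rsa-master/easyrsa3/pki
client_dir=/root/openvpn-clients/Client1  # example path, pick your own
install -d -m 700 "$client_dir"
cp -p "$pki_dir/ca.crt" "$pki_dir/issued/Client1.crt" "$pki_dir/private/Client1.key" "$client_dir/"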

cat /etc/openvpn/easy-rsa/easy-rsa-master/easyrsa3/pki/index.txt

