Install OpenVPN on Ubuntu 18.04 / 20.04, CentOS 7 Server

Before installing OpenVPN on your server, a fresh installation of the Operating System (Ubuntu 18.04/20.04/CentOS/Debian) is required.

As a first step, install easy-rsa, which manages the X.509 PKI (Public Key Infrastructure) needed to encrypt traffic between the server and various clients.

Certification Authority Setup

The OpenVPN server uses certificates to encrypt traffic between the server and various clients. Thus, we need to set up a certificate authority (CA) on your server to create and manage these certificates.

We can use the easy-rsa template by copying it to a new directory and then changing into that directory to configure it.

$ make-cadir ~/openvpn-ca
$ cd ~/openvpn-ca

We need to edit some of the variables that help decide how to create the certificates. Use nano—or another favorite editor—to open the file. We'll be editing some variables toward the end of the file.

$ nano vars

Look for the section below. The easy-rsa template provides some default fields for these variables, but you should change them according to your needs. Make sure you also change the KEY_NAME variable.

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"

# X509 Subject Field
export KEY_NAME="EasyRSA"

After some tweaks:

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="Tustin"
export KEY_ORG="SSD Nodes"
export KEY_EMAIL="james@example.com"
export KEY_OU="Marketing"

# X509 Subject Field
export KEY_NAME="vpnserver"

Now, source the vars file you just edited. If there aren't any errors, you'll see the following output.

$ source vars
 NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/user/openvpn-ca/keys

Now we can clean up the environment and then build up our CA.

$ ./clean-all
$ ./build-ca

A new RSA key will be created, and you'll be asked to confirm the details you entered into the vars file earlier. Just hit Enter to confirm.

Once the Certification Authority setup is complete, create new firewall rules for OpenVPN so that the OpenVPN client can connect to your server.

Ubuntu/Debian

ufw allow 1194     # 1194 is the default port; you can change/use another port during the installation of OpenVPN
ufw allow 51821    # 51821 is the SSH port of the Automatic Installation of Ubuntu 18.04/20.04 ISO

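Before you enable ufw (firewall) on your server, check that the above ports have been added to the firewall rules:

ufw status        # reports "Status: inactive" until ufw is enabled
ufw show added    # lists the rules added so far, even while ufw is inactive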

After verifying that the preferred ports have been added, enable ufw (firewall) using this command:

ufw enable

CentOS Firewall rules

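# OpenVPN uses UDP by default (see the installer questions below); open 1194/tcp instead if you select TCP
sudo firewall-cmd --zone=public --permanent --add-port=1194/udp
# SSH port
sudo firewall-cmd --zone=public --permanent --add-port=51821/tcp
sudo firewall-cmd --reload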

OpenVPN Server Installation

To install OpenVPN Server, download the installer script using the curl command:

curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh

Next, run the executable installer script as shown.

sudo bash openvpn-install.sh
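
The installer is fetched from the master branch and then run as root, so a copy you have read can be pinned by SHA-256 and anything else refused. This is an added example, not part of the original article or of the openvpn-install project; the helper name installer_ok and the PINNED_SHA256 placeholder are assumptions, and the digest must be one you recorded yourself after reviewing the script.

```shell
#!/bin/sh
# Added example: refuse to run a downloaded installer unless it matches a
# digest recorded after a manual review. installer_ok is a hypothetical helper.

# Placeholder: replace with the SHA-256 of the copy you reviewed.
PINNED_SHA256="<sha256-of-reviewed-openvpn-install.sh>"

# installer_ok FILE EXPECTED_SHA256
# Returns 0 only if FILE is a non-empty script starting with a shebang and
# its SHA-256 equals EXPECTED_SHA256; otherwise prints the reason, returns 1.
installer_ok() {
    io_file=$1
    io_expected=$2
    [ -s "$io_file" ] || { echo "missing or empty: $io_file" >&2; return 1; }
    # curl -O without --fail saves an HTTP error page under the script's
    # name; a real script starts with a shebang line.
    IFS= read -r io_first < "$io_file" || true
    case $io_first in
        '#!'*) ;;
        *) echo "not a script (no shebang): $io_file" >&2; return 1 ;;
    esac
    io_actual=$(sha256sum "$io_file" | awk '{print $1}')
    if [ "$io_actual" != "$io_expected" ]; then
        echo "digest mismatch: got $io_actual" >&2
        return 1
    fi
}

# Usage on the server (not executed here):
#   curl --fail --location -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
#   installer_ok openvpn-install.sh "$PINNED_SHA256" && sudo bash openvpn-install.sh
```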

During the installation, the script will ask some questions. The default answers/selections are:

What port do you want OpenVPN to listen to : 

Default: 1194

What Protocol do you want OpenVPN to use?

UDP

What DNS resolvers do you want to use with the VPN : 

Google (Anycast : worldwide)

Do you want to use compression?

No

Do you want to customize encryption settings?

No

Once the VPN installation process is complete, a client configuration file will be written under the current working directory. This is the file you will use to configure your OpenVPN client as described in the next section.

The configuration file has been written to /home/[USERACCOUNT]/[USERACCOUNT].ovpn
Download the .ovpn file and import it in your OpenVPN client.

To verify that the OpenVPN service is running on your server, run the following command:

sudo systemctl status openvpn

Also, verify that the OpenVPN daemon is listening on the port you instructed the script to use, using the ss terminal command:

sudo ss -tupln | grep openvpn

To check that the VPN interface (VPN tunnel) has been successfully created, run the command below:

ip a

The output should show a tun0 interface flagged POINTOPOINT with an inet address of 10.x.x.x
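
The listener and tunnel checks above can be turned into pass/fail functions, which also catches a protocol mismatch such as a firewall rule for 1194/tcp while the daemon listens on UDP. This is an added example, not part of the original article; the function names and the sample command output are constructed for illustration.

```shell
#!/bin/sh
# Added example: pass/fail versions of the manual ss and ip checks.
# Both functions read command output on stdin so they can be tested offline.

# listener_ok PROTO PORT   < output of: sudo ss -tupln
# Succeeds if an openvpn process holds a PROTO socket bound to PORT.
listener_ok() {
    awk -v proto="$1" -v port="$2" '
        $1 == proto && $0 ~ /"openvpn"/ {
            n = split($5, a, ":")      # local address, e.g. 0.0.0.0:1194
            if (a[n] == port) found = 1
        }
        END { exit !found }'
}

# tunnel_ok   < output of: ip a
# Succeeds if a tunN interface is POINTOPOINT and carries a 10.x.x.x address.
tunnel_ok() {
    awk '
        /^[0-9]+: / { in_tun = ($2 ~ /^tun[0-9]+:$/ && $3 ~ /POINTOPOINT/) }
        in_tun && $1 == "inet" && $2 ~ /^10\./ { ok = 1 }
        END { exit !ok }'
}

# Constructed sample output (not captured from a real server).
SAMPLE_SS='udp   UNCONN 0 0   0.0.0.0:1194   0.0.0.0:*  users:(("openvpn",pid=1234,fd=6))
tcp   LISTEN 0 128 0.0.0.0:51821  0.0.0.0:*  users:(("sshd",pid=801,fd=3))'
SAMPLE_IP='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN
    inet 10.8.0.1/24 scope global tun0'

printf '%s\n' "$SAMPLE_SS" | listener_ok udp 1194 && echo "listener udp/1194: ok"
printf '%s\n' "$SAMPLE_SS" | listener_ok tcp 1194 || echo "listener tcp/1194: none"
printf '%s\n' "$SAMPLE_IP" | tunnel_ok && echo "tunnel: ok"
```

On a live server, pipe the real commands in instead, for example `sudo ss -tupln | listener_ok udp 1194` and `ip a | tunnel_ok`.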
