VPNs allow you to route your Internet traffic through an encrypted tunnel to a remote server, enhancing your privacy while online. Often a VPS is around the same price per month as a dedicated VPN service, but gives you much more freedom and utility as a poweruser. This post will overview a basic routed OpenVPN configuration on an Ubuntu machine.

Step 1: Drivers and packages

First you need to enable TUN/TAP on your VPS. Usually your host will give you an option for this in your Control Panel. If not, you may have to file a support ticket. We will need TUN to emulate a new network device for the VPN to use. To check whether you have TUN enabled, do sudo cat /dev/net/tun. If you get the message “File descriptor in bad state,” then TUN is working. If you get “No such device,” then the TUN driver is missing.

Now we will need to install OpenVPN, as well as Easy-RSA which we will use for our PKI:

$ sudo apt-get install openvpn easy-rsa

Step 2: PKI and keys

Set up the PKI environment and generate a CA certificate:

$ sudo -s # become root
$ mkdir /etc/openvpn/easy-rsa/
$ cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
$ editor /etc/openvpn/easy-rsa/vars # set up parameters for your CA
$ cd /etc/openvpn/easy-rsa/
$ source vars
$ ./clean-all
$ ./build-ca # the CA certificate is now built

Build a key and certificate for the server:

$ ./build-key-server SERVER_NAME_HERE
$ ./build-dh
$ cd keys/
$ cp SERVER_NAME_HERE.crt SERVER_NAME_HERE.key ca.crt dh1024.pem /etc/openvpn/ 

Make keys and certificates for each client, and transfer them to the remote hosts (for example using SCP):

$ ./build-key CLIENT_NAME
$ scp /etc/openvpn/ca.crt CLIENT_MACHINE: 
$ scp /etc/openvpn/easy-rsa/keys/CLIENT_NAME.key CLIENT_MACHINE:
$ scp /etc/openvpn/easy-rsa/keys/CLIENT_NAME.crt CLIENT_MACHINE:

Step 3: Server config

Copy the default the server configuration:

$ cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
$ gzip -d /etc/openvpn/server.conf.gz

Now edit /etc/openvpn/server.conf and set the correct filenames for the server certificates and keys:

ca ca.crt
cert SERVER_NAME.crt
key SERVER_NAME.key 
dh dh1024.pem

Step 4: iptables

You may have to set up some routes and firewall rules to get your VPN to work as expected (using NAT):

$ /sbin/iptables -A FORWARD -o tun0 -j ACCEPT
$ /sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$ /sbin/iptables -A FORWARD -s -j ACCEPT
$ /sbin/iptables -A FORWARD -j REJECT
$ /sbin/iptables -t nat -A POSTROUTING -s -o venet0:0 -j MASQUERADE
$ /sbin/iptables -t nat -A POSTROUTING -j SNAT --to-source YOUR_SERVER_IP_HERE

If you’re using an iptables manager, you can easily add these rules to that service’s configuration. You can also put them in a new initscript, in an on-boot cronjob, or some other script that gets run when the server boots.

Step 5: Start the daemon and connect clients

Now just start OpenVPN:

$ service openvpn start

And then configure your client with the keys you scp’d. Everything should be peachy.