Install packages

apt install openvpn easy-rsa

# Optional for Google Authenticator 2FA
apt install libpam-google-authenticator

Server Config

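# OpenVPN config
# Filename: /etc/openvpn/server.conf

# Authentication is intended to use client certs, user/pass and 2FA.
# Further, certificate common_name and username are pinned, to prevent
# users from sharing certificates.
# NOTE: the user/pass, 2FA and CN-pinning hooks are the commented-out
# plugin / script-security / auth-user-pass-verify lines at the end of
# this file. Until those are enabled, this server authenticates clients
# by certificate only.

# Ubuntu's packaged openvpn@.service runs openvpn with a restricted process
# limit (LimitNPROC) and so cannot spawn the client connect/disconnect
# scripts that send email notifications. To fix: in
# /lib/systemd/system/openvpn@.service uncomment the LimitNPROC line and
# increase the default value from 10 to 100 processes, then run
# systemctl daemon-reload and service openvpn restart.
# Prefer a drop-in (systemctl edit openvpn@.service) over editing the file
# under /lib/systemd/system, which the next package upgrade overwrites.

port 1194
proto udp
dev tun

# PKI material; relative paths are resolved against openvpn's working directory
dh dh.pem
ca ca.crt
# tls-crypt authenticates and encrypts the control channel; ta.key must be
# distributed to every client along with its certificate
tls-crypt ta.key
cert ovpn-server.crt
key ovpn-server.key

server 10.8.0.0 255.255.255.0
topology subnet

# Keep client <-> address assignments across server restarts
ifconfig-pool-persist ipp.txt

# Set this to internal network
push "route 10.100.0.0 255.255.0.0"

# Set this if internal DNS is to be used
push "dhcp-option DNS 10.100.0.2"

# Permit multiple clients with same client cert. Leave disabled: it works
# against the goal of preventing shared certificates stated above.
# duplicate-cn

keepalive 10 120

# Notify the client when the server restarts so it can auto reconnect
explicit-exit-notify 1

# Data channel: prefer AEAD (GCM) ciphers. AES-256-CBC stays in the list
# only so clients still configured for it keep working; clients without
# cipher negotiation (OpenVPN < 2.4) get data-ciphers-fallback.
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
data-ciphers-fallback AES-256-CBC
# 'cipher' is deprecated in OpenVPN 2.5+ and superseded by the two lines
# above; kept for older versions.
cipher AES-256-CBC

# HMAC for CBC data-channel packets; AEAD ciphers carry their own
# authentication tag
auth SHA256

# Require TLS 1.2 or newer on the control channel
tls-version-min 1.2

max-clients 100
# Drop privileges after start-up; the scripts below also run as this user
user nobody
group nogroup

# Required with user/group above so keys and the tun device survive a
# restart (SIGUSR1) after privileges have been dropped
persist-key
persist-tun

status openvpn-status.log
verb 3

# Per-client overrides, one file per certificate common_name
client-config-dir ccd

# Authenticate users with both password and google-authenticator 2FA.
# Clients have to enter password and 2fa token in the password prompt.
# The default TLS renegotiation (reneg-sec 3600) re-authenticates every
# hour, which fails with a cached, expired OTP; auth-gen-token
# (OpenVPN 2.4+) lets renegotiations reuse a server-issued token instead.
#plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

# Email root on user connect/disconnect.
# script-security 2 is also required for auth-user-pass-verify below.
#script-security 2
#client-connect    /etc/openvpn/client-connect.sh
#client-disconnect /etc/openvpn/client-disconnect.sh

# Ensure username and certificate name are same, users cannot share certs.
# via-env hands the username/password to the script through its
# environment; the OpenVPN manual notes this can be visible to other
# processes on some platforms. via-file is the alternative.
#auth-user-pass-verify /etc/openvpn/auth-cn-user.sh via-env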

IP Forwarding and NAT

Enable IP Forwarding

# Sysctl config fragment to enable IP forwarding
# Filename: /etc/sysctl.d/enable-ipforward.conf
# Run `sysctl -p /etc/sysctl.d/enable-ipforward.conf` to take effect now;
# files under /etc/sysctl.d are also applied at boot.
# Forwarding applies to all interfaces, not just the tunnel, so pair it
# with firewall rules that restrict what may be forwarded (see the NAT
# section).
net.ipv4.ip_forward = 1
# Only needed if IPv6 is routed through the VPN; server.conf above
# defines an IPv4-only tunnel (server 10.8.0.0 255.255.255.0)
net.ipv6.conf.all.forwarding = 1

ovpn-client