# OpenVPN

#### **1. Install OpenVPN and Easy-RSA on the VPS**

Ensure your VPS has OpenVPN and Easy-RSA installed.

**On Debian/Ubuntu**

```
sudo apt update
sudo apt install openvpn easy-rsa -y
```

**On CentOS/RHEL**

```
sudo yum install epel-release -y
sudo yum install openvpn easy-rsa -y
```

***

#### **2. Set Up the Easy-RSA Environment**

1. Create a directory for Easy-RSA:

   ```
   make-cadir ~/openvpn-ca
   cd ~/openvpn-ca
   ```
2. Initialize the Public Key Infrastructure (PKI):

   ```
   ./easyrsa init-pki
   ```
3. Build the Certificate Authority (CA):

   ```
   ./easyrsa build-ca
   ```

   You’ll be prompted to set a passphrase for the CA key and to enter a Common Name (e.g., "VPN\_CA").
4. Generate the server certificate and key:

   ```
   ./easyrsa build-server-full server nopass
   ```
5. Generate the Diffie-Hellman parameters:

   ```
   ./easyrsa gen-dh
   ```
6. Generate the tls-auth HMAC key, which lets the server discard packets that are not signed with it before any TLS handshake takes place:

   ```
   openvpn --genkey --secret ta.key
   ```

***

#### **3. Configure OpenVPN Server**

1. Copy the certificates and keys to the OpenVPN directory:

   ```
   sudo cp ~/openvpn-ca/pki/ca.crt /etc/openvpn/
   sudo cp ~/openvpn-ca/pki/private/server.key /etc/openvpn/
   sudo cp ~/openvpn-ca/pki/issued/server.crt /etc/openvpn/
   sudo cp ~/openvpn-ca/pki/dh.pem /etc/openvpn/
   sudo cp ~/openvpn-ca/ta.key /etc/openvpn/
   ```
2. Create the OpenVPN server configuration file:

   ```
   sudo nano /etc/openvpn/server.conf
   ```

   Add the following content to the file:

   ```
   port 1194
   proto udp
   dev tun
   # Paths are relative to /etc/openvpn, where the files were copied above
   ca ca.crt
   cert server.crt
   key server.key
   dh dh.pem
   auth SHA256
   # Shared HMAC key; 0 = server side, clients must use direction 1
   tls-auth ta.key 0
   topology subnet
   server 10.8.0.0 255.255.255.0
   ifconfig-pool-persist ipp.txt
   # Route all client traffic through the tunnel and hand out DNS servers
   push "redirect-gateway def1 bypass-dhcp"
   push "dhcp-option DNS 8.8.8.8"
   push "dhcp-option DNS 8.8.4.4"
   keepalive 10 120
   cipher AES-256-CBC
   # Drop root privileges after the tunnel is up (use "group nobody" on CentOS/RHEL)
   user nobody
   group nogroup
   persist-key
   persist-tun
   status openvpn-status.log
   verb 3
   ```
3. Enable IP forwarding:

   ```
   sudo sysctl -w net.ipv4.ip_forward=1
   ```

   Persist the setting by adding the following line to `/etc/sysctl.conf`:

   ```
   net.ipv4.ip_forward=1
   ```
4. Configure firewall rules (replace `eth0` with the name of your VPS's public interface):

   ```
   sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
   sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
   ```

   The redirection runs inside `sh -c` so that the root-owned file can be written; `/etc/iptables/rules.v4` is the file the `iptables-persistent` package restores at boot, so install that package if it is not already present.

***

#### **4. Start the OpenVPN Server**

Start and enable the OpenVPN service:

```
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
```

Check the status:

```
sudo systemctl status openvpn@server
```

***

#### **5. Generate Client Configuration**

1. Generate a client certificate and key:

   ```
   cd ~/openvpn-ca
   ./easyrsa build-client-full client1 nopass
   ```
2. Create a client configuration file:

   ```
   nano ~/client1.ovpn
   ```

   Add the following content to the file. Because the tls-auth key is embedded inline, the client must declare `key-direction 1` (the server uses direction 0):

   ```
   client
   dev tun
   proto udp
   remote <your-server-ip> 1194
   resolv-retry infinite
   nobind
   persist-key
   persist-tun
   remote-cert-tls server
   auth SHA256
   cipher AES-256-CBC
   key-direction 1
   verb 3
   <ca>
   [Paste the content of `ca.crt` here]
   </ca>
   <cert>
   [Paste the content of `client1.crt` here]
   </cert>
   <key>
   [Paste the content of `client1.key` here]
   </key>
   <tls-auth>
   [Paste the content of `ta.key` here]
   </tls-auth>
   ```
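Pasting four files by hand is error-prone, so the profile can instead be assembled from the PKI directory. This is an added example, not code from the original page: it assumes the Easy-RSA layout produced in step 2 (`pki/ca.crt`, `pki/issued/<name>.crt`, `pki/private/<name>.key`) plus the `ta.key` from `openvpn --genkey`, refuses to emit a profile if any input is missing, strips the human-readable preamble Easy-RSA prepends to issued certificates, and sets `key-direction 1` for the inline tls-auth key.

```shell
#!/bin/sh
# Assemble a self-contained client .ovpn from an Easy-RSA PKI directory.
# Usage: make_ovpn <pki_dir> <client_name> <server_ip> <ta_key_path> > client1.ovpn
# Assumption (not from the page): the pki/ layout written by
# `./easyrsa build-client-full <name> nopass`.
make_ovpn() {
  pki="$1"; name="$2"; server="$3"; ta="$4"
  # Fail early rather than emit a half-formed profile the client would reject.
  for f in "$pki/ca.crt" "$pki/issued/$name.crt" "$pki/private/$name.key" "$ta"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
  done
  cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA256
cipher AES-256-CBC
# Inline tls-auth key: client side is direction 1, server is 0
key-direction 1
verb 3
<ca>
$(cat "$pki/ca.crt")
</ca>
<cert>
$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$pki/issued/$name.crt")
</cert>
<key>
$(cat "$pki/private/$name.key")
</key>
<tls-auth>
$(cat "$ta")
</tls-auth>
EOF
}
```

Keep the resulting file private: it carries the client's private key and the shared HMAC key, so anyone holding it can connect as that client.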

***

#### **6. Transfer the Client Configuration**

Transfer the `client1.ovpn` file to your device (PC, phone, or another client).

Example using `scp`:

```
scp ~/client1.ovpn user@client-device:/path/to/destination
```

***

#### **7. Connect Using the Client**

**On Linux**

Install OpenVPN:

```
sudo apt install openvpn
sudo openvpn --config client1.ovpn
```

**On Windows**

* Download and install the OpenVPN client.
* Import the `.ovpn` file and connect.

**On Android/iOS**

* Download the OpenVPN Connect app.
* Import the `.ovpn` file and connect.

***

#### **8. Verify Connection**

Check your public IP to confirm traffic is routed through the VPN:

```
curl ifconfig.me
```

It should display the IP address of your VPS, not your local IP.

***

You now have a fully functional OpenVPN server on your VPS and can connect securely from client devices!

