OpenVPN setup

Category: /knowledge /linux
Tags: linux vpn

以前帮朋友摸索过如何通过浏览器配置VPN的参数并激活. 后来不了了之, 就把安装记下来吧. 估计帮别人翻墙有用.


Use default Ubuntu packages

sudo apt install openvpn easy-rsa

Configuration Setup

setup server

  • vi /etc/default/openvpn, add

  • cd /etc/openvpn/

     cp -r /usr/share/doc/openvpn/examples/easy-rsa/ .
  • vi easy-rsa/2.0/vars

     export D=/etc/openvpn/easy-rsa/2.0
     export KEY_COUNTRY="US"
     export KEY_PROVINCE="DE"
     export KEY_CITY="Newark"
     export KEY_ORG="IT"
     export KEY_EMAIL=""
  • cd /etc/openvpn/easy-rsa/2.0
  • . ./vars
  • ./clean-all
  • ./build-ca
  • ./build-key-server server ( a challenge password: 25b8c7de)
  • ./build-key client1 You can repeat this step if you want to have more clients, just replace the parameter with client2, client3, etc.
  • Now let’s create Diffie Hellman parameters: `./build-dh
  • scp the following files to client1

     scp ca.crt client1.crt client1.key situ@client1_host
  • then move these files to /etc/openvpn on the client.

config server

  • vi /etc/openvpn/openvpn.conf

     dev tun
     proto tcp
     port 1194
     ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
     cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
     key /etc/openvpn/easy-rsa/2.0/keys/server.key
     dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
     user nobody
     group nogroup
     #status openvpn-status.log
     #verb 3
     push "redirect-gateway def1"
     #log-append /var/log/openvpn

setup client

  • vi /etc/openvpn/openvpn.conf

     dev tun0
     proto tcp
     # e.g.
     remote ${remote_vpn_server} 1194
     resolv-retry infinite
     user nobody
     group nogroup
     # Try to preserve some state across restarts.
     ca ca.crt
     cert client1.crt
     key client1.key
     # Set log file verbosity.
     verb 3

configuration on both side

  • configure IP forwarding and IPTables for doing NAT on the server:

     echo 1 > /proc/sys/net/ipv4/ip_forward
     sudo iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

You can verify the rule was written correctly with:

    sudo iptables -L -t nat

If you have a firewall you should make sure your VPN traffic can be routed.

If you made a mistake and want to remove all rules from IPTables:

    sudo iptables -F -t nat
  • Now restart OpenVPN in both client and server and you should be set. Running ‘'’ifconfig’’’ and ‘'’route -n’’’ you should see a new interface, tun0, in both PC’s. Confirm you can connect with a ping to your new tun0 interfaces, for example:


start a client from command line

sudo: cd /etc/openvpn; sudo openvpn  --config /etc/openvpn/openvpn.conf; cd - 
Gnome: gksu -u root 'cd /etc/openvpn; openvpn --config /etc/openvpn/client.conf'
KDE: kdesu [-u root] -c 'cd /etc/openvpn; openvpn  --config /etc/openvpn/openvpn.conf; cd -'

DD-WRT router setup

verb 5 script-security 2 route dhcp-option DNS server

dev tun0 proto udp keepalive 10 120 dh /tmp/openvpn/dh.pem ca /tmp/openvpn/ca.crt cert /tmp/openvpn/cert.pem key /tmp/openvpn/key.pem



  • 如果看不到讨论部分, 请暂时关掉adblock in Firefox/Chrome
  • 本网站使用Javascript实现评论功能, 此处外链对提高您的网站PR没有帮助. (潜台词: 请不要灌水, 谢谢)