This is a 2026 update of "Connexion VPN entre un client Windows et un serveur Linux" (VPN connection between a Windows client and a Linux server), first written in 2016.

OpenVPN Setup

This guide describes how to set up an OpenVPN server on a Linux machine and connect to it.
It uses EasyRSA to generate the necessary certificates and keys for the server and clients.

Documentation

Configure server

Install OpenVPN

OPEN_VPN_USERNAME=hostinger-openvpn # Name of the server certificate; avoid spaces and special characters
OPEN_VPN_PORT=1194 # A non-default port cuts scanner noise but is not a security control; it must match the firewall rules below

sudo su - # Every command below must be run as root
apt-get install openvpn

Install EasyRSA

cd /usr/share/
git clone https://github.com/OpenVPN/easy-rsa.git
cd easy-rsa/easyrsa3 # the easyrsa script lives in the easyrsa3/ subdirectory of the repository
./easyrsa init-pki

init-pki creates the pki/ directory in the current directory, here /usr/share/easy-rsa/easyrsa3/pki. The server.conf paths below are written for /usr/share/easy-rsa/pki, which is where pki/ ends up when the Debian/Ubuntu package is used instead (apt-get install easy-rsa, then run the commands from /usr/share/easy-rsa); with the git checkout, substitute /usr/share/easy-rsa/easyrsa3/pki in those paths.

Generate certificates

Generate CA and server certificate

./easyrsa build-ca

It asks for a passphrase for the CA private key and creates pki/ca.crt (the CA certificate that goes to the server and every client) and pki/private/ca.key. Every server and client certificate is signed with that key, so whoever holds it can issue valid clients: keep the passphrase, and note that none of the remaining steps ever needs to copy ca.key anywhere.

./easyrsa gen-req "$OPEN_VPN_USERNAME" nopass

It creates the files pki/reqs/$OPEN_VPN_USERNAME.req and pki/private/$OPEN_VPN_USERNAME.key.

./easyrsa show-req "$OPEN_VPN_USERNAME" # should show the content of pki/reqs/$OPEN_VPN_USERNAME.req
./easyrsa sign-req server "$OPEN_VPN_USERNAME"

It creates the file pki/issued/$OPEN_VPN_USERNAME.crt.

Generate Diffie-Hellman parameters

This command takes a long time. OpenVPN 2.4 and later can use ECDHE instead of classic DH when server.conf contains dh none, which makes this step optional.

./easyrsa gen-dh

It creates the file pki/dh.pem.

Generate certificates for each client

CLIENT_NAME=client1
VPS_USER=pumbaa # unprivileged SSH account that will fetch the files from the server
SERVER_HOME_FOR_SCP=/home/$VPS_USER/openvpn-client-keys/
./easyrsa gen-req "$CLIENT_NAME" nopass

It creates the files pki/reqs/$CLIENT_NAME.req and pki/private/$CLIENT_NAME.key.

./easyrsa show-req "$CLIENT_NAME"
./easyrsa sign-req client "$CLIENT_NAME"

It creates the file pki/issued/$CLIENT_NAME.crt.

Stage the three files the client needs where the SSH user can read them, and make sure the private key stays readable by that user only:

mkdir -p "${SERVER_HOME_FOR_SCP}"
cp "pki/issued/$CLIENT_NAME.crt" "${SERVER_HOME_FOR_SCP}"
cp "pki/private/$CLIENT_NAME.key" "${SERVER_HOME_FOR_SCP}"
cp "pki/ca.crt" "${SERVER_HOME_FOR_SCP}"
chmod 600 "${SERVER_HOME_FOR_SCP}/$CLIENT_NAME.key"
chown -R "$VPS_USER:$VPS_USER" "${SERVER_HOME_FOR_SCP}"

Generating the client key on the server and transporting it is the simplest workflow. The more careful one is to run gen-req on the client itself, copy only the .req file to the server, import it there with ./easyrsa import-req /path/to/$CLIENT_NAME.req "$CLIENT_NAME" and sign it as above; the private key then never leaves the client.

Install EasyTLS (Optional)

Easy-TLS (https://github.com/TinCanTech/easy-tls) is a companion script to EasyRSA that generates and rotates tls-auth/tls-crypt keys and manages client fingerprints.

git clone https://github.com/TinCanTech/easy-tls.git
mv easy-tls/* . # Easy-TLS runs from the EasyRSA directory and uses its pki/
./easytls init-tls
./easytls build-tls-crypt
ls -l pki/easytls/

The generated key only takes effect once both server.conf and client.conf reference it with tls-crypt <path to the key listed above>. Without it the control channel is unauthenticated: anyone who can reach the port can start a TLS handshake with the server. Without Easy-TLS, an equivalent key is produced with openvpn --genkey secret /etc/openvpn/server/ta.key (OpenVPN 2.5 syntax; 2.4 uses --genkey --secret).

Configure OpenVPN server

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/server/
vi /etc/openvpn/server/server.conf

On Debian/Ubuntu the sample ships compressed; if only server.conf.gz exists, use zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server/server.conf instead of cp.

Set the following parameters in server.conf.
Remove the original ca, cert, key and dh parameters and replace them with the paths to the CA certificate, server certificate, server key and Diffie-Hellman parameters generated in the previous steps (e.g. ca /usr/share/easy-rsa/pki/ca.crt).
Also remove or comment out the sample's tls-auth ta.key 0 line unless you generated such a key (see Easy-TLS above); with the line present and no key file, the server refuses to start.
Replace the values between << and >> with the actual values defined earlier.

port <<OPEN_VPN_PORT>>
proto udp
dev tun

# The VPN subnet. The server takes the first address and hands out the others to clients as they connect; the client does not configure its tun0 address itself.
# 10.8.0.1 = VPN server
# 10.8.0.2+ = clients
server 10.8.0.0 255.255.255.0

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 9.9.9.9"

data-ciphers AES-256-GCM:AES-128-GCM
data-ciphers-fallback AES-256-CBC # only for clients older than OpenVPN 2.4 that cannot negotiate a cipher; drop it otherwise (https://forums.openvpn.net/viewtopic.php?t=33536)

keepalive 10 120
persist-key
persist-tun

user nobody
group nogroup

ca /usr/share/easy-rsa/pki/ca.crt
cert "/usr/share/easy-rsa/pki/issued/<<OPEN_VPN_USERNAME>>.crt"
key "/usr/share/easy-rsa/pki/private/<<OPEN_VPN_USERNAME>>.key"
dh /usr/share/easy-rsa/pki/dh.pem
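The settings above are easy to get subtly wrong: the sample file's tls-auth line, a leftover CBC fallback, or a directive set twice (OpenVPN keeps the last value without warning). The following script is an added example, not part of the original guide, that audits a server.conf for exactly the points discussed in this section. The two configurations it runs on are constructed for the example: the first is the guide's own directive list, the second a hardened variant with an assumed tls-crypt key path /etc/openvpn/server/ta.key.

```shell
#!/bin/sh
# Added example: audit an OpenVPN server.conf for the hardening points of this
# guide. Not part of the original page. Directives are assumed one per line,
# with "#" or ";" starting a comment.

ovpn_directives() {  # print the effective directives of FILE, comments stripped
    sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -v '^$'
}

has_directive() {  # has_directive FILE EXTENDED_REGEX
    ovpn_directives "$1" | grep -Eq "$2"
}

audit_server_conf() {  # print one WARN line per finding for FILE
    conf=$1
    if ! has_directive "$conf" '^tls-(crypt|crypt-v2|auth) '; then
        echo "WARN: control channel unprotected; add tls-crypt <key> (or tls-auth) on server and clients"
    fi
    if ! has_directive "$conf" '^user ' || ! has_directive "$conf" '^group '; then
        echo "WARN: no user/group directive; the daemon keeps root after startup"
    fi
    if has_directive "$conf" '^cipher '; then
        echo "WARN: 'cipher' is deprecated; use data-ciphers instead"
    fi
    if ! has_directive "$conf" '^data-ciphers '; then
        echo "WARN: no data-ciphers; pin AEAD ciphers (AES-256-GCM:AES-128-GCM)"
    fi
    if has_directive "$conf" '^data-ciphers-fallback .*CBC'; then
        echo "WARN: CBC fallback enabled; remove data-ciphers-fallback once no pre-2.4 clients remain"
    fi
    if ! has_directive "$conf" '^tls-version-min '; then
        echo "WARN: no tls-version-min; add 'tls-version-min 1.2'"
    fi
    if ! has_directive "$conf" '^remote-cert-tls client'; then
        echo "WARN: no 'remote-cert-tls client'; any CA-signed cert, the server's own included, is accepted as a client"
    fi
    # Directives that legitimately repeat (push, route, remote) are skipped;
    # for the rest OpenVPN silently keeps the last occurrence.
    for name in $(ovpn_directives "$conf" | awk '$1 != "push" && $1 != "route" && $1 != "remote" {print $1}' | sort | uniq -d); do
        echo "WARN: directive '$name' set more than once; only the last value applies"
    done
}

count_findings() {  # number of WARN lines for FILE
    audit_server_conf "$1" | grep -c '^WARN' || true
}

# Constructed sample 1: the directives of this guide as written above.
GUIDE_CONF=$(mktemp)
cat > "$GUIDE_CONF" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 9.9.9.9"
data-ciphers AES-256-GCM:AES-128-GCM
data-ciphers-fallback AES-256-CBC
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
ca /usr/share/easy-rsa/pki/ca.crt
cert "/usr/share/easy-rsa/pki/issued/hostinger-openvpn.crt"
key "/usr/share/easy-rsa/pki/private/hostinger-openvpn.key"
dh /usr/share/easy-rsa/pki/dh.pem
data-ciphers-fallback 'AES-256-CBC'
EOF

# Constructed sample 2: the same server hardened (the tls-crypt key path is assumed).
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
tls-crypt /etc/openvpn/server/ta.key
tls-version-min 1.2
remote-cert-tls client
data-ciphers AES-256-GCM:AES-128-GCM
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
ca /usr/share/easy-rsa/pki/ca.crt
cert /usr/share/easy-rsa/pki/issued/hostinger-openvpn.crt
key /usr/share/easy-rsa/pki/private/hostinger-openvpn.key
dh none
EOF

audit_server_conf "$GUIDE_CONF"      # five findings
audit_server_conf "$HARDENED_CONF"   # none
```

Run it against the real file with audit_server_conf /etc/openvpn/server/server.conf; every WARN line names the directive to add or remove. The duplicate check is the one most often missed: the guide's config sets data-ciphers-fallback twice, and only the second value counts.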

iptables

Forward traffic from the VPN to the internet

The file /etc/sysctl.d/99-openvpn-forward.conf may not exist, but it will be created by the following command.

echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/99-openvpn-forward.conf
sysctl --system
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

The network (10.8.0.0/24) is the one given to the server parameter in server.conf.
Replace eth0 with the interface that carries the server's default route; ip route shows it on the line starting with default via.

Allow packet forwarding between the VPN interface and the internet interface

These rules are required on systems where the default FORWARD policy is DROP.

iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Make the iptables rules persistent across reboots

apt install iptables-persistent

At installation the current rules are saved to /etc/iptables/rules.v4 and /etc/iptables/rules.v6 and loaded again at boot, so install it after all rules (including the INPUT rule below) are in place, or save again afterwards.
Whenever you change the rules, save them with netfilter-persistent save.

Check that forwarding is enabled:

sysctl net.ipv4.ip_forward

Expected:

net.ipv4.ip_forward = 1

Allow OpenVPN port in the firewall

ufw allow ${OPEN_VPN_PORT}/udp
# or
iptables -A INPUT -p udp --dport ${OPEN_VPN_PORT} -j ACCEPT

Pick one of the two. On a host managed by ufw, ufw also owns the FORWARD policy (DEFAULT_FORWARD_POLICY in /etc/default/ufw) and its NAT rules (/etc/ufw/before.rules), so the forwarding and MASQUERADE rules above belong there rather than in iptables-persistent; mixing the two makes it hard to know which rule set is actually in force.

Check the iptables rules

iptables -t nat -L POSTROUTING
iptables -L -n
iptables -L -n | grep ${OPEN_VPN_PORT}
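The rules in this section are appended with -A, so running them a second time (after a reboot without iptables-persistent, or from a boot hook) duplicates them. The script below is an added example, not the page's own, that applies the same rule set idempotently: each rule is tested with iptables -C before it is appended, forwarding is restricted to the VPN subnet, and the conntrack match replaces the older state match. IPT, WAN_IF, VPN_NET and the port are assumptions to adjust, and rules are only applied when APPLY_VPN_RULES=1 so the file can be sourced safely.

```shell
#!/bin/sh
# Added example (not from the original guide): apply the OpenVPN NAT, forwarding
# and input rules idempotently. Each rule is checked with `iptables -C` before it
# is appended, so the script can be re-run at any time without duplicating rules.
# IPT may be pointed at a wrapper (e.g. a shell function that only logs) for dry runs.
IPT="${IPT:-iptables}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"      # must match the 'server' directive
VPN_IF="${VPN_IF:-tun0}"
WAN_IF="${WAN_IF:-eth0}"               # assumption: the interface of the default route in 'ip route'
OPEN_VPN_PORT="${OPEN_VPN_PORT:-1194}" # must match 'port' in server.conf

ensure_rule() {  # ensure_rule TABLE CHAIN rule-spec...  (append only if absent)
    table=$1; shift
    if "$IPT" -t "$table" -C "$@" 2>/dev/null; then
        return 0
    fi
    "$IPT" -t "$table" -A "$@"
}

enable_forwarding() {  # persistent sysctl, applied immediately
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-openvpn-forward.conf
    sysctl --system >/dev/null
}

apply_vpn_rules() {
    # Let clients reach the OpenVPN port itself.
    ensure_rule filter INPUT -p udp --dport "$OPEN_VPN_PORT" -j ACCEPT
    # Forward only traffic that really comes from the VPN subnet, plus the replies;
    # a packet arriving on tun0 with a spoofed source outside the subnet is dropped.
    ensure_rule filter FORWARD -i "$VPN_IF" -o "$WAN_IF" -s "$VPN_NET" -j ACCEPT
    ensure_rule filter FORWARD -i "$WAN_IF" -o "$VPN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Hide client addresses behind the server's public address.
    ensure_rule nat POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Run as root with APPLY_VPN_RULES=1 to apply; otherwise only the functions are defined.
if [ "${APPLY_VPN_RULES:-0}" = 1 ]; then
    enable_forwarding
    apply_vpn_rules
fi
```

Usage on the server: APPLY_VPN_RULES=1 WAN_IF=ens3 sh vpn-rules.sh, then netfilter-persistent save. Because every rule is checked first, the script is safe to call from a systemd unit or cron at every boot.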

Run OpenVPN server

openvpn /etc/openvpn/server/server.conf

Running OpenVPN manually like this is temporary.
The process stops when the terminal closes and it will not restart after a reboot.

Run OpenVPN server as a service

systemctl start openvpn-server@server  # Starts the service
systemctl enable openvpn-server@server # Enables the service to start at boot
systemctl status openvpn-server@server # Checks the status of the service

server corresponds to the filename: /etc/openvpn/server/server.conf.

View server logs:

journalctl -u openvpn-server@server -f

Configure client

Install OpenVPN

apt-get install openvpn network-manager-openvpn-gnome

Copy the certificates to the client

Copy the client certificate, the client key and the CA certificate from the server to the client machine, then reference their paths in client.conf (next section).
Run this on the client. CLIENT_NAME must be the exact name used with sign-req on the server, and SERVER_HOME_FOR_SCP the staging directory created there.

SERVER_USERNAME=pumbaa
SERVER_IP=pumbaa.ch # hostname or IP address of the server
SERVER_SSH_PORT=22 # SSH port of the server; unrelated to the OpenVPN port defined in server.conf
SERVER_HOME_FOR_SCP=/home/${SERVER_USERNAME}/openvpn-client-keys
CLIENT_NAME=lenovo-work # must match the name used with sign-req on the server
LOCAL_OPENVPN_PATH=/etc/openvpn/client/
TMP_FOLDER=$(mktemp -d /tmp/openvpn-client-keys.XXXXXX) # private temporary directory rather than a predictable path
scp -P "${SERVER_SSH_PORT}" "${SERVER_USERNAME}@${SERVER_IP}:${SERVER_HOME_FOR_SCP}/${CLIENT_NAME}.crt" "${TMP_FOLDER}"
scp -P "${SERVER_SSH_PORT}" "${SERVER_USERNAME}@${SERVER_IP}:${SERVER_HOME_FOR_SCP}/${CLIENT_NAME}.key" "${TMP_FOLDER}"
scp -P "${SERVER_SSH_PORT}" "${SERVER_USERNAME}@${SERVER_IP}:${SERVER_HOME_FOR_SCP}/ca.crt" "${TMP_FOLDER}"
sudo mv "${TMP_FOLDER}"/* "${LOCAL_OPENVPN_PATH}"
sudo chown root:root "${LOCAL_OPENVPN_PATH}/${CLIENT_NAME}.key"
sudo chmod 600 "${LOCAL_OPENVPN_PATH}/${CLIENT_NAME}.key"
rmdir "${TMP_FOLDER}"

Cleaning (server side)

Delete the staged copies under ${SERVER_HOME_FOR_SCP} once they are on the client: a client private key sitting in an SSH user's home directory is one stolen password away from a VPN login.
Keep the originals in /usr/share/easy-rsa/pki/; they are needed later to revoke or renew the certificate.

Configure OpenVPN client

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/client/
vi /etc/openvpn/client/client.conf

Set the following parameters in client.conf.
Replace the values between << and >> with the actual values defined earlier.
Keep remote-cert-tls server: it makes the client reject any certificate that was not issued with the server type in sign-req, which is what stops another client of the same CA from impersonating the server.
The sample file also contains tls-auth ta.key 1; remove it unless the server uses a tls-auth/tls-crypt key, in which case copy that key to the client as well and reference it here (tls-crypt <file>, or tls-auth <file> 1).

client
dev tun
proto udp
remote <<SERVER_IP>> <<OPEN_VPN_PORT>>
remote-cert-tls server
data-ciphers AES-256-GCM:AES-128-GCM

ca /etc/openvpn/client/ca.crt
cert /etc/openvpn/client/<<CLIENT_NAME>>.crt
key /etc/openvpn/client/<<CLIENT_NAME>>.key
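Instead of shipping three files plus a hand-edited client.conf, a single .ovpn profile can carry the certificates and key in OpenVPN's inline <ca>, <cert>, <key> (and optionally <tls-crypt>) blocks; it is also the form that GUI clients import directly. The function below is an added example, not the page's own code: it builds such a profile from the EasyRSA pki/ layout (pki/ca.crt, pki/issued, pki/private, EasyRSA's default), strips the human-readable text dump that EasyRSA prepends to issued certificates, and refuses to run if any input file is missing. The server name vpn.example.org used in the usage note and the fake PEM files in the test are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original guide): bundle a client's CA cert, cert,
# key and the client directives of this guide into one self-contained .ovpn
# profile using OpenVPN's inline <ca>/<cert>/<key>/<tls-crypt> blocks.

pem_only() {  # print only the PEM block(s) of FILE; EasyRSA issued certs start with a text dump
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

build_ovpn_profile() {  # build_ovpn_profile NAME PKI_DIR HOST PORT [TLS_CRYPT_KEY] > NAME.ovpn
    name=$1; pki=$2; host=$3; port=$4; tc=${5:-}
    # Fail early rather than emit a profile with an empty block.
    for f in "$pki/ca.crt" "$pki/issued/$name.crt" "$pki/private/$name.key" ${tc:+"$tc"}; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $host $port
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
data-ciphers AES-256-GCM:AES-128-GCM
verb 3
<ca>
$(pem_only "$pki/ca.crt")
</ca>
<cert>
$(pem_only "$pki/issued/$name.crt")
</cert>
<key>
$(pem_only "$pki/private/$name.key")
</key>
EOF
    # The tls-crypt key is a plain "OpenVPN Static key" file: include it verbatim if given.
    if [ -n "$tc" ]; then
        printf '<tls-crypt>\n'; cat "$tc"; printf '</tls-crypt>\n'
    fi
}
```

Run it on the server as root with a restrictive umask, for example umask 077; build_ovpn_profile lenovo-work /usr/share/easy-rsa/pki pumbaa.ch 1194 > /root/lenovo-work.ovpn, copy that one file with scp, delete it from the server, and on the client start the tunnel with sudo openvpn --config lenovo-work.ovpn; the separate ca.crt, .crt and .key files and the path edits in client.conf are then unnecessary.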

Run OpenVPN client

sudo openvpn /etc/openvpn/client/client.conf

Creating a VPN requires privileged operations, so you need to run OpenVPN with sudo.

Show the new network interface and the new route for the VPN network:

ip addr show tun0
ip route

Should show a new network interface (tun0) with an IP address from the subnet given to the server parameter of server.conf (e.g. 10.8.0.x) and new routes for the VPN, for example:

0.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
72.60.84.240 via 192.168.10.1 dev enp0s31f6
128.0.0.0/1 via 10.8.0.1 dev tun0

The two /1 routes are what redirect-gateway def1 installs: together they cover the whole IPv4 space and, being more specific than the existing default route, win over it without deleting it, so the original default comes back when the tunnel closes. The host route to the server's public address (72.60.84.240 here) stays on the physical interface so that the tunnel's own UDP packets are not sent into the tunnel. Only IPv4 is redirected by this configuration; if the LAN provides IPv6, that traffic still leaves through the physical interface.

Bonus: a small systray integration for Ubuntu

OpenVPN-Systray requires YAD, openvpn and notify-send.