================================================================================
 Run OpenVPN SERVER on Linux (after Easy-RSA CA + client certs exist)
================================================================================

--------------------------------------------------------------------------------
0) Clean reinstall — delete PKI and start fresh (optional)
--------------------------------------------------------------------------------
Use this when you want a completely clean CA and new server/client certs
(e.g. wrong CN, mixed localhost/server names, or corrupted state).

WARNING — irreversible for existing installs:
- Removing the PKI invalidates EVERY client certificate already issued.
- Users must get new .ovpn profiles from the web app after you rebuild the CA.
- Back up anything you still need first:
    sudo tar czf ~/easy-rsa-pki-backup.tgz /opt/easy-rsa/pki

A) Stop OpenVPN (so it does not hold old key files):
    sudo systemctl stop openvpn-server@server 2>/dev/null || true
    sudo systemctl stop openvpn@server 2>/dev/null || true

B) Remove copied keys from the system OpenVPN directory (adjust paths if yours differ):
    sudo rm -f /etc/openvpn/server/ca.crt /etc/openvpn/server/vpnserver.crt \
               /etc/openvpn/server/vpnserver.key /etc/openvpn/server/server.crt \
               /etc/openvpn/server/server.key /etc/openvpn/server/dh.pem

C) Wipe the Easy-RSA PKI only (keeps the /opt/easy-rsa scripts; replace the path
   if you use e.g. /var/lib/easy-rsa):
    # If anything still writes under pki/, stop that service first (e.g. php-fpm).
    sudo rm -rf /opt/easy-rsa/pki

D) Recreate the CA (same owner as before — here www-data):
    sudo -u www-data bash -c 'cd /opt/easy-rsa && EASYRSA_BATCH=1 ./easyrsa init-pki'
    sudo -u www-data touch /opt/easy-rsa/pki/.rnd
    sudo -u www-data chmod 600 /opt/easy-rsa/pki/.rnd
    sudo -u www-data bash -c 'cd /opt/easy-rsa && EASYRSA_BATCH=1 EASYRSA_REQ_CN="MyVPN-CA" ./easyrsa build-ca nopass'
    sudo chown -R www-data:www-data /opt/easy-rsa
    sudo chmod 700 /opt/easy-rsa
   (Or run: sudo bash /path/to/init-easy-rsa-pki.sh /opt/easy-rsa after step C —
    that script creates the CA when pki/ is empty.)

E) Issue the server cert (friendlytv.site) and DH params, then copy them to
   /etc/openvpn/server — follow sections 2–3 below.

F) Re-issue client certs from vpn-admin (or Easy-RSA) and have users download
   new profiles.

You already have:
- CA and clients from Easy-RSA (e.g. /opt/easy-rsa/pki/)
- Web app that downloads .ovpn profiles — that does NOT start OpenVPN.

You must install the openvpn package and run a server config that uses the SAME
CA as your client certificates.

--------------------------------------------------------------------------------
1) Install OpenVPN
--------------------------------------------------------------------------------
    sudo apt update
    sudo apt install -y openvpn

--------------------------------------------------------------------------------
2) Create SERVER certificate (if you only created CA + clients so far)
--------------------------------------------------------------------------------
Scripted (same result as the commands below):
    sudo bash /path/to/EP/openvpn-pki/issue-openvpn-server-cert.sh
  Optional: sudo bash issue-openvpn-server-cert.sh --restart
  Env: VPN_EASYRSA_DIR, VPN_SERVER_CN, VPN_SERVER_NAME, EASYRSA_USER

Manual — as the same user that owns Easy-RSA (e.g. www-data or root):
    cd /opt/easy-rsa
  CN friendlytv.site (recommended), file basename vpnserver:
    sudo -u www-data bash -c 'cd /opt/easy-rsa && EASYRSA_BATCH=1 EASYRSA_REQ_CN=friendlytv.site ./easyrsa gen-req vpnserver nopass'
    sudo -u www-data bash -c 'cd /opt/easy-rsa && EASYRSA_BATCH=1 ./easyrsa sign-req server vpnserver'
  Creates:
    pki/issued/vpnserver.crt
    pki/private/vpnserver.key
  (If you already created server.crt with CN localhost, you can leave it unused or
   revoke it later; use vpnserver.* in OpenVPN.)

  Diffie-Hellman parameters (first time only, can take a minute):
    sudo -u www-data bash -c 'cd /opt/easy-rsa && ./easyrsa gen-dh'
  → pki/dh.pem

--------------------------------------------------------------------------------
3) Copy keys into /etc/openvpn/server/ (readable by openvpn)
--------------------------------------------------------------------------------
    sudo mkdir -p /etc/openvpn/server
    sudo cp /opt/easy-rsa/pki/ca.crt /etc/openvpn/server/
    sudo cp /opt/easy-rsa/pki/issued/vpnserver.crt /etc/openvpn/server/
    sudo cp /opt/easy-rsa/pki/private/vpnserver.key /etc/openvpn/server/
    sudo cp /opt/easy-rsa/pki/dh.pem /etc/openvpn/server/
    sudo chmod 600 /etc/openvpn/server/vpnserver.key
    sudo chown root:root /etc/openvpn/server/*

--------------------------------------------------------------------------------
4) Server config file
--------------------------------------------------------------------------------
The systemd unit openvpn-server@server expects this exact path:
    /etc/openvpn/server/server.conf
If you see "Error opening configuration file: server.conf", the file is missing or
not in that directory.
The helper script can create it from server.conf.example:
    sudo bash /path/to/EP/openvpn-pki/issue-openvpn-server-cert.sh
Or edit it by hand:
    sudo nano /etc/openvpn/server/server.conf

Minimal example (adjust paths if yours differ):
----- cut -----
port 1194
proto udp
dev tun
topology subnet
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/vpnserver.crt
key /etc/openvpn/server/vpnserver.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
remote-cert-tls client
# OpenVPN 2.4.x (e.g. Ubuntu 20.04): use cipher (data-ciphers is 2.5+ only).
cipher AES-256-GCM
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/status.log
verb 3
----- end -----
If your distro names the unprivileged group "nobody" rather than "nogroup", use
whatever /etc/group shows (Ubuntu: group nogroup).

Enable IP forwarding (required for VPN traffic to reach the internet):
    echo 'net.ipv4.ip_forward=1' | sudo tee /etc/sysctl.d/99-openvpn-forward.conf
    sudo sysctl -p /etc/sysctl.d/99-openvpn-forward.conf

NAT for clients (replace eth0 with your real public interface; find it with
ip route get 8.8.8.8):
    sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
To survive reboot, install iptables-persistent or add an equivalent script —
document your distro’s method.

If OpenVPN fails to start after changing certs:
    sudo journalctl -u openvpn-server@server -n 40 --no-pager
Common fixes:
- "Unrecognized option or missing parameter (--data-ciphers)": use cipher ... as
  above (2.4).
- "Cannot open ... server.key" / "server.crt": the paths in server.conf must match
  the vpnserver.* files you copied.
- DH parameters invalid: run openssl dhparam -in ... -check -noout; if it fails,
  regenerate (rm pki/dh.pem, then easyrsa gen-dh).
--------------------------------------------------------------------------------
5) Enable and start
--------------------------------------------------------------------------------
Newer Ubuntu (config in /etc/openvpn/server/server.conf):
    sudo systemctl enable --now openvpn-server@server
    sudo systemctl status openvpn-server@server
Older layout (single /etc/openvpn/server.conf):
    sudo systemctl enable --now openvpn@server
If unsure:
    systemctl list-units 'openvpn*' --all
Check listening:
    sudo ss -ulnp | grep 1194

--------------------------------------------------------------------------------
6) Firewall on this Linux host
--------------------------------------------------------------------------------
    sudo ufw allow 1194/udp
    sudo ufw allow OpenSSH
    sudo ufw enable      # if not already
    sudo ufw status
Verify the list includes 1194/udp — without it, inbound OpenVPN is blocked (client
timeouts; tcpdump shows nothing until traffic is allowed and a client is connecting).

--------------------------------------------------------------------------------
7) Cloud / router
--------------------------------------------------------------------------------
- If this machine is behind NAT: forward UDP 1194 from the public IP to this host.
- Cloudflare: the hostname for the VPN must be DNS-only (grey cloud), not proxied.

--------------------------------------------------------------------------------
8) Match the client profile
--------------------------------------------------------------------------------
Your .ovpn uses:
    remote friendlytv.site 1194 udp
— same port and protocol as the server.
Client certs must be issued by the same CA as /etc/openvpn/server/ca.crt.
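A preflight script for the layout in sections 3, 4 and 8, as an added example (not part of this runbook or its helper scripts): it checks that every ca/cert/key/dh path in server.conf exists, flags data-ciphers on a 2.4 server, and compares the client profile's remote line with the server's port/proto. The function names and the "2.4.7" version format are assumptions; run it with the real paths before systemctl start.

```shell
#!/bin/sh
# Preflight for the layout in sections 4 and 8 (added example, not part of the
# runbook): check that server.conf's file directives exist, that "data-ciphers"
# is not used on OpenVPN 2.4, and that the client profile's remote port/proto
# match the server. Versions are assumed to look like "2.4.7".

# First value of a directive in an OpenVPN config (comment lines never match).
conf_get() {  # conf_get <file> <directive>
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# "Cannot open ... server.key": every ca/cert/key/dh path must be a readable file.
check_server_files() {  # check_server_files <server.conf>
    rc=0
    for d in ca cert key dh; do
        path=$(conf_get "$1" "$d")
        if [ -z "$path" ]; then
            echo "MISSING directive: $d"; rc=1
        elif [ ! -r "$path" ]; then
            echo "MISSING file for '$d': $path"; rc=1
        fi
    done
    return $rc
}

# "Unrecognized option (--data-ciphers)": that directive exists only from 2.5.
check_cipher_directive() {  # check_cipher_directive <server.conf> <openvpn-version>
    major=${2%%.*}; rest=${2#*.}; minor=${rest%%.*}
    if [ "$major" -eq 2 ] && [ "$minor" -lt 5 ] && [ -n "$(conf_get "$1" data-ciphers)" ]; then
        echo "MISMATCH: data-ciphers needs OpenVPN 2.5+, found $2 (use 'cipher' on 2.4)"
        return 1
    fi
    return 0
}

# "remote <host> <port> <proto>" in the .ovpn must use the server's port and proto.
# Omitted fields fall back to OpenVPN's defaults (1194, udp) on both sides.
check_client_matches_server() {  # check_client_matches_server <server.conf> <client.ovpn>
    sport=$(conf_get "$1" port); sproto=$(conf_get "$1" proto)
    set -- "${sport:-1194}" "${sproto:-udp}" $(awk '$1 == "remote" { print $3, $4; exit }' "$2")
    cport=${3:-1194}; cproto=${4:-udp}
    # Reduce variants such as udp4, tcp-server, tcp6-client to the bare family.
    sproto=${2%%[0-9]*}; sproto=${sproto%%-*}; cproto=${cproto%%[0-9]*}; cproto=${cproto%%-*}
    if [ "$1" = "$cport" ] && [ "$sproto" = "$cproto" ]; then
        echo "OK: client remote $cport/$cproto matches server $1/$sproto"; return 0
    fi
    echo "MISMATCH: server listens on $1/$sproto, client profile says $cport/$cproto"; return 1
}
```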
--------------------------------------------------------------------------------
9) Client log: "Server poll timeout" / CONNECTION_TIMEOUT (UDP out, no reply)
--------------------------------------------------------------------------------
The client sends UDP (BYTES_OUT) but never completes TLS — usually the packets
never reach openvpn on this host, or the public IP in DNS is wrong.

On the VPN server, confirm this machine’s public IP matches DNS (friendlytv.site):
    curl -4 -s ifconfig.me ; echo
    dig +short friendlytv.site A
If they differ: fix DNS or move OpenVPN to the host that owns that IP.

While a client tries to connect, on the server watch for inbound UDP 1194:
    sudo tcpdump -n -i any udp port 1194
- No packets: firewall upstream (provider panel / security group), home router
  must forward UDP 1194 to this host’s LAN IP, or Cloudflare still proxied
  (orange cloud).
- Packets seen but no log in OpenVPN: rare; check wrong interface or duplicate IP.
Re-check: sudo ufw status, provider “firewall” for UDP 1194, Plesk/hosting network rules.

If tcpdump shows inbound packets but the client still reports CONNECTION_TIMEOUT:
- On the server, add NCP ciphers (same list as client .ovpn data-ciphers), then restart:
    ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
  (see server.conf.example — OpenVPN 2.4 + OpenVPN Connect 3 needs this next to cipher.)
- While connecting:
    sudo journalctl -u openvpn-server@server -f
- tcpdump should show both client->server and server->client; if only
  client->server, check server logs and client PC firewall (allow OpenVPN
  inbound UDP).

If UFW already lists 1194/udp but tcpdump still shows 0 packets while the client is
actively connecting (start tcpdump first, then tap Connect — same 10-second window):
- Hosting control panel firewall (Plesk Firewall, “Security”, Imunify360, provider
  network ACL) may block UDP before it reaches this VM — add allow UDP 1194 there.
- Extra iptables rules (evaluated before UFW):
    sudo iptables -L INPUT -n -v --line-numbers
- Some ISPs or mobile networks block UDP to arbitrary ports — try another network
  (e.g. different mobile carrier / WiFi) or move OpenVPN to tcp/443 (separate change).
================================================================================